
Re: Rogue Antimalware (FakeAV, 2014 year)

Posted: Wed Aug 20, 2014 2:38 pm
by EP_X0FF

Re: Rogue Antimalware (FakeAV, 2014 year)

Posted: Wed Aug 20, 2014 3:35 pm
by rnd.usr
EP_X0FF wrote:What up with biz?
http://blogs.technet.com/b/mmpc/archive ... light.aspx
FakeAV's want to be lockers, kinda cute.

Anyone have a sample of Win32/Defru? Tried to find one but no luck..

Re: Rogue Antimalware (FakeAV, 2014 year)

Posted: Wed Aug 20, 2014 4:05 pm
by ISergey256

Re: Rogue Antimalware (FakeAV, 2014 year)

Posted: Wed Aug 20, 2014 4:51 pm
by rnd.usr
ISergey256 wrote:Rogue:Win32/Defru
https://www.virustotal.com/uk/file/24ec ... /analysis/
Thanks!

Attached unpacked (from UPX) and extracted PHP files. Can someone also decode the PHP files? When I try to do it I get the same output as input.

But I get an error when running the file, it says "WINDOWS ERROR!!!" in a CMD prompt. The file itself does not do anything to the system after the message goes away. Same for you?

Re: Rogue Antimalware (FakeAV, 2014 year)

Posted: Wed Aug 20, 2014 6:34 pm
by iShare
Pretty boring, a very n00b rogue proxy, redirecting all visited websites to fake av download page

%SYSDIR%\drivers\etc\hosts has been modified with lines like this

***
82.146.48.21 http://www.101.ru
82.146.48.21 ovg.cc
82.146.48.21 http://www.ovg.cc
82.146.48.21 onlainfilm.ucoz.ua
82.146.48.21 http://www.onlainfilm.ucoz.ua
82.146.48.21 hdkinoteatr.com
****
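The hosts-file hijack described above is easy to spot mechanically: a cluster of unrelated hostnames pinned to one routable address is not something a legitimate hosts file does. The following is an added example (not code from this thread or from any tool mentioned in it) that parses a Windows/Unix hosts file and reports every non-loopback address that several distinct hostnames point at. The sample input is constructed to mirror the entries quoted in the post; the "http://" prefixes are assumed to be the forum's link auto-formatting, since a real hosts file cannot carry a URL scheme, so the parser strips them before comparing names.

```python
"""Flag hosts-file entries that pin many hostnames to one routable address.

Added example for the rogue-proxy hosts hijack discussed in the thread.
Run stand-alone: python hosts_check.py
"""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the entries quoted in the thread (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
82.146.48.21 http://www.101.ru
82.146.48.21 ovg.cc
82.146.48.21 http://www.ovg.cc
82.146.48.21 onlainfilm.ucoz.ua
82.146.48.21 http://www.onlainfilm.ucoz.ua
82.146.48.21 hdkinoteatr.com
"""

SCHEME_PREFIXES = ("http://", "https://")


def normalise_hostname(token):
    """Lower-case a hostname and drop a URL scheme if one is present.

    Assumption: a scheme in front of a name is a copy/paste or forum
    artefact, since hosts files only hold bare names.
    """
    lowered = token.lower()
    for prefix in SCHEME_PREFIXES:
        if lowered.startswith(prefix):
            return lowered[len(prefix):].rstrip("/")
    return lowered


def parse_hosts(text):
    """Return a list of (line_no, ip, hostname) tuples, one per mapped name.

    Comments ('#' to end of line) and blank lines are skipped; a line whose
    first field is not a valid IP address is ignored rather than guessed at.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field, not a mapping
        for name in fields[1:]:
            entries.append((line_no, str(ip), normalise_hostname(name)))
    return entries


def is_benign_target(ip_str):
    """Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) targets are the
    normal sinkhole/blocklist destinations and are not redirects."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_loopback or ip.is_unspecified


def find_redirects(text, threshold=3):
    """Return {ip: sorted hostnames} for every routable address that at least
    `threshold` distinct hostnames are mapped to; an empty dict means clean."""
    by_ip = defaultdict(set)
    for _, ip, host in parse_hosts(text):
        if is_benign_target(ip):
            continue
        by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts;
    # the sample is used here so the script runs offline.
    hits = find_redirects(SAMPLE_HOSTS)
    if not hits:
        print("no redirect clusters found")
    for ip, hosts in hits.items():
        print(f"{ip} is the target of {len(hosts)} hostnames:")
        for host in hosts:
            print(f"  {host}")
```

The threshold of three is a judgement call: a single custom mapping (a developer pointing a test domain at a lab box) is common, but half a dozen unrelated media and video sites sharing one public IP is the rogue-proxy pattern the post describes. Pointing the script at the live file and diffing its output over time gives a cheap persistence check for this family.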

Re: Rogue Antimalware (FakeAV, 2014 year)

Posted: Fri Aug 22, 2014 12:01 pm
by rnd.usr
iShare wrote:Pretty boring, a very n00b rogue proxy, redirecting all visited websites to fake av download page
Ah, yes! This is really a lame FakeAV. Just infecting the hosts file.. I thought this was something good.

Attached hosts file.

Re: Rogue Antimalware (FakeAV, 2014 year)

Posted: Mon Sep 08, 2014 11:25 am
by Xylitol

Re: Rogue Antimalware (FakeAV, 2014 year)

Posted: Sun Oct 19, 2014 7:09 pm
by bandicoot_
Hi, this is my first post on the forums.

While looking in the payment page, I found that the website for the rogue above is [url]hxxp://www.softcleaning.net[/url] (Warning: WILL infect!!!)

Note the site is very generic where it only says "Antivirus 2014".

Re: Rogue Antimalware (FakeAV, 2014 year)

Posted: Mon Oct 20, 2014 7:11 pm
by Xylitol
bandicoot_ wrote:Hi, this is my first post on the forums.
Welcome, I suggest you read the forum rules: http://www.kernelmode.info/forum/viewtopic.php?f=8&t=16
bandicoot_ wrote:While looking in the payment page, I found that the website for the rogue above is [url]hxxp://www.softcleaning.net[/url]
What I said just before your post:
Xylitol wrote:• dns: 1 ›› ip: 146.0.79.164 - adress: SOFTCLEANING.NET
bandicoot_ wrote:(Warning: WILL infect!!!)
I don't see any hostile code on this site.

Re: Rogue Antimalware (FakeAV, 2014 year)

Posted: Mon Nov 03, 2014 1:02 pm
by Ramtadryla
Hi, maybe someone has a sample of "Spyware Defender" (or "System Defender") fake av (hxxp://spyware-defender.com)?