Page 22 of 34
Re: Rogue antimalware (FakeAV, FakeAlert)
PostPosted:Sun Aug 07, 2011 2:28 pm
by rkhunter
EP_X0FF wrote:Fake Antivirus Industry Down, But Not Out
A little quote from the article: "Support info for MacDefender and other fake AV products - found by Russian police on a ChronoPay PC."
Just take a look at this guy, these eyes can't lie :) Somehow he reminds me of a certain Rustock operator - the same happy smile and confidence in his own importance.
Yeah, he was arrested in June, after he came back from vacation, as far as I know. He is also known as RedEye; his blog:
http://redeye-blog.com/.
ChronoPay Co-Founder Arrested
Vrublevsky, 32, is probably best known as the co-owner of the Rx-Promotion rogue online pharmacy program. His company also consistently has been involved in credit card processing for — and in many cases setting up companies on behalf of — rogue anti-virus or “scareware” scams that use misleading PC security alerts in a bid to frighten people into purchasing worthless security software.
http://krebsonsecurity.com/2011/06/chro ... -arrested/
One day before he was arrested, the FBI performed a large-scale roundup of scareware distributors, "Operation Trident Tribunal".
The first of the international criminal groups disrupted by Operation Trident Tribunal infected hundreds of thousands of computers with scareware and sold more than $72 million of the fake antivirus product over a period of three years.
http://www.fbi.gov/news/pressrel/press- ... -scareware
It is said that ChronoPay was the main processing company for the money transfers.
Re: Rogue antimalware (FakeAV, FakeAlert)
PostPosted:Sun Aug 07, 2011 3:05 pm
by Flamef
rkhunter wrote: [...]
How about the Rustock author? Microsoft offers 250k euros for him :D
Anyway, I think such minds are not made to be in jail; you can't arrest an idea, a mind. His skills are kind of priceless and should not be wasted. Similar story with the Zlob author: Microsoft offered him a job, but he said it was just life's irony. The only difference is that Microsoft will never offer the Rustock author a job :mrgreen:
Wolfram Antivirus
PostPosted:Sun Aug 14, 2011 12:15 am
by rsav
Wolfram Antivirus
Home Safety Essentials
PostPosted:Mon Aug 22, 2011 7:24 am
by bitx
Home Safety Essentials
Re: Rogue antimalware (FakeAV, FakeAlert)
PostPosted:Mon Aug 22, 2011 8:03 am
by Xylitol
bitx, can you provide the 'installed' version?
It won't extract on my XP.
Code:
0040941B |. 53 PUSH EBX ; /hTemplateFile
0040941C |. 68 80000000 PUSH 80 ; |Attributes = NORMAL
00409421 |. 6A 02 PUSH 2 ; |Mode = CREATE_ALWAYS
00409423 |. 53 PUSH EBX ; |pSecurity
00409424 |. 6A 01 PUSH 1 ; |ShareMode = FILE_SHARE_READ
00409426 |. 68 00000040 PUSH 40000000 ; |Access = GENERIC_WRITE
0040942B |. FF75 14 PUSH DWORD PTR SS:[EBP+14] ; |FileName
0040942E |. FF15 74114000 CALL DWORD PTR DS:[401174] ; \CreateFileA
01A4B98C 00335150 |FileName = "C:\Documents and Settings\All Users\Application Data\1be6f9\HomeSE.exe"
01A4B990 40000000 |Access = GENERIC_WRITE
01A4B994 00000001 |ShareMode = FILE_SHARE_READ
01A4B998 00000000 |pSecurity = NULL
01A4B99C 00000002 |Mode = CREATE_ALWAYS
01A4B9A0 00000080 |Attributes = NORMAL
01A4B9A4 00000000 \hTemplateFile = NULL
01A4B9A8 00000104
01A4B9AC 7C830D64 RETURN to kernel32.lstrcmpA
Will check that deeper later.
Code:
lGET
Mozilla/5.0 (Windows; U; Windows NT 5.1; en;)
!This program cannot be run in DOS mode.
Rich
pJN
.text
`.data
.rsrc
wMI
wBx
wyo
qog
qUS
wNb
wQN
wPz
wpo
OLLYDBG
DBGHELP.DLL
SBIEDLL.DLL
C:\file.exe
CurrentUser
Sandbox
ProductID
Software\Microsoft\Windows NT\CurrentVersion
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
BW_UPDATE_WINDOW_MSG
Debugger
svchost.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
bad allocation
Delete
NoRemove
ForceRemove
Val
\\.\PhysicalDrive%d
%02X%02X%02X%02X%02X%02X
\*.exe
wvUnKnown
wv2k3
wvVista
wv2k8
wvXP
wvNT
wv2K
wvME
APPDATA
ALLUSERSPROFILE
USERPROFILE
ComSpec
/c "%s" >> NUL
if exist "%s" goto Repeat
del "%s"
:Repeat
del.bat
TEMP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.net
.com
%u%u%u%u%u
update2.
update1.
update.
report2.
-----
WinHttpQueryHeaders
WinHttpAddRequestHeaders
WinHttpCloseHandle
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpOpenRequest
WinHttpConnect
WinHttpOpen
winhttp.dll
InternetReadFile
HttpAddRequestHeadersA
InternetGetCookieA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
wininet.dll
GET /
HEAD /
HTTP/
Keep-Alive
text/html, */*
Mozilla/3.0
http://
%s?%s=%s
%s?controller=hash
$controller=hash&mid=
Host
User-Agent
Accept
Connection
Content-Length
PsImSvc.exe;pavprsrv.exe;PavFnSvr.exe;avciman.exe;AVENGINE.EXE;pavsrv51.exe;PskSvc.exe;TPSrv.exe;WebProxy.exe;PsCtrls.exe;ekrn.exe;egui.exe;McSACore.exe;mcmscsvc.exe;mcnasvc.exe;mcproxy.exe;mcsysmon.exe;MPFSrv.exe;mcshell.exe;AluSchedulerSvc.exe;ccSvcHst.exe;symlcsvc.exe;ccSvcHst.exe;sched.exe;avcenter.exe;avgtray.exe;avgemc.exe;avgui.exe;bdmcon.exe;bdagent.exe;ashDisp.exe;AAWTray.exe;Ad-Aware.exe;MSASCui.exe;_avp32.exe;_avpcc.exe;_avpm.exe;aAvgApi.exe;ackwin32.exe;adaware.exe;advxdwin.exe;agentsvr.exe;agentw.exe;alertsvc.exe;alevir.exe;alogserv.exe;amon9x.exe;anti-trojan.exe;antivirus.exe;ants.exe;apimonitor.exe;aplica32.exe;apvxdwin.exe;arr.exe;atcon.exe;atguard.exe;atro55en.exe;atupdater.exe;atwatch.exe;au.exe;aupdate.exe;auto-protect.nav80try.exe;autodown.exe;autotrace.exe;autoupdate.exe;avconsol.exe;ave32.exe;avgcc32.exe;avgctrl.exe;avgnt.exe;avgrsx.exe;avgserv.exe;avgserv9.exe;avguard.exe;avgw.exe;avkpop.exe;avkserv.exe;avkservice.exe;avkwctl9.exe;avltmain.exe;avnt.exe;avp.exe;avp32.exe;avpcc.exe;avpdos
a.exe;b.exe;c.exe;d.exe;
330F1D371B1619
Common
ExeName
$report=%s&appType=%1d&mid=%s&ls=%s&uid=%s&wv=%s&pid=%s&isStart=%d$
Microinstall
FINISH PREPARE FOR EXIT
EXTRACT SETPACK
controller=microinstaller&abbr=%s&setupType=%s&ttl=%s&pid=%s&uid=%s&mid=%s
RUN APP
.exe
/verysilent
GO DOWNLOAD
&VerInt=
VerInt
&sid=
sid
D:\Work\AdwareProjects\DeskTopWork\Cleaners\VirusDoctor
/F /IM
REMOVE
FINISHED PREPARE FOR EXIT
UNINSTALL
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
%s %s%d
SOFTWARE\BitDefender\
SOFTWARE\KasperskyLab\
Root
SOFTWARE\4\
SOFTWARE\3\
SOFTWARE\Zone Labs\ZoneAlarm\
SOFTWARE\Eset\Nod\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WebrootDesktopFirewall.exe\
SOFTWARE\Symantec\Norton AntiVirus\
SOFTWARE\Sophos\SAVService\Application\
SOFTWARE\rising\Rav\
SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal\
SOFTWARE\Data Fellows\F-Secure\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E58B329B-FB28-4874-90DE-0D7CB2709267}\
SOFTWARE\BitDefender\BitDefender Antivirus 2008\
SOFTWARE\AVG\
SOFTWARE\ComodoGroup\CDI\
SOFTWARE\Agnitum\Security Suite\
/uid=
/brc=
uid=7
uid=
uid
test_uid
Virus1Doctor1Installer1Mutex1
test
user32
BINARY
kernel32.dll
---------
HSE.cfg
HSE
INSTALLER
ls;bid;uid;"http://trdatasft.com;trdatasft.com
HSE
SetupRelease.cab
SetupReleaseXP.cab
http://67.213.222.16/
TMainWindowHSE HOME_SAFETY_ESSENTIALS_UNINSTALL
HomeSE.exe
HOME_SAFETY_ESSENTIALS_APP5http://www5.home-safety-essentials.com/uninstall.php?
SetupReleaseXP.cab
Setup.exe
Home Safety Essentials HOME_SAFETY_ESSENTIALS_APP_CLOSE/http://save-secure.com;http://securityearth.net
reports/get_install_file.php
/index.php
/index.php
VS_VERSION_INFO
StringFileInfo
FileDescription
MasterDel
FileVersion
InternalName
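The string table above puts the Image File Execution Options path, a "Debugger" value name, "svchost.exe" and a long list of AV process names next to each other. That is the layout of the well-known IFEO "Debugger" hijack: write a Debugger value under IFEO\<av.exe> and Windows launches that command instead of the AV whenever it starts. Whether this sample actually sets such values is not established on the page, so the following is an added example, not code from the post or from the sample, that checks an exported .reg file for such hijacks against a subset of the process names listed above. The .reg text is constructed, and `find_ifeo_debuggers`, `classify_hijacks` and `KNOWN_DEBUGGERS` are my own names and assumptions.

```python
import re

# Subset of the AV process names embedded in the rogue's string table above.
AV_PROCESSES = {
    "ekrn.exe", "egui.exe", "avp.exe", "avguard.exe", "avgtray.exe",
    "ccSvcHst.exe", "MSASCui.exe", "bdagent.exe", "ashDisp.exe", "mcshell.exe",
}
_AV_LOWER = {p.lower() for p in AV_PROCESSES}

IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Debugger targets that are a legitimate reason for an IFEO entry to exist (assumption).
KNOWN_DEBUGGERS = ("windbg.exe", "vsjitdebugger.exe", "ntsd.exe", "cdb.exe", "drwtsn32.exe")

# Constructed sample of what `reg export "HKLM\...\Image File Execution Options" ifeo.reg`
# produces on a box with one real debugger entry and two hijacked AV images.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscoree.dll"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="svchost.exe"
"""

# Matches only subkeys directly under IFEO and captures the image name.
_KEY_RE = re.compile(
    r"^\[(?:HKEY_LOCAL_MACHINE|HKLM)\\" + re.escape(IFEO_PATH) + r"\\([^\\\]]+)\]$", re.I)
_DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.I)


def find_ifeo_debuggers(reg_text):
    """Return {image_name: debugger_command} for every IFEO subkey carrying a Debugger value."""
    found = {}
    image = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            image = m.group(1)
            continue
        if line.startswith("["):        # some other key: stop attributing values to an image
            image = None
            continue
        m = _DEBUGGER_RE.match(line)
        if m and image is not None:
            # .reg files escape backslashes and double quotes inside string values; undo that.
            found[image] = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
    return found


def classify_hijacks(debuggers):
    """Split Debugger entries into AV hijacks, unexplained redirections and known debuggers."""
    report = {"av_hijack": [], "suspicious": [], "known_debugger": []}
    for image, cmd in debuggers.items():
        target = cmd.split()[0].lower() if cmd.strip() else ""
        if image.lower() in _AV_LOWER:
            report["av_hijack"].append((image, cmd))
        elif target.rsplit("\\", 1)[-1] in KNOWN_DEBUGGERS:
            report["known_debugger"].append((image, cmd))
        else:
            report["suspicious"].append((image, cmd))
    return report


if __name__ == "__main__":
    for kind, entries in classify_hijacks(find_ifeo_debuggers(SAMPLE_REG)).items():
        for image, cmd in entries:
            print(f"{kind:15} {image} -> {cmd}")
```

On a live machine the same check is `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` followed by running the script over the file; the classification only tells you which entries need a second look, since a legitimate debugger can also be registered under an AV image name.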
Re: Rogue antimalware (FakeAV, FakeAlert)
PostPosted:Mon Aug 22, 2011 8:24 am
by EP_X0FF
Xylitol wrote: bitx, can you provide the 'installed' version?
It won't extract on my XP.
http://www.virustotal.com/file-scan/rep ... 1314001203
Business back to life.
Re: Rogue antimalware (FakeAV, FakeAlert)
PostPosted:Mon Aug 22, 2011 9:35 am
by Xylitol
Found some crap like
Code:
E85B840000
174.127.81.212/index.php
01A4B9B4
index.php?15bd48=kdjf0tXm1J6a09upztjL3ODO09%2FWwprP1N%2Bb0cbD5qJ6gbOP38bj3drF3tXRn9meiePh4a2K0d3Jb1Tj0tCeoZubl9LO0J%2BSkMil067VypTanmhfz52dk6DMy9SVm6KWwmCV0p2s04g%3D
update.nilanzkerhjafggb.net
update2.nilaohjqeelba.com/index.php
0033E1E1 75 70 up
0033E1F1 64 61 74 65 32 2E 6E 69 6C 61 6F 68 6A 71 65 65 date2.nilaohjqee
0033E201 6C 62 61 2E 63 6F 6D 2F 69 6E 64 65 78 2E 70 68 lba.com/index.ph
0033E211 70 3F 31 35 62 64 34 38 3D 6B 64 6A 66 30 74 58 p?15bd48=kdjf0tX
0033E221 6D 31 4A 36 61 30 39 75 70 7A 74 6A 4C 33 4F 44 m1J6a09upztjL3OD
0033E231 4F 30 39 25 32 46 57 77 70 72 50 31 4E 25 32 42 O09%2FWwprP1N%2B
0033E241 62 30 63 62 44 35 71 4A 36 67 62 4F 50 33 38 62 b0cbD5qJ6gbOP38b
0033E251 6A 33 64 72 46 33 74 58 52 6E 39 6D 65 69 65 50 j3drF3tXRn9meieP
0033E261 68 34 61 32 4B 30 64 33 4A 62 31 54 6A 30 74 43 h4a2K0d3Jb1Tj0tC
0033E271 65 6F 5A 75 62 6C 39 4C 4F 30 4A 25 32 42 53 6B eoZubl9LO0J%2BSk
0033E281 4D 69 6C 30 36 37 56 79 70 54 61 6E 6D 68 66 7A Mil067VypTanmhfz
0033E291 35 32 64 6B 36 44 4D 79 39 53 56 6D 36 4B 57 77 52dk6DMy9SVm6KWw
0033E2A1 6D 43 56 30 70 32 73 30 34 67 25 33 44 mCV0p2s04g%3D
I understand the situation now: it returns a timeout when it does the site connects.
Successfully worked under a Ukraine VPN, and the same for the fake scanner page that leads to the malicious download.
But the dropped exe crashes now xD
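The captured callback above has exactly the shape the string table predicts ("%s?%s=%s", a standard base64 alphabet, "controller=hash&mid="): one query parameter whose value is URL-encoded base64. Peeling those two layers is the first triage step. The following is an added example, not Xylitol's code or the sample's, that undoes the URL and base64 encoding of the captured URL and reports whether what comes out is readable text or an opaque blob. The only claims made about the result are its length and that the bytes are not printable; what the blob contains (it is presumably encrypted) is not established on the page. `triage`, `extract_blob` and the other function names are mine.

```python
import base64
import math
from urllib.parse import urlsplit, parse_qsl

# Callback URL exactly as captured in the post above (host and parameter name unchanged).
CAPTURED_URL = ("http://update2.nilaohjqeelba.com/index.php?15bd48="
                "kdjf0tXm1J6a09upztjL3ODO09%2FWwprP1N%2Bb0cbD5qJ6gbOP38bj3drF3tXRn9meiePh4a2K0d3J"
                "b1Tj0tCeoZubl9LO0J%2BSkMil067VypTanmhfz52dk6DMy9SVm6KWwmCV0p2s04g%3D")


def extract_blob(url):
    """Return (param_name, base64_text) for the single parameter of a '%s?%s=%s' beacon."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)  # also URL-decodes %2F, %2B, %3D
    if len(params) != 1:
        raise ValueError(f"expected exactly one query parameter, got {len(params)}")
    return params[0]


def decode_blob(b64_text):
    """Strict base64 decode using the standard alphabet seen in the sample's string table."""
    return base64.b64decode(b64_text, validate=True)


def shannon_entropy(data):
    """Bits per byte: near 0 for constant data, near log2(len) for short random-looking blobs."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_text(data):
    """True only when every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def triage(url):
    """Decode the beacon parameter and summarise what the decoded bytes look like."""
    name, b64_text = extract_blob(url)
    blob = decode_blob(b64_text)
    return {
        "param": name,
        "b64_len": len(b64_text),
        "decoded_len": len(blob),
        "head": blob[:4].hex(),
        "text": looks_like_text(blob),
        "entropy": round(shannon_entropy(blob), 2),
    }


if __name__ == "__main__":
    for key, value in triage(CAPTURED_URL).items():
        print(f"{key:12} {value}")
```

A decoded blob that is neither text nor a recognisable structure means the next layer is a cipher, and the place to look for it is the sample itself (the hash/mid/uid format strings above are what the plaintext most likely looks like before it is scrambled), not the network capture.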
Open Cloud Antivirus
PostPosted:Mon Sep 05, 2011 9:34 am
by Maxstar
Re: Rogue antimalware (FakeAV, FakeAlert)
PostPosted:Mon Sep 05, 2011 5:49 pm
by rough_spear
Hello All,
Five more files of FakeAVs. :D
AntiCare.exe
anticare_privacykeep.exe
lifeclean.exe
And their links.
hxxp://down.anticare.co.kr/autoupdate/AntiCare/AntiCare.exe
hxxp://down.anticare.co.kr/app/install_2010/anticare_privacykeep.exe
hxxp://update.lifeclean.co.kr/bin/lifeclean.exe
File Name - AntiCare.7z
password - malware.
anticare_privacykeep.7z
password - malware.
lifeclean.7z
password - malware.
The remaining two files can be found in the next post. ;)
Regards,
rough_spear.
Re: Rogue antimalware (FakeAV, FakeAlert)
PostPosted:Mon Sep 05, 2011 5:59 pm
by rough_spear
Remaining two files. :lol:
Since the maximum size for an attachment is 5MB, I have uploaded the PatchUp_privacykeep.7z file on hotfile.com. ;)
URL to download:
http://hotfile.com/dl/128933999/f61aeff ... ep.7z.html
PatchUp_privacykeep.7z
password - malware.
securelive.7z
password - malware.
hxxp://down.patchup.co.kr/install_2010/PatchUp_privacykeep.exe
hxxp://update.securelive.co.kr/bin/securelive.exe
Regards,
rough_spear.