[rkhunter]

Fake Antivirus Industry Down, But Not Out

A little quote from article - Support info for MacDefender and other fake AV products - found by Russian police on a ChronoPay PC.

Just take look on this guy, these eyes can't lie :) Somehow remember me some Rustock operator - the same happy smile and confidence in his own importance.

Yeah, he was arrested in June, after he arrived from the rest, as i know. Also he known as RedEye, his blog:
http://redeye-blog.com/.

ChronoPay Co-Founder Arrested

Vrublevsky, 32, is probably best known as the co-owner of the Rx-Promotion rogue online pharmacy program. His company also consistently has been involved in credit card processing for — and in many cases setting up companies on behalf of — rogue anti-virus or “scareware” scams that use misleading PC security alerts in a bid to frighten people into purchasing worthless security software.

http://krebsonsecurity.com/2011/06/chro ... -arrested/

One day before he was arrested, FBI performed a large-scale operation roundup of scareware distributors, "Operation Trident Tribunal".

The first of the international criminal groups disrupted by Operation Trident Tribunal infected hundreds of thousands of computers with scareware and sold more than $72 million of the fake antivirus product over a period of three years.

http://www.fbi.gov/news/pressrel/press- ... -scareware

Told, that ChronoPay was main processing company for money transfer.

[Flamef]

Fake Antivirus Industry Down, But Not Out

A little quote from article - Support info for MacDefender and other fake AV products - found by Russian police on a ChronoPay PC.

Just take look on this guy, these eyes can't lie :) Somehow remember me some Rustock operator - the same happy smile and confidence in his own importance.

Yeah, he was arrested in June, after he arrived from the rest, as i know. Also he known as RedEye, his blog:
http://redeye-blog.com/.

ChronoPay Co-Founder Arrested

Vrublevsky, 32, is probably best known as the co-owner of the Rx-Promotion rogue online pharmacy program. His company also consistently has been involved in credit card processing for — and in many cases setting up companies on behalf of — rogue anti-virus or “scareware” scams that use misleading PC security alerts in a bid to frighten people into purchasing worthless security software.

http://krebsonsecurity.com/2011/06/chro ... -arrested/

One day before he was arrested, FBI performed a large-scale operation roundup of scareware distributors, "Operation Trident Tribunal".

The first of the international criminal groups disrupted by Operation Trident Tribunal infected hundreds of thousands of computers with scareware and sold more than $72 million of the fake antivirus product over a period of three years.

http://www.fbi.gov/news/pressrel/press- ... -scareware

Told, that ChronoPay was main processing company for money transfer.

How about the Rustock author?Microsoft offers 250k euros for him :D .
Anyway,i think such minds are not made to be in jail,you can't arrest an idea,a mind.His skills are kind of priceless and should not be wasted.Similar story with Zlob author,microsoft offered him a job but he said it was just life's irony.The only difference is that,microsoft will never offer rustock author a job :mrgreen:

[rsav]

Wolfram Antivirus

[bitx]

Home Safety Essentials

[Xylitol]

bitx can you provid the 'installed' version ?
won't extract on my xp

Code: Select all

0040941B  |. 53             PUSH EBX                                 ; /hTemplateFile
0040941C  |. 68 80000000    PUSH 80                                  ; |Attributes = NORMAL
00409421  |. 6A 02          PUSH 2                                   ; |Mode = CREATE_ALWAYS
00409423  |. 53             PUSH EBX                                 ; |pSecurity
00409424  |. 6A 01          PUSH 1                                   ; |ShareMode = FILE_SHARE_READ
00409426  |. 68 00000040    PUSH 40000000                            ; |Access = GENERIC_WRITE
0040942B  |. FF75 14        PUSH DWORD PTR SS:[EBP+14]               ; |FileName
0040942E  |. FF15 74114000  CALL DWORD PTR DS:[401174]               ; \CreateFileA


01A4B98C   00335150  |FileName = "C:\Documents and Settings\All Users\Application Data\1be6f9\HomeSE.exe"
01A4B990   40000000  |Access = GENERIC_WRITE
01A4B994   00000001  |ShareMode = FILE_SHARE_READ
01A4B998   00000000  |pSecurity = NULL
01A4B99C   00000002  |Mode = CREATE_ALWAYS
01A4B9A0   00000080  |Attributes = NORMAL
01A4B9A4   00000000  \hTemplateFile = NULL
01A4B9A8   00000104
01A4B9AC   7C830D64  RETURN to kernel32.lstrcmpA

will check that deeper later

Code: Select all

lGET
Mozilla/5.0 (Windows; U; Windows NT 5.1; en;)
!This program cannot be run in DOS mode.
Rich
pJN
.text
`.data
.rsrc
wMI
wBx
wyo
qog
qUS
wNb
wQN
wPz
wpo
OLLYDBG
DBGHELP.DLL
SBIEDLL.DLL
C:\file.exe
CurrentUser
Sandbox
ProductID
Software\Microsoft\Windows NT\CurrentVersion
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
BW_UPDATE_WINDOW_MSG
Debugger
svchost.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
bad allocation
Delete
NoRemove
ForceRemove
Val
\\.\PhysicalDrive%d
%02X%02X%02X%02X%02X%02X
\*.exe
wvUnKnown
wv2k3
wvVista
wv2k8
wvXP
wvNT
wv2K
wvME
APPDATA
ALLUSERSPROFILE
USERPROFILE
ComSpec
/c "%s"  >> NUL
if exist "%s" goto Repeat
del "%s"
:Repeat
del.bat
TEMP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.net
.com
%u%u%u%u%u
update2.
update1.
update.
report2.
-----
WinHttpQueryHeaders
WinHttpAddRequestHeaders
WinHttpCloseHandle
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpOpenRequest
WinHttpConnect
WinHttpOpen
winhttp.dll
InternetReadFile
HttpAddRequestHeadersA
InternetGetCookieA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
wininet.dll
GET /
HEAD /
HTTP/
Keep-Alive
text/html, */*
Mozilla/3.0
http://
%s?%s=%s
%s?controller=hash
$controller=hash&mid=
Host
User-Agent
Accept
Connection
Content-Length
PsImSvc.exe;pavprsrv.exe;PavFnSvr.exe;avciman.exe;AVENGINE.EXE;pavsrv51.exe;PskSvc.exe;TPSrv.exe;WebProxy.exe;PsCtrls.exe;ekrn.exe;egui.exe;McSACore.exe;mcmscsvc.exe;mcnasvc.exe;mcproxy.exe;mcsysmon.exe;MPFSrv.exe;mcshell.exe;AluSchedulerSvc.exe;ccSvcHst.exe;symlcsvc.exe;ccSvcHst.exe;sched.exe;avcenter.exe;avgtray.exe;avgemc.exe;avgui.exe;bdmcon.exe;bdagent.exe;ashDisp.exe;AAWTray.exe;Ad-Aware.exe;MSASCui.exe;_avp32.exe;_avpcc.exe;_avpm.exe;aAvgApi.exe;ackwin32.exe;adaware.exe;advxdwin.exe;agentsvr.exe;agentw.exe;alertsvc.exe;alevir.exe;alogserv.exe;amon9x.exe;anti-trojan.exe;antivirus.exe;ants.exe;apimonitor.exe;aplica32.exe;apvxdwin.exe;arr.exe;atcon.exe;atguard.exe;atro55en.exe;atupdater.exe;atwatch.exe;au.exe;aupdate.exe;auto-protect.nav80try.exe;autodown.exe;autotrace.exe;autoupdate.exe;avconsol.exe;ave32.exe;avgcc32.exe;avgctrl.exe;avgnt.exe;avgrsx.exe;avgserv.exe;avgserv9.exe;avguard.exe;avgw.exe;avkpop.exe;avkserv.exe;avkservice.exe;avkwctl9.exe;avltmain.exe;avnt.exe;avp.exe;avp32.exe;avpcc.exe;avpdos
a.exe;b.exe;c.exe;d.exe;
330F1D371B1619
Common
ExeName
$report=%s&appType=%1d&mid=%s&ls=%s&uid=%s&wv=%s&pid=%s&isStart=%d$
Microinstall
FINISH PREPARE FOR EXIT
EXTRACT SETPACK
controller=microinstaller&abbr=%s&setupType=%s&ttl=%s&pid=%s&uid=%s&mid=%s
RUN APP
.exe
/verysilent
GO DOWNLOAD
&VerInt=
VerInt
&sid=
sid
D:\Work\AdwareProjects\DeskTopWork\Cleaners\VirusDoctor
/F /IM 
REMOVE
FINISHED PREPARE FOR EXIT
UNINSTALL
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
%s %s%d 
SOFTWARE\BitDefender\
SOFTWARE\KasperskyLab\
Root
SOFTWARE\4\
SOFTWARE\3\
SOFTWARE\Zone Labs\ZoneAlarm\
SOFTWARE\Eset\Nod\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WebrootDesktopFirewall.exe\
SOFTWARE\Symantec\Norton AntiVirus\
SOFTWARE\Sophos\SAVService\Application\
SOFTWARE\rising\Rav\
SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal\
SOFTWARE\Data Fellows\F-Secure\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E58B329B-FB28-4874-90DE-0D7CB2709267}\
SOFTWARE\BitDefender\BitDefender Antivirus 2008\
SOFTWARE\AVG\
SOFTWARE\ComodoGroup\CDI\
SOFTWARE\Agnitum\Security Suite\
/uid=
/brc=
uid=7
uid=
uid
test_uid
Virus1Doctor1Installer1Mutex1
test
user32
BINARY
kernel32.dll
---------
HSE.cfg
HSE
INSTALLER
ls;bid;uid;"http://trdatasft.com;trdatasft.com
HSE
SetupRelease.cab
SetupReleaseXP.cab
http://67.213.222.16/
TMainWindowHSE HOME_SAFETY_ESSENTIALS_UNINSTALL
HomeSE.exe
HOME_SAFETY_ESSENTIALS_APP5http://www5.home-safety-essentials.com/uninstall.php?
SetupReleaseXP.cab
Setup.exe
Home Safety Essentials HOME_SAFETY_ESSENTIALS_APP_CLOSE/http://save-secure.com;http://securityearth.net
reports/get_install_file.php
/index.php
/index.php
VS_VERSION_INFO
StringFileInfo
FileDescription
MasterDel
FileVersion
InternalName

[EP_X0FF]

bitx can you provid the 'installed' version ?
won't extract on my xp

http://www.virustotal.com/file-scan/rep ... 1314001203

Business back to life.

[Xylitol]

found some crap like

Code: Select all

E85B840000
174.127.81.212/index.php
01A4B9B4

index.php?15bd48=kdjf0tXm1J6a09upztjL3ODO09%2FWwprP1N%2Bb0cbD5qJ6gbOP38bj3drF3tXRn9meiePh4a2K0d3Jb1Tj0tCeoZubl9LO0J%2BSkMil067VypTanmhfz52dk6DMy9SVm6KWwmCV0p2s04g%3D

update.nilanzkerhjafggb.net
update2.nilaohjqeelba.com/index.php
0033E1E1                                            75 70                up
0033E1F1  64 61 74 65 32 2E 6E 69 6C 61 6F 68 6A 71 65 65  date2.nilaohjqee
0033E201  6C 62 61 2E 63 6F 6D 2F 69 6E 64 65 78 2E 70 68  lba.com/index.ph
0033E211  70 3F 31 35 62 64 34 38 3D 6B 64 6A 66 30 74 58  p?15bd48=kdjf0tX
0033E221  6D 31 4A 36 61 30 39 75 70 7A 74 6A 4C 33 4F 44  m1J6a09upztjL3OD
0033E231  4F 30 39 25 32 46 57 77 70 72 50 31 4E 25 32 42  O09%2FWwprP1N%2B
0033E241  62 30 63 62 44 35 71 4A 36 67 62 4F 50 33 38 62  b0cbD5qJ6gbOP38b
0033E251  6A 33 64 72 46 33 74 58 52 6E 39 6D 65 69 65 50  j3drF3tXRn9meieP
0033E261  68 34 61 32 4B 30 64 33 4A 62 31 54 6A 30 74 43  h4a2K0d3Jb1Tj0tC
0033E271  65 6F 5A 75 62 6C 39 4C 4F 30 4A 25 32 42 53 6B  eoZubl9LO0J%2BSk
0033E281  4D 69 6C 30 36 37 56 79 70 54 61 6E 6D 68 66 7A  Mil067VypTanmhfz
0033E291  35 32 64 6B 36 44 4D 79 39 53 56 6D 36 4B 57 77  52dk6DMy9SVm6KWw
0033E2A1  6D 43 56 30 70 32 73 30 34 67 25 33 44           mCV0p2s04g%3D

i understand the situation now, it return me a timeout when he does sites connects
successfully worked under Ukraine vpn. and same for the fake scanner page who conduct to malicious download.
but the dropped exe crash now xD

[Maxstar]

Open Cloud Antivirus

Wireshark AV, BleuFlare, Wolfram clone.
http://www.pcwebplus.nl/phpbb/viewtopic ... 222&t=5261

MD5 : 468662b6942e312e03b0b456e97c2b3e
http://www.virustotal.com/file-scan/rep ... 1315119457

[rough_spear]

Hello All,
Five more files of FakeAVs. :D

AntiCare.exe
anticare_privacykeep.exe
lifeclean.exe

And their Links.

hxxp://down.anticare.co.kr/autoupdate/AntiCare/AntiCare.exe
hxxp://down.anticare.co.kr/app/install_2010/anticare_privacykeep.exe
hxxp://update.lifeclean.co.kr/bin/lifeclean.exe

File Name - AntiCare.7z
password - malware.

anticare_privacykeep.7z
password - malware.

lifeclean.7z
password - malware.

The remaining two files can be found in next post. ;)

Regards,


rough_spear.

[rough_spear]

Remaining two files. :lol:


Due to maximum size for attachment is 5MB.i have uploaded the PatchUp_privacykeep.7z file on hotfile.com. ;)

Url to download.

http://hotfile.com/dl/128933999/f61aeff ... ep.7z.html

PatchUp_privacykeep.7z
password - malware.

securelive.7z
password - malware.

hxxp://down.patchup.co.kr/install_2010/PatchUp_privacykeep.exe
hxxp://update.securelive.co.kr/bin/securelive.exe

Regards,


rough_spear.