
Re: Rogue antimalware (FakeAV, FakeAlert)

PostPosted:Wed Apr 20, 2011 9:21 am
by EP_X0FF
deco11 wrote:advanced security tool 2010
Original attachment removed, see comment.
Attached: re-uploaded original and unpacked exe (Solodovnikov's creation removed).

Crapware is of Russian origin and was written with CodeGear RAD Studio v12.0.3170.16989

Re: Rogue antimalware (FakeAV, FakeAlert)

PostPosted:Wed Apr 20, 2011 9:24 am
by EP_X0FF
@deco11

I recommend you follow this link and read that topic: http://www.kernelmode.info/forum/viewtopic.php?f=8&t=16

Antivirus AntiSpyware 2011

PostPosted:Thu Apr 21, 2011 4:10 pm
by bitx
Antivirus AntiSpyware 2011


Re: Rogue antimalware (FakeAV, FakeAlert)

PostPosted:Thu Apr 21, 2011 4:32 pm
by EP_X0FF
That's a continuation of the FakeAV "Security Essentials 2010" and "Internet Security 2010" :)


http://forum.sysinternals.com/fake-av-s ... 22020.html
http://forum.sysinternals.com/forum_pos ... l-3#115292

Re: Rogue antimalware (FakeAV, FakeAlert)

PostPosted:Thu Apr 21, 2011 4:38 pm
by Xylitol
@lolikas: for register your Antivirus AntiSpyware 2011: AAS17-F7D9M-G3B2A or AAS17F7D9MG3B2A

---
Fake BitDefender 2011

http://www.virustotal.com/file-scan/rep ... 1303403611


Fake BitDefender 2011 serial: BKI14-HJP10-IKO78-OBK894-XYL77

kg:
; MASM32 listing posted in the thread: a "serial" generator for the rogue
; "Fake BitDefender 2011" scareware. 32-bit Win32, flat model, stdcall,
; Intel/MASM syntax. Entry point is `start` (see `end start` at the bottom).
.386
.model flat, stdcall
option casemap :none

      include windows.inc
      include user32.inc
      include kernel32.inc
      include C:\masm32\macros\macros.asm
      includelib user32.lib
      includelib kernel32.lib

; Forward declarations (stdcall). RandomAP/RandomN take (Length_, OutPut)
; and write Length_ characters at OutPut; see the procs below for details.
DlgProc     PROTO   :DWORD,:DWORD,:DWORD,:DWORD
RandomAP    PROTO   :DWORD,:DWORD
RandomN     PROTO   :DWORD,:DWORD

.const
; Dialog and control ids. They must agree with the resource script
; (IDD_MAIN, IDB_EXIT, IDC_SERIAL, IDB_GENERATE are defined there);
; IDC_NAME and IDB_ABOUT are not referenced anywhere in this listing.
IDD_MAIN        equ 1000
IDB_EXIT            equ 1001
IDC_NAME        equ 1002
IDC_SERIAL      equ 1005
IDB_GENERATE    equ 1006
IDB_ABOUT       equ 1007

.data
Rndm        dd  0                       ; generator state; RandomAP/RandomN fold GetTickCount into it
b10         db  "0123456789012345",0    ; 16-entry digit table: the index is masked to 0..15, so '0'..'5' occur twice
Base26A     db  "ABCDEFGHIJKLMNOP",0    ; despite the name only 16 letters (A..P) -- same 4-bit index
tab             db   "-",0              ; separator between serial groups
hc          db  "XYL",0                 ; fixed prefix of the last group

.data?
; RandomAP/RandomN write no NUL terminator: the lstrcpy/lstrcat calls in
; DlgProc rely on these buffers being all-zero (fresh .data? section, then
; RtlZeroMemory after every use) for the string end.
hInstance   dd  ?
szSerial    db  100h    dup(?)          ; scratch: letter group from RandomAP
szSerial2   db  100h    dup(?)          ; scratch: digit group from RandomN
szFinal db  100h    dup(?)              ; assembled serial, shown in IDC_SERIAL

.code
; Entry point: run IDD_MAIN as a modal dialog and exit with its result
; (DlgProc ends it with EndDialog(hWnd, 0), so normally exit code 0).
start:
    invoke  GetModuleHandle, NULL
    mov hInstance, eax
    invoke  DialogBoxParam, hInstance, IDD_MAIN, 0, offset DlgProc, 0
    invoke  ExitProcess, eax

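;-----------------------------------------------------------------------
; AppendGroup(nLetters, nDigits, pSuffix)      -- private helper for DlgProc
; Appends one serial group to szFinal: nLetters random letters (RandomAP;
; skipped when nLetters == 0), nDigits random digits (RandomN), then the
; string at pSuffix (NULL = nothing). The scratch buffers are re-zeroed
; afterwards because RandomAP/RandomN write no NUL terminator themselves
; and the next lstrcat must find the string end.
; ABI: stdcall. Clobbers eax, ecx, edx plus whatever the callees clobber.
;-----------------------------------------------------------------------
AppendGroup proc nLetters:DWORD,nDigits:DWORD,pSuffix:DWORD
    .if nLetters != 0
        invoke  RandomAP,nLetters,addr szSerial
        invoke  lstrcat,addr szFinal,addr szSerial
    .endif
    invoke  RandomN,nDigits,addr szSerial2
    invoke  lstrcat,addr szFinal,addr szSerial2
    .if pSuffix != 0
        invoke  lstrcat,addr szFinal,pSuffix
    .endif
    invoke  RtlZeroMemory,addr szSerial,sizeof szSerial
    invoke  RtlZeroMemory,addr szSerial2,sizeof szSerial2
    ret
AppendGroup endp

;-----------------------------------------------------------------------
; INT_PTR DlgProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure for IDD_MAIN. Always returns 0 (FALSE), as before.
;   WM_INITDIALOG: sets the window icon (icon resource id 200).
;   WM_COMMAND:    IDB_EXIT closes the dialog; IDB_GENERATE builds a serial
;                  of the form LLLDD-LLLDD-LLLDD-LLLDDD-XYLDD (L = letter,
;                  D = digit) and shows it in IDC_SERIAL.
;   WM_CLOSE:      EndDialog(hWnd, 0).
; esi/edi are saved because RandomAP/RandomN use them as string pointers.
;-----------------------------------------------------------------------
DlgProc proc uses esi edi hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    mov     eax,uMsg
    .if eax == WM_INITDIALOG
        invoke  LoadIcon,hInstance,200
        invoke  SendMessage, hWnd, WM_SETICON, 1, eax
    .elseif eax == WM_COMMAND
        ; WM_COMMAND carries the control id in LOWORD(wParam) and the
        ; notification code in HIWORD(wParam); compare the id only.
        movzx   eax,word ptr wParam
        .if eax == IDB_EXIT
            invoke  SendMessage, hWnd, WM_CLOSE, 0, 0
        .elseif eax == IDB_GENERATE
            ; start from an empty szFinal instead of relying on the
            ; previous run having cleared it
            invoke  RtlZeroMemory,addr szFinal,sizeof szFinal
            invoke  AppendGroup,3,2,addr tab
            invoke  AppendGroup,3,2,addr tab
            invoke  AppendGroup,3,2,addr tab
            invoke  AppendGroup,3,3,addr tab
            invoke  lstrcat,addr szFinal,addr hc
            invoke  AppendGroup,0,2,NULL
            invoke  SetDlgItemText,hWnd,IDC_SERIAL,addr szFinal
            invoke  RtlZeroMemory,addr szFinal,sizeof szFinal
        .endif
    .elseif eax == WM_CLOSE
        invoke  EndDialog, hWnd, 0
    .endif
    xor     eax,eax                     ; return FALSE for every message
    ret
DlgProc endp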

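;-----------------------------------------------------------------------
; void RandomAP(DWORD Length_, char *OutPut)
; Writes Length_ letters taken from Base26A (A..P) to OutPut, then a NUL.
; Not a real PRNG: every step folds GetTickCount into the global Rndm and
; uses its low 4 bits as the table index, so the output is derived from
; the millisecond tick count and is predictable. That is left as-is; only
; the calling-convention defects are fixed:
;   - the loop counter lived in ecx across a call (ecx is caller-saved in
;     Win32 stdcall), it is now kept in callee-saved ebx;
;   - esi/edi are callee-saved in Win32 and are now preserved via USES
;     (the caller in this listing masked the clobber with its own USES);
;   - Length_ == 0 no longer wraps the counter into a ~4G-iteration loop;
;   - the result is NUL-terminated instead of relying on a pre-zeroed buffer.
; In:   Length_ = character count; OutPut -> buffer of >= Length_+1 bytes
; Out:  OutPut[0..Length_) filled, OutPut[Length_] = 0; Rndm updated
; Clobbers: eax, ecx, edx, flags. Assumes DF = 0 (Win32 convention).
;-----------------------------------------------------------------------
RandomAP Proc uses ebx esi edi Length_:DWORD,OutPut:DWORD
    mov     ebx,Length_                 ; ebx = characters remaining, survives the call below
    mov     esi,offset Base26A
    mov     edi,OutPut
    .while ebx != 0
        invoke  GetTickCount
        add     Rndm,eax                ; mix the tick count into the state
        add     Rndm,'abcd'
        mov     eax,Rndm
        rol     Rndm,4                  ; rotate so the next pick sees a different nibble
        and     eax,0Fh                 ; 0..15 -> index into the 16-entry table
        mov     al,byte ptr [esi+eax]
        stosb                           ; *edi++ = al
        dec     ebx
    .endw
    mov     byte ptr [edi],0            ; terminate the string
    ret
RandomAP endp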

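;-----------------------------------------------------------------------
; void RandomN(DWORD Length_, char *OutPut)
; Writes Length_ digits taken from b10 ("0123456789012345") to OutPut,
; then a NUL. Same generator as RandomAP: GetTickCount is folded into the
; global Rndm and the low 4 bits index the 16-entry table, so '0'..'5'
; are picked twice as often as '6'..'9' and the output is predictable.
; Generator kept as-is; only the calling-convention defects are fixed:
;   - the loop counter lived in ecx across a call (caller-saved in Win32
;     stdcall), it is now kept in callee-saved ebx;
;   - esi/edi are callee-saved in Win32 and are now preserved via USES;
;   - Length_ == 0 no longer wraps the counter into a ~4G-iteration loop;
;   - the result is NUL-terminated instead of relying on a pre-zeroed buffer.
; In:   Length_ = character count; OutPut -> buffer of >= Length_+1 bytes
; Out:  OutPut[0..Length_) filled, OutPut[Length_] = 0; Rndm updated
; Clobbers: eax, ecx, edx, flags. Assumes DF = 0 (Win32 convention).
;-----------------------------------------------------------------------
RandomN Proc uses ebx esi edi Length_:DWORD,OutPut:DWORD
    mov     ebx,Length_                 ; ebx = characters remaining, survives the call below
    mov     esi,offset b10
    mov     edi,OutPut
    .while ebx != 0
        invoke  GetTickCount
        add     Rndm,eax                ; mix the tick count into the state
        add     Rndm,'abcd'
        mov     eax,Rndm
        rol     Rndm,4                  ; rotate so the next pick sees a different nibble
        and     eax,0Fh                 ; 0..15 -> index into the 16-entry table
        mov     al,byte ptr [esi+eax]
        stosb                           ; *edi++ = al
        dec     ebx
    .endw
    mov     byte ptr [edi],0            ; terminate the string
    ret
RandomN endp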
end start                               ; end of module; program entry point is `start`
;This Resource Script was generated by WinAsm Studio.
// Dialog template for the keygen window. The ids must match the .const
// block of the MASM source (IDD_MAIN / IDB_EXIT / IDC_SERIAL / IDB_GENERATE);
// the asm side also declares IDC_NAME and IDB_ABOUT, which have no control here.

#define IDD_MAIN 1000
#define IDB_EXIT 1001
#define IDC_SERIAL 1005
#define IDB_GENERATE 1006

// 268x19 dialog units: a single row of [serial box] [Generate] [Exit].
IDD_MAIN DIALOGEX 10,10,268,19
CAPTION "Fake BitDefender 2011 *KeyGen*"
FONT 8,"Tahoma"
STYLE 0x90c80804
EXSTYLE 0x00000188
BEGIN
    // The serial edit has the ES_READONLY bit (0x800) set in its style, so the
    // user cannot type into it; DlgProc fills it with SetDlgItemText. "Xylitol"
    // is just the initial text shown before the first Generate.
    CONTROL "Exit",IDB_EXIT,"Button",0x10010000,220,3,45,13,0x00020000
    CONTROL "Xylitol",IDC_SERIAL,"Edit",0x50010801,3,3,167,13,0x00020000
    CONTROL "Generate",IDB_GENERATE,"Button",0x10010000,173,3,44,13,0x00020000
END
edit: another vt: http://www.virustotal.com/file-scan/rep ... 1303403931
sample repacked :x

Re: Rogue antimalware (FakeAV, FakeAlert)

PostPosted:Fri Apr 29, 2011 5:23 pm
by Xylitol
CleanThis

repacked CleanThis




VT: 3/42 >> 7.1%
https://www.virustotal.com/file-scan/re ... 1304091561

Re: Rogue antimalware (FakeAV, FakeAlert)

PostPosted:Sat Apr 30, 2011 6:17 am
by thekillergreece
Rogue antivirus threat found!:Antivirus center!
Pass: infected

Re: Rogue antimalware (FakeAV, FakeAlert)

PostPosted:Sat Apr 30, 2011 3:58 pm
by a_d_13
Hello,

thekillergreece: I have added a password to the archive. Please be sure to password-protect malware samples in future.

Thanks,
--AD

Re: Rogue antimalware (FakeAV, FakeAlert)

PostPosted:Sun May 01, 2011 7:59 am
by Xylitol
Security Shield


VT 7/41 >> 17.1%
http://www.virustotal.com/file-scan/rep ... 1304235188
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9NA==
X-Message-Status: n
X-SID-PRA: Security Shield <support@gods-support.com>
X-AUTH-Result: NONE
X-Message-Info: 6sSXyD95QpXVWcVGuYnXAzv4aWyjS8hakKG2aii+CD3n4o+ema3a5oL6WEtHot7IEE8RWG9T+VRElyxrKzFyYlwgzVMA+F07288PQ+dYKrs=
Received: from pcsecuritysolutions.biz ([195.225.55.16]) by bay0-mc2-f4.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
	 Sun, 1 May 2011 00:16:28 -0700
Received: from v-2-do12-d1334-16.webazilla.com (v-2-do12-d1334-16.webazilla.com [127.0.0.1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pcsecuritysolutions.biz (Postfix) with ESMTP id 0856C2A0234
	for <phoenixbytes@live.fr>; Sun,  1 May 2011 07:16:11 +0000 (UTC)
Received: (from www@localhost)
	by v-2-do12-d1334-16.webazilla.com (8.13.8/8.13.8/Submit) id p417GAc1001577;
	Sun, 1 May 2011 07:16:10 GMT
Date: Sun, 1 May 2011 07:16:10 GMT
To: ******@live.fr
Subject: Your ST registration key
X-PHP-Originating-Script: 5001:send_key.php
From: Security Shield<support@gods-support.com>
Reply-To: Security Shield<support@gods-support.com>
Message-ID: <1304234170-support@gods-support.com>
X-Mailer: PHP v5.3.3
Return-Path: www@v-2-do12-d1334-16.webazilla.com
X-OriginalArrivalTime: 01 May 2011 07:16:28.0620 (UTC) FILETIME=[B06908C0:01CC07CF]

Your new serial key: 64C665BE-4DE7-423B-A6B6-BC0172B25DF2
Regards, ST support

Some moderation

PostPosted:Sun May 01, 2011 10:11 am
by EP_X0FF
Flood and offtopic deleted.

deco11 and thekillergreece both go to rest until May 4, 2011.

Reasons: Prophylactic ban due to repeated flooding with nonsense replies and contempt of forum rules. It also seems both are banned from Google and the forum's "Search" button is unavailable to them too.
Next time this will be a permanent ban, including all their IPs.