Rogue Antimalware (FakeAV, 2014 year)

Forum for analysis and discussion about malware.
Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Rogue Antimalware (FakeAV, 2014 year)

Post by Xylitol » Wed Jan 01, 2014 6:08 pm


2010 year FakeAV
2011 year FakeAV
2012 year FakeAV
2013 year FakeAV


Windows Accelerator Pro
https://www.virustotal.com/en/file/6946 ... 388598425/ > 6/46
http://web-sniffer.net/index.php?url=ht ... =GET&uak=0
Network activities:


http://zocrxiyds.freetzi.com/1.php
• dns: 1 ›› ip: 69.162.82.253 - adresse: ZOCRXIYDS.FREETZI.COM
http://c3913c6c.webantiviruslk.pl/index.html
• dns: 1 ›› ip: 109.236.86.172 - adresse: C3913C6C.WEBANTIVIRUSLK.PL
---
http://93.115.82.248/?0=1&1=1&2=9&3=i&4=2600&5=1&6=1111&7=obqrhutjgv
http://93.115.82.248/?0=1&1=1&2=9&3=p&4=2600&5=1&6=1111&7=obqrhutjgv
http://94.185.80.155/customgate2/?callback=jQuery17203112214965869417_1388599195453&name=Xylibox+Labs&email=xylitol%40malwareint.com&num=4111111111111111&cvv=147&year=2017&month=05&phone=3-478-856-54-05&address=123+winlocker+street&country=FRA&state=XX&zip=75000&option=0&support=false&id=1&sub_id=1&install_id=obqrhutjgv&project_id=9&serial=EWBWF-QYHBS-XGTGK-EH0A&_=1388599353015
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195454&transaction_id=646959059412b4308a4c613844951708&_=1388599356453
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195455&transaction_id=646959059412b4308a4c613844951708&_=1388599359469
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195456&transaction_id=646959059412b4308a4c613844951708&_=1388599362469
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195457&transaction_id=646959059412b4308a4c613844951708&_=1388599365469
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195458&transaction_id=646959059412b4308a4c613844951708&_=1388599368469
http://93.115.82.248/?0=1&1=1&2=9&3=p&4=2600&5=1&6=1111&7=obqrhutjgv
--


fakeav://payandsec.com/p/?group=sgp&nid=9A93E62D&affid=85700&lid=0040&ver=0040 https://www.virustotal.com/en/ip-address/178.162.199.33/information/
fakeav://sgpsupport.com/
https://www.virustotal.com/en/ip-addres ... formation/
https://www.virustotal.com/en/ip-addres ... formation/
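Added defender-side example (Python, not from the original post): it parses the captured URLs above into beacon, payment-form and payment-poll events and ties them together by install id. It assumes, from the visible values only, that beacon key 2 carries the project_id and key 7 the install_id, and it keeps only the last four digits of the card number.

```python
"""Parse the Windows Accelerator Pro capture shown above into events.
Added example, not from the original post. Assumption (from the visible values
only): beacon key 2 is the project_id and key 7 the install_id."""
from urllib.parse import urlsplit, parse_qs

# Sample lines copied from the capture in the post above.
SAMPLE_URLS = [
    "http://93.115.82.248/?0=1&1=1&2=9&3=i&4=2600&5=1&6=1111&7=obqrhutjgv",
    "http://94.185.80.155/customgate2/?callback=jQuery17203112214965869417_1388599195453&name=Xylibox+Labs&email=xylitol%40malwareint.com&num=4111111111111111&cvv=147&year=2017&month=05&phone=3-478-856-54-05&address=123+winlocker+street&country=FRA&state=XX&zip=75000&option=0&support=false&id=1&sub_id=1&install_id=obqrhutjgv&project_id=9&serial=EWBWF-QYHBS-XGTGK-EH0A&_=1388599353015",
    "http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195454&transaction_id=646959059412b4308a4c613844951708&_=1388599356453",
    "http://93.115.82.248/?0=1&1=1&2=9&3=p&4=2600&5=1&6=1111&7=obqrhutjgv",
]


def classify(url):
    """Return (kind, fields) for one URL, or None if it is not FakeAV traffic."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # Beacon: positional keys "0".."7"; key 3 is the event code (i and p seen).
    if set(q) == {str(i) for i in range(8)}:
        return "beacon", {"event": q["3"], "project_id": q["2"], "install_id": q["7"]}
    # Payment form: card data plus the same install/project ids as the beacon.
    if parts.path == "/customgate2/" and "num" in q:
        return "payment_form", {"install_id": q.get("install_id"),
                                "project_id": q.get("project_id"),
                                "card_last4": q["num"][-4:]}  # never log the full PAN
    if parts.path == "/customgate2/process/" and "transaction_id" in q:
        return "payment_poll", {"transaction_id": q["transaction_id"]}
    return None


def correlate(urls):
    """Group events per install_id; count result polls per transaction_id."""
    victims, polls = {}, {}
    for url in urls:
        hit = classify(url)
        if hit is None:
            continue
        kind, f = hit
        if kind == "payment_poll":
            polls[f["transaction_id"]] = polls.get(f["transaction_id"], 0) + 1
            continue
        v = victims.setdefault(f["install_id"], {"project_id": f["project_id"], "events": [], "card_last4": None})
        if kind == "beacon":
            v["events"].append(f["event"])
        else:
            v["card_last4"] = f["card_last4"]
    return victims, polls
```

Run `correlate` over proxy or sandbox URL logs to see, per infection, the install beacon, the later ping beacon and whether a card form was ever submitted to the payment gateway.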

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by Win32:Virut » Wed Jan 01, 2014 7:17 pm


dairu87
Posts: 7
Joined: Sun Sep 22, 2013 8:55 pm

BitNefender Fake AV

Post by dairu87 » Wed Jan 01, 2014 11:13 pm

Ran across a really nasty Fake AV today... Came with some sort of bootkit... another tech had already removed the rootkit so I cannot identify that... but this Fake AV doesn't seem to be pulling up anything to interfere with people's machines... It looks like it is just running in the background... It dumps a bunch of randomly named folders to %appdata% and fills them with randomly named .exe's to invoke its primary process and max out the CPU & memory. It doesn't seem to have a limit to how many of those directories it makes either... There were about 40 different directories all filled with malicious .exe's. It also dumps around 10-12 randomly named .exe's into the syswow64 directory. I was unable to obtain any samples of a dropper unfortunately (sorry), but was wondering... has anyone else seen this nasty thing?

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: BitNefender Fake AV

Post by patriq » Fri Jan 03, 2014 10:21 pm

dairu87 wrote: Ran across a really nasty Fake AV today... I was unable to obtain any samples of a dropper unfortunately (sorry), but was wondering... has anyone else seen this nasty thing?
No sample or hash of the file?

Don't think you will find much without those details. Good luck anyway.

malwareMD
Posts: 1
Joined: Sat Jan 04, 2014 1:14 am

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by malwareMD » Sat Jan 04, 2014 1:19 am

Thanks for sharing, we have also seen similar variants in the past week.

Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by Cody Johnston » Sat Jan 04, 2014 4:19 pm

malwareMD wrote: Thanks for sharing, we have also seen similar variants in the past week.
dairu87 wrote: It dumps a bunch of randomly named folders to %appdata% and fills them with randomly named .exe's to invoke its primary process and max out the CPU & memory.
dairu87 wrote: It also dumps around 10-12 randomly named .exe's into the syswow64 directory.
Please share what you find if you come across this again. A sample of each exe from %appdata% and syswow64/system32 will work. A screenshot and VirusTotal scan would be very helpful for us as well. Use the first 2 posts in this topic as an example. Many times with rogues the exe that runs the UI acts also as a dropper, so you may in fact have found a dropper already. Thanks! :)

Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: BitNefender Fake AV

Post by Cody Johnston » Wed Jan 08, 2014 12:25 am

dairu87 wrote: Ran across a really nasty Fake AV today... Came with some sort of bootkit... another tech had already removed the rootkit so I cannot identify that... but this Fake AV doesn't seem to be pulling up anything to interfere with people's machines... It looks like it is just running in the background... It dumps a bunch of randomly named folders to %appdata% and fills them with randomly named .exe's to invoke its primary process and max out the CPU & memory. It doesn't seem to have a limit to how many of those directories it makes either... There were about 40 different directories all filled with malicious .exe's. It also dumps around 10-12 randomly named .exe's into the syswow64 directory. I was unable to obtain any samples of a dropper unfortunately (sorry), but was wondering... has anyone else seen this nasty thing?
Attached the dropper, it was in %localappdata% in a randomly named folder. Looks like Cidox.B was the bootkit on this one.

Publisher BitMefender S.R.L.

MD5 204806d51d301a99be49b8882a791cfc
https://www.virustotal.com/en/file/10cc ... 389139839/

bitstechs
Posts: 17
Joined: Wed Jun 19, 2013 7:38 am

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by bitstechs » Wed Jan 08, 2014 3:00 pm

Hmm, must have good anti-VM on that dropper, Cody. I've got my VirtualBox patched for anti-VM and the virus doesn't want to infect it, any thoughts or workarounds?

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by Win32:Virut » Fri Jan 10, 2014 3:35 pm


hx1997
Posts: 101
Joined: Sat Apr 07, 2012 12:16 am

Re: Rogue Antimalware (FakeAV, 2014 year)

Post by hx1997 » Sun Jan 12, 2014 12:05 pm

Smart Guard Protection - Malware Security Suite

VT low detection 3 / 45
https://www.virustotal.com/en/file/2304 ... 389528458/
