Tuesday, 28 June 2011

Tracking Cyber Crime: Severa and Black Software AV Affiliates

I know these FakeAV affiliates since 2 weeks now, but I get inside recently with a magic tricks of Krebs, admins seem asleeps or don't want take the risk to activate new accounts (disclosure :þ)

Login page:

Registration form (account must be activated by admin):

Main menu when inside:

Statistics:

Support:

Payements:

News:

Malware download:

Guide:

Traffic rules:

Account Infos:

The downloaded file have a size of 18,5Kb only:

It's a TR/Downloader, here the download procedure:

File are saved in: C:\WINDOWS\Temp\

It will download two files, and in case of fail, it swich to another domain, all in .cz.cc:

Downloaded files:

FakeAV:

SpamBot (detected as Win32/Kelihos.B by Microsoft):

Spam lead to fake pharma:

For Black Software, it's totally identic:

Registration (account must be activated by admin):

Main page:

News:

 Account infos:

Malware download:

The CMS used seem the same as BestAV and Gargarincash.

 Edit: EP_X0FF from KernelMode forum i've made an interesting post about Severa, you can read it here, or on my blog:


More infos about Peter Severa

Related ~
Decoding Security Shield Fake scanner page (20 June 2k11)
Tracking Cyber Crime: Gagarincash AV Affiliate (19 June 2k11)
Tracking Cyber Crime: Inside the FakeAV Business (14 Jun 2k11)
Security Shield 2011 (11 Jun 2k11)
Essential Cleaner (18 May 2k11)
MS Removal Tool (29 Mar 2k11)
Security Shield (9 Dec 2k10)
System Tool (12 Dec 2k10)
Security Tool (10 Aug 2k10)

4 comments:

  1. Salut Steven, bon travail encore une fois! Tu pourrais rajouter les MD5 des fichiers ?

    Merci

    ekse

    ReplyDelete
  2. Salut ekse,
    sure.
    Downloader: B5962A2F78D0224DCAAB331016E3BC44
    Sec Shield: 0E3F7D7B2DB16045023DD36DC15FF60D
    Spam Bot: 0CA1260ECF9D2ADC78B1AF3FBDC21AD9

    ReplyDelete
  3. Haha.. i looked at the vulnes site.. there are some tools that i think they use to make the rogues.. also i googled vulnes they are even on twitter ;)

    ReplyDelete
  4. Great job Steven. You're an anti-malware rockstar.

    ReplyDelete