Monday, 22 August 2011

Home Safety Essential

Home Safety Essential is a fake Antivirus. This rogue displays fake alerts to scare users.
It replaces Anti-Malware Lab, System Smart Security, PC Security Guardian, Best Malware Protection, Internet Security Essentials, Smart Internet Protection 2011, Personal Internet Security 2011, Personal Security Sentinel, Internet Antivirus 2011, Internet Security Suite, Smart Security, My Security Shield, Security Master AV, My Security Engine, Security Guard, CleanUp Antivirus and Security Antivirus
 


To register (and help removal), use this code: K7LY-H4KA-SI9D-U2FD
Click on the Help icon, Register Now.
Enter the Serial code and click on Activate Product Key.


I was not able and maybe same for you to make work correctly Anti-Malware Lab, i was also bored to have a deeper look, finally i go to the conclusion of download issue

From France i got a timeout on all related sites (fake scanners, buy pages etc) and malwares of Home Safety Essential


And from an Ukraine VPN, all related Home Safety Essential website's load relatively fast.

Fake scanner who conduct to malware download. (originaly there is a redirect page hosted in a fake pharma who send you on this page)

Unpacking.



Anti dbg:


After passing that i got the FakeAV running correctly.

Some fun: when registered if you launch Firefox/Internet Explorer/ICQ/Skype/Msn it will display you a gif image.






On unregistered mode Firefox and Internet Explorer are injected.
here are some code samples also ripped.

Firefox:
<html xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" class="blacklist">
<head>
<STYLE>
html {background: -moz-Dialog;}
body {margin: 0;padding: 0 1em;color: -moz-FieldText;font: message-box;}
h1 {margin: 0 0 .6em 0;border-bottom: 1px solid ThreeDLightShadow;font-size: 160%;}
ul, ol {margin: 0;-moz-margin-start: 1.5em;padding: 0;}
ul > li, ol > li {margin-bottom: .5em;}
ul {list-style: square;}
#errorPageContainer {position: relative;min-width: 13em;max-width: 52em;margin: 4em auto;border: 1px solid ThreeDShadow;-moz-border-radius: 10px;padding: 3em;-moz-padding-start: 30px;background: left 0 no-repeat -moz-Field;-moz-background-origin: content;}
body[dir="rtl"] #errorPageContainer {background-position: right 0;}
#errorPageContainer {background-position: right 0;}
#errorTitle {-moz-margin-start: 80px;}
#errorLongContent {-moz-margin-start: 80px;}
#errorShortDesc > p {overflow: auto;border-bottom: 1px solid ThreeDLightShadow;padding-bottom: 1em;font-size: 130%;white-space: pre-wrap;}
#errorLongDesc {-moz-padding-end: 3em;font-size: 110%;}
#errorLongDesc > p {}
#errorTryAgain {margin-top: 2em;-moz-margin-start: 80px;}
#brand {position: absolute;right: 0;bottom: -1.5em;-moz-margin-end: 10px;opacity: .4;}
body[dir="rtl"] #brand {right: auto;left: 0;}
#brand > p {margin: 0;}
#errorContainer {display: none;}
#securityOverrideDiv {padding-top: 10px;}
#securityOverrideContent {background-color: InfoBackground;color: InfoText;padding: 10px;-moz-border-radius: 10px;}
:root.blacklist #errorTitle, :root.blacklist #errorLongContent,
:root.blacklist #errorShortDesc, :root.blacklist #errorLongDesc,
:root.blacklist a {background-color: #722;color: white;}
:root.blacklist #errorPageContainer {background-color: #722;}
:root.blacklist {background: #333;}
:root.blacklist #errorTryAgain {display: none;}
#ignoreWarningButton {-moz-appearance: none;background: transparent;border: none;color: white;text-decoration: underline;margin: 0;padding: 0;position: relative;top: 23px;left: 20px;font-size: smaller;}
#ignoreWarning {   text-align: right;}
</STYLE>
</head>
<body dir="ltr">
<div id="errorPageContainer">
<div id="errorTitle"><h1 id="errorTitleText_malware">Reported Attack Site!</h1></div>
<div id="errorLongContent"><div id="errorShortDesc"><p id="errorShortDescText_malware">This web site at <span id="malware_sitename">mozilla.com</span> has been reported as an attack site and has been blocked based on your security preferences.</p></div>
<div id="errorLongDesc"><p id="errorLongDescText_malware"><p>Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.</p><p>Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.</p></p></div>
<div id="buttons">
<INPUT TYPE=BUTTON OnClick="parent.location='%PRS%'" VALUE="Why was this site blocked?">
<INPUT TYPE=BUTTON OnClick="parent.location='%ORIGINAL%'" VALUE="Ignore this warning">
</div>
</div></body></html>

Internet Explorer:
<HTML><HEAD><TITLE>There is a problem with this website's security. Possible spyware threat detected</TITLE>
<SCRIPT LANGUAGE="javascript">function c_alert() {window.history.go(-2);}</SCRIPT>
<STYLE type=text/css>
BODY{MARGIN-TOP:20px;MARGIN-LEFT:20px;COLOR:#575757;BACKGROUND-REPEAT:repeat-x;FONT-FAMILY:"Segoe UI","verdana","arial";BACKGROUND-COLOR:#e8eaef}
A{FONT-WEIGHT:normal;FONT-SIZE:1em;MARGIN-LEFT:0px;VERTICAL-ALIGN:top;COLOR:rgb(19,112,171);TEXT-DECORATION: none}
A:link{VERTICAL-ALIGN:top;COLOR:rgb(19,112,171);TEXT-DECORATION:none}
A:visited{VERTICAL-ALIGN:top;COLOR:rgb(19,112,171);TEXT-DECORATION:none}
A:hover{COLOR:rgb(7,74,229);TEXT-DECORATION:underline}
P{FONT-SIZE: 0.9em}
H1{MARGIN-TOP:7px;FONT-WEIGHT:normal;FONT-SIZE:1.1em;MARGIN-BOTTOM:4px;VERTICAL-ALIGN:bottom;COLOR:#4465a2;}
H2{MARGIN-TOP:20px;FONT-WEIGHT:normal;FONT-SIZE:0.9em;MARGIN-BOTTOM:1px}
H3{MARGIN-TOP:10px;FONT-WEIGHT:normal;FONT-SIZE:0.9em;MARGIN-BOTTOM:1px}
H4{MARGIN-TOP:12px;FONT-WEIGHT:normal;FONT-SIZE:0.9em;MARGIN-BOTTOM:1px}
.actionIcon{MARGIN-TOP:0px;VERTICAL-ALIGN:middle;MARGIN-RIGHT:6px}
.infoBlock{DISPLAY:block;PADDING-LEFT:25px;FONT-SIZE:0.9em;COLOR:#575757}
.errorCodeAndDivider{FONT-WEIGHT:normal;FONT-SIZE:0.7em;COLOR:#787878}
.divider{BORDER-BOTTOM:#b6bcc6 1px solid}
</STYLE></HEAD><BODY><TABLE cellSpacing=0 cellPadding=0 width=730 border=0><TBODY><TR><TD id=shieldIconAlign vAlign=top align=left width=60 rowSpan=3></TD><TD id=mainTitleAlign vAlign=center align=left width=*><H1 id=mainTitle>There is a problem with this website's security. Possible spyware threat detected</H1></TD></TR>
<TR><TD><H3><DIV id=linkdiv name="linkdiv"></DIV></H3></TD></TR>
<TR><TD class=errorCodeAndDivider id=errorCodeAlign align=right>&nbsp;<DIV class=divider></DIV></TD></TR>
<TR><TD></TD>
<TD><H3><DIV id=CertUnknownCA style="DISPLAY: none" name="CertUnknownCA"></DIV>
<DIV id=CertExpired style="DISPLAY: none" name="CertExpired"></DIV>
<DIV id=CertCNMismatch style="DISPLAY: none" name="CertCNMismatch"></DIV>
<DIV id=CertRevoked style="DISPLAY: none" name="CertRevoked"></DIV><NOSCRIPT id=securityCert1>The security certificate presented by this website has errors, and should not be trusted.</NOSCRIPT>
<BR><ID id=securityCert2>As a result of insecure Internet browsing your PC may easily get infected with viruses, trojans or spyware that will lead to system slowdown, freezes and even crashes. Spyware can install itself in silent way and commit identity theft.<br>In order to get real-time protection against particular threats, you should install reliable up-to-date Antivirus and Antispyware suites.</ID> </H3></TD></TR>

<TR><TD>&nbsp;</TD><TD><H2 id=recommendation><B>It is strongly recommended to protect your PC now and continue secure Internet browsing.</B></H2></TD></TR>
<TR><TD>&nbsp;</TD><TD id=closeWebpageAlign vAlign=center align=left><H4 id=closeWebpage>
<A href="%PRS%"><font color="#0b9809">Click here to get full real-time protection and continue browsing.</front></A></H4></TD></TR>
<TR><TD>&nbsp;</TD><TD id=continueToSiteAlign vAlign=center align=left><H4 id=continueToSite><A id=overridelink OnClick="parent.location='%ORIGINAL%'" href="#" name=overridelink><font color="#e66969">Continue browsing this website unprotected (not recommended).</font></A> </H4></TD></TR></TBODY></TABLE></BODY></HTML>

He can also call a fake BSoD:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
    <head>
        <meta http-equiv="content-type" content="text/html; charset=utf-8">
        <title>Blue Screen of Death</title>
        <style type="text/css">
            body,div,p{
                margin:0;padding:0;
            }
            html, body{
                width:100%;
                min-height:100%;
                height:100%;
                background:#000082;
                overflow:auto;
            }
            body{
                font-family:terminal ;
                font-size:90%;
                color:#fff;              
            }
            .all{
                width:50%;
                font-size:1.3em;
                padding:25px 0 0 29px;
            }
        </style>
    </head>
    <body>
        <div class="all" >
            <p>
                A problem has been detected and windows has been shut down to prevent damage to your computer.
            </p>
            <br>
            <p>Process1_initialization_failed</p>
            <br>
            <p>
                If  this  is  the  first time you`ve seen this stop error screen,
                restart your computer. If this screen appears again, follow
                these steps:
            </p>
            <br>
            <p>
                Make sure your antivirus software is properly installed, if this is
                a new installation, ask your software manufacturer for any antivirus
                updates you might need.
            </p>
            <br>
            <p>
                Windows detected unregistred version of antivirus software on your
                computer. If problem continue, please activate your antivirus software

                to prevent computer damage and data loss.
            </p>
            <br>
            <p>
                If problems continue, disable or remove any newly installed hardware
                or software. Disable BIOS memory options such as caching or shadowing.
                If you need to use Safe mode to remove or disable components, restart
                your computer, press F8 to select Advanced Startup Options, and then
                select Safe mode.              
            </p>
            <br>
            <p>
                Technical  information:
            </p>
            <br>
            <p>
                *** STOP: 0x0000006B (0xc0000022, 0x00000002, 0x00000000, 0x00000000)
            </p>
        </div>
    </body>
</html>

2 comments:

  1. Wohaa, good one! By the way, do you know where could I find rogueware like these, I want to examine them in OllyDbg. Maybe some list of rogueware-s (the newer one preferable).

    Regards,
    dn5.

    ReplyDelete
  2. Hi, profnetwork i don't conserv files, but you can find recent samples of fakeav (including Home Safety Essential) at kernelmode.info

    ReplyDelete