February 3, 2014
Analysis of the Tritax FakeAV family, their active campaign and the FakeAV social engineering kit

This time I’m diving into an active FakeAV campaign that I’ve named the NameChanger FakeAV; it falls under the Tritax family. As for why I named it the NameChanger, just take a look at the following image, composed of screenshots of all the different samples:

image

Update (27-2-2014): Updated the end of the article with a list of domains and IPs seen in the past 2 months. Tritax is still active and distributing.

Update (20-3-2014): After sinkholing and actively taking down the domains with the help of some friends, it seems the Tritax actors gave up. The TDSs stopped redirecting and no new domains are being registered; taking action against this campaign was successful!


December 29, 2013
Piracy browser ‘ransomware’

About 3 months ago I published an article regarding the ‘browlock’ browser ransomware here. Recently I discovered a new variant of this browser ransomware. This time, instead of a generic allegation from the local police department, users are warned about piracy.

The first time this one popped up was around the end of September, at the time it was hosted on 213.133.111.10 (malwr.com). Currently it is hosted on 178.254.44.45 (malwr.com).


October 15, 2013
Analysis of the “Internet Security” fake antivirus leads to family of FakeAV and possible actor behind it

Stumbled upon another one of the FakeAVs; it’s called “Internet Security” this time and the detection is decent for once.

Initial payload from exploit kit b4662d40b12250f79ffec121a083ba6e (VT 19/48)
Unpacked payload f77c7098ce70e9e197a37f1264357bf1 (VT 21/48)
Unpacked the 2nd layer dd158a5d2caa7f9df1bba52e51db7c2c (VT 21/48)


October 4, 2013
Analysis of the “Security Cleaner Pro” fake antivirus

Another one of the FakeAVs, this time it is called “Security Cleaner Pro”. The detection is quite low: 4/48 on VT for the loader and 8/48 for the payload.

Loader 2a8038d3acd963e804ca38a912ba116b : VirusTotal
Payload 8d15016f249274158e0472a02f9de00e : VirusTotal


September 27, 2013
Fiesta Exploit Kit analysis serving MSIE exploit CVE-2013-2551

After finding that the Neutrino exploit kit had implemented CVE-2013-2551 around the 10th of September, I noticed a couple of days ago that Fiesta has also started to serve this exploit. This blog entry is a general write-up of the Fiesta exploit kit and uses CVE-2013-2551, which exploits MSIE 6 through 10, as an example.

One thing to note about Fiesta is the way it serves exploits: it checks browser and plugin versions, determines which exploits they are vulnerable to, and serves all of them. This means that visiting a Fiesta landing page with multiple vulnerable products leads to the client receiving exploits for all of them.