Stumbled upon another one of the FakeAV’s, its called”Internet Security” this time and the detection is decent for once.
Initial payload from exploit kit b4662d40b12250f79ffec121a083ba6e (VT 19/48)
Unpacked payload f77c7098ce70e9e197a37f1264357bf1 (VT 21/48)
Unpacked the 2nd layer dd158a5d2caa7f9df1bba52e51db7c2c (VT 21/48)
Do note, the screenshot shows the colorful icon being dropped on the desktop but this is after unpacking 2 layers of packers/crypter from the initial drop. The initial drop will show the following when installed:
The sample dropped from Neutrino and after being dropped it started to install itself and show fake security related warnings. It installs itself in %appdata% as avsecurity.exe and a startup key in the usual ‘\Software\Microsoft\Windows\CurrentVersion\Run’ section of the registry.
After it installed itself and made sure it killed all other running processes except windows explorer and other default windows processes. After this it starts displaying its fake warnings:
Also show popup messages from time to time indicating more problems on the computer:
And again like we’ve seen with previous FakeAV every single process we try to spawn is killed and market as ‘infected’:
After the initial scan finishes it tells us many problems have been found and we need to register before we can clean them up:
We will close that window for now and look around what else this ‘antivirus’ can do:
Now if we want to modify any of the options we get the message we need to activate:
Now lets get back the registration, we can either fill in our email and registration key we payed for or if we don’t have those we can pay to get them. The payment dialogs looks like this:
Now of course we aren’t going to pay. Back to the activation form:
Putting in junk info will not get it activated sadly:
Now if we attach our favorite debugger we can find out that the key is (as usual) static and any combination of an email address (can be junk info) with that key will work. The key for this “Internet Security” is the same in all samples I’ve been able to find, the key is:
We register successfully now:
We can also finally remove those infections!
And the application itself also shows that it is activated and we now have a ‘high security’ level:
After rebooting it still knows that we activated it because it writes a lockfile called ‘avbase.dat’ to disk:
The payment pages we saw earlier are webpages being loaded using the IE object in a form, the urls (same order as the screenshots):
http:// regdexsecurity .com/buynow.php?bid=<affiliate id>
https:// secure.combilling .com/order/pay
On the main tab we see a button saying “License Information…” if we click this it opens a browser loading ‘http:// www.3dsecureinternational .com/info.php’ which will redirect to ‘https:// secure.bill3dpayusauto .com/’. If we provide the correct information (email + CC) we can see our subscription status:
All the payment pages including this customer service page provide ssl from StartSSL which is free the first year, the certificate for the customer service:
Additionally to dropping via exploit kits you can also just purchase it from their website located at ‘http:// securityserviceauto .com’. This allows purchase and see all its ‘amazing’ features:
All domains seen with this FakeAV:
All IP’s seen with this FakeAV:
I have been monitoring the backend of this FakeAV and was able to build some statistics. In 12~ hours I saw around 1400~ unique IP’s contacting the C&C. I saw around 30~ successful payments, 400~ clients opened the payment window but never ended up paying and I saw about 70~ clients just visiting the main website.
From the total amount of clients that have payed their geographical location (in percentages over a time span of a couple of days):
- United States: 72%
- France: 13%
- United Kingdom: 7.5%
- Puerto Rico: 4.5%
- Australia: 1%
- Argentina: 1%
- Jamaica: 0.5%
- Canda: 0.5%
While reverseing this FakeAV I found an interesting string embedded in the sample:
This option is available only in the activated version of WinPC Defender. You must activate the program by entering registration information to use all of its features.
So lets see what this WinPC Defender is about, the hash for the sample of WinPC Defender is ‘af736cb7ea46b63f6a1cd9526eaf67a7’ (VT: 45/48). Lets infect ourselves with this sample, main window already looks familiar:
So it seems our actors have been busy, our first sample seems to be an improved and reskinned version. So lets register this version, after looking at it with the debugger the key was found to be:
Again any combination of an email address (or junk info) and this key will work to activate this FakeAV:
After restarting the sample still recognized the activation, this is because it writes a registry key to store its activation data:
And the main form also changes similar to what we saw with our first sample from “Internet Security”:
The domains seen with this FakeAV:
- 2payon.com (payment processor)
- winpcdefender09.com (main C&C)
The IP’s seen with these domains:
After some more research I found another sample which seems to be the version before “WinPC Defender”. This one was called ‘XP Police Antivirus’. The hash for this sample is “c9e1a1f20501280c5e2caf0fa7c1425a”. (VT: 34/48)
Again the main form looks similar, more simplistic and from what I could tell this is the first version of this family:
If we look at the registration we also see a lot of similarities:
Now if we reverse the registration/activation we find something interesting; the key from ‘WinPC Defender’ is the same one being used by ‘XP Police Antivirus’. The Key is (again):
And after we register it writes similar information to the registry for its start-up check of previous activation:
[HKEY_CURRENT_USER\Software\XP Police Antivirus]
The activation step:
And again the main form looks a lot like the previous samples we looked at after activation:
The domains involved with this FakeAV:
The IP’s seen with these domains:
Another thing to note is that all of the samples were written in Delphi. We can pretty much bind these 3 samples together as a family, you can also see the evolution of the icon if you put all the shortcuts next to each other:
We can conclude these 3 belong to the same family / authors. They were first seen with the “XP Police Antivirus” which appeared around January 2009, this was followed with the “WinPC Defender” variant which first appeared around June 2009. The current version “Internet Security” was first seen around October 2013, this leaves a large gap from 2009 to 2013 in which I am unable to link more to this family.
Edit: The gap can be filled with the data S!Ri collected, take a look at his blog here: http://siri-urz.blogspot.fr/search/label/Sig.
I also looked at the registration info on all of the domains but it seems fake identities have been used. I did bind a couple of used email addresses to facebook accounts and names but these ended up being used interleaved so I cannot be sure. Most of them seem to be stolen/abused identities.
The only thing I did notice was that all registrations at first had the name ‘Sergey Ryabov’ in it with the email address ‘firstname.lastname@example.org’. The information changed to some kind of privacy service a bit later every time. I was unable to bind this name and/or email address to an identity I could confirm.