October 15, 2013
Analysis of the “Internet Security” fake antivirus leads to family of FakeAV and possible actor behind it

Stumbled upon another one of the FakeAVs; it's called "Internet Security" this time, and the detection is decent for once.

Initial payload from exploit kit b4662d40b12250f79ffec121a083ba6e (VT 19/48)
Unpacked payload f77c7098ce70e9e197a37f1264357bf1 (VT 21/48)
Unpacked the 2nd layer dd158a5d2caa7f9df1bba52e51db7c2c (VT 21/48)

image



Note that the screenshot shows the colourful icon being dropped on the desktop, but this is only after unpacking two layers of packer/crypter from the initial drop. The initial drop shows the following when installed:

image

Analysis

The sample was dropped by the Neutrino exploit kit; once dropped it installed itself and started showing fake security-related warnings. It installs itself in %appdata% as avsecurity.exe and adds a startup entry under the usual '\Software\Microsoft\Windows\CurrentVersion\Run' key in the registry.

After installing itself it kills all other running processes except Windows Explorer and the other default Windows processes. It then starts displaying its fake warnings:

image

It also shows popup messages from time to time indicating more problems on the computer:

image

image

And again, as we've seen with previous FakeAVs, every single process we try to spawn is killed and marked as 'infected':

image

After the initial scan finishes it tells us many problems have been found and that we need to register before we can clean them up:

image

We will close that window for now and look around at what else this 'antivirus' can do:

image

image

image

image

image

Now if we want to modify any of the options we get a message that we need to activate:

image


Now let's get back to the registration. We can either fill in the email address and registration key we paid for, or, if we don't have those, we can pay to get them. The payment dialogs look like this:

image

image

Now of course we aren’t going to pay. Back to the activation form:

image

Putting in junk info will not get it activated, sadly:

image

Now if we attach our favourite debugger we find that the key is (as usual) static, and any combination of an email address (junk info works) with that key will activate it. The key for this "Internet Security" is the same in all samples I've been able to find; the key is:

Y68REW-T76FD1-U3VCF5A

We register successfully now:

image

We can also finally remove those infections!

image

And the application itself also shows that it is activated and we now have a ‘high security’ level:

image

After rebooting it still knows that we activated it, because it writes a lockfile called 'avbase.dat' to disk:

image


The payment pages we saw earlier are web pages loaded through the IE object in a form; the URLs (in the same order as the screenshots):

http:// regdexsecurity .com/buynow.php?bid=<affiliate id>
https:// secure.combilling .com/order/pay

On the main tab we see a button saying "License Information…"; clicking it opens a browser loading 'http:// www.3dsecureinternational .com/info.php', which redirects to 'https:// secure.bill3dpayusauto .com/'. If we provide the correct information (email + CC) we can see our subscription status:

image

All the payment pages, including this customer service page, use SSL certificates from StartSSL, which is free for the first year. The certificate for the customer service page:

image


In addition to being dropped via exploit kits, it can also simply be purchased from their website at 'http:// securityserviceauto .com'. The site lets you purchase it and shows off all its 'amazing' features:

image

image

image

image

image

All domains seen with this FakeAV:

  • regdexsecurity.com
  • combilling.com
  • securityserviceauto.com
  • 3dsecureinternational.com
  • bill3dpayusauto.com
  • defendersecurityauto.com
  • autointsecurity.com
  • bill3dpayus.com
  • licencecheck24.com
  • internet-security2013.com
  • 3dsecpay.com

All IPs seen with this FakeAV:

  • 194.54.80.212
  • 194.54.81.20
  • 194.54.81.101
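
As an added example (not code from the original post), the domain and IP list above can be turned into a small proxy/DNS log checker. It refangs the spaced-out URL notation used in this write-up into plain hostnames, and matches log lines against the listed domains (including subdomains such as secure.combilling.com) and IPs. The log lines are constructed for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Indicator lists copied from the write-up above (this FakeAV's domains and IPs).
FAKEAV_DOMAINS = {
    "regdexsecurity.com", "combilling.com", "securityserviceauto.com",
    "3dsecureinternational.com", "bill3dpayusauto.com",
    "defendersecurityauto.com", "autointsecurity.com", "bill3dpayus.com",
    "licencecheck24.com", "internet-security2013.com", "3dsecpay.com",
}
FAKEAV_IPS = {"194.54.80.212", "194.54.81.20", "194.54.81.101"}


def refang_host(defanged: str) -> str:
    """Reduce a defanged URL such as 'http:// secure.combilling .com/order/pay'
    (the notation used in the write-up) to the bare, lower-cased hostname."""
    s = defanged.strip()
    s = re.sub(r"^[a-z]+:\s*//\s*", "", s, flags=re.I)  # drop scheme
    s = s.split("/", 1)[0]                               # drop path
    s = s.replace("[.]", ".").replace("(.)", ".")        # other common defangs
    s = s.replace(" ", "")                               # 'host .com' -> 'host.com'
    return s.lower().rstrip(".")


def matching_domain(host: str) -> Optional[str]:
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in FAKEAV_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


# Crude tokenizer: IPv4 dotted quads, or DNS names ending in a letter-only TLD.
_HOST_RE = re.compile(
    r"\b((?:\d{1,3}\.){3}\d{1,3})\b|\b([a-z0-9][a-z0-9.-]*\.[a-z]{2,})\b", re.I)


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, matched indicator) for every log line that touches
    a listed domain/subdomain or IP. One hit per line is enough."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        for ip, host in _HOST_RE.findall(line):
            if ip and ip in FAKEAV_IPS:
                hits.append((n, ip))
                break
            if host and matching_domain(host):
                hits.append((n, matching_domain(host)))
                break
    return hits


# Constructed proxy log lines for the example (not real traffic).
SAMPLE_LOG = [
    "2013-10-15 10:01:02 192.168.1.20 GET http://regdexsecurity.com/buynow.php?bid=1234 200",
    "2013-10-15 10:01:05 192.168.1.20 CONNECT secure.combilling.com:443 200",
    "2013-10-15 10:02:11 192.168.1.31 GET http://www.example.com/index.html 200",
    "2013-10-15 10:03:40 192.168.1.20 CONNECT 194.54.81.20:80 200",
]

if __name__ == "__main__":
    for line_no, indicator in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: contacted FakeAV infrastructure ({indicator})")
```

Lines 1, 2 and 4 of the sample are flagged; the suffix match on the registered domain is what catches the secure.* payment host without needing every subdomain listed.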



Statistics

I have been monitoring the backend of this FakeAV and was able to build some statistics. In ~12 hours I saw around 1400 unique IPs contacting the C&C. I saw around 30 successful payments, around 400 clients that opened the payment window but never ended up paying, and about 70 clients just visiting the main website.
Of the total number of clients that paid, their geographical locations (in percentages, over a time span of a couple of days):

  • United States: 72%
  • France: 13%
  • United Kingdom: 7.5%
  • Puerto Rico: 4.5%
  • Australia: 1%
  • Argentina: 1%
  • Jamaica: 0.5%
  • Canada: 0.5%



The family

While reversing this FakeAV I found an interesting string embedded in the sample:

This option is available only in the activated version of WinPC Defender. You must activate the program by entering registration information to use all of its features.

So let's see what this WinPC Defender is about. The hash for the WinPC Defender sample is 'af736cb7ea46b63f6a1cd9526eaf67a7' (VT: 45/48). Let's infect ourselves with this sample; the main window already looks familiar:

image

So it seems our actors have been busy: our first sample appears to be an improved and reskinned version of this one. So let's register this version; after looking at it with the debugger the key was found to be:

C79AA343F95B062F000C309C14DE2954

Again any combination of an email address (or junk info) and this key will work to activate this FakeAV:

image

After restarting, the sample still recognized the activation; this is because it writes a registry key to store its activation data:
 
[HKEY_CURRENT_USER\Software\WinPC Defender]
"email"="registered@blog.0x3a.com"
"key"="C79AA343F95B062F000C309C14DE2954"

And the main form also changes, similar to what we saw with our first sample, "Internet Security":

image

The domains seen with this FakeAV:

  • 2payon.com (payment processor)
  • winpcdefender09.com (main C&C)

The IPs seen with these domains:

  • 78.46.88.142
  • 194.165.4.77


After some more research I found another sample which seems to be the version before "WinPC Defender". This one was called 'XP Police Antivirus'. The hash for this sample is "c9e1a1f20501280c5e2caf0fa7c1425a" (VT: 34/48).

Again the main form looks similar, though more simplistic; from what I could tell this is the first version of this family:

image

If we look at the registration we also see a lot of similarities:

image

Now if we reverse the registration/activation we find something interesting: the key from 'WinPC Defender' is the same one used by 'XP Police Antivirus'. The key is (again):

C79AA343F95B062F000C309C14DE2954

And after we register it writes similar information to the registry, which it checks at start-up for a previous activation:

[HKEY_CURRENT_USER\Software\XP Police Antivirus]
"email"="registered@blog.0x3a.com"
"key"="C79AA343F95B062F000C309C14DE2954"
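
The activation data of both "WinPC Defender" and "XP Police Antivirus" lives under HKCU with the same static key, and "Internet Security" persists through a Run value pointing at avsecurity.exe in %appdata%. As an added example (not the author's tooling), the following parses a `reg export` style .reg dump and flags those artifacts. The .reg text below is constructed for the example; the user name and the benign Sidebar entry are made up.

```python
import re
from typing import Dict, List

# Artifacts taken from the write-up: the two activation keys, the shared static
# registration key, and the Run-key persistence binary of "Internet Security".
FAMILY_REG_KEY = "C79AA343F95B062F000C309C14DE2954"
ACTIVATION_KEY_PATHS = (
    r"HKEY_CURRENT_USER\Software\WinPC Defender",
    r"HKEY_CURRENT_USER\Software\XP Police Antivirus",
)
RUN_KEY_PATH = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
PERSISTENCE_BINARY = "avsecurity.exe"

# "name"="string data"  or  "name"=hex:..., dword:...
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(.*))$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key path (lower-cased): {value name: data}}.
    String data is unescaped; other value types are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, quoted, raw_value = m.groups()
            # .reg string data escapes backslashes and quotes with a backslash
            value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else raw_value
            keys[current][name] = value
    return keys


def find_fakeav_artifacts(reg_text: str) -> List[str]:
    """Flag the family's activation data and the avsecurity.exe Run entry."""
    reg = parse_reg(reg_text)
    findings: List[str] = []
    for path in ACTIVATION_KEY_PATHS:
        values = reg.get(path.lower())
        if values is None:
            continue
        findings.append(f"activation key present: {path}")
        if values.get("key", "").upper() == FAMILY_REG_KEY:
            findings.append(f"static family registration key under {path}")
    for name, value in reg.get(RUN_KEY_PATH.lower(), {}).items():
        if PERSISTENCE_BINARY in value.lower():
            findings.append(f"Run value '{name}' launches {value}")
    return findings


# Constructed .reg export for the example (user name and Sidebar entry made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"avsecurity"="C:\\Users\\victim\\AppData\\Roaming\\avsecurity.exe"

[HKEY_CURRENT_USER\Software\WinPC Defender]
"email"="registered@blog.0x3a.com"
"key"="C79AA343F95B062F000C309C14DE2954"
'''

if __name__ == "__main__":
    for finding in find_fakeav_artifacts(SAMPLE_REG):
        print(finding)
```

On the sample this reports the WinPC Defender activation key, the static family registration key under it, and the Run value launching avsecurity.exe; a clean export yields no findings.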

The activation step:
image

And again the main form looks a lot like the previous samples we looked at after activation:

image

The domains involved with this FakeAV:

  • xp-police.com

The IPs seen with these domains:

  • 213.155.10.63
  • 213.163.65.10


Another thing to note is that all of the samples were written in Delphi. We can pretty much bind these three samples together as a family; you can also see the evolution of the icon if you put all the shortcuts next to each other:

image



Conclusion

We can conclude that these three belong to the same family / authors. They were first seen as "XP Police Antivirus", which appeared around January 2009; this was followed by the "WinPC Defender" variant, which first appeared around June 2009. The current version, "Internet Security", was first seen around October 2013, which leaves a large gap from 2009 to 2013 in which I am unable to link more samples to this family.
Edit: The gap can be filled with the data S!Ri collected, take a look at his blog here: http://siri-urz.blogspot.fr/search/label/Sig.

I also looked at the registration info on all of the domains, but it seems fake identities have been used. I did tie a couple of the email addresses used to Facebook accounts and names, but these ended up being used interleaved, so I cannot be sure. Most of them seem to be stolen/abused identities.

The only thing I did notice was that all registrations at first had the name 'Sergey Ryabov' in them with the email address 'director@climbing-games.com'. The information changed to some kind of privacy service a bit later every time. I was unable to tie this name and/or email address to an identity I could confirm.
