![]() We are also, like usual with FakeAV’s, not allowed to start any applications because they are 'infected’: Some more aggressive warnings appear from time to time as well: There’s also an about section in the 'product’:īesides the fake scanning and available options it will also show a variety of fake warning messages: When enabling one of the options we get the same “Activate” popup. ![]() You cannot clean up until you active the product:īefore we activate the ‘product’ lets have a look around at what it 'can’ do for us:Īll of course are unavailable to us unless we activate. When you attempt to clear up the infections by hitting “Remove All” we get a message regarding activation. Once completed the user gets a listing of all the affected files: Once the machine has rebooted it will show the usual fake scanning with detection of infected items: When its first ran (before the reboot) it will show a splashscreen: Since the 1st or 2nd of February samples are now formatted as “svc-%s.exe”.Īfter the sample has installed itself it will force a reboot in order to make sure no other analysis tools are started. The filename is formatted as “guard-%s.exe”, as can be seen when running the sample through OllyDBG in the image below. “GuardSoftware”=“C:\Documents and Settings\admin\Application Data\guard-hqxl.exe”. ![]() It initially installs itself in the usual startup location, the keyname for these samples are “GuardSoftware”: This sample drops from a specialized social engineering kit for FakeAV’s, I’ll get into details about this later. I’ll end with a section which is a hashdump of all the samples I’ve been scraping from their backend. I’ll start of with an analysis of the current version of the FakeAV, after this I’ll go into the family, third will be the new FakeAV social engineering kit this group is using with their current campaign. The current campaign drops a sample I have named NameChanger.C as its the third FakeAV type from this family that is constantly being repackaged with new names. The Tritax family has been around for a long time, the first sample of it was seen around may 2009. More recently the same campaign was seen by redirecting via PopAds delivered advertisement: and another finding: ĭavid Jacoby from Securelist also published an article after Tritax started spreading via one of the largest websites in Sweden: A writeup for that was done by invincea: Skype advertisement has also been affected by the campaign: ![]() Some time ago a friend, pointed out a FakeAV spreading via : Not long after this, a similar thing happened to. The TDS’s stopped redirecting and no new domains are being registered, taking action against this campaign was successful! Update (20-3-2014): After sinkholing and taking down the domains actively with the help of some friends it seems the Tritax actors gave up. Update (27-2-2014): Updated the end of the article with a list of domains and IP’s seen in the past 2 months. Now why I named it the namechanger, just take a look the following image composed of screenshots of all the different samples: This time I’m diving into an active FakeAV campaign, I’ve named it the NameChanger FakeAV, it falls under the Tritax family. Analysis of the Tritax FakeAV family, their active campaign and the FakeAV social engineering kit
0 Comments
Leave a Reply. |