MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.


FakeAV via new strategy of deception from BKCNET "SIA" IZZI

Generally, the deception strategies used to spread fake antivirus software (rogue AV) consist of an online simulation of a malware scan, showing an interface that mimics Windows Explorer and that always "finds" the same threats, even when the visitor is using an operating system other than Windows.

Conventional strategy of deception
This is one of many templates. It shows a supposed scan to verify the integrity of the computer, with an interface that simulates Windows Explorer.

However, a new strategy with similar features was recently launched. It uses a different maneuver: a real video is played while the supposed scan takes place, shown under the caption "Scan in progress. Please wait".

New strategy of deception
A real video plays while the traffic is routed to a false report announcing the detection of a threat.

While the video plays, traffic is routed to another page that displays information about alleged threats found by the scan. In this instance the information is presented as coming from several antivirus engines, listed strategically to display detection-related information.

False report
The scan claims to have detected malware on the system. The false report, with information attributed to multiple antivirus engines, is meant to alert the user.

Coincidentally, each of the antivirus "products" that detect the alleged malware activity offers the opportunity to download the application that will solve the problem.

Both the beginning and the end of the video show the words "Protect your privacy! Use only licensed software!". This has a strong psychological effect on the user, who is "entertained" by a video about data theft and then reads the "recommendation".

Protect your privacy!
The psychological action strategy seeks to have a persuasive effect on users, who then buy the rogue.

This strategy is being channeled through AS6851, better known as BKCNET "SIA" IZZI or SAGADE. BKCNET "SIA" IZZI serves as a "repository" for promoting various criminal activities and provides cover for hosting botnets and other crimeware such as Koobface, ZeuS, Phoenix Exploit's Kit and BOMBA, among others, as well as some Pay-per-Install affiliate businesses. In this case, it resolves from the IP address.

The scheme is completed by installing a rogue called AntiSpy Safeguard, which blocks access to operating system resources for the duration of its initial scan. The ultimate goal of the rogue is, as usual, to get the user to buy the malicious application.

Purchase rogue
These pages are usually disguised as legal services, and this is how the offender obtains money from the sale of the rogue and from the credit card data.

With this maneuver the offender, or affiliate program, secures on one hand a percentage of the money from the price of the rogue and, on the other, feeds its database with credit card information, which is then sold on the black market at prices directly proportional to the type of credit card.

Related information

Campaign infection through Phoenix Exploit's Pack
Circuit Koobface from (BKCNET "SIA" IZZI)
BOMBA Botnet. New alternative crimeware fuels the criminal economy
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus


State of the art in Phoenix Exploit's Kit

Criminal alternatives grow very fast in an ecosystem where, day by day, business opportunities are conceived through fraudulent processes. In this sense, the demand for resources among cybercriminals shows no sign of slowing and is constantly growing.

Generally I find new crimeware looking to earn a place and good acceptance in the virtual streets of the underground world, trying to strike a cost/benefit balance for the "product" promoted that allows criminals to enter the market as quickly as possible.

Similarly, crimeware already accepted in the well-known circuit is updated to optimize its "quality of service". Phoenix Exploit's Kit, despite its minimalist state compared to others of its style, is one of the most active crimeware kits today.

This paper presents a series of data on the criminal and fraudulent activities carried out using Phoenix Exploit's Kit as the management channel, how often the cycle of criminal business on this crimeware turns over, and which exploits are found in its different versions.

Phoenix Exploit’s Kit v2.3r
Phoenix Exploit’s Kit v2.3
Phoenix Exploit’s Kit v2.21
Phoenix Exploit’s Kit v2.2
Phoenix Exploit’s Kit v2.1
Phoenix Exploit’s Kit v2.0
Phoenix Exploit’s Kit v1.4
Phoenix Exploit’s Kit v1.31
Phoenix Exploit’s Kit v1.3
Phoenix Exploit’s Kit v1.2
Phoenix Exploit’s Kit v1.1
Phoenix Exploit’s Kit v1.0
Phoenix Exploit’s Kit v1.0beta



Pirated Edition. Affiliate program Pay-per-Install

Affiliate programs are a growing and increasingly profitable business model for criminals. Among many other alternatives, they create a complete circuit for spreading malware and infecting victims, rewarding their customers with a percentage of the money obtained according to the success of their own business.

One of the systems with the greatest uptake in this business model is the payment facility known as Pay-per-Install, where each customer is paid for every installation of the malware. That is, they only need to propagate the malware and wait for someone to become infected.

In this circuit each member can be either a single person or a botnet, since the economic return that the affiliate system provides to the offenders spreading the malware is obviously amplified at scale: the botmaster obtains a larger economic gain within a shorter time span, in addition to the other fraudulent revenue streams generated by botnets.

Another of these affiliate programs is Pirated Edition, whose access panel can be seen in the picture below.

Looking into the affiliate system, we find an extremely minimalist model that only allows the client-offender to check the amount of money earned and to download the malware to spread, including updates to it.

This malicious code, whose default name is limew.exe (757eda0929b94ea104a1a80825dee3e2), has a very low detection rate. According to the VirusTotal report, it is detected by only 8 of 41 AV engines.

When run, it reports back to the real affiliate program behind this criminal circuit; in this case it sends a request like the following:

/get2.php?c=ROBFNNDI&d
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Cache-Control: no-cache
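As an added example, not code from the original post, the following Python flags the affiliate check-in pattern shown above in constructed proxy log lines: a request to /get2.php carrying a campaign code in c= together with a d= parameter, scored higher when it arrives with the exact User-Agent string captured in the post. The log format, host names and the d= values are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed proxy log lines (not from the original post):
# client, method, host, path, quoted user-agent.
SAMPLE_LOG = """\
10.0.0.12 GET example-ppi.invalid /get2.php?c=ROBFNNDI&d=PLACEHOLDER "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
10.0.0.12 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
10.0.0.33 GET other-ppi.invalid /get2.php?c=ABCD1234&d=PLACEHOLDER "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
10.0.0.44 GET www.example.org /get2.php?page=help "Mozilla/5.0 (X11; Linux x86_64) Chrome/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# Check-in observed in the post: /get2.php with a campaign id "c" and a "d" parameter.
CHECKIN_PATH_RE = re.compile(r'^/get2\.php\?(?=.*\bc=[A-Z0-9]+)(?=.*\bd=)')
# Exact User-Agent sent by the downloader in the captured request; used as a
# corroborating signal, not as the only one (it is a valid browser string too).
DOWNLOADER_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"


@dataclass
class Hit:
    client: str
    host: str
    campaign: str
    confidence: str


def detect_checkins(log_text):
    """Return one Hit per log line that matches the affiliate check-in pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        client, _method, host, path, ua = m.groups()
        if not CHECKIN_PATH_RE.match(path):
            continue
        campaign = re.search(r'\bc=([A-Z0-9]+)', path).group(1)
        # Path alone is a medium signal; path plus the captured UA is high.
        confidence = "high" if ua == DOWNLOADER_UA else "medium"
        hits.append(Hit(client, host, campaign, confidence))
    return hits


if __name__ == "__main__":
    for hit in detect_checkins(SAMPLE_LOG):
        print(hit)
```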

However, this is only one side of the strategy: the same IP ( also resolves other domains, each of which carries the same template.

It's worth mentioning a particular detail of this affiliate program's policies. To obtain payment for each installation of the malware, it must infect computers located in the following countries: Australia, Belgium, Brazil, Canada, Czech Republic, Denmark, Estonia, France, Germany, Greece, Finland, Hungary, Italy, Ireland, Kuwait, Lithuania, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Russia, Saudi Arabia, Singapore, Slovakia, Spain, Sweden, Switzerland, Turkey, Ukraine, United Arab Emirates, United Kingdom, United States and Japan. As payment systems it uses the services of Epassporte, AlertPay, PayPal and Webmoney.




One of the most profitable businesses in the area of computer crime is the affiliate program. These are systems that offenders join in exchange for an economic return in the form of a commission, as in this case, for each successful installation of malware carried out through the distribution system.

VIVA INSTALLS, belonging to the same criminal group behind HAPPY INSTALLS, is one of them. This system is "protected" under AS6851, belonging to BKCNET "SIA" IZZI (ATECH-SAGADE), at the IP address, which resolves the domain. This AS is known for its high incidence of fraudulent activities, and it is also used for the propagation of Koobface.

The system promotes to its members one of the best-known malicious codes of the rogue type: A-fast Antivirus.

The fake antivirus business generates several revenue streams, regardless of the number of successful installations. On one hand, the price of this rogue is USD 69.65, which every unwary user who "buys the malware" pays, fueling the business.

At the same time, the purchase requires completing a form with credit card information, which gives the offender more data for fraudulent activities. Needless to say, the credit card information ends up filling the fields of a database that is then also sold.

How does the infection circuit work?
The affiliate system provides its "customers" with the URL from which to download the malware, warning them not to verify the integrity of the executable through public services such as VirusTotal. In this case it is the setup.exe file and exe.exe (971eab628a7aac18bb29cba8849dff61), the downloader that acts as the link for downloading A-fast Antivirus.

While the members' system sits at one address, the rogue is downloaded from another, under a different domain. This maneuver, although common, shows that BKCNET "SIA" IZZI hosts a large volume of criminal activity.

How does the registration process work?
In particular, gaining access to the members' circuit of this business means meeting the necessary requirements: basically, an activation code issued by the affiliate system on the recommendation of another "trusted" member, that is, an offender who is already active in the circuit with a track record of recognized activity.

How much does the affiliate earn for each successful installation?
A topic of interest around affiliate systems is how much is paid, in this case, per installation.

While affiliate systems share the same business model, the amount paid per installation is specific to each of them. In the case of VIVA INSTALLS/HAPPY INSTALLS, the prices are as follows:

    • USD 0.30 per installation in the U.S.
    • USD 0.20 per installation in Canada, Australia and England.
    • USD 0.01 per installation in other countries.

In short, VIVA INSTALLS / HAPPY INSTALLS is dedicated, for the moment, only to the promotion and distribution of one of the many (hundreds of) rogues that form part of the criminal circuit.


Campaign of infection through Phoenix Exploit's Pack

Phoenix Exploit's Pack (PEK) is another of the crimeware programs most widely accepted within the online criminal ecosystem, and its use over the past week has massively spread a large amount of malware.

The executable binaries that are part of the campaign, which is still active at the time of writing, spread under the default name of the executable included in the package, exe.exe. Some of the executables that are part of this campaign are:


The binaries spread through this crimeware are updated very dynamically. It also has a wide range of precompiled exploits targeting classic vulnerabilities in browsers and PDF readers.


Among the domains used during July 2010 for the campaign are:
