Active Security

[Malekal_morte]

Active Security est un rogue (faux anti-spyware) qui s'installe sans permission, le malware affiche de fausses alertes vous indiquant que vous êtes infecté par un spyware et vous recommande d'acheter ce faux anti-spyware pour soit disant désinfecter votre ordinateur.

[Malekal_morte]

Code : Tout sélectionner

1256823085.845   1425 192.168.1.63 TCP_MISS/200 11271 GET http://fopsl.cn/forum/exe.php - DIRECT/210.51.166.249 application/octet-stream
1256823101.861   8788 192.168.1.63 TCP_MISS/200 1147210 GET http://searchthomas.org/img/setup.exe - DIRECT/212.117.169.163 application/octet-stream

et pour le rogue:

Code : Tout sélectionner

1256831745.574    363 192.168.1.26 TCP_MISS/200 2915 GET http://scan-active-securitys.org/uninstall.exe - DIRECT/95.169.191.223 application/x-msdos-program
1256831745.964    359 192.168.1.26 TCP_MISS/200 2915 GET http://scan-active-securitys.org/asecurity.exe - DIRECT/95.169.191.223 application/x-msdos-program
http://91.207.61.180/cgupdate/Installer2.exe
http://94.232.248.75/prsys/Installer2.exe
http://78.46.151.178/cgupdate/Installer2.exe

File asecurity.exe received on 2009.10.29 12:17:41 (UTC)
Current status: finished

Result: 14/41 (34.15%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.29 Trojan.Win32.InternetAntivirus!IK
AhnLab-V3 5.0.0.2 2009.10.29 -
AntiVir 7.9.1.50 2009.10.29 TR/Crypt.ZPACK.Gen
Antiy-AVL 2.0.3.7 2009.10.27 -
Authentium 5.1.2.4 2009.10.28 -
Avast 4.8.1351.0 2009.10.28 Win32:MalOb-T
AVG 8.5.0.423 2009.10.29 Win32/Cryptor
BitDefender 7.2 2009.10.29 Gen:[email protected]
CAT-QuickHeal 10.00 2009.10.29 -
ClamAV 0.94.1 2009.10.29 -
Comodo 2768 2009.10.29 -
DrWeb 5.0.0.12182 2009.10.29 -
eSafe 7.0.17.0 2009.10.28 -
eTrust-Vet 35.1.7091 2009.10.29 -
F-Prot 4.5.1.85 2009.10.28 -
F-Secure 9.0.15370.0 2009.10.27 -
Fortinet 3.120.0.0 2009.10.29 -
GData 19 2009.10.29 Gen:[email protected]
Ikarus T3.1.1.72.0 2009.10.29 Trojan.Win32.InternetAntivirus
Jiangmin 11.0.800 2009.10.26 -
K7AntiVirus 7.10.881 2009.10.27 -
Kaspersky 7.0.0.125 2009.10.29 Packed.Win32.TDSS.aa
McAfee 5785 2009.10.28 FakeAlert-JN
McAfee+Artemis 5785 2009.10.28 FakeAlert-JN
McAfee-GW-Edition 6.8.5 2009.10.29 Trojan.Crypt.ZPACK.Gen
Microsoft 1.5202 2009.10.29 Trojan:Win32/FakeCog
NOD32 4554 2009.10.29 a variant of Win32/Kryptik.AXM
Norman 6.03.02 2009.10.29 -
nProtect 2009.1.8.0 2009.10.29 -
Panda 10.0.2.2 2009.10.28 -
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.29 -
Rising 21.53.33.00 2009.10.29 -
Sophos 4.46.0 2009.10.29 Mal/FakeAV-BP
Sunbelt 3.2.1858.2 2009.10.29 -
Symantec 1.4.4.12 2009.10.29 -
TheHacker 6.5.0.2.056 2009.10.28 -
TrendMicro 8.950.0.1094 2009.10.29 -
VBA32 3.12.10.11 2009.10.29 -
ViRobot 2009.10.29.2011 2009.10.29 -
VirusBuster 4.6.5.0 2009.10.28 -
Additional information
File size: 1437696 bytes
MD5 : c84b2b612e911baafc3cbf00b86a6db3
SHA1 : 129703a728b8a611b7f041c94bd4df21c752cf5b

Lignes HijackThis relatives à l'infection :

O4 - HKCU\..\Run: [wow64main.exe] C:\DOCUME~1\MALEKA~1\LOCALS~1\Temp\wow64main.exe
O4 - HKCU\..\Run: [Active Security] "C:\Program Files\Active Security\asecurity.exe" -noscan

NOTE : wow64main.exe charge le processus C:\DOCUME~1\MALEKA~1\LOCALS~1\Temp\wscsvc32.exe qui ouvre la fenêtre du faux centre de sécurité (security center) et affiche les fausses alertes de sécurité .

qui donnent les fausses alertes de sécurité habituelles avec l'icône bouclier en bas à droite à côté de l'horloge :


et alertes "Security Alert Center"


On peux aussi admirer les effets d'ombre à la UAC, c'est magnifique... \o/


Active Security qui intercepte les programmes dits "dangereux" harmful, ici c'est simplement Internet Explorer sur Wikipedia.


Les messages d'alertes :

This Trojan is designed to steal confidential data. The program itself is a Windows PE DLL file. It is 91136 bytes in size. It is written in Delphi.
This malicious program infects executable files on the victim machine. It is a Windows DLL file. The malicious file is 20480 bytes in size. It is not packed in any way. It is written in Visual C++.
This Trojan provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. It is 12787 bytes in size.
This Trojan has a malicious payload. It is a Windows PE EXE file. It is 20480 bytes in size.
This Trojan masks its presence in the system from users and from other programs. It is a Windows PE SYS file. It is 40960 bytes in size. It is not packed in any way. It is written in C.
This Trojan provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. It is 48640 bytes in size. It is packed using UPX. The unpacked file is approximately 360KB in size.
This Trojan downloads another program via the Internet and launches it on the victim machine without the user
s knowledge or consent. It is encrypted Java Script within an HTML document. It is 14147 bytes in size.
DipNet.d infects computers running under Windows. The worm itself is a Windows PE EXE file approximately 91KB in size, packed using UPX. The unpacked file is approximately 264KB in size. The worm propagates by exploiting a vulnerability in Microsoft Windows LSASS (MS04-011).
This network worm infects computers running Windows. The worm itself is a Windows PE EXE file, written in Visual C++. The file may be packed with one of a range of packers, and the size of the infected file may therefore vary. The packed file is approximately 47KB or greater in size, and the unpacked file is approximately 150KB to 260KB in size.
This worm spreads via the Internet as an attachment to infected messages. It is also able to propagate via P2P networks and accessible http and ftp directories. The worm's main component is a PE EXE file of approximately 29KB. The worm is packed using FSG; the unpacked file is approximately 40KB in size.
This malicious program encrypts files on the victim machine. It is a Windows PE EXE file 8030, bytes in size.

There are some serious security threats detected on your computer: viruses, trojans, keyloggers, exploits etc.
Your computer and all your personal data are in serious danger.
Protection: Click the balloon to install antivirus software.

Defenseless OS: Windows 2000/XP/Vista
Description: Spyware. Blocks access to computer. Attacks porn sites visitors.
Protection: Click the balloon to install antivirus software.

Defenseless OS: Windows 2000/XP/Vista
Description: Spyware try to steal payment details of your credit cards, bank account etc.
Protection: Click the balloon to install antivirus software.
Defenseless OS: Windows 2000/XP/Vista

Description: Virus try to damage your documents and bust file system..
Protection: Click the balloon to install antivirus software.
Your computer and all your personal data are in serious danger.
Protection: Please, click the balloon to get details.

Defenseless OS: Windows 2000/XP/Vista
Description: Blocks access to computer. Attacks porn sites visitors.
Protection: Please, click the balloon to get datails.

Defenseless OS: Windows 2000/XP/Vista
Description: Spyware try to steal payment details of your credit cards, bank account etc.
Protection: Please, click the balloon to get details.

Defenseless OS: Windows 2000/XP/Vista
Description: Virus try to damage your documents and bust file system..
Protection: Please, click the balloon to get details.

Les malwares soit disant détectés et bloqués par le rogue :

System alert: Virus.Win32.Gpcode.ak
System alert: Trojan.Win.Agent.dcc
System alert: Virus Chin09.Win
Trojan-PSW.Win32.Hangame.cp
Virus.Win32.Hala.a
Backdoor.Win32.Kbot.al
Trojan.Win32.Agent.dcc
Rootkit.Win32.Agent.pp
Backdoor.Win32.Agent.ich
Trojan-Downloader.JS.Multi.ca
Net-Worm.Win32.DipNet.d
Net-Worm.Win32.Mytob.t
Email-Worm.Win32.NetSky.q
Virus.Win32.Gpcode.ak

[Malekal_morte]

Code : Tout sélectionner

1256993888.824   1761 192.168.1.63 TCP_MISS/200 11228 GET http://gksdh.cn/forum/image/exe.php - DIRECT/210.51.166.249 application/octet-stream
1256993958.629   1816 192.168.1.26 TCP_MISS/200 1147178 GET http://findproper.org/img/setup.exe - DIRECT/93.174.95.140 application/octet-stream
1256993968.076    698 192.168.1.26 TCP_MISS/200 65889 GET http://searchstring.org/img/nkr.exe - DIRECT/212.117.169.163 application/octet-stream
1256994113.364    324 192.168.1.26 TCP_MISS/200 2915 GET http://scan-active-securitys.org/uninstall.exe - DIRECT/95.169.191.223 application/x-msdos-program
1256994113.663    297 192.168.1.26 TCP_MISS/200 2915 GET http://scan-active-securitys.org/asecurity.exe - DIRECT/95.169.191.223 application/x-msdos-program

La détection du dropper original reste bonne :

File load_9_.exe received on 2009.10.31 10:46:25 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 8/40 (20%)

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.31 -
AhnLab-V3 5.0.0.2 2009.10.30 -
AntiVir 7.9.1.53 2009.10.30 -
Antiy-AVL 2.0.3.7 2009.10.30 -
Authentium 5.1.2.4 2009.10.31 -
Avast 4.8.1351.0 2009.10.30 -
AVG 8.5.0.423 2009.10.31 Win32/Heur
BitDefender 7.2 2009.10.31 -
CAT-QuickHeal 10.00 2009.10.31 Win32.Packed.TDSS.aa.5
ClamAV 0.94.1 2009.10.31 -
Comodo 2790 2009.10.31 -
DrWeb 5.0.0.12182 2009.10.31 -
eSafe 7.0.17.0 2009.10.29 Suspicious File
eTrust-Vet 35.1.7094 2009.10.30 -
F-Prot 4.5.1.85 2009.10.31 -
F-Secure 9.0.15370.0 2009.10.30 -
Fortinet 3.120.0.0 2009.10.31 -
GData 19 2009.10.31 -
Ikarus T3.1.1.72.0 2009.10.31 -
Jiangmin 11.0.800 2009.10.31 -
K7AntiVirus 7.10.884 2009.10.30 -
Kaspersky 7.0.0.125 2009.10.31 Packed.Win32.TDSS.aa
McAfee 5787 2009.10.30 -
McAfee+Artemis 5787 2009.10.30 Artemis!80017D11A588
McAfee-GW-Edition 6.8.5 2009.10.31 Heuristic.LooksLike.Trojan.PCK.Tdss.H
Microsoft 1.5202 2009.10.31 Trojan:Win32/Alureon.DA
NOD32 4559 2009.10.30 -
Norman 6.03.02 2009.10.30 -
nProtect 2009.1.8.0 2009.10.31 -
Panda 10.0.2.2 2009.10.30 -
PCTools 7.0.3.5 2009.10.30 -
Prevx 3.0 2009.10.31 -
Rising 21.53.52.00 2009.10.31 -
Sophos 4.47.0 2009.10.31 Mal/FakeAV-BP
Sunbelt 3.2.1858.2 2009.10.30 -
TheHacker 6.5.0.2.056 2009.10.28 -
TrendMicro 8.950.0.1094 2009.10.31 -
VBA32 3.12.10.11 2009.10.30 -
ViRobot 2009.10.31.2015 2009.10.31 -
VirusBuster 4.6.5.0 2009.10.30 -
Additional information
File size: 16896 bytes
MD5...: 80017d11a5887fd6a7ffff9dba2801a5
SHA1..: 0d53f2b9c19212e9c531b9c26987d257f5b01f84

[Malekal_morte]

Nouvelle variante AntiMalware