Tuesday, 14 June 2011

Tracking Cyber Crime: Inside the FakeAV Business

Few days ago, a friend mention me about his new article.

For those who don't have access you can see the article here:

I've already see alots of FakeAV samples who got a filename like 'BestAV.exe'
Man, you have definitely intrigued me with your post :)
And like that, i've started to hunt these 'BestAV' guys.

After alot of coffee, i finally come inside the network.
You will see, it's nicely organized, they are responsible for the MS Removal Tool plague.

The main site is named BestAV2, you'll see only this:

nicline.com's WHOIS database is only for information purposes,
this information consists on domain name registration records.
nicline.com does not guarantee the accuracy of the information
contained in the WHOIS. nicline.com allows the use of the
information only for lawful purposes, under no circumstances this data
will be use for: (a) allow, enable, or otherwise support the transmission
by e-mail, telephone, or facsimile of mass unsolicited, commercial
advertising or solicitations to entities other than the data recipient's
own existing customers; or (b) enable high volume, automated,
electronic processes that send queries or data to the systems of
Registry Operator or any ICANN-Accredited Registrar, except as
reasonably necessary to register domain names or modify existing

Service provided by First Ukrainian Internet-Registrar LLC
Hosting solutions and domain registration service.

Domain name: bestavsoft2.com

Ivan Shlesko (SROW-1714932)

ordinskaya 23
Kiev none
827123 UA
+3 80993362121

Administrative contact:
Ivan Shlesko (SRCO-2727745)
Ivan Shlesko
ordinskaya 23
Kiev none
827123 UA
+3 80993362121

Technical contact:
Vyacheslav Cherkashyn (SRCO-101023)
First Ukrainian Internet-Registrar LLC
134-4-100 Nab Pobeda
Dnepropetrovsk Dnepropetrovsk
49106 UA
+38 0563705242 fax:+38 0563705242

Domain servers in listed order:

Created: 02 Dec 2010 00:53:48:930 UTC
Expires: 01 Dec 2011 00:00:00:000 UTC
Last updated: 02 Dec 2010 00:53:48:930 UTC

Like the ripped announce on the ScriptKiddieSec blog says: it's a FakeAV Service, that explain why we see a big amounts of samples like MS Removal Tool, Security Tool, etc.. every day.
Anyone who have money can buy his own MS Removal Tool copy and make money by infecting peoples
The benefit system work like that: 50% for the customer and 50% for the site owner (BestAV team).

Statistic of the customer FakeAV:

I've hidden the stats here, but if you want an example:
(Yeah, easy money.)

FakeAV download:

Testing the downloaded FakeAV:

I guess you know it:

The famous fake payement gate:

BestAv sample found in the wild:

And that even include a system for know wich AntiVirus detect actualy the malware:

Like he says: These guys has a very good cryptor support:

Public download link:

 The customer can manual encrypt the malware:

Can use also a public API



News pages, about campaigns, downtime etc...

Condition of use (what a joke):

Escrow support:

What's your mind now about FakeAV ?

BestAV related ~
Security Shield 2011 (11 Jun 2k11)
Essential Cleaner (18 May 2k11)
MS Removal Tool (29 Mar 2k11)
Security Shield (9 Dec 2k10)
System Tool (12 Dec 2k10)
Security Tool (10 Aug 2k10)


  1. Пидарасы....поеду в киев дам пизды

  2. Wow, Steven. Thats amazing. Who knew the FakeAV Affiliate Network was so professional! You did alot of great research here, you're like Brian Krebs but better!

  3. ...whoa. awesome.
    Btw, if you go to that av scanning site, it shows their contact details anyway, you might want to black out that dns.

  4. Interesting article.You make a good job.Keep up the good work!

  5. http://www.kernelmode.info/forum/viewtopic.php?f=16&t=75&start=220#p6860

    For thoses who want an unpacked version of MS Removal Tool.

  6. Hei XyliBox, Repost in Here :



  7. Французишка, куда ты лезешь, не мешай людям работать, если сам не умеешь ;))))

  8. >Французишка, куда ты лезешь, не мешай людям работать, если сам не умеешь ;))))

    its vazonez