A few days ago, a friend told me about his new article.
For those who don't have access, you can see the article here:
I've already seen a lot of FakeAV samples with a filename like 'BestAV.exe'.
Man, you have definitely intrigued me with your post :)
And just like that, I started to hunt these 'BestAV' guys.
After a lot of coffee, I finally got inside the network.
You will see, it's nicely organized; they are the ones responsible for the MS Removal Tool plague.
The main site is named BestAV2; you'll see only this:
As the ripped announcement on the ScriptKiddieSec blog says: it's a FakeAV service, which explains why we see such a large number of samples like MS Removal Tool, Security Tool, etc. every day.
Anyone who has money can buy his own copy of MS Removal Tool and make money by infecting people.
The profit-sharing system works like this: 50% for the customer and 50% for the site owner (the BestAV team).
Statistics for the customer's FakeAV:
I've hidden the stats here, but if you want an example:
Testing the downloaded FakeAV:
I guess you know it:
The famous fake payment gate:
BestAV sample found in the wild:
And it even includes a system for knowing which antivirus products currently detect the malware:
As he says: these guys have very good cryptor support:
Public download link:
The customer can manually encrypt the malware:
They can also use a public API:
News pages about campaigns, downtime, etc.:
Conditions of use (what a joke):
What do you think about FakeAV now?
BestAV related ~
Security Shield 2011 (11 Jun 2k11)
Essential Cleaner (18 May 2k11)
MS Removal Tool (29 Mar 2k11)
Security Shield (9 Dec 2k10)
System Tool (12 Dec 2k10)
Security Tool (10 Aug 2k10)