Sunday 19 June 2011

Tracking Cyber Crime: Gagarincash AV Affiliate

Another Fake AV affiliate infiltrated: Gagarincash AV.
My friend ScriptKiddieSec gave me an ICQ number to contact these guys and get access.

Gagarincash AV site (nb: The man on background is Yuri Gagarin):

Contrary to the BestAV network, which was very professional and closed, Gagarincash has a very simple interface and new accounts can be created if you have an invitation, and to get an invitation you need to pose as a bad guy :þ

When connected, all is grouped on the same page:

Statistics, the FakeAV download and three invitation keys, if you want to invite someone.
The text before the statistics is interesting: Обновляйте exe раз в 5-10 минут. Теперь будет чище гораздо. ("Update the exe every 5-10 minutes. It will be much cleaner now.")
It means the FakeAV exe is repacked every 5-10 minutes (like BestAV and many others).

According to VirusTotal, the repacked FakeAV is detected by 11 antivirus engines.

Finally it's time to test their FakeAV, and it is Security Shield 2011, named 'pack.exe' on their download page.

I'm sure you know it too ;)

Fake gate:

You can edit your details on Gagarincash, and something I noticed right away: your current password appears in plaintext in the password input. (I guess account info is not encrypted in the database.)

Contrary to common belief, the people who make FakeAV are not lone guys doing it for themselves.
Generally, behind a FakeAV there is an affiliate network that produces huge traffic; don't take them lightly.

Unpacking their FakeAV is boring, like this:

Have a nice day.
PS: For those who threaten me on IRC, who are you going to call, a hitman?
haha, fags.

Gagarincash related ~
Tracking Cyber Crime: Inside the FakeAV Business (14 Jun 2k11)
Security Shield 2011 (11 Jun 2k11)
Essential Cleaner (18 May 2k11)
MS Removal Tool (29 Mar 2k11)
Security Shield (9 Dec 2k10)
System Tool (12 Dec 2k10)
Security Tool (10 Aug 2k10)
