Saturday 6 August 2011

Tracking Cyber Crime: BestAV and BlackSoftware *Reloaded*

Two months ago, I infiltrated the BestAV affiliate.
After I released my work, the place was left with a 404 error.

In reality the network never closed; you just need to connect on the right port.
And recently they added an Apache 2 Test Page instead of... nothing.

After spying on what they do now, it's time to release again.
A new subdomain was opened:
And a new subdomain means a new fakeAV.
When conduct to 'MS Removal Tool', conduct to 'Personal Shield Pro'
Actually there seems to be trouble spreading MS Removal Tool, but the subdomain is fully operational.


Ticket "Oh no! i just lose bots, what's do ?" now open:


Main page when logged in:


FakeAV download (Personal Shield Pro):

Public link:

Manual encrypting:

Private API:








As for the agreement, they recently updated it; all partners were subjected to these pages:

Now for and Sevantivir, after my first visit, they just stopped updating the affiliate program and shut down the domains.

Anyway, I don't really care about Peter Severa & friends.
I've just one thing to say to these guys: don't go into criminal business if you don't know how to correctly secure a box.

ICQ's mails, logins/passwords, VMZ, bad guys sites etc...
Passwords hashed in MD5 (what a joke)

To sum up, using online MD5 services and some of my RDPs to brute-force hashes, the password database is cracked to 85~90%.
You just lost your credibility (and your partners).


  1. Hello from Spain,
    amazing work, I love your xylibox blog; you're the only one who makes infiltration disclosures like this.

    Keep it up!