MalwareDisasters is a division of MalwareIntelligence. It captures information about the behaviour of malicious code and also offers the countermeasures needed to mitigate the malicious actions in question.

8.11.2010

Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus

Pay-per-Install is one of the business models by which an affiliate system provides a set of "clients" with one or more malicious codes, paying each of them a percentage as a commission for every successful installation of the malicious application.

Phoenix Exploit's Kit is a crimeware kit through which intelligence is gathered by collecting statistical information about each of the infected computers. It is accessed through a control panel over the HTTP protocol, as we see in the screenshot.

PC Defender Antivirus is a rogue of Russian origin that is being spread through Phoenix Exploit's Kit, reporting at the same time to an affiliate system that records the installation of each downloaded copy.

In addition to feeding the criminal circuit by fuelling the fraudulent business through Pay-per-Install, the rogue also runs the usual business of this family: the fraudulent application is meant to be purchased, also via the web, and the credit-card information entered into the purchase form ends up stored somewhere unknown. The cost of the rogue is USD 59.95.

Through Phoenix Exploit's Kit a trojan downloader called exe.exe is spread, in this case with MD5 e49be7ef82250a36cf7410004ac3d69c. Once executed, it establishes a connection to fordkaksosat.info (193.105.207.45 - AS50793 "ALFAHOSTNET"), from which it downloads and executes the rogue (PCDefenderSilentSetup.msi - MD5 ecff63c1f983858dfd7fb926738cb478).

At this point the rogue reports to the affiliate system, uploading the information about the successful installation through the count_installs.php file, and then starts a fake malware scan that issues alerts about alleged infections and connection attempts, all of them false. This activity is usual in this type of malware and is one of its hallmarks.
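The indicators above (the two MD5s, the download domain and its IP) are what a defender would check a host or a proxy log against. The following PowerShell script is an added example written for this post, not code from MalwareDisasters or from the malware itself: it hashes a list of suspect files with the MD5s the post gives and scans log lines for the domain and IP. The file paths under $env:TEMP and the proxy-log lines are constructed assumptions for illustration.

```powershell
# Added example (not from the original post): triage a Windows host and a proxy
# log against the indicators listed for this PC Defender / Phoenix Exploit's Kit
# chain. Suspect paths and the sample log lines below are constructed.

$KnownMd5 = @{
    'e49be7ef82250a36cf7410004ac3d69c' = 'exe.exe (trojan downloader)'
    'ecff63c1f983858dfd7fb926738cb478' = 'PCDefenderSilentSetup.msi (PC Defender rogue)'
}
$KnownHosts = @('fordkaksosat.info', '193.105.207.45')

# Hash each existing file with MD5 and report the ones that match a known indicator.
function Test-KnownBadHash {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLower()
        if ($KnownMd5.ContainsKey($md5)) {
            [pscustomobject]@{ Path = $p; MD5 = $md5; Match = $KnownMd5[$md5] }
        }
    }
}

# Report every log line that mentions the download domain or its IP address.
function Find-KnownBadHost {
    param([Parameter(Mandatory)][string[]]$LogLine)
    foreach ($line in $LogLine) {
        foreach ($h in $KnownHosts) {
            if ($line -match [regex]::Escape($h)) {
                [pscustomobject]@{ Indicator = $h; Line = $line }
            }
        }
    }
}

# Constructed proxy-log lines: the first one is the kind of hit this chain produces,
# the second is benign and must not match.
$SampleLog = @(
    '2010-08-11 10:02:13 192.168.1.20 GET http://fordkaksosat.info/PCDefenderSilentSetup.msi 200',
    '2010-08-11 10:02:15 192.168.1.20 GET http://example.com/index.html 200'
)
Find-KnownBadHost -LogLine $SampleLog | Format-Table -AutoSize

# Downloaders commonly drop their payload in the user's temp directory; these paths
# are an assumption, adjust them to where the files were actually found.
$SuspectFiles = @(
    (Join-Path $env:TEMP 'exe.exe'),
    (Join-Path $env:TEMP 'PCDefenderSilentSetup.msi')
)
Test-KnownBadHash -Path $SuspectFiles | Format-Table -AutoSize
```

Both functions return objects rather than text, so the output can be piped to Export-Csv or fed into a ticket; a sample that hashes to one of the two MD5s is the downloader or the rogue installer from this campaign, while a hit on the domain or IP in the proxy log shows which internal host performed the download.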


The unlocking scheme for the alleged security application is similar to that used by some ransomware families, through a business model that involves sending an SMS text message to a specific type of phone number.

In this case, the message 6681 must be sent to the number 5711000002209.


The threat has a timer that generates a fake Blue Screen of Death (BSoD), in which it shows the incentive to register the program, exerting fear (psychological warfare) on the user, who after reading this information might think of registering/buying what he believes to be a real antivirus solution.


Countermeasures
Terminate the processes called prockill32.exe, proccheck.exe and rundelay.exe. You can use Process Explorer to view and terminate processes.

Remove the PC Defender folder (which houses six files) located in C:\Program Files\Def Group\.

Delete the PC Defender key from the system registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which refers to c:\program files\def group\PC Defender\pcdef.exe. You can use Autoruns to view and delete the key.
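The three countermeasures above can be scripted for an administrator who has to clean several machines. The PowerShell script below is an added example written for this post, not code from MalwareDisasters: it audits a host for the three processes, the Run entry pointing at pcdef.exe and the Def Group folder, and only removes them when run with -Remove. Since the post does not give the name of the Run value, the script matches Run values by the data they point to; that matching rule is an assumption.

```powershell
# Added example (not from the original post): audit and, with -Remove, clean up
# the PC Defender artefacts listed in the countermeasures. Run as Administrator.
# The Run value name is not given in the post, so values are matched by the path
# they reference (an assumption); everything else comes from the post itself.
param([switch]$Remove)

$Processes = 'prockill32', 'proccheck', 'rundelay'      # process names without .exe
$Folder    = 'C:\Program Files\Def Group'
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunTarget = 'def group\PC Defender\pcdef.exe'

# 1. Processes: stop them first, otherwise the files below stay locked.
$found = Get-Process -Name $Processes -ErrorAction SilentlyContinue
foreach ($p in $found) {
    Write-Host "Process: $($p.ProcessName) (PID $($p.Id))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}
if (-not $found) { Write-Host 'No PC Defender processes running.' }

# 2. Folder: list what is inside before deleting so the audit run is informative.
if (Test-Path -LiteralPath $Folder) {
    Write-Host "Folder: $Folder"
    Get-ChildItem -LiteralPath $Folder -Recurse -File |
        ForEach-Object { Write-Host "  $($_.FullName)" }
    if ($Remove) { Remove-Item -LiteralPath $Folder -Recurse -Force }
} else {
    Write-Host "Folder not present: $Folder"
}

# 3. Run key: remove any value whose data references pcdef.exe.
$runProps = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($runProps) {
    foreach ($prop in $runProps.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, etc.
        if ("$($prop.Value)" -like "*$RunTarget*") {
            Write-Host "Run value: $($prop.Name) = $($prop.Value)"
            if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $prop.Name }
        }
    }
}

if (-not $Remove) { Write-Host 'Audit only; re-run with -Remove to clean up.' }
```

Run it once without -Remove to see what the host reports, and keep that output as the incident record; a second run after cleanup should find no processes, no folder and no matching Run value, which is the check that the three countermeasures actually took effect.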

Related Information
New variant of ransomware through porn sites IV
New variant of ransomware through porn sites III
New variant of ransomware through porn sites II
New variant of ransomware through porn sites
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild
Desktop Hijack by Internet Security 2010. Your System Is Infected!
LockScreen. Your computer is infected by Spyware!!!

2 comments:

Steven K said...

http://www.youtube.com/watch?v=eGyuBZbFWjM
http://xylibox.blogspot.com/2010/08/pc-defender-antivirus.html

hope you will like it

Jorge Mieres said...

Hi Steven, cool! Thanks! :)
