Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: SysAdMini on March 20, 2009, 06:45:37 am

Title: A new method to monetize scareware
Post by: SysAdMini on March 20, 2009, 06:45:37 am
http://blog.fireeye.com/research/2009/03/a-new-method-to-monetize-scareware.html

http://voices.washingtonpost.com/securityfix/2009/03/antivirus2009_holds_victims_do.html

Code:
filefixpro.com/public/download.php?cmd=doDownload
http://www.virustotal.com/analisis/5ef5aed888af841fdff7bb38fa413da0 1/39
NOD32   3952   2009.03.20   Win32/Adware.FileFixProfessional2009
Title: Re: A new method to monetize scareware
Post by: SysAdMini on March 20, 2009, 07:05:46 pm
Some hints for making a decrypter:

The last 4 bytes of the file contain the key. Xor each 4 bytes of the file with the key.

http://forums.devshed.com/antivirus-protection-117/filefix-professional-2009t-595267-4.html

example code:

http://blog.fireeye.com/files/file-2.pl

online decrypter:

https://filefix.fireeye.com/
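
The hint in the post above (key in the last 4 bytes, XOR each 4 bytes with it) written out as a small recovery script. This is an added example, not the FireEye Perl script or code from anyone in this thread. It assumes the key trailer is not part of the original file and that a final partial block uses the leading key bytes; the function names and the sample blob are constructed for illustration.

```python
import sys
from pathlib import Path

KEY_LEN = 4  # per the post: the last 4 bytes of the file hold the key

# Common file signatures used to sanity-check the recovered plaintext.
MAGICS = {b"%PDF": "pdf", b"PK\x03\x04": "zip/docx", b"\xff\xd8\xff": "jpeg",
          b"\xd0\xcf\x11\xe0": "ole2 (doc/xls)"}


def xor_blocks(body: bytes, key: bytes) -> bytes:
    """XOR body with the repeating 4-byte key, aligned to offset 0."""
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def decrypt(blob: bytes) -> bytes:
    """Recover plaintext from a blob laid out as ciphertext || 4-byte key.

    Assumptions (not stated in the post): the key trailer is not part of
    the original file, and a final partial block uses the leading key bytes.
    """
    if len(blob) <= KEY_LEN:
        raise ValueError("file too short to carry a 4-byte key trailer")
    body, key = blob[:-KEY_LEN], blob[-KEY_LEN:]
    if key == b"\x00" * KEY_LEN:
        # XOR with zero is a no-op, so the file is likely not encrypted.
        raise ValueError("all-zero key: file is probably not encrypted")
    return xor_blocks(body, key)


def identify(plain: bytes) -> str:
    """Return a file type guess from magic bytes, or 'unknown'."""
    return next((n for m, n in MAGICS.items() if plain.startswith(m)), "unknown")


def make_sample(plain: bytes, key: bytes) -> bytes:
    """Build a constructed test blob in the layout the post describes."""
    return xor_blocks(plain, key) + key


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: recover.py <encrypted-file>")
    src = Path(sys.argv[1])
    plain = decrypt(src.read_bytes())
    out = src.with_name(src.name + ".recovered")  # never overwrite the original
    out.write_bytes(plain)
    print(f"{src} -> {out} ({identify(plain)})")
```

Run it on a copy of the affected file; a result of "unknown" means the output should be inspected by hand before it is trusted.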
Title: Re: A new method to monetize scareware
Post by: bobby on March 21, 2009, 12:09:06 am
http://malzilla.org/anti_filefix/anti_filefix.exe
or
http://www.malzilla.org/anti_filefix/anti_filefix.exe
Title: Re: A new method to monetize scareware
Post by: MysteryFCM on March 21, 2009, 11:13:06 pm
Nice one bobby :)

I've posted a linky to your post here, over at Malwarebytes :)
Title: Re: A new method to monetize scareware
Post by: bobby on March 22, 2009, 12:47:18 am
Tool updated twice today.
Some FP fixed, fixed form showing on various DPI settings etc.
Title: Re: A new method to monetize scareware
Post by: sowhat-x on March 22, 2009, 04:03:33 am
(http://img27.imageshack.us/img27/4054/antifileflix.png)

Took the courage to also post it over at the comments section in FireEye's blog entry,
so that it is easier for infected people to find it... :)
Title: Re: A new method to monetize scareware
Post by: bobby on March 22, 2009, 11:15:32 am
Quote from: sowhat-x
> Took the courage to also post it over at the comments section in FireEye's blog entry,
> so that it is easier for infected people to find it... :)
Let's hope they will allow link to other sites. I do not believe they would post your comment.
Title: Re: A new method to monetize scareware
Post by: SysAdMini on March 22, 2009, 11:24:55 am
Quote from: bobby
> Quote from: sowhat-x
> > Took the courage to also post it over at the comments section in FireEye's blog entry,
> > so that it is easier for infected people to find it... :)
> Let's hope they will allow link to other sites. I do not believe they would post your comment.

No problem. I posted several links to MDL in the past. The links have been published.
Title: Re: A new method to monetize scareware
Post by: sowhat-x on March 23, 2009, 07:59:48 am
It's nice of them that they published the comment... what I originally thought was
that not that many "common" Windows end-users actually have Perl installed in their boxes...
Title: Re: A new method to monetize scareware
Post by: SysAdMini on March 24, 2009, 07:06:14 pm
Filefix Professional 2009 Cryptanalysis
http://blog.fireeye.com/research/2009/03/filefix-professional-2009-cryptanalysis.html