Author Topic: A new method to monetize scareware  (Read 5649 times)

0 Members and 1 Guest are viewing this topic.

March 20, 2009, 06:45:37 am
Read 5649 times

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

March 20, 2009, 07:05:46 pm
Reply #1

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Some hints for making a decrypter:

The last 4 bytes of the file contain the key. Xor each 4 bytes of the file with the key.

http://forums.devshed.com/antivirus-protection-117/filefix-professional-2009t-595267-4.html

example code:

http://blog.fireeye.com/files/file-2.pl

online decrypter :

https://filefix.fireeye.com/
Ruining the bad guy's day


March 21, 2009, 11:13:06 pm
Reply #3

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Nice one bobby :)

I've posted a linky to your post here, over at Malwarebytes :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 22, 2009, 12:47:18 am
Reply #4

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
Tool updated twice today.
Some FP fixed, fixed form showing on various DPI settings etc.

March 22, 2009, 04:03:33 am
Reply #5

sowhat-x

  • Guest


Took the courage to also post it over at the comments section in FireEye's blog entry,
so that it is easier for infected people to find it... :)

March 22, 2009, 11:15:32 am
Reply #6

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
Took the courage to also post it over at the comments section in FireEye's blog entry,
so that it is easier for infected people to find it... :)
Let's hope they will allow link to other sites. I do not believe they would post your comment.

March 22, 2009, 11:24:55 am
Reply #7

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Took the courage to also post it over at the comments section in FireEye's blog entry,
so that it is easier for infected people to find it... :)
Let's hope they will allow link to other sites. I do not believe they would post your comment.

No problem. I posted several links to MDL in the past. The links have been published.
Ruining the bad guy's day

March 23, 2009, 07:59:48 am
Reply #8

sowhat-x

  • Guest
It's nice of them that they published the comment...what i originally thought was,
that not that many "common" windows end-users actually have Perl installed in their boxes...

March 24, 2009, 07:06:14 pm
Reply #9

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day