Tracking Cyber Crime: Gagarincash AV Affiliate

Another Fake AV affiliate infiltrated: Gagarincash AV<br />
My friend <a href="http://scriptkiddiesec.blogspot.com/">ScriptKiddieSec</a> gave me an ICQ number to contact these guys and get access<br />
<br />
<div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMGolSovsDosudt0IzPLiOgToN-G3luU5xC-MULXoDycOen7NpnOMk7I3UFUaSp3C-CIRZVJDaKfCwvr1NtFG9G_3syE4OaVlg_BcwG4nk1ZX9wMI7FYmW_8-2sP1WyIWF5etp2r5hDLaX/s1600/9.PNG" imageanchor="1"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMGolSovsDosudt0IzPLiOgToN-G3luU5xC-MULXoDycOen7NpnOMk7I3UFUaSp3C-CIRZVJDaKfCwvr1NtFG9G_3syE4OaVlg_BcwG4nk1ZX9wMI7FYmW_8-2sP1WyIWF5etp2r5hDLaX/s400/9.PNG" width="400" /></a></div><br />
Gagarincash AV site (nb: The man on background is Yuri Gagarin):<br />
<div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_yKqiChF5b2drRBFsDxwxNQrb57Dr8dv0GZlSIzOFTKnYkz_LEGrflNQJxGdzAGawrWE0nJ_fDN5D8Rum4H1pE_rpVyevkhCEXF-Yexa2K6esnAiRr99ip995w3IYaZWMJAHXiNzDgFXb/s1600/1.PNG" imageanchor="1"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_yKqiChF5b2drRBFsDxwxNQrb57Dr8dv0GZlSIzOFTKnYkz_LEGrflNQJxGdzAGawrWE0nJ_fDN5D8Rum4H1pE_rpVyevkhCEXF-Yexa2K6esnAiRr99ip995w3IYaZWMJAHXiNzDgFXb/s400/1.PNG" width="400" /></a></div><br />
<div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3XUR8inY8ouRoS2_g_NJp4n9KihiZ47evGmLDFx9HfHSy0Ct7vgP53KV08JkkI1Psy84R3HDuQ2J3LibYTXLiAd8nu3GuJrYC88Q4rlpbqQmSJPotAsY1C6HKVhDa13j4lPUC4zb3buID/s1600/8.PNG" imageanchor="1"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3XUR8inY8ouRoS2_g_NJp4n9KihiZ47evGmLDFx9HfHSy0Ct7vgP53KV08JkkI1Psy84R3HDuQ2J3LibYTXLiAd8nu3GuJrYC88Q4rlpbqQmSJPotAsY1C6HKVhDa13j4lPUC4zb3buID/s400/8.PNG" width="400" /></a></div><br />
Unlike the BestAV network, which was very professional and closed, Gagarincash has a very simple interface, and a new account can be created if you have an invitation. To get an invitation, you need to pose as a bad guy :þ<br />
<br />
<div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcczH54CXnhyphenhyphenESerkQ5XfGyJEYaVEIXXeSRoqHFi9Tlu159Mm2FNvLKUVhuxATuUCIzitLD5hEXEnx6QEqUb1nMxw0s10mF9LOrQ8z24SBk9JqijW3hfNwoaCdIT3vkne17j9a3OnYGGNC/s1600/7.PNG" imageanchor="1"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcczH54CXnhyphenhyphenESerkQ5XfGyJEYaVEIXXeSRoqHFi9Tlu159Mm2FNvLKUVhuxATuUCIzitLD5hEXEnx6QEqUb1nMxw0s10mF9LOrQ8z24SBk9JqijW3hfNwoaCdIT3vkne17j9a3OnYGGNC/s400/7.PNG" width="400" /></a></div><br />
<div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTvEnpmpL2JZSVGcVU4I682kK3FBHwOmruRN_7ypOqio3kSUDwIHuCXTq6Z29fkfO3evDvBsg64uRGMHa0zvr1yhPBTEcuGMdOiRX3grz2AOuRkpIouUjm_M4RTRPrXrjx72mnjARNuKPX/s1600/2.PNG" imageanchor="1"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTvEnpmpL2JZSVGcVU4I682kK3FBHwOmruRN_7ypOqio3kSUDwIHuCXTq6Z29fkfO3evDvBsg64uRGMHa0zvr1yhPBTEcuGMdOiRX3grz2AOuRkpIouUjm_M4RTRPrXrjx72mnjARNuKPX/s400/2.PNG" width="400" /></a></div><br />
When connected, all is grouped on the same page:<br />
<div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBnfhnCiObqozGjOA8AyjugTpds1-EhV4LMmQf2vhgPMspELQx6GS_2OTsmM8L1SFfEqgCa8MkbCi7TXeRIoZ0yWPSoFwUiQtGw6Tpvw8OYJYN8yp515009-ZU1bzoEsC4ub1QySLNazUJ/s1600/3.PNG" imageanchor="1"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBnfhnCiObqozGjOA8AyjugTpds1-EhV4LMmQf2vhgPMspELQx6GS_2OTsmM8L1SFfEqgCa8MkbCi7TXeRIoZ0yWPSoFwUiQtGw6Tpvw8OYJYN8yp515009-ZU1bzoEsC4ub1QySLNazUJ/s400/3.PNG" width="400" /></a></div><br />
Statistics, the FakeAV download and three invitation keys, in case you want to invite someone.<br />
The text above the statistics is interesting: Обновляйте exe раз в 5-10 минут. Теперь будет чище гораздо. (Update the exe every 5-10 minutes. Now it will be much cleaner.)<br />
This means the FakeAV exe is repacked every 5-10 minutes to keep detections low (like BestAV and many others).<br />
<br />
According to VirusTotal, the repacked FakeAV is detected by 11 antivirus engines<br />
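The repack-every-few-minutes trick above leaves a trace a defender can use: the same download URL keeps serving a binary with a new hash. The following is an added example (not code from the original post, and not from Gagarincash) that flags that pattern in download logs; the log lines, URLs and hashes are constructed placeholders, not indicators from this post.<br />

```python
"""Spot server-side repacking from download logs (constructed sample data).
A payload rebuilt every 5-10 minutes shows up as the same URL serving a new
hash again and again; signatures lag that churn, but the churn is a signal."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp, download URL, hash of the fetched file.
# URLs and hashes are placeholders, not indicators from the original post.
SAMPLE_LOG = """\
2011-06-14T10:00:00 http://affiliate.example/pack.exe aaaa0001
2011-06-14T10:07:00 http://affiliate.example/pack.exe aaaa0002
2011-06-14T10:15:00 http://affiliate.example/pack.exe aaaa0003
2011-06-14T10:22:00 http://affiliate.example/pack.exe aaaa0004
2011-06-14T10:00:00 http://vendor.example/setup.exe bbbb0001
2011-06-14T11:30:00 http://vendor.example/setup.exe bbbb0001
2011-06-14T13:00:00 http://vendor.example/setup.exe bbbb0002
"""


def parse_log(text):
    """Return {url: [(timestamp, hash), ...]} with entries sorted by time."""
    per_url = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, url, digest = line.split()
            per_url[url].append((datetime.fromisoformat(ts), digest))
    for entries in per_url.values():
        entries.sort()
    return per_url


def repack_alerts(per_url, max_gap=timedelta(minutes=15), min_variants=3):
    """Flag URLs that served at least `min_variants` distinct hashes, each new
    hash appearing within `max_gap` of the previous one (fast repacking)."""
    alerts = {}
    for url, entries in per_url.items():
        distinct = []  # collapse consecutive downloads of the same hash
        for ts, digest in entries:
            if not distinct or distinct[-1][1] != digest:
                distinct.append((ts, digest))
        gaps = [b[0] - a[0] for a, b in zip(distinct, distinct[1:])]
        if len(distinct) >= min_variants and all(g <= max_gap for g in gaps):
            alerts[url] = len(distinct)
    return alerts


if __name__ == "__main__":
    for url, n in repack_alerts(parse_log(SAMPLE_LOG)).items():
        print(f"{url}: {n} distinct binaries served minutes apart")
```

The legitimate vendor URL in the sample, whose hash changes only once and hours apart, is not flagged; only the fast-rotating one is.<br />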
<br />
<div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCC6xho1pZYeCYfpMEuDmF8GfiFY6DohRUd5VOzbF8962p3G8WVg6hubWOmS8J2gvTPGgQULGMN35jD64e3dulezE436oSMEpAApPt__YaRL1Gisbmg_EpLZQawSKWXPwR2RSIztaJ0bCo/s1600/11.PNG" imageanchor="1"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCC6xho1pZYeCYfpMEuDmF8GfiFY6DohRUd5VOzbF8962p3G8WVg6hubWOmS8J2gvTPGgQULGMN35jD64e3dulezE436oSMEpAApPt__YaRL1Gisbmg_EpLZQawSKWXPwR2RSIztaJ0bCo/s400/11.PNG" width="400" /></a></div><br />
Finally it's time to test their FakeAV, and it's: <b>Security Shield 2011</b>, named 'pack.exe' on their download page.<br />
<br />
<div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj86TbyWdc1auYwi-UYtEW3fYhOJs3duVgf-IuX10fgIpJT2B335t4PgBJYA9oBpo_OJagNvtB6s_8Pn3n3Rm78ufQYk8ss2htAumVKt2KxTzo0rIgaCRS9_HvdrgnzABwq57mDXS6cuf8M/s1600/10.PNG" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj86TbyWdc1auYwi-UYtEW3fYhOJs3duVgf-IuX10fgIpJT2B335t4PgBJYA9oBpo_OJagNvtB6s_8Pn3n3Rm78ufQYk8ss2htAumVKt2KxTzo0rIgaCRS9_HvdrgnzABwq57mDXS6cuf8M/s1600/10.PNG" /></a></div><br />
I'm sure you know it too ;)<br />
<br />
<div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis21K5NiO-Ur1buSRp2AozkszNFJB09Z757ZiNH-iV1geD0aaCPWy86bW25l-KUcakRlTDce2mWgbf4yC2dclS0TrizoZRhtnCoZj3yH7Biph3IaTmbkJmMsByztIo4_XIfFHkvV72nJdr/s1600/6.PNG" imageanchor="1"><img border="0" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis21K5NiO-Ur1buSRp2AozkszNFJB09Z757ZiNH-iV1geD0aaCPWy86bW25l-KUcakRlTDce2mWgbf4yC2dclS0TrizoZRhtnCoZj3yH7Biph3IaTmbkJmMsByztIo4_XIfFHkvV72nJdr/s400/6.PNG" width="400" /></a></div><br />
Fake gate:<br />
<div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVJ4FFCJDRjHBSHYj9H2RtSXrJ1kkFXRWcNLpHQeUiAlTAaeL9weajBb8XNjO_wwhhD0Y9qgRO2UBDDKHIDCIO54MgFjQLATAmZUsJMYo9ZhhZzuyEtDfeko77857TxTQyBSYY22-o-M5A/s1600/5.PNG" imageanchor="1"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVJ4FFCJDRjHBSHYj9H2RtSXrJ1kkFXRWcNLpHQeUiAlTAaeL9weajBb8XNjO_wwhhD0Y9qgRO2UBDDKHIDCIO54MgFjQLATAmZUsJMYo9ZhhZzuyEtDfeko77857TxTQyBSYY22-o-M5A/s400/5.PNG" width="400" /></a></div><br />
You can edit your details on Gagarincash, and something I noticed right away: your current password appears in plaintext in the password input field (I guess account info is not encrypted in the database).<br />
<br />
<div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdb09Au_OwzyLmq1BkFriBVzjHljP1eoJE21QW3j_YI4eW-cUP33XLj2QTF_aVhZSWLHZocUIRNuCMVIMbnHdiprQJwaPR4E7d-2qXv2eYR1ajhp4Hxevpgtxo-cQZ2Cba6Bl4ViWFDviu/s1600/4.PNG" imageanchor="1"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdb09Au_OwzyLmq1BkFriBVzjHljP1eoJE21QW3j_YI4eW-cUP33XLj2QTF_aVhZSWLHZocUIRNuCMVIMbnHdiprQJwaPR4E7d-2qXv2eYR1ajhp4Hxevpgtxo-cQZ2Cba6Bl4ViWFDviu/s400/4.PNG" width="400" /></a></div><br />
Contrary to common belief, the people who make FakeAV are not lone guys doing it for themselves.<br />
Generally, behind a FakeAV there is an affiliate network that produces a huge amount of traffic; don't take them lightly.<br />
<br />
Unpacking their FakeAV is boring, like this:<br />
<br />
<br />
Have a nice day.<br />
PS: For those who threaten me on IRC: who are you going to call, a hitman?<br />
haha, fags.<br />
<br />
Gagarincash related ~<br />
<a href="http://xylibox.blogspot.com/2011/06/tracking-cyber-crime-inside-fakeav.html">Tracking Cyber Crime: Inside the FakeAV Business</a> (14 Jun 2k11)<br />
<a href="http://xylibox.blogspot.com/2011/06/security-shield-2011.html">Security Shield 2011</a> (11 Jun 2k11)<br />
<a href="http://xylibox.blogspot.com/2011/05/essential-cleaner.html">Essential Cleaner</a> (18 May 2k11)<br />
<a href="http://xylibox.blogspot.com/2011/03/ms-removal-tool.html">MS Removal Tool</a> (29 Mar 2k11)<br />
<a href="http://xylibox.blogspot.com/2010/12/security-shield.html">Security Shield</a> (9 Dec 2k10)<br />
<a href="http://xylibox.blogspot.com/2010/11/system-tool.html">System Tool</a> (12 Dec 2k10)<br />
<a href="http://xylibox.blogspot.com/2010/08/security-tool-rogue-updated-version.html">Security Tool</a> (10 Aug 2k10)