Wednesday, July 3, 2013

FakeAV - Affiliate
ZBot / ZeroAccess
Advert Panel > > >
netname:    TOEN
descr:      TOEN INCORPORATED
descr:      Middle East, U.A.E.
country:    AE

UPDATE 7/12/13 - Still Active
Same server, same panel, same stats.

I took another sample to check out. 

AV detection is up from 22/46,
but still, 20 vendors don't detect this fucker. WTF.


The .pcap file shows a DNS query to find >

After the DNS lookup, 21.1.exe talks to via HTTP and makes some requests like: 
hxxp://  (404, LOL) 

After this chatter it downloads a file, "SCC", which appears to be clean.

Next, another api/ping GET.

And then this: 

I'll dig into this more when I have time. 
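The check-in chain described above (DNS lookup, GET to api/ping, file download, second api/ping GET) and the affiliate.subaccount.exe build naming can be turned into a simple sequence detector. This is an added example, not code from the original post; the hostname, URIs and statuses in the event list are constructed placeholders, since the post redacts the real ones.

```python
import re

# Constructed stand-in for the pcap described in the post: (kind, a, b, status).
# For DNS records a=query type, b=name; for HTTP records a=method, b=URI path.
SAMPLE_EVENTS = [
    ("dns", "A", "c2.example.invalid", ""),
    ("http", "GET", "/api/ping", "404"),   # the post saw a 404 here
    ("http", "GET", "/SCC", "200"),        # the "SCC" download
    ("http", "GET", "/api/ping", "200"),   # second ping
]

# Build names in the panel look like <affiliate>.<subaccount>.exe (21.1, 21.566, 21.21).
BUILD_NAME = re.compile(r"^(?P<affiliate>\d+)\.(?P<subaccount>\d+)\.exe$", re.I)


def parse_build_name(name):
    """Split a build name such as 21.566.exe into (affiliate, subaccount), else None."""
    m = BUILD_NAME.match(name)
    if not m:
        return None
    return int(m.group("affiliate")), int(m.group("subaccount"))


def matches_checkin_chain(events):
    """True when the ordered event stream contains the four-stage chain:
    DNS lookup -> api/ping GET (any status) -> successful non-ping GET -> api/ping GET."""
    stages = ["dns", "ping", "download", "ping"]
    idx = 0
    for kind, a, b, status in events:
        want = stages[idx]
        is_ping = kind == "http" and a == "GET" and b.endswith("/api/ping")
        if want == "dns" and kind == "dns":
            idx += 1
        elif want == "ping" and is_ping:
            idx += 1
        elif want == "download" and kind == "http" and a == "GET" \
                and not is_ping and status == "200":
            idx += 1
        if idx == len(stages):
            return True
    return False


def tag_alert(sample_name, events):
    """Return an alert dict tagged with affiliate/subaccount IDs, or None if no chain."""
    if not matches_checkin_chain(events):
        return None
    ids = parse_build_name(sample_name)
    return {"sample": sample_name,
            "affiliate": ids[0] if ids else None,
            "subaccount": ids[1] if ids else None}
```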

Original Post:

First posted on in 2012!

07-11-2012 FakeAV PC Defender Plus

Panel still online


Money: $ 0 
no shit. 


Sub Acc

Get .exe

This page builds a new binary and associates it with a subaccount for tracking the install.

I built a test .exe (21.21) and submitted it to VirusTotal. After I did this, I checked the Geo page and saw that there was a new install from France (must be the VirusTotal sandbox allowing the exe to run).

The first two builds (21.1.exe and 21.566.exe) were already in the panel.

(VT 22/46)

(VT 22/47)

21.21.exe (test build)
(VT 22/47)
