Monday, August 13, 2012

Live Security Platinum (Rogue AV)

A couple of weeks ago I received a rogue AV sample that disguises itself as 'Live Security Platinum', although this malware was already discovered by other people a few months ago. Once this malware is installed, all your executable files will be marked as 'infected'. None of your files can be executed until you purchase their 'security' antivirus program. Let's take a look at a basic dynamic analysis here. In this write-up I'm not covering removal from your system in detail.

The malware that I received came from a compromised website that has been embedded with a Java object file that requires users to allow their browser to execute the .jar file. This .jar file will then download the .exe installer of the 'Live Security Platinum' malware.


The snapshot above shows the first run of the malware, which checks for the latest update, then downloads and installs it. The install path will be located in the user program data. See the image below.



After the install finishes, it automatically runs a fake 'scan'. At this point, none of your applications can be executed; they have been blocked by the malware.


If you try to run any application on your computer, you will get a fake notification that says your computer has been infected by 'malware'.


It will keep reminding you to update and purchase their 'software'.


Let's give it a try by entering a valid serial number into this malware's registration form. The key that I entered is AA39754E-715219CE. This key is already circulated on the internet, so I just used it to make removing the infection easier.


Once you click the 'Activate' button, you will be prompted that you have successfully registered their 'product'. All your applications can now run normally. You will notice that the rogue AV window has changed to a light blue color and there is an extra shortcut icon on your desktop. It is a URL shortcut to the malware website.


If we open the URL, we see there is an online user guide for users to read. As of now, the website is still accessible to the user.


For removal, Malwarebytes Anti-Malware would be fine for cleaning up the whole infection.
