AV Tracker

20 October 2009

It is time to present our AV Tracker to the public. We (our company) have published a new AV tracking system that logs and tracks the IP addresses and general information of antivirus analysis systems. The tracker can be used to determine whether a piece of software is being analyzed by an AV system and to protect it against that. We already have customers using our system to protect their software against uninvited analyzers.

The AV Tracker is available at http://www.avtracker.info

124.49.72.145
128.130.56.11
128.130.56.12
128.130.56.14
128.130.56.16
128.130.60.24
128.130.60.43
128.241.40.7
134.155.241.17
138.210.79.214
140.115.83.203
149.9.0.58
174.133.89.72
174.133.89.76
192.192.45.70
195.214.79.22
210.105.37.123
212.5.80.7
217.23.132.226
24.4.75.188
61.73.22.161
62.43.181.79
64.95.48.100
67.198.92.102
70.181.48.131
85.85.181.72
91.181.133.241
91.199.104.15
91.199.104.3
91.199.104.4
92.113.214.222
94.179.108.166
94.23.201.45
95.135.1.2

That is the current list of antivirus analysis systems on the internet. If you DDoS them, you cripple the whole AV business: there will be no new detections for as long as you keep them cut off from the internet. The IP list is also useful for software that downloads something from the internet, in order to hide that download from automatic analyzers like Anubis. You can simply exit the program when the client's IP matches one of the addresses on the AV list, and then your program stays safe from automatic analysis.

E.g. if you have a dropper that downloads the real malware, have it look up its own public IP (a what-is-my-IP request) and exit if the address is on the list, so the AVs never see it download the malware (and the dropper is not added to the virus database). Here is how the tracking system works (in short):

1. An executable is leaked to AVs, e.g. submitted to Anubis, VirusTotal or ThreatExpert
2. When executed, it contacts this website and reports the access (to a report.php file)
3. The website takes the client IP of that request and adds the record to the database
4. On the website the records are displayed, and the list can be exported as a plain IP list
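The following is an added example, not the AV Tracker's own code: a minimal in-memory model of steps 3 and 4 (one record per reporting client IP, exported as a plain string-sorted list in the same order as the list above) together with the client-side check from the previous paragraph (is the observed IP on the exported list?). The class and function names, the record fields, the sample list and the acceptance of CIDR lines are assumptions for illustration; the real report.php is not published on this page.

```python
"""Added example: model of the AV Tracker record/export step and the
client-side list check. Names, record format and sample data are assumptions."""
import ipaddress
from datetime import datetime, timezone

# Constructed sample of an exported plain list: two entries copied from the
# post's list, one CIDR line (an extension, not on the page) and one bad line
# to show that a corrupt entry must not break the whole check.
SAMPLE_LIST = """128.130.60.24
128.130.60.43
91.199.104.0/24
not-an-ip
"""


class Tracker:
    """In-memory stand-in for report.php: one record per reporting client IP."""

    def __init__(self):
        # str(ip) -> {"first_seen": datetime, "hits": int, "agents": set}
        self.records = {}

    def report(self, client_ip, user_agent="", when=None):
        """Record a hit from client_ip. Returns True if the IP is new to the list.
        Raises ValueError if client_ip is not a valid address, so a spoofed or
        malformed value never lands in the database."""
        ip = ipaddress.ip_address(client_ip)
        when = when or datetime.now(timezone.utc)
        rec = self.records.get(str(ip))
        if rec is None:
            self.records[str(ip)] = {"first_seen": when, "hits": 1,
                                     "agents": {user_agent}}
            return True
        rec["hits"] += 1
        rec["agents"].add(user_agent)
        return False

    def export_plain(self):
        """Plain IP list, one address per line, sorted as strings (the order the
        post's list uses, which is why 24.x sorts after 217.x)."""
        return "\n".join(sorted(self.records)) + "\n"


def parse_ip_list(text):
    """Parse an exported list into networks. Bare addresses become /32 (or /128)
    networks; CIDR lines are accepted as an extension; blank lines, '#' comments
    and unparsable entries are skipped rather than aborting the check."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def is_listed(client_ip, nets):
    """The client-side check from the post: True if client_ip falls inside any
    listed network. An unparsable client_ip is treated as not listed."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(ip in net for net in nets)


if __name__ == "__main__":
    t = Tracker()
    t.report("128.130.60.43", "Mozilla/4.0")
    t.report("24.4.75.188")
    print(t.export_plain())
    print(is_listed("128.130.60.24", parse_ip_list(SAMPLE_LIST)))
```

Note what the check does not cover: the exported list is a snapshot of addresses that have reported in so far, so an analysis system behind a dynamic or residential address (a point raised in the comments below) is only on the list if it has already run a tracked sample, and a system that blocks outbound traffic to the tracker never reports at all.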

TU Wien (Vienna University of Technology) tried to hack avtracker.info

Computers involved:

 - peach.seclab.tuwien.ac.at (128.130.60.43)
 - ckol.seclab.tuwien.ac.at (128.130.60.24)
 - chello080108003207.37.11.tuwien.teleweb.at (80.108.3.207)

Download their complete attack log at http://www.avtracker.info/TU Wien.txt. What they did was inject JavaScript code into the website (a typical XSS attack). The curious thing is that they are a public university. I have contacted the Seclab and TU Wien on this matter; let's see how they react.

Kaspersky Lab tried to hack avtracker.info – coming later!

The source code of the AV Tracker will be published soon!

14 comments on 'AV Tracker'

1. John said on 20 October 2009 at 5:58 pm:

    And then they changed the ips and added a rule to block traffic sent to http://www.avtracker.info :).

    Cheers

2. c4r15714n said on 20 October 2009 at 6:08 pm:

    “And then they changed the ips and added a rule to block traffic sent to http://www.avtracker.info :).”

    for a lot of reasons that's ridiculous…

    - not everyone can choose his IP (ISP..) .. and if so.. avtracker will get the new IPs…
    - it's possible to check if avtracker isn't available… => no execution
    - avtracker is still under development… functions will be adapted if required
    - some other points

    ps: it's definitely possible to avoid avtracker, but it's hard for automatic analysis software…

3. John said on 20 October 2009 at 8:27 pm:

    Haha, you don't know how many ‘anonymous’ automated systems exist :). Have you heard about dynamic IPs (DSL accounts)?

    Cheers

  4. [...] the rest here: AV Tracker : peterkleissner.com By admin | category: av download | tags: also-useful, from-the-internet, internet, [...]

5. blubb said on 22 October 2009 at 4:55 pm:

    “This is Peter Kleissner fuck Ikarus fuck the world fuck you all!
    I was once working with Ikarus and was a white hat, now I am the worst mean motherfucker black hat and I am selling the source code of Ikarus T3 :D
    I am with the SinowalWhistler developers, funny days, aren't they ;) and fuck Avira they don't have no idea :D bitches”

    no comment…

    Kleissner: Thanks for your no comment, but make sure not to take those messages literally; if you do, you will fail to understand me and my mind. Hey, I am doing a lot of things, so I need to fool the world from time to time ;). We call it an easter egg, http://de.wikipedia.org/wiki/Easter_Egg.

    It seems like you haven't done your homework: in the current version of the AV Tracker.exe I am leaking, I also include a line about Joanna Rutkowska :).

    And btw I am listening to Eminem's songs, so that should explain a bit too.. ;)

6. whoo said on 22 October 2009 at 6:27 pm:

    whoooooooooooooooooooo

7. blubb said on 22 October 2009 at 11:22 pm:

    Not taking it seriously, the Sinowal developers are smart enough not to brag about what they do. Many people in the whitehat scene did what you do when they were your age except they did not talk about it in public.

8. assemblage said on 23 October 2009 at 12:04 pm:

    Good job Peter, you have the ballz to fight against these corporate giants. I was working in the sec industry once for low piss money, then got fired by a retard boss -cause I don't respect my co-workers lawlz-. I've been unemployed for years and make my living from pushing malware, also making more money with it. :D

    Nice site, keep it up!

9. qgehyzwc said on 23 October 2009 at 6:47 pm:

    Well, it's quite simple to spy on the internal stuff of any public sandbox. Just an example: if you create a file within your trojan, the file will be listed in the report. So you can use this approach by creating a file whose filename is the hard disk serial number… or in ThreatExpert you can put the info into a message box, because ThreatExpert captures the screen and shows it to you ;) Once you have the hard disk serial number you can use it to check against the ThreatExpert sandbox… and that's just one idea out of a hundred :D Be creative!

10. [...] It is time for me to reveal the existence of AV Tracker to the public”, Kleissner wrote on the 20th of the month. This young security guru, whose presentations at BlackHat 2009 had [...]

11. mikkololz said on 21 November 2009 at 6:57 am:

    Add this shit too:

    http://hospital.f-secure.com/HospitalServer/

12. mikkololz said on 21 November 2009 at 10:11 am:

    Other server to fuck with:

    http://virusmap.quickheal.com/worldmap/entryadd.php?Vir_Name=Trojan.Stinker&Date=2009-11-20&Time=10:00:30

13. rm0x1 said on 12 December 2009 at 2:13 am:

    Honestly … to me this sounds like extortion, with the 2000€ and so on, regardless of the damage. Because if damage does occur, it would have worked without extortionate pressure as well. But since you are demanding money from them in advance, you are simply naive in that respect.

14. dingdong said on 12 December 2009 at 2:03 pm:

    If you approached the whole thing a bit more cleverly, people wouldn't have such a bad image of you.
    What I mean is: your “I'm the greatest” posturing (that's how you come across to people who don't know you) destroys a lot. You are capable of quite a bit and you make your own life hard with your manner.
    You know it yourself: egomaniacs rarely fit into a community.
    Conclusion: you need a PR consultant.. urgently.

