Restoro Scareware

My uncle shared this landing page with me- https://techloris.com/lp/de/error1.php

He told me that a fake windows alert came up to his screen while he was browsing the internet.

I am new to this community, I hope this might help you guys.
https://prnt.sc/v1afcp

This Tech Loris is some sort of PC repair blog- https://techloris.com/

@hector100#164228 can you check his browser history for the fake warning / popup and post a Screenshot or link here?

@NeeP#164290 I did check his browser’s history, the warning popup was uploaded on an IP link, something like http://249.123.456.001/error.

By the time I checked the IP it was already inactive. Only this techloris link was active.

MalwareBytes blacklisted

https://forums.malwarebytes.com/profile/188593-zynthesist/content/page/49/?type=forums_topic_post

104.27.150.48 in Website Blocking (PUP), posted August 13, 2018

@hector100#164294 was it that exact IP / link? Maybe I can find out more about it when I have the exact and correct IP link where the popup was on.

Hey all you may want to try VirusTotal for sites like that. I have the enterprise version so if you want I can get all the info. I’ll post link after I analyze.

Yep, malware and PUP nest

https://www.virustotal.com/graph/embed/g21d9e7bc66a04f14a0ec9afa660491da7d3ae0615e8e43159a365b0ac60331bb

When the ip is checked it downloads over 20 files.

@NeeP#164417 hi check my virus total link, it has all the IPs it connects

@Hax0rgurl#164462 well it’s a bit confusing. I don’t see the popup URL :confused:

@hector100#164294 even if it’s down, I need the exact IP or URL of the popup. The techloris landing page is somewhat fine and would not count as proper evidence for them conducting deceptive behavior.

@NeeP#164488 Okay, I will check the computer’s history. Give me some time.

@NeeP#164488 Okay, I will check. Give me some time.

@NeeP#164488 ok just ask me about what is confusing and I will try to explain. I understand it looks like a mess of files but that’s all their connections and redirects. The ones in red are all malicious. I am going to see if I can do a YARA search for a pop up specifically and get back to you.

About proving they are conducting malicious activity, please show them that graph. There is no denying that they are sending malware and phishing links to unsuspecting people that land on their pages.

@NeeP#164488 hold on I’m confused, isn’t .php the way you make popups? The address is

https://techloris.com/lp/de/error1.php am I confusing something? That address pops up as suspicious, it’s the one in the middle of the graph. That is the address that links to a ton of malicious files. If you follow the arrow from that file, to the others, you will see that’s the bad file and it says error like Hector mentioned. So I believe that’s the right address. Now, I have no way of seeing if that is the specific pop up and I’m working off an ipad, so if any of you have a VM set up, maybe you can go on the site and make sure. Maybe it’s error.php or error2? Just throwing out ideas.

I think I found something… it must be one of these… I can keep expanding but I didn’t want to make it super messy again.

I made the graph more organized…

VirusTotal Graph

I found all of these sites connected to the main one.

https://techloris.com/prevent-windows-10-automatic-updates
https://techloris.com/page-fault-in-a-non-paged-area/
https://techloris.com/kernel-security-check-failure/
https://techloris.com/create-a-windows-10-install-usb/

https://techloris.com/lp/it/error.php?&c=1537035995&ag=59766073198&k=pasty.link&p1=&p2=&p3=&gclid={gclid}

https://techloris.com/lp/au/error6.php?p1=Windows Update&p2=&p3=&c=1526323348&ag=62410810710&ad={adid}&k=www.bleepingcomputer.com&sq=&mt=&gclid=EAIaIQobChMIisrzjNz53QIVi3FgCh3BlQ5WEAEYAyAAEgJoafD_BwE

https://techloris.com/lp/uk/error.php?

https://techloris.com/lp/errors1.php?p1=Sound%20not)Working

https://techloris.com/lp/error9.php?&c=1555997749&ag=56566549142&ad={adid}&k=www.tenforums.com&p1=Windows%20Update&p2=&p3=&gclid=EAIaIQobChMI36-nzMny5QIVkQb5AB1UbgzuEAEYASAAEgIfQ_D_BwE&gclid=EAIaIQobChMI36-nzMny5QIVkQb5AB1UbgzuEAEYASAAEgIfQ_D_BwE

https://techloris.com/lp/fr/error4.php?p1=&p2=&p3=&c=1493871758&ag=56197397005&ad=296045633030&k=www.malekal.com&sq=&mt=&gclid=EAIaIQobChMI--qmlain6AIVDDHTCh3dqgySEAEYASAAEgK-GPD_BwE

https://techloris.com/go/asr

https://techloris.com/vidmate-for-pc/

https://techloris.com/lp/fr/error4.php?p1=&p2=&p3=&c=1597757226&ag=65934315812&ad=303093069518&k=www.malekal.com&sq=&mt=&gclid=CjwKCAjwydP5BRBREiwA-qrCGlQqzn_TRXCjK45t_LbuJSn5WHRgR2L1nc0iNzO8alpv2NSJkfWLShoCdUIQAvD_BwE

https://techloris.com/go/restoro

https://techloris.com/lp/error8.php?&c=1503301621&ag=66415359828&ad=416881052600&k=www.reviewjournal.com&p1=&p2=&p3=&gclid=EAIaIQobChMI6r-s7O236AIVBEJyCh0oRACqEAEYASAAEgJYlPD_BwE&gclid=EAIaIQobChMI6r-s7O236AIVBEJyCh0oRACqEAEYASAAEgJYlPD_BwE

https://techloris.com/microsoft-compatibility-telemetry/

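The URLs listed in the post above all share one shape: a `/lp/<locale>/errorN.php` path followed by a bundle of ad-campaign query parameters (`c`, `ag`, `ad`, `k`, `p1`, `gclid`). The following script is an added example written for this thread, not code posted by any participant, that parses such URLs and groups them by landing-page template so a triager can see them as variants of one page rather than separate findings. Assumptions, marked in comments: `gclid` is the Google Ads click identifier (a known parameter); `k` and `p1` are read here as the referring site and the search term only because their values look that way on the page, which is an inference and not documented anywhere in the thread; `{adid}` / `{gclid}` are treated as unfilled ad-template macros.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a subset of the URLs quoted in the post above, copied as written.
SAMPLE_URLS = [
    "https://techloris.com/lp/de/error1.php",
    "https://techloris.com/lp/it/error.php?&c=1537035995&ag=59766073198&k=pasty.link&p1=&p2=&p3=&gclid={gclid}",
    "https://techloris.com/lp/au/error6.php?p1=Windows Update&p2=&p3=&c=1526323348&ag=62410810710&ad={adid}&k=www.bleepingcomputer.com&sq=&mt=&gclid=EAIaIQobChMIisrzjNz53QIVi3FgCh3BlQ5WEAEYAyAAEgJoafD_BwE",
    "https://techloris.com/lp/error9.php?&c=1555997749&ag=56566549142&ad={adid}&k=www.tenforums.com&p1=Windows%20Update&p2=&p3=&gclid=EAIaIQobChMI36-nzMny5QIVkQb5AB1UbgzuEAEYASAAEgIfQ_D_BwE",
    "https://techloris.com/lp/fr/error4.php?p1=&p2=&p3=&c=1493871758&ag=56197397005&ad=296045633030&k=www.malekal.com&sq=&mt=&gclid=EAIaIQobChMI--qmlain6AIVDDHTCh3dqgySEAEYASAAEgK-GPD_BwE",
    "https://techloris.com/go/restoro",
    "https://techloris.com/kernel-security-check-failure/",
]


def _first(qs, key):
    """Return the first value of a query parameter, or '' if absent."""
    return qs.get(key, [""])[0]


def describe(url):
    """Break one URL into the fields a triager cares about.

    Landing pages are recognised by the /lp/.../*.php path shape seen on the page.
    The meaning of k and p1 is an assumption (referring site / search term).
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)  # leading '&' pairs are ignored
    segs = [s for s in parts.path.split("/") if s]
    is_lp = len(segs) >= 2 and segs[0] == "lp" and segs[-1].endswith(".php")
    return {
        "host": parts.hostname,
        "path": parts.path,
        "landing_page": is_lp,
        "locale": segs[1] if is_lp and len(segs) == 3 else None,
        "template": segs[-1] if is_lp else None,
        "search_term": _first(qs, "p1"),          # assumption: p1 = search term
        "referrer_keyword": _first(qs, "k"),      # assumption: k = referring site
        "campaign": _first(qs, "c"),
        "ad_group": _first(qs, "ag"),
        # gclid is the Google Ads click id; a literal "{gclid}" means the macro was never filled.
        "has_click_id": _first(qs, "gclid") != "" and not _first(qs, "gclid").startswith("{"),
    }


def unfilled_macros(url):
    """Parameters whose value is still a {placeholder}, i.e. an ad template macro (assumption)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k, v in qs.items() if v and v[0].startswith("{") and v[0].endswith("}"))


def summarize(urls):
    """Group URLs by landing-page template; everything that is not an /lp/ page goes under 'other'."""
    groups = defaultdict(list)
    for url in urls:
        d = describe(url)
        groups[d["template"] if d["landing_page"] else "other"].append(d)
    return dict(groups)


if __name__ == "__main__":
    for template, entries in summarize(SAMPLE_URLS).items():
        print(template)
        for e in entries:
            print(f"  locale={e['locale']} term={e['search_term']!r} from={e['referrer_keyword']!r} "
                  f"click_id={e['has_click_id']} macros={unfilled_macros('https://x/?' )}")
```

Run as-is to see the seven sample URLs collapse into five `errorN.php` templates plus two ordinary blog/redirect paths; the template name and locale are the only things that differ between landing pages, which is the same observation NeeP makes later in the thread when comparing `error9.php` with `error1.php`.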

@Hax0rgurl#164496 The https://techloris.com/lp/de/error1.php is just the landing page. It means from wherever you come from, probably a popup, you land there. I don’t think the site itself is malicious. It doesn’t look super nice but it’s not deceptive or illegal. Like it does not make false claims or pretend to be Microsoft. Hence no problem with that so far.

As per the Virustotal graph with the “malicious” files: the files are not malicious. They are detected by 1 out of 59 AVs and the only detection is by “Babable”, an AV I’ve never heard of before and it only classifies the file as PUP which isn’t malicious (enough).

As per the URLs / websites on that 104.26.5.188 IP address, these are just websites hosted on the same web server. I don’t think there’s a real connection between that landing page and these websites.

So sadly this isn't enough to prove malicious activity. I would need a screenshot or link of the popup itself. Or a real infected file. :/
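NeeP's reasoning above applies two triage rules that are worth having in code: a file flagged by one engine out of 59, and only as PUP, is not evidence of malware, and two sites resolving to the same IP are usually just neighbours on a shared web server. The script below is an added example for this thread, not something any participant posted, and does not call VirusTotal; it works on a constructed verdict table in the shape of a scan report (engine name to category/result) and a constructed host-to-IP list, both clearly made up. The engine names, labels, hostnames and the 203.0.113.0/24 documentation addresses are all invented; the thresholds (`min_engines`, `shared_threshold`) are this example's choices, not rules from the thread or from any AV vendor.

```python
from collections import defaultdict

# Constructed sample modelled on the thread's "1 out of 59, PUP only" case:
# 58 engines report nothing, one reports a PUP label. Vendor names are made up.
SAMPLE_VERDICTS = {f"Vendor{i:02d}": {"category": "undetected", "result": None} for i in range(1, 59)}
SAMPLE_VERDICTS["VendorPUP"] = {"category": "malicious", "result": "PUP.Optional.Installer"}

# Constructed contrast case: the same table but five engines agree on a trojan label.
MALWARE_VERDICTS = dict(SAMPLE_VERDICTS)
for _i in range(1, 6):
    MALWARE_VERDICTS[f"Vendor{_i:02d}"] = {"category": "malicious", "result": "Trojan.Generic.Constructed"}

# Constructed passive-DNS style resolutions: several unrelated names on one IP
# (shared hosting) and one name alone on another IP. Hosts/IPs are fictitious.
SAMPLE_RESOLUTIONS = [
    ("landing.example.com", "203.0.113.10"),
    ("recipes.example.net", "203.0.113.10"),
    ("shop.example.org", "203.0.113.10"),
    ("blog.example.org", "203.0.113.10"),
    ("c2.example.test", "203.0.113.77"),
]

# Substrings that mark a "potentially unwanted" verdict rather than a malware family.
PUP_MARKERS = ("pup", "pua", "not-a-virus", "riskware", "adware", "unwanted")


def is_pup_label(label):
    """True when an engine's result string is a PUP/PUA style label."""
    lowered = label.lower()
    return any(marker in lowered for marker in PUP_MARKERS)


def triage(verdicts, min_engines=3):
    """Classify a verdict table as clean / pup-only / suspicious / malicious.

    Only engines whose category is malicious or suspicious count as hits. PUP-labelled
    hits never promote a sample to 'malicious'; at least `min_engines` non-PUP hits do.
    """
    hits = {e: v["result"] for e, v in verdicts.items()
            if v["category"] in ("malicious", "suspicious") and v["result"]}
    pup_hits = {e: r for e, r in hits.items() if is_pup_label(r)}
    malware_hits = {e: r for e, r in hits.items() if e not in pup_hits}
    if not hits:
        verdict = "clean"
    elif len(malware_hits) >= min_engines:
        verdict = "malicious"
    elif malware_hits:
        verdict = "suspicious"
    else:
        verdict = "pup-only"
    return {"verdict": verdict, "ratio": f"{len(hits)}/{len(verdicts)}",
            "pup": pup_hits, "malware": malware_hits}


def hosts_by_ip(resolutions):
    """Group resolved hostnames by IP address."""
    groups = defaultdict(set)
    for host, ip in resolutions:
        groups[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def registrable(host):
    """Crude last-two-labels approximation of the registrable domain (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def cohosting_is_weak_evidence(resolutions, ip, shared_threshold=2):
    """True when more than `shared_threshold` distinct domains share the IP.

    On such an IP, co-location alone says nothing about whether two sites are related.
    """
    domains = {registrable(h) for h in hosts_by_ip(resolutions).get(ip, [])}
    return len(domains) > shared_threshold


if __name__ == "__main__":
    print(triage(SAMPLE_VERDICTS))      # pup-only, 1/59
    print(triage(MALWARE_VERDICTS))     # malicious, 6/59
    for ip in ("203.0.113.10", "203.0.113.77"):
        print(ip, hosts_by_ip(SAMPLE_RESOLUTIONS)[ip],
              "shared hosting" if cohosting_is_weak_evidence(SAMPLE_RESOLUTIONS, ip) else "dedicated")
```

The domain check uses a last-two-labels approximation; for real data substitute a public-suffix library so `foo.co.uk` is not collapsed to `co.uk`. The thresholds are deliberately conservative so that a single engine, or a PUP-only consensus, never turns into a "malicious" claim on its own, which is exactly the standard of evidence NeeP asks for above.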

This is a screen shot of the latest graph…

https://www.icloud.com/sharedalbum/#B0e5oqs3q8Gp3kU

Did you see these links? One of them has to be it. If not then I got nothing...lol

I tried. 🤷🏻‍♀️

@Hax0rgurl#164503 I don’t see why these should be malicious :confused: Did you find a virus there or why do you think that they’re malicious? If you go to these links, e.g. the error9.php, it’s basically the same site as error1.php but it has a different title: “how to fix windows NA errors”. These are just the landing pages. But it’s not malicious, there’s no virus on it and the page doesn’t pretend to be Microsoft or something.

The only thing that I find deceptive or at least borderline is that it claims "Restoro is highly recommended to repair Windows 10 errors" which is bs. Microsoft does not recommend this software. So this could be something they fked up :P
![](https://i.imgur.com/1khBoG5.png)
We'd need the popup message which claims something like "Warning! Your PC has 5 Viruses" which was probably what @hector100#164489 was talking about that his uncle had on the computer.

Btw I'm using the AppEsteem certification checklist (https://customer.appesteem.com/home/checklist) and the deceptor checklist (https://customer.appesteem.com/home/checklist?minbar=y) to determine if something is bad or good. They've made a pretty good checklist of what is considered deceptive and what is considered acceptable. If we find something that is violating these rules, I can submit it to AppEsteem, they'll blacklist the software and since a lot of AVs are listening to them, the whole software gets detected as PUP or virus idk on **all** AVs.

@NeeP#164513 hi some of them have pages that download things in the background and call back to other IPs, did you check my graphs? I found EXEs on there, I think that Restoro was one. If you can go on the site then you need to check the back end of the code. I mean sure any site at first glance can look okay but they can be sending you a malicious javascript that quietly installs a remote caller on your system without you even seeing it happen. My computer is fried from a virus so I’m unfortunately not able to VM at the moment and I don’t trust any of those sites. Maybe I should do a screen video of VirusTotal as it’s creating the graph so you understand all the files just landing on one page calls or downloads.

I’m not sure of their level of malware sophistication but even script kiddie shit these days is getting complicated. Did you know for example STUXNET is on github? Yeah. Anyone can go and use it and change the code to their needs. So intelligence isn’t needed for good coding anymore. You can just steal code.

@NeeP#164513 ok I will check the checklist.

@Hax0rgurl#164554 callbacks to other IPs are no problem. If you check the graph, it even goes to real Microsoft. Yes, EXEs are Restoro which makes sense because the landing page is a Restoro website, advertising the download of Restoro/ReImage (which is the same? idk). I didn’t check for any malicious javascript but if we haven’t found anything, we can’t claim one is there. Innocent until proven guilty.

The malicious EXEs are all Restoro/ReImage and usually they’re detected as PUP which means they’re not true malware. I think it needs a close examination of ReImage and Restoro according to the AppEsteem certification guidelines.