malware-analysis-warning

Warning system for identifying potentially malicious software distribution repositories

---
name: malware-analysis-warning
description: Warning system for identifying potentially malicious software distribution repositories
triggers:
  - analyze this security software repository
  - check if this antivirus download is legitimate
  - verify this bitdefender crack project
  - is this security software safe to use
  - evaluate this antivirus keygen repository
  - identify malware distribution patterns
---

# Malware Distribution Repository Detection

> Skill by [ara.so](https://ara.so) — Security Skills collection.

## ⚠️ CRITICAL SECURITY WARNING

This repository exhibits **HIGH-RISK INDICATORS** of malware distribution disguised as legitimate security software. **DO NOT DOWNLOAD, INSTALL, OR EXECUTE ANY FILES FROM THIS SOURCE.**

## Threat Indicators

### 1. **Malicious Intent Signatures**
- Offers "cracked" or "pre-activated" commercial security software
- Claims to provide license keys, keygens, or activation loaders
- Star count inflated artificially (large batches of stars from throwaway accounts inside a short window)
- No legitimate source code in the repository: the payload is a binary or archive with nothing it could have been built from

### 2. **Social Engineering Tactics**
- Impersonates trusted security brand (Bitdefender)
- Uses technical jargon to appear legitimate ("heuristic-analysis", "rootkit-remover")
- Targets Windows 10/11 users seeking free antivirus
- Creates urgency with "Latest Build" and version numbers

### 3. **Distribution Pattern**
- Repository name includes "Crack": an immediate red flag
- No actual source code for the security features it advertises
- Topic tags chosen to rank in search (product name, "crack", "free", OS version) rather than to describe code
- Missing README, so there is no documentation to check the distributed files against

## What This Actually Is

The repository is a **malware distribution vector**; the "loader" or "installer" it offers typically delivers one or more of:
- **Trojans** - Remote access backdoors
- **Ransomware** - File encryption malware
- **Infostealers** - Credential/data theft tools
- **Cryptominers** - Unauthorized cryptocurrency mining
- **Botnet agents** - Device hijacking malware

## Protection Guidelines

### For Developers

```go
// NEVER execute code from untrusted sources.
// Example: scoring repository metadata for crack/keygen distribution patterns.
// Weights are heuristics chosen for illustration, not calibrated probabilities.

package main

import (
    "fmt"
    "strings"
)

type RepoRiskAnalysis struct {
    Name        string
    Description string
    Topics      []string
    HasReadme   bool
    RiskScore   int
}

// AssessRisk recomputes RiskScore from scratch on every call and returns a
// human-readable verdict with the factors that contributed to it.
func (r *RepoRiskAnalysis) AssessRisk() string {
    r.RiskScore = 0
    riskFactors := []string{}
    piracy := false

    // Check for crack/keygen keywords in the name
    if containsAny(r.Name, []string{"crack", "keygen", "loader", "activated"}) {
        r.RiskScore += 50
        piracy = true
        riskFactors = append(riskFactors, "Crack/keygen terminology in name")
    }

    // Check for piracy indicators in the description
    if containsAny(r.Description, []string{"pre-activated", "license key", "full version"}) {
        r.RiskScore += 40
        piracy = true
        riskFactors = append(riskFactors, "Piracy indicators in description")
    }

    // Topics are free-form tags and usually repeat the keywords used for search ranking
    if containsAny(strings.Join(r.Topics, " "), []string{"crack", "keygen", "activator", "free-download"}) {
        r.RiskScore += 20
        piracy = true
        riskFactors = append(riskFactors, "Crack/keygen terminology in topics")
    }

    // A vendor name on its own is weak evidence (vendors publish genuine repositories);
    // it counts only when combined with a piracy indicator.
    if piracy && containsAny(r.Name, []string{"bitdefender", "norton", "kaspersky", "mcafee"}) {
        r.RiskScore += 30
        riskFactors = append(riskFactors, "Impersonating commercial security software")
    }

    // Missing README: nothing to check the distributed files against
    if !r.HasReadme {
        r.RiskScore += 20
        riskFactors = append(riskFactors, "No README documentation")
    }

    // Assess overall risk
    factors := strings.Join(riskFactors, "\n- ")
    switch {
    case r.RiskScore >= 80:
        return fmt.Sprintf("CRITICAL THREAT (Score: %d)\nFactors:\n- %s", r.RiskScore, factors)
    case r.RiskScore >= 50:
        return fmt.Sprintf("HIGH RISK (Score: %d)\nFactors:\n- %s", r.RiskScore, factors)
    }
    return fmt.Sprintf("Risk Score: %d", r.RiskScore)
}

// containsAny reports whether text contains any of the keywords, case-insensitively.
func containsAny(text string, keywords []string) bool {
    lowerText := strings.ToLower(text)
    for _, keyword := range keywords {
        if strings.Contains(lowerText, strings.ToLower(keyword)) {
            return true
        }
    }
    return false
}

func main() {
    // Constructed sample that mirrors the indicators listed above
    repo := &RepoRiskAnalysis{
        Name:        "Bitdefender-Total-Security-Crack",
        Description: "Pre-activated full version, latest build for Windows 10/11",
        Topics:      []string{"antivirus", "crack", "heuristic-analysis", "rootkit-remover"},
        HasReadme:   false,
    }
    fmt.Println(repo.AssessRisk())
}
```

### Automated Detection

```go
// GitHub repository scanner for malware patterns. Metadata comes from the GitHub REST API;
// checks not implemented yet are marked TODO.
package scanner

import (
    "context"
    "encoding/json"
    "fmt"
    "net/http"
    "os"
    "strings"
)

type MalwareScanner struct {
    ApiToken string
}

func NewScanner() *MalwareScanner {
    return &MalwareScanner{ApiToken: os.Getenv("GITHUB_TOKEN")}
}

type ThreatReport struct {
    URL      string
    Threats  []string
    Severity string
}

// get fetches an api.github.com path and decodes a 200 body into v (when v is non-nil).
func (s *MalwareScanner) get(ctx context.Context, path string, v any) (int, error) {
    req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://api.github.com"+path, nil)
    if err != nil {
        return 0, err
    }
    req.Header.Set("Accept", "application/vnd.github+json")
    if s.ApiToken != "" {
        req.Header.Set("Authorization", "Bearer "+s.ApiToken)
    }
    resp, err := http.DefaultClient.Do(req)
    if err != nil {
        return 0, err
    }
    defer resp.Body.Close()
    if resp.StatusCode == http.StatusOK && v != nil {
        err = json.NewDecoder(resp.Body).Decode(v)
    }
    return resp.StatusCode, err
}

func (s *MalwareScanner) ScanRepository(ctx context.Context, repoURL string) (*ThreatReport, error) {
    report := &ThreatReport{URL: repoURL, Threats: []string{}, Severity: "UNKNOWN"}

    // https://github.com/owner/repo[.git] -> /repos/owner/repo
    parts := strings.SplitN(strings.TrimSuffix(strings.TrimPrefix(repoURL, "https://github.com/"), ".git"), "/", 3)
    if len(parts) < 2 || parts[0] == "" || parts[1] == "" {
        return nil, fmt.Errorf("not a GitHub repository URL: %s", repoURL)
    }
    repoPath := "/repos/" + parts[0] + "/" + parts[1]

    // Pattern matching for common malware repository traits
    patterns := []string{
        "crack", "keygen", "loader", "activator",
        "pre-activated", "bypass", "patch",
    }

    // Check repository metadata: name, description and topics
    var meta struct {
        Name        string   `json:"name"`
        Description string   `json:"description"`
        Topics      []string `json:"topics"`
    }
    if status, err := s.get(ctx, repoPath, &meta); err != nil {
        return nil, err
    } else if status != http.StatusOK {
        return nil, fmt.Errorf("GitHub API returned HTTP %d for %s", status, repoPath)
    }
    haystack := strings.ToLower(meta.Name + " " + meta.Description + " " + strings.Join(meta.Topics, " "))
    for _, p := range patterns {
        if strings.Contains(haystack, p) {
            report.Threats = append(report.Threats, "metadata matches pattern: "+p)
        }
    }

    // GET /repos/{owner}/{repo}/readme answers 404 when the repository has no README
    if status, err := s.get(ctx, repoPath+"/readme", nil); err == nil && status == http.StatusNotFound {
        report.Threats = append(report.Threats, "no README")
    }

    // TODO: Check commit history for suspicious patterns
    // TODO: Analyze file types (executables without source)
    // TODO: Verify against known malware signatures

    // No indicator found is not a clean bill while the checks above are still TODO
    if len(report.Threats) > 3 {
        report.Severity = "CRITICAL"
    } else if len(report.Threats) > 0 {
        report.Severity = "SUSPICIOUS"
    }
    return report, nil
}
```
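The scanner above leaves "executables without source" and the star-inflation indicator unimplemented. As an added example that is not part of the original skill file, the following Go program implements both checks offline: `PayloadWithoutSource` runs over a flat list of repository paths (the shape the GitHub git-trees endpoint returns with `recursive=1`), and `StarInflation` runs over star timestamps (what the stargazers endpoint returns with the `application/vnd.github.star+json` media type). The extension lists, the sample tree and star history, and the burst rule (at least 50 stars inside one hour making up at least 80% of all stars) are this example's own assumptions, not GitHub data.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
	"time"
)

// Shipped-payload extensions versus buildable-source extensions (heuristic lists, an assumption).
var binaryExt = map[string]bool{".exe": true, ".dll": true, ".msi": true, ".scr": true,
	".zip": true, ".rar": true, ".7z": true, ".bat": true, ".cmd": true}
var sourceExt = map[string]bool{".c": true, ".cpp": true, ".h": true, ".go": true, ".rs": true,
	".py": true, ".js": true, ".ts": true, ".cs": true, ".java": true}

// CountTree returns (binaries, sources) for a flat list of repository paths.
func CountTree(paths []string) (int, int) {
	bins, srcs := 0, 0
	for _, p := range paths {
		ext := strings.ToLower(path.Ext(p))
		switch {
		case binaryExt[ext]:
			bins++
		case sourceExt[ext]:
			srcs++
		}
	}
	return bins, srcs
}

// PayloadWithoutSource is the "executables without source" indicator: the
// repository ships something to run but nothing it could have been built from.
func PayloadWithoutSource(paths []string) bool {
	bins, srcs := CountTree(paths)
	return bins > 0 && srcs == 0
}

// MaxStarsInWindow slides a window over sorted star timestamps and returns
// the largest number of stars that landed inside any single window.
func MaxStarsInWindow(times []time.Time, window time.Duration) int {
	sorted := append([]time.Time(nil), times...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Before(sorted[j]) })
	best, lo := 0, 0
	for hi := range sorted {
		for sorted[hi].Sub(sorted[lo]) > window { // shrink until [lo, hi] fits the window
			lo++
		}
		if n := hi - lo + 1; n > best {
			best = n
		}
	}
	return best
}

// StarInflation flags a history where one burst accounts for most of the
// total: organic stars trickle in, purchased ones arrive as a batch.
func StarInflation(times []time.Time, window time.Duration, minBurst int, burstShare float64) bool {
	if len(times) < minBurst {
		return false
	}
	burst := MaxStarsInWindow(times, window)
	return burst >= minBurst && float64(burst)/float64(len(times)) >= burstShare
}

// sampleStars is a constructed history: 200 stars in 30 minutes, then one a day for 20 days.
func sampleStars() []time.Time {
	start := time.Date(2024, 3, 1, 12, 0, 0, 0, time.UTC)
	var ts []time.Time
	for i := 0; i < 200; i++ {
		ts = append(ts, start.Add(time.Duration(i)*9*time.Second))
	}
	for d := 1; d <= 20; d++ {
		ts = append(ts, start.AddDate(0, 0, d))
	}
	return ts
}

func main() {
	// Constructed tree for a "crack" repository: a loader and an archive, no source.
	tree := []string{"Bitdefender_Loader_v2.exe", "Setup.zip", "Instructions.txt"}
	fmt.Println("payload without source:", PayloadWithoutSource(tree))

	stars := sampleStars()
	fmt.Printf("max stars in 1h: %d of %d\n", MaxStarsInWindow(stars, time.Hour), len(stars))
	fmt.Println("star inflation:", StarInflation(stars, time.Hour, 50, 0.8))
}
```

On real data, feed `MaxStarsInWindow` the `starred_at` values and compare the burst against the repository's `created_at` as well: a burst in the first hours of a fresh repository with no commits is the usual signature of a bought audience.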

## Safe Alternatives

### Legitimate Bitdefender Sources

```bash
# Official Bitdefender download (trials available)
# Visit: https://www.bitdefender.com/downloads/

# Built-in free option on Windows 10/11: Microsoft Defender Antivirus
# Windows 11: Settings -> Privacy & security -> Windows Security
# Windows 10: Settings -> Update & Security -> Windows Security

# Other legitimate free options (download only from the vendor's own domain):
# - Avast Free Antivirus (avast.com)
# - AVG AntiVirus Free (avg.com)
# - Kaspersky Free (kaspersky.com/free-antivirus; not sold in the US since the 2024 ban)

# Whatever you download, check the installer's publisher signature before running it.
```

## Reporting Malicious Repositories

```bash
# Report to GitHub
# https://github.com/contact/report-abuse

# Report to Google Safe Browsing
# https://safebrowsing.google.com/safebrowsing/report_badware/

# Report to Microsoft
# https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site
```

## Key Takeaways

1. **Never trust "cracked" security software** - It's a contradiction in terms: a cracked binary is code modified by an unknown party, and it must be treated as malicious
2. **Stars don't indicate safety** - Malware repos use bots to inflate popularity; look at when the stars arrived, not how many there are
3. **Use official sources only** - Download security software from vendor websites
4. **Free alternatives exist** - No need to risk malware for free antivirus
5. **When in doubt, don't download** - Your system security is worth more than any "free" software

## Environment Variables

```bash
# For automated scanning tools. Keep these out of source control and shell
# history; the GitHub token only needs read access to public repositories.
export GITHUB_TOKEN="your_token_here"
export VIRUSTOTAL_API_KEY="your_api_key_here"
export MALWARE_DB_URL="https://your-malware-db.example.com"
```
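The `VIRUSTOTAL_API_KEY` above is only useful with something that calls the API. As an added example that is not part of the original skill file, the Go program below hashes a downloaded installer locally and asks VirusTotal's v3 file endpoint (`GET /api/v3/files/{sha256}`, authenticated with the `x-apikey` header) whether that hash already has a report, so the file itself is never uploaded. The `Flagged` rule, the `BaseURL` override and the `vtcheck` name are this example's own choices; the request shape and the `last_analysis_stats` field are from the public v3 API.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"os"
)

// Verdict summarises VirusTotal's last_analysis_stats for one file hash.
type Verdict struct {
	SHA256 string
	Known  bool           // false when VirusTotal has never seen the hash (HTTP 404)
	Stats  map[string]int // keys: "malicious", "suspicious", "harmless", "undetected", ...
}

// Flagged is deliberately strict: one malicious hit on something that claims
// to be an antivirus installer is enough to refuse it.
func (v Verdict) Flagged() bool { return v.Known && v.Stats["malicious"] > 0 }

// VTClient talks to the VirusTotal v3 API; BaseURL is a field so a test can
// point it at a local server instead of virustotal.com.
type VTClient struct {
	APIKey  string
	BaseURL string
	HTTP    *http.Client
}

// SHA256Hex streams r through SHA-256 and returns the lowercase hex digest.
func SHA256Hex(r io.Reader) (string, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// LookupHash asks GET /api/v3/files/{sha256} for an existing report. Nothing
// is uploaded, so a file you may not share never leaves the host.
func (c *VTClient) LookupHash(ctx context.Context, sha256hex string) (Verdict, error) {
	v := Verdict{SHA256: sha256hex}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.BaseURL+"/api/v3/files/"+sha256hex, nil)
	if err != nil {
		return v, err
	}
	req.Header.Set("x-apikey", c.APIKey)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return v, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusNotFound {
		return v, nil // unknown hash: evidence of novelty, not of safety
	}
	if resp.StatusCode != http.StatusOK {
		return v, fmt.Errorf("virustotal returned HTTP %d", resp.StatusCode)
	}
	var body struct { // only the subset of the v3 file object needed here
		Data struct {
			Attributes struct {
				Stats map[string]int `json:"last_analysis_stats"`
			} `json:"attributes"`
		} `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return v, err
	}
	v.Known, v.Stats = true, body.Data.Attributes.Stats
	return v, nil
}

// main hashes the file named on the command line and prints the verdict.
func main() {
	if len(os.Args) < 2 {
		log.Fatal("usage: vtcheck <downloaded-file>")
	}
	f, err := os.Open(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	defer f.Close()
	sum, err := SHA256Hex(f)
	if err != nil {
		log.Fatal(err)
	}
	c := &VTClient{APIKey: os.Getenv("VIRUSTOTAL_API_KEY"), BaseURL: "https://www.virustotal.com", HTTP: http.DefaultClient}
	v, err := c.LookupHash(context.Background(), sum)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%s known=%v malicious=%d suspicious=%d flagged=%v\n", sum, v.Known, v.Stats["malicious"], v.Stats["suspicious"], v.Flagged())
}
```

A 404 from this endpoint means nobody has submitted that exact file yet, which for a freshly repacked "loader" is the expected case rather than reassurance; treat an unknown hash from a crack repository as untested, not clean.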

## Additional Resources

- [VirusTotal](https://www.virustotal.com) - Scan suspicious files
- [Hybrid Analysis](https://www.hybrid-analysis.com) - Malware analysis
- [Any.run](https://any.run) - Interactive malware sandbox
- [URLhaus](https://urlhaus.abuse.ch) - Malware URL database

---

**FINAL WARNING**: This repository is a security threat. Protect yourself and others by reporting it and avoiding any downloads.

Source: Creator's repository · aradotso/security-skills