malware-detection-and-removal

Identify, analyze, and document malware distribution repositories masquerading as legitimate software

---
name: malware-detection-and-removal
description: Identify, analyze, and document malware distribution repositories masquerading as legitimate software
triggers:
  - detect malware repository patterns
  - analyze suspicious github projects
  - identify software piracy scams
  - check for malicious crack repositories
  - verify legitimate security software
  - investigate fake download repositories
  - scan for threat distribution channels
  - evaluate repository authenticity
---

# Malware Detection and Removal

> Skill by [ara.so](https://ara.so) — Security Skills collection.

## ⚠️ WARNING: This Repository is Malicious

This project is **NOT** legitimate Bitdefender software. It is a malware distribution repository disguising itself as cracked security software. This skill documents how to identify and handle such threats.

## What This Repository Actually Is

This is a **malicious repository** that:
- Falsely claims to provide "cracked" Bitdefender Total Security
- Uses SEO-optimized keywords to attract victims searching for pirated software
- Contains no actual code (empty README, no source files)
- Uses deceptive topics like "defender-bypass" and "thread-hijacking"
- Artificially inflates stars to appear legitimate
- Distributes malware, ransomware, or information stealers

## Identification Patterns

### Red Flags for Malware Repositories

1. **Suspicious Description Keywords**:
   - "Crack", "Keygen", "Loader", "Pre-Activated"
   - "License Key", "Full Version", "Activation"
   - Version numbers that don't exist (2026 when current year is earlier)

2. **Repository Characteristics**:
   - No actual source code or empty README
   - Recent creation with rapid star accumulation
   - No legitimate commit history
   - Topics include "bypass" and exploit terminology
   - NOASSERTION license or no license

3. **Deceptive Naming**:
   - Legitimate software name + "Crack"/"Download"
   - Version numbers in future dates
   - Setup/Installer in project name
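The "Deceptive Naming" patterns above can be checked mechanically. The following is an added example, not code from the original skill: it flags a legitimate product name combined with a piracy or installer term, and any four-digit year later than a caller-supplied current year (the product list and the year 2025 in `main` are constructed placeholders).

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Added example (not part of the original skill): flags the deceptive-naming
// patterns listed above. currentYear is passed in to keep the check deterministic.
var (
	// A standalone four-digit year, e.g. the "2026" in "Total-Security-Crack-2026".
	yearRe = regexp.MustCompile(`\b(20\d{2})\b`)
	// Piracy/installer terms bolted onto a legitimate product name.
	suffixRe = regexp.MustCompile(`(?i)\b(crack|keygen|download|setup|installer|pre-?activated)\b`)
)

// FutureVersionYears returns every four-digit year in text that is later than currentYear.
func FutureVersionYears(text string, currentYear int) []int {
	var future []int
	for _, m := range yearRe.FindAllStringSubmatch(text, -1) {
		if y, err := strconv.Atoi(m[1]); err == nil && y > currentYear {
			future = append(future, y)
		}
	}
	return future
}

// NamingRedFlags reports which deceptive-naming patterns repoName shows.
func NamingRedFlags(repoName string, knownProducts []string, currentYear int) []string {
	var flags []string
	lower := strings.ToLower(repoName)
	for _, product := range knownProducts {
		if strings.Contains(lower, strings.ToLower(product)) && suffixRe.MatchString(repoName) {
			flags = append(flags, fmt.Sprintf("product %q combined with piracy/installer term", product))
			break
		}
	}
	for _, y := range FutureVersionYears(repoName, currentYear) {
		flags = append(flags, fmt.Sprintf("version year %d is in the future", y))
	}
	return flags
}

func main() {
	// Constructed sample following the pattern this page describes; 2025 is a placeholder "current year".
	for _, f := range NamingRedFlags("Bitdefender-Total-Security-Crack-2026", []string{"Bitdefender"}, 2025) {
		fmt.Println("red flag:", f)
	}
}
```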

## Security Analysis Workflow

### Step 1: Repository Investigation

```go
package main

import (
    "fmt"
    "strings"
)

// RepositoryAnalysis contains threat indicators
type RepositoryAnalysis struct {
    Name        string
    Description string
    Topics      []string
    HasReadme   bool
    StarRate    float64 // stars gained per day since creation (the unit assumed by the threshold below)
    ThreatScore int
}

// AnalyzeThreatLevel calculates risk score
func (r *RepositoryAnalysis) AnalyzeThreatLevel() int {
    score := 0
    
    // Check for crack/piracy keywords
    crackKeywords := []string{"crack", "keygen", "loader", "pre-activated", "license key"}
    for _, keyword := range crackKeywords {
        if strings.Contains(strings.ToLower(r.Description), keyword) {
            score += 20
        }
    }
    
    // Check for bypass/exploit topics
    dangerousTopics := []string{"defender-bypass", "thread-hijacking", "exploit-mitigation"}
    for _, topic := range r.Topics {
        for _, dangerous := range dangerousTopics {
            if topic == dangerous {
                score += 15
            }
        }
    }
    
    // High star rate with no content
    if r.StarRate > 3 && !r.HasReadme {
        score += 25
    }
    
    // No README is suspicious for "software" repo
    if !r.HasReadme {
        score += 20
    }
    
    // Cap at 100 so the value matches the "/100" scale printed by main
    if score > 100 {
        score = 100
    }
    r.ThreatScore = score
    return score
}

func main() {
    repo := RepositoryAnalysis{
        Name:        "Bitdefender-Total-Security-Crack-2026",
        Description: "Bitdefender Total Security Download | Crack | Keygen",
        Topics:      []string{"defender-bypass", "malware-scanner", "thread-hijacking"},
        HasReadme:   false,
        StarRate:    4.0,
    }
    
    threatScore := repo.AnalyzeThreatLevel()
    
    fmt.Printf("Repository: %s\n", repo.Name)
    fmt.Printf("Threat Score: %d/100\n", threatScore)
    
    if threatScore > 50 {
        fmt.Println("⚠️  HIGH RISK: Likely malware distribution")
    } else if threatScore > 30 {
        fmt.Println("⚠️  MEDIUM RISK: Suspicious patterns detected")
    } else {
        fmt.Println("✓ Low risk")
    }
}
```

### Step 2: Content Verification

```go
package main

import (
    "fmt"
    "os"
    "path/filepath"
)

// VerifyRepositoryContent checks for legitimate source code
func VerifyRepositoryContent(repoPath string) (bool, []string) {
    issues := []string{}
    hasSourceCode := false
    
    // Check for actual code files
    sourceExts := []string{".go", ".py", ".js", ".cpp", ".c"}
    
    err := filepath.Walk(repoPath, func(path string, info os.FileInfo, err error) error {
        if err != nil {
            return err
        }
        
        if !info.IsDir() {
            ext := filepath.Ext(path)
            for _, sourceExt := range sourceExts {
                if ext == sourceExt {
                    hasSourceCode = true
                    return nil
                }
            }
            
            // Check for suspicious executables
            if ext == ".exe" || ext == ".dll" || ext == ".bat" {
                issues = append(issues, fmt.Sprintf("Suspicious executable: %s", path))
            }
        }
        return nil
    })
    
    if err != nil {
        issues = append(issues, fmt.Sprintf("Error scanning: %v", err))
    }
    
    if !hasSourceCode {
        issues = append(issues, "No source code found - likely malware dropper")
    }
    
    return hasSourceCode, issues
}

// main makes the file runnable: go run main.go <path-to-repo-checkout>
func main() {
    if len(os.Args) != 2 {
        fmt.Println("usage: verify <path-to-repo-checkout>")
        os.Exit(2)
    }
    hasCode, issues := VerifyRepositoryContent(os.Args[1])
    fmt.Printf("Source code present: %v\n", hasCode)
    for _, issue := range issues {
        fmt.Println(" -", issue)
    }
}
```

## Protection Measures

### For Developers

**Never clone or run code from suspicious repositories:**

```bash
# DO NOT run these commands on suspicious repos:
# git clone <suspicious-repo>
# go run main.go
# ./setup.exe

# Instead, report the repository
```

### Reporting Malicious Repositories

1. **GitHub Security Advisory**:
   - Navigate to the repository
   - Click "Security" tab
   - Report as malware distribution

2. **Using GitHub API** (with proper authentication):

```go
package main

import (
    "encoding/json"
    "fmt"
)

type AbuseReport struct {
    URL     string `json:"url"`
    Reason  string `json:"reason"`
    Details string `json:"details"`
}

func ReportMaliciousRepository(repoURL string) error {
    // Use GitHub's abuse reporting
    // Requires authentication via GITHUB_TOKEN env var
    
    report := AbuseReport{
        URL:     repoURL,
        Reason:  "malware-distribution",
        Details: "Repository distributing malware disguised as cracked software",
    }
    
    jsonData, err := json.Marshal(report)
    if err != nil {
        return err
    }
    
    // This is a conceptual example - GitHub abuse reports go through web form
    fmt.Printf("Report prepared for: %s\n", repoURL)
    fmt.Printf("Report details: %s\n", string(jsonData))
    fmt.Println("Visit https://support.github.com/contact/report-abuse to submit")
    
    return nil
}
```

## Legitimate Security Software Verification

### How to Obtain Real Bitdefender

1. **Official Sources Only**:
   - https://www.bitdefender.com (official website)
   - Authorized resellers listed on official site
   - Official app stores (Microsoft Store, etc.)

2. **Verification Checklist**:
   - ✓ HTTPS on official domain
   - ✓ Valid code signing certificate
   - ✓ Checksum verification from official source
   - ✓ No "crack" or "keygen" mentions
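The "checksum verification" item is the one step of this checklist that is easy to get subtly wrong (reading the whole file into memory, or comparing against a digest copied from the download page itself). The following is an added example, not code from the original skill: it streams a file through SHA-256 and compares the result with a digest that the caller has copied from the vendor's official page; the "abc" sample file in `main` is constructed and its expected digest is the standard SHA-256 test vector.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"os"
)

// Added example (not part of the original skill): compares a downloaded
// installer's SHA-256 with the digest published on the vendor's official
// page. expectedHex must come from the official source, never from the
// page that served the download.
func VerifyChecksum(path, expectedHex string) (bool, error) {
	expected, err := hex.DecodeString(expectedHex)
	if err != nil || len(expected) != sha256.Size {
		return false, fmt.Errorf("published checksum is not a valid SHA-256 hex digest")
	}
	f, err := os.Open(path)
	if err != nil {
		return false, err
	}
	defer f.Close()
	h := sha256.New()
	// Stream the file through the hash so large installers are not loaded into memory
	if _, err := io.Copy(h, f); err != nil {
		return false, err
	}
	// Constant-time comparison is the conventional way to compare digests
	return subtle.ConstantTimeCompare(h.Sum(nil), expected) == 1, nil
}

func main() {
	// Constructed sample: a 3-byte "installer" containing "abc"; the expected
	// value is the standard SHA-256 test vector for that input.
	tmp, err := os.CreateTemp("", "sample-installer")
	if err != nil {
		panic(err)
	}
	defer os.Remove(tmp.Name())
	tmp.WriteString("abc")
	tmp.Close()
	ok, err := VerifyChecksum(tmp.Name(),
		"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
	fmt.Println("checksum matches:", ok, "error:", err)
}
```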

### Code Signing Verification (Windows)

```go
package main

import (
    "fmt"
    "os/exec"
    "strings"
)

// VerifyCodeSignature checks a Windows executable's Authenticode signature
func VerifyCodeSignature(filePath string) (bool, error) {
    // Double any single quotes so the path cannot break out of the
    // PowerShell single-quoted string literal
    safePath := strings.ReplaceAll(filePath, "'", "''")
    cmd := exec.Command("powershell", "-NoProfile", "-Command",
        fmt.Sprintf("(Get-AuthenticodeSignature -FilePath '%s').Status", safePath))
    
    output, err := cmd.CombinedOutput()
    if err != nil {
        return false, err
    }
    
    // PowerShell on Windows terminates the line with \r\n, so trim
    // instead of comparing against "Valid\n"
    status := strings.TrimSpace(string(output))
    isValid := status == "Valid"
    
    // "Valid" only means the chain verifies to a trusted root; also inspect
    // .SignerCertificate.Subject to confirm the expected publisher
    fmt.Printf("Signature status: %s\n", status)
    return isValid, nil
}
```

## Common Attack Vectors

### 1. **Fake Installers**
- Executable files disguised as setup programs
- Actually contain trojans, ransomware, or miners

### 2. **Information Stealers**
- Harvest browser credentials, cryptocurrency wallets
- Keyloggers and clipboard hijackers

### 3. **Ransomware**
- Encrypt user files and demand payment
- Often packaged with "cracks"

## Best Practices

1. **Never download cracked software** - always use legitimate sources
2. **Use official package managers** when available (apt, brew, winget)
3. **Verify checksums** from official sources
4. **Enable Windows Defender** or legitimate antivirus
5. **Keep software updated** through official channels
6. **Keep API keys in environment variables** (for example `$ANTIVIRUS_API_KEY`) when scripting legitimate security tools, rather than hard-coding them

## Educational Use Only

This skill is for **security research and education** to help identify and report malware distribution channels. Never use information to create or distribute malware.

## Resources

- GitHub Security: https://github.com/security
- Report Abuse: https://support.github.com/contact/report-abuse
- Bitdefender Official: https://www.bitdefender.com
- MITRE ATT&CK Framework: https://attack.mitre.org

Source: Creator's repository · aradotso/security-skills
