malware-distribution-awareness

Recognize and report malicious software distribution repositories masquerading as legitimate security tools

Skill file

Preview skill file↓↑

---
name: malware-distribution-awareness
description: Recognize and report malicious software distribution repositories masquerading as legitimate security tools
triggers:
  - analyze this security software repository
  - check if this antivirus download is legitimate
  - verify bitdefender crack repository
  - detect malware distribution on github
  - identify fake software crack sites
  - scan repository for malicious indicators
  - investigate suspicious security tool project
  - validate antivirus software authenticity
---

# Malware Distribution Awareness Skill

> Skill by [ara.so](https://ara.so) — Security Skills collection.

## ⚠️ CRITICAL SECURITY WARNING

This repository is **NOT** legitimate software. This is a **malware distribution operation** disguised as security software.

## Red Flags Identified

### 1. **Fraudulent Purpose**
- Claims to offer "cracked" or "pre-activated" commercial antivirus software
- Distributing paid software without authorization is illegal
- Legitimate security software is never distributed with "cracks" or "keygens"

### 2. **Malicious Indicators**
- **Topics include**: "defender-bypass", "thread-hijacking", "exploit-mitigation"
- These are malware techniques, not legitimate antivirus features
- No actual README or documentation
- Suspicious star velocity (3 stars/day, likely botted)

### 3. **Distribution Pattern**
- Uses official product names (Bitdefender) without authorization
- Promises "full version license key pre-activated"
- Targets Windows users (common malware vector)
- Zero forks despite stars (fake engagement)

## What This Actually Is

This is a **malware distribution repository** using SEO optimization and social engineering to:

1. Attract users searching for pirated antivirus software
2. Distribute trojans, ransomware, or cryptocurrency miners
3. Compromise systems while users believe they're installing security software
4. Steal credentials, financial data, or establish backdoors

## Safe Alternatives

### Get Legitimate Antivirus Software

```bash
# Windows Defender is built-in and free
# Update Windows Defender signatures
Update-MpSignature

# Scan system
Start-MSScan -ScanType QuickScan
```

### Official Bitdefender Sources

```text
Official website: https://www.bitdefender.com
Official trials: Available directly from Bitdefender
Student/nonprofit discounts: Available through official channels
```

### Free Legitimate Antivirus Options

- **Windows Defender** (built into Windows 10/11)
- **Bitdefender Free Edition** (official)
- **Avast Free Antivirus** (official)
- **AVG Free Antivirus** (official)

## Detection and Remediation

### If You've Downloaded Files From This Repository

```powershell
# Immediately disconnect from network
Disable-NetAdapter -Name "*"

# Run full system scan with Windows Defender
Start-MSScan -ScanType FullScan

# Check for suspicious processes
Get-Process | Where-Object {$_.Company -notlike "Microsoft*"} | 
    Select-Object Name, Path, Company

# Review startup items
Get-CimInstance Win32_StartupCommand | 
    Select-Object Name, Command, Location
```

### Check for Compromise Indicators

```powershell
# Review recent network connections
Get-NetTCPConnection | Where-Object State -eq "Established" |
    Select-Object LocalAddress, RemoteAddress, OwningProcess

# Check scheduled tasks created recently
Get-ScheduledTask | Where-Object {
    $_.Date -gt (Get-Date).AddDays(-7)
} | Select-Object TaskName, TaskPath, State

# Examine recent file modifications
Get-ChildItem C:\Windows\System32 -Recurse -ErrorAction SilentlyContinue |
    Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-1)} |
    Select-Object FullName, LastWriteTime
```

## Reporting Malware Distribution

### Report to GitHub

```bash
# Report the repository
# Navigate to: https://github.com/contact/report-abuse
# Select: "It contains malware or viruses"
# Provide repository URL
```

### Report to Bitdefender

```text
Email: piracy@bitdefender.com
Subject: Unauthorized distribution using Bitdefender brand
Include: Repository URL and description
```

### Report to Security Researchers

```bash
# URLhaus (malware URL reporting)
# https://urlhaus.abuse.ch/

# VirusTotal (if files are available)
# https://www.virustotal.com/
```

## Educating Users

### How to Identify Fake Software Repositories

1. **No legitimate software uses "crack", "keygen", or "pre-activated"**
2. **Check repository age vs. stars** (rapid artificial growth)
3. **Read the topics/tags** (malware techniques mixed with product names)
4. **No real code or documentation** (just download links)
5. **Zero community engagement** (no issues, discussions, or meaningful commits)

### Code to Validate Repository Legitimacy

```go
package main

import (
    "fmt"
    "strings"
)

type RepoAnalysis struct {
    Name        string
    Description string
    Topics      []string
    HasReadme   bool
    StarsPerDay float64
}

func AnalyzeRepositoryRisk(repo RepoAnalysis) string {
    redFlags := 0
    warnings := []string{}

    // Check for piracy keywords
    piracyKeywords := []string{"crack", "keygen", "pre-activated", "license key"}
    for _, keyword := range piracyKeywords {
        if strings.Contains(strings.ToLower(repo.Description), keyword) {
            redFlags++
            warnings = append(warnings, fmt.Sprintf("Piracy keyword detected: %s", keyword))
        }
    }

    // Check for malware technique topics
    malwareTopics := []string{"defender-bypass", "thread-hijacking", "exploit-mitigation"}
    for _, topic := range repo.Topics {
        for _, malTopic := range malwareTopics {
            if topic == malTopic {
                redFlags++
                warnings = append(warnings, fmt.Sprintf("Malware topic detected: %s", topic))
            }
        }
    }

    // Check for missing documentation
    if !repo.HasReadme {
        redFlags++
        warnings = append(warnings, "No README documentation")
    }

    // Check for suspicious star velocity
    if repo.StarsPerDay > 2 {
        redFlags++
        warnings = append(warnings, fmt.Sprintf("Suspicious star velocity: %.1f/day", repo.StarsPerDay))
    }

    if redFlags >= 3 {
        return fmt.Sprintf("🚨 HIGH RISK - Likely malware distribution\n%s", strings.Join(warnings, "\n"))
    } else if redFlags >= 1 {
        return fmt.Sprintf("⚠️  SUSPICIOUS - Exercise extreme caution\n%s", strings.Join(warnings, "\n"))
    }
    return "✅ No obvious red flags detected"
}
```

## Summary

**DO NOT USE THIS REPOSITORY.** It is a malware distribution operation designed to compromise systems while appearing to offer legitimate security software. Always obtain software from official sources, and never trust "cracked" or "pre-activated" versions of commercial software.

If you need antivirus protection, use built-in Windows Defender or obtain legitimate free/trial versions from official vendors.

Source

Creator's repository · aradotso/security-skills

View on GitHub ↗

Security

Security checks in progress

Results will appear here once audits complete

What this skill can do

Reads your filesConnects to the internetRuns code on your machine

Checked by 3 independent security firms

Does it try to trick the AI?Not yet checkedPending · Gen Agent Trust Hub

Does it sneak in hidden code?Not yet checkedPending · Socket

Does it have known bugs?Not yet checkedPending · Snyk