uBlockOrigin / uAssets

Resources for uBlock Origin, uMatrix: static filter lists, ready-to-use rulesets, etc.
GNU General Public License v3.0

getkmspico.com: Badware #24187

Closed ghost closed 3 months ago

ghost commented 3 months ago

Prerequisites

URL(s) where the issue occurs.

http://getkmspico.com/

Description

This website is a total nightmare. It is filled with malicious and phishing ads and pop-ups. Clicking anywhere results in a random malicious website appearing. I recommend blocking this domain entirely, as there are multiple associated malicious domains. Something might slip past uBO, potentially leading to users being scammed or worse.

Here are a few of the many malicious/phishing/adware domains it connects to:

download.artificusbrowser.com
poperblocker.com
ak.itponytaa.com
ad.install-adblockers.com
veepteero.com
rnofor4ht.top
ads.download-adblockers.com
file.fan
file.fan/38131da0f904a05
baldappetizingun.com
tracking.trackingrouter.com
app-rush.com
ak.oneegrou.net

Other extensions used

none

Screenshot(s)

Configuration

stephenhawk8054 commented 3 months ago

I can't reproduce the popup despite clicking many places on the page.

ghajini commented 3 months ago

There are no malicious ads on this site; it's just an activator, which I am pretty sure all AV software will block.

ghost commented 3 months ago

uBO does a good job of blocking popups, however, there is always a chance it could miss a future malicious ad or popup. Try visiting the website with uBO turned off, and you'll understand what I mean. Wouldn't it be better if this domain were blocked altogether? It's not a legitimate website anyway, and even the activator it offers is malware, as seen here: https://www.youtube.com/watch?v=mDyODRZq1GA

ghajini commented 3 months ago

Yeah, pretty sure every illegal software patcher is malware.

JobcenterTycoon commented 3 months ago

https://www.virustotal.com/gui/file/67547d29f8cb79697566a4446c617ffca59dc0bdc982afbf64cd7de189999098?nocache=1

Most AV vendors flag the download as a "HackTool", "Crack" or "AutoKMS", so it's not malware. Same for the downloads on many sites you reported in https://github.com/uBlockOrigin/uAssets/issues/24193

"I get popups with uBO off" is not a reason to hard block a site. If we started blocking sites for this reason, we would block half the internet...

"Maybe it will spread malware in the future" is not a reason to block a site.

ghost commented 3 months ago

Okay, I understand.

However, most of these websites distribute software that, after installation, contacts other malicious domains, downloads InfoStealers from them, and sends users' data without their knowledge.

They're (the websites I reported) sources of malware and offer no benefit to users, only harmful software. That's why I reported them.

JobcenterTycoon commented 3 months ago

(image attachment)

ghost commented 3 months ago

Interesting. From what I saw on one sample, it connects to rnofor4ht.top and mofor4ht.top for example.

Also, the downloaded file from kms-full.com obfuscates its files to avoid analysis, avoids being run in a VM and uses delayed execution, which is suspicious. VirusTotal

![image](https://github.com/uBlockOrigin/uAssets/assets/123986260/a253dfa9-b157-473c-8de4-925ad1f74648)

JobcenterTycoon commented 3 months ago

kms-full.com was already added 10 hours ago: https://github.com/uBlockOrigin/uAssets/commit/5dc64eed2e6876a9e9e34ba290522614c4a0f128

ghost commented 3 months ago

Anyways, I will test them analytically and report again if I find anything new and specific beyond what was already blocked earlier.