malware-detection-and-reporting

Identify, analyze, and report malicious software distribution repositories masquerading as legitimate security tools

---
name: malware-detection-and-reporting
description: Identify, analyze, and report malicious software distribution repositories masquerading as legitimate security tools
triggers:
  - how do I identify malware distribution repositories
  - detect fake antivirus crack sites
  - report malicious GitHub projects
  - analyze suspicious software distribution
  - identify piracy malware repositories
  - check if a project distributes malware
  - report fake security software
  - detect credential stealing repositories
---

# Malware Detection and Reporting

> Skill by [ara.so](https://ara.so) — Security Skills collection.

## Overview

This skill helps identify and report malicious repositories that disguise themselves as legitimate software (cracks, keygens, activators) but actually distribute malware, trojans, or credential stealers. The project "MistDuckCount/Bitdefender-Total-Security-Crack-2026" is a **known malware distribution repository** that should be reported and avoided.

## Warning Signs of Malicious Repositories

### Red Flags

1. **Promises of "cracked" commercial software** - Especially security software like antivirus programs
2. **Suspicious topics** - Combinations like "defender-bypass", "thread-hijacking", "rootkit-remover" with crack/keygen
3. **No actual code** - Repository lacks real implementation files or README
4. **Inflated stars** - Artificial engagement (e.g., "3 stars/day" pattern)
5. **Malicious file types** - .exe, .dll, .scr files without source code
6. **License "NOASSERTION"** - Avoiding legal liability
7. **Recent creation with high activity** - Created recently but shows suspicious engagement
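The keyword checks later in this skill cover flags 1 and 2; flags 3 through 7 are properties of the repository's metadata and file listing rather than its wording. The following is an added example, not code from the skill file or from the ara.so collection, that evaluates those structural flags. The `RepoMetadata` struct and its field names, the source/binary extension sets, and the 30-day / 10-star threshold for "recent with high activity" are assumptions of this example; the two sample repositories are constructed, not real data. The "3 stars/day" threshold is the one the list above names.

```go
package main

import (
	"fmt"
	"path"
	"strings"
	"time"
)

// RepoMetadata is the subset of repository metadata the structural checks
// need. The field names are this example's own (assumed), not GitHub API
// field names; a caller would map them from the API response.
type RepoMetadata struct {
	CreatedAt    time.Time
	Stars        int
	LicenseSPDX  string   // SPDX id as reported by the platform, e.g. "MIT" or "NOASSERTION"
	Files        []string // paths present in the default branch
	ReadmeLength int      // bytes of README, 0 if absent
}

// Extension sets are assumptions for this example.
var sourceExts = map[string]bool{".go": true, ".py": true, ".c": true, ".rs": true, ".js": true, ".ts": true, ".java": true, ".cs": true}
var binaryExts = map[string]bool{".exe": true, ".dll": true, ".scr": true}

// StructuralFlags evaluates the metadata-based red flags (no real code,
// binaries without source, inflated stars, NOASSERTION license, recent
// creation with high activity) as of `now` and returns the ones that fire.
func StructuralFlags(m RepoMetadata, now time.Time) []string {
	var flags []string

	hasSource, hasBinary := false, false
	for _, f := range m.Files {
		ext := strings.ToLower(path.Ext(f))
		hasSource = hasSource || sourceExts[ext]
		hasBinary = hasBinary || binaryExts[ext]
	}
	if !hasSource || m.ReadmeLength == 0 {
		flags = append(flags, "no_actual_code")
	}
	if hasBinary && !hasSource {
		flags = append(flags, "binaries_without_source")
	}

	// Stars per day of age; repositories younger than a day count as one day.
	ageDays := now.Sub(m.CreatedAt).Hours() / 24
	if ageDays < 1 {
		ageDays = 1
	}
	if float64(m.Stars)/ageDays >= 3 { // the "3 stars/day" pattern
		flags = append(flags, "inflated_stars")
	}
	if m.LicenseSPDX == "NOASSERTION" {
		flags = append(flags, "license_noassertion")
	}
	// Thresholds for "recent" (30 days) and "high activity" (10 stars) are assumptions.
	if ageDays <= 30 && m.Stars >= 10 {
		flags = append(flags, "recent_with_high_activity")
	}
	return flags
}

// SampleMalicious returns constructed metadata shaped like a crack repository
// (not real data): created 10 days before now, binaries only, no recognised license.
func SampleMalicious(now time.Time) RepoMetadata {
	return RepoMetadata{
		CreatedAt:    now.AddDate(0, 0, -10),
		Stars:        45,
		LicenseSPDX:  "NOASSERTION",
		Files:        []string{"README.md", "Setup.exe", "loader.dll"},
		ReadmeLength: 80,
	}
}

// SampleLegitimate returns constructed metadata shaped like an ordinary project.
func SampleLegitimate(now time.Time) RepoMetadata {
	return RepoMetadata{
		CreatedAt:    now.AddDate(0, 0, -800),
		Stars:        1200,
		LicenseSPDX:  "MIT",
		Files:        []string{"README.md", "LICENSE", "main.go", "internal/scan.go"},
		ReadmeLength: 2400,
	}
}

func main() {
	now := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("crack repo:", StructuralFlags(SampleMalicious(now), now))   // all five flags
	fmt.Println("normal repo:", StructuralFlags(SampleLegitimate(now), now)) // none
}
```

The star-rate check divides by age so that a year-old project with a thousand stars is not confused with a week-old one that gained forty; the other checks are independent, so a partial match (for example NOASSERTION alone) still surfaces as a single flag for a human to weigh.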

## Detection Methodology

```go
package main

import (
    "fmt"
    "strings"
)

// MalwareIndicators defines suspicious patterns found in a repository's
// description and topic list
type MalwareIndicators struct {
    SuspiciousTopics []string
    RedFlagKeywords  []string
    RiskScore        int // 0-100
}

// AnalyzeRepository checks for malware distribution patterns and returns
// a risk score on a 0-100 scale
func AnalyzeRepository(description, topics string) MalwareIndicators {
    indicators := MalwareIndicators{
        SuspiciousTopics: []string{},
        RedFlagKeywords:  []string{},
        RiskScore:        0,
    }

    // Normalise once so every comparison below is case-insensitive
    description = strings.ToLower(description)
    topics = strings.ToLower(topics)

    // Check for crack/keygen keywords
    crackKeywords := []string{
        "crack", "keygen", "loader", "pre-activated",
        "license key", "activation", "full version",
    }

    for _, keyword := range crackKeywords {
        if strings.Contains(description, keyword) {
            indicators.RedFlagKeywords = append(indicators.RedFlagKeywords, keyword)
            indicators.RiskScore += 15
        }
    }

    // Check for bypass/exploit topics ("rootkit" also matches "rootkit-remover")
    dangerousTopics := []string{
        "defender-bypass", "thread-hijacking", "rootkit",
        "exploit-mitigation",
    }

    for _, topic := range dangerousTopics {
        if strings.Contains(topics, topic) {
            indicators.SuspiciousTopics = append(indicators.SuspiciousTopics, topic)
            indicators.RiskScore += 20
        }
    }

    // Check for commercial security product names used as bait (counted once)
    for _, vendor := range []string{"bitdefender", "kaspersky", "norton"} {
        if strings.Contains(description, vendor) {
            indicators.RiskScore += 25
            break
        }
    }

    // Cap the score so it stays on the 0-100 scale reported to the user
    if indicators.RiskScore > 100 {
        indicators.RiskScore = 100
    }

    return indicators
}

func main() {
    description := "Bitdefender Total Security Crack License Key Pre-Activated"
    topics := "defender-bypass thread-hijacking rootkit-remover"

    result := AnalyzeRepository(description, topics)

    fmt.Printf("Risk Score: %d/100\n", result.RiskScore)
    fmt.Printf("Suspicious Topics: %v\n", result.SuspiciousTopics)
    fmt.Printf("Red Flag Keywords: %v\n", result.RedFlagKeywords)

    if result.RiskScore >= 50 {
        fmt.Println("⚠️  HIGH RISK - Likely malware distribution")
    }
}
```

## Reporting Malicious Repositories

### GitHub Reporting Process

```bash
# Report via GitHub web interface:
# 1. Navigate to the repository
# 2. Click "⚠️" or go to repository settings
# 3. Select "Report abuse" or "Report content"
# 4. Choose category: "Malware distribution" or "Phishing"

# Or use GitHub API to gather evidence
curl -H "Authorization: token ${GITHUB_TOKEN}" \
     https://api.github.com/repos/MistDuckCount/Bitdefender-Total-Security-Crack-2026
```

### Evidence Collection

```go
package main

import (
    "encoding/json"
    "fmt"
    "net/http"
    "os"
)

// RepoEvidence holds the metadata fields pulled from the GitHub repository
// endpoint. HasReadme and HasCode are not part of that response and must be
// filled in from a separate contents listing, so they are excluded from JSON.
type RepoEvidence struct {
    Name        string   `json:"name"`
    Description string   `json:"description"`
    Topics      []string `json:"topics"`
    StarsCount  int      `json:"stargazers_count"`
    CreatedAt   string   `json:"created_at"`
    HasReadme   bool     `json:"-"`
    HasCode     bool     `json:"-"`
}

// CollectEvidence fetches the repository metadata for owner/repo
func CollectEvidence(owner, repo string) (*RepoEvidence, error) {
    url := fmt.Sprintf("https://api.github.com/repos/%s/%s", owner, repo)

    client := &http.Client{}
    req, err := http.NewRequest("GET", url, nil)
    if err != nil {
        return nil, err
    }
    req.Header.Set("Accept", "application/vnd.github+json")

    // Use token from environment if available (raises the API rate limit)
    if token := os.Getenv("GITHUB_TOKEN"); token != "" {
        req.Header.Set("Authorization", "token "+token)
    }

    resp, err := client.Do(req)
    if err != nil {
        return nil, err
    }
    defer resp.Body.Close()

    // A 404 (already taken down) or 403 (rate limited) body would otherwise
    // decode into an empty struct without any error
    if resp.StatusCode != http.StatusOK {
        return nil, fmt.Errorf("GitHub API returned %s for %s", resp.Status, url)
    }

    var evidence RepoEvidence
    if err := json.NewDecoder(resp.Body).Decode(&evidence); err != nil {
        return nil, err
    }

    return &evidence, nil
}

// GenerateReport renders the collected evidence as a plain-text report
func GenerateReport(evidence *RepoEvidence) string {
    report := fmt.Sprintf(`
MALWARE DISTRIBUTION REPORT
===========================
Repository: %s
Description: %s
Topics: %v
Stars: %d
Created: %s

INDICATORS:
- Promises cracked commercial software
- Contains bypass/exploit topics
- No legitimate source code
- Artificial engagement pattern

RECOMMENDATION: Report and avoid
`, evidence.Name, evidence.Description, evidence.Topics,
        evidence.StarsCount, evidence.CreatedAt)

    return report
}

func main() {
    if len(os.Args) != 3 {
        fmt.Fprintln(os.Stderr, "usage: evidence <owner> <repo>")
        os.Exit(2)
    }
    evidence, err := CollectEvidence(os.Args[1], os.Args[2])
    if err != nil {
        fmt.Fprintln(os.Stderr, "error:", err)
        os.Exit(1)
    }
    fmt.Print(GenerateReport(evidence))
}
```

## Safe Alternatives

### Legitimate Security Software

```go
// Instead of cracked software, use legitimate alternatives:
package main

import "fmt"

// SafeSecurityTools maps a tool category to a free, legitimate option
var SafeSecurityTools = map[string]string{
    "antivirus_free": "Windows Defender (built-in)",
    "firewall":       "Built-in OS firewalls",
    "malware_scan":   "Malwarebytes Free",
    "monitoring":     "Process Explorer (Sysinternals)",
}

// RecommendAlternative returns a safe substitute for the requested tool category
func RecommendAlternative(requestedTool string) string {
    if alt, ok := SafeSecurityTools[requestedTool]; ok {
        return fmt.Sprintf("Use %s instead - it's free and safe", alt)
    }
    return "Use official trial versions or open-source alternatives"
}

func main() {
    fmt.Println(RecommendAlternative("antivirus_free"))
    fmt.Println(RecommendAlternative("password_manager"))
}
```

## Analysis Tools

### Repository Scanner

```go
package main

import (
    "regexp"
    "sort"
    "strings"
)

// ScanResult summarises the indicator matches over a description and README
type ScanResult struct {
    IsSuspicious bool
    Reasons      []string
    Confidence   float64 // 0.0 to 1.0
}

// ScanRepositoryContent runs the indicator patterns over both texts
func ScanRepositoryContent(description, readme string) ScanResult {
    result := ScanResult{
        IsSuspicious: false,
        Reasons:      []string{},
        Confidence:   0.0,
    }

    // Pattern matching for malicious indicators (case-insensitive via (?i))
    patterns := map[string]*regexp.Regexp{
        "crack_mention":   regexp.MustCompile(`(?i)(crack|keygen|patch|loader|activator)`),
        "bypass_mention":  regexp.MustCompile(`(?i)(bypass|disable|remove)\s+(defender|antivirus|firewall)`),
        "free_premium":    regexp.MustCompile(`(?i)(free|full version|premium)\s+(download|license)`),
        "suspicious_file": regexp.MustCompile(`(?i)\.(exe|dll|scr|bat|vbs|ps1)\s+download`),
    }

    matchCount := 0
    for reason, pattern := range patterns {
        if pattern.MatchString(description) || pattern.MatchString(readme) {
            result.Reasons = append(result.Reasons, reason)
            matchCount++
        }
    }
    // Map iteration order is random; sort so reports are reproducible
    sort.Strings(result.Reasons)

    if matchCount > 0 {
        result.IsSuspicious = true
        result.Confidence = float64(matchCount) / float64(len(patterns))
    }

    // Check for missing legitimate content; compare case-insensitively so
    // "License" and "LICENSE" headings count
    if len(readme) < 100 || !strings.Contains(strings.ToLower(readme), "license") {
        result.Reasons = append(result.Reasons, "insufficient_documentation")
        result.Confidence += 0.2
    }

    // Keep Confidence on the 0.0-1.0 scale after the documentation penalty
    if result.Confidence > 1.0 {
        result.Confidence = 1.0
    }

    return result
}
```

## Best Practices

### For Users

1. **Never download cracked security software** - It defeats the purpose
2. **Use official sources** - Download only from vendor websites
3. **Report suspicious repositories** - Help protect the community
4. **Verify authenticity** - Check developer history and code presence
5. **Use legitimate free alternatives** - Many exist for common tools

### For Repository Maintainers

```go
// Implement security checks in your CI/CD
package main

import (
    "fmt"
    "os"
    "path/filepath"
    "strings"
)

// ValidateRepository inspects the checkout at root and fails on the
// properties a malware distribution repository typically shows
func ValidateRepository(root string) error {
    sourceExt := map[string]bool{".go": true, ".py": true, ".js": true, ".c": true, ".rs": true}
    binaryExt := map[string]bool{".exe": true, ".dll": true, ".scr": true}
    var hasSource, hasBinary bool
    err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
        if err != nil || info.IsDir() {
            return err
        }
        ext := strings.ToLower(filepath.Ext(p))
        hasSource = hasSource || sourceExt[ext]
        hasBinary = hasBinary || binaryExt[ext]
        return nil
    })
    if err != nil {
        return err
    }

    readme, _ := os.ReadFile(filepath.Join(root, "README.md")) // empty if absent
    doc := strings.ToLower(string(readme))
    _, licenseErr := os.Stat(filepath.Join(root, "LICENSE"))

    checks := []struct {
        name string
        pass bool
    }{
        {"Has LICENSE file", licenseErr == nil},
        {"Has source code", hasSource},
        {"No executable binaries", !hasBinary},
        {"Has documentation", len(doc) > 0},
        {"No crack/keygen mentions", !strings.Contains(doc, "crack") && !strings.Contains(doc, "keygen")},
    }

    for _, check := range checks {
        if !check.pass {
            return fmt.Errorf("validation failed: %s", check.name)
        }
    }

    return nil
}
```

## Reporting Channels

- **GitHub**: Use repository "Report abuse" feature
- **Security vendors**: Report to Bitdefender, Microsoft, etc.
- **VirusTotal**: Submit suspicious URLs
- **Phishing databases**: Report to Anti-Phishing Working Group
- **Search engines**: Report phishing via Google Safe Browsing

## Conclusion

The "Bitdefender-Total-Security-Crack-2026" repository exhibits all hallmarks of a malware distribution operation. Always avoid cracked software, especially security tools, as they commonly contain trojans, ransomware, or credential stealers. Report such repositories to protect other users.

Source

Creator's repository · aradotso/security-skills
