Cat and mouse game
Again and again and again… That’s what comes to my mind every time I see a new variant of the Kavo family and, most recently, also the Hilot family. These malware samples are machine-generated, and their authors can produce a “completely new” set of samples from a simple change made to the generator itself. What’s the problem here? These changes are not random, as we earlier thought; they’re precisely targeted against the most popular AV engines.
Let’s describe it with the Hilot case. This malware family is detected algorithmically by our engine, and the detection can be called a generic detection (meaning it does not rely on a fixed signature or checksum). Once the authors noticed a higher detection rate of their binaries, they decided to change the generator. What surprised me was how tightly the change tracked our detection. As part of our detection process we have been checking some characteristics of a significant block inside the binary, and this block is at the centre of our cat and mouse game. The Hilot authors responded by shifting this significant block. That alone would not be that surprising, but they moved the block exactly far enough, and no further, to land just outside the range our checking routine inspected. The first time, I thought it might be a coincidence, and I added a check for the moved block as well. A few days afterwards, in new Hilot variants, the significant block had shifted again, and again only by the number of bytes needed to avoid our detection. This scenario has since repeated eight times (and I think it will never stop), and that can’t be a coincidence IMO. Sometimes I even think that the Hilot authors are continuously reversing our detection. It’s a precise approach, but if someone reads our detections, who’s the cat and who’s the mouse?
The logical conclusion for you is to always keep your AV and virus database up to date. No matter how efficient the heuristics and generic detections are, malware authors seem to be quite diligent when it comes to inventing new ways of tricking even the most proactive detections.
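The post describes a detection that inspects a block at a fixed place in the binary and a generator that shifts the block just past that place. The example below is added here and is not avast code: it contrasts a brittle fixed-window check with a position-independent scan over the whole buffer. The byte pattern and sample files are constructed stand-ins, not Hilot characteristics.

```python
import re

# Constructed stand-in for the "significant block": a short byte pattern with a
# four-byte wildcard. A real generic detection would characterise the block's
# structure rather than match a literal, but the offset problem is the same.
BLOCK_PATTERN = re.compile(rb"\x55\x8b\xec.{4}\xe8", re.DOTALL)

# Constructed layout: padding, then the block, then more padding.
BASE_OFFSET = 0x100
WINDOW_LEN = 16


def make_sample(shift: int) -> bytes:
    """Build a fake binary with the block placed at BASE_OFFSET + shift."""
    block = b"\x55\x8b\xec\x01\x02\x03\x04\xe8"
    return b"\x90" * (BASE_OFFSET + shift) + block + b"\x90" * 64


def fixed_window_detect(data: bytes, start: int = BASE_OFFSET,
                        length: int = WINDOW_LEN) -> bool:
    """Brittle check: only looks at bytes in [start, start + length).

    A generator that moves the block by `length` bytes or more slips past it,
    which is the behaviour the post describes.
    """
    return BLOCK_PATTERN.search(data, start, start + length) is not None


def block_offset(data: bytes) -> int:
    """Position-independent check: scan the whole buffer for the block.

    Returns the offset of the block, or -1 if it is absent. Shifting the block
    no longer helps, because no fixed window is assumed.
    """
    match = BLOCK_PATTERN.search(data)
    return match.start() if match else -1


def position_independent_detect(data: bytes) -> bool:
    return block_offset(data) != -1


if __name__ == "__main__":
    for shift in (0, WINDOW_LEN, 3 * WINDOW_LEN):
        sample = make_sample(shift)
        print(f"shift={shift:3d}  fixed-window={fixed_window_detect(sample)!s:5}  "
              f"whole-buffer={position_independent_detect(sample)!s:5}  "
              f"offset={block_offset(sample):#x}")
```

The fixed-window check goes blind as soon as the block moves out of its 16-byte range; the full scan still finds it and reports where it landed, at the cost of scanning more bytes per file.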
Hi Michal,
Whether Hilot attacks variant similar as like Kavo variants?
Or whether Hilot variant more advanced in attacking?
cheers,
yanto chiang
Well well this seems to be something that can pick you on your nerve
the forum says to press the back button and enter the CAPTCHA again if you forget to type it in, but at least on IE/Vista it doesn’t keep the message you had written, and you have to write it again
what I was trying to write before was that you could maybe have a random extra offset till where you check or something
@yanto chiang
Hilot is not a critical type of malware. Hilot seems to be a successor of Virtumonde.
thank u all @ avast for your service
Hi Avast staff, I would just love to say that I like surfing the internet since Avast is on my side; I do not worry about surfing the internet or reading email. One thing can always be sure: as long as avast keeps their avast free protection free for anyone to download, the internet will continue to be safer no matter what malware the bad guys throw at computers, or if a virus gets loose on the internet, avast will always update the defs to block or destroy the virus all the time.
Keep up the hard work, avast staff. I am proud of your work and how easy your avast free edition is to work with and use.
talk to you later.
good
good service, avast
I recently suspected that I have a malware virus in C:\WINDOWS\System32\svchost.exe, as this consumes a large amount of my available memory, approx. 80,000 K. I began to experience annoying full screen pop-ups as well. This morning my Avast has detected four attacks from svchost.exe, but I could not locate this file in my directory, so I ran a scan for C:\WINDOWS but nothing was found. The object is 213.174.149.103/td?aid=A91469&said=20195&q= which is a URL:Mal. My question is, how can I get rid of/stop these attacks?
Hi there,
I’m frequently getting unnecessary CHKDSK runs at startup (Win 7 x64), and I believe it could be caused by avast! somehow (as per the information on this thread: http://superuser.com/questions/106201/chkdsk-at-boot-time-on-windows-7-without-a-reason )
Drivers are ruled out because I’ve been running pretty much the same drivers for a very long time (except for Catalyst), and this problem has only recently started.
Sorry for posting this here, I just couldn’t find a better place to do so.
A little off topic but I would like to see more posts like this one from the developers on this blog. The last blog was quite a long time ago.
Hi Derek,
You may visit to : hxxp://forum.avast.com/index.php?board=4.0
At this forum, you will be assisted by a virus or malware fighter.
cheers,
yanto chiang
Help! I don’t know where else to ask this. I have the free edition and it says it “cannot connect to server” for virus definition updates. What can I do?
hi
@Derek
look in c:\documents and settings\yourname\local settings\temp (XP)
there are fake svchosts now. No .exe or dll should run from here.
I need antivirous file
Avast, can you please develop avast 4.8? I’m still using it and I found out that 4.8 is better than 5.
Anyone? Can you help me or give me some tips to remove Win32 Malware gen? Please help me!!!
@George Birbilis Why are you using IE?!? (Or Vista for that matter but that I can understand more)
@John
You may have a virus blocking access to the avast servers… use the boot time scan option (if on x86/32 bit) or reinstall windows!
The Allied and the enemy submarine played a game of cat and mouse, checking up on each other’s whereabouts and supposed strategic plans.
The hackers played a cat and mouse game with the computer’s system administrators: the hackers kept trying new tricks, and the system administrators kept mounting electronic defenses to prevent damage and catch the hackers.
Thanks Avast, I’ve been using it since version 3.0. Before that I got malware and other stuff on my computer; not anymore.