

September 13th, 2011

Three strikes and you’re out

Don’t worry, this article is not about baseball, which I find boring (though reading sporadic gossip from the Virus Lab might be boring as well). We are talking about “unwise” people here. Frankly, I would like to use a harder adjective (unwise is a real euphemism), but it’s up to you to give them a proper name :-). So let me show you the chain of events that resulted in these strikes, and let you make your own decision.

FP submissions

It all started when three avast! users had a virus alert on their computers and sent us the offending binaries with a protest note: These can’t possibly be malicious!

We know that each of the three submitted samples shown above differs from the original binaries distributed through the legitimate vendor site(s). Clearly the users obtained these particular setups somewhere else. Why on earth would someone download freeware from a grey-zone or even an outright illegal site? The fishy source triggers the first one: Strike One!

Just for the record: when we look at the binaries, not one of them is properly signed. All the setups are wrapped in a UPX layer and carry a password-protected zip archive with the original content appended to the end of the stub (as an overlay). We can, of course, unpack the stub from UPX and look deeper inside. In fact, a short look at the original entry point is enough here: there is zero-byte padding followed by regular code (a well-known trick from the LockScreen and Zbot malware families), and the first referenced API is advapi32.dll->GetCurrentHwProfileW, which is quite unusual for an installer. All in all, this is suspicious as hell.
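The static checks above can be scripted. What follows is an added example, written for this page and not avast!’s own tooling: a small standard-library PE parser that reports the indicators the paragraph describes, namely an empty Authenticode (security) directory, UPX section names, an overlay past the last section, a zip local file header in that overlay with the encryption bit set, and a run of zero bytes at the entry point. The sample PE it builds is constructed in-line for demonstration and is not a real installer. In practice you would run it once on the setup as downloaded (signature, packer, overlay) and again on the output of `upx -d` (zero padding at the original entry point). Caveats: a non-empty security directory only means a signature blob is present, so verify it with `signtool verify /pa` or `osslsigncode verify`; the first-imported-API check from the post needs import parsing or a disassembler and is left out here.

```python
# Added example: static triage for the indicators in the post (not avast!'s code).
# The sample PE in build_sample() is synthetic, constructed only for testing.
import struct
import sys
from dataclasses import dataclass


@dataclass
class Triage:
    has_authenticode_dir: bool     # security data directory non-empty (blob present, NOT verified)
    upx_sections: list             # section names starting with "UPX"
    overlay_size: int              # bytes past the last section's raw data
    encrypted_zip_in_overlay: bool
    leading_zero_bytes_at_ep: int


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def triage_pe(data: bytes) -> Triage:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsec = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)
    opt = coff + 20
    magic = _u16(data, opt)                      # 0x10B = PE32, 0x20B = PE32+
    entry_rva = _u32(data, opt + 16)
    # IMAGE_DIRECTORY_ENTRY_SECURITY is data directory #4; the directory table
    # starts at +96 (PE32) or +112 (PE32+). Its "address" is a raw file offset.
    dd_base = 96 if magic == 0x10B else 112
    sec_entry = opt + dd_base + 4 * 8
    sec_dir_size = _u32(data, sec_entry + 4) if opt_size >= dd_base + 5 * 8 else 0

    sect_table = opt + opt_size
    sections = []
    for i in range(nsec):
        s = sect_table + 40 * i
        name = data[s:s + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((name, vsize, va, rawsize, rawptr))

    # Anything past the last section's raw data is overlay: where a wrapper
    # stub keeps its payload (and where Authenticode signatures live, too).
    end_of_image = max((p + r for _, _, _, r, p in sections), default=sect_table + 40 * nsec)
    overlay = data[end_of_image:]

    # Zip local file header "PK\x03\x04": general-purpose flags at +6, bit 0 = encrypted.
    encrypted = False
    idx = overlay.find(b"PK\x03\x04")
    while idx != -1:
        if len(overlay) >= idx + 8 and _u16(overlay, idx + 6) & 1:
            encrypted = True
            break
        idx = overlay.find(b"PK\x03\x04", idx + 1)

    # Map the entry-point RVA to a file offset and count leading zero bytes.
    zeros = 0
    for _, _, va, rawsize, rawptr in sections:
        if va <= entry_rva < va + rawsize:
            off = rawptr + (entry_rva - va)
            while off + zeros < len(data) and data[off + zeros] == 0:
                zeros += 1
            break

    return Triage(
        has_authenticode_dir=sec_dir_size != 0,
        upx_sections=[n for n, *_ in sections if n.upper().startswith("UPX")],
        overlay_size=len(overlay),
        encrypted_zip_in_overlay=encrypted,
        leading_zero_bytes_at_ep=zeros,
    )


def indicators(t: Triage) -> list:
    """Human-readable list of the post's red flags that fired."""
    hits = []
    if not t.has_authenticode_dir:
        hits.append("no Authenticode signature blob")
    if t.upx_sections:
        hits.append("UPX-packed (%s)" % ",".join(t.upx_sections))
    if t.encrypted_zip_in_overlay:
        hits.append("password-protected zip in overlay (%d bytes)" % t.overlay_size)
    if t.leading_zero_bytes_at_ep:
        hits.append("%d zero bytes at entry point" % t.leading_zero_bytes_at_ep)
    return hits


def build_sample(upx=True, encrypted_zip=True, ep_zero_padding=4, signed=False) -> bytes:
    """Construct a minimal synthetic PE32 (two sections + overlay); not a real program."""
    opt_size, nsec = 224, 2
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x600, 0x800)   # security dir: offset, size
    names = (b"UPX0", b"UPX1") if upx else (b".text", b".rsrc")
    sects = b"".join(
        struct.pack("<8sIIIIIIHHI", n, 0x1000, 0x1000 * (i + 1), 0x200, 0x200 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(names))
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sects).ljust(0x200, b"\0")
    code = (b"\0" * ep_zero_padding + b"\x55\x8b\xec\xc3").ljust(0x200, b"\xcc")  # push ebp; mov ebp,esp; ret
    rsrc = b"\xcc" * 0x200
    flags = 1 if encrypted_zip else 0
    zip_hdr = b"PK\x03\x04" + struct.pack("<HH", 20, flags) + b"\0" * 22 + b"payload"
    return headers + code + rsrc + zip_hdr


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample()
    for hit in indicators(triage_pe(blob)):
        print("[!]", hit)
```

Run it with a file path to triage a real binary, or with no argument to see the four red flags fire on the synthetic sample. None of these indicators is conclusive on its own (plenty of legitimate freeware is UPX-packed and unsigned); it is the combination, plus the non-vendor download source, that justifies the detection the post defends.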

But the users who sent us these samples don’t trust their antivirus solution. C’mon, we’re doing our best to protect you and you don’t believe us? Strike Two!

Furthermore, they want us to remove our detection of it. Gosh, someone who downloads fishy binaries from fishy sources wants to be smarter than our detection. But, you know, we’re quite conceited – Strike Three, Strikeout! You’re outta here :-D

What do you think? Does a user deserve the “gift” inside such a setup (whatever it does) if he downloads suspicious binaries from suspicious sources and ignores warnings from his AV? It’s your turn, you be the umpire.

BTW: all the samples from this group/family were in Russian, and the majority of them were related to Lovivkontakte (probably quite popular in Russia), but there were also such setups for Skype and WinRAR.

VT results: http://www.virustotal.com/file-scan/report.html?id=ac19d64b3249c8688d581eccfcb7e7baa96b8190e188dc1f6069fb0346588c11-1315915470

  • heh

    I always have a laugh when I read somewhere: this is 100% legit, you might be experiencing AV false positives, the solution is to turn the AV off ;o)

    Anyway, did you tell those three guys that they were wrong?

  • http://www.rejzor.tk RejZoR

    I’ve seen too many times where users were disabling the antivirus because it’s showing those annoying warnings and erasing the files when they want to download them. It’s like users wanting to disable the airbag in a car because it might smear your makeup in the event of a car crash. WTF!?

  • http://www.avast.com Michal Krejdl

    @heh
    Yes, I did – through this article :-). The submission is anonymous, thus there’s no other way to contact these users (and it would only waste our time imho).

  • http://intelliginixconsulting.info Intelliginix

    I get tired of people who think they know things that they don’t know. I tell my users if you don’t do things a certain way, and you bypass your virus protection YOU GET WHAT YOU GET!

  • http://spgscott.wordpress.com spg SCOTT

    What do you think? Does a user deserve the “gift” inside such a setup (whatever it does) if he downloads suspicious binaries from suspicious sources and ignores warnings from his AV? It’s your turn, you be the umpire.

    Hmmm… Not sure where I stand on that one… maybe closer to yes… let’s say I am not overly sympathetic.

    Another side of it, is that one subtle purpose of an antivirus is to educate the common user of the perils of things like this, and teach them to trust their AV. (Or better yet, question everything, good or bad)

    You see this a lot on the forum, especially with hacked sites, where a user comes in and says that their site is clean and that no other AV alerts…turns out that there is some script added to the end of the page that points god knows where.

    Said user comes to the forum confused/angry/worried, leaves educated and understands that all is not always as it appears and that in fact their AV can be correct. Thanks to a detection.

    My personal preference is to confirm/disprove the detection by investigating myself, rather than
    a) put my fingers in my ear and sing out loud, ignoring everything my AV tells me.
    b) unquestionably believe everything that my AV tells me.

    In some sense maybe that is what the users in the example here are doing (here’s hoping that they are in fact naive computer users that don’t know otherwise…)

    Scott

  • ZEIGHY

    hahaha, I’ve downloaded a lot of stuff and never have I had the need to turn Avast off… EVER. I trust it. When it says it’s bad, I know it is.

    This “It might be false positive, turn your AV off” idea came from users of that big AV that always marks pirated software as a virus… and some other kinds of files. Which are legit, and safe.

    And just like Scott said, I would investigate it myself to see if either a) my AV is wrong, or that b) it is right. Which is why I have Virtual Machines, to try them out and see if it is a virus or not. But then again, not all viruses are immediate, some hide and only go out after a while.

    Anyway, to be safe, NEVER download something from an external website unless the main website actually linked to it. For example, Skype offers their latest version up on their site for free at no cost. Why would you download it elsewhere? Meanwhile Avast links to download.com (by Cnet) to provide the download to users, which is totally legit since it’s an official download from the official people.

    Downloading elsewhere is just plain dumb.

  • grinch

    I don’t know how and where they do it, but they deserve it; also it would be better if in cases like this their own AV would tell them “yeah, go ahead and do it, we trust your skills!” They’d better give up using the internet, and the PC also.

  • dartigen

    I don’t turn Avast off, ever. Not even when I was once told to by tech support (because what the hell kind of antivirus would mess with my DNS settings anyway?).

    Usually, if I know what I’m downloading is good, I’ll just stop it from alerting on that particular program. It’s gone off with a couple of save editors and other game utilities before, probably because they came from forums and were hosted on various free hosting sites, which Avast would probably flag as suspicious just on principle.

    If I’m not sure about it, sandbox is there for a reason. Avast’s coders didn’t just stick it in for the fun of it.

    If people turn off their antiviruses because ‘oh, it’s annoying me’ then they deserve the consequences. Warning dialogues don’t just pop up for no reason. As for false-positives, I prefer to trust my own judgement rather than that of others. And as I said, the sandbox is there for a reason.

  • Jon

    In reply to the ’3 strikes and out’, I’ve downloaded from numerous websites and never had a problem. I’m not what you would call an “advanced user”, but I do have the common sense to check things out even if AV says NO! Then I will preside over the 2 outcomes and make my own decision, with the prominence of adhering to AV.

    Therefore AV is a fantastic machine that keeps your comp’ running smooth as silk, hence you wouldn’t have installed it in the first place!!!

    Plus It gets updated at least once or twice daily, hence this is one of the best, if not the best machine available on the net’. Currently in the top ten at position 1 or 2.
    Therefore trust it, and don’t make silly complaints for something you did yourself. COMMON SENSE should prevail after all!!!!

  • S.V.R.S.n. Shashank

    Of Course! I always believe my antivirus and if not for that why on earth do I have one running in my laptop all the time….

    Also the article is very excellent, which educated me how disguised the downloads can be (in spite of bearing reliable titles). Thank you very much Michal Krejdl….

  • S.V.R.S.n. Shashank

    spg SCOTT :

    What do you think? Does a user deserve the “gift” inside such a setup (whatever it does) if he downloads suspicious binaries from suspicious sources and ignores warnings from his AV? It’s your turn, you be the umpire.

    Hmmm… Not sure where I stand on that one… maybe closer to yes… let’s say I am not overly sympathetic.
    Another side of it, is that one subtle purpose of an antivirus is to educate the common user of the perils of things like this, and teach them to trust their AV. (Or better yet, question everything, good or bad)
    You see this a lot on the forum, especially with hacked sites, where a user comes in and says that their site is clean and that no other AV alerts…turns out that there is some script added to the end of the page that points god knows where.
    Said user comes to the forum confused/angry/worried, leaves educated and understands that all is not always as it appears and that in fact their AV can be correct. Thanks to a detection.
    My personal preference is to confirm/disprove the detection by investigating myself, rather than
    a) put my fingers in my ear and sing out loud, ignoring everything my AV tells me.
    b) unquestionably believe everything that my AV tells me.
    In some sense maybe that is what the users in the example here are doing (here’s hoping that they are in fact naive computer users that don’t know otherwise…)
    Scott

    Mr Scott, as a Computer science student I would like to know your method of confirming whether a detection of infection is true or not. Please reply asap…

  • http://spgscott.wordpress.com spg SCOTT

    @S.V.R.S.n. Shashank

    Well, generally…

    -First step, is to actually look at the information of the file that is given in the detection (location, filename etc.) I feel that this is often overlooked somewhat.
    -I check the source of the file (i.e. where did the file come from, did I download it from the real website?)
    -I send it to VirusTotal, to see whether the others agree/disagree
    -I google it, to see whether it appears elsewhere
    –Other computer forums usually have some info – though, as always, it may not be the most reliable source of info.
    –Also, a file with almost no hits is also significant… i.e. very new, and more likely to be questionable.
    -I may post in the avast forum, to get more opinions.

    At the end of it, if I am still not sure, I will more than likely give my av the benefit of the doubt that it was right and the detection was good.

    Scott

  • shre54321

    Heh! of course no avast! user deserves such a infection….+1 for that….nice article!

    Go avast! go!!!

  • Philip

    Please don’t do this “gotten.” It is got. You either have or you have not got. There is no such word as gotten; it serves no purpose. Got, have got, got, please put got!

  • Mandy

    I was at a local Currys today and I mentioned to a young assistant that I was using Avast! He told me it was a load of rubbish and it didn’t update daily! He then tried to sell me Norton for £25; I’ve had that, it eats all your memory! I told him straight that Avast updates at least twice a day! It is true the clever ones don’t know what they’re on about!

  • dictionary_user
  • jp

    UNDETECTED VIRUS

    Avast is on this computer and normally works very well.

    About a year ago I opened a Google search cache. I didn’t want to open the search result page itself, because I didn’t trust the website Angelfire, the source of the page; I think I received viruses from Angelfire before. So I thought Google would not cache a page with a virus and put it on a search result. I further thought, since I only wanted text, I would cut and paste the text into WordPad.

    Immediately when I pasted the text into WordPad, the document acted as if the backspace key was pressed and began deleting letters backwards from the end of the text line to the beginning, and then from the end of the next text line, etc. That was the beginning of a long story of deletes and backspaces and other random keypress mimics.

    Avast and Avira both did not report a virus. I turned them both on and off, letting each one scan completely alone (I usually only have Avast on, but I wanted to check with Avira). Both negative, no virus reported.

    I took the computer to two separate repair stores; they found nothing. One reformatted the hard drive, but then put a lot of files back on; the keypress mimic continued. The delete key doesn’t work at all (I can only delete with the mouse or Ctrl/D).

    After many months of the keypress mimic changing to different types of keypress, the mimic stopped for a few weeks, went back on, stopped, then back on, etc., and right now it hasn’t activated for a few months.

    On another computer I saw a similar keypress mimic that also disabled the delete key.

    Has anybody seen similar things? Is it a type of virus not detected by the AV? I would send a file, but it was a cut and paste of text; the cache page was from a Google search. The computer runs Windows 7.

    Thanks

  • Craig Stock

    When Avast says “RED ALERT” I get out with no questions.