Archive for May, 2013
May 31st, 2013

Facebook profiles are cloned

A low-tech type of identity theft is threatening Facebook users in South Africa. Facebook “cloning” has been around for years, but has had a revival this past week. We learned about it in a personal way – the brother of an Avast colleague, Richard B. from South Africa, had his profile cloned and notified Richard.

facebook clone warning

 

The way it works is that a cybercrook copies the victim’s profile photos, then uses them to create fake accounts. Then, using the victim’s details, friendship requests are sent to the victim’s friends. The clue that something fishy is happening is receiving a request from someone you thought you had already ‘friended’. One Facebook user explained in an article on ENCA.com that he received a friendship request from his sister while she was sitting next to him.

Cloned accounts can be used to send spam messages, initiate scams, and possibly steal personal information that could be used for more serious identity theft. In the recent cases, there are reports that once the request has been accepted, the scammer starts soliciting money from ‘friends’.

It can also be used for social media sabotage. An experiment conducted in 2011 showed that the implications of this type of social engineering range from mere trickery to damaging reputations. Through the ‘trusted friends’ password recovery feature, it is possible for someone to reset your password and gain access to your account.

Check privacy settings and be cautious about who you friend and what you share. This video explains about the recent attacks and how to avoid your profile being cloned.

edit: changed image

May 29th, 2013

Twitter introduces a new security feature: login verification

Users of social networks save and share huge amounts of data and so become a favorite target of attacks. Therefore we at AVAST Software educate you about online security and how to protect your privacy on social media. Check out a new security feature recently introduced by Twitter.

With a growing number of new users and an increasing number of logins, Twitter decided to introduce a new feature. Login verification is an additional security layer that protects accounts against email phishing schemes as well as password breaches.

How does it work?

Read more…

May 29th, 2013

Analysis of a self-debugging Sirefef cryptor

Recently I wrote a blog post about a legitimate website spreading Sirefef malware. Then I continued with a deeper analysis and noticed that it uses an interesting cryptor.

Malware authors spread many new variants of malware every day. These variants often look completely different at first glance. That’s why regular updates of your antivirus are important. However, when we look deeper into most malware spreading these days, we see that the core functions do not change very often. Most of the variability of today’s malware is caused by encapsulating it with so-called “cryptors.”

In most cases, these cryptors are pretty boring pieces of software. They take seemingly random data from the malicious file, reshuffle it so that the bytes become executable code, and then execute it. However, the authors of Sirefef malware often come up with more interesting methods of loading their programs, and we will look at their method in this blog post.

Now, let’s get to Sirefef. Soon after it is executed, we can see the following scheme.

Read more…

Categories: analyses, Virus Lab
May 28th, 2013

5 questions with Marcus Taveira, our Brazilian support specialist

We are excited to share news with you. Our social media team has added additional, professional support. Marcus Taveira, our Latino sunshine, joins Peter Bucek to help our community by responding to technical and customer care enquiries on Facebook and Twitter. Marcus responds in Portuguese and English. We are pleased to welcome Marcus to our social media team and introduce him to YOU.

Marcus joined AVAST in 2010. He is smiling, enthusiastic, full of energy and ideas, and willing to help, making him a favorite colleague on the support team. Always ready to jump into a new project, Marcus is a very creative and cheerful person. Marcus is not only a professional member of AVAST’s technical support team, but also a talented musician. You simply CAN’T miss him. Welcome to our team, Marcus! :) Read more…

May 24th, 2013

avast! Be Free photo entries

The avast! Be Free photo contest has been active for over a week now, and we have received thousands of photos. We asked you to interpret what our slogan Be Free means to you. Here are some of the photos that we think do a good job. Look through the gallery and vote for your favorites.

Photos from the gallery, with their captions:

  • Be Free to be creative
  • Be Free to have fun
  • Be Free to explore
  • Be Free to love
  • Be Free to enjoy simple things
  • Be Free to draw
  • Be Free to dare

Enter your photo via the Facebook app, or simply tag it #avastBeFree and enter it via Instagram or Twitter. The image will appear in the Facebook Gallery where you can vote. Invite your friends to vote too. The last day to enter is Wednesday, May 29th. The last day to vote is Monday, June 3rd.

May 23rd, 2013

How do I protect my online accounts from being hacked?

Question of the week: First it was Facebook, then Living Social, then LinkedIn, now Twitter accounts have been hacked. How can I keep my business and personal accounts from being hacked, if the big boys can’t even protect theirs?

You are right. It seems like every week we hear about another major website or an account on a social network being hacked into. Your concern is genuine, because once hackers get in they can not only gain control of your account, but they can also get your email address, passwords, and even get access to your bank account.

There are some steps you can take.

Read more…

May 22nd, 2013

Grum lives!

Grum, one of the largest spamming botnets, suspected to be responsible for over 17% of worldwide spam (as described here) and “killed” in July 2012, still lives. We have been tracking its activity since January 2013. We can confirm SpiderLabs’ doubts about the Grum killing published in March 2013. The following article provides some details about the Grum activity we have registered.

We have seen Grum activity on the following sites:

  • servercafe.ru
  • hub.werbeayre.com
  • sec.newcontrrnd.com
  • sec.convertgame.com

Every bot client generates its own identification number (ID) on its first run. The ID is 32 characters long: the first three correspond to the bot version and the remaining 29 are randomly generated. The ID is also stored in the HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\BITS\ID registry key, which is queried on every run.

 Black Energy bot id schema

 

After the bot sets its ID, it tries to connect to a C&C server.

1) The bot contacts the C&C server with an HTTP GET request to obtain the FQDN of the client’s computer:

http://%server/spm/s_get_host.php?ver=%botVer

2) That information is used to contact one of the SMTP servers obtained from the DNS MX records of the following domains, which are used for sending spam:

  • hotmail.com
  • yahoo.com
  • aol.com
  • google.com
  • mail.com
  • mail.ru
  • yandex.ru

3) Then the C&C server is contacted with the following request:

http://%s/spm/s_alive.php?id=%botID&ticks=%u&ver=%botVersion&smtp=%s&sl=%d&fw=%d&pn=%d&psr=

The smtp variable is set to ‘ok’ when the bot successfully contacts one of the SMTP servers and set to ‘bad’ if it does not.

4) The C&C server answers with a message that looks like typical Base64 output.

For example:

Xu6hQoZL5+9/Hva9N3F3A2+gwPdLuk28BPA5Alm1IOS9MWvCLGp9r/UEqHksCNo4djEmA8SBk/tPRNvg1wc1rjZnwToThUorVw7kdU/h53sgoszvg0OX06MFQvEOxLqF7P4PQ+s=

In fact the message is encrypted with the RC4 algorithm, using the bot’s ID as the key, and the result is then Base64-encoded.

Grum bot low level Base64

parts of low level BASE-64 decoding

Grum bot low level RC4

low level decryption part of RC4

 

The whole decryption algorithm written in C# could look like this:

Grum decrypt

The bot ID for the message above is 72176717204370682282907051332175.
After decryption we can see the message:

http://84.200.70.131:9091/spm/s_task.php?id=72176717204370682282907051332175&tid=61853
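The decryption described above, written out as an added example in Python rather than the C# the post shows in its screenshot (this is not the post’s or Avast’s code): Base64-decode the C&C reply, then RC4-decrypt it with the bot ID as the key. It assumes, which the post does not spell out, that the key is the ASCII characters of the ID. The round trip and the RC4 test vector are constructed checks; the post’s own message and ID are also decoded and printed for inspection, without asserting what comes out.

```python
import base64


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA): permute the state with the key bytes
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA), XORed onto the data
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_cc_message(bot_id: str, message: str) -> bytes:
    """Reverse the scheme the post describes: Base64 decode, then RC4 with the bot ID.

    Assumption (not stated in the post): the RC4 key is the ID's ASCII characters.
    validate=True rejects replies that are not clean Base64 instead of silently
    dropping characters.
    """
    raw = base64.b64decode(message, validate=True)
    return rc4_crypt(bot_id.encode("ascii"), raw)


def encrypt_cc_message(bot_id: str, plaintext: bytes) -> str:
    """Forward direction, used here only for a constructed round-trip check."""
    return base64.b64encode(rc4_crypt(bot_id.encode("ascii"), plaintext)).decode("ascii")


def decode_printable(data: bytes) -> str:
    """Render decrypted bytes for inspection, replacing anything that is not UTF-8."""
    return data.decode("utf-8", errors="replace")


# Values quoted from the post: its example C&C reply and the bot ID it names.
POST_BOT_ID = "72176717204370682282907051332175"
POST_MESSAGE = (
    "Xu6hQoZL5+9/Hva9N3F3A2+gwPdLuk28BPA5Alm1IOS9MWvCLGp9r/UEqHksCNo4"
    "djEmA8SBk/tPRNvg1wc1rjZnwToThUorVw7kdU/h53sgoszvg0OX06MFQvEOxLqF7P4PQ+s="
)

if __name__ == "__main__":
    # Constructed round trip with an ID shaped like the post describes
    # (3-character version prefix, 29 further characters).
    demo_id = "721" + "0" * 29
    demo_plain = b"http://cc.example.invalid/spm/s_task.php?id=" + demo_id.encode() + b"&tid=1"
    assert decrypt_cc_message(demo_id, encrypt_cc_message(demo_id, demo_plain)) == demo_plain
    # The post's sample, printed for inspection only.
    print(decode_printable(decrypt_cc_message(POST_BOT_ID, POST_MESSAGE)))
```

Because RC4 is a stream cipher, a reply that fails to decrypt to readable text usually means the wrong ID was used as the key; the ID in the `s_alive.php` request that preceded the reply is the one to try.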

5) The bot remembers the ot variable and sends the HTTP task request without the ot variable.

http://84.200.70.131:9091/spm/s_task.php?id=72176717204370682282907051332175&tid=61853

6) The C&C answers with spamming instructions, including a spam mail template, which are also encrypted using the scheme described above.

The interesting thing is that the spam sent is similar to a scam described on our blog in the past.

 

Finally, we provide a screenshot of the encrypted instructions, a spam email, and an example of decrypted instructions.

 

Spam

example of sent spam

encrypted spam instructions

 

 

<info>
taskid=61853
realip=x.x.x.x
dns=8.8.8.8
hostname=y
heloname=y
maxthread=25
from=usypc@ozucfx.net

type=0
try_tls=0
use_psr=0
use_dnsapi=1
try_mx_num=1
use_ehlo=1
</info>
<emails>
nadialee@hanmail.net
nadialee@hellokitty.com

nadialeitao@zipmail.com.br
nadia_leonita@yahoo.co.id
</emails>
<ac_list>
</ac_list>
<text>
Received: by work.ozucfx.net (Postfix, from userid %W_RND_INT[3])
id E%W_RND_INT[2]CE%W_RND_INT[5]E; %DATE
From: Work at Home <%FROM_EMAIL>
To: <%TO_EMAIL>
Subject: Your second chance in life just arrived

Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bi
Precedence: bulk
Message-Id: <%GMTDATA[yyyyMMddHHmm].E%W_RND_INT[2]C%W_RND_INT[5]F@web.ozucfx.net>

<html>
<body>

</body>
</html>
</text>

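A defender’s use of the indicators in this post, as an added example (not the post’s or Avast’s code): a small scanner that runs over proxy log lines and flags the three C&C URL paths the post quotes (`/spm/s_get_host.php`, `/spm/s_alive.php`, `/spm/s_task.php`), checks the `id` parameter against the 32-character ID format the post describes, and reads the `smtp=ok|bad` flag from the keep-alive request. The log lines are constructed, not captured traffic; the client addresses and the `example.invalid` and `203.0.113.5` hosts are invented, the `sec.convertgame.com` host is one of the four the post lists, and the constructed ID’s `721` prefix is only an assumed version value shaped like the post’s example ID.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

# C&C URL paths and contacted hosts quoted from the post.
GRUM_CC_PATHS = {"/spm/s_get_host.php", "/spm/s_alive.php", "/spm/s_task.php"}
GRUM_KNOWN_HOSTS = {"servercafe.ru", "hub.werbeayre.com",
                    "sec.newcontrrnd.com", "sec.convertgame.com"}

# The post states a 32-character ID whose first three characters are the bot version.
BOT_ID_RE = re.compile(r"^[0-9A-Za-z]{32}$")

# Constructed sample data (not captured traffic): an ID shaped as the post
# describes, and proxy log lines of the form "timestamp client method url status".
CONSTRUCTED_ID = "721" + "0" * 29
SAMPLE_LOG = f"""\
2013-05-22T10:01:02Z 10.0.0.15 GET http://sec.convertgame.com/spm/s_get_host.php?ver=721 200
2013-05-22T10:01:05Z 10.0.0.15 GET http://sec.convertgame.com/spm/s_alive.php?id={CONSTRUCTED_ID}&ticks=5&ver=721&smtp=bad&sl=0&fw=0&pn=0&psr= 200
2013-05-22T10:02:00Z 10.0.0.22 GET http://www.example.invalid/spm/s_task.php 404
2013-05-22T10:02:30Z 10.0.0.22 GET http://www.example.invalid/index.html 200
2013-05-22T10:03:11Z 10.0.0.15 GET http://203.0.113.5:9091/spm/s_task.php?id={CONSTRUCTED_ID}&tid=61853 200
"""


def classify_request(url: str) -> Optional[Dict[str, object]]:
    """Return a finding for a URL that matches a Grum C&C path, else None.

    Confidence is "high" when the host is a known C&C host or the id parameter
    has the documented 32-character shape; a bare path match alone is "low",
    because a path such as /spm/s_task.php could exist on an unrelated site.
    """
    parts = urlsplit(url)
    if parts.path not in GRUM_CC_PATHS:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    bot_id = params.get("id", [""])[0]
    valid_id = bool(BOT_ID_RE.match(bot_id))
    host = parts.hostname or ""
    finding: Dict[str, object] = {
        "host": host,
        "path": parts.path,
        "known_host": host in GRUM_KNOWN_HOSTS,
        "bot_id": bot_id if valid_id else None,
        "bot_version": bot_id[:3] if valid_id else None,
        # Only s_alive.php carries the smtp flag; None elsewhere.
        "smtp": params.get("smtp", [None])[0],
    }
    finding["confidence"] = "high" if (finding["known_host"] or valid_id) else "low"
    return finding


def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Scan whitespace-separated log lines; malformed lines are skipped, not fatal."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        timestamp, client, _method, url, _status = fields[:5]
        finding = classify_request(url)
        if finding is not None:
            finding["timestamp"] = timestamp
            finding["client"] = client
            findings.append(finding)
    return findings


def clients_by_confidence(findings: List[Dict[str, object]], level: str = "high") -> Dict[str, Set[str]]:
    """Group the C&C paths seen per client at the given confidence level."""
    grouped: Dict[str, Set[str]] = {}
    for f in findings:
        if f["confidence"] == level:
            grouped.setdefault(str(f["client"]), set()).add(str(f["path"]))
    return grouped


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["timestamp"], f["client"], f["confidence"], f["host"], f["path"], f["smtp"])
    print(clients_by_confidence(scan_log(SAMPLE_LOG)))
```

A client that shows `s_get_host.php`, then `s_alive.php`, then `s_task.php` in that order is reproducing the sequence the post describes, which is stronger evidence than any single request; the `smtp=bad` value is also worth noting, since it tells you the host tried and failed to reach an outbound mail server.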
 

Categories: analyses, Virus Lab
May 21st, 2013

Consumer Reports recommends free security software in 2013 State of the Net Report

More than 58 million American adults had at least one malware infection that affected their home PC’s performance last year. The cost of repairing the damage from those infections was nearly $4 billion. These findings are from the latest Consumer Reports’ Annual State of the Net Report published in the June issue of their respected magazine. The magazine is trusted by millions of US consumers to give honest appraisals of products.

“Our Annual State of the Net Report revealed that home computers are no safer than they were last year. Effective security software, like the ones we recommend in our latest Ratings, is essential to protect against online threats,” said Jeff Fox, Technology Editor, Consumer Reports.

Consumer Reports’ latest Ratings of Security Software revealed that some free products are sufficient for most users, offering very good protection from online threats. The full report is in the June 2013 issue of Consumer Reports and online at ConsumerReports.org. This press release gives you the highlights.

May 20th, 2013

Lockscreen Win32:Lyposit displayed as a fake MacOs app

When the mastermind hackers of the notorious Carberp Banking Trojan were arrested, we thought the story had ended. But a sample that we received on May 7th, a month after the arrests, looked very suspicious. It connected to a well-known URL pattern and it really was the Carberp Trojan. Moreover, the domain it connected to was registered on April 9th!

Taking a closer look at the PE header, we observed that the TimeDateStamp (02 / 27 / 13 @ 12:19:29pm EST) showed a date slightly earlier than the date of the arrests of the cybercriminals, and that the URL was part of a larger botnet involving plenty of Russian bots. So the case was closed as a lost sample within a distribution process.

After using our internal Malware Similarity Search to catch as many malware samples as possible, a cluster appeared. It contained some well-known families like Zbot, Dofoil, Gamarue, and some fresh families like Win32/64:Viknok and Win32:Lyposit. The latter is a dynamic link library and it caught our attention with a quite sophisticated loader and a final payload. Read more…

Categories: analyses, Mac, Virus Lab
May 16th, 2013

avast! in the Final Frontier

startrek

With the release of the summer blockbuster Star Trek: Into Darkness, I started thinking about the Star Trek universe, Trek-nology, and what it would be like if avast! Antivirus was adopted by Starfleet. Wouldn’t it be amusing to hear the voice of the computer echoing through the bridge, “avast! Virus Database has been updated”? ;-) As Captain Picard would say, “Make it so!”

Our beloved U.S.S. Enterprise, space station Deep Space 9, the far-flung Voyager, and even the sentient android Data experienced computer malfunctions, some of them caused by a virus. Here are a few episodes that come to mind as I imagine the possibility of avast! in the Final Frontier.

ST: TNG The Contagion

Captain Jean-Luc Picard is a student of archaeology. When a distress call comes in from the U.S.S. Yamato, engaged in an archaeological investigation looking for the legendary planet Iconia, the Enterprise responds right away. But not in time to save the 1000+ crew and ship from destruction due to a computer virus. The weaponized virus was transmitted by a scan from an Iconian probe and caused dangerous systems failures by overwriting software. The Enterprise becomes infected when it downloads the Yamato logs. During the investigation, a Romulan Warbird shows up and an interstellar incident becomes imminent.

 

Shields up!

Apparently Starfleet’s ships don’t come equipped with virus protection software because the Yamato was destroyed when hostile, malicious threats took over their computer system, and the Enterprise was threatened as well. Avast’s shields protect different aspects of computer functions. If anything suspicious is detected, the file system shield will prevent the program from being started or the file from being opened to prevent any damage being caused to your computer and data.

Read more…

Categories: General