Author Archive
April 24th, 2012

avast! Free Antivirus for Mac and the Flashback botnet

Mac computers running the beta version of avast! Free Antivirus for Mac were not infected by the Flashback Trojan.

“We’ve confirmed our app’s detection abilities for Flashback within the test lab and with reports from our beta testers,” says Jiri Sejtko, director of AVAST Virus Lab operations.

The Flashback Trojan linked to the Mac botnet is a derivative of last year’s DevilRobber Mac OS X Trojan. The AVAST Virus Lab now has 18 variants of this malware in its antivirus database.

“With an estimated 600,000 infected Macs, this botnet is just a large example that the Apple operating system is not immune from malware,” said Jiri. “Add a growing market share that makes Mac an attractive target for the bad guys together with a user base that insists they do not need a security app – you have all the conditions in place for an epidemic to rip through.”

The latest Flashback variants can infect vulnerable Macs without requiring the victim to enter a password. “Mac malware has historically been dependent on social engineering – convincing the user to enter the required password. Now these days are over and Mac users can pick up malware just by visiting an infected website,” adds Jiri. “Welcome to the real world.”

Flashback is a logical step in Mac malware’s steady evolution, he points out. Initial malware samples were rather simple, just compiler-generated code with no encryption whatsoever, but it has since evolved to be more “custom”, with encrypted strings and code, and structured to evade security apps like Little Snitch (firewall software for Mac OS X) or Apple’s XProtect. During 2011, there were some large-scale attempts to spread Mac malware via Google Image poisoning.

“It takes 1-2 years for malware guys to adapt to a new technology – it took a similar time when they switched from DOS to Windows. This latest botnet did not fall out of the clear blue sky. The conditions have been building for some time and I’m glad that our security app will soon be available for Mac users,” says Jiri.

avast! Free Antivirus for Mac is currently in the late BETA stage. It includes the latest avast! antivirus engine, three shields (Web, File, and Mail) and the WebRep reputation and anti-phishing plugin for the Safari browser. avast! Free Antivirus for Mac builds on the AVAST Software tradition of providing a full-fledged security app which is completely free. More details coming very soon.

April 20th, 2012

Malware ate my homework

Missing homework used to be blamed on the family dog, but now the focus has shifted to the computer. And sometimes – as this user note shows – malware really is to blame.

“My avast! Free version will not let me check teacher’s blogs at my daughter’s high school website.  avast! just started blocking this site about 1 week ago.  We can’t find any way on avast! Free to “allow” a trusted site.  What do we do?” wrote a concerned parent from Harrison High School in Georgia.

The problem was not with avast! – the school’s site (http://harrisonhigh.org) really did have an infection.

“For unprotected visitors, it was the same schema as usual,” says Jan Sirmer, analyst at the AVAST Virus Lab. “A screen with a fake AV appears in the browser and forces you to download that AV and pay money for it.”

“The attack, not surprisingly :), focused on WordPress,” he adds. “There were redirections to sub-sites at rr.nu. There we detected more sites such as cie69svoi.rr.nu and ordonv12ectorct.rr.nu. Those sites redirected visitors to a site with the rogue antivirus.”

In this case, the concerned parents did the right thing. Instead of switching their avast! off so they could visit this “trusted” site, they wrote a note to the AVAST Virus Lab. That likely saved them from installing a fake antivirus on their computer. Read more…

April 17th, 2012

Here comes the “Zahlungspflichtig bestellen” button

Germany leads EU in unpronounceable consumer protection

Germany has become the first country to enact a new EU law protecting online consumers against new types of fraud. One visible change will be a “Zahlungspflichtig bestellen” button on internet sites, which translates as “order with an obligation to pay”.

The law is designed to combat internet “subscription traps”: sites that lure consumers with a free offer but actually sign them up for a service where the real costs are hidden and the conditions can be misleading, if not fraudulent. By late 2012, customers at German ecommerce sites will have to click a button labeled “zahlungspflichtig bestellen” to complete their online purchases instead of the current “Anmeldung” (registration) button.

The “Button Law” adopted by the German Bundestag results from EU Directive 2011/83/EU on consumer rights. It might be used as a model for the other EU countries to copy as the 2013 deadline on the consumer rights Directive approaches. Since Germany is the largest economy in the European Union, this new law might just have a knock-on impact on consumer rights that goes beyond the country’s borders. Read more…

April 10th, 2012

Risky gaming with ZeuS and WordPress

Assassinscreedfrance.fr, a French fan site for the wildly popular computer game, is still infected.

For over 8 weeks, the site has been infected with a Trojan JavaScript redirector that sends visitors to a Russian malware site and connects them to a ZeuS-powered botnet. The infection was last confirmed by the AVAST Virus Lab at 12.00 CET, April 10, 2012. And, just to make it clear, the Assassinscreedfrance.fr site is not affiliated with Ubisoft, the developer of the Assassin’s Creed franchise.

So far, avast! has blocked over 179,800 visits by its users to this site. And Assassinscreedfrance.fr is just one of 1,841 sites around the globe that have been infected with this specific Trojan during the month of March.

Powered by variants of the ZeuS Trojan, this collection of botnets has stolen over $100 million from small and medium-sized businesses.

The infection, a Trojan redirector, sends users to a Russian malware distribution server with an IP address registered in Saint Petersburg, Russia. And yes, this server is still working, even after Microsoft’s recent takedown of a few dozen botnet servers. Read more…
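The redirectors described in this post and in the Harrison High School post above share one shape: something injected into an otherwise legitimate (often WordPress) page sends the browser to a host the site owner never referenced. A site owner who is told their page is blocked can check for that themselves. The scanner below is an added illustration, not AVAST’s detection logic; it pulls every outbound reference that can redirect or load a foreign document (meta refresh, inline `location` assignments, external script and hidden iframe sources) out of a page and reports those whose host is not the site or one of its subdomains. The page and the hosts in it (`example-fansite.fr`, `evil.example`) are constructed for the example.

```python
"""Find off-site redirectors injected into a web page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# location = "...", location.href = "...", location.replace("..."), location.assign("...")
LOCATION_RE = re.compile(
    r"location(?:\.href)?\s*(?:=|\.replace\s*\(|\.assign\s*\()\s*['\"]([^'\"]+)['\"]", re.I)
# the URL inside a <meta http-equiv="refresh" content="0;url=..."> tag
REFRESH_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)


class RedirectScanner(HTMLParser):
    """Collect (kind, url) for every construct that can send the visitor elsewhere."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.refs.append(("script src", a["src"]))
        elif tag == "iframe" and a.get("src"):
            self.refs.append(("iframe src", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = REFRESH_RE.search(a.get("content", ""))
            if m:
                self.refs.append(("meta refresh", m.group(1)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands us the raw body of <script> blocks here
        if self._in_script:
            for url in LOCATION_RE.findall(data):
                self.refs.append(("inline location", url))


def offsite_redirects(html, site_host):
    """Return [(kind, host, url)] for every reference whose host is not site_host or a subdomain."""
    scanner = RedirectScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for kind, url in scanner.refs:
        host = urlparse(url).hostname
        # relative URLs (no host) stay on the site and are not redirectors
        if host and host != site_host and not host.endswith("." + site_host):
            findings.append((kind, host, url))
    return findings


# Constructed sample: a WordPress-style page with three injected redirectors.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<meta http-equiv="refresh" content="0;url=http://evil.example/r">
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example-fansite.fr/theme.js"></script>
<script type="text/javascript">
if (document.referrer) { document.location.href="http://evil.example/in.php?id=1"; }
</script>
</head><body>
<a href="http://www.ubisoft.com/">Official site</a>
<iframe src="http://evil.example/x.html" width="1" height="1" style="visibility:hidden"></iframe>
<p>Bienvenue sur le site des fans.</p>
</body></html>"""

if __name__ == "__main__":
    for kind, host, url in offsite_redirects(SAMPLE_PAGE, "example-fansite.fr"):
        print(f"{kind:16} -> {host:20} {url}")
```

Plain links (`<a href>`) are deliberately not reported: they need a click, and a fan site linking to the publisher is normal. A hit from this check is a reason to pull the page source from the server (not through a browser) and diff it against a known-good copy of the theme or plugin, since the injected code is frequently conditional on the referrer or user agent and will not show up on every visit.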

March 23rd, 2012

Misspelling goes criminal with typosquatting

Inaccurate spelling means more than poor marks at school; it is a billion dollar business opportunity for typosquatters. At a single IP address, the AVAST Virus Lab has identified 8,600 typosquatting sites, registered variations of well-known sites or brands. Two identifiable targets were the Craigslist online classified ad service and YouTube; other site addresses were parodies of Hotmail, Google and many more brands, basically everyone.

After going to one of the identified typosquatting sites, visitors are redirected to one of several hundred “quiz” sites where they receive an offer of a “free” prize such as an iPhone. The sites typically make money through premium-rate phone calls, selling advertisements, and reselling the email addresses collected from visitors.

Spelling errors are a huge moneymaker on the internet. A Harvard research paper[1] estimated that a major search engine alone could be making nearly a half billion dollars annually just on pay-per-click ads from typosquatting sites. Add in the other search engines and the revenue from the sites identified by AVAST, and typosquatting could easily be a billion dollar market.

“It is not technically malware, but it is online fraud and features like AutoCorrect in Microsoft Word have really let people get lazy with their spelling,” pointed out Jindrich Kubec, head of the AVAST Virus Lab. “The popularity of Craigslist with this one gang gives us a great sample set to demonstrate the types of spelling errors the bad guys are looking for.” Read more…
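The spelling errors a squatter registers are not random: they are the mistakes a typist makes most often, and each one can be generated mechanically from the target name. The script below is an added example (not the Virus Lab’s tooling) that enumerates the common categories for a brand domain (dropped letter, swapped neighbours, adjacent key on a QWERTY keyboard, doubled letter, wrong TLD, missing dot after “www”) and matches them against a list of hostnames. The observed hostnames are constructed for the example; in practice they would come from passive DNS or zone-file data.

```python
"""Enumerate typosquat candidates for a domain and match them against observed hosts (added example)."""

# Rough QWERTY neighbourhood for the "adjacent key" rule. Assumption: the
# squatters target the layout used by the brand's main audience.
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}
# TLDs that are commonly registered in place of the real one
COMMON_TLDS = ("com", "net", "org", "co", "cm")


def typo_variants(domain):
    """Map each typo variant of `domain` (form brand.tld) to the error that produces it."""
    label, _, tld = domain.rpartition(".")
    out = {}

    def add(candidate, rule):
        # a variant reachable by several rules keeps the first (most common) one
        if candidate != domain:
            out.setdefault(candidate, rule)

    for i in range(len(label)):                                   # craiglist.org
        add(label[:i] + label[i + 1:] + "." + tld, "omission")
    for i in range(len(label) - 1):                               # craigslsit.org
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        add(swapped + "." + tld, "transposition")
    for i, ch in enumerate(label):                                # craigslisr.org
        for near in KEYBOARD_NEIGHBOURS.get(ch, ""):
            add(label[:i] + near + label[i + 1:] + "." + tld, "adjacent key")
    for i, ch in enumerate(label):                                # craigsslist.org
        add(label[:i] + ch + label[i:] + "." + tld, "doubled letter")
    for alt in COMMON_TLDS:                                       # craigslist.cm
        if alt != tld:
            add(label + "." + alt, "tld swap")
    add("www" + label + "." + tld, "missing dot")                 # wwwcraigslist.org
    return out


def find_squats(domain, observed_hosts):
    """Return sorted (host, rule) pairs for observed hosts that are typo variants of domain."""
    variants = typo_variants(domain)
    return sorted((h, variants[h]) for h in set(observed_hosts) if h in variants)


# Constructed list standing in for hostnames seen resolving to one IP address.
OBSERVED_HOSTS = [
    "craiglist.org", "craigslsit.org", "cragslist.org", "craigslist.cm",
    "wwwcraigslist.org", "youtub.com", "example.org",
]

if __name__ == "__main__":
    print(len(typo_variants("craigslist.org")), "candidates generated")
    for host, rule in find_squats("craigslist.org", OBSERVED_HOSTS):
        print(f"{host:20} {rule}")
```

Run the generator against your own brand and feed the candidates to a WHOIS or DNS lookup; anything that resolves and is not yours is worth a look, and the rule name tells you which keyboard slip the registrant was betting on.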

March 9th, 2012

This time, the bad guys want your tax accountant

While taxpayers are the regular target of springtime malware schemes, this year the bad guys are aiming for the accountants.

A series of impostor emails threatens recipients with the removal of their professional accreditation if they fail to respond promptly. The tax-phish appear to come from organizations such as the American Institute of Certified Public Accountants (AICPA), the Better Business Bureau (BBB), and Intuit tax services.

After clicking the link in the email, users are redirected through a hacked legitimate site to the final malware distribution center, where their computer can download a fake antivirus or another malware package selected by the bad guys.

This spam campaign started in the last week of February. A tax-themed attack is a traditional feature of March and April as Americans prepare their income tax returns.

The tax-time malware is the latest example of the Blackhole exploit kit at work, and shows that the bad guys’ graphic and language skills are improving. Read more…

February 28th, 2012

Sounds, links, and languages

How often do you receive links in your email box – and then discover that they are malware?

I get them frequently, and was even sent some malware by my cousin and sister (see blog.avast.com/2012/01/27/relative-exposure-to-malware/).

But this time, the link is a great cartoon, which reminds me of three important avast! features.

http://9gag.com/gag/2976257

Sounds – I like the avast! update announcements. For people who do not want this information, or find it annoying, turning it off is simple. Just go to the avast! settings and then to the “Sounds” tab. You can even pick and choose which announcements to hear.

Links – Randomly clicking on links, even from friends, is an easy way to pick up some malware. This is why running the browser in the sandbox (only with avast! Pro and Internet Security) is a good idea.

Languages – Normally my computer is set to “Pirate English” but I try out other languages for fun. avast! comes in over 30 official languages plus an additional 20+ special versions such as “Redneck” and “Slaski”. To try out a different language pack, just visit the avast! website at http://www.avast.com/fun.


February 27th, 2012

Don’t shoot the messenger

Not everyone appreciates an avast! warning. Some IT professionals find it hard to believe that an infection has taken place on the computers and the networks under their supervision.

“In today’s update you have included their website as being infected and harmful,” complained one web developer in an email to AVAST Software. “For the last month, it has been a brand new site. I have scanned the site with several online website scanners and they all come up clean.”

AVAST Software sends out a lot of warnings to users. During January of 2012, we recorded 1.87 billion incidents of our users encountering malware.

In this specific case, the company owners had avast! on their own computers and they were getting warnings that their site was infected. Even worse, because their avast! was blocking them from accessing their own site, they realized potential customers were also getting shut out – costing them money.

While online scans from two other security suppliers did not detect anything, Jiri Sejtko at the AVAST Virus Lab did. Read more…

January 27th, 2012

Relative exposure to malware

If you work at an antivirus company, be sure that family members will soon ask you questions about computers and the latest malware. Sometimes, they will even send you some. The other day, I got an odd email from my cousin, soon followed by a similar note from my sister that contained this:

The two of them – completely unintentionally – sent me a personalized bit of spam/malware. This was quite nice. After all, there aren’t so many Lyles in the world and I thought it was really considerate of some malware writers to address me directly. So I asked Jan Sirmer in the AVAST Virus Lab to tell me how it was done and the goal of this malware. Here are his comments: Read more…

January 13th, 2012

From color pink to infectious binary

My daughter should be credited (or blamed) with the Cute, Pink, and Infected release.

She was playing games on my computer and suddenly screamed: “The internet has stopped!”

Yes indeed, the browser had shut down on her. All I knew at the time was that this involved some online games and a Google search using the word “games” or “hry” (games in Czech).

Back at the office, I started sifting through the list of infected sites for those with “game” or “arcade” in the URL and found quite a few. Even better, there were even two sites, cutearcade.com and hiddenninjagames.com, that looked something like the game sites she had been visiting. Read more…