Author Archive
June 20th, 2011

Fear of the HTML5

Right at the beginning of this article I must admit that I’m definitely not a specialist in the newest trends in web development. Consider the following contemplation only as the thinking of an amateur. Today I’ve noticed an article about the first MP3 codec written in JavaScript (http://jsmad.org/play/160426), written in order to support this media format in all browsers (even those that have no native support/codec for such media). That sounds great for such a loosely specified mechanism as the <audio> and <video> tags, which can encapsulate various media formats. The particular media format does not matter (MP3, OGG, FLAC etc.); the only thing you need is to provide a codec.

June 16th, 2011

Win32:SuspBehav strikes again

I’m glad to announce that Win32:SuspBehav – an advanced heuristic set of detections – is back on track now. It has been in maintenance mode for quite a while because there were some scheduled changes made to the underlying emulator. Following these changes, I was really curious about what the real-world feedback would be, and this is what I found:

[Image: a few of the SuspBehav submissions]

Wait! There’s a path to the legitimate IncrediMail installation directory. Hmmm, it is either a false positive or something really strange is going on here…

June 1st, 2011

Wrong specifications [reloaded]

I can confirm that we at the Virus Lab “love” product specifications and documentation. My recent experience shows a discrepancy between MSDN and the real behavior of VirtualAlloc.

I’m currently revising and tweaking the memory management inside one of the emulators used in the avast! antivirus engine. The goal of my effort is to bring this emulated environment closer to the real-world environment, so I decided to make the memory management conform precisely to MSDN. But after doing that… suddenly… about a sixth of my test set (around 400 malware families in total) refused to emulate as deep as usual. And the problem was in the VirtualAlloc emulation:

[Image: MSDN documentation of VirtualAlloc]

May 27th, 2011

Friendship and an immortal virus

Yes, an immortal virus seems to exist … at least in comparison to the usual life cycle of malware. While there are lots of malware families with a very short half-life, there are only a few with a long life. Parite (aka Pinfi) – a real long-playing evergreen – is one of them. Parite will reach the 10-year milestone this October. Gosh! Ten years! Can you remember what your computer looked like ten years ago? Ten years is an eternity in the world of IT. Just try to list what has changed and evolved during this period. There’s the obvious evolution of Windows and antivirus software for starters. But, despite all these changes, Parite is still with us.

May 19th, 2011

Early warning may save your bacon :-)

Another day, another entry in the avast! Virus Lab submission system for reporting false positives:

[Image: just another groovy submission?]

Processing hundreds of possible false positives each day is usually routine work, but a submission from a live internet link is always interesting and needs more individual attention. The reason is obvious – it can do more harm to potential site visitors than a file on a local system which isn’t linked anywhere. The fact that we detect this bit of malware with two different detection systems (regular detection for Sality along with a heuristic detection) is a clear hint – there’s definitely something fishy here.

February 19th, 2011

Crum is not (yet) dead, long live Morphex

Have you ever heard about the Morphex PE32 Loader? You are certainly not alone. Even the mighty “Uncle Google” can’t find the proper results:

[Image: all quiet on the Google front]

But … it definitely does exist.

Even if this is an “unknown” name, you should be concerned. The Morphex PE32 Loader supports the most successful and fastest growing AutoRun worm of 2011.

Categories: Virus Lab
December 20th, 2010

Malware: It’s all in the gift-wrapping

There is a market for gift-wrapping services in cyberspace – especially for malware.

There are thousands of malware variants out in cyberspace, including the well-known Alureon, Koobface, FakeAV, and Zeus. Behind this myriad assortment is a surprisingly small group of packers whose task is to slip malware past antivirus programs. These packers can generate an almost unlimited number of unique instances of a single underlying malware binary. And what is good news for the bad guys – and rather bad news for the rest of us – is that these software packages make malware more accessible to the more “average” cybercriminal.

Categories: Virus Lab
September 16th, 2010

Accurate file names – part 2

Malware writers seem to never sleep, and this time their activity also relates to my last article (published yesterday). How is it possible? When I used Google today to find references to my blog post, these results appeared:

[Image: Google search results]

September 15th, 2010

Accurate file names

It is always nice when we know what a file does, where it comes from, etc. Most of the time spent on deeper analysis of files (samples) goes to uncovering this information. But sometimes we don’t have to try, because everything is obvious, as in this case:

[Image: false-positive submission]

Categories: analyses, Virus Lab
August 13th, 2010

To trust or not to trust?

Trust brings together two hot topics that concern our users. The first topic is Win32:Injected-AZ, which is suspected by many users of being a false positive. The second topic is the reliability of digital signatures (Authenticode). Here these two topics intersect under some interesting circumstances (which will be elaborated soon):

[Image: examples of software packages affected by Win32:Injected-AZ]