Again and again and again… That’s what comes to my mind every time I see a new variant of the Kavo family and, most recently, also the Hilot family. These malware samples are machine-generated, and their authors can produce a “completely new” set of samples from a simple change to the generator itself. What’s the problem here? These changes are not random, as we thought earlier; they are precisely targeted against the most popular AV engines.
Read more…
I’m really impressed by how well our user community works! A new web-based attack was discovered today, and our users promptly made a detailed analysis and helped to clarify what’s going on there. What am I talking about? And what is the relation to the question in the title? It is pretty simple.
Read more…
One of our users sent us a sample of a rogue AV for analysis. He didn’t attach any further information and the binary was heavily obfuscated, so I decided to give it a shot inside a virtual machine. A virtual machine image of a clean (freshly installed) Windows XP was used to run it, and this screen appeared:
Read more…
Hello again, I’m gonna tell you a story about an emulator that became 5x faster in a single day. In the beginning there was a disassembler and a virtual execution environment. The disassembler liked the environment so much that they got together one day, and the framework for our emulator was born. It was growing day by day, line by line, up to 20k+ lines of code, and here the “problem” begins.
Read more…
Yesterday, when I was about to get something to eat, my attempt to check a menu online ended with a warning about HTML:Iframe-LZ. Well, that’s quite spicy content for an ordinary daily menu. So, let’s look at what’s under the hood.
Read more…
avast! Free Antivirus can be downloaded for free from our servers or from other download servers such as download.com, 01.fr and others. But why limit yourself to avast! Free Antivirus if there are other products available with additional functionality that can be downloaded for free?
At least, that is what some people are thinking. Read more…
Malware usually spreads through web infections placed on innocent, badly secured websites. The ad infiltration method is growing in popularity alongside website infections. Now we are facing probably the biggest ad poisoning ever made: all the important ad services are affected. This means that users might get infected just by reading their favorite newspaper or by searching on well-known web search engines. User interaction is not needed in this attack; infection begins right after the poisoned ad is loaded by the browser, so it is not a type of social engineering. We named the source of this attack JS:Prontexi, JavaScript code which initiates the infection on the victim’s computer using various vulnerabilities, including the latest PDF exploits.
Read more…
Honestly, I don’t know, but according to my tastes he shouldn’t get it for his latest movie; it was a bit boring. I was commenting on it to a colleague, and because it’s late at night here I wasn’t able to remember the movie’s name; I just remembered that George Clooney was nominated for the leading actor Oscar for this movie. So I simply put “clooney oscar” in my Firefox address bar, which is the simplest way to get Google search results. But I wasn’t exactly “Feeling lucky” about the result I got. Read more…
These days, most new computers are sold with Windows 7 64-bit. This new operating system and the new processor features (DEP + ASLR) make exploitation more difficult. An easier way to run an attacker’s code on a victim’s computer is to convince the user to download it voluntarily. Last week we received one interesting example. Let’s see it… Read more…
JavaScript or HTML encryption/obfuscation “may” help to protect a web designer’s work from having its know-how stolen. But this statement is very controversial; obfuscation or encryption mostly belongs to malicious scripts. Such a technique may fool automatic antivirus scanners, but anyone can look under the obfuscation, because the decryption routine is usually distributed alongside the script itself. Today we released detection for a very strange script we found yesterday; its name is JS:LoverCrypt-A [Trj].
Read more…