Let us present the long-term analysis of malware which was designed to steal credentials from more than 25 largest banking and payment systems in Brazil. The unique features of this banking malware include the usage of valid digital certificates, 3 years of evolution and stealing credentials from e-commerce admin pages. This feature opens doors for attackers, who can then log in to e-commerce systems and steal information about customers and their payments.

This malware family combines all of these powerful functionalities and serves as a comprehensive tool for stealing money and sensitive personal data with dangerous efficiency.

Download full whitepaper in PDF format here.

In this blog post, we will look at the attack originating from hxxp://www.spc.or.kr/ and targeting several major Korean banks.

The site, spc.or.kr, is a legitimate Korean website which belongs to Korea Software Property Right Council (SPC). After opening the site and showing its source code, we looked into the included script /js/common1.js. This script includes another two javascripts ( the third one is commented out ). When we opened both of these scripts, we noticed a suspicious iframe tag at the end of /js/screen1.js. This iframe tag led us to rootadmina2012.com, which is the main attack site.

Read more…

Several days ago we received a complaint about javascrpt.ru. After a bit of research, we found that it tries to mimic ajax.google.com and jquery, but the code is an obfuscated/packed redirector.

After removing two layers of obfuscation, we found a list of conditions checking visitors’ user Agent. From these conditions. we got a clue and focused on mobile devices.

Read more…

Recently we encountered a very suspicious piece of code on some Joomla-powered webpages. The code looks as if garbled and without any special meaning, and starts like this:

Upon closer observation, several strange things are to be noted. First, there are no alphanumerical symbols to be seen in any part of the code. Second, on the line before this code starts, there is actually an HTML tag indicating a start of Javascript code (<script>), preceded by 37 tabs. Therefore, when opening an infected file in a text editor, one cannot normally see the starting tag, because it is shifted all the way to the right. To be able to see it, you either have to horizontal scroll, or have word wrap on. The same trick is performed with the script closing tag as well. Why would anyone try to hide these tags? The answer is simple, to trick people into thinking this is not actually a Javascript code.

Read more…

I don’t know what kind of curiosity leads people to the dark corners of the internet, when they want to obtain a new version of antivirus software. It’s somehow irrational to find security software at insecure places. But…. it happens.

FP submission

As you can see, the file name is Avast_Antivirus_2012_Trial_Verion.exe – but it is definitely not a proper setup released by us. Here are some facts, that are worth remembering:

Read more…

In October we wrote on our blog about a spreading Russian Trojan horse named the Bicololo. Since that time, the malware has continued to evolve and spread even further. Nowadays avast! saves several thousand PCs every day from its infection.

Read more…

Through a collaboration with Eric Romang (@eromang), independent security researcher we can confirm that the watering hole campaigns are still ongoing and are targeting multiple targets, including as an example a major Hong Kong political party website.

This website is actually using the new version of the original Internet Explorer (CVE-2012-4792) vulnerability attack, but right now it’s also using the latest Java (CVE-2013-0422) vulnerability.

Chinese language version of the web site is doing a remote javascript inclusion to “http://www.[REDACTED].org/board/data/m/m.js”.

This website is a legitimate compromised website used for hosting the exploit files, hosted in South Korea.

Read more…

As a malware analyst, I sometimes have to deal with files, which cannot be classified as computer virus or malware, but their behavior when executed by user is still considered unwanted or suspicious. In this blogpost, we will look at an adware downloader. It comes in two different versions, one tiny – having only about 17KB and being written in .NET, and the other one bigger, using getrighttogo downloader builder.  In user’s computer, downloader was found in the following directory.

C:\Documents and Settings\Administrador\Meus documentos\Downloads\filme(1).exe

Users’ computer got infected via one of many sites similar to following ones – websites offering to download movies. After clicking on download links, .exe files were offered to download.

Figure 1 – Example of site the downloader was originally downloaded from

Read more…