Archive for the ‘lab’ Category
November 7th, 2012

Just in case… before you pay (!)

The creators of phishing scams are really getting creative. Of course, one could question their choice of target in this case. The Czech Republic is known for our quite lenient view of laws and rules and, especially, of the need to pay (or the lack thereof) any fines, particularly those imposed by the so-called municipal police. Who would bother… Hence, an email urging you to pay a fine is normally filed directly into the ‘round file’, otherwise known as the trash. Well, in this case there actually might be a good reason to look at it closely ;)

October 8th, 2012

Russian Odnoklassniki spamming

Recently, we’ve noticed too many legitimate domains popping up in our URL filters as serving malware. At first we thought we had a huge false-positive (FP) problem, but after analysis we found a pattern.

All of the referring links came from the Russian Odnoklassniki server, which is a quite-popular Russian social network. Users of that network are getting fake messages with links to photos.


September 4th, 2012

High-profile, legitimate site contains malware

It is not only users visiting high-risk sites who need avast! protection: visitors to the well-known site samsungimaging.net (the Samsung SMART CAMERA blog), for example, found that their avast! protected them from a threat.

Yesterday, AVAST began detecting malicious Java content on this site.

August 15th, 2012

Oh wait, that’s not what I wanted!

Got a brand new smartphone and want to be protected from all the dangerous malware that’s out there? So you go and get some Android antivirus software. But what you don’t know is that you have just been tricked. And it’s going to cost you some money. Yes, even if you downloaded it for free.

The latest trend in Android malware is to hide behind something that seems to be legit. Guys at GFI Labs pointed that out, so let’s take a closer look behind the scenes and add some interesting info from the AVAST Virus Lab’s perspective. Imagine yourself as a virus maker. You create an app that will do something evil like steal or delete people’s texts (you’re a nice virus maker), or you want to milk the cow even more and you create an app that’s going to get you some money from the victim by making it silently send text messages to premium-rate phone numbers.

But how do you spread your evil milking machine among Android users? Just take a look at the apps that are already popular and trusted, like Angry Birds, Opera Browser, or even better, an antivirus app! What can feel safer than installing antivirus on your phone, right? So you take your evil app and make it look, for example, like avast! Mobile Security or any other antivirus suite. Then you make it available for free download, easy to find, placed on a web page that is not guarded like the Play Store, Amazon App Store, or any other genuine Android market. Most people only download apps from these genuine stores, but there are always some who somehow get tricked, or who are just unlucky and run into a fraudulent app like the one I’m talking about.

Let’s take a closer look at one of the cases: Android:FakeInst-AB.
July 16th, 2012

Click for me, thanks!

Social sites are great for people who want to monetize their ideas. But sometimes these ideas are far more sinister.

Over the last few weeks, researchers at the Avast antivirus labs in Prague have noticed a new attack based on a combination of social sites, fake Flash Players and the promise of illicit videos of well-known Hollywood stars.
April 10th, 2012

Risky gaming with ZeuS and WordPress

Assassinscreedfrance.fr, a French fan site for the wildly popular computer game, is still infected.

For over 8 weeks, the site has been infected with a Trojan JavaScript redirector that sends visitors to a Russian malware site and connects them to a ZeuS-powered botnet. The infection was last confirmed by the AVAST Virus Lab at 12.00 CET, April 10, 2012. And, just to make it clear, the Assassinscreedfrance.fr site is not affiliated with Ubisoft, the developer of the Assassin’s Creed franchise.

So far, avast! has blocked over 179,800 visits by its users to this site. And Assassinscreedfrance.fr is just one of 1,841 sites around the globe that have been infected with this specific Trojan during the month of March.

Powered by variants of the ZeuS Trojan, this collection of botnets has stolen over $100 million from small and medium-sized businesses.

The infection, a Trojan redirector, sends users to a Russian malware distribution server with an IP address registered in Saint Petersburg, Russia. And yes, this server is still working, even after Microsoft’s recent takedown of a few dozen botnet servers.

February 27th, 2012

Don’t shoot the messenger

Not everyone appreciates an avast! warning. Some IT professionals find it hard to believe that an infection has taken place on the computers and the networks under their supervision.

“In today’s update you have included their website as being infected and harmful,” complained one web developer in an email to AVAST Software. “For the last month, it has been a brand new site. I have scanned the site with several online website scanners and they all come up clean.”

AVAST Software sends out a lot of warnings to users. During January of 2012, we recorded 1.87 billion incidents of our users encountering malware.

In this specific case, the company owners had avast! on their own computers and they were getting warnings that their site was infected. Even worse, because their avast! was blocking them from accessing their own site, they realized potential customers were also getting shut out – costing them money.

While online scans from two other security suppliers did not detect anything, Jiri Sejtko at the AVAST Virus Lab did.

January 13th, 2012

From color pink to infectious binary

My daughter should be credited (or blamed) for the Cute, Pink, and Infected release.

She was playing games on my computer and suddenly screamed: “The internet has stopped!”

Yes indeed, the browser had shut down on her. All I knew at the time was that this involved some online games and a Google search using the word “games” or “hry” (games in Czech).

Back at the office, I started sifting through the list of infected sites for those with “game” or “arcade” in the URL and found quite a few. Even better, there were two sites, cutearcade.com and hiddenninjagames.com, that looked something like the game sites she had been visiting.

October 31st, 2011

Following WordPress into a Blackhole

When we looked into the recent wave of WordPress site hacks, our investigation took two separate paths: uncovering the TimThumb vulnerability and the Black Hole Toolkit used to exploit it.

Now it is time to talk in more detail about what the Blackhole Toolkit is.

For starters, the Blackhole exploit kit is used to spread malicious software to users through hacked legitimate sites. It was most likely made by Russian developers; the big clue for this is that operators can switch between the Russian and English languages. The full version of this toolkit costs around $1500 on the black market. However, bargain hunters can find a stripped-down version for free online.

But much more important than acquiring Blackhole is finding out how to get rid of it, or more precisely, simply finding out whether you have been infected. So, how can a website owner recognize that their page has been infected and is being blocked by an antivirus program because it is being misused as a redirector to a site hosting the Blackhole exploit kit? And how do the attackers compromise your site?
September 7th, 2011

Unpacking the “Unitrix” malware

The “Unitrix” exploit takes several Unicode features designed for right-to-left languages and uses them to mask malicious executables as safe text or video files. Here is a short list of the main options.

We described Unitrix in a recent release, Hackers flip filenames to create “safe” file extensions. But this was just the start of the detective work. Analysis of this exploit showed that the hackers do not directly take over the infected computers. Instead, they run a “pay per installation” network that provides outsourced infection and malware distribution services for other cybergangs, apparently based in Russia and the Ukraine, after giving each infected computer its own identification number. And this gang has the ability to change the final payload thanks to its downloader: a rootkit today, tomorrow something else.

We’ve titled this malware W32:Fivfrom. It’s a malware downloader which, after activation, connects to several distribution centers to download and install malware on the infected computer. We analyzed over fifty separate files, all of which initially looked quite different. But when we looked inside…