
Archive for the ‘lab’ Category
September 6th, 2010

Spring cleaning in our virus database

We will reach 3 million detections in our virus database (VPS) this week, but … this huge number means that when all the detections are counted together, no distinction is made between a sophisticated algorithmic detection and a “temporary” machine-generated one.


Categories: lab, Virus Lab
July 29th, 2009

What to imagine behind Win32:MalOb [Cryp]

Our users are sometimes confused about what a malware name means. In fact, some names carry no special meaning; they are mostly attached to short-lived pieces of malware. Unlike this daily stuff, some malware families (long-lived, widespread or highly dangerous) deserve a unique name. One reason is that a unique name can be searched for effectively (compare the results when you type “Win32:Trojan-gen” and “Win32:Fasec” into your search engine). There is no mandatory naming convention that applies to all AV vendors. Our names consist of these parts:

- platform (or file type) prefix

- malware name

- malware type
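As an added example (not avast!’s own code), here is a small Python parser that splits a detection name into those three parts. The regex, the treatment of the bracketed type as optional, and the “-gen means generic” heuristic are assumptions reconstructed from the names quoted on this page (Win32:MalOb [Cryp], Win32:Patched [Trj], Win32:Ardamax-LV [Spy], Win32:Trojan-gen, Win32:Fasec); the `parse_detection_name`, `try_parse` and `family_search_term` helpers are invented for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed layout, reconstructed from the names quoted on this page:
#   <platform or file type>:<malware name> [<malware type>]
# The bracketed type is optional ("Win32:Trojan-gen" has none). This regex is
# an assumption for the example, not avast!'s own parser.
_NAME_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9_]+):"       # platform / file-type prefix, e.g. Win32
    r"(?P<name>[^\s\[\]]+)"                # malware name, e.g. MalOb or Ardamax-LV
    r"(?:\s*\[(?P<mtype>[^\]]+)\])?$"      # optional type tag, e.g. [Cryp]
)


@dataclass(frozen=True)
class DetectionName:
    platform: str
    name: str
    mtype: Optional[str]  # None when the name carries no bracketed type

    @property
    def is_generic(self) -> bool:
        """Assumed heuristic: a '-gen' suffix marks a generic detection such as
        'Trojan-gen', as opposed to a family name such as 'Fasec'."""
        return self.name.lower().endswith("-gen")


def parse_detection_name(raw: str) -> DetectionName:
    """Split an avast!-style detection name into its parts.

    Raises ValueError for input that does not follow the layout, so a caller
    never silently treats garbage or another vendor's name as parsed."""
    m = _NAME_RE.match(raw.strip())
    if m is None:
        raise ValueError(f"not an avast!-style detection name: {raw!r}")
    return DetectionName(m["platform"], m["name"], m["mtype"])


def try_parse(raw: str) -> Optional[DetectionName]:
    """Lenient variant for batch processing of scanner output."""
    try:
        return parse_detection_name(raw)
    except ValueError:
        return None


def family_search_term(raw: str) -> str:
    """The part of a name worth typing into a search engine: platform plus
    family, without the type tag (e.g. 'Win32:Fasec')."""
    d = parse_detection_name(raw)
    return f"{d.platform}:{d.name}"


if __name__ == "__main__":
    # Constructed sample: names quoted in this post series, plus one bad string.
    samples = ["Win32:MalOb [Cryp]", "Win32:Patched [Trj]", "Win32:Ardamax-LV [Spy]",
               "Win32:Trojan-gen", "Win32:Fasec", "not a detection name"]
    for s in samples:
        d = try_parse(s)
        if d is None:
            print(f"{s:24} -> unparsed")
        else:
            print(f"{s:24} -> platform={d.platform} name={d.name} "
                  f"type={d.mtype} generic={d.is_generic}")
```

The strict parser refuses anything outside the layout rather than guessing, which matters when scanner logs mix vendors; `family_search_term` strips the type tag because, as the post notes, it is the family name that makes a search useful.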


Categories: lab
July 3rd, 2009

Swizz with me

Swizzor is the detection name for a highly sophisticated, long-lived piece of malware/adware. It relies on a huge distribution network and is made by highly skilled bad guys. At first sight, Swizzor looks like ordinary modern software. The malicious code is divided into small pieces that a code generator scatters throughout the whole file. This technique makes analysis and detection difficult.

Let’s look at Swizzor from the other side… What is the first thing the average user sees before running a file? Yes, its icon. The icon is code-generated, just like the rest of the file, and here, among other things, the mathematical skill of the bad guys shows. As Swizzor evolves and each generation becomes harder to detect, the icon becomes more sophisticated too. It’s interesting to see bad guys producing nice art.

Swizzor icon - 1st generation


Categories: lab
June 11th, 2009

What is Win32:Patched [Trj]

A patch is a utility that changes a few bytes in an original file. It is usually used to bypass license validation or to enable a hidden function, and such patches are normally applied with the knowledge and agreement of the user. However, another group of patches is actually malware that performs the same kind of change without the user’s knowledge or agreement. In this case, system files are patched to gain backdoor access to the system (e.g. by changing the startup key so that the malware runs after booting). These files are detected by avast! as Win32:Patched.

The difference between file infectors (viruses) and patches is shown in the picture below. A patch changes only a few bytes and cannot spread by itself. A file infector patches the victim file and adds a virus body that performs the malicious action and can infect further files.

Differences between a patcher and a file infector
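The distinction in the picture (a few bytes edited in place versus a hook plus an appended body) can be made mechanically when a known-good copy of the file is available. The following Python is an added example, not avast!’s detection logic: it diffs a suspect file against its pristine copy and reports whether it looks patched, infected, or merely appended to. The `PATCH_BYTE_LIMIT` threshold, the verdict names, and the toy 64-byte “files” built by `build_samples` are all constructed for illustration; real infectors may overwrite rather than append, and real systems would compare against signed catalogues or hashes rather than a second copy.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed threshold for this example: a handful of edited bytes is "patch-like".
# The post gives no numeric boundary, so this value is illustrative only.
PATCH_BYTE_LIMIT = 16


@dataclass
class FileDelta:
    """How a suspect file differs from its pristine copy."""
    changed_offsets: List[int] = field(default_factory=list)  # in-place edits
    appended: bytes = b""            # bytes present only beyond the original length
    verdict: str = "identical"


def compare_to_pristine(pristine: bytes, suspect: bytes) -> FileDelta:
    """Classify a suspect file against a known-good copy.

    identical  : byte-for-byte equal
    patched    : same length, at most PATCH_BYTE_LIMIT bytes edited in place
    rewritten  : same length, more than PATCH_BYTE_LIMIT bytes edited
    infected   : grew AND original bytes were edited (hook + appended body)
    appended   : grew but original bytes untouched (no hook into the new data)
    truncated  : shrank
    """
    d = FileDelta()
    common = min(len(pristine), len(suspect))
    d.changed_offsets = [i for i in range(common) if pristine[i] != suspect[i]]
    if len(suspect) > len(pristine):
        d.appended = suspect[len(pristine):]

    if pristine == suspect:
        d.verdict = "identical"
    elif len(suspect) < len(pristine):
        d.verdict = "truncated"
    elif d.appended and d.changed_offsets:
        d.verdict = "infected"
    elif d.appended:
        d.verdict = "appended"
    elif len(d.changed_offsets) <= PATCH_BYTE_LIMIT:
        d.verdict = "patched"
    else:
        d.verdict = "rewritten"
    return d


def build_samples() -> Dict[str, bytes]:
    """Constructed toy files (not real executables) mirroring the picture above."""
    pristine = b"MZ\x90\x00" + bytes(range(60))          # 64-byte stand-in for a system file

    # Patch: two bytes flipped in place, e.g. a conditional jump turned unconditional.
    patched = bytearray(pristine)
    patched[40:42] = b"\xEB\x90"

    # File infector: a jump to the appended body overwrites the start of the code,
    # and the virus body is tacked on after the original end of file.
    infected = bytearray(pristine)
    infected[4:8] = b"\xE9\x3C\x00\x00"                    # hook into appended body
    infected += b"VIRUS_BODY" * 4                          # 40-byte appended payload

    return {"pristine": pristine, "patched": bytes(patched), "infected": bytes(infected)}


if __name__ == "__main__":
    s = build_samples()
    for name in ("patched", "infected"):
        d = compare_to_pristine(s["pristine"], s[name])
        print(f"{name:9} -> {d.verdict}, edited offsets {d.changed_offsets}, "
              f"appended {len(d.appended)} bytes")
```

Both the patch and the infection change bytes in the original image, which is why a plain hash mismatch catches either; the extra classification is what tells an analyst whether to look for a stolen license check or for a body that can spread further.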


Categories: lab
May 27th, 2009

False positive alerts in “Tools”

Are you always sure that what you are downloading is safe? Every day, many of our users report “false positive alerts” to us. I use quotes because most of them are actually malware. See the picture below: the reported “wrong detection” is Win32:Ardamax-LV [Spy].


False positive alerts report

Ardamax is a well-known legitimate keylogger, but the bad guys often use it to steal account information. In this case, the keylogger is part of a hack. That is why 90% of antivirus programs detect this keylogger as suspicious (see the VirusTotal report).

So, do you put your trust in unknown web sources such as RapidShare, MegaUpload etc., or in your antivirus program?

Categories: lab
May 21st, 2009

Caro workshop #3

A few Avast virus lab guys and developers attended the 3rd CARO workshop in Budapest, Hungary. We found a bit of time for a short visit to the historical center. Here are some pictures taken with my “faithful friend”, a Canon EOS 400D.

Categories: lab