
Archive for the ‘lab’ Category
August 8th, 2011

Four browser nets and one phish

Not all browser nets can catch the same phish. One Friday evening, just before I wanted to go home, I received an interesting email.

It contained sentences like “We recently reviewed your account, and suspect that your PayPal account may have been accessed by an unauthorized third party” and words like “protected”, “security” and “unauthorized”. Of course, at the end of the email, there were directions to click on a “Paypal” link to update information like login name and password.


May 5th, 2011

CARO: Half of all computers running vulnerable versions of Adobe PDF Reader

Half of all avast! users are running older versions of Adobe Reader on their computers that are vulnerable to a variety of malware attacks.

The avast! Virus Lab found that 49.41% of avast users were using the older Adobe Reader versions as of end-April. The number was also surprisingly stable, dropping by around five percentage points from the early March level of 55.71%.

“The numbers were a surprise to us,” said Jiri Sejtko, head virus analyst.

April 11th, 2011

False positive issue with virus defs 110411-1

Virus definition update 110411-1 contained an error that resulted in a good number of innocent sites being flagged as infected. Generally, all sites with a script in a specific format were affected.

Our virus lab staff discovered the problem quickly after releasing the bad update and immediately started working on a fix. The fix was released about 45 minutes after the problematic update and has version number 110411-2. Anyone who still has this problem is kindly asked to manually update the definitions to the latest version, e.g. by right-clicking the avast taskbar icon (the orange (a) ball), and selecting Update -> Engine and Virus Definitions.


We sincerely apologize for the inconvenience. As this typically only affected remote sites (and not local files), simply updating to the latest definitions should completely solve the issue (no local files have been quarantined).

April 5th, 2011

5 Questions with Lukáš Rypáček (Senior Software Developer)

I don’t know much about Lukas, other than that he is respected and liked by his colleagues (or they wouldn’t have suggested him as a potential interviewee). On Facebook, I discovered he has an interest in photography. In communicating with him for this interview, I found him to be unassuming, communicative, and laid-back. Considering I’m no software developer (and only a very amateur kind of geek), I would say that those are qualities that have contributed well toward the avast! software we all use and love. –Jason Mashak


1: You’ve been at AVAST since there were only a few handfuls of employees… what, for you, are some of the more memorable moments in the company’s history since you’ve been here?

I joined AVAST seven years ago [2004] when there were around 20 employees. Some of the core team members of today were still at university, studying along with their work. You would see them in the office only once or twice a week. This was a big difference from the 140-something we have today, when we hardly fit into any room all at once. For example, there used to be a habit to celebrate birthdays together in the offices. But as the number of employees grew, we would have to celebrate almost every other week. And we also started to have problems fitting into any one room, so the tradition was abandoned over time.

Moving into a new building, the one we are now in, was also quite exciting. We watched it being built, visiting it several times before it was finished. One of the last things moved was our company servers

April 1st, 2011

avast! in the AV-Comparatives Security Survey 2011

Source: AV-Comparatives Security Survey 2011


The AV-Comparatives Security Survey 2011 (pdf) released by AV-Comparatives.org in mid-March reveals that, from a list of 70 well-known security solutions, avast! ranks second in terms of which products respondents wish to continue to see reviewed.

Notably, 5 of the top-7 requested brands are based in Central and Eastern Europe.

January 18th, 2011

I swear, I didn’t write this rootkit

As of January 19, we have lived 25 years with malware. The first ever virus for the personal computer was written by two Pakistani brothers, Basit and Amjad Farooq Alvi. ©Brain was the name of this virus; it infected the MS-DOS FAT boot sector and it was harmless. This MBR rootkit just promoted their company with the following text:

Welcome to the Dungeon © 1986 Basit * Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAM BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination...

September 6th, 2010

Spring cleaning in our virus database

We would reach 3 million detections in our virus database (VPS) this week, but … this huge number means that when you put all the detections together, there is no difference between sophisticated algorithmic detections and “temporary” machine-generated detections.

July 29th, 2009

What to imagine behind Win32:MalOb [Cryp]

Our users are sometimes confused about what a particular malware name means. In fact, some names have no special meaning; they are mostly given to short-lived pieces of malware. In contrast to this daily stuff, there are some malware families (long-lived, widespread or highly dangerous) which should have a unique name. One reason is that a unique name can be searched for effectively in search engines (compare the results when you type “Win32:Trojan-gen” and “Win32:Fasec” into your search engine). There is no mandatory naming convention applicable to all AV vendors. Our names contain these parts:

- platform (or file type) prefix

- malware name

- malware type

July 3rd, 2009

Swizz with me

Swizzor is the detection name for a highly sophisticated, long-lived piece of malware/adware. It is based on a huge distribution network and is made by highly skilled bad guys. At first sight, Swizzor looks like ordinary modern software. The malicious code is divided into small pieces and distributed throughout the whole file by a code generator. This technique makes analysis and detection difficult.

Let’s look at Swizzor from the other side… What is the first thing a common user sees before running a file? Yes, it’s the icon. The icon is code-generated, as is the whole file. And here, among other things, the mathematical skill of the bad guys can be seen. As Swizzor evolves and each generation becomes harder to detect, the icon becomes more sophisticated too. It’s interesting to see bad guys producing nice art.

Swizzor icon - 1st generation

June 11th, 2009

What is Win32:Patched [Trj]

A patch is a utility that changes a few bytes in an original file. It is usually used to bypass license validation or to enable a hidden function. Such patches are normally applied with the knowledge and agreement of the user. However, another group of patches is actually malware, which makes the same kind of modification without the user’s knowledge or agreement. In this case, system files are patched to gain backdoor access to the system (e.g. by changing the startup key so the malware runs after booting). These files are detected by avast! as Win32:Patched.

The difference between file infectors (viruses) and patches is shown in the picture below. Patches just change a few bytes and cannot spread themselves. File infectors infect (patch) the victim file, add a virus body that performs the malicious action, and can go on to infect other files.

Differences between Patcher x File infector
