Malware samples received in the avast! Virus Lab Wednesday show that a spoofed email which looks like it has been sent from AVAST is spreading widely. Fortunately, AVAST detects this malware as Win32:Malware[Gen] and has been blocking the virus since 12:45 pm yesterday.
The email’s subject header says, “Your Order details and Additional information,” and the email message contains standard text that is sent when a person purchases a license from AVAST. The message includes an order number that is not authenticated and does not exist in the AVAST database.
The sender’s email address is firstname.lastname@example.org. This is a fake email address and was not created by AVAST. The email contains an attachment titled avast-Antivirus-Order-Details.
Our worldwide CommunityIQ sensors automatically detected and provided information to the avast! Virus Lab about these suspicious files, and the new threat was detected and neutralized immediately. So far, our virus lab has received 12,500 malware samples.
Avoid this attack by downloading the new avast! Antivirus 2014 for free.
Everybody knows the story of the beautiful Snow White. An evil queen with a bad temper gives a young girl a poisoned apple, because she apparently thinks that it would just make her day. Poor Snow White. All she wanted was a bite of this juicy apple. I guess this one particular bite didn’t make her very happy. Anyway, she apparently made some mistakes, that I can tell. For example, if she wanted an apple, she should have just picked one from a “genuine” tree. Or she could have had someone taste the apple first, like a brave knight that’s always there for her, protecting her every second.
Yes, it’s been a while since that famous apple incident happened. Nowadays, a girl wouldn’t just accept an apple from a stranger and take a bite right away. She would at least wash it first! If she’s smart enough, she’s going to have something that tells her more about the apple.
With the magic of fairy dust and special effects, let’s transform this story into the world of mobile security.
The Snow White fairy tale came to life a few days ago, when we found a fake Apple iMessage app for Android. There are a lot of apps for Apple iOS that are not released for other platforms. For example, when two people have an iPhone, they can send each other messages for free via Apple’s iMessage service. The Android alternative for that service would probably be Google’s Hangouts app. The problem occurs when you want to send a free text message from iOS to Android. Yes, there’s WhatsApp, Viber, and similar apps, but there’s no way to send an iMessage to Android, nor an iMessage from Android. That problem seems to bother some people, so they are eagerly waiting for a solution. The evil queen is aware of the need, so she makes poisoned apples and hands them out for free, telling others that they are sweet, juicy, and absolutely free from poison. Yes, I’m talking about fake apps that are trying to look like official Apple apps for Android.
Today is unfortunately the last day of the Virus Bulletin 2013 conference, but it has definitely been memorable. Last night, a gala dinner was held that went on into the wee morning hours. During the dinner there was a classic performance from a dancing cabaret group and a delicious meal was served. And, continuing the tradition of VB conferences, after dinner all the participants moved to our avast! Beer Bar and attempted to get their results to a higher level.
Today’s speaking line-up was concentrated on sophisticated malware on the Windows platform, online threats, and botnets. The afternoon panel discussion was moderated by Pedram Amini, our new AVAST colleague who joined the team a few weeks ago with the acquisition of Jumpshot. The discussion was about cyberwar and what we as a security industry can do about it.
Finally, the most important information: In the first blog chronicling this event, we mentioned the 7th IT Security Table Football World Championship. I asked you to wish us luck, and now I thank you for that! It definitely helped us a lot! And here are the final results!
1. Gdata – Germany
2. Avast – Czech Republic
3. Microsoft – USA
Hurray, we came in second! From such a big competition, it’s a great success for the avast! Virus Lab team, and one that we hope our colleagues (and our boss) will appreciate. For example, by buying a new football table for our office! To be ready to reclaim the AVAST honor at VB2014, we need to increase our practice time! (Next year, Gdata. Next year…)
We had a second day of VB 2013, and today can definitely be classified as an Android day. Most of the presentations from the first three blocks were concentrated on Android threats, potentially unwanted applications and adkits. This gave a strong signal that everyone should take Android security very seriously. Every big antivirus vendor has their own Android security applications, but a main point for me personally was that we should cooperate and share information to fight malware effectively.
In the last presentation block of the day, there were two presenters: First was Milos Korenko with his presentation The Best Things in Life are Free. I have to admit that listening to Milos is really inspiring. His high level public speaking abilities combined with the fact that he was speaking about such a good company as Avast made it one of the best presentations of the day.
During Miloš’ speech there were two hidden surprises. First, we announced the winners of the beer competition from Virus Bulletin 2012 held in Dallas. The top three from VB2012 are:
1. Dmitry (McAfee)
2. Jiri Bracek (AVG)
3. Roman Kovac (ESET)
The second surprise was from my colleagues in the avast! Virus Lab, Jaromir Horejsi and Peter Kalnai. Milos finished his speech quite quickly so he could share his free time with our analysts. They presented Are Linux desktop systems threatened by Trojans? Their talk, based on a blog post Hand Of Thief threat, published at the end of August, extended some philosophical thoughts about a real potential for Linux Desktops.
The avast! Beer Bar is open again! On the first day of VB2013, we spent an evening socializing with other colleagues. You can check our website for the beer rankings and see which IT security company has the best score.
Virus Bulletin 2013 just started today and our company is participating in many ways! This conference is one of the biggest IT security conferences in the world, one that well-known security companies can’t miss. And we are really proud to be there with more than 370 specialists from the security industry. We are a platinum sponsor, we have a few speakers here – but mainly we are the PROUD BEER SPONSORS for all participants.
Here is a quick review of the first day, which was a pretty busy one! During the morning the conference started with a welcome speech from Virus Bulletin editor Helen Martin, and then the technical and corporate streams, represented by many speakers, began. We have one speaker from our company here today. It was Jindřich Kubec, with Eric Romang, presenting “Big bang theory of CVE-2012-4792” – a very successful presentation indeed. The main subject was a forensics and detective model that describes the early development of the watering hole campaign which was mostly active from Dec. 2012 to Jan. 2013, prominently targeting energy industries, governments, non-profit organizations and human rights websites. After the initial targeted attack, the vulnerability cooled sufficiently to allow its integration in different confidential or public exploit kits. They also dug into the past and showed that there had clearly been a connection with the previous Sept. 2012 watering hole attacks on industrial websites, and also with watering hole attacks through Twitter in May 2012. The earliest phases of the vulnerability, like the Big Bang, are subject to much speculation. They tried to observe the most distant things that a security researcher can see. The timeline of the attacks, together with the disclosure, detection and publication dates, was shown. The code structure and changes were also analyzed, including the binary payloads – e.g. remote access tools.
I should also mention that there is an international IT security table football championship. And so far we have been successful! In the morning we won the first match against Sophos 6:1, 6:2 and second against Norman 6:0, 6:0. So cross your fingers and wish us luck for the next rounds. Stay tuned, we will definitely share more information in the next two days!
In recent weeks, malware samples resolved as Win32/64:Napolar from AVAST’s name pools generated a lot of hits within our file and network shields. Independently, we observed an advertising campaign of a new Trojan dubbed Solarbot that started around May 2013. This campaign did not run through shady hacking forums as we are used to, but instead it ran through a website indexed in the main search engines. The website is called http://solarbot.net and presents its offer with a professional looking design:
For the Win32/64:Napolar Trojan, the pipe used for inter-process communication is named \\.\pipe\napSolar. Together with the presence of character strings like “CHROME.DLL,” “OPERA.DLL,” “trusteer,” “data_inject,” and features we’ll mention later, we have almost no doubts that the Trojan and Solarbot coincide. Let us look at some analysis.
Many of you might wonder how the avast! Virus Lab works. Who are those guys sitting behind the computers and analyzing malicious files? Well let us unveil some of the virus lab secrets and break some stereotypes at the same time:
1. The avast! Virus Lab team doesn’t work in a laboratory.
2. Virus analytic professionals are real, nice human beings, not robots.
3. Yes, there are also ladies in the virus lab team (although these pictures don’t prove that.)
4. They like to have fun and socialize!
Proof that they really exist
Here’s a challenge for you – the first person to discover the Director of the avast! Virus Lab will receive a one year free license of avast! Premier! Please respond in the comments section of this blog.
Recently, we have seen many Facebook posts with links leading to applications called Give Hearts, Drink It Up and Daily Horoscope. The applications are very popular – they have over 5 million monthly users – and are managed by the same provider called App Discovery Engine. The posts attracted my attention because they seem to be posted automatically. The entire post consists of the URL which contains quite long text separated with ‘+’. (Later we will see that the text is a horoscope that you see on the page of the application).
To begin investigating these apps I follow the link leading to the Give Hearts application. It redirects me directly to the application. But before I can use it I am asked to grant Give Hearts access to information on my Facebook account like my email or friend lists.
Yes! What a lucky day! I’ve just got a message that I won 2,000,000.00 British Pounds (2.4M EUR/3.1M USD), an Apple laptop, a T-shirt, and a cap emblazoned with a logo of The Free Lotto Company. Pretty awesome you might think, but appearances are deceptive. Unfortunately, this is just one of the ways bad guys try to get some of our money.
Well, I was thinking, it’s worth a shot. So I decided to write to the email address and see what would happen. Actually, the hardest part was making up a fake name for myself! You would never believe how rough this might be. In the end, I decided to call myself Robert Konmed.
Here’s how the conversation went down.
Me: Hello, I’ve got a winning message with information to contact your email address. How can I pick up my prize please? Thank you, Robert Konmed
Bad guys: Please find attached document for info to contact courier delivery company: EMAIL:email@example.com Regards Brian Calton
Me: Hello guys, I’m really excited about a winning prize. But would be possible to tell me how much I should prepare for a delivery company? And also I’m curious if there is possibility to charge delivery from my winning prize? Thank you & have a nice day! Best regards! Robert Konmed
A new threat for the Linux platform was first mentioned on August 7th by RSA researchers, where it was dubbed Hand of Thief. The two main capabilities of this Trojan are form-grabbing of Linux-specific browsers and entering a victim’s computer by a back-door. Moreover, it is empowered with features like anti-virtualization and anti-monitoring. With the level of overall sophistication Hand of Thief displays, it can be compared to infamous non-Windows threats such as the FlashBack Trojan for the Mac OS X platform discovered last year or Trojan Obad for Android from recent times.
A detailed analysis uncovers the following structure of the initial file with all parts after the dropper being encrypted (hexadecimal number displays starting offset of a block):