Recently we encountered a very suspicious piece of code on some Joomla-powered webpages. The code looks as if garbled and without any special meaning, and starts like this:

Upon closer observation, several strange things are to be noted. First, there are no alphanumerical symbols to be seen in any part of the code. Second, on the line before this code starts, there is actually an HTML tag indicating a start of Javascript code (<script>), preceded by 37 tabs. Therefore, when opening an infected file in a text editor, one cannot normally see the starting tag, because it is shifted all the way to the right. To be able to see it, you either have to horizontal scroll, or have word wrap on. The same trick is performed with the script closing tag as well. Why would anyone try to hide these tags? The answer is simple, to trick people into thinking this is not actually a Javascript code.

Read more…

I don’t know what kind of curiosity leads people to the dark corners of the internet, when they want to obtain a new version of antivirus software. It’s somehow irrational to find security software at insecure places. But…. it happens.

FP submission

As you can see, the file name is Avast_Antivirus_2012_Trial_Verion.exe – but it is definitely not a proper setup released by us. Here are some facts, that are worth remembering:

Read more…

Yesterday evening (Prague time) I spotted a curious question on Twitter from journalist Brian Krebs asking about possible malware on one of LA Times websites:It made me wonder, because having such detection would definitely provoke few of our users to claim a false positive in avast! Read more…

In October we wrote on our blog about a spreading Russian Trojan horse named the Bicololo. Since that time, the malware has continued to evolve and spread even further. Nowadays avast! saves several thousand PCs every day from its infection.

Read more…

Hello Avast fans!

It is my pleasure to officially announce the new Avast bug bounty program. As a security company, we very much realize that security bugs in software are reality. But we also realize that companies that are able to use their user communities to find and fix bugs are generally more successful that those that don’t. Therefore, we have decided to reward individuals who help us find and fix security-related bugs in our own software. This makes us probably the first security vendor with a reward program like this: I think it’s mainly because the other companies generally take the position that ‘Hey, we’re a security company. So we know security and it can’t happen to us.’ But in reality, that’s not what’s happening. Just look at bugtraq or the CVE databases and you will find that security software is no more immune to these issues than any other programs. A bit of irony, given that people generally install security software to fight security issues in the first place, isn’t it?

We at Avast take this very seriously. We know that being a market leader (Avast has more users than any other AV company in the world), we’re a very attractive target for the attackers. So, here’s our call to action: let’s unite and find and fix those bugs before the bad guys do!

Here’s how it works:

• The bounty program is designed for security-related bugs only. Sorry, we’re not paying for other types of issues like bugs in the UI, localization etc. (nevertheless, if you find such a bug, we will of course very much appreciate if you report it).
• This program is currently intended only for our product, i.e. not the website etc.
• We’re generally only interested in these types of bugs (in the order of importance):
  • Remote code execution. These are the most critical bugs.
  • Local privilege escalation. That is, using Avast to e.g. gain admin rights from a non-admin account.
  • Denial-of-service (DoS). In case of Avast, that would typically be BSODs or crashes of the AvastSvc.exe process.
  • Escapes from the avast! Sandbox (via bugs in our code)
  • Certain scanner bypasses. These include include straightforward, clear bypasses (i.e. scenarios that lead to direct infection, with no additional user input), as opposed to things like deficiencies in the unpacking engine etc. In other words, we’re interested only in cases that cannot be mitigated by adding a new virus definition (please don’t report undetected malware)
  • Other bugs with serious security implications (will be considered on a case by case basis).
• The base payment is $200 per bug. Depending on the criticality of the bug (as well as its neatness) the bounty will go much higher (each bug will be judged independently by a panel of experts). Remote code execution bugs will pay at least  $3,000 – $5,000 or more.
• We might change these ranges based on the number and quality of incoming reports. Generally, the less reports we will get, the higher the bounty will go.
• We will only pay for bugs in Avast itself. For example, if you find a bug in a Microsoft library (even if it’s used by Avast), please report it to Microsoft instead (it would be great if you could also notify us, but unfortunately, we cannot offer any reward in such cases).
• The program is currently limited to consumer Windows versions of Avast (i.e.: Avast Free Antivirus, Avast Pro Antivirus, and Avast Internet Security). Only bugs in the latest shipping versions of these products will be considered.
• Payment will be done preferably by PayPal. If you can’t accept PayPal (e.g. because it doesn’t work in your country), please get in touch with us and we will try to figure out something else.
• Because of certain legal restrictions, we cannot accept submissions from the following countries: Iran, Syria, Cuba, North Korea and Sudan.
• It is the researcher’s own responsibility to pay any taxes and other applicable fees in their country of residence.
• In order to be eligible for the bounty, the bug must be original and previously unreported.
• If two or more researchers happen to find the same bug, the bounty will be paid only to the one whose submission came in first.
• You must not publicly disclose the bug until after an updated version of Avast that fixes the bug is released. Otherwise, the bounty will not be paid.
• The bounty will be paid only after we fix the issue (or, in specific cases, decide to not fix it).
• Some bugs may take longer to correct. We will do our best to fix any critical bugs in a timely fashion. We appreciate your patience.
• Employees of AVAST and their close relatives (parents, siblings, children, or spouse) and AVAST business partners, agencies, distributors, and their employees are excluded from this program.
• We reserve the right to change the rules of the program or to cancel it at any time.

How to report a bug and qualify for the bounty:

• Please submit the bug to a special email address bugs@avast.com
• If you’d like to encrypt your email (recommended), please use this PGP key.
• A good bug report needs to contain sufficient information to reliably reproduce the bug on our side. Please include all information that may be relevant – your exact environment, detailed bug description, sample code (if applicable) etc. It also needs to contain a decent analysis – this is a program designed for security researchers and software developers and we expect certain quality level.
• You will receive a response from an Avast team member acknowledging receipt of your email, typically within 24 hrs. If you do not receive a response, please do not assume we’re ignoring you – we will do our best to follow up with you asap. Also, in such a case it is possible your email didn’t make it through a spam filter.

Finally, I’d like to say thanks to everyone who helps to find and fix bugs in our products. Hopefully, this new reward program will take this initiative to a whole new level.

Happy [bug]hunting!

P.S. The bug bounty rules are also available on our main website here.

Today, I received an email from one of my coworkers (yes, even careful employees of security vendors are in danger:) ). This email has more recipients and contains only one link, without any text or subject.

Fortunately, I am a really paranoid person about emails containing only a link to an unknown site. At this link, you can notice two really suspicious things: The directory is images and there’s a file called yahoo12.php. That should warn users to avoid clicking on this link.

Read more…

Through a collaboration with Eric Romang (@eromang), independent security researcher we can confirm that the watering hole campaigns are still ongoing and are targeting multiple targets, including as an example a major Hong Kong political party website.

This website is actually using the new version of the original Internet Explorer (CVE-2012-4792) vulnerability attack, but right now it’s also using the latest Java (CVE-2013-0422) vulnerability.

Chinese language version of the web site is doing a remote javascript inclusion to “http://www.[REDACTED].org/board/data/m/m.js”.

This website is a legitimate compromised website used for hosting the exploit files, hosted in South Korea.

Read more…

As a malware analyst, I sometimes have to deal with files, which cannot be classified as computer virus or malware, but their behavior when executed by user is still considered unwanted or suspicious. In this blogpost, we will look at an adware downloader. It comes in two different versions, one tiny – having only about 17KB and being written in .NET, and the other one bigger, using getrighttogo downloader builder.  In user’s computer, downloader was found in the following directory.

C:\Documents and Settings\Administrador\Meus documentos\Downloads\filme(1).exe

Users’ computer got infected via one of many sites similar to following ones – websites offering to download movies. After clicking on download links, .exe files were offered to download.

Figure 1 – Example of site the downloader was originally downloaded from

Read more…