Archive
Earn money from safety at home
Today, I received an email from one of my coworkers (yes, even careful employees of security vendors are in danger :) ). The email had several recipients and contained only a single link, with no text and no subject.
Fortunately, I am really paranoid about emails that contain nothing but a link to an unknown site. Looking at this link, you can notice two really suspicious things: the directory is named images, yet it contains a file called yahoo12.php. That alone should warn users not to click on the link.
‘Reporters without Borders’ website misused in wateringhole attack
Watering hole attacks continue (with a twist)
Through a collaboration with Eric Romang (@eromang), an independent security researcher, we can confirm that the watering hole campaigns are still ongoing and are hitting multiple sites, including, as one example, the website of a major Hong Kong political party.
This website currently serves a new version of the original Internet Explorer (CVE-2012-4792) exploit, but it is now also using the latest Java (CVE-2013-0422) vulnerability.
The Chinese-language version of the site performs a remote JavaScript inclusion from “http://www.[REDACTED].org/board/data/m/m.js”.
That site is a legitimate website, hosted in South Korea, which was compromised and is used to host the exploit files.
Download a movie or pollute your computer with garbage?
As a malware analyst, I sometimes have to deal with files which cannot be classified as a computer virus or malware, but whose behavior when executed by the user is still considered unwanted or suspicious. In this blogpost, we will look at an adware downloader. It comes in two different versions: a tiny one, only about 17 KB and written in .NET, and a bigger one built with the GetRightToGo downloader builder. On the user’s computer, the downloader was found in the following directory.
C:\Documents and Settings\Administrador\Meus documentos\Downloads\filme(1).exe
The user’s computer got infected via one of many sites similar to the following ones: websites offering movie downloads. After clicking on the download links, .exe files were offered for download.
Figure 1 – Example of a site the downloader was originally downloaded from
New Toy in the Avast Research Lab
The Avast Research Lab is where some of Avast’s brightest brains essentially create new ways of detecting malware. These are either features inside the product (such as FileRep and autosandboxing, including all of its recent development) or components that run on our backend, i.e. things that users don’t necessarily see but that are equally important for the overall quality of the product.
In fact, working on the backend takes up more of their time these days, as more and more of the intelligence in Avast is moving to the cloud and/or is being delivered in almost real time via the avast! streaming update technology.
Short trip report from AVAR 2012 in Hangzhou, China
The AVAR Conference is organized by the Association of anti Virus Asia Researchers (AVAR – http://www.aavar.org) every year in a different city in the Asia region. This year the conference was held in Hangzhou, China. We submitted two presentation proposals, and both of them were accepted: “Injecting custom payload into signed Windows executables” by Igor Glucksmann (AVAST) and “Your Every Click Counts (But All the Money Goes to Me)” by Lukas Hasik & Jan Sirmer. We spent a week in China at this conference at the beginning of November. Let me share a few photos and comments with you.
We reserved a little time to recover from the jet lag after more than 11 hours on the plane to Shanghai, so we had some time to discover a bit of China.
Hangzhou is a very nice city, or at least I really enjoyed the West Lake. And there is no better way to enjoy it (in China) than on a bike, of course.
Android PUP Detections – Oh, Not That One Again!
Potentially Unwanted Program – that’s what PUP stands for. You probably already had a chance to meet some PUPs on a Windows PC, but how does a PUP look on an Android phone? How will you know how to handle it? All of this will be explained here.
When a PUP alert attacks you, don’t panic.
For starters, it’s just a warning. It’s not a standard virus and, no, your life is not in danger. PUP detections were made to warn people when a suspicious component or ability is detected within the application.

Let’s say you downloaded an app that’s called “Christmas Carols” (don’t panic about that, either; it’s still a month and a half till Christmas) and a PUP warning hits you. The detection name reads “Android:SpyPhone-E [PUP]”. What should you do? Well, what I would do is to sing Silent Night to that app and wave goodbye while uninstalling it. Why? Well, it’s an app that’s supposed to play Christmas carols and not “SpyMyPhone” or whatever that PUP warning says.
Just in case… before you pay (!)
The phishing scam creators are really getting creative. Of course, one could question their choice of target in this case. The Czech Republic is known for its quite lenient view of laws and rules and, especially, of the need to pay (or not) any fines, particularly those imposed by the so-called municipal police. Who would bother… Hence, an email urging you to pay a fine is normally filed directly in the ‘round file’, otherwise known as the trash. Well, in this case… there actually might be a good reason to look at it closely.
Avast Virus Lab analysis of Dorkbot with Skype hijacker
Earlier this week, a new variant of the Dorkbot/Ruskill malware attacked users of the Skype video calling service. This malware can affect a huge number of sites and online services and can attack almost all known web browsers, such as Internet Explorer, Firefox, Chrome, Opera and Flock, as well as other programs such as MSN, wlcomm.exe etc.
The avast! VirusLab analyzed this malware. You can read about it in articles published on the web, but none of them analyzed the new module that hijacks Skype messenger, which is now the bigger threat to users. In packed form this module is around 70 KB; after removing the custom packer/loader, its pure size is 16,384 bytes. The module is very small but includes 31 known language versions of the phishing messages that appear in the Skype messenger window. The localization is chosen based on the OS language via the GetLocaleInfo API. By bypassing the return value of that call you can see the different language mutations.
Sample of phishing messages in various languages:
- lol is this your new profile pic?
- hey é essa sua foto de perfil? rsrsrsrsrsrsrs
- hej je to vasa nova slika profila?
- hey c’est votre nouvelle photo de profil?
- ¿hey esta es tu nueva foto de perfil?
- hey ini foto profil?
- hei er dette din nye profil bilde?
- hej to jest twój nowy obraz profil?
- hey ito sa iyong larawan sa profile?
- ¿aquesta és la teva nova foto de perfil?
- hej detta är din nya profilbild?
- hej jeli ovo vasa nova profil skila?
- hey la anh tieucua ban?
- sa k’vo profili lusankary
- hey e la tua immagine del profilo nuovo?