Be Free to be creative

Be Free to have fun

Be Free to explore

Be Free to love

Be Free to enjoy simple things

Be Free to draw

Be Free to dare

Enter your photo via the Facebook app, or simply tag it #avastBeFree and enter it via Instagram or Twitter. The image will appear in the Facebook Gallery where you can vote. Invite your friends to vote too. The last day to enter is Wednesday, May 29th. The last day to vote is Monday, June 3rd.

Question of the week:  First it was Facebook, then Living Social, then LinkedIn, now Twitter accounts have been hacked. How can I keep my business and personal accounts from being hacked, if the big boys can’t even protect theirs?

You are right. It seems like every week we hear about another major website or an account on a social network being hacked into. Your concern is genuine, because once hackers get in they can not only gain control of your account, but they can also get your email address, passwords, and even get access to your bank account.

There are some steps you can take.

Use Password Protection

Strong passwords are essential to protect your online accounts. The challenge comes in remembering your various usernames and passwords, so we suggest that you use avast! EasyPass. For less than it costs for lunch, you can protect all your passwords for an entire year. Here’s some of the highlights:

• One-click log ins Save all your log in details and log into your favorite websites with a single click.
• Single master password EasyPass securely stores all your website and Windows application passwords. From now on, you only need to remember one master password.
• Password generator Generate random passwords for all your different accounts for the most protection. 12345 just doesn’t cut it anymore.
• Fill in forms Store personal information which can be used later to automatically complete online forms, so you don’t have to manually type in the same details every time.

You can try a 1-month free trial of avast! EasyPass. Visit the avast! Store and click free trial Download.

Two-Factor Authentication

Google and Facebook offer two-factor authentication, and Twitter just announced that they added this extra security layer yesterday.  Two-factor authentication requires users to enter a second code along with their username and password.

As a barrier between your account and hackers, we suggest that you enroll in login verification programs when offered. For those who sign up, Twitter will send a six-digit code using a text message each time they sign in to Twitter.com. Besides their username and password, users will have to enter the code as well to log in. It’s a bit inconvenient, but it’s more of a pain to clean up your reputation if a hacker gets ahold of your account. Get started by going to the Twitter blog.

Log out

It is a little harder to log out when we access our accounts from a smartphone, but if you lost your phone, a hacker would not only have your phone; he’d have your identity!

Protect your smartphone from theft by installing avast! Free Mobile Security. With the Anti-Theft component enabled,  you will have remote options to locate and recover your phone.

Grum, one of the largest spamming botnets, suspected to be responsible for over 17% of worldwide spam (as described here), which was “killed” in July 2012, still lives.  We have been tracking its activity since January 2013.  We can confirm spiderlab’s doubts about the grum killing published in March 2013. The following article provides some details about registered grum activity.

We have seen grum activity on following sites:

• servercafe.ru
• hub.werbeayre.com
• sec.newcontrrnd.com
• sec.convertgame.com

Every bot client generates its own identification number (ID) on its first run. The length of the ID is 32 characters. The first three correspond with a bot version and the other 29 characters are randomly generated. It is also set to the HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\BITS\ID registry key, which is queried on every run.

After the bot sets its ID, it tries to connect to a C&C server.

1) The bot contacts C&C server with a HTTP GET request to get the FQDN of the client’s computer

http://%server/spm/s_get_host.php?ver=%botVer

2) The information is used to contact one of the SMTP servers obtained from DNS MX records from following domains which are used for sending spam:

• hotmail.com
• yahoo.com
• aol.com
• google.com
• mail.com
• mail.ru
• yandex.ru
• …

3) Then the C&C server is contacted by the following request

http://%s/spm/s_alive.php?id=%botID&ticks=%u&ver=%botVersion&smtp=%s&sl=%d&fw=%d&pn=%d&psr=

The smtp variable is set to ‘ok’ when the bot successfully contacts one of the SMTP servers and set to ‘bad’ if it does not.

4) The C&C server answers with a message which looks like a typical BASE64 encoding

For example:

Xu6hQoZL5+9/Hva9N3F3A2+gwPdLuk28BPA5Alm1IOS9MWvCLGp9r/UEqHksCNo4djEmA8SBk/tPRNvg1wc1rjZnwToThUorVw7kdU/h53sgoszvg0OX06MFQvEOxLqF7P4PQ+s=

Actually the message is encrypted by RC4 algorithm with key equals to the bot’s ID and then it is encoded by BASE64.

parts of low level BASE-64 decoding

low level decryption part of RC4

The whole decryption algorithm written in C# could look like this:

The bot id is 72176717204370682282907051332175 for the mentioned message.
After decryption process we can see the message:

http://84.200.70.131:9091/spm/s_task.php?id=72176717204370682282907051332175&tid=61853

5) The bot remembers the ot variable and sends the HTTP task request without the ot variable.

http://84.200.70.131:9091/spm/s_task.php?id=72176717204370682282907051332175&tid=61853

6) The C&C answers with spamming instructions including spam mail template which is also encrypted by the schema mentioned above.

The interesting thing is that sent spam is similiar to scam described on our blog in the past.

Finally, we provide a screenshot of encrypted instructions, a spam email and an example of decrypted instructions .

example of sended spam

encrypted spam instructions

<info>
taskid=61853
realip=x.x.x.x
dns=8.8.8.8
hostname=y
heloname=y
maxthread=25
from=usypc@ozucfx.net

type=0
try_tls=0
use_psr=0
use_dnsapi=1
try_mx_num=1
use_ehlo=1
</info>
<emails>
nadialee@hanmail.net
nadialee@hellokitty.com
…
nadialeitao@zipmail.com.br
nadia_leonita@yahoo.co.id
</emails>
<ac_list>
</ac_list>
<text>
Received: by work.ozucfx.net (Postfix, from userid %W_RND_INT[3])
id E%W_RND_INT[2]CE%W_RND_INT[5]E; %DATE
From: Work at Home <%FROM_EMAIL>
To: <%TO_EMAIL>
Subject: Your second chance in life just arrived

Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bi
Precedence: bulk
Message-Id: <%GMTDATA[yyyyMMddHHmm].E%W_RND_INT[2]C%W_RND_INT[5]F@web.ozucfx.net>

<html>
<body>
…
</body>
</html>
</text>

“Our Annual State of the Net Report revealed that home computers are no safer than they were last year. Effective security software, like the ones we recommend in our latest Ratings, is essential to protect against online threats,” said Jeff Fox , Technology Editor, Consumer Reports.

Consumer Reports’ latest Ratings of Security Software revealed that some free products are sufficient for most users, offering very good protection from online threats. The full report is in the June 2013 issue of Consumer Reports and online at ConsumerReports.org. This press release gives you the highlights.

Taking a closer look into the PE header, it was observed that the TimeDateStamp (02 / 27 / 13 @ 12:19:29pm EST) displayed a bit earlier date than the date of the arrests of the cybercriminals, and the URL was a part of larger botnet where plenty of Russian bots are involved. So the case was closed as a lost sample within a distribution process.

After using our internal Malware Similarity Search  to catch as many malware samples as possible, a cluster appeared. It contained some well-known families like Zbot, Dofoil, Gamarue, and some fresh families like Win32/64:Viknok and Win32:Lyposit. The latter is a dynamic link library and it caught our attention by a quite sophisticated loader and a final payload.

Loader Analysis

The starting dropper is a Microsoft Visual Basic executable that unpacks and loads the first hidden layer – another x86 PE executable. This layer decrypts data in newly allocated memory and the next step is performed there. Analysis is made more difficult by resolving WINAPI functions on the fly by a hash and using a multiple cooperating threads. The main decryption is done by repeating calls of RC2 cipher algorithm provided by Microsoft Base Cryptographic Provider v1.0. The next layer is a dynamic linked library and it drops the proper binary of the lockscreen.

Payload

Lockscreen tries to communicate with its servers through Background Intelligent Transfer Service (BITS) . It creates a single BITS Control Class with a background job that downloads files to the client (a parameter BG_JOB_TYPE_DOWNLOAD for the IBackgroundCopyManager:CreateJob method). It was reported that malware in the past used to bypass firewall rules in order to perform additional actions.

URL names are encoded in the data section of a binary file and they appear non-standard on the first sight:

An example of a query to a C&C server:

The string before the equality sign is randomly generated for length between 1 and 5 and the sequence of numbers after the equality contains packed information about the victim’s location and computer name. The following picture reveals what’s behind the previous request after a decryption ( the first double word is a return of GetTickCount() call,  followed by a constant byte 0×18 and an internal code of procedure that calls the request; then we see a magic string  ”RLA5″, a value of local identifier, a hash of the DigitalProductId xored with the value of the InstallDate and finally a hash of Computer Name ).

A reverse algorithm that reveals this buffer works like this:

Communication protocol is encrypted and the following decryption algorithm is used:

Applying decryptBITS algorithm twice on a received buffer an archive with a complete HTML page finally displayed is obtained.

Depending on the location setting of the victim’s computer, particular content for a ransom message is chosen on a the server-side. If it is not Switzerland, Italy, Spain, Germany, Russia, Ukraine or possibly other non-US countries, it could look like this:

Observe that the background picture (btw. it is called “US.jpg” in the archive) and the font style of commands output is definitely not a Microsoft Windows command line. Moreover, the highlighted string “MacOs vers” whispers what the platform pretends to be. But we did not get tricked; this is not another threat for Mac OS systems. We can only speculate about the reasons why the malware authors chose this strange masking. One that comes to mind is the fact that Mac OS X has a bigger market share in North America and users are more used to this style. Who knows…

Persistence
The lockscreen secures its execution after every start-up using two methods. The first one is fairly regular and its idea is to silently register malicious library with the correct setting in the registry:

The second method is more unconventional. The malware registers itself as an extension of the command processor. It means that the malware would become a common component after every run of cmd.exe:

Manual Removal of Win32:Lyposit

1. Boot your computer with a live CD

2. Find upper mentioned registry keys that serve for the persistance of the lockscreen.

3. Find and delete the referenced file in those keys.

4. Restart your computer in Normal Mode.

Sources

Finally MD5 of some selected samples with the detections of avast! engine:

Acknowledgment

Sincere gratitude goes to my colleague Jaromír Hořejší for cooperation on this analysis.

With the release of the summer blockbuster Star Trek: Into Darkness, I started thinking about the Star Trek universe, Trek-nology, and what it would be like if avast! Antivirus was adopted by Starfleet. Wouldn’t it be amusing to hear the voice of the computer echoing through the bridge, “avast! Virus Database has been updated”? As Captain Picard would say, “Make it so!”

Our beloved U.S.S. Enterprise, space station Deep Space 9, the far-flung Voyager, and even the sentient android Data experienced computer malfunctions, some of them caused by a virus. Here are a few episodes that come to mind as I imagine the possibility of avast! in the Final Frontier.

ST: TNG The Contagion

Captain Jean-Luc Picard is a student of archaeology. When a distress call comes in from the U.S.S. Yamato, engaged in an archeological investigation looking for the legendary planet Iconia, the Enterprise responds right away. But not in time to save the 1000+ crew and ship from destruction due to a computer virus. The weaponized virus was transmitted by a scan from an Iconian probe and caused dangerous systems failures by overwriting software. The Enterprise becomes infected when it downloads the Yamato logs. During the investigation, a Romulan Warbird shows up and an interstellar incident becomes imminent.

Shields up!

Apparently Starfleet’s ships don’t come equipped with virus protection software because the Yamato was destroyed when hostile, malicious threats took over their computer system, and the Enterprise was threatened as well. Avast’s shields protect different aspects of computer functions. If anything suspicious is detected, the file system shield will prevent the program from being started or the file from being opened to prevent any damage being caused to your computer and data.

ST: TNG 11001001

The U.S.S. Enterprise is at Starbase 74 for a maintenance layover. Service and software upgrades, including an overhaul of the Enterprise‘s main computer, are being made by the Bynars, alien technicians who work as unified pairs. While in dock, the Bynars stage a fake warp core breach and all personnel are evacuated. Unknowing of the situation, Captain Picard and Commander Riker are in the newly repaired and enhanced holodeck, distracted by a charmingly responsive hologram woman named Minuet in a New Orleans Jazz club. The incident is later learned to have been engineered by the Bynars in an effort to save their home planet Byanus. Their main computer system was damaged in a supernova, and the data was backed up in the Enterprise‘s main computer.

Red alert!

The Bynars used scareware and social engineering in their desperate attempt to steal the Enterprise. They staged a fake emergency similar to bogus antivirus programs that urgently claim you have hundreds of threats and have to take immediate action, which includes sending them money. The beautiful hologram, Minuet, was designed like hard-to-resist social media scams enticing you to click further. Avast’s fully integrated firewall could monitor all communication between the Enterprise’s computer and the outside world and can block unauthorized communication, therefore limiting external connections. Avast! would, of course, have built-in protection to detect mischievous holograms. Look for it in an upcoming version.

ST: DS9 Babel

On space station Deep Space 9, a hibernating virus designed by the Bajorans 18 years earlier to infect their enemies the Cardassians, turn replicators into bots and eventually infect people through the atmosphere causing them to speak incoherently.  (We told you that viruses can jump from computers to people!) A weary Chief O’Brien attempts to fix broken down systems under pressure from Commander Sisko. Quark complicates matters by hacking the Starfleet computer to find a replicator that works so he can continue serving at his bar.

We are the Bot. You will be assimilated.

The Bajoran virus created a botnet which turned the DS9 replicators into zombies which spread the infection around the station. Each time someone would use the replicator to create, for example a cup of coffee, the malware would be executed. When the Bajoran application started, avast! would have detected it, and automatically run the application in the avast! Auto-Sandbox. That would have given the Chief time to check the suspicious application while remaining completely protected against any malicious actions that it might try to perform.

To boldly go where no antivirus has gone before

Avast! Antivirus is obviously needed in the Star Trek universe of the 23^rd century. Hackers, scammers, and cybercrooks continue to take advantage of various humanoid and machine vulnerabilities. As we wait for Zefram Cochrane to invent warp drive, first contact to be made, and the United Federation of Planets to be established, our developers are working on LCARS compatibility and avast! Free Antivirus for PADDs, tricorders, and the occasional android too.

Avast! Antivirus protects your computer and mobile phone around the clock, so you can BE FREE to enjoy your life. Show us what you do when you are free from worry and frustration. Take a photo of what it means to you to BE FREE, and enter it into our avast! Be Free photo contest. It’s easy. You can enter on our Facebook app, or through your own Twitter or Instagram account using the hashtag #avastBeFree. Once your photo is entered, invite your friends to vote for it in the photo gallery. The top voted photos will win a new Nexus 4 mobile phone or a Nexus 7 or Nexus 10 tablet!

Here are some examples of photos that were already entered to give you inspiration.

You can BE FREE to spend time with your loved ones…

You can BE FREE to play…

You can BE FREE to fly…

You can BE FREE to relax…

The avast! BE FREE photo contest runs through Wednesday, May 29. Submit your photo soon, and invite your friends to vote for it. You could win one of eight Nexus mobile phones or tablets.

ENTER NOW!

Now, 1 1/2 years after release, we receive tons of feedback from users around the globe. Every day we hear of several customers who were able to recover their phone or their tablet by using our solution. Honestly, this makes us happy, more than you could imagine. We see that our tool actually makes sense and gives REAL value to our users. Which is the dream for every developer.

Of course, sometimes phones just got lost and were easily recovered. But sometimes we really hear nice recovery stories that could be described as almost or real adventures. As is the story of our user FridgeWheeL who managed to recover his device even from a foreign country. We decided that the story needs to be shared, so thanks for FridgeWheeL to give us a summary. Enjoy:

To the Avast Team

I believe to give credit where credit is due, and due to this belief I want to give a big thanks to the Avast team for their assistance in recovering my stolen mobile handset.

I live in South Africa & if your phone is stolen and you do not have insurance, the chance of seeing your phone ever again is very grim. Stolen phones here get exported or sold to foreigners since you are able to black list your phone to prevent any further use of the phone on our local networks.

With the above in mind & since I did not have insurance on my mobile phone due to high costs at the time when I bought my Samsung Galaxy S3 on a two year contract, I installed the free version of Avast Mobile Security and ran through the Anti-theft setup as a precaution should my phone get stolen.

On the 2nd of March 2013 I was at a Samsung Galaxy World Tour music festival where my phone was pick pocketed amongst the crowed. This was honestly a very bad experience for me since I did not have insurance and still have to pay a hefty monthly payment up until December 2014.

Having completely forgotten that I installed Avast Anti-Theft on my mobile, I tried finding my phone via the stock tracking applications and tools that came with my mobile but all of these were dependant on an active internet connection on my stolen mobile phone. These tools could not assist me in any way and I made peace with the fact that my phone was lost forever.

On the 1st of May 2013, my fiancé at the time (my wife now ) received an SMS that a SIM card change was detected on my phone and another SMS followed with a link on the approximate location based on the mobile network service of the new SIM card in my phone. With this information it clearly showed that my phone was in Lusaka Zambia. I then got a hold of the Police in Lusaka Zambia and explained to them the whole situation. Within 45 minutes after speaking to the Zambian Police, they located my phone and opened a case and followed procedures to ensure that the phone was indeed mine.

I provided all necessary information to the Police as well as the tracking SMS’s from Avast and the Police confirmed that the phone was indeed legally mine. They happily couriered my phone back to South Africa and my mobile is due for collection tomorrow from my local post office.

Special thanks to Avast & the professional service from the Lusaka Zambian Police.

- FridgeWheeL

FridgeWheeL, thanks for your message and your permission to publish it! Such news always encourage us to develop even more great stuff to get it our to our millions of users. Now, we hope you’ll never loose your phone again. But if it happens at least you know you’re protected .

The avast! Anti-Theft development team.

Hello Julia!

Micah with her prize from Avast!

Attached here is my picture with the Microsoft Surface tablet. I am very thankful of having such reward. But not only that, I am very thankful also of using Avast as my antivirus because it’s very fine and does excellent performance for my devices. I hope you guys will still make such events or contests like this Member gets Member game and keep on giving such awards for those Avast supporters and users.

Thank you so much and more power!

Micah L
One of the Microsoft Tablet Winner

We are glad to learn that you are enjoying your Microsoft Surface, Micah, and we’re happy to inform you that tomorrow a new opportunity to win will begin.

NEW PHOTO CONTEST

The #avastBeFree Photo Contest lets you express your creativity in photos. All you do is interpret our slogan avast! Be Free and enter your photo on our Facebook app, or through Twitter or Instagram using the hashtag #avastBeFree. We are giving away eight Nexus devices – mobile phones and tablets, plus 100 free license of avast! Internet Security. You could be a winner!

The #avastBeFree Photo Contest begins tomorrow, Wednesday, May 15. Learn more about the contest from our blog post.

Watch the video here

Your enthusiatic reponse told us that:

• You are playful
• You like to compete for nice prizes
• You love social media and avast 

Enter our new Photo Contest and Win!

We are happy to introduce a new photo contest. This time, however, we leave it up to your creativity. Your assigment is simple: Show us your creativity and visual interpretation of our slogan avast! Be free!

To make it even easier,  this time you can enter not only via Facebook, but also upload your best photo via Twitter and Instagram using the #avastBeFree hashtag.

FAQ: WHEN? HOW? WHAT?

WHEN?

• May 15 – 29: Submit photos and vote for your favorites
• By June 5: We annouce the winners!

CHOSE ONE SOCIAL NETWORK TO ENTER:

• Facebook
• Twitter: Just type #avastBeFree and upload your photo -> check your photo in the Facebook gallery 
  
• Instagram: Just type #avastBeFree and upload your photo -> check your photo in the Facebook gallery
• Go to Facebook app, vote and invite your friends to do so

HOW TO GAIN VOTES?

• Go to Facebook app, vote and invite your friends to do so

WHAT PRIZES CAN YOU WIN?

Since a picture is worth a thousand words, here is a short summary.

HOW TO WIN PRIZES?

The Top 150 voted photos will get to the finals. So make sure you get all your friends to vote for your photo. An AVAST jury will select their favorites from among the Top 150 , and award them First, Second, and Third prizes. The next 100 Honorable Mentions will receive a 1-year free license of avast! Premiere!