Recently we identified a threat which uses Twitter and Facebook to spread. The infection begins when a user clicks a malicious tweet or Facebook post.
In the “real world” of monthly bills and rising expenses, a decision about antivirus protection often comes down to the best protection for the money – and that’s where avast! Free Antivirus wins out over the rest.
In the May 2013 Real-World Protection Test by AV-Comparatives, avast! Free Antivirus was up against 19 paid-for internet security suites which could cost the customer up to $60 per year. avast! Free Antivirus passed the tests with honors and was the only free solution to receive the Advanced+ rating!
The test created a real-world scenario using a typical setup that many of us have: Windows 7 and software such as Adobe Flash and Acrobat Reader, Java, etc. To show how well antivirus products protect the user’s computer when surfing the web, the testers pitted AVAST and the others against threats we encounter in everyday life. They used 431 current dangerous exploits, URLs with known malware, and even a few malicious files from email attachments. avast! Free Antivirus blocked 99.3% of the threats.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun, and contest information, please follow us on Facebook, Twitter, Google+, and now, Instagram.
This is a loose sequel to the Cutwail botnet analysis blogpost published on the malwaremustdie.blogspot.com. In this blogpost I will primarily focus on the downloaded PE executable itself (SHA256: 5F8FCC9C56BF959041B28E97BFB5DB9659B20A6E6076CFBA8CB2D591184C9164) and the network traffic that it generates. I will also reveal a hidden C&C server.
But first let’s quickly go through the things it does at the beginning:
- It registers an exception handler whose only action is to start the process again using CreateProcess().
- It performs a check whether it has admin privileges.
- It checks or creates a mutex named “xoxkycomvoly” (hardcoded identifier used on multiple occasions).
- It checks or creates a couple of registry entries under HKCU\Software\Microsoft\Windows\CurrentVersion.
- It checks whether the process image filename is “xoxkycomvoly.exe” (this is what triggers the first restart).
- It nests into the system by creating an autorun entry in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
- It copies itself to the user’s profile directory under the name “xoxkycomvoly.exe”.
Then, the first time an exception occurs, the sample is restarted from the copy in the user’s profile directory named “xoxkycomvoly.exe”.
After these initial steps, the sample starts communicating heavily over the network.
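As an added example (not code from the original post), the persistence steps listed above can be checked offline against a registry export: the script parses a constructed .reg dump of the HKCU Run key and flags any entry that launches xoxkycomvoly.exe from a user profile directory. The sample registry text is constructed for illustration, not real telemetry.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the analysis above.
IMAGE_NAME = "xoxkycomvoly.exe"
RUN_KEY_SUFFIX = r"\currentversion\run"

# Constructed .reg export (not real data): one benign entry, one matching the indicator.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"xoxkycomvoly"="C:\\Users\\alice\\xoxkycomvoly.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''


def parse_run_entries(reg_text):
    """Parse string values from a minimal .reg export into (key, name, command) tuples."""
    entries, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = re.match(r'^\[(.+)\]$', line)
        if key_match:
            current_key = key_match.group(1)
            continue
        val_match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if val_match and current_key:
            # .reg escapes backslashes and quotes; undo that to get the real command.
            command = val_match.group(2).replace('\\\\', '\\').replace('\\"', '"')
            entries.append((current_key, val_match.group(1), command))
    return entries


def command_image(command):
    """Return the executable path of a Run command, dropping any arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(' ')[0]


def find_suspicious_run_entries(entries):
    """Flag Run entries that start xoxkycomvoly.exe from a user profile directory."""
    hits = []
    for key, name, command in entries:
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        image = command_image(command)
        parts = [p.lower() for p in PureWindowsPath(image).parts]
        if PureWindowsPath(image).name.lower() == IMAGE_NAME and "users" in parts:
            hits.append((name, image))
    return hits
```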
The title of this blog post may make you think that we will discuss the security of your Facebook account. Not this time. However, I will analyze an attack which starts with a suspicious email sent to the victim’s email account.
The incoming email has the following subject: ‘Hey <name> your Facebook account has been closed!‘ or ‘Hi <name> your Facebook account is blocked!‘. The email has a ZIP file attachment named <name>.zip, which contains a downloader file named <name>.exe, where <name> stands for a random user name. After a user downloads and executes the executable file, they are presented with the message “Your Facebook connection is now secured! Thank you for your support!” It tries to convince you that there was a problem with your Facebook account, which was then successfully solved by running the application from the email attachment.
Let’s look inside the executable file!
If you had the privilege to meet Android:Obad, which Kaspersky earlier reported to be the “most sophisticated android malware,” you are in a really bad situation and this will probably be the moment you’ll refer to in the future as “The time I learned the hard way what better-safe-than-sorry means.” A few days ago we identified a new variant of that threat. There is a chance you bumped into this bad guy before we started detecting it, because if our generic detections don’t catch the malware there is always a short delay before it gets to us. In most cases, it isn’t a problem to get rid of a malicious app – you just uninstall it after you find it. This time, that won’t work.
The problem we are facing here is called “Device administrator.” After you launch an app infected with Android:Obad, you will be asked to make the app the current device administrator, which is only a few buttons away, so it isn’t hard to do. After you do so, there is no way back, because this piece of malware uses a previously unknown vulnerability which allows it to get deeper into the system and hide itself from the device administrator list – the only place you can manage device administrators. You also won’t be able to uninstall the app via Settings, because all the buttons will be grayed out and will not function.
Lucky for you, avast! Mobile Security will save you from doing a factory reset and losing your data, which certainly is one of the solutions. But don’t worry, you are safe with us. Read more…
by Thomas Salomon, head of AVAST Software’s German Software Development team
In a previous blog post we wrote about the statistics from avast! Browser Cleanup. These statistics have become even worse:
- More than 1,000,000 (one million!) browser add-ons are available for the three main browsers
- More than 82% of all add-ons have a bad or very bad rating from our user community
- Two thirds of all add-ons in our database are from only three companies
- We see around 30,000 new add-ons per day of which 90% have a bad or very bad rating
As we can easily see, the numbers are still rising. It’s now time to share some more details about the bad add-ons we’ve noticed so far. Read more…
More than 58 million American adults had at least one malware infection that affected their home PC’s performance last year. The cost of repairing the damage from those infections was nearly $4 billion. These findings are from the latest Consumer Reports’ Annual State of the Net Report published in the June issue of their respected magazine. The magazine is trusted by millions of US consumers to give honest appraisals of products.
“Our Annual State of the Net Report revealed that home computers are no safer than they were last year. Effective security software, like the ones we recommend in our latest Ratings, is essential to protect against online threats,” said Jeff Fox, Technology Editor, Consumer Reports.
Consumer Reports’ latest Ratings of Security Software revealed that some free products are sufficient for most users, offering very good protection from online threats. The full report is in the June 2013 issue of Consumer Reports and online at ConsumerReports.org. This press release gives you the highlights.
Question of the week: I have avast! Free Antivirus on my computer and I love it, but isn’t antivirus for a smartphone overkill? I mean, there are not so many threats to a phone, are there?
This is a question being asked of lots of security firms lately, and the answer is a resounding YES. As smartphones and tablets become increasingly popular, so do threats that target mobile devices exclusively. Two studies published recently have pointed to an increase in mobile malware over the past year.
Android is in the bull’s eye
Make sure you friend Avast on Facebook so you won’t miss our original comic strip, MALWARE ATTACKS!! Here’s a quick catch-up in case you missed the first installment:
We meet unfortunate aliens fleeing their embattled home world in search of help against the evil Malware Empire. The fate of their planet rests on their success.
Alien visitors come to Earth seeking help from Avast against the evil Malware Empire.
The desperate aliens visit Avast headquarters to ask for help to defeat the evil Malware Empire. Just like 177 million Earthlings who use Avast to protect themselves, the aliens find what they are looking for.
Armed with avast! Free Antivirus 8, the aliens race back to their home planet. Victory against the evil Malware Empire is assured.
Thanks to avast! Free Antivirus 8, the galaxy is once again protected against Malware. Our heroes are awarded with the medal for bravery, and avast! 8 takes its place of honor in history.
Protect your world with avast! 8. From avast! Free Antivirus to our newest top-tier suite, Avast Premier 8, it can all be found on http://www.avast.com
Recently we encountered a very suspicious piece of code on some Joomla-powered webpages. The code looks garbled and meaningless at first sight, and starts like this: