Michal Trs

1 March 2010

Get avast! Free Antivirus or a „free“ upgrade with the Alureon rootkit


avast! Free Antivirus can be downloaded for free from our servers or from other download servers such as download.com, 01.fr and others. But why limit yourself to avast! Free Antivirus if there are other products available with additional functionality that can be downloaded for free?

At least, that is what some people are thinking.

Last week when I was checking files submitted as false positive alerts, I was looking to verify accurate, 100% detections. There were a few files named AIS (Avast Internet suite) from megaupload and uploading.com servers. Bad guys take our product, add an Alureon rootkit file (typically under the name codec.exe) and make a new setup file with the Nullsoft installer.

avast! detected this and put the infected files in the Virus Chest.

But, the story is not over. Some thieves are so cheeky, they reported this to us as a false positive. They should really be sending us a thank you note.

One piece of advice to thieves: be careful with what you are stealing. An active rootkit on your system is a hard task for any newly installed antivirus solution.

::29CECD094DBB93CBE4D08D03F2170C2EE0A34FBBA43D63D8791D65BA7C798E40:
  Detected by 10021700
  fp_desc.000=NAM: avast VER:5.0 PUB:alwil software all right.
  oripath.0000=http://fs74.uploading.com/get_file/...\avast! - pack\avast! Internet Security\setup_ais.exe\nsis.hdr
* Scan name: aswcmd.exe
* Started on: 1. březen 2010 12:39:52
* VPS: 100301-0, 01.03.2010
*
D:\False\work\29CECD09.dat.out\$EXEDIR\codec.exe [L] Win32:Alureon-FN [Rtk] (0)
D:\False\work\29CECD09.dat.out\$EXEDIR\setup_ais.exe [+] is OK
D:\False\work\29CECD09.dat.out\nsis.hdr [L] NSIS:Fasec-CB [Trj] (0)
Infected files: 2
Total files: 3
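The aswcmd.exe output above is easy to read by eye, but a lab triaging many such submissions wants it parsed. The following is an added example, not avast code: it turns the scan output into records, marks files that were unpacked out of the NSIS installer ($EXEDIR), and cross-checks the records against the scanner's own summary counts. It assumes that "[L]" introduces a detection and "[+] is OK" means clean (both forms taken from the sample), and that the Rtk / Trj tags mean rootkit / trojan.

```python
import re
from dataclasses import dataclass

# Constructed sample: the aswcmd.exe output quoted in the post (header trimmed).
SAMPLE_LOG = r"""* Scan name: aswcmd.exe
D:\False\work\29CECD09.dat.out\$EXEDIR\codec.exe [L] Win32:Alureon-FN [Rtk] (0)
D:\False\work\29CECD09.dat.out\$EXEDIR\setup_ais.exe [+] is OK
D:\False\work\29CECD09.dat.out\nsis.hdr [L] NSIS:Fasec-CB [Trj] (0)
Infected files: 2
Total files: 3
"""

@dataclass
class Verdict:
    path: str
    infected: bool
    detection: str = ""   # e.g. "Win32:Alureon-FN"
    category: str = ""    # "Rtk" / "Trj"; reading these as rootkit / trojan is an assumption
    nested: bool = False  # file was unpacked out of the NSIS installer ($EXEDIR)

# "[L]" = a detection follows, "[+] is OK" = clean; both forms are taken from the sample above.
FILE_RE = re.compile(r"^(?P<path>.+?) \[(?P<flag>[L+])\] (?P<rest>.*)$")
DET_RE = re.compile(r"^(?P<name>\S+) \[(?P<cat>\w+)\] \(\d+\)$")
SUM_RE = re.compile(r"^(Infected files|Total files): (\d+)$")

def parse_scan_log(text: str) -> list[Verdict]:
    verdicts, counts = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue                      # scanner header lines
        if s := SUM_RE.match(line):
            counts[s.group(1)] = int(s.group(2))
            continue
        m = FILE_RE.match(line)
        if not m: raise ValueError(f"unrecognised line: {line}")
        path, nested = m.group("path"), "\\$EXEDIR\\" in m.group("path")
        if m.group("flag") == "+":
            verdicts.append(Verdict(path, False, nested=nested))
            continue
        d = DET_RE.match(m.group("rest"))
        if not d: raise ValueError(f"unrecognised detection: {line}")
        verdicts.append(Verdict(path, True, d.group("name"), d.group("cat"), nested))
    # Cross-check parsed records against the scanner's own summary, so a truncated log is caught.
    infected = sum(v.infected for v in verdicts)
    if (counts.get("Infected files", infected), counts.get("Total files", len(verdicts))) != (infected, len(verdicts)):
        raise ValueError("summary counts do not match parsed records")
    return verdicts
```

Files with the Rtk category inside $EXEDIR are exactly the smuggled codec.exe described in the post, while the original setup_ais.exe next to it stays clean.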
