AVAST typically has a lot of great news to report and we’re looking for a full-time native speaker of English — with a background in IT journalism (this is important!) — to join our team in Prague.
For more information, please visit our job description for PR News Writer – English native speaker.
Please note that questions about the position will NOT be answered here. Thanks.
Hello Avast fans!
It is my pleasure to officially announce the new Avast bug bounty program. As a security company, we very much realize that security bugs in software are reality. But we also realize that companies that are able to use their user communities to find and fix bugs are generally more successful than those that don’t. Therefore, we have decided to reward individuals who help us find and fix security-related bugs in our own software. This makes us probably the first security vendor with a reward program like this: I think it’s mainly because the other companies generally take the position that ‘Hey, we’re a security company. So we know security and it can’t happen to us.’ But in reality, that’s not what’s happening. Just look at bugtraq or the CVE databases and you will find that security software is no more immune to these issues than any other programs. A bit of irony, given that people generally install security software to fight security issues in the first place, isn’t it?
We at Avast take this very seriously. We know that being a market leader (Avast has more users than any other AV company in the world), we’re a very attractive target for the attackers. So, here’s our call to action: let’s unite and find and fix those bugs before the bad guys do!
Here’s how it works:
- The bounty program is designed for security-related bugs only. Sorry, we’re not paying for other types of issues like bugs in the UI, localization etc. (nevertheless, if you find such a bug, we will of course very much appreciate if you report it).
- This program is currently intended only for our product, i.e. not the website etc.
- We’re generally only interested in these types of bugs (in the order of importance):
  - Remote code execution. These are the most critical bugs.
  - Local privilege escalation. That is, using Avast to e.g. gain admin rights from a non-admin account.
  - Denial-of-service (DoS). In case of Avast, that would typically be BSODs or crashes of the AvastSvc.exe process.
  - Escapes from the avast! Sandbox (via bugs in our code).
  - Certain scanner bypasses. These include straightforward, clear bypasses (i.e. scenarios that lead to direct infection, with no additional user input), as opposed to things like deficiencies in the unpacking engine etc. In other words, we’re interested only in cases that cannot be mitigated by adding a new virus definition (please don’t report undetected malware).
  - Other bugs with serious security implications (will be considered on a case-by-case basis).
- The base payment is $200 per bug. Depending on the criticality of the bug (as well as its neatness) the bounty will go much higher (each bug will be judged independently by a panel of experts). Remote code execution bugs will pay at least $3,000 – $5,000 or more.
- We might change these ranges based on the number and quality of incoming reports. Generally, the fewer reports we get, the higher the bounty will go.
- We will only pay for bugs in Avast itself. For example, if you find a bug in a Microsoft library (even if it’s used by Avast), please report it to Microsoft instead (it would be great if you could also notify us, but unfortunately, we cannot offer any reward in such cases).
- The program is currently limited to consumer Windows versions of Avast (i.e.: Avast Free Antivirus, Avast Pro Antivirus, and Avast Internet Security). Only bugs in the latest shipping versions of these products will be considered.
- Payment will be done preferably by PayPal. If you can’t accept PayPal (e.g. because it doesn’t work in your country), please get in touch with us and we will try to figure out something else.
- Because of certain legal restrictions, we cannot accept submissions from the following countries: Iran, Syria, Cuba, North Korea and Sudan.
- It is the researcher’s own responsibility to pay any taxes and other applicable fees in their country of residence.
- In order to be eligible for the bounty, the bug must be original and previously unreported.
- If two or more researchers happen to find the same bug, the bounty will be paid only to the one whose submission came in first.
- You must not publicly disclose the bug until after an updated version of Avast that fixes the bug is released. Otherwise, the bounty will not be paid.
- The bounty will be paid only after we fix the issue (or, in specific cases, decide to not fix it).
- Some bugs may take longer to correct. We will do our best to fix any critical bugs in a timely fashion. We appreciate your patience.
- Employees of AVAST and their close relatives (parents, siblings, children, or spouse) and AVAST business partners, agencies, distributors, and their employees are excluded from this program.
- We reserve the right to change the rules of the program or to cancel it at any time.
How to report a bug and qualify for the bounty:
- Please submit the bug to a special email address firstname.lastname@example.org
- If you’d like to encrypt your email (recommended), please use this PGP key.
- A good bug report needs to contain sufficient information to reliably reproduce the bug on our side. Please include all information that may be relevant – your exact environment, detailed bug description, sample code (if applicable) etc. It also needs to contain a decent analysis – this is a program designed for security researchers and software developers and we expect certain quality level.
- You will receive a response from an Avast team member acknowledging receipt of your email, typically within 24 hrs. If you do not receive a response, please do not assume we’re ignoring you – we will do our best to follow up with you asap. Also, in such a case it is possible your email didn’t make it through a spam filter.
Finally, I’d like to say thanks to everyone who helps to find and fix bugs in our products. Hopefully, this new reward program will take this initiative to a whole new level.
P.S. The bug bounty rules are also available on our main website here.
We are excited to share news with you. Our two-person social media team now offers professional support. Since December 2012, Peter Bucek has been helping us respond to your technical and customer care inquiries in English, Spanish, and of course, Czech. We are pleased to welcome Peter on board and introduce him to YOU.
I have known Peter since I started 5 years ago with AVAST Software. When I joined the company in 2008, we worked together in the support team. Peter is a very friendly, kind and cheerful person, always willing to help not only the customers but also other colleagues. Despite the rather routine job, he kept his creative and innovative attitude towards everyday tasks. He came up with the idea of creating video manuals. Now, thanks to Peter, we can easily check: How to download, install and customize avast! Antivirus. He is a proud father of two lovely kids: a boy, Jonáš, and a girl, Emma.
So let’s hear the voice of Peter.
Peter has worked in AVAST Software since November 2006. Peter, how, in your opinion, has the company changed during this time and how is our support team changing?
A few months ago, Google announced a new feature in Android. Version 4.2 Jelly Bean has an integrated real-time app scan which should be able to check if applications you install are clean or malicious. But is this enough? Sleazy Android app developers continue to sneak their fake apps by the Google Play gatekeepers. These guys rip off popular apps in an attempt to fool unsuspecting users.
“In the start of this week, Google released a few applications from a developer called GILBERT8332 which pretend they are legitimate applications. Between these applications you can find quite common games such as The Sims 3, Asphalt 6, Ninjago Lego and so on. And compared to original developers they are free,” said Filip Chytrý, a researcher from Avast Virus Lab.
The common result of downloading a bogus app is that personal information like your email address and mobile phone number are stolen and you are served an unending stream of spam and unwelcome offers.
Chytrý warns, “When you download them and install them on your Android device you will be surprised. All of them are malware. They all start quite innocently with a license agreement of AirPush advert. (AirPush is an advert system which allows showing advertisements in the notification bar of your Android device.)”
“And then the funny parts come up. The Game will ask you if you want to change your main page in browser and put a search icon on desktop. Even if you decline, it’s too late. Your browser is already changed for another search page and your device is filled with uncomfortable adverts and as a bonus, the device will send personal information to a third party,” said Chytrý.
Block fake apps
avast! Free Mobile Security blocks fake apps and our new signature targeting protects you against malware distributed with them. Our popular anti-virus/anti-theft app for Android stops downloads of fake apps and games, so you won’t be duped.
“All of these apps use multiple advert services, steal your personal data and they even are hidden under different creators. But don’t worry. Avast detects all of the mentioned applications as Android:FakeInst-DL, and urls of fake searchers are blocked also,” said Chytrý.
Get avast! Free Mobile Security for your Android device from Google Play. Please add a review and share with your friends if you like it!
Today, I received an email from one of my coworkers (yes, even careful employees of security vendors are in danger:) ). This email has more recipients and contains only one link, without any text or subject.
Fortunately, I am a really paranoid person about emails containing only a link to an unknown site. At this link, you can notice two really suspicious things: The directory is images and there’s a file called yahoo12.php. That should warn users to avoid clicking on this link.
It is a credit to the quality of our Facebook and Twitter fans that so many take the time to write us with appreciation and praise. It is extremely meaningful for us to receive your feedback, positive or negative, but we are especially motivated and thrilled to learn when we are satisfying our customers. Here are some examples of messages we have received lately on social media. Thanks to all who have written to us.
Do you use your mobile device to check email, use social networks or log in to your bank account while sipping a double mocha latte at your favorite coffee shop or while waiting for your next flight? That’s risky considering you cannot count on public Wi-Fi hotspots that you find in cafes, coffee shops, airports, schools, and hotels to be secure. Remote cybercrooks, and even the guy sitting a couple of tables from you sipping coffee, can use software to eavesdrop and snoop, which could result in stolen credit card information and passwords or full-blown identity theft.
With new avast! SecureLine for iOS you can secure your wireless internet connection when using your iPad, iPhone, or iPod on a Public/Open Wi-Fi network. Here’s how it works:
VPN stands for Virtual Private Network. avast! SecureLine VPN creates a private ‘tunnel’ through the internet for your data to travel through, and everything inbound and outbound through the tunnel is encrypted. Data is decoded at the VPN server, using advanced encryption protocols. Handy features also detect and filter malicious URLs, block ads in the browser and apps, or can compress your transferred data which saves your mobile data plan and enables access to US-only content.
A serious new vulnerability notice about Java exploits has been issued by the Department of Homeland Security’s Cybersecurity Division. Java 7 Update 10 and earlier contain a vulnerability that can allow a remote attacker to execute malware on vulnerable systems.
A French researcher called Kafeine discovered that a number of websites using the exploit are able to download files directly to the victim’s computer, and execute actions such as installing ransomware. “Hundreds of thousands of hits daily where i found it,” he wrote on his blog. “This could be a mayhem.”
Disable Java in web browsers
Some webpages may include content or apps that use the Java plug-in. There is no fix for this yet, so it is recommended that you protect yourself by disabling Java in your particular browser. Please see our previous blog How do I disable Java in my browser for instructions.
For a higher level of security, it is possible to entirely prevent any Java apps from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab. Disabling Java through the Java Control Panel will disable Java in all browsers.
Security experts agree that enterprise security is growing more complex this year with the continued development and growth of big data, mobile usage, BYOD (bring-your-own-device), and cloud computing. The impact that malware had across the financial and business sectors in 2012 even has IT pros rethinking traditional models of security.
Jonathan Penn, Avast Software’s Director of Strategy, looks at some of the security trends that will put pressure on IT professionals in 2013.
Mobile as an attack vector
As business use of smartphones and tablets increases, attackers will target your employees’ mobile devices; not to compromise the device itself, but to gain entry into your corporate IT environment for purposes of data theft.
Big Data = Big Target
Many “big data” analytic efforts are maturing, and with that they are starting to migrate to the cloud and are being opened up to use by 3rd party partners. All this means more opportunity for inappropriate access and compromise of treasure troves of data.
Growth in security outsourcing
Use of managed security services (MSS) is an ever-expanding trend, but is being further propelled by corporate BYOD challenges and by advances in security analytics that bolster the case for having MSSPs monitor your IT environment for signs of attack.
Shift in endpoint security perspectives
IT security professionals look at iPhones and iPads and wish that their corporate systems could be as trustworthy. While there are many reasons why you can’t draw an equivalence between Windows and iOS, we will start to see organizations try to bridge this gap by shifting to a more “default-deny” attitude. In 2013, we will see notable strides in enterprise use of application whitelisting, virtualization and sandboxing, and other techniques that either assume programs are malicious unless proven otherwise or simply isolate them as a just-in-case measure.
As a malware analyst, I sometimes have to deal with files that cannot be classified as a computer virus or malware, but whose behavior when executed by the user is still considered unwanted or suspicious. In this blog post, we will look at an adware downloader. It comes in two different versions: one tiny, only about 17KB and written in .NET, and the other bigger, using the getrighttogo downloader builder. On the user’s computer, the downloader was found in the following directory:
C:\Documents and Settings\Administrador\Meus documentos\Downloads\filme(1).exe
The user’s computer was infected via one of many sites similar to the following ones: websites offering movie downloads. After clicking on the download links, .exe files were offered for download.
Figure 1 – Example of site the downloader was originally downloaded from