Again and again and again… That’s what comes to my mind every time I see a new variant of the Kavo family and, most recently, of the Hilot family too. These malware samples are machine-generated, and their authors can produce a “completely new” set of samples from a simple change to the generator itself. What’s the problem here? These changes are not random, as we thought earlier; they are precisely targeted at the most popular AV engines.
I’m really impressed by how well our user community works! A new web-based attack was discovered today, and our users promptly made a detailed analysis and helped to clarify what’s going on there. What am I talking about? And where’s the relation to the question in the title? It is pretty simple :-).
One of our users sent us a sample of rogue AV for analysis. He didn’t attach any further information, and the binary was heavily obfuscated, so I decided to give it a shot inside a virtual machine. A virtual image of a clean (freshly installed) Windows XP was used to run it, and this screen appeared:
Hello again, I’m going to tell you a story about an emulator that became 5x faster in a single day. In the beginning there was a disassembler and a virtual execution environment. The disassembler liked the environment so much that they got together one day, and the framework for our emulator was born. It grew day by day, line by line, up to 20k+ lines of code, and that is where the “problem” begins.
Yesterday, when I was about to get something to eat, my attempt to check a menu online ended with a warning about HTML:Iframe-LZ. Well, that’s quite spicy content for an ordinary daily menu. So, let’s look at what’s under the hood.
The last few years can be called a “social networking era”. Just remember the rises (and falls) of myspace.com, LinkedIn, etc. These networks are now completely overshadowed by Facebook and Twitter. Even though MySpace and similar networks are not that widespread today, they were there at the beginning of it all. It is becoming more and more usual to identify one’s real self with a social network profile. That’s not too dangerous in itself, but there’s a big problem: people completely lose their sense of privacy on the internet. This is not an attack on social networks, only a thought about the dangerous habits that appear with the social networking phenomenon. The risk is not the existence of social networks; the risk is how people behave there.
Hello in 2010. I would like to wish you all the best this year, and I hope that our upcoming v5 will be your good fella starting this January. Let me pick up where the previous article, “Buggy file infectors”, left off: as the release date for v5 gets closer and closer, I think it would be good to tell you what to expect regarding the cleaning of file infectors. Version 4.x was sometimes criticised for its limited ability to disinfect the most recent file infector families (more on this later in this text). Good news for you: v5 will perform better.
Hello again. This time I would like to present the story of one successful malware family. Why successful? Because it established a new way of spreading some time ago, and mainly because it has always scored very well in our statistics of malware detected in the wild. And what’s Kavo? It’s a name derived from the filenames of some binaries used by the malware family (kavo0.dll, kavo1.dll, etc.). The family is known under different names such as Oliga, Kavos, Kamso, OnLineGames, Taterf, etc.
VB2009 took place at the Crowne Plaza Geneva, Switzerland (September 23 – 25). VB conferences always offer an opportunity to meet people from the IT security sphere and share knowledge. Some interesting news was already mentioned on our forums. This post is not intended to discuss technical topics; it should rather show you the beauty of Geneva and the Swiss Alps and let you see the ambience of some special VB events (cabaret, etc.). The galleries are located here:
Other galleries (or some slight changes) may follow in the near future.
The question sounds promising, right? You’ll finally understand everything that avast! does while it’s running on your machine. However, this article is intended to discuss the topic from the other side: what avast! is absolutely not doing on your PC. The inspiration to write this article came from a short discussion with Vince. This article should continue the aim of his posts in making things clearer. I’m not used to writing such posts, as I’m rather technically oriented, so if you have any questions, feel free to use the comments and ask me. So, let’s consider the main points.