Author Archive
February 8th, 2013

Malware on LA Times

Yesterday evening (Prague time) I spotted a curious question on Twitter from journalist Brian Krebs asking about possible malware on one of the LA Times websites. It made me wonder, because having such a detection would definitely provoke a few of our users to claim a false positive in avast! Read more…

Categories: Virus Lab
January 31st, 2013

Is your home updated?

The digitalization of our homes continues to grow, and with it the number of vulnerabilities your household devices can suffer from. We’re surrounded by many specialized minicomputers (which we usually fail to consider computers) that are subject to the same problems as desktops or laptops. But, because of a psychological barrier, we’re unable to see them this way. Almost nobody thinks of their big TV as a computer, and the same is true of phones, but there are many smaller, almost invisible devices like intelligent disk arrays (NAS) or routers, which are nothing else but ‘computers without the keyboards’. It has been shown in the past that such devices can be hacked, exploited or misused: there are exploits for printers, desk phones and Samsung TVs, and all of these devices contain bugs which, when exploited by the bad guys, could run executable code that suits the bad guys’ needs.

Read more…

Categories: Uncategorized
January 22nd, 2013

‘Reporters Without Borders’ website misused in watering hole attack

As I mentioned on Twitter, it seems that the entity or entities behind the watering hole attacks don’t care about being caught or detected, and it also seems that they don’t care whether the Internet Explorer and Java vulnerabilities are patched. They act as opportunists and try to take advantage of the time frame between the patch release and the patch application by some users, companies and non-governmental organizations.
Last week Eric Romang and I reported on watering hole attacks against multiple high-value web sites, including, as an example, major Hong Kong political parties. These websites served exploits for the latest Internet Explorer (CVE-2012-4792) vulnerability, patched in MS13-008, but also for the latest Java (CVE-2013-0422) vulnerability, patched in Oracle Java 7 Update 11.
It seems that one week later, Reporters Without Borders (Wikipedia link), a French-based international non-governmental organization that advocates freedom of the press and freedom of information, is the new web site used for the watering hole campaign. Such an organization is an ideal target for a watering hole campaign, as right now the miscreants seem to concentrate only on human rights/political sites: many Tibetan, some Uyghur, and some political parties in Hong Kong and Taiwan are the latest hits in this operation. In our opinion the finger could safely be pointed at China (again). Read more…
Categories: analyses, Virus Lab
January 15th, 2013

Watering hole attacks continue (with a twist)

Through a collaboration with Eric Romang (@eromang), an independent security researcher, we can confirm that the watering hole campaigns are still ongoing and are hitting multiple targets, including, as an example, a major Hong Kong political party website.

This website is actually using the new version of the original Internet Explorer (CVE-2012-4792) vulnerability attack, but it is now also using the latest Java (CVE-2013-0422) vulnerability.

The Chinese-language version of the web site does a remote JavaScript inclusion from “http://www.[REDACTED].org/board/data/m/m.js”.

That domain is a legitimate but compromised website, hosted in South Korea, which is used for hosting the exploit files.

Read more…

Categories: analyses, Virus Lab
September 21st, 2012

MSIE 0day – continued (with a bit of Flash as well)

While we were researching the websites currently serving the new Microsoft Internet Explorer (IE) zero-day threat, we found that the new attack is being piggybacked on a slightly older attack aimed at industrial companies’ websites.

The hacked legitimate websites contain a hidden iframe on their main pages.

Read more…

September 19th, 2012

New Microsoft IE Zero-day attack

It was brought to our attention by this thorough article by Eric Romang that a new zero-day exploit (an exploit actively used by cybercriminals in the wild) targets a bug in Microsoft’s Internet Explorer (IE) 7 and 8, and, with some help from Java, it could also be exploited on IE 9, as confirmed by Metasploit. As there is no patch from Microsoft yet, what can you do?

Read more…

July 6th, 2012

How not to lose your internet access on July 9th 2012

A few years back a group of bad guys from Estonia had a neat idea about how to get between you and the sites you want to visit on the internet. They created malware which AV companies named DNSChanger. Its main purpose was to change the DNS servers your computer uses for name-to-IP-address translation to servers operated by the criminals. This way they could intercept your traffic and eventually monetize it. The gang was later arrested and the servers were confiscated by the FBI. And there lies the problem: the FBI was ordered by the court to turn off these servers on Monday, July 9th 2012. There are still about 300 000 computers around which are using the wrong DNS servers, so although the probability that you’re one of them is quite low, it’s better to be safe than sorry and check whether it concerns you.

Read more…

Categories: General, Technology, Virus Lab
June 7th, 2012

LinkedIn and eHarmony passwords databases leaked

Yesterday, password databases from two popular websites were leaked on an underground forum popular with computer hackers. 6.5 million passwords from LinkedIn and a further 1.5 million passwords from the internet dating site eHarmony were divulged following attacks on these sites.

LinkedIn has already acknowledged the leak and has said it is changing the algorithm for storing sensitive data and will email users instructions on how to reset their passwords.

eHarmony has also admitted a hack and has said its members will receive an email with instructions on how to reset their passwords. Read more…

Categories: General, Technology
May 13th, 2011

Why we love specifications (not)!

A few days ago we blogged about another trick in PDF parsing. We got a comment there from a person recommending that we read the specifications, which we (as AV guys, not PDF-reader-writing guys) usually don’t do to the full extent, because most of the specifications we’ve seen have been misleading at best. Read more…

Categories: analyses, Virus Lab
February 10th, 2010

Is George Clooney getting an Oscar this year?

Honestly, I don’t know, but according to my tastes he shouldn’t get it for his latest movie; it was a bit boring. I was commenting on it to a colleague, and because it’s late at night here I wasn’t able to remember the movie’s name; I just remembered that George Clooney was nominated for the leading actor Oscar for this movie. So I simply put “clooney oscar” in my Firefox address bar, which is the simplest way to get the Google search results. But I wasn’t exactly “Feeling lucky” about the result I got. Read more…

Categories: analyses, Virus Lab