

Author Archive
August 30th, 2012

Blackhats adopt latest Java 0day

New vulnerabilities in Oracle’s Java Runtime Environment (JRE) have recently been discovered in the wild (the first vulnerability was originally reported by FireEye, the second described by Esteban Guillardoy). The vulnerabilities target the newest version of JRE (1.7), and even with the latest update (JRE 1.7 update 6) your machine is in danger and easily exploitable. According to Oracle’s patching cycle, a patch is nowhere in sight. Scary, and Java again! But it gets even worse.

The most successful exploit kit has quickly adopted these bugs, as Brian Krebs predicted earlier. So all the current Blackhole campaigns use these exploits in order to infect victims. In addition, the exploitation is confirmed to work with Internet Explorer, Firefox, Opera, Google Chrome and also Safari, on multiple platforms including Windows, Linux and Mac OS.

Do you really think this can’t get worse? Oracle has known about these (and other) vulnerabilities since April, according to Adam Gowdiak, the founder and CEO of the Polish security firm Security Explorations.


April 22nd, 2011

Another nasty trick in malicious PDF

A new method of producing malicious PDF files has been discovered by the avast! Virus Lab team. The new method is more than a specific, patchable vulnerability; it is a trick that enables the makers of malicious PDF files to slide them past almost all AV scanners.

Overall, the PDF specification allows many different filters (such as ASCII85Decode, RunLengthDecode, ASCIIHexDecode, FlateDecode, …) to be applied to raw data. In addition, there is no limit on the number of filters used for a single data entry. Anyone can create valid PDF files in which the data uses, for example, five different filters or five layers of the same filter. All of these features stem from extremely liberal specifications, which allows the bad guys to build malicious files in a way that denies antivirus scanners access to the real payload.

The new trick is based on just one filter, so it doesn’t sound exciting, does it? So what is the reason for this blog post?

The filter used to encrypt the text data is meant to be used only for black-and-white images. And apart from avast!, probably no other AV scanner is currently able to decode the payload, because no other AV can detect those PDF files.


February 18th, 2010

Ads poisoning – JS:Prontexi

Malware usually spreads through web infections placed on innocent, badly secured websites. The ad infiltration method is growing in popularity alongside website infections. Now we are facing probably the biggest ad poisoning ever made: all the major ad services are affected. This means that users might get infected just by reading their favorite newspaper or by doing a search on a well-known web indexer. No user interaction is needed in this attack; infection begins as soon as the poisoned ad is loaded by the browser, so it is not a type of social engineering. We named the source of this attack JS:Prontexi, JavaScript code which initiates the infection on the victim’s computer using various vulnerabilities, including the latest PDF exploits.

February 3rd, 2010

“ILOVEYOU” again! Or not?

JavaScript or HTML encryption/obfuscation “may” help to protect web designers’ work from having their know-how stolen. But this statement is very controversial: obfuscation or encryption is mainly found in malicious scripts. Such a technique may fool automatic antivirus scanners, but anyone can look under the obfuscation, because the decryption routine is usually distributed alongside the script itself. Today we released detection for a very strange script we found yesterday; its name is JS:LoverCrypt-A [Trj].

August 12th, 2009

Exploit Pack as the way to infect!

Various exploit packs are getting very popular these days. Using them is an easy way to infect thousands of computers around the world. Each exploit pack is composed of several exploits (mostly for current vulnerabilities). Sometimes it is a single file which contains all the exploits; more often, each exploit is delivered as a separate file. This technique seems to be more successful for the attacker, because antivirus software may detect only part of the exploit pack, and the rest of the pack, which is still undetected, can keep serving new malware to users. This article describes the structure and activities of one of the more complex exploit packs.

June 26th, 2009

avast! strip #1

First edition of a very irregular strip…

June 25th, 2009

Chameleon redirectors

Infections inserted into legitimate websites are often just an iframe or script tag; sometimes simple encryption functions are used, and sometimes very complex algorithms are used to hide the redirection process. But all these methods have the same objective: to redirect users to malware distribution websites hosting various exploit packs. There are also infections that try to imitate well-known and widely used services, mostly Google-related services, with Google Analytics being number one. It started with small changes in the URLs used by these services, for example “analytics” -> “analitics” and so on. In this article I will describe two new infections that imitate a well-known Google service in a more complex manner and at first glance seem to be legitimate.


June 18th, 2009

Google – new malware hosting

A new type of malware has been found today which uses the Google search engine database for hosting. Werner Klier (a virus researcher from GData) pointed us to one very puzzling Google search result. This result was detected as malware by avast! from the beginning. It is, however, a very interesting approach from the malware creators: using Google to host their malware. Here I’ll describe how this infection works (the virus researchers from GData, Ralf Benzmüller and Armin Büscher, reached the same conclusion).


June 3rd, 2009 summary

In the previous month the World Wide Web was subject to one of the heaviest attacks since it first came into existence. Thousands of legitimate websites were attacked by the Trojan horses JS:Redirector-H and JS:Redirector-J, the aim of which was to infect millions of unsuspecting users. avast! was the first antivirus program to detect the infection right at the start, and all users of avast! were protected throughout the duration of the attack. Now, more than a month after the attack was first detected, it is possible to assess it.

May 21st, 2009

Rogue malware ranking

Nowadays the internet is full of hacked websites that redirect browsing users to various malware distribution networks. Website hacking basically consists of adding an iframe, a script tag or some more sophisticated JavaScript to the clean code. These methods depend only on the reputation of the infected domains. Last week (2009-05-13) we released detection signatures for one interesting redirector; its name is JS:Redirector-I [Trj]. The source is a type of rogue malware which is commonly known to use social engineering to spread. Now we can talk about “search engine related” social engineering. The redirector itself doesn’t look particularly sophisticated; the simple code is hidden as shown in the next image:
