Author Archive
July 16th, 2012

Click for me, thanks!

Social sites are great for people who want to monetize their ideas. But sometimes these ideas are far more sinister.

Over the last few weeks, researchers at the Avast antivirus labs in Prague have noticed a new attack based on a combination of social sites, fake Flash Players and the promise of illicit videos of well-known Hollywood stars.

July 11th, 2012

Harvester: Beware of simple social engineering attacks

Sometimes simple scams and well-known brands are used to trick people into giving up login names and passwords. By making people aware of these scams, we can better protect against the hackers.

You don’t need any obfuscated scripts or blackhat SEO tricks. Sometimes it is as easy as creating a Google document and sending it to trusting users. Anyone can create a simple form without any checks, and it is served as a link to docs.google.com. This form is seeded on social sites and via emails. The hackers then wait for responses from any visitors.

July 9th, 2012

Scam phone call

Scams involving bogus telephone callers tricking users into divulging private information or parting with money for useless software are not new. However, to better protect the innocent, it is worth reminding people how the crooks are updating their tricks.

We received some emails from our users telling us that they spoke with some guy from ‘Microsoft’ who called to tell them that their computer was badly infected with malware and needed repairs. The ‘Microsoft’ guy convinces the victims to use the Ammyy remote administrator software to allow the ‘Microsoft guy’ to repair the computer. Ammyy remote admin is a legitimate, non-malicious program, but it is a really easy way for scammers to connect to the victims’ computers and convince them that they are helping.

The crooks then try to force victims to buy a support service. In the first call reported to us they offered a “cheaper” service for only $177.00 plus tax for lifetime support. In the second case, the price had gone up to €300 for 5 years of support.

The biggest problem with phone call scams is that the only protection is common sense. Antivirus can protect against malware from websites and downloads, but no software can offer protection when victims allow access to their computer and are tricked into paying for fake ‘support & service’.

October 31st, 2011

Following WordPress into a Blackhole

When we looked into the recent wave of WordPress site hacks, our investigation took two separate paths: uncovering the TimThumb vulnerability and the Black Hole Toolkit used to exploit it.

Now it is time to talk in more detail about what the Blackhole Toolkit is.

For starters, the Blackhole exploit kit is used to spread malicious software to users through hacked legitimate sites. It was most likely made by Russian developers; the big clue for this is that operators can switch between the Russian and English languages. The full version of this toolkit costs around $1500 on the black market. However, bargain hunters can find a stripped-down version for free online.

But much more important than acquiring Blackhole is finding out how to get rid of it, or more precisely, simply finding out whether you have been infected. So, how can a website owner recognize that his page has been infected and has been blocked by an antivirus program because it is being misused as a redirector to a site hosting the Blackhole exploit kit? And how do they compromise your site?

August 8th, 2011

Four browser nets and one phish

Not all browser nets can catch the same phish. One Friday evening, just before I wanted to go home, I received an interesting email.

It contained sentences like “We recently reviewed your account, and suspect that your PayPal account may have been accessed by an unauthorized third party” and words like “protected”, “security” and “unauthorized”. Of course, at the end of the email, there were directions to click on a “Paypal” link to update information like login name and password.


May 17th, 2011

Google-images poisoning stats

I think most of you have probably heard about Google-images poisoning, but what is it?

When a user performs a Google Image search, images from an attacker’s page can be shown at a certain position in the results page. The exploit happens when a user clicks on the image. Google displays an iframe to the legitimate site, so the browser sends a request to the page running the attacker’s script. This script checks the referrer and, if it is Google, starts new JavaScript that redirects the browser to another site serving a fake antivirus.

More thorough technical information about this attack can be found on the Unmask Parasites blog or the ISC site. In this blog, we only tried to focus on the data from the avast! Community IQ database to show how big this attack was, and to look at how many domains are still infected — with their admins either unknowing or not paying much attention to their websites.

November 3rd, 2010

Malware running on AutoRun

A normal part of using a computer is seeing the “Removable Device Inserted” announcement when plugging in a memory stick.

This is AutoRun, a really useful tool built into Microsoft operating systems. In addition to helping people pick the application for opening the new files, it is also a very common way of spreading malware. Did you know that AutoRun is the spreading mechanism for about two-thirds of current malware?
