

Author Archive
April 20th, 2015

Why some people would rather be right than believe a malware warning


This innocent-looking USB drive could lead to infection – but only if you second-guess Avast warnings!

Would you rather trust the virus experts or your instincts?

Every day 140,000 people connect their USB flash drive or mobile phone to a computer, and get a warning from Avast about an infection called LNK:Jenxcus.

Which kind of person are you?

Many of them act on that information from their trusted Avast Antivirus security software: they scan their USB device for malware and wipe the infection away. Crisis over.

But there is another group of people who keep this infection alive and active, because they refuse to believe it is a real or dangerous threat. In other words, because something has always been one way, they assume it can’t change, and therefore Avast must be wrong.

As a result, they decide to turn off their antivirus shield and by doing so, they create an obstacle-free way for malware to enslave their computer and steal data or valuable computing time.

A perfectly good reason. Or is it?

One of the most frequent reasons people give for disabling shields and allowing malware to spread on their computer is

“I use this file all the time and it is safe.”

Another variation is,

“I created this file, it’s only a picture.”

Do you find this situation familiar? Are you guilty of overriding the security software you installed to protect yourself?

If your answer is yes, then test your virus detection knowledge with the image below. There are two screenshots of a directory from a USB stick; one is infected and the other is clean. Can you tell the difference?


It’s difficult to tell, isn’t it?

The one on the left is infected. The most visible differences are in the icons, but there is another clue in the file types. Some files and directories on the left side changed their type into a shortcut. This happened because a malicious script installed itself onto the USB drive and replaced legitimate files with links. If the owner of the USB drive opens the directory Firm Accounting, for example, he executes malware that in the end opens the real Firm Accounting directory, so it looks like everything is normal. But it is not, because in the background all the computer’s drives are getting infected over and over again.

Avast detects LNK:Jenxcus and warns you.

The trick is, you have to heed the warning.

Source of infection

Apart from other infected drives, this malware is downloaded onto your computer from hacked websites. The screenshot below shows an example of a hacked website waiting for random users with a vulnerable internet browser. Can you tell the difference this time?


If you answered no, you are absolutely right, because for the normal user there is no visible change. That is probably the reason for another frequent excuse before disabling the shields,

“I visit this page every day. It doesn’t have malware.”

That’s just not good enough, because the fact that the page is clean most of the time does not mean it is not vulnerable to attacks. In fact most small and medium-sized business (SMB) pages have some exploitable vulnerability, and when they get targeted by exploit kit authors, your best chance to stay safe is updated applications and active antivirus. With the shields ON!


If you are comfortable with computers, then you may want to clean this infection manually. Start with your computer and look for shortcuts (.lnk) and Visual Basic script (.vbs, .vba, .vbe) or batch (.bat) files. The shortcuts usually point to these hidden script files, so they are not hard to find. If you wonder where the original files are, you can find that information in the shortcuts too. In most cases they were not moved, just marked as hidden, so they are not visible on computers with the standard configuration. When you are sure all hard drives are clean, it is time to go through all your removable drives with the same procedure.
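As an added illustration (not Avast's own tool and not code from the original post), a Python script that automates the hunt just described: it walks a drive, reads every .lnk in both string encodings the shortcut format uses, and flags shortcuts that reference a script file or sit beside a file or folder of the same name. The sample drive it builds, the name update.vbs and the shortcut bytes are all constructed for the demo.

```python
import os, re, tempfile

# The script types the post says to hunt for; a Jenxcus-style shortcut launches one of them.
SCRIPT_RE = re.compile(r"[ -~]{1,200}?\.(?:vbs|vba|vbe|bat)\b", re.IGNORECASE)

def script_targets(lnk_path):
    """Script paths referenced inside a .lnk. Shell Link files store strings as ANSI or
    UTF-16LE, so the bytes are read both ways (and at both UTF-16 alignments)."""
    with open(lnk_path, "rb") as f:
        data = f.read()
    views = (data.decode("latin-1"), data.decode("utf-16-le", "ignore"),
             data[1:].decode("utf-16-le", "ignore"))
    return sorted({m.group(0).strip() for v in views for m in SCRIPT_RE.finditer(v)})

def find_shortcut_infections(root):
    """Flag every .lnk under root that references a script or sits beside a same-named
    file/folder (the original, which the malware merely marks hidden)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = set(dirnames) | set(filenames)
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            stem, path = name[:-4], os.path.join(dirpath, name)
            scripts = script_targets(path)
            if scripts or stem in siblings:
                findings.append({"lnk": path, "shadows": stem if stem in siblings else None,
                                 "scripts": scripts})
    return findings

# --- constructed sample drive: fake .lnk bytes, invented file names, no real malware ---
def build_sample_drive(root):
    os.makedirs(os.path.join(root, "Firm Accounting"))
    os.makedirs(os.path.join(root, "Photos"))
    with open(os.path.join(root, "update.vbs"), "w") as f:
        f.write("' placeholder, not a real script\n")
    header = b"L\x00\x00\x00" + b"\x00" * 72  # Shell Link magic plus padding
    samples = {
        # shortcut replacing a folder, command line stored as ANSI
        "Firm Accounting.lnk": header + b"C:\\Windows\\System32\\wscript.exe //e:vbs update.vbs\x00",
        # same trick, command line stored as UTF-16LE
        "Photos.lnk": header + "cmd.exe /c start update.vbs".encode("utf-16-le"),
        # benign shortcut: no script, no shadowed sibling
        "Reader.lnk": header + b"C:\\Program Files\\Reader\\reader.exe\x00",
    }
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(blob)

def demo():
    root = tempfile.mkdtemp()
    build_sample_drive(root)
    return find_shortcut_infections(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit["lnk"], "| shadows:", hit["shadows"], "| scripts:", hit["scripts"])
```

On a real drive, point find_shortcut_infections() at the drive root; every hit names the script the shortcut launches and the hidden original it is hiding.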

An easier way to clean an infection is by using a good cleaning tool. If you need help searching for such a tool, visit our Avast forum and read what others do in your situation, or ask nicely for help from Evangelists, who dedicate their free time to helping users and researching security problems.

Suspect a false positive?

If you think it’s a false positive, do a little checking first. The Avast forum is a good place to start. You can read about LNK:Jenxcus, or you can start a new thread with your own question. If you are still convinced that you have a false positive, then please report it so the Avast Virus Lab can determine how and why it’s detected. This video tells you how:



June 9th, 2014

Are hackers’ passwords stronger than regular passwords?

Hackers use weak passwords just like the rest of us.


Nearly two thousand passwords used by hackers were leaked this week, when I tried to decode a PHP shell without knowing the key. Because I did not know the exact content of the encoded file and searching the key could take me years, I chose a different approach. I decided to find out how strong passwords used by hackers are and create a dictionary. :)

Over the years of fighting malware, the avast! Virus Lab has gathered many samples of various back-doors, bots and shells. Some of them are protected with a password stored as an MD5 or SHA1 hash or in plain text, so that was a good way to start. I looked at 40,000 samples of hackers’ passwords and found that nearly 2,000 were unique and 1,255 of those were in plain text. Another 346 passwords were easily cracked from MD5 hashes, because they were shorter than 9 characters. That gave me a total of 1,601 passwords and 300 hashes. I created statistics from those words, and here are my findings.

Passwords that nobody will guess

Percentage of characters used in hackers' passwords

About 10% of the passwords were beyond normal capabilities of guessing or cracking. Of those, I found words as long as 75 characters, probably generated by a computer. Some of them were in long sentence form mixed with special characters such as lol dont try cracking 12 char+. Too bad it was stored in plain text. ;)

There were also passwords that don’t use characters from an English keyboard. But there was still a 90% chance it could be a normal word, maybe with some number in it. No less than 9% of the passwords could be found in an English dictionary.

The table on the right shows which characters are used in hackers’ passwords. The first row means that 58% of passwords contained only lower-case alphabet characters a-z.

January 13th, 2014

How to clean your hacked OpenX server

Christmas is a time of peace, but that does not apply to hackers and creators of malware. In the middle of the holidays, the AVAST Virus Lab found a new type of infection targeting advertisement servers with OpenX installed. Unfortunately, the only antivirus detecting this threat is avast!, which leads to the erroneous conclusion that there is a false positive on our side, but it is an actual danger.

This infection is called JS:Redirector-BJB or JS:Redirector-BJC and it has been confirmed on 930 servers running OpenX around the world. This means that avast! saves at least 130 thousand people every day from malware infection in advertisements, so please be reasonable and update your server as soon as possible.

Infection and consequences for users visiting a malicious website are described in our recent post about malvertising, but today let’s look at how to successfully clean, update, and secure your application. Below are the top 5 most visited and infected sites. Is yours on this list?


If you are using OpenX, or Revive AdServer prior to version 3.0.2, your system is vulnerable!

Below you can find a few steps that will lead you through cleaning, but updating to the latest version of Revive AdServer is necessary. Otherwise your server will still have known security flaws.

1. Backup Files – Download all files from FTP to your computer and scan them with antivirus. If any of the files are marked as a threat, delete them from FTP instantly. If possible, also back up your database to ensure a calm upgrade.

2. Check for Backdoor – Search FTP for files that do not belong there. You can find them by their date of creation (a file with a different date than the others in the directory) or by obfuscated content in source files. You can also compare your source code with the official installation to reveal newly added files. If you are using OpenX version 2.8.10, delete the file “flowplayer-3.1.1.min.js” because it contains a backdoor.

3. Clean the Database – The first step is to change the passwords both for admin and for the database, and also check that there are no unknown users. This will ensure no disturbance during the cleaning process. Next, you must examine the tables “Banners” and “Zones” in the database. Find and delete any malicious JavaScript located there. Usually it is located in the “Append” or “Prepend” fields. The last step is to update the new database password in the config, because it will be needed during the upgrade.

4. Upgrade Application – Download the latest version of Revive AdServer to your hard drive. OpenX changed its name in summer 2013, so the newest version can be downloaded only from the link above. Follow the steps in the article on the official pages about upgrading the OpenX or Revive AdServer application.

5. Secure Server – After the upgrade you have only a few things to do. Check that the database and all users have unbreakable passwords. Do not use any passwords from before. Do not leave any installation or old files on FTP. Change the FTP password too, because hackers could have discovered it.
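As an added example (not Avast's or Revive's own tooling, and not from the original post), a Python audit that automates the file-side checks of steps 1 and 2: it hashes a known-good copy of the same release, then flags files in the live tree that are missing from that manifest, differ from it, carry obfuscation markers, or have a modification time out of line with their neighbours. The directory trees, file contents and the 'H4sI' payload placeholder are constructed for the demo; only the file layout borrows OpenX names.

```python
import hashlib, os, re, statistics, tempfile, time
# Idioms common to PHP backdoors (step 2): eval over a decoder, preg_replace /e, $_POST['x'](...)
OBFUSCATION_RE = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|preg_replace\s*\([^,]*/e['\"]\s*,|\$_(?:POST|GET|REQUEST)\[[^\]]+\]\s*\(", re.I)
MTIME_SLACK = 30 * 86400  # a file touched a month away from its siblings deserves a look

def sha256_of(path):
    return hashlib.sha256(open(path, "rb").read()).hexdigest()

def rel_path(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")

def build_manifest(root):
    """relative path -> sha256 for every file under a pristine copy of the same release."""
    return {rel_path(os.path.join(d, n), root): sha256_of(os.path.join(d, n))
            for d, _, files in os.walk(root) for n in files}

def audit_install(root, manifest):
    # Returns (relative path, reason) pairs: unknown, modified, obfuscated or oddly-timed files
    findings = []
    for dirpath, _, filenames in os.walk(root):
        mtimes = {}
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = rel_path(path, root)
            mtimes[rel] = os.path.getmtime(path)
            if rel not in manifest:
                findings.append((rel, "not in official release"))
            elif manifest[rel] != sha256_of(path):
                findings.append((rel, "differs from official release"))
            if name.lower().endswith((".php", ".js")):
                with open(path, "rb") as f:
                    if OBFUSCATION_RE.search(f.read()):
                        findings.append((rel, "obfuscation marker"))
        if len(mtimes) >= 3:  # compare each file with the directory's typical mtime
            median = statistics.median(mtimes.values())
            findings += [(rel, "modification time differs from siblings")
                         for rel, t in mtimes.items() if abs(t - median) > MTIME_SLACK]
    return findings

# --- constructed stand-in for a release tree (only the layout borrows from OpenX) ---
PRISTINE = {"www/delivery/ajs.php": "<?php echo 'ad'; ?>\n",
            "www/delivery/afr.php": "<?php echo 'frame'; ?>\n",
            "www/delivery/ck.php": "<?php echo 'click'; ?>\n"}
OLD = 1.3e9  # install-time mtime, so a freshly dropped file stands out

def write_tree(root, files, mtime=OLD):
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
        os.utime(path, (mtime, mtime))

def demo():
    clean, infected = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root in (clean, infected):
        write_tree(root, PRISTINE)
    # Dropped backdoor: unknown to the release, obfuscated, fresh mtime ('H4sI' is a placeholder)
    write_tree(infected, {"www/delivery/cache.php":
                          "<?php eval(gzinflate(base64_decode('H4sI'))); ?>\n"}, mtime=time.time())
    # Legitimate file with an injected loader and a backdated mtime: the hash still gives it away
    write_tree(infected, {"www/delivery/ajs.php": PRISTINE["www/delivery/ajs.php"]
                          + "<?php eval(base64_decode($_POST['p'])); ?>\n"})
    return audit_install(infected, build_manifest(clean))
```

Against a real server, build the manifest from a freshly downloaded copy of the exact version you run and point audit_install() at the files you pulled from FTP in step 1.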

Someone might think “upgrading must solve my problem,” but unfortunately that’s not true. In this case, as in many others, website administrators and owners must perform the described steps in order to get rid of the infection completely. Do not forget to change all passwords.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.

November 14th, 2013

Malvertising and OpenX servers

Malvertising is an abbreviation of malicious advertising and means that legitimate sites spread malware from their infected advertisement systems. There were many malvertising campaigns in the last few years, some of them confirmed even on big sites like The New York Times, but most of them go unnoticed because they are well hidden and served only to selected users. Earlier this year, one of our top analysts found a stealth infection on a Czech entertainment site and began to watch it. We were able to obtain source code from infected sites, and I would like to show you how easily the hacking is done and what can be done to secure your server.

In this case all infected servers contained OpenX (an open-source solution for advertisement), which has a rich history of vulnerabilities. Look, for example, at the last three versions.

  • In version 2.8.9 and previous versions there was a SQL injection
  • Version 2.8.10 contained a hidden backdoor that allowed remote PHP execution
  • The latest version 2.8.11 offers more security, but there are known vulnerabilities

In summer 2013, OpenX was re-branded as Revive Adserver and several security flaws were patched. I strongly recommend you update to the latest version (currently 3.0.0) to secure your advertisement solution from being misused by hackers.

How do they get in?

An analysis of infected web pages revealed that the attacker used SQL injection to obtain administrator logins and passwords from the database. Then he used the credentials to log in and exploited another flaw to upload a backdoor with an executable extension. Actually there were more backdoors and PHP scripts hidden in various places, suggesting that this server was attacked multiple times.


This picture shows all scripts and their dates of creation found on the infected page. The first three files are backdoors and tools for server control. The last two files are different; they serve as an interface to the database.

Files “inj” and “minify” seem to be two versions of the same script, which connects to the database and either removes injected scripts or adds new ones. The result of this modification is an iframe appended to advertisement banners. The picture below shows a SQL query used to insert the malicious JavaScript.

The described infection is really hard to trace, because it’s not present on the server all the time, but only at predefined times, and shows only to users coming from a specific zone.
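As an added example (not the attacker's inj/minify script and not Avast's code), a defender-side scan of the append/prepend fields that this description and step 3 of the cleanup post above both point at: it flags hidden iframes, script tags pulling from hosts you did not whitelist, and the document.write/unescape style of obfuscated loader. The rows, hostnames and the assumed column names (bannerid, zoneid, append, prepend) are constructed for the demo; check them against your own schema.

```python
import re

# Assumed OpenX/Revive schema: the banners and zones tables each carry append/prepend
# fields; pull them with queries like
#   SELECT bannerid, append, prepend FROM banners;   SELECT zoneid, append, prepend FROM zones;
# and feed each field value to scan_fields() as one row.
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe[^>]*(?:\bwidth\s*=\s*[\"']?0\b|\bheight\s*=\s*[\"']?0\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
IFRAME_RE = re.compile(r"<iframe\b", re.I)
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)
OBFUSCATED_RE = re.compile(
    r"document\.write\s*\(\s*unescape|String\.fromCharCode\s*\(|\beval\s*\(", re.I)

def classify(value, trusted_hosts):
    """Reasons a single append/prepend value looks injected; empty list if clean."""
    reasons = []
    if HIDDEN_IFRAME_RE.search(value):
        reasons.append("hidden iframe")
    elif IFRAME_RE.search(value):
        reasons.append("iframe")
    for host in SCRIPT_SRC_RE.findall(value):  # relative src (same origin) is left alone
        if host.lower() not in trusted_hosts:
            reasons.append("script from untrusted host " + host)
    if OBFUSCATED_RE.search(value):
        reasons.append("obfuscated javascript")
    return reasons

def scan_fields(rows, trusted_hosts):
    """rows: dicts with table, id, field and value. Returns the rows worth deleting or reviewing."""
    trusted = {h.lower() for h in trusted_hosts}
    flagged = []
    for row in rows:
        reasons = classify(row.get("value") or "", trusted)
        if reasons:
            flagged.append({**row, "reasons": reasons})
    return flagged

# Constructed sample, modelled on what the post describes (hosts are placeholders).
TRUSTED_HOSTS = {"ads.example.com"}
SAMPLE_ROWS = [
    {"table": "banners", "id": 7, "field": "append",
     "value": '<iframe src="http://badhost.invalid/in.php" width="0" height="0" '
              'style="display:none"></iframe>'},
    {"table": "zones", "id": 3, "field": "prepend",
     "value": '<script src="//ads.example.com/tracker.js"></script>'},
    {"table": "banners", "id": 9, "field": "append",
     "value": "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//x.invalid%22%3E'))"
              "</script>"},
    {"table": "banners", "id": 11, "field": "prepend", "value": ""},
    {"table": "zones", "id": 4, "field": "append",
     "value": '<script src="http://stat.badhost.invalid/s.js"></script>'},
]

if __name__ == "__main__":
    for hit in scan_fields(SAMPLE_ROWS, TRUSTED_HOSTS):
        print(hit["table"], hit["id"], hit["field"], "->", ", ".join(hit["reasons"]))
```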

November 12th, 2013

Top 3 types of hacks against small websites

This question, from a small-site owner with tens or hundreds of visitors per day, is an unfortunate but all too familiar one.

One morning I started getting emails from my customers complaining that their antivirus reported my site as infected and won’t let them in. It must be some mistake because I don’t have an e-shop. There is just a contact form and information for customers. Is it possible that someone is attacking my business?

The answer, in most cases, is: “You became part of an automated network which leads your users to an Exploit Kit.” (explanation below)

Why do hackers attack small webpages when there are larger targets?

Small websites have a very low frequency of updates, and the possibility that somebody would find and fix malicious code is almost non-existent, which makes them attractive targets for hackers. Hackers seek unpatched pages based on open-source solutions because they can attack them quickly and easily. These pages are later used for sorting users – into those who have vulnerable applications on their computer and those who cannot be attacked – or simply to hide the attackers’ true identity. Attackers close “the door” behind them by patching the vulnerability that let them in and simultaneously create another backdoor, only for them, so the page does not show as suspicious when tested for vulnerabilities.

In general, there are three common types of hacking events a web administrator could encounter:

1. Defacement

This type is recognizable at first glance because the site has been changed to display a message from hackers showing off their skills and mocking the web administrator. This is usually a less harmful attack, and although your page was deleted, you don’t have any financial loss, because the motivation for this attack was to show the lack of security on your pages and get credit from other hackers. People who make these attacks usually follow the rule “Don’t learn to hack, hack to learn.”

For example, there are PHP shells that let you select the method and reason for a defacement and post it online. The image below shows part of a PHP shell that sends statistics.


According to statistics from Zone-H, there were 1.5 million sites defaced during 2010, and the screenshot to the right shows the reasons for the attacks. A million and a half seems like a big number, but these are only documented attacks and the actual number would be much higher.

During the last few years, defacement has been used to display political or ethical opinions by attacking sites with lots of daily visitors. This in turn attracts media and gets as much attention as possible. Even antivirus companies are not spared, as you can read in a recent article about the hack against AVAST.


July 9th, 2013

Shady practices of free download servers

Many internet users employ a simple trick when they want to find some interesting software or computer game: they type the desired program’s name into the search bar, add the word “download” and hit enter. In most cases, the first few results from the search engine belong to free download servers.

I recently followed some of these links to visit the web pages hidden behind the words “free download” and was amazed at the techniques used to manipulate users. It’s not only the advertising pages you are forced to visit the instant you load the page, but if you are not careful, various sorts of malware or adware are installed to your computer without your notice. Let’s take a closer look at the shady practices you can expect from free download servers.

Download what? They really want you to look at the advertising!

On the screenshot below, you see a standard download page, but if you click anywhere else on the page, a large advertising window will pop up in the background. The big DOWNLOAD button on the top part of the page will redirect you to another advertising page. The only way to get close to the actual download you want is to click on the gray button named “Slow Speed Download”. After that you must wait 45 seconds. The only reason for the delay is to give you time to think about using a premium account for a “High Speed Download” and to look at banners. How nice of them…



The next screenshot displays a page where you are supposed to write a CAPTCHA code. CAPTCHA is used to verify that the page visitor is human and not a computer bot seeking information, but in this case the only reason for CAPTCHA is to show you yet another advertising popup window. If you click on the input labeled “Your Answer”, a popup will be displayed automatically. Now we are closer to our desired file download, just not using the traditional way. Let me recap:

  • Just ignore the large download button
  • Type the text from the CAPTCHA picture
  • Click the “Send” button

But don’t think you’re done, because the advertising nightmare is not over.

On the last screenshot from this page you see the final download button. There is however another catch. Not surprised, are you? Read the last line beside the checkbox carefully. This means that when you click the download button, it will start a download, just not your file. It will download only their manager, where you will install more adware directly to your computer. Oh goody.

TIP: Every time you start a file download from the internet, check if it has the right name and extension.

When I inspected similar sites to this one, many executable files popped up, even when I was looking for a RAR package. They are disguised as archivers, codec packages, or download managers and have one thing in common – they try to confuse the user with clever sentences and hidden check boxes.


Everything but the download

I tested several dozen of these fake download buttons and, not surprisingly, acquired a few new executable files. The download buttons redirected me to pages containing a registration for a game, an online casino, all sorts of medical products, and once, a chance to win a free iPhone in exchange for my mobile phone number. I did not give them my phone number, because the only thing I could win would be SMS advertisements or an attack on my privacy from some sort of mobile-oriented malware.

One big download button redirected me to a page where an automatic download started. The page stated that this is an installer for a well-known archiver. As this screenshot shows, there is a simple tutorial on the page which shows the user how to execute the file without thinking further. But what this tutorial really shows is how to ignore a security warning and let a potentially dangerous application install onto your computer!


This installer had other applications bundled, so when I started to install it, the first screen offered me a toolbar for my internet browser. There are only a few things less useful than a toolbar, because all its functions are already available in every internet browser.

On the next screenshot you can see what happens if you don’t want to install this toolbar: another dialog, designed to discourage you from skipping the installation by implying that this will abort the whole install.

If you think you want a toolbar installed, I suggest you read the license agreement, which often offers very amusing content. In section 4 it states that the toolbar is not considered secure, and I can tell you why! Because the only thing that matters to the author of applications like this one is profit.



At the end of the installation, where I chose to install only the packer and nothing else, all the files listed in the last screenshot were downloaded to my computer and executed. None of these files were removed after installation and some of them are set to start automatically when the computer starts.

A proxy server was also enabled and written into my Windows registry, along with a program which I did not agree to install. Except for 7z and sweetim, there was not even a notice about the other programs. I don’t think this is the way a normal application installer should work.

Many free download servers are active on the internet today, but none of them give you anything actually for free. You will pay for them with your personal data or computing time when malware attacks. You should always bear in mind that there are just a few really free things on the internet, fortunately avast! Free Antivirus is one you can count on.

The application I just described can be found on Virus Total under the following SHA256:

[1] 0761c6f550259b9317df0773be4d6e5559baecc034105bfaa5f990eb4cf3a343
[2] 0d38183bcf13e025a77cf197e14014ab8c32654e7b7d3585a6d7b374070871ba
[3] bb298b8e6975127b50e9a388b588f97329d13efc932c9797667ec879042f2133
