Today is unfortunately the last day of the Virus Bulletin 2013 conference, but it has definitely been memorable. Last night, a gala dinner was held that went on into the wee morning hours. During the dinner there was a classic performance from a dancing cabaret group and a delicious meal was served. And, continuing the tradition of VB conferences, after dinner all the participants moved to our avast! Beer Bar and attempted to push their results to a higher level.
Today’s speaking line-up focused on sophisticated malware on the Windows platform, online threats, and botnets. The afternoon panel discussion was moderated by Pedram Amini, our new AVAST colleague who joined the team a few weeks ago with the acquisition of Jumpshot. The discussion was about cyberwar and what we as a security industry can do about it.
Finally, the most important information: In the first blog chronicling this event, we mentioned the 7th IT Security Table Football World Championship. I asked you to wish us luck, and now I thank you for that! It definitely helped us a lot! And here are the final results!
1. Gdata – Germany
2. Avast – Czech Republic
3. Microsoft – USA
Hurray, we came in second! In such a big competition, it’s a great success for the avast! Virus Lab team, and one that we hope our colleagues (and our boss) will appreciate. For example, by buying a new football table for our office! To be ready to reclaim the AVAST honor at VB2014, we need to increase our practice time! (Next year, Gdata. Next year…)
We had a second day of VB 2013, and today can definitely be classified as an Android day. Most of the presentations from the first three blocks concentrated on Android threats, potentially unwanted applications and ad kits. This sent a strong signal that everyone should take Android security very seriously. Every big antivirus vendor has its own Android security applications, but the main point for me personally was that we should cooperate and share information to fight malware effectively.
In the last presentation block of the day, there were two presenters. First was Milos Korenko with his presentation The Best Things in Life are Free. I have to admit that listening to Milos is really inspiring. His high-level public speaking skills, combined with the fact that he was speaking about such a good company as Avast, made it one of the best presentations of the day.
During Miloš’ speech there were two hidden surprises. First, we announced the winners of the beer competition from Virus Bulletin 2012 held in Dallas. The top three from VB2012 are:
1. Dmitry (McAfee)
2. Jiri Bracek (AVG)
3. Roman Kovac (ESET)
The second surprise was from my colleagues in the avast! Virus Lab, Jaromir Horejsi and Peter Kalnai. Milos finished his speech quite quickly so he could share his remaining time with our analysts. They presented Are Linux desktop systems threatened by Trojans? Their talk, based on the Hand Of Thief blog post published at the end of August, extended it with some philosophical thoughts about the real potential of threats to Linux desktops.
The avast! Beer Bar is open again! On the first day of VB2013, we spent an evening socializing with other colleagues. You can check our website for the beer rankings and see which IT security company has the best score.
Virus Bulletin 2013 just started today and our company is participating in many ways! This conference is one of the biggest IT security conferences in the world, one that well-known security companies can’t miss. And we are really proud to be there with more than 370 specialists from the security industry. We are a platinum sponsor, we have a few speakers here – but mainly we are the PROUD BEER SPONSORS for all participants.
Here is a quick review of the first day, which was a pretty busy one! In the morning the conference started with a welcome speech from Virus Bulletin editor Helen Martin, and then the technical and corporate streams, represented by many speakers, began. We had one speaker from our company here today: Jindřich Kubec, with Eric Romang, presenting “Big bang theory of CVE-2012-4792” – a very successful presentation indeed. The main subject was a forensic and detective model that describes the early development of the watering hole campaign which was mostly active from Dec. 2012 to Jan. 2013, prominently targeting the energy industry, governments, non-profit organizations and human rights websites. After the initial targeted attack, the vulnerability cooled sufficiently to allow its integration into various private or public exploit kits. They also dug into the past and showed that there had clearly been a connection with the previous Sept. 2012 watering hole attacks on industrial websites, and also with watering hole attacks through Twitter in May 2012. The earliest phases of the vulnerability, like the Big Bang, are subject to much speculation. They tried to observe the most distant things that a security researcher can see. The timeline of the attacks, together with the disclosure, detection and publication dates, was shown. The code structure and its changes were also analyzed, including the binary payloads – e.g. remote access tools.
I should also mention that there is an international IT security table football championship. And so far we have been successful! In the morning we won the first match against Sophos 6:1, 6:2 and second against Norman 6:0, 6:0. So cross your fingers and wish us luck for the next rounds. Stay tuned, we will definitely share more information in the next two days!
In recent weeks, malware samples detected as Win32/64:Napolar (per AVAST’s naming) generated a lot of hits within our file and network shields. Independently, we observed an advertising campaign for a new Trojan dubbed Solarbot that started around May 2013. This campaign did not run through shady hacking forums, as we are used to, but instead through a website indexed in the main search engines. The website is called http://solarbot.net and presents its offer with a professional-looking design:
For the Win32/64:Napolar Trojan, the named pipe used for inter-process communication is \\.\pipe\napSolar. Together with the presence of character strings like “CHROME.DLL,” “OPERA.DLL,” “trusteer,” and “data_inject,” and features we’ll mention later, we have little doubt that the Trojan and Solarbot are one and the same. Let us look at some analysis.
Many of you might wonder how the avast! Virus Lab works. Who are those guys sitting behind the computers and analyzing malicious files? Well, let us unveil some of the virus lab secrets and break some stereotypes at the same time:
1. The avast! Virus Lab team doesn’t work in a laboratory.
2. Virus analysts are real, nice human beings, not robots.
3. Yes, there are also ladies in the virus lab team (although these pictures don’t prove that.)
4. They like to have fun and socialize!
Proof that they really exist
Here’s a challenge for you – the first person to discover the Director of the avast! Virus Lab will receive a one year free license of avast! Premier! Please respond in the comments section of this blog.
Recently, we have seen many Facebook posts with links leading to applications called Give Hearts, Drink It Up and Daily Horoscope. The applications are very popular – they have over 5 million monthly users – and are managed by the same provider, called App Discovery Engine. The posts attracted my attention because they seem to be posted automatically. The entire post consists of a URL which contains quite a long text with words separated by ‘+’. (Later we will see that this text is the horoscope you see on the page of the application.)
To begin investigating these apps, I follow the link leading to the Give Hearts application. It redirects me directly to the application. But before I can use it, I am asked to grant Give Hearts access to information on my Facebook account, like my email or friend list.
Yes! What a lucky day! I’ve just got a message that I won 2,000,000.00 British Pounds (2.4M EUR/3.1M USD), an Apple laptop, a T-shirt, and a cap emblazoned with a logo of The Free Lotto Company. Pretty awesome you might think, but appearances are deceptive. Unfortunately, this is just one of the ways bad guys try to get some of our money.
Well, I was thinking, it’s worth a shot. So I decided to write to the email address and see what would happen. Actually, the hardest part was making up a fake name for myself! You would never believe how hard this can be. In the end, I decided to call myself Robert Konmed.
Here’s how the conversation went down.
Me: Hello, I’ve got a winning message with information to contact your email address. How can I pick up my prize please? Thank you, Robert Konmed
Bad guys: Please find attached document for info to contact courier delivery company: EMAIL:email@example.com Regards Brian Calton
Me: Hello guys, I’m really excited about a winning prize. But would be possible to tell me how much I should prepare for a delivery company? And also I’m curious if there is possibility to charge delivery from my winning prize? Thank you & have a nice day! Best regards! Robert Konmed
A new threat for the Linux platform was first mentioned on August 7th by RSA researchers, who dubbed it Hand of Thief. The two main capabilities of this Trojan are form-grabbing in Linux-specific browsers and backdoor access to the victim’s computer. Moreover, it is equipped with features like anti-virtualization and anti-monitoring. With the level of overall sophistication Hand of Thief displays, it can be compared to infamous non-Windows threats such as the Flashback Trojan for the Mac OS X platform discovered last year or, more recently, the Obad Trojan for Android.
A detailed analysis uncovers the following structure of the initial file, with all parts after the dropper being encrypted (the hexadecimal number gives the starting offset of each block):
If thieves gain control of sensitive personally identifiable information (PII) on your computer, your identity can be stolen. Information such as your social security number, driver’s license number, date of birth, or full name are examples of data that should be encrypted. Confidential business data like individual customer information or intellectual property should also be encrypted for your safety.
In this blog post we will look at a service offering file decryption. This service helps you decrypt files that were previously encrypted. But this is no helpful ‘Tips and Tricks’ blog for people who forgot the password to their documents and ask for help recovering it. Although breaking weak passwords is quite possible, noproblembro.com specializes in a different type of service.
InfoStealer is a Trojan that collects sensitive information about the user from an affected computer system and forwards it to a predetermined location. This information, whether it be financial information, login credentials, passwords, or a combination of all of them, can then be sold on the black market. AVAST detects this infostealer as MSIL:Agent-AKP.
In this blog post, we will look at a malicious .NET file served to a victim’s computer via an exploit kit. After opening the file in a decompiler, we noticed resources containing only noisy images similar to the figure below.