Protecting over 230 million PCs, Macs, & Mobiles – more than any other antivirus

Archive

Posts Tagged ‘malware’
March 27th, 2015

Not your father’s antivirus protection

avtest_certified_homeuser_2015-02

Avast received the AV-Test certification for home use products.

Do I really need security on my computer anymore?

Over the years, web standards have improved and the security of operating systems and browsers have become better. Because of these advances, some people question whether they need security protection at all. But you need to remember that in parallel to positive advances in protection, cybercrooks have improved their skills and become more stealthy and targeted.

Hackers are no longer mischievous kids breaking into government agencies because they can. “These days, cybercrooks have to make business driven-decisions like the rest of us because their resources are limited,” said Ondrek Vlcek, COO of Avast.

Current malware is often disguised as legitimate applications, malicious Android apps sneak by protocols of the huge download sites, and home and business networks are being attacked via weakly protected routers.

“Threats are no longer just targeting devices, but accounts and routers. A recent example is the iCloud hack where cybercrooks stole personal photos of more than 100 celebrities, including Jennifer Lawrence and Kate Upton,” said Vlcek. “This attack happened via their account and can as well be the result of a router hack. No matter which device you use, all Internet traffic flows through your router so you have to make sure it is secure. You don’t have to be Jennifer Lawrence to be attacked.

Not your father’s antivirus protection

Antivirus protection has come a long way since it scanned individual files. Avast has taken modern virus protection to a high art with real-time updates and heuristic scans that detect new threats it’s never even seen before.

Avast performs so well in protecting against “real-world” threats such as Trojans, worms and viruses as well as web and email threats, that it just received the AV-TEST certification for our home user products.

Avast scored perfectly in the detection of widespread and prevalent malware discovered in the last 4 weeks, and had very little incidence of disruptions caused by false positives. Our consumer products have basically no measurable impact on the performance of the computer while doing things that the average user does on a daily basis: Visiting websites, downloading software, installing and running programs and copying data.

March 18th, 2015

Don’t click on the porn video your Facebook friend shared

Fake Flash Player updates fool Facebook users.

facebook-fake-flash-small

Facebook users get malware from clicking on fake Flash Player updates.

Facebook users have fallen victim to a recycled scam, and we want to make sure that all of our readers are fore-warned. Cybercrooks use social engineering tactics to fool people into clicking, and when the bait comes from a trusted friend on Facebook, it works very well.

Here’s how the scam works – your friend sends you an interesting video clip; in the latest iteration you are tagged and lots of other friends are also tagged – this makes it seem more trustworthy. The video stops a few seconds in and when you click on it, a message that your Flash Player needs to be updated for it to continue comes up. Since you have probably seen messages from Adobe to update your Flash Player, this does not raise any red flags. Being conscientious about updating your software, as well as curious about what happens next in the video, you click the link. That’s when the fun really begins.

The fake Flash Player is actually the downloader of a Trojan that infects your account. Security researcher Mohammad Faghani, told The Guardian, …” once it infects someone’s account, it re-shares the clip while tagging up to 20 of their friends – a tactic that helps it spread faster than previous Facebook-targeted malware that relied on one-to-one messaging on Facebook.”

How to protect yourself from Facebook video scams

Don’t fall for it. Videos that are supposedly sensational or shocking are also suspect. Be very cautious when clicking.

Does your friend really watch this stuff? If it seems out of character for your friend to share something like that with you, beware. Their account may have been infected by malware, and it’s possible they don’t even know this is being shared. Do them a favor and tell them about it.

Be careful of shortened links. The BBB says that scammers use link-shortening services to disguise malicious links. Don’t fall for it. If you don’t recognize the link destination, don’t click.

Use up-to-date antivirus software like Avast Free Antivirus with full real-time protection.

Report suspicious activity to Facebook. If your account was compromised, make sure to change your password.

March 17th, 2015

Ransomware holds eSports players hostage

Dreaded ransomware, the malware that locks your files and demands payment for the key to unlock them, is now targeting gamers.

New ransomware targets gamers.

 

In the first report of gamers being targeted by ransomware, more than 2o different games, including World of Warcraft, League of Legends, Call of Duty and Star Craft 2, various EA Sports and Valve games, and Steam gaming software are are on the list.  This variant of ransomware looks similar to CryptoLocker according to a report from a researcher at Bromium Labs.

What is CryptoLocker?

CryptoLocker is “ransomware” malware that encrypts files on a victim’s Windows-based PC. This includes pictures, movie and music files, documents, and certain files, like the gamer’s data files, on local or networked storage media.

A ransom, usually paid via Bitcoin or MoneyPak, is demanded as payment to receive a key that unlocks  the encrypted files. In previous cases, the victim has 72 hours to pay about a relatively small amount of money, usually in the low hundreds of dollars, but after that the ransom rises to over thousands of dollars. We have seen reports that says the gamers are demanded a ransom of about $1,000 via PayPal My Cash Cards or 1.5 bitcoins worth about $430.

“There’s mostly no way to get the data back without paying the ransom and that’s the reason why bad guys focus on this scheme as it generates huge profit, “ said  Jiri Sejtko, Director of Avast Software’s Virus Lab Operations last year when ransomware was making the news. “We can expect some rise in ransomware occurrences,” predicted Sejtko. “Malware authors will probably focus on screen-lockers, file-lockers and even on browser-lockers to gain money from victims.”

That prediction came true, and now ransomware authors are targeting narrower audiences.

How do I get infected with CryptoLocker?

Infection could reach you in various ways. The most common is a phishing attack, but it also comes in email attachments and PDF files. In the new case targeting gamers, the Bromium researcher wrote, “This crypto-ransomware variant has been getting distributed from a compromised web site that was redirecting the visitors to the Angler exploit kit by using a Flash clip.” There is a detailed analysis in the report.

Read more…

March 5th, 2015

Malvertising is bad for everyone but cybercriminals

One rotten malvertisement not only ruins the bunch, but can damage your SMB's reputation.

One rotten malvertisement not only ruins the bunch, but can damage your SMB’s reputation.

Malvertising, sounds like bad advertising right? It is bad advertising, but it doesn’t necessarily include a corny jingle or mascot. Malvertising is short for malicious advertising and is a tactic cybercriminals use to spread malware by placing malicious ads on legitimate websites. Major sites like Reuters, Yahoo, and Youtube have all fallen victim to malvertising in the past.

How can consumers and SMBs protect themselves from malvertising?

Malvertising puts both website visitors and businesses at great risk. Site visitors can get infected with malware via malvertising that either abuses their system or steals personal data, while businesses’ reputations can be tarnished if they host malvertisments. Even businesses that pay for their ads to be displayed on sites can suffer financial loss through some forms of malvertising because it can displace your own ads for the malicious ones.

To protect themselves, small and medium sized businesses should make sure they use the latest, updated version of their advertisement system, use strong passwords to avoid a dictionary attack and use free Avast for Business to discover and delete malicious scripts on their servers. Consumers should also keep their software updated and make sure they use an antivirus solution that will protect them from malicious files that could turn their PC into a robot, resulting in a slowed down system and potential privacy issues. Avast users can run Software Updater to help them identify outdated software.

How does malvertising work?

Businesses use ad systems to place and manage ads on their websites, which help them monetize. Ad systems can, however, contain vulnerabilities. Vulnerabilities in general are a dream come true for cybercriminals because vulnerabilities make their “jobs” much easier and vulnerabilities in ad systems are no exception. Cybercriminals can take advantage of ad system vulnerabilities to distribute malicious ads via otherwise harmless and difficult to hack websites.

Why cybercriminals like malvertising

Cybercriminals fancy malvertising because it is a fairly simple way for them to trick website visitors into clicking on their malicious ads. Cybercriminals have high success rates with malvertising, because most people don’t expect normal looking ads that are displayed on websites they trust to be malicious. Targeting well-visited websites, not only raises the odds of ad clicks, but this also allows cybercriminals to target specific regions and audiences they normally wouldn’t be able to reach very easily. Another reason why malvertising is attractive to cybercriminals is because it can often go unnoticed, as the malicious code is not hosted in the website where the ad is being displayed.

Examples of malvertising

An example of an ad system platform with a rich history of vulnerabilities is the Revive Adserver platform, formerly known as OpenX. In the past attackers could obtain administrator credentials to the platform via an SQL injection. The attackers would then upload a backdoor Trojan and tools for server control. As a result, they were able to modify advertising banners, which redirected site visitors to a website with an exploit pack. If the victim ran outdated software, the software would download and execute malicious code.

Another malware family Avast has seen in the wild and reported on that spread via malvertising was Win32/64:Blackbeard. Blackbeard was an ad fraud / click fraud family that mainly targeted the United States. According to our telemetry, Blackbeard infected hundreds of new victims daily. Blackbeard used the victim’s computer as a robot, displaying online advertisements and clicking on them without the victim’s knowledge. This resulted in income for botnet operators and a loss for businesses paying to have their ads displayed and clicked.

Comments off
December 12th, 2014

Mobile advertising firms spread malware by posing as official Google Play apps

As a malware analyst, I find new pieces of malware day in and day out. In fact, I see so many new malware samples that it’s difficult for me to determine which pieces would be really interesting for the public. Today, however, I found something that immediately caught my attention and that I thought would be interesting to share.

Mobilelinks

The three URLs listed above are websites that offer mobile monetizing kits, which are advertising kits that developers can implement in their mobile apps. The goal for developers is to monetize from advertisements. If a user clicks on one of the ads delivered by one of the above listed providers, he may be lead to a malicious subdomain.

The most visited of the three URLs is Espabit. According to our statistics, we know that Espabit’s servers get around 150,000 views a day and nearly 100% of the views are from mobile devices. This may not seem like that much compared to the number of Android users there are in the world, but it is still a considerable number. Espabit is trying to position themselves as a world leader in advertising, and their website may appear innocent, but first impressions can be deceiving.

 

espabit

The most visited Espabit subdomain, with more than 400,000 views during the last few months, leads app users to pornographic sites via the ads displayed in their apps. The site displays a download offer for nasty apps (no pun intended) that have malicious behavior.

image

 

The above is just one example of the malicious links; there are many others hosted on the same server. The majority of the links lead to pornography or fake apps that all have one thing in common: They all steal money from innocent users.

How do they convince people to download their app? By posing as official Google Play apps. The apps are designed to look like they are from the official Google Play Store – tricking people into trusting the source. Since Android does not allow users to install apps from untrusted sources, the sites offer manuals in different languages, like English, Spanish, German, and French, explaining how to adjust Android’s settings so that users can install apps from untrusted sources, like these malicious apps. How considerate of them.

image_1

 

Now let’s take a deeper look at what the apps are capable of doing:

All of the “different” apps being offered by the three sites listed above are essentially the same in that they can steal personal information and send premium SMS. So far, we know about more than 40 of them stored on the websites’ servers. Most of the apps are stored under different links and, again, are offered in different languages (they want everyone to be able to “enjoy” their apps). The goal behind all of the apps is always the same: Steal money.

apps code1

 

 

 

 

Some of the permissions the apps are granted when downloaded…

apps code2

 

Once you open the apps, you get asked if you are 18 or older (they are not only considerate in that they offer their product in various languages, but they also have morals!).

sexyface

 

 

sexyface2

 

After you click on “YES” you are asked to connect your device to the Internet. Once connected to the Internet your device automatically starts sending premium SMS, each costing $0.25 and sent three times a week. That’s all the app does! The amount stolen a week does not seem like much, but that may be done on purpose. People may not notice if their phone bill is $3.00 more than it was the month before and if they don’t realize that the app is stealing money from them and don’t delete the app it can cost them $36.00 a year.

This malware is actually not unique in terms of the technique it uses. However, collectively, the three websites have around 185,000 views daily, which is a lot considering there is malware stored on their servers. Not everyone is redirected to malware, but those who are, are being scammed. Considering that the most visited malicious subdomain had around 400,000 views in the last quarter, it tells us that a large number of those visitors were infected. This means these ad providers are making a nice sum of money and it’s not all from ad clicks and views.

Although many mobile carriers around the world block premium SMS, including major carriers in the U.S., Brazil, and the UK, this case should not be taken lightly. These malware authors use social engineering to circumvent Google’s security and target innocent app users via ads. Think of how many apps you use that display ads, then think of all the valuable information you have stored on your phone that could be abused.

All malicious apps we found and described here are detected by Avast as:

Android:Erop-AG [Trj]
Android:Erop-AJ [Trj]|
Android:Erop-AS [Trj]

Some of SHA256:
DBEA83D04B6151A634B93289150CA1611D11F142EA3C17451454B25086EE0AEF
87AC7645F41744B722CEFC204A6473FD68756D8B2731A4BF82EBAED03BCF3C9B

Comments off
October 27th, 2014

Pony stealer spread vicious malware using email campaign

Most people want to stay on top of their bills, and not pay them late. But recently, unexpected emails claiming an overdue invoice have been showing up in people’s inboxes, causing anxiety and ultimately a malware attack. Read this report from the Avast Virus Lab, so as a consumer you’ll know what to look for, and as a systems administrator for an SMB or other website, you will know how cybercrooks can use your site for this type of social engineering scam.

Recently we saw an email campaign which attempted to convince people to pay an overdue invoice, as you can see on the following image. The user is asked to download an invoice from the attached link.

mail1

The downloaded file pretends to be a regular PDF file, however the filename “Total outstanding invoice pdf.com” is very suspicious.

When the user executes the malicious file, after a few unpacking procedures, it downloads the final vicious payload. The Avast Virus Lab has identified this payload as Pony Stealer, a well-known data-stealing Trojan which is responsible for stealing $220,000, as you can read here.

We followed the payload URL and discovered that it was downloaded from a hacked website. The interesting part is that we found a backdoor on that site allowing the attacker to take control of  the entire website. As you can see, the attacker could create a new file and write any data to that file on the hacked website, for example, a malicious php script.

backdoor

Because that website was unsecured, cybercrooks used it to place several Pony Stealer administration panels on it, including the original installation package, and some other malware samples as well.  You can see an example of Pony Stealer panel’s help page written in the Russian language on the following picture.

panel

Avast Virus Lab advises:

For Consumers: Use extreme caution if you see an email trying to convince you to pay money for non-ordered services. This use of “social engineering” is most likely fraudulent. Do not respond to these emails.

For SMBs: If you are a server administrator, please secure your server and follow the general security recommendations. As you learned from this article,  you can be hacked and a backdoor can be put in your website allowing anyone to upload whatever he wants to your website. Protect yourself and your visitors!

SHA’s and detections:

4C893CA9FB2A6CB8555176B6F2D6FCF984832964CCBDD6E0765EA6167803461D

5C6B3F65C174B388110C6A32AAE5A4CE87BF6C06966411B2DB88D1E8A1EF056B

Avast detections: Win32:Agent-AUKT, Win32:VB-AIUM

Acknowledgement:

I would like to thank Jan Zíka for discovering this campaign.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.

September 24th, 2014

Avast! Mobile Security gets award from AV Comparatives

AV Comparatives Aug2014AV Comparatives awarded avast! Mobile Security for its malware protection and highly developed theft-protection.

Most people would not dream of neglecting the security of their PCs or laptop, but those same folks forget that the device in their pocket is just as powerful, if not more so. You’ve heard it before –your expensive smartphone, which stores personal data, private photos, Internet banking information and even company data, is an attractive target for cybercrooks and thieves.

AV Comparatives, an independent organization which tests antivirus products and mobile security solutions, released new testing results and gave avast! Mobile Security the highest “Approved Award” for Android security products.

avast! Mobile Security has a wide range of features with innovative functionality. We particularly liked the wide range of configuration options and remote commands, which provide the user with a comprehensive remote control function,” wrote the authors of the final report.

AV Comparatives gives avast! Mobile Security it's Approved Award for mobile security and anti-theft features.

AV Comparatives gives avast! Mobile Security it’s Approved Award for mobile security and anti-theft features.

Malware protection

Mobile phones attacks are getting more and more sophisticated, and it is growing exponentially. “We now have more than 1 million malicious samples in our database, up from 100,000 in 2011,” said Avast’s CCO, Ondřej Vlček. “Mobile threats are increasing – we expect them to reach the same magnitude as PC malware by 2018.”

avast! Mobile Security scans all installed applications for malware and has various real-time protection shields which protect against

  • Malicious apps and phishing sites
  • Sites containing malware
  • Typo-squatting if an incorrect URL is entered
  • Incoming messages with phishing/malware URLs
  • Malicious behavior during read or write processes

Anti-theft protection

Avast! Anti-theft is a stand-alone app that can be installed separately from avast! Mobile Security. The app is hidden from view, and can be accessed remotely for functions such as lock, locate and wipe, redirection of calls, texts and call logs, etc.

In addition to the malware and anti-theft protection, AV Comparatives liked the standalone avast! Mobile Backup which enables personal data to be backed up to Google Drive.

The Backup, App Locker and Privacy Scan features, which were promised last year, have now been implemented and complete the program’s functionality. (avast! Mobile Security) is a very comprehensive security product with a wide range of configuration options.

Protect your Android smartphone and tablet with avast! Mobile Security and Antivirus from the Google Play store.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.

 

 

August 28th, 2014

Bad news for SMBs: Target’s “Backoff” malware attack hits 1,000 more businesses

PoS attacks

avast! Endpoint Protection can protect your network

U.S. merchants advised to protect themselves against same PoS hack that hit Target and Neiman Marcus last year.

More than 1,000 U.S. businesses have had their systems infected by Backoff, a point-of-sale (PoS) malware that was linked to the remote-access attacks against Target, Michaels, and P.F. Chang’s last year and more recently, UPS and Dairy Queen. In the Target breach alone, 40 million credit and debit cards were stolen, along with 70 million records which included the name, address, email address, and phone number of Target shoppers.

The way these breaches occur is laid out in BACKOFF: New Point of Sale Malware, a new U.S. Department of Homeland Security (DHS) report. Investigations reveal that cybercrooks use readily available tools to identify businesses that use remote desktop applications which allow a user to connect to a computer from a remote location. The Target breach began with stolen login credentials from the air-conditioning repairman.

Once the business is identified, the hackers use brute force to break into the login feature of the remote desktop solution. After gaining access to administrator or privileged access accounts, the cybercrooks are then able to deploy the PoS malware and steal consumer payment data. If that’s not enough, most versions of Backoff have keylogging functionality and can also upload discovered data, update the malware, download/execute further malware, and uninstall the malware.

General steps SMBs and consumers can take to protect themselves

  • You should use a proper security solution, like avast! Endpoint Protection, to protect your network from hacking tools, malicious modules, and from hackers using exploits as a gateway to insert malware into your network.
  • Regularly monitor your bank and credit card statements to make sure all the transactions are legitimate.
  • Change default and staff passwords controlling access to key payment systems and applications. Our blog post, Do you hate updating your passwords whenever there’s a new hack?, has some tips.
  • Monitor your credit report for any changes. You’re entitled to one free report per year from each of the three reporting agencies.

Read more…

Comments off
August 19th, 2014

Reveton ransomware has dangerously evolved

The old ransomware business model is no longer enough for malware authors. New additions have made Reveton into something even more powerful.

Reveton

The latest generation of Reveton, the infamous “police” lock screen/ransomware, targets new black market business. The authors upped the ante of the despised malware from a LockScreen-only version to a dangerously powerful password and credentials stealer by adding the last version of Pony Stealer.  This addition affects more than 110 applications and turns your computer to a botnet client.

Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. In all cases, Reveton contains a link to download an additional password stealer. The most common infection is via the well-known exploit kits, FiestaEK, NuclearEK, SweetOrangeEK, etc.

Pony stealer module

Reveton use one of the best password/credentials stealer on the malware scene today. Pony authors conduct deep reverse engineering work which results in almost every password decrypted to plain text form. The malware can crack or decrypt quite complex passwords stored in various forms.

The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc and over 140 submodules.
Reveton modules

Read more…

Comments off
August 4th, 2014

AVAST blocks all malware in real-world test

avast! Free Antivirus blocked 100% of malware attacks in AV-Test’s “Real World” detection test.

AV-Test-June-2014Respected IT Security and Antivirus Research lab, AV-Test, put 23 antivirus products designed for the home user to the test for real-world malware blocking and detection of false positives in June. The testing scenario replicated the set-up of almost a quarter of AVAST’s 200 million users who still use Windows XP (SP3, 32-Bit, English). Just like your antivirus protection at home, the products were allowed to update themselves at any time and query their in-the-cloud services.

av-test_cert_2014_Consumer_06Avast! Free Antivirus scored 100% in protection against malware infections, such as viruses, worms or Trojan horses. AV-Test used widespread and prevalent malware discovered in the last 4 weeks, including malicious email attachements.

Avast! Free Antivirus had zero false positive detections, giving it a perfect score of 100%. False positives happen when your antivirus software erroneously identifies a file or a download as being malicious. The test included false warnings or blockages when visiting websites or when installing and using legitimate software.

Our customers are concerned about the impact antivirus protection has on their computer speed when visiting websites, downloading software, installing and running programs, and copying data. AV-Test measured the influence of each product in daily usage. On a scale with 5 being the lowest possible impact and 25 the highest impact, avast! Free Antivirus has minimal impact on system performance, scoring a very low 8.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.