Protecting over 230 million PCs, Macs, & Mobiles – more than any other antivirus


Posts Tagged ‘trojan’
February 17th, 2014

Fake Korean bank applications for Android – PT 1

About a year ago, we published this analysis about a pharming attack against Korean bank customers. The banks targeted by cybercriminals included NH Bank, Kookmin Bank, Hana Bank, ShinHan Bank, and Woori Bank. With the rise of Android-powered devices, these attacks now occur not only on the Windows platform, but also on the Android platform. In this blog post we look at a fake bank application and analyze several malware families that supposedly make use of it.

Original bank application

We will show just one bank application for brevity. For other banks the scenario is similar. The real Hana Bank application can be downloaded from Google Play. It has the following layout and background.


January 23rd, 2014

WhatsApp bogus email tries to install Zeus Trojan on your computer

Have you received an email from WhatsApp? No? That’s because the company usually sends their users messages directly via the app itself, typically notifying them of updates. If you have received an email from WhatsApp recently, we urge you to not open it and to delete it immediately. The email is a hoax that contains malware.

Within the last few days, an email with the subject line “Missed voice message” has spread with the sender name “WhatsApp Messenger.” The message asks recipients to “please download attached file,” a file named “”

Our antivirus lab expert, Peter Kálnai, told us, “It has never been WhatsApp’s strategy to send you missed voice messages in an email and they haven’t started to do so now. Instead of a voice message, it includes a zipped attachment with an executable file under the same name missed-message.exe. This file is able to download any malware attackers want to load onto their victim’s computer, including the Zeus Trojan, also known as one of the most dangerous banking trojans.”

Zeus lies silently on users’ computers until they log on to a banking website. Once on a banking site, Zeus collects the users’ personal data and online banking information. Read more about how avast! Antivirus blocks Zeus Trojans.

The popular mobile messaging service, WhatsApp, recently announced they now have more than 430 million Android and iPhone users. This is a great success for WhatsApp, but at the same time makes it an attractive target for cybercriminals, as the amount of potential victims is huge.

Does avast! Antivirus protect against the WhatsApp malware?

Yes! AVAST detects the executable files distributed in the ZIP file, in their different versions, and protects all of its more than 200 million users from this threat. Besides using AVAST, we recommend that users use common sense and think twice when they receive an email from an app that otherwise never addresses its users via email. Also, in general, trustworthy companies don’t send attachments unless you have requested specific documents, so do not open any email attachments you haven’t requested, and always use caution when downloading files from the Internet.
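The lure described above (a "WhatsApp Messenger" sender, the subject "Missed voice message", and a ZIP carrying missed-message.exe) can be checked for at the mail gateway. The following is an added example, not AVAST's code; the sender address, archive name and message body are constructed sample data, and the stand-in executable is harmless bytes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that should never arrive as an unsolicited zipped attachment.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def executables_in_zip(data: bytes) -> list:
    """Return the names of executable members in an in-memory ZIP, or [] if data is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []

def triage_message(raw: bytes) -> dict:
    """Check one raw RFC 822 message against the lure pattern described in the post."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    # WhatsApp notifies users inside the app, so a "WhatsApp" sender name is itself a red flag.
    if "whatsapp" in str(msg.get("From", "")).lower():
        reasons.append("sender display name impersonates WhatsApp")
    if "missed voice message" in str(msg.get("Subject", "")).lower():
        reasons.append("lure subject 'Missed voice message'")
    for part in msg.iter_attachments():
        exes = executables_in_zip(part.get_payload(decode=True) or b"")
        if exes:
            reasons.append(f"attachment {part.get_filename()!r} hides executable(s): {exes}")
    # Two or more indicators together are enough to quarantine rather than deliver.
    return {"quarantine": len(reasons) >= 2, "reasons": reasons}

def build_sample() -> bytes:
    """Construct a message mimicking the reported lure (sample data, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Harmless stand-in bytes; only the member name matters for the check.
        zf.writestr("missed-message.exe", b"MZ" + b"\0" * 62)
    m = EmailMessage()
    m["From"] = "WhatsApp Messenger <no-reply@example.invalid>"  # constructed sender
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Missed voice message"
    m.set_content("Please download attached file.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="missed-message.zip")  # constructed archive name
    return m.as_bytes()

if __name__ == "__main__":
    print(triage_message(build_sample()))
```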

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.

January 22nd, 2014

Win32/64:Blackbeard & Pigeon: Stealthiness techniques in 64-bit Windows, Part 2


Last week we promised to explain in detail how the “Blackbeard” Trojan infiltrates and hides itself in a victim’s system, especially in its 64-bit variant. Everything described in this blog post happens just before Pigeon (the clickbot payload) gets downloaded and executed. The most interesting aspects are the way it bypasses the Windows User Account Control (UAC) security feature and hands execution over from the 32-bit code of the Downloader to the 64-bit code of the Payload. And finally, how persistence is achieved.

From 32-bit Loader to 64-bit Payload

Like almost all other malware, this downloader is wrapped in a cryptor. After removing the first cryptor layer, we can see that the downloader is written in a robust way. The same code can run in either a 32-bit or a 64-bit environment; the code itself decides on the fly, based on the entry point of the unpacked layer, which of the two it is in. The authors can therefore wrap their downloader in either a 32-bit or a 64-bit cryptor and it will run correctly in both environments.


January 15th, 2014

Win32/64:Blackbeard & Pigeon: Stealthiness techniques in 64-bit Windows, Part 1

At the turn of the year we started to observe a Trojan that had not been much discussed previously (with a brand new final payload). It has many interesting aspects: it possesses a complex structure containing both 32-bit and 64-bit code; it achieves its persistence with highly invasive methods; and it is robust enough to carry various payloads and functionalities.

Evolution of Blackbeard

Confronting this threat for the first time, we wondered about its classification. Using AVAST’s Malware Similarity Search, we found an old sample (its TimeStamp said “02 / 20 / 12 @ 3:30:55am UTC”) in the malware database that shared the PE header structure of the threat. Moreover, it also contained debug info with the string “Blackbeard,” so we decided to name the family accordingly.
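Both Blackbeard teasers on this page lean on PE header fields: the 32-bit versus 64-bit variants, and the TimeStamp that the similarity search turned up. As an added example (not AVAST's tooling), the parser below pulls Machine, NumberOfSections, TimeDateStamp and the optional-header Magic straight from the headers; the header-only stub it is run against is constructed for the test and is not a real sample.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B  # optional-header Magic for 32-bit / 64-bit images

def pe_triage(data: bytes) -> dict:
    """Read Machine, NumberOfSections, TimeDateStamp and Magic from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    (magic,) = struct.unpack_from("<H", data, coff + 20)  # optional header follows the 20-byte COFF header
    names = {IMAGE_FILE_MACHINE_I386: "i386", IMAGE_FILE_MACHINE_AMD64: "AMD64"}
    return {
        "machine": names.get(machine, hex(machine)),
        "bits": {PE32_MAGIC: 32, PE32PLUS_MAGIC: 64}.get(magic),
        "sections": nsections,
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
    }

def build_stub(machine: int, magic: int, timestamp: int, nsections: int = 3) -> bytes:
    """Construct a minimal header-only PE image (not a runnable binary) to exercise the parser."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the 64-byte DOS header
    opt_size = 0xF0 if magic == PE32PLUS_MAGIC else 0xE0
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, nsections, timestamp, 0, 0, opt_size, 0x22)
    optional = struct.pack("<H", magic) + b"\0" * (opt_size - 2)
    return bytes(dos) + b"PE\0\0" + coff + optional

if __name__ == "__main__":
    # 1329708655 is 2012-02-20 03:30:55 UTC, the TimeStamp quoted in the post.
    print(pe_triage(build_stub(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC, 1329708655)))
```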


The code evolved over time. We can connect a part of this Trojan’s infection chain with the threat called Win32/64:Viknok. For both the historic and the current variant of Blackbeard, the complexity of the structure is sketched in this scheme:



September 25th, 2013

Win32/64:Napolar: New Trojan shines on the cyber crime-scene

In recent weeks, malware samples resolved as Win32/64:Napolar from AVAST’s name pools generated a lot of hits within our file and network shields. Independently, we observed an advertising campaign for a new Trojan dubbed Solarbot that started around May 2013. This campaign did not run through the shady hacking forums we are accustomed to, but instead through a website indexed in the main search engines. The website is called and presents its offer with a professional-looking design:


For the Win32/64:Napolar Trojan, the pipe used for inter-process communication is named \\.\pipe\napSolar. Together with the presence of character strings like “CHROME.DLL,” “OPERA.DLL,” “trusteer,” “data_inject,” and features we’ll mention later, we have almost no doubt that the Trojan and Solarbot are one and the same. Let us look at some analysis.


September 11th, 2013

Fake Antivirus Android application discovered

AVAST virus lab analyst Filip Chytrý has discovered a fake Android antivirus application impersonating avast! Free Mobile Security. The malicious application, called com.avastmenow, has a user interface that looks very similar to the genuine one by AVAST Software. After the installation of the fake program, an icon with the text PornHub is displayed to users. The Trojan displays fake alert pop-ups in an attempt to convince users they are infected even when they are not. Users who download the fake application might end up with their smartphone blocked and be asked to pay $100 to unlock the phone.

Our virus lab specialists are currently working on samples, so the AVAST virus database will be updated shortly. The goal is to protect all avast! Antivirus users and prevent them from downloading the malicious application. We will update our community on the progress here and on our social media channels.

Meanwhile, we recommend that all users rely on trusted sources and download avast! Free Mobile Security only from here.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun, and contest information, please follow us on Facebook, Twitter, Google+ and Instagram.

August 27th, 2013

Linux Trojan “Hand of Thief” ungloved

A new threat for the Linux platform was first mentioned on August 7th by RSA researchers, who dubbed it Hand of Thief. The two main capabilities of this Trojan are form-grabbing in Linux-specific browsers and backdoor access to the victim’s computer. Moreover, it is equipped with features like anti-virtualization and anti-monitoring. With the level of overall sophistication Hand of Thief displays, it can be compared to infamous non-Windows threats such as the FlashBack Trojan for the Mac OS X platform discovered last year or, more recently, the Obad Trojan for Android.

A detailed analysis uncovers the following structure of the initial file, with all parts after the dropper being encrypted (the hexadecimal number gives the starting offset of each block):



August 14th, 2013

AVAST detects and blocks 100% of Zeus Trojans in Banking Security Test

avast! Internet Security detects and blocks 100% of the world’s most malicious Zeus Trojan strains.

The Zeus Trojan is the most prevalent type of financial malware. Zeus infects a user’s computer and lies in wait until the user logs on to a banking website. Once that occurs, it attempts to steal the user’s bank account information, passwords, and other personal information. This summer Zeus made its way to Facebook, showing how it can evolve to avoid detection and circumvent countermeasures employed by banks and security vendors.

This dangerous Trojan is detected by avast! Antivirus. In a recent simulation for the MRG Effitas Online Banking / Browser Security Assessment Project, avast! Internet Security prevented the simulator from capturing user data and detected and blocked all 100 Zeus samples, all taken from live URLs. The same top-rated antivirus and anti-malware protection is available in all AVAST products, including avast! Free Antivirus.

Protect your online identity while securing your sensitive online financial transactions by using avast! Internet Security.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun, and contest information, please follow us on Facebook, Twitter, Google+ and Instagram.

June 6th, 2013

Facebook virus empties bank accounts

ZeuS Trojan

A dangerous Trojan named ZeuS is making its way among Facebook users. This old Trojan horse has infected millions of computers over the years, stealing banking credentials and other personally identifiable information. ZeuS can lie dormant on infected computers until the unsuspecting victim logs into their bank’s website. Once you’re logged in, cybercrooks can steal your login credentials and empty your account without your knowledge.

The virus is spread through phishing messages: either a funny or shocking video that a friend appears to have posted on their page or sent to you in a message, or an ad for videos or products. If you click the link to watch the video, a notification will say that you need to update the player. When you click update, you are actually downloading the Trojan. Clicking the Play button automatically gives your “Like” to the virus page, and it’s through this action that the link spreads to all of your friends.

All avast! Antivirus products detect and block Zeus if a user tries to install or run the .exe file, but the best way to protect yourself is to avoid it! avast! SafeZone is recommended for safe banking, financial transactions, and shopping online. It gives you a private, secure, and isolated desktop which keeps you safe from keyloggers like the ZeuS Trojan. avast! SafeZone is available in avast! Pro, avast! Internet Security, and avast! Premier.


Please share this with your family and friends.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun, and contest information, please follow us on Facebook, Twitter, Google+ and Instagram.

November 28th, 2011

R2D2 – Forget the jargon, it’s a wiretap

A short time ago in a galaxy very close by, the German Police and their R2D2 Trojan gave us a simple reminder of what modern malware is all about. It’s wiretapping.

Technical buzzwords usually leave me more puzzled than enlightened. How many of these terms can you identify: backdoor Trojan with mfc42ul.dll, winsys32.sys key logger, Speex codec, full registry access, CJPEG, or acrd~tmp~.exe for a hidden executed application?

Did I lose you? Just think wiretapping in the digital age.

Recently, the German Police had their R2D2 outed by the Chaos Computer Club. It seems that after the Police loaded their R2D2 Trojan onto a suspect’s computer, the defenders of law and order could do the following:
