This time malicious Android applications are hosted on several domains:

layers and their respective detection ratios

Still nothing? Ok, sorry . For those, who are still on the track: the initial setup file has a detection coverage lower than 35%, which is frankly a bad overall result. Go deeper! The fake FlashPlayer.exe gets much better score going close to 83%. Go deeper! The binary executed directly from memory gets again a lower detection ratio (an on-demand scan of the dump). Go deeper! And the detection ratio finally raises up to 75% for the last dropped binary. More details from the particular VT scans can be found here:

https://www.virustotal.com/file/bf66869e434a91cbdbc1410ec80915e5da91e2d6a1a4829ddaae6a998cd218bd/analysis/1336729518/

https://www.virustotal.com/file/1d7c19ca92c36997fb15b7f0483079b9fe6880ce2c59a96258b23e6d4e094e73/analysis/1336742483/

https://www.virustotal.com/file/5e69427b0062302b5b7bc9e95ff1439dff61e10c77b911d075e49d9b72335582/analysis/1336742673/

https://www.virustotal.com/file/e9a96a4a5c22ac94335871778e2aee0c0f74aeb17758f35ae3d5c93635e25f69/analysis/1336743210/

As you can see, all layers of this matryoschka “smell” like Vundo, which is definitely nothing what someone wants to install along with GameMaster. Leaving the binary as it is could raise a false feeling of safety – it’s a normally looking setup from outside, but if you can look inside and aggregate the suspicious signs with detection ratios, you can definitely say: “not a FP, next please”.

Pls, let me know – are such insights to our daily work interesting for you?

During the contest, we received a few (silly) estimates that ranged from a high of 202,020,302,050,206… down to a negative 156,000,000,000,000. With guesses like that, we didn’t expect 8 people to be so lucky!

Here is a list of the participants who provided us with the exact number and the time and date of their entries:

Among them, Daniel from Maceió, Alagoas, in Brazil, was the first correct participant to respond, with his entry made on March 10, 2012 at 6:50 PM CET.

Daniel, we are looking forward to getting in touch with you, to discuss where you want to plan your holidays!

Have you ever wondered what happens when you “buy” the activation key? Will the program really do something for you, will it just disappear… or, maybe, it will keep annoying you. Let’s look at a program called “S.M.A.R.T. Repair”.

Figure 1

If we execute the “S.M.A.R.T. Repair”, it disappears from its original location and copies itself into “Documents and Settings” under a randomly generated name, for example “@t)f9K70Sh&Z^.exe” (see figure 2) – this is the first sign of a suspicious behavior.

Figure 2

The second suspicious sign is that you are not able to exit the application in a normal way. If you press the ‘X’ in the top right corner, it only minimizes. If you right click “S.M.A.R.T. Repair” icon in the tray, there is no exit option (see figure 3).

Figure 3

When the main window appears, the program immediately starts scanning your hard disk (see figure 2). After a while, the scan finishes and a diagnosis report displays.  Then, some users might get scared from the possibility of losing their data, so they click “Repair 7 Issues” and the screen in figure 4 appears.

Figure 4

Ideal for malware creators, the user often clicks “Buy license now”, gives his/her credit card number, gets an activation key, clicks “I already have an activation code. Click here to activate” and enters the activation number.

Anyway, people, who are fans of reverse engineering already know there is another (cheaper ) way. We skip the “Buy license now” step and go directly to “I already have an activation code”. Enter arbitrary email and activation number (in our case email: aaa, activation number: 123456), press “Activate” and, not surprisingly, a red message displays “The code is invalid. Please contact the support service” (figure 5).

Figure 5

We open our favorite debugger (tool used to test and debug other programs), attach it to the weirdly named program “@t)f9K70Sh&Z^.exe”, set breakpoint at USER32.GetWindowsTextA/W (OS function, which is able to read contents of text fields), then click “Activate”.  The debugger stops once (to read the email text field), then stops again to read the activation key field, then it displays a message that says the activation code is invalid. After the first debugger stop, we may see the same screen as in figure 6.

Figure 6

Then we step through the program until we find something like in figure 7. There is a call to “strstr” function which according to documentation “returns a pointer to the first occurrence of a search string in a string”. In our case, it tests whether string “08869246386344953972969146034087” is contained within string “123456” (the string we entered to activation key field).

Figure 7

Therefore, try to guess what happens when we insert “08869246386344953972969146034087” into the activation key field (figure 8). Yes, we are registered now.

Figure 8

After successful registration, the program also opens notepad with the following text:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thank you for purchasing Data Recovery!

Your activation code: 08869246386344953972969146034087

You can always download your activated program through this link: http://www.backup-download-license.com/support/backup/download/setup_data_recovery.exe (for example, if you need to reinstall your operating system).

Also you can use it to install on any other computer.

For any questions please contact us at Customer Support section or call +1-888-717-7595 (USA/Canada tollfree number), +44-186-552-1441 (UK landline number for international calls).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the above displayed text snippet, we can see the reference to www.backup-download-license.com – it is hosted at IP address 31.184.244.15. According to various IP location tools, this server is located in United Arab Emirates, but belongs to ISP Petersburg Internet Network, Saint-Petersburg, Russia. However, not only one address is hosted at this IP address. There are several more – download-backup-license.com, license-backup-download.com, licensepos.com, licenseres.com, licensetoc.com, ns1.yourordergete.com. All domains were registered on the dates 2012-04-25 or 2012-04-02, by registrar BIZCN.COM, which is a Chinese fraudulent domain registrar. License-backup-download.com also contains an interesting information in Registrant Contact – “Privacy-Protect.cn”, which is a known domain related to a fake antivirus program.

Anyway, these are not the only URLs that we encountered during our research. The application tries to connect to several more URLs, which are hidden from users without a special monitoring tool. The following table shows URL, date of registration, name of domain registrar, and the last column shows in which country the actual server that the domain points to is located.

meijeroneca.com                           10-apr-2012         BIZCN    Netherlands

whatisadebima.com                      16-apr-2012         BIZCN    Sweden

pliesamdalu.com                            26-apr-2012        BIZCN    Moldova

psardcreator.com                           22-mar-2012       BIZCN    Romania
nardelfire.com                                17-apr-2012         BIZCN    Switzerland

After entering the correct activation key and pressing “OK”, the program “fixes” all problems with your hard disk (figure 9), asks you to restart your computer (figure 10), after reboot scans your computer again, and now finds no more errors (figure 11). It even becomes possible to exit the application by right-clicking the tray icon (figure 12).

Figure 9

Figure 10

Figure 11

Figure 12

Now, you can click “Quit” and get rid of this annoying piece of software.

Conclusion:

S.M.A.R.T. Repair is fake scanning tool often detected as Win32:FakeSysdef. It pretends to scan your computer and fix errors, but in reality it does nothing – it only displays something on the screen. You can’t exit the application normally if you don’t have an activation key. Through the analysis above, we have seen that its protection scheme is not very strong. An activation key can be seen in plain text. It is important to mention that these activation keys change very often, so it does not have to work for all FakeSysdef samples. However, the method for obtaining activation keys is always more or less the same. S.M.A.R.T. Repair contains references to several domains, which are registered by a suspicious Chinese domain registrar and are hosted on servers all around the world. Our recommendation: STAY AWAY FROM THIS APP.

avast! Free Antivirus for Mac contains the same light, award-winning, certified, and highly acclaimed antivirus and anti-spyware engine as its avast! version 7 Windows counterpart. Learn more about it here.

Win a MacBook Air

Thanks to loyal avast! users like you, avast! is the most liked antivirus on Facebook. As of this writing, we have over 1.1 million likes and rising. Thanks, avast! fans.

Like avast! on Facebook and enter to win a MacBook Air! Take a photo of yourself with an apple and submit it to our contest by Friday, May 18. You must be a registered avast! user and a fan of avast! on Facebook. After the photos are in, the fun begins when all the participants vote for their top 5 favorite photos. Those five will each win a MacBook Air! So get those apples polished and cameras snapping. We want your best photo!

“We’ve confirmed our app’s detection abilities for Flashback within the test lab and with reports from our beta testers,” says Jiri Sejtko, director of AVAST Virus Lab operations.

The Flashback Trojan linked to the Mac botnet is a derivative of last year’s DevilRobber Mac OS X Trojan. The AVAST Virus Lab now has 18 variants of this malware in its antivirus database.

“With an estimated 600,000 infected Macs, this botnet is just a large example that the Apple operating system is not immune from malware,” said Jiri. “Add a growing market share that makes Mac an attractive target for the bad guys together with a user base that insists they do not need a security app – you have all the conditions in place for an epidemic to rip through.”

The latest Flashback variants can infect vulnerable Macs without requiring the victim to enter a password. “Mac malware has historically been dependent on social engineering – convincing the user to enter the required password. Now these days are over and Mac users can pick up malware just by visiting an infected website,” adds Jiri. “Welcome to the real world.”

Flashback is a logical step in Mac malware’s steady evolution, he points out. Initial malware samples were rather simple, just compiler-generated code, with no encryption whatsoever, but it has since evolved to be more “custom”, with encrypted strings and code, and structured to avoid security apps like LittleSnitch(firewall software for Mac OS) or Apple’s XProtect. During 2011, there were some large-scale attempts to spread Mac malware via Google Image poisoning.

“It takes 1-2 years for malware guys to adapt to a new technology – it took a similar time when they switched from DOS to Windows. This latest botnet did not fall out of the clear blue sky. The conditions have been building for some time and I’m glad that our security app will soon be available for Mac users,” says Jiri.

avast! Free Antivirus for Mac is currently in the late  BETA stage. It includes the latest avast! antivirus engine, three shields (Web, File, and Mail) and the WebRep reputation and anti-phishing plugin for Safari browser. avast! Free Antivirus for Mac builds on the AVAST Software tradition of providing a full-fledged security app which is completely free. More details coming very soon.

Approximately 300,000 pieces of malware were used in the testing, and avast! Free Antivirus 7 detected 98% of them; the highest detection rate of all tested free solutions which outperformed a number of paid-for products from other AV vendors. Complementing the high malware detection rate, avast! was also recognized for detecting few false positives during the test. The number of avast! false alarms was 14. The average was 48 false positives. Avast! Free Antivirus 7 is the only free antivirus to receive the Advanced Plus certification rating.

AV-Comparatives chooses which antivirus products are to be tested from a field of internationally well-known, up-to-date antivirus products. In order to ensure that test results give a complete and accurate picture of a product’s capabilities, AV-Comparatives has strict rules about which tests every product must take part in, and which tests are optional. A dynamic “real world” protection test is conducted which measures file-detection rates, the number of false positive alerts raised, as well as other tests that cover different features of the products.

“My avast! Free version will not let me check teacher’s blogs at my daughter’s high school website.  avast! just started blocking this site about 1 week ago.  We can’t find any way on avast! Free to “allow” a trusted site.  What do we do?” wrote a concerned parent from Harrison High School in Georgia.

The problem was not with avast! – the school’s site (http://harrisonhigh.org) really did have an infection.

“For unprotected visitors, it was the same schema as usual, says Jan Sirmer, analyst at the AVAST Virus Lab. “A screen with a fake AV appears in browser and forces you to download that AV and pay money for it.”

“The attack, not surprisingly , focused on WordPress,” he adds. “There were redirections to sub-sites at rr.nu. There we detected more sites such as cie69svoi.rr.nu and  ordonv12ectorct.rr.nu. Those sites redirected visitors to a site with the rogue antivirus.”

In this case, the concerned parents did the right thing. Instead of switching their avast! off to they could visit this “trusted” site, they wrote a note to the AVAST Virus Lab. That likely saved them from installing a fake antivirus on their computer.

The AVAST Virus Lab is not sure how this school site came to be infected. It could have been vulnerable through outdated software or simply had the malware brought into school on an infected memory stick. Issues with WordPress and connected plugins are common. A recent review of over 6,000 infected sites with the “.com” top level domain showed that 13.6% of them involved WordPress vulnerabilities.

But, the moral of the story is clear: If you get a malware alert, pay attention. Especially if it is a trusted site like your kid’s school.

Germany has become the first country to enact a new EU law to protect online consumers against new types of fraud. One visible change will be a “Zahlungspflichtig bestellen” button on internet sites which translates into “order with an obligation to pay” button.

The law is designed to combat internet “subscription traps”, sites that lure consumers with a free offer but actually sign them up for a service where the real costs are hidden and conditions can be misleading if not fraudulent. By late 2012, customers at German ecommerce sites will have to click a button labeled “zahlungspflichtig bestellen” to complete their online purchases instead of the current “anmeldung” (registration) button.

The “Button Law” adopted by the German Bundestag is a result from EU Directive 2011/83/EU on consumer rights. And, it might be used as a model for the other EU countries to copy as the 2013 deadline on the consumer rights Directive approaches.  Since Germany is the largest economy in the European Union, this new law might just have a knock-on impact on consumer rights that goes outside of the country’s borders.

According to Jana Pattynova, a partner at the Prague office of Pierstone, an international law firm, pointed out that along with the new button, potential customers will get information on three basic points:

1. This is not a free service – Customers have to explicitly acknowledge that the service they have signed up for will cost them money.
2. What is it going to cost – Customers will get information – in a readable font size and color – on the real cost of the service.
3. What is the deal – Accurate summary of the contract terms, duration, and conditions.

Based on an interpretation of German law, in Ms Pattynova’s view, if a site has an incorrectly labeled order button, the contract is null and void.

Of course, any site asking for your credit card number should be looked at with certain degree of suspicion.

AVAST Software has ongoing conflicts with subscription traps that ostensibly offer our free antivirus products and combine this with hidden costs and conditions buried deep in the EULA contracts. Some of these sites we block as malware, others are listed in the knowledgebase section of our website. However, it is difficult to keep people from visiting these sites before they have initially downloaded avast!.

Our message to computer users worldwide is that avast! Free Antivirus is just that – free. If a site tries to charge for the privilege of downloading it – leave immediately and tell us about it.

If you aren’t sure where to look, just visit the official www.avast.com site which will automatically redirect you them to the nearest reputable download location.

Be free with avast!

This issue was discovered and researched by us; we have been in contact with Microsoft engineers for the past few months to fix this problem. The aim of this blog post is to explain the problem, the risks, and possible consequences of the fix.

The title of CVE-2012-0151 is “WinVerifyTrust Signature Validation Vulnerability”. Now, what is this special “WinVerifyTrust” thing? It is a part of the operating system which is responsible for the verification of digital signatures. So, when somebody – be it the operating system itself, an application wanting to check its integrity, or the user manually checking a file’s integrity from the Properties tab – wants to validate a file, this is the piece of code that gets called to process the digital signature. The processing consists of two steps; the first step is to make sure that the file hasn’t been tampered with. The code applies complex mathematical algorithms to verify that the file has not been modified in any way, and the file is exactly the same as it was at the moment it was signed. When this is confirmed, the second step is to check whether the particular signer is actually trusted by the system. The system’s certificate store is consulted and the chain of trust is verified.

However, as it turns out, there is a problem in the first step. A signed executable can be modified in such a way that it uses/executes a modified (and possibly malicious) part of the code, yet the file’s signature still remains valid. This destroys the key property of digital signatures – ensuring that a signed file has not been tampered with.

So, what are the consequences? Are digital signatures really that critical? Signing of executable files has become more and more important in the past years; many programs and services have gone online, the amount of malicious files on the Internet has grown vastly, and the social engineering techniques attempting to deliver those files to the victims have only improved. Digital signatures make it possible to distinguish between files coming from trusted sources and those faked by a malicious attacker. In 64bit editions of Windows operating systems, Microsoft has gone even further by enforcing special signing of driver files, with the goal of preventing installation of anonymous/unauthorized kernel code into new systems. (Note that we did not find any evidence that this discussed vulnerability also affects driver verification code – it seems to be safe.)

When you download a file from the Internet and try to run it, or when the UAC prompt appears announcing that a program needs to be run with administrator privileges, the digital signature is checked and the name of the signer is displayed. However, if you cannot be sure that the file is genuine, you can’t really say “this file comes from the company I trust, it’s OK to run it”. Or, to reverse the situation, if a fake file is signed by a known company and you are presented with that information by the operating system itself, there is a very good chance that you will fall for that trap and run the file – a much higher probability than if the file was signed by somebody unknown or wasn’t signed at all. So this vulnerability gives malware authors a chance to increase the perceived trustworthiness of their creations, and subsequently increase their distribution.

Another possible scenario is an Evilgrade-style attack. Many current applications (browsers, browser add-ons, PDF readers, Java, Windows itself) automatically check online for their updates – which is good, because it speeds up fixing of other vulnerabilities found in those programs. When an update is found, it’s downloaded, verified, and finally installed. Why the verification step? First, to make sure there wasn’t any corruption during the file download, and second to check that there wasn’t any network redirection (either local, such as a HOSTS file hijack, or remote – by an evil ISP or hacked router) and if the file wasn’t actually downloaded from a completely unrelated location.

How do they do such verification? Yes, checking the digital signature of the downloaded file is a natural choice. But, if it’s possible to fake the content of the file and keep the digital signature valid… we have a problem; imagine a rogue ISP serving fake browser updates to all the connected clients, installing arbitrary code on their machines. This rogue “ISP” might range from a simple WiFi hotspot placed in a public place to a whole country with the government controlling the Internet connectivity – and trying to get into the people’s computers as well.

Even security products themselves might be affected. Checking the digital signature of a file and assigning that file a certain level of trust according to the outcome – that’s a fairly common practice. Applications signed by specific trusted vendors might get whitelisted – either for certain operations or completely. But of course, it’s imperative that the file in question really originates from the expected vendor; if it was modified by a 3rd party, the trust is unjustified.

As we can see in the few examples above, not being able to trust digital signatures of executable files can be a serious problem. So, what now? The patch is released, everyone installs it and we are back in the world where all is fine again? Well… mostly. The thing is that there are multiple ways to modify signed executables. Some of them can be easily detected because the resulting files are so twisted that no one would ever create such a file without actually trying to exploit the vulnerability. Others are harder to avoid because they are not enabled by any bug in Windows code – they are partly a design flaw (and since we are talking about the format of executable files and digital signatures, it’s something that cannot be easily changed because it would invalidate millions of signed executables out there), and partly a bug in the modifiable executables themselves (i.e. a problem in those 3rd party applications susceptible to this kind of attack). And while the patch tries to do its best to prevent even those harder-to-detect methods, there likely are some applications out there that still can be tampered with while keeping their signature valid.

We have not found any malware using this vulnerability prior to the release of the patch (we have run multiple probes across our 150m+ strong user base to get some intelligence on that). However, we have discovered a few companies that use it in their legal (non-malicious) files – most likely to avoid repetitive signing. Those companies might be in for a little surprise – because their files won’t be signed anymore after the patch is installed (i.e. the signature on these files won’t be verified on systems where the patch is present). This is not to say that you shouldn’t install the patch – you certainly should! The files in question are not “properly signed” anyway.

To conclude – you can never be too careful when it comes to downloading and installing programs. Even a digital signature by someone you trust doesn’t give a 100% assurance that the file is safe. The reason doesn’t even have to be the vulnerability discussed here – the signing certificate may have been stolen, the company computers may have been infected by a virus that embedded itself into the file before the signing, a certificate authority may have been hacked and a fake signing certificate created by the attacker; we have seen all of those. So, don’t download files from suspicious sources, always double check where you download files from, keep your system up-to-date – and use a good antivirus that protects your computer from similar attacks.