AVAST gets Advanced Plus rating in AV-Comparatives’ Test

April 23rd, 2012

Avast! Free Antivirus 7 has the distinction of being the only free antivirus to receive the Advanced Plus certification rating from the annual “On-Demand Detection of Malicious Software” test from Anti-Virus Comparatives.

Approximately 300,000 pieces of malware were used in the testing, and avast! Free Antivirus 7 detected 98% of them. That was the highest detection rate of all tested free solutions, and it outperformed a number of paid-for products from other AV vendors. Complementing the high malware detection rate, avast! was also recognized for raising few false positives during the test. The number of avast! false alarms was 14. The average was 48 false positives. Avast! Free Antivirus 7 is the only free antivirus to receive the Advanced Plus certification rating.

AV-Comparatives chooses which antivirus products are to be tested from a field of internationally well-known, up-to-date antivirus products. In order to ensure that test results give a complete and accurate picture of a product’s capabilities, AV-Comparatives has strict rules about which tests every product must take part in, and which tests are optional. A dynamic “real world” protection test is conducted which measures file-detection rates, the number of false positive alerts raised, as well as other tests that cover different features of the products.

Categories: avast.com, General Tags:

Malware ate my homework

April 20th, 2012

Missing homework used to be blamed on the family dog, but now the focus has shifted to the computer. And sometimes – as this user note shows – malware really is to blame.

“My avast! Free version will not let me check teacher’s blogs at my daughter’s high school website. avast! just started blocking this site about 1 week ago. We can’t find any way on avast! Free to “allow” a trusted site. What do we do?” wrote a concerned parent from Harrison High School in Georgia.

The problem was not with avast! – the school’s site (http://harrisonhigh.org) really did have an infection.

“For unprotected visitors, it was the same schema as usual,” says Jan Sirmer, analyst at the AVAST Virus Lab. “A screen with a fake AV appears in the browser and forces you to download that AV and pay money for it.”

“The attack, not surprisingly, focused on WordPress,” he adds. “There were redirections to sub-sites at rr.nu. There we detected more sites such as cie69svoi.rr.nu and ordonv12ectorct.rr.nu. Those sites redirected visitors to a site with the rogue antivirus.”

In this case, the concerned parents did the right thing. Instead of switching their avast! off so they could visit this “trusted” site, they wrote a note to the AVAST Virus Lab. That likely saved them from installing a fake antivirus on their computer.

The AVAST Virus Lab is not sure how this school site came to be infected. It could have been vulnerable through outdated software or simply had the malware brought into school on an infected memory stick. Issues with WordPress and connected plugins are common. A recent review of over 6,000 infected sites with the “.com” top level domain showed that 13.6% of them involved WordPress vulnerabilities.

But, the moral of the story is clear: If you get a malware alert, pay attention. Especially if it is a trusted site like your kid’s school.

 

Categories: avast.com, Marketing Tags:

Here comes the “Zahlungspflichtig bestellen” button

April 17th, 2012

Germany leads EU in unpronounceable consumer protection

Germany has become the first country to enact a new EU law to protect online consumers against new types of fraud. One visible change will be a “Zahlungspflichtig bestellen” button on internet sites, which translates as “order with an obligation to pay”.

The law is designed to combat internet “subscription traps”, sites that lure consumers with a free offer but actually sign them up for a service where the real costs are hidden and conditions can be misleading if not fraudulent. By late 2012, customers at German ecommerce sites will have to click a button labeled “zahlungspflichtig bestellen” to complete their online purchases instead of the current “anmeldung” (registration) button.

The “Button Law” adopted by the German Bundestag results from EU Directive 2011/83/EU on consumer rights. And, it might be used as a model for the other EU countries to copy as the 2013 deadline on the consumer rights Directive approaches. Since Germany is the largest economy in the European Union, this new law might just have a knock-on impact on consumer rights that goes outside of the country’s borders.

Jana Pattynova, a partner at the Prague office of Pierstone, an international law firm, pointed out that along with the new button, potential customers will get information on three basic points:

  1. This is not a free service – Customers have to explicitly acknowledge that the service they have signed up for will cost them money.
  2. What is it going to cost – Customers will get information – in a readable font size and color – on the real cost of the service.
  3. What is the deal – Accurate summary of the contract terms, duration, and conditions.

Based on an interpretation of German law, in Ms Pattynova’s view, if a site has an incorrectly labeled order button, the contract is null and void.

Of course, any site asking for your credit card number should be looked at with a certain degree of suspicion.

AVAST Software has ongoing conflicts with subscription traps that ostensibly offer our free antivirus products and combine this with hidden costs and conditions buried deep in the EULA contracts. Some of these sites we block as malware, others are listed in the knowledgebase section of our website. However, it is difficult to keep people from visiting these sites before they have initially downloaded avast!.

Our message to computer users worldwide is that avast! Free Antivirus is just that – free. If a site tries to charge for the privilege of downloading it – leave immediately and tell us about it.

If you aren’t sure where to look, just visit the official www.avast.com site, which will automatically redirect you to the nearest reputable download location.

Be free with avast!

Categories: avast.com, Marketing Tags:

Beware of a new Windows security vulnerability (MS12-024)

April 12th, 2012

As part of April’s “Patch Tuesday”, Microsoft released a fix for the MS12-024 / CVE-2012-0151 vulnerability.

This issue was discovered and researched by us; we have been in contact with Microsoft engineers for the past few months to fix this problem. The aim of this blog post is to explain the problem, the risks, and possible consequences of the fix.

The title of CVE-2012-0151 is “WinVerifyTrust Signature Validation Vulnerability”. Now, what is this special “WinVerifyTrust” thing? It is a part of the operating system which is responsible for the verification of digital signatures. So, when somebody – be it the operating system itself, an application wanting to check its integrity, or the user manually checking a file’s integrity from the Properties tab – wants to validate a file, this is the piece of code that gets called to process the digital signature. The processing consists of two steps; the first step is to make sure that the file hasn’t been tampered with. The code applies complex mathematical algorithms to verify that the file has not been modified in any way, and the file is exactly the same as it was at the moment it was signed. When this is confirmed, the second step is to check whether the particular signer is actually trusted by the system. The system’s certificate store is consulted and the chain of trust is verified.

However, as it turns out, there is a problem in the first step. A signed executable can be modified in such a way that it uses/executes a modified (and possibly malicious) part of the code, yet the file’s signature still remains valid. This destroys the key property of digital signatures – ensuring that a signed file has not been tampered with.

So, what are the consequences? Are digital signatures really that critical? Signing of executable files has become more and more important in the past years; many programs and services have gone online, the amount of malicious files on the Internet has grown vastly, and the social engineering techniques attempting to deliver those files to the victims have only improved. Digital signatures make it possible to distinguish between files coming from trusted sources and those faked by a malicious attacker. In 64-bit editions of Windows operating systems, Microsoft has gone even further by enforcing special signing of driver files, with the goal of preventing installation of anonymous/unauthorized kernel code into new systems. (Note that we did not find any evidence that the vulnerability discussed here also affects driver verification code – it seems to be safe.)

When you download a file from the Internet and try to run it, or when the UAC prompt appears announcing that a program needs to be run with administrator privileges, the digital signature is checked and the name of the signer is displayed. However, if you cannot be sure that the file is genuine, you can’t really say “this file comes from the company I trust, it’s OK to run it”. Or, to reverse the situation, if a fake file is signed by a known company and you are presented with that information by the operating system itself, there is a very good chance that you will fall for that trap and run the file – a much higher probability than if the file was signed by somebody unknown or wasn’t signed at all. So this vulnerability gives malware authors a chance to increase the perceived trustworthiness of their creations, and subsequently increase their distribution.

Another possible scenario is an Evilgrade-style attack. Many current applications (browsers, browser add-ons, PDF readers, Java, Windows itself) automatically check online for their updates – which is good, because it speeds up fixing of other vulnerabilities found in those programs. When an update is found, it’s downloaded, verified, and finally installed. Why the verification step? First, to make sure there wasn’t any corruption during the file download, and second, to check that there wasn’t any network redirection (either local, such as a HOSTS file hijack, or remote – by an evil ISP or hacked router) and that the file wasn’t actually downloaded from a completely unrelated location.

How do they do such verification? Yes, checking the digital signature of the downloaded file is a natural choice. But, if it’s possible to fake the content of the file and keep the digital signature valid… we have a problem; imagine a rogue ISP serving fake browser updates to all the connected clients, installing arbitrary code on their machines. This rogue “ISP” might range from a simple WiFi hotspot placed in a public place to a whole country with the government controlling the Internet connectivity – and trying to get into the people’s computers as well.

Even security products themselves might be affected. Checking the digital signature of a file and assigning that file a certain level of trust according to the outcome – that’s a fairly common practice. Applications signed by specific trusted vendors might get whitelisted – either for certain operations or completely. But of course, it’s imperative that the file in question really originates from the expected vendor; if it was modified by a 3rd party, the trust is unjustified.

As we can see in the few examples above, not being able to trust digital signatures of executable files can be a serious problem. So, what now? The patch is released, everyone installs it and we are back in the world where all is fine again? Well… mostly. The thing is that there are multiple ways to modify signed executables. Some of them can be easily detected because the resulting files are so twisted that no one would ever create such a file without actually trying to exploit the vulnerability. Others are harder to avoid because they are not enabled by any bug in Windows code – they are partly a design flaw (and since we are talking about the format of executable files and digital signatures, it’s something that cannot be easily changed because it would invalidate millions of signed executables out there), and partly a bug in the modifiable executables themselves (i.e. a problem in those 3rd party applications susceptible to this kind of attack). And while the patch tries to do its best to prevent even those harder-to-detect methods, there likely are some applications out there that still can be tampered with while keeping their signature valid.

We have not found any malware using this vulnerability prior to the release of the patch (we have run multiple probes across our 150m+ strong user base to get some intelligence on that). However, we have discovered a few companies that use it in their legal (non-malicious) files – most likely to avoid repetitive signing. Those companies might be in for a little surprise – because their files won’t be signed anymore after the patch is installed (i.e. the signature on these files won’t be verified on systems where the patch is present). This is not to say that you shouldn’t install the patch – you certainly should! The files in question are not “properly signed” anyway.
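One way to find the files the paragraph above describes, i.e. executables whose signature no longer validates once the patch is installed, is to record the Authenticode status of installed software before and after patching and compare the two runs. The script below is an added example, not code from the original post or from AVAST; the default `$Root`, the CSV file names, and the choice of `.exe`/`.dll` are assumptions.

```powershell
# Added example: inventory Authenticode status under a directory and, optionally,
# compare it with an earlier run (e.g. one taken before installing the patch).
param(
    [string]$Root        = 'C:\Program Files',          # assumed default, adjust as needed
    [string]$OutCsv      = '.\authenticode-audit.csv',  # assumed output file name
    [string]$BaselineCsv                                # optional CSV from an earlier run
)

# Ask Windows to validate each file and keep only the fields needed for the audit.
$results = Get-ChildItem -Path $Root -Recurse -File -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Path    = $_.FullName
            Status  = [string]$sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Message = $sig.StatusMessage
        }
    }

# Save this run so it can serve as the baseline for the next one.
$results | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8

# Overall picture: how many files fall into each status.
$results | Group-Object Status | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Files that carry a signer certificate but do not validate: a signature is
# present, yet the content or the chain of trust does not check out.
$results | Where-Object { $_.Status -ne 'Valid' -and $_.Signer } |
    Sort-Object Signer, Path |
    Format-Table Status, Signer, Path -AutoSize

# Files that validated in the baseline run but no longer do.
if ($BaselineCsv) {
    $before = @{}
    Import-Csv -Path $BaselineCsv | ForEach-Object { $before[$_.Path] = $_.Status }
    $results | Where-Object { $before[$_.Path] -eq 'Valid' -and $_.Status -ne 'Valid' } |
        Format-Table Path, Status, Message -AutoSize
}
```

Run it once before patching, keep the CSV, and pass that file as `-BaselineCsv` on the run after patching; anything in the last table is a candidate for a properly re-signed build from the vendor.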

To conclude – you can never be too careful when it comes to downloading and installing programs. Even a digital signature by someone you trust doesn’t give a 100% assurance that the file is safe. The reason doesn’t even have to be the vulnerability discussed here – the signing certificate may have been stolen, the company computers may have been infected by a virus that embedded itself into the file before the signing, a certificate authority may have been hacked and a fake signing certificate created by the attacker; we have seen all of those. So, don’t download files from suspicious sources, always double check where you download files from, keep your system up-to-date – and use a good antivirus that protects your computer from similar attacks.

Categories: avast.com Tags:

Surfing the Web vs. Cruising the Strip

April 10th, 2012

Modern teenagers would rather socialize with friends on the web than get in a car and go see them in person. Is this a glitch in the matrix, or for real?

It’s real. Recent studies reveal that being digitally connected is more important to young people than the freedom a car brings. The University of Michigan Transportation Research Institute found that the current number of American 17 year-olds with driver’s licenses has dropped by 50% from 30 years ago. The pattern is repeated in countries with quality Internet access, including Canada, Great Britain, Germany, Japan, Sweden, Norway and South Korea, where the number of young drivers has also declined over recent years.

The theory is that virtual contact has reduced the need for young people to get together face-to-face. A November Gartner study supports this, showing that 46% of people aged 18 to 24 would take internet access over access to a car of their own. This is not too surprising when you consider the price of a car, insurance and fuel compared to the price of an iPhone, for example.

Does this mean that dependence on digital devices instead of wheels for socializing can save lives? Could be. The CDC says that motor vehicle crashes are the leading cause of death for U.S. teens, accounting for more than one in three deaths. The risk of motor vehicle crashes is higher among 16 to 19 year-olds than among any other age group. If those teenagers are now staying home to surf the web, the statistics should reflect that pretty soon.

How could this trend affect global warming? Gas prices? Dividends from Apple? Looks like this could actually be pretty good for everyone – except maybe the car manufacturers. But they are looking at ways to converge technology to make your car into a big smartphone. Last month at the Geneva car show, manufacturers were displaying how smartphones or tablets will become a seamless extension of the dashboard. And you thought texting was dangerous?

Meanwhile, a survey from last week shows that right now 34% of U.S. teenagers own an iPhone, and a further 40% have aspirations to buy one in the next 6 months.

Which one is more important to you – your car or your smartphone? What new technology would you like to see in new cars? Share your thoughts in the comments below.

Categories: avast.com, General Tags:

Risky gaming with ZeuS and WordPress

April 10th, 2012

Assassinscreedfrance.fr, a French fan site for the wildly popular computer game, is still infected.

For over 8 weeks, the site has been infected with a Trojan JavaScript redirector that sends visitors to a Russian malware site and connects them to a ZeuS-powered botnet. The infection was last confirmed by the AVAST Virus Lab at 12.00 CET, April 10, 2012. And, just to make it clear, this Assassinscreedfrance.fr site is not affiliated with Ubisoft, the developers of the Assassin’s Creed franchise.

So far, avast! has blocked over 179,800 visits by its users to this site. And, Assassinscreedfrance.fr is just one of 1,841 sites around the globe that have been infected with this specific Trojan during the month of March.

Powered by variants of the ZeuS Trojan, this collection of botnets has stolen over $100 million from small and medium-sized businesses.

The infection, a Trojan redirector, sends users to a Russian malware distribution server with an IP registered in Saint Petersburg, Russia. And yes, this server is still working, even after Microsoft’s recent takedown of a few dozen botnet servers.

The infection at Assassinscreedfrance.fr is located in the countdown timer in the JavaScript module, a common WordPress plugin. Other sites had infections hitting a wide range of WordPress vulnerabilities. “The bad guys are using an automatic tool that is looking for some holes,” said Jan Sirmer, analyst from the AVAST Virus Lab. “Assassinscreedfrance.fr may have become vulnerable by using an outdated version of WordPress, even though their JavaScript plugin is up-to-date. For the rest of these sites, we can safely say that older programs and plugins are common ways to get infected.”

A quick look at over 6,000 infected sites with the “.com” top level domain showed that 13.6% of them involved some WordPress vulnerabilities. “It is not an uncommon problem,” pointed out Jan. “And it’s mostly resulting from owners forgetting to update their plugins.”

Categories: avast.com Tags: