Archive

Posts Tagged ‘false positive’

Deeper and deeper

May 11th, 2012

Don’t worry, we’re not going to watch movies marked with an asterisk. However, from a malware analyst’s point of view, the following lines might be somewhat “spicy”. We’ll take a look at a suspected false positive presented as a regular GameMaster setup. The file appeared in our FP submission system with the usual comment, “it’s clean”, or something like that, so we can only guess that the file was not obtained from an official source.

The submitted binary was detected as Win32:MalOb-II, but the infected file was not the setup itself (the topmost layer); it was an included file, FlashPlayer.exe (under the InnoSetup {app} subfolder). So, if we want to analyse it, we must unpack the setup first. FlashPlayer.exe carries an icon stolen from the WinRAR archiver – that’s the first suspicious sign. It contains a lot of high-entropy data – another suspicious sign. This data block gets my attention – I’m curious what’s inside. And here we go: after a little bit of tracing, a dynamically allocated block of memory appears and, guess what, it contains another executable binary (which is never written to disk but executed directly from memory). Great, another layer. Let’s dump this binary and take a detailed look at it. It contains high-entropy (encrypted) data as well, so let’s emulate it and see what’s inside. Bingo! It’s another executable binary, and this time it is dropped to disk under a randomly generated name (it’s a DLL). We can compare it to a typical matryoshka, as we go deeper and deeper through the layers. For those who didn’t catch the flow of information: is it clearer with the image below?

(Figure: layers and their respective detection ratios)

Still nothing? Ok, sorry. For those who are still on track: the initial setup file has a detection coverage lower than 35%, which is frankly a bad overall result. Go deeper! The fake FlashPlayer.exe gets a much better score, close to 83%. Go deeper! The binary executed directly from memory again gets a lower detection ratio (from an on-demand scan of the dump). Go deeper! And the detection ratio finally rises to 75% for the last dropped binary. More details from the individual VT scans can be found here:

https://www.virustotal.com/file/bf66869e434a91cbdbc1410ec80915e5da91e2d6a1a4829ddaae6a998cd218bd/analysis/1336729518/

https://www.virustotal.com/file/1d7c19ca92c36997fb15b7f0483079b9fe6880ce2c59a96258b23e6d4e094e73/analysis/1336742483/

https://www.virustotal.com/file/5e69427b0062302b5b7bc9e95ff1439dff61e10c77b911d075e49d9b72335582/analysis/1336742673/

https://www.virustotal.com/file/e9a96a4a5c22ac94335871778e2aee0c0f74aeb17758f35ae3d5c93635e25f69/analysis/1336743210/

As you can see, all layers of this matryoshka “smell” like Vundo, which is definitely nothing anyone wants to install along with GameMaster. Leaving the binary as it is could give a false feeling of safety – from the outside it’s a normal-looking setup, but if you look inside and aggregate the suspicious signs with the per-layer detection ratios, you can definitely say: “not an FP, next please”.
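The triage workflow described above (flag the high-entropy block, get hold of the decrypted memory, check whether that block is itself a PE, and judge the whole package by its most-detected layer) can be scripted. The following is an added example written for this post, not Avast's own tooling: it runs on a constructed sample (a zero-filled PE stub wrapping a single-byte-XOR "encrypted" inner PE with a pseudo-random body), the XOR step stands in for the tracing and emulation the post describes, and the detection counts in SAMPLE_LAYERS are made up to follow the ratios quoted above.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, close to 8.0 for random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 1024, step: int = 512, threshold: float = 7.0):
    """Slide a window over the file and merge adjacent windows above the threshold.
    Packed or encrypted payloads show up as one contiguous (start, end, max_entropy) region."""
    regions = []
    for off in range(0, max(1, len(data) - window + 1), step):
        e = shannon_entropy(data[off:off + window])
        if e < threshold:
            continue
        end = off + window
        if regions and off <= regions[-1][1]:          # overlaps previous region: extend it
            start, _, prev = regions[-1]
            regions[-1] = (start, end, max(prev, e))
        else:
            regions.append((off, end, e))
    return regions


def find_embedded_pe(data: bytes):
    """Offsets of 'MZ' headers whose e_lfanew (DOS header +0x3C) points at a 'PE\\0\\0' signature.
    A bare 'MZ' is a weak signal; requiring the e_lfanew link filters out random matches."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def make_pe_stub(size: int, filler: bytes, e_lfanew: int = 0x80) -> bytes:
    """Constructed, minimal PE-shaped blob: DOS header with e_lfanew, PE signature, filler body."""
    hdr = bytearray(e_lfanew + 4)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(hdr) + filler[:size - len(hdr)]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Toy single-byte XOR; stands in for whatever the real loader does to its payload."""
    return bytes(b ^ key for b in data)


def build_sample(seed: int = 1337, key: int = 0x5A):
    """Constructed carrier: 2 KiB low-entropy PE stub, 4 KiB XOR-'encrypted' inner PE, 1 KiB padding."""
    rng = random.Random(seed)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))   # pseudo-random body of the inner PE
    inner = make_pe_stub(4096, noise)
    outer = make_pe_stub(2048, b"\0" * 2048) + xor_bytes(inner, key) + b"\0" * 1024
    return outer, inner, key


# Constructed detection counts (positives, engines) loosely following the ratios in the post.
SAMPLE_LAYERS = [
    ("GameMaster setup", 14, 42),
    ("FlashPlayer.exe", 35, 42),
    ("in-memory binary dump", 20, 42),
    ("dropped DLL", 31, 42),
]


def layer_verdict(layers):
    """Return the layer with the highest detection ratio. One strongly detected inner
    layer condemns the whole package, however clean the outer setup looks."""
    name, pos, total = max(layers, key=lambda layer: layer[1] / layer[2])
    return name, round(pos / total, 2)


if __name__ == "__main__":
    outer, inner, key = build_sample()
    for start, end, e in high_entropy_regions(outer):
        print(f"high-entropy region {start:#x}-{end:#x}, entropy {e:.2f}")
        decrypted = xor_bytes(outer[start:end], key)          # here: tracing/emulation output
        print("embedded PE at offsets", find_embedded_pe(decrypted))
    print("verdict by worst layer:", layer_verdict(SAMPLE_LAYERS))
```

The entropy scan only tells you where to look; the PE check on the decrypted block is what confirms there is another layer, and the verdict function makes the aggregation explicit instead of eyeballing four VirusTotal pages.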

Please let me know: are such insights into our daily work interesting for you?


AVAST gets Advanced Plus rating in AV-Comparatives’ Test

April 23rd, 2012

Avast! Free Antivirus 7 has the distinction of being the only free antivirus to receive the Advanced Plus certification rating in the annual “On-Demand Detection of Malicious Software” test from Anti-Virus Comparatives.

Approximately 300,000 pieces of malware were used in the testing, and avast! Free Antivirus 7 detected 98% of them, the highest detection rate of all tested free solutions, outperforming a number of paid-for products from other AV vendors. Complementing the high malware detection rate, avast! was also recognized for raising few false positives during the test: avast! raised 14 false alarms, against an average of 48 across the tested products. Avast! Free Antivirus 7 is the only free antivirus to receive the Advanced Plus certification rating.

AV-Comparatives chooses the antivirus products to be tested from a field of internationally well-known, up-to-date antivirus products. To ensure that test results give a complete and accurate picture of a product’s capabilities, AV-Comparatives has strict rules about which tests every product must take part in and which tests are optional. A dynamic “real world” protection test is conducted alongside the file-detection test, which measures file-detection rates and the number of false positive alerts raised, as well as other tests that cover different features of the products.


Remediation instructions for avast update 110411-1

April 12th, 2011

On 11 April 2011, virus definition update 110411-1 included an error that caused a large number of false alerts on visited web pages, which avast! antivirus flagged as infected.

The avast! technical team discovered the problem quickly and, after blocking the faulty update, released a new update about 45 minutes later that corrects the problem (VPS 110411-2).

Approximately 4% of avast! Antivirus users were affected.

Because of these false alerts, the avast! team apologizes for any inconvenience caused to avast! antivirus users. For users affected by this update, we recommend the following steps to fix the problem:

  1. Open the avast! Antivirus program
  2. Select “Maintenance”
  3. Run “Update engine and virus definitions”
  4. Select “Virus Chest”
  5. Sort by “Time moved to Chest”
  6. Select the files you want to restore
  7. Right-click and select “Restore”

After the files are restored, a copy of each will also remain in the Virus Chest.

We hope these steps clear up any confusion. If you need further help, please contact us or visit www.avast.com/support
