Archive for January 2009

Parental Control in Avira Premium Security Suite 9

Currently we’re developing and testing the Avira products in version 9. Since the beta is already out, it’s time to take a look at some of the new features we have been adding. The release of the new products is scheduled for March.

One of the features that users were asking for in our security suite was parental controls. We listened to those requests, and our developers did a great job of adding them!

Fig. 1: The configuration screen for the parental controls in Avira Premium Security Suite 9.

The parental controls are meant for parents who want to restrict and/or control the internet usage of their children. Children shouldn’t need to look at pornographic web sites, for example, and online gambling isn’t suitable for them either.

We implemented the web filter at the protocol level as an addition to the WebGuard, so it works independently of the web browser in use, be it Internet Explorer, Opera, Firefox or Safari. The filtering is role-based: each account on the computer can get its own ruleset.

Say you have two accounts, Administrator and Kids. Administrator can use the pre-defined profile for adults, and if someone logs into the machine as Kids, that account’s rules (for example the pre-defined Child profile) are active.

You can define your own profiles and choose from around 15 categories like pornography, entertainment and so on, and allow or forbid the users of such a profile to view web sites falling into these categories. Additionally, the Administrator can add web sites that are allowed or forbidden in any case, even if the profile categories say otherwise (black- and whitelisting).

The administrator can (and should!) protect the configuration with a password, so that restricted accounts can’t modify the rules that are in place.

Dirk Knop
Technical Editor

New spam outbreak for meds

Over the last two weeks we have watched a small meds spam campaign for penis enlargement pills turn into a real outbreak. The emails are very well crafted, and it is rather easy for them to confuse some spam filters.

Meds-Spam

The advertising email appears to be sent from the recipient’s own email address, to convince the filter that the user has sent himself an email with some text and a picture. The text is always different, but follows this format:

You are receiving this newsletter because you subscribed to the <some company name> Group newsletter as <email>. If you wish to change or remove your email address, please visit <this link>.

<Some company name> Group respects your privacy. <Our privacy policy>.

The unsubscribe link has a very interesting format:
http://<subdomain>.<host>.cn/<number>.shtml?mail=<emailaddress>

In each email the subdomain differs from the one where the site itself is located, but the host is the same: a random name registered in China. The URL is crafted specifically for the recipient’s email address, so if someone clicks the link, the spammers will most likely learn that there is a real person behind that address and that the email was not blocked along the way.

Also interesting is the link at the top of the page: “If this doesn’t appear correctly in your email client, please visit this <link>”. That link carries the same unique ID as the unsubscribe link, but without the email address.

Needless to say, all of the links lead to the main page of the meds site.
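As an added example (not code from this post), here is a small Python check for the message shape described above: a sender equal to the recipient, and a .cn link with a numeric .shtml path whose mail= parameter carries the recipient’s own address. The host name and the sample message are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed sample mimicking the campaign: From equals To, and an
# "unsubscribe" link that carries the recipient address as a parameter.
SAMPLE_EMAIL = """\
From: alice@example.net
To: alice@example.net
Subject: Your Monthly Newsletter
Content-Type: text/plain; charset=us-ascii

You are receiving this newsletter because you subscribed to the Acme Group
newsletter as alice@example.net. If you wish to change or remove your
email address, please visit
http://a1b2c3.example-host-placeholder.cn/48213.shtml?mail=alice@example.net

Acme Group respects your privacy. http://a1b2c3.example-host-placeholder.cn/48213.shtml
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def analyze_message(raw: str) -> dict:
    """Return the indicators found in one raw RFC 2822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    body = msg.get_body(preferencelist=("plain", "html")).get_content()

    tracking_links = []
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        addrs = [a.lower() for a in parse_qs(parts.query).get("mail", [])]
        # The campaign's shape: .cn host, /<number>.shtml path, and the
        # recipient's own address in "mail=" (a click-tracking beacon).
        if (parts.hostname and parts.hostname.endswith(".cn")
                and re.fullmatch(r"/\d+\.shtml", parts.path)
                and recipient in addrs):
            tracking_links.append(url)

    self_addressed = bool(sender) and sender == recipient
    return {
        "self_addressed": self_addressed,
        "tracking_links": tracking_links,
        "suspicious": self_addressed and bool(tracking_links),
    }
```

Both indicators together are a much stronger signal than either alone; the second link in the sample (same path, no mail= parameter) is deliberately not flagged.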

Sorin Mustaca
Manager International Software Development

Glitch in archive processing removed

Recently security consultant Thierry Zoller informed us about some defective RAR archives which our products didn’t process properly. Those archives caused a division-by-zero error in our unpacker module, which led to a crash of the module. In very rare circumstances this bug could lead to reading 4 random bytes, and in even rarer cases a NULL pointer dereference might have occurred. We don’t believe it was possible to execute injected code with specially prepared archives due to this bug, but in any case we fixed the problem and pushed out an update last Friday. By now, every Avira user should have received and installed the update automatically.

Dirk Knop
Technical Editor

Microsoft patches SMB vulnerability

Yesterday evening Microsoft issued a security bulletin concerning a security vulnerability in the SMB processing of Windows operating systems. The holes in the software are considered critical up to Windows Server 2003 and may allow attackers to execute remotely injected malware; in Vista and Windows Server 2008 they are rated less critical. Windows 7 only contains a DoS issue where the SMB service would fail and trigger a reboot of the computer.

Server administrators and users are advised to install the patch ASAP, even though Microsoft mentions that the security weakness should be hard to abuse. We’ve been taught better in the past.

Dirk Knop
Technical Editor

Spam via Google Docs

We are observing a new method to host spam information using Google Docs. Google Docs is an online application which allows users to create and share documents online.

Quoting Google on what this application allows you to do:
“• Upload from and save to your desktop
• Edit anytime, from anywhere
• Pick who can access your documents
• Share changes in real time
• Files are stored securely online
The biggest asset of it is: It’s FREE!”

And this is exactly why the spammers use it.

Fig.1: Spam using Google Docs

Once accessed, the content hosted by Google is a simple HTML document, as shown in Figure 2.

Fig.2: HTML page hosted on Google Docs

Why do the scammers go to this trouble? The Google domain will never be blocked by an antispam product. Furthermore, an antispam product which sees such a “non-spammy” link inside the email will likely rate the email in favor of ham instead of spam. Just to confuse the web filters that can heuristically detect the website as spam, they also added some junk text at the end of the document.

This is already the second attempt to misuse a Google online application. In the past we have seen spam using Google Calendar, another online application.

Sorin Mustaca
Manager International Software Development

Phishing attack against Volksbank-Raiffeisen and Sparkasse Banks

We are alerting our customers that at this moment there is a phishing outbreak targeting the Volksbank-Raiffeisen and Sparkasse banks. The email claims to inform customers that they have to log in to the Internet Banking website in order to fill in a form.

Fig.1: Phishing mail

There are at least 10 different target websites with the same graphical interface. This shows us that some kind of generator has been used to produce the website code.

Fig.2: Volksbank Phishing website

Fig.3: Sparkasse Phishing site

Avira customers who use the Mailguard (with Antispam-Antiphishing) and Webguard modules are protected against this kind of website. Mailguard will mark the email as “Phishing”, and Webguard will block the link because it recognizes it as a phishing URL.

Sorin Mustaca
Manager International Software Development

Silent Patchday ahead – but multiple Media Player issues

Microsoft is planning to release only one Security Bulletin next Tuesday, the first Patchday of the new year. The problem it solves is rated critical for Windows 2000, XP and Windows Server 2003. In Vista and Windows Server 2008 Microsoft rates it “moderate”.

In the last few days plenty of critical errors have been found in several media players for Windows. Manipulated media files can cause buffer overflows and thereby inject malicious code, such as a trojan. Proof-of-concept exploit code is publicly available for GOM Player 2.0.12.3375, VUPlayer 2.49, CoolPlayer build 219, Rosoft Media Player 4.2.1, Destiny Media Player 1.61, the WinAmp GEN_MSN Plugin and the audio editor Audacity 1.6.2 (and earlier versions of these programs). Users of this software should look out for an update from the respective vendor or programmer group. Until updates are available, they shouldn’t play content downloaded from the internet with these media players.

Dirk Knop
Technical Editor