Archive for February 2009

What to do if your site has been hacked by Phishers

APWG has published an advisory document called “What to do if your site has been hacked by Phishers”. It gives website owners concrete actions they can take once they have been notified that their website or web server has been compromised and is being used for phishing. If you are a brand owner, takedown provider, or ISP, feel free to include a link to this document when you communicate with people whose sites have been compromised to host phishing pages.

If you know any brand owners, takedown providers, or ISPs that might be interested in using this document, please feel free to forward this document to them or notify them of its existence.

Here is the document:
http://www.apwg.com/reports/APWG_WTD_HackedWebsite.pdf

Many thanks to APWG (www.apwg.org) for their continuous fight against this Internet plague.

Sorin Mustaca
Manager International Development

Pidief-Shellcode with a Twist

While analysing the latest malicious PDF exploit documents, we found that the embedded shellcode has some interesting features. The shellcode is executed once the exploit has succeeded.

The server the shellcode connects to sits in China.

The payload of the PDF contacts a server in China, so far nothing uncommon. The contacted system belongs to the network of the Chinese CHINA RAILWAY TELECOMMUNICATIONS CENTER. Very unusual, though, is the port used for communicating with the command and control server: port 220, which is assigned to the IMAPv3 protocol. The protocol actually spoken on it appears to be proprietary and zlib-compressed.

An unusual port is used for communication with the command and control server.

From there it downloads further malware. Among the samples we have seen is, for example, BDS/Agent.adsi, a backdoor, which gets installed in the Windows system directory.
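The C2 channel described above has a simple network signature: TCP port 220 is assigned to IMAP3, but what flows over it is not IMAP at all, it is a zlib stream. The following script is an added example (not Avira's code) that classifies flow records on that basis; the flow records, hostnames and IP addresses are constructed for the demonstration.

```python
"""Added example (not Avira's code): spot flows that look like the Pidief
command-and-control channel.  The C2 talks on TCP port 220 (IANA: IMAP3),
but the data on the wire is a zlib stream, not IMAP.  The flow records at
the bottom are constructed for the demonstration."""
import zlib

C2_PORT = 220          # port observed in the post (IANA assigns 220 to IMAP3)

IMAP_COMMANDS = {"CAPABILITY", "NOOP", "LOGOUT", "STARTTLS", "AUTHENTICATE",
                 "LOGIN", "SELECT", "EXAMINE", "LIST", "FETCH", "SEARCH"}


def looks_like_imap(payload: bytes) -> bool:
    """True for an IMAP server greeting ('* OK ...') or a tagged client command."""
    first = payload.split(b"\r\n", 1)[0]
    if not first.isascii():
        return False
    parts = first.decode("ascii").split()
    if len(parts) >= 2 and parts[0] == "*" and parts[1].upper() in {"OK", "PREAUTH", "BYE"}:
        return True
    return len(parts) >= 2 and parts[1].upper() in IMAP_COMMANDS


def looks_like_zlib(payload: bytes) -> bool:
    """Cheap zlib header check (RFC 1950) followed by a trial inflate."""
    if len(payload) < 2:
        return False
    cmf, flg = payload[0], payload[1]
    # CM must be 8 (deflate) and CMF*256+FLG must be a multiple of 31 (FCHECK)
    if cmf & 0x0F != 8 or (cmf * 256 + flg) % 31 != 0:
        return False
    try:
        zlib.decompressobj().decompress(payload)
    except zlib.error:
        return False
    return True


def classify_flow(flow: dict) -> str:
    """Return 'c2-suspect', 'imap', 'unknown-220' or 'other' for one flow."""
    if flow["dport"] != C2_PORT:
        return "other"
    if looks_like_imap(flow["payload"]):
        return "imap"
    if looks_like_zlib(flow["payload"]):
        return "c2-suspect"
    return "unknown-220"


def c2_suspects(flows):
    """Return (src, dst, inflated-preview) for every flow classified as C2."""
    hits = []
    for f in flows:
        if classify_flow(f) == "c2-suspect":
            preview = zlib.decompressobj().decompress(f["payload"])[:32]
            hits.append((f["src"], f["dst"], preview))
    return hits


# Constructed sample flows; the addresses come from documentation ranges and
# the "beacon" content is invented, the real protocol is not documented here.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "203.0.113.5", "dport": 220,
     "payload": zlib.compress(b"\x01\x00HOSTNAME=WORKSTATION-7;OS=5.1")},
    {"src": "192.0.2.11", "dst": "203.0.113.6", "dport": 220,
     "payload": b"* OK IMAP3 server ready\r\n"},
    {"src": "192.0.2.12", "dst": "203.0.113.7", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
]

if __name__ == "__main__":
    for src, dst, preview in c2_suspects(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{C2_PORT} zlib C2 channel, inflated head: {preview!r}")
```

The header check alone is cheap enough to run on every flow; the trial inflate keeps the occasional binary blob that happens to start with 0x78 from raising an alert. Real IMAP3 on port 220 is rare today, so an "unknown-220" result is itself worth a look.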

Until Adobe has released a patch for this vulnerability, make sure JavaScript support is disabled in Adobe Reader and Acrobat, and use up-to-date antivirus software such as Avira AntiVir. Avira AntiVir detects the known malicious PDF files and the downloaded malware. We plan to release a heuristics update today which will detect even more malicious PDF files, including ones not yet known.
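The advice to disable JavaScript works because these documents need a script, and an action that runs it on open, to reach the vulnerable code. The following triage script is an added example (not Avira's heuristics) that looks for exactly those features in a PDF. It also inflates Flate-compressed streams and undoes #xx name escapes, two simple tricks used to keep the names out of sight of naive string matching. The two PDFs at the bottom are constructed for the demonstration.

```python
"""Added example (not Avira's heuristics): static triage of a PDF for
JavaScript and for actions that run it automatically.  Looks inside
zlib-compressed streams and undoes #xx name escapes.  The sample PDFs are
constructed for the demonstration."""
import re
import zlib

SUSPICIOUS_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}

_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")            # a PDF name token
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def normalise_name(raw: bytes) -> str:
    """Undo #xx hex escapes, so /J#61vaScript becomes /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def inflated_streams(data: bytes):
    """Yield the content of every stream that inflates as zlib (/FlateDecode)."""
    for m in _STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue        # another filter or plain data; the raw bytes are scanned anyway


def pdf_indicators(data: bytes) -> dict:
    """Count suspicious names in the raw file and in every inflated stream."""
    counts = {}
    for blob in [data, *inflated_streams(data)]:
        for m in _NAME_RE.finditer(blob):
            name = normalise_name(m.group(0))
            if name in SUSPICIOUS_NAMES:
                counts[name] = counts.get(name, 0) + 1
    return counts


def triage(data: bytes) -> str:
    """'high' = script wired to run on open, 'medium' = script or launch action."""
    ind = pdf_indicators(data)
    has_js = "/JavaScript" in ind or "/JS" in ind
    auto = "/OpenAction" in ind or "/AA" in ind
    if has_js and auto:
        return "high"
    if has_js or "/Launch" in ind:
        return "medium"
    return "low"


# Constructed samples.  The "malicious" one hides its script in a Flate
# stream and spells one name with a hex escape; the script body is harmless.
_JS = b"<< /S /JavaScript /JS (app.alert('constructed sample');) >>"
_FLATE = zlib.compress(_JS)
MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
    b"/Names << /J#61vaScript 5 0 R >> >> endobj\n"
    + b"4 0 obj << /Length " + str(len(_FLATE)).encode() + b" /Filter /FlateDecode >>\n"
    + b"stream\n" + _FLATE + b"\nendstream\nendobj\n"
    + b"%%EOF\n")
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, pdf in (("constructed malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, triage(pdf), pdf_indicators(pdf))
```

The counts are deliberately kept rather than collapsed into a verdict: a form-heavy invoice may legitimately carry /JS, but /JavaScript reachable from /OpenAction in an otherwise empty document is the pattern of an exploit carrier. Object streams (/ObjStm) and non-Flate filters are not unpacked here, so a "low" result is not a clean bill of health.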

Dirk Knop
Technical Editor

Avira protects against IE7 Exploit

Microsoft patched a security hole in Internet Explorer on last week's Black Tuesday (MS09-002). As expected, the first public exploits for the vulnerability have appeared, trying to install malware on the computers of unsuspecting users.

A link is spread in spam mails with a Word document attached that opens a Chinese website, which in turn tries to exploit the vulnerability on unpatched systems. The vulnerability can also be exploited via drive-by download, but we haven't seen this attack vector being used yet.

Avira detects the exploit site as infected with HTML/Rce.Gen and warns the user, so users of Avira products are currently safe from this attack. Still, now is the time to patch your computers with the available update. Make sure all your computers are up to date!

Dirk Knop
Technical Editor

Further improvements in AntiVir 9

We already mentioned some of the major improvements in Avira AntiVir 9. What we haven't covered yet are some of the minor changes which make AntiVir easier to control and use.

For example, our developers overhauled the upload mechanism for suspicious executable files from the quarantine. Up to AntiVir 8, you needed to enter your email address and your mail server so the samples could be sent via email. Now you can send us such samples with a single click; the new implementation uses an HTTP upload.

Also, our programmers improved the “kill protection” for AntiVir processes, which prevents malware from forcibly terminating the AntiVir Guard. The file protection has been enhanced as well. Gamers among Avira users will like the new automatic game mode, which suppresses firewall pop-ups when AntiVir detects a running game on the computer.

For the increasingly popular netbooks, tiny notebooks with reduced display size and resolution, we now adapt the size of the AntiVir user interface. Therefore it is now possible to properly control AntiVir even on netbooks.

We also listened to AntiVir users who didn't like that the scanner waited for user interaction whenever it detected malware. A new configuration option allows scanning the selected paths or devices and showing a summary of the detected malware at the end, where the infections can be cleaned up with a single click.

In summary, all these small improvements make AntiVir 9 an even easier to use and more user-friendly antivirus solution. Give it a try when it is released.

Dirk Knop
Technical Editor

Optimized Scan in Avira AntiVir 9

The AntiVir 9 product family introduces a new scanning mode for the integrated on-demand scanner, which we call “Optimized Scan”. It is designed to improve on-demand scan performance on multi-core systems and makes use of the capabilities of modern multi-core CPUs (or systems with multiple single-core processors). The mode must be explicitly enabled in the configuration; note that the check box is available on multi-core systems only:

A new feature for speeding up Avira AntiVir: Optimized Scan

The performance gain depends, of course, on your system resources (RAM, hard disk and CPU frequency). A quick test on two systems, each scanning the complete system and program files partition, produced the following results:

Computer type      | OS        | CPU              | RAM  | HDD      | Improvement
Dell Optiplex 755  | XP SP3    | Core 2 Duo E6750 | 4 GB | 2 x SATA | 20%
HP Compaq 8510w    | Vista SP1 | Core 2 Duo T7500 | 2 GB | 1 x SATA | 10%

In our opinion these are pretty good results. However, Optimized Scan has some drawbacks which we accepted in exchange for maximum throughput:

  • Optimized Scan works on multi-core systems only
  • Logging mode is reduced to “Normal”
  • As the CPU cores are heavily loaded, the user may notice the system reacting more slowly than normal

How does it work? We can't tell too much, but this much we can say: Optimized Scan spawns one additional worker thread (only a single one, so right now we use only two cores) which takes over some tasks from the main scanning thread.

There's still room for further improvement. Stay curious about what's coming up next…

Thomas Salomon
Manager Windows Software Development

Raiffeisen Phishing in Romania

Following the rising trend in global e-commerce, Romanian e-commerce is growing fast. Many Romanians choose to pay their bills, bank or taxes using Internet banking. However, besides the numerous advantages of these services, there are disadvantages too. Most of the Romanian financial institutions that offer online banking to their clients are not experienced in IT security, and the banks do not provide any information or recommendations related to phishing attacks.

Many credit card owners who make online purchases are not familiar with cyber fraud and cannot avoid becoming targets of these attacks. That's why phishers take advantage of the banks' lack of security measures, the customers' lack of knowledge about malware and, last but not least, people's naivety to conceive these phishing scams.

Fig. 1: The email (Romanian)

A new massive spam attack was spotted on the Internet starting on 5th February with the following subject: „SSL-Secure, Siguranta utilizatorului Internet banking“ (“SSL-Secure, The internet banking user's security”).

This spoofed email, sent under the pretext of a false security alert, contains a hidden link which redirects users to the following fake website.

Fig. 2: The fake website

Usually the fraudulent website is an identical copy of the original one, but this time the path used by the scammers doesn't even exist on the original Raiffeisen website.
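The "hidden link" in this mail is the usual trick: the anchor text shows the bank's address while the href goes somewhere else. The following script is an added example (not Avira's AntiSpam engine) that pulls every link out of an HTML mail body and flags the ones whose real target does not belong to the brand, or whose visible text names a different host than the one it links to. The mail body is constructed, and the brand domain passed in is an assumption made for the demonstration.

```python
"""Added example (not Avira's AntiSpam engine): find anchors whose visible
text or claimed brand does not match where the href really goes.  The mail
body is constructed and the brand domain is an assumption for the demo."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a host name (simplification: ignores .co.uk-style
    public suffixes); IP literals are returned unchanged."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return host
    return ".".join(labels[-2:])


def deceptive_links(html: str, brand_domain: str) -> list:
    """Return every link that does not go to brand_domain, or whose anchor
    text shows a different host than the one it really points to."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        target = registered_domain(urlparse(href).hostname or "")
        reasons = []
        if target != brand_domain:
            reasons.append(f"points to {target or '(no host)'}, not {brand_domain}")
        shown = None
        if "." in text and " " not in text:             # the anchor text looks like a URL
            shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and registered_domain(shown) != target:
            reasons.append(f"displays {shown} but links to {target}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed phishing mail modelled on the one described above.  The second
# link uses the user@host trick; the third is what a legitimate mail would
# contain and must not be flagged.  Hosts are invented or documentation ranges.
SAMPLE_MAIL = """
<p>Dear customer, for your security please confirm your Internet banking data:</p>
<p><a href="http://www.secure-check.example/rzb/login.php">https://www.raiffeisen.ro/login</a></p>
<p><a href="http://www.raiffeisen.ro@203.0.113.7/login">Verify your account</a></p>
<p><a href="https://www.raiffeisen.ro/">www.raiffeisen.ro</a></p>
"""
BRAND_DOMAIN = "raiffeisen.ro"   # assumed brand domain for the demonstration

if __name__ == "__main__":
    for hit in deceptive_links(SAMPLE_MAIL, BRAND_DOMAIN):
        print(hit["href"], "->", "; ".join(hit["reasons"]))
```

The user@host form is worth the explicit test case: a reader sees "www.raiffeisen.ro" at the start of the URL, but urlparse (and the browser) treat everything before the @ as credentials and connect to the address behind it. Production filters replace registered_domain with a public-suffix list, because the two-label rule breaks on country second-level domains.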

Fig. 3: The original website is not available

After submitting some information on the above website (Figure 2), there is an attempt to redirect to the original website. But something went wrong this time, and the browser ends up in an infinite loop:

Fig. 4: Wrong redirect

Avira warned the owners of the websites used for hosting the phishing pages to delete those pages, and reminds users to be extremely careful with suspicious emails and to remember that banks will never request the card PIN or any other bank details.
Users of Avira AntiVir Premium and Avira Premium Security Suite are automatically protected against these threats: both block the links, and the AntiSpam module detects the email as phishing.

Laura Dobre
Marketing Officer

Sorin Mustaca
Manager International Software Development

Microsoft patches 8 security vulnerabilities

On the February Black Tuesday Microsoft released 4 updates for a total of 8 security vulnerabilities in Internet Explorer, Exchange Server, MS SQL Server and Visio from the Office suites. The company rates the two vulnerabilities in Internet Explorer as critical because attackers could execute malicious code via prepared web pages. One of the flaws in Exchange can lead to a server takeover by criminals, another can lead to a denial of service.

Attackers can abuse an error in SQL Server to take control of it, but for that they need another flaw in an SQL application that makes SQL injection possible. Three vulnerabilities were closed in Visio, which also allowed remote code execution.

It is likely that malicious web pages abusing the Internet Explorer holes will pop up on the web soon. In the past it didn't take long for exploits for patched vulnerabilities to appear, so the other updates should be installed as soon as possible as well.

Dirk Knop
Technical Editor

AMTSO – Further documents developed

The latest AMTSO meeting took place last week in Cupertino, CA, USA. It was hosted by Symantec, so the members met in the buildings of the Symantec headquarters.

Photos: Symantec campus and Symantec headquarters

Again, many representatives from major security companies attended the meeting, as well as testing organisations like AV-Test, ICSA, NSS, AV-Comparatives and PC Magazine.

Photos: conference rooms

After successfully publishing important documents following the last meeting in Oxford, the group is now working on new documents, which include among others:

  • AMTSO Whole Product Testing
  • AMTSO Review of Reviews
  • Educational documents on obtaining and verifying samples

The new documents focus on new methodologies for testing AV products and on how testers may obtain working samples for their tests, which will hopefully help to increase the quality of upcoming anti-malware tests.

For more information about AMTSO, please also have a look at the official website at www.amtso.org.

Philipp Wolf
Viruslab

Updated Virut Detection

For several months it had been quiet around W32/Virut, yet another file-infecting virus that was very active and widespread in the past. All of a sudden, new instances of the W32/Virut family surfaced a short time ago.

The malware author has further refined the polymorphic engine of W32/Virut to make it harder to detect. It infects executable files it finds on the hard disk using several methods, for example different entry point obfuscation (EPO) techniques. It also uses complex encryption layers, sometimes one, sometimes even two.

Another remarkable property of W32/Virut is the anti-emulation and anti-debugging tricks it uses, meant to make analysis more difficult. After infecting a system, the malware also injects iframes into HTML files, apparently in order to download further malware that way. With our update from last Friday, Avira AntiVir products again detect all currently known new samples of W32/Virut.
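The iframes a file infector injects into HTML files are meant to be invisible to the page's visitors, which is also what gives them away: they are sized to a pixel or hidden by CSS, they load from a host that has nothing to do with the site, and they are often simply appended behind the closing </html> tag. The following script is an added example (not Avira's detection or cleaning code) that flags such frames in an HTML file and strips them; the page and the hosts in it are constructed for the demonstration.

```python
"""Added example (not Avira's code): find iframes that look injected into an
HTML file and strip them.  The sample page is constructed for the demo."""
import re
from urllib.parse import urlparse

# An <iframe ...> tag with an optional ...</iframe> body (injected frames are
# not always closed properly).
_IFRAME_RE = re.compile(r"<iframe\b([^>]*)>(?:.*?</iframe\s*>)?", re.I | re.S)
_ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def _attrs(raw: str) -> dict:
    """Parse name=value pairs, tolerating unquoted and single-quoted values."""
    out = {}
    for m in _ATTR_RE.finditer(raw):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out


def _at_most_one_pixel(value: str) -> bool:
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def suspicious_iframes(html: str, own_hosts=()) -> list:
    """Return a finding for every iframe that is hidden or sits after </html>."""
    findings = []
    end_of_document = html.lower().rfind("</html>")
    for m in _IFRAME_RE.finditer(html):
        attrs = _attrs(m.group(1))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if _at_most_one_pixel(attrs.get("width", "")) or _at_most_one_pixel(attrs.get("height", "")):
            reasons.append("frame is at most one pixel in size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("frame is hidden by CSS")
        if end_of_document != -1 and m.start() > end_of_document:
            reasons.append("appended after </html>")
        if reasons:
            if host and host not in own_hosts:
                reasons.append(f"loads content from {host}")
            findings.append({"span": m.span(), "src": src, "reasons": reasons})
    return findings


def strip_iframes(html: str, findings: list) -> str:
    """Remove the flagged frames, the clean-up step for an injected file.
    Spans are cut from the end so earlier offsets stay valid."""
    for f in sorted(findings, key=lambda f: f["span"][0], reverse=True):
        start, end = f["span"]
        html = html[:start] + html[end:]
    return html


# Constructed page: a legitimate, visible frame from the site's own host and
# an injected one-pixel frame appended after the closing tag (invented host
# from a documentation range, unquoted upper-case attributes on purpose).
SAMPLE_PAGE = """<html><body>
<h1>Company news</h1>
<iframe src="https://www.example.com/news.html" width="600" height="400"></iframe>
</body></html>
<IFRAME SRC=http://203.0.113.9/in.cgi?3 WIDTH=1 HEIGHT=1 style="display: none"></IFRAME>
"""

if __name__ == "__main__":
    hits = suspicious_iframes(SAMPLE_PAGE, own_hosts={"www.example.com"})
    for h in hits:
        print(h["src"], "->", "; ".join(h["reasons"]))
    print(strip_iframes(SAMPLE_PAGE, hits))
```

Stripping the frames only repairs the HTML files; the infected executables that keep re-injecting them must be cleaned or replaced, otherwise the frames come back on the next infection run.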

Dirk Knop
Technical Editor

Nigerian Scam?

When we talk about Nigerian scams (also known as 419 scams) we usually assume that the social engineering is about transferring large sums of money from some African country into the recipient's personal account. It seems the business isn't working so well anymore, since the fraudsters are now changing their approach. In our spam traps we found the email below, allegedly from a girl from Congo who appears to be looking for a partner.

Fig. 1: Spam mail for Advance Fee Fraud.

This kind of fraud is not new at all. It started years ago with Eastern European girls (remember the already famous “Russian bride” trick). The deal is that the “partner” must send some amount of money to the “poor” girl so she can arrange her arrival in his country. But after some time the girl reports problems with her passport or with sick relatives and needs some money, and then she asks for more and more money for various problems.

When the “partner” figures out that there is something phishy going on and stops sending money, it is too late. The girl just disappears, the “partner” never hears from her again, and the money is gone too.

Sorin Mustaca
Manager International Software Development