Archive for March 2009

What to do against Psyb0t

Some hype has built up around the malware known as Psyb0t. It is unusual in that it doesn’t infect Windows machines but MIPS-based Internet routers and DSL modems, which are very widespread. (This is only half of the story: there is a Windows malware floating around which starts by infecting the Internet gateway; this malware is detected and removed by Avira AntiVir, though.)

In our analysis we found plenty of interesting strings in the Psyb0t-variant 2.9L.

Fig. 1: Disassembled Psyb0t and the function graph.

This malware is quite sophisticated and has a whole lot of functions which a bot master may need. Psyb0t connects to an IRC-Server and can be controlled from there.

It tries to exploit weak passwords on devices reachable via the Internet and contains an extensive list of default passwords as well as some commonly used ones. It also attacks SQL servers and software like phpMyAdmin. So it doesn’t only infect Netcomm DSL modems, as has sometimes been reported in the media, but can break into plenty of other MIPS-based devices from other brands as well, even OpenWRT installations, if they run insecure service versions.

How can you tell whether your router is infected? There is no easy way. But the malware adds a firewall rule to block telnet connections (iptables -A INPUT -p tcp --dport 23 -j DROP). So if a telnet daemon is running on your router and you can’t reach it, that is a bad sign.

How to get rid of an infection? In this situation you have to connect to your Internet gateway via a wired network. Fetch the latest firmware version from a different network, maybe at a neighbour’s or a friend’s place. Then you usually have to perform a hard reset on the Internet gateway. Most devices reset their settings to the defaults when you press the reset button for 10 seconds, then pull the power plug and reinsert it.

After that, first change the default password to a good and safe one; you know the drill: lower-case and capital letters, special characters and numbers in as random a fashion as possible. Then upgrade the firmware to the most recent version. After that you can start configuring your Internet gateway again.

Dirk Knop
Technical Editor

Markus Hinderhofer
R&D Engine Team

Update your Java Runtime Environment

Sun has published a security alert and recommends that users of its Java Runtime Environment (which is in fact nearly everyone out there) install the provided update as soon as possible. According to Sun’s document, the loader for Java applets contains integer and buffer overflow vulnerabilities.

This may allow untrusted Java applets to escalate their privileges on the system. Doesn’t sound scary? Well, it is: a specially prepared website may load such an applet and gain full system access, a.k.a. own the computer.

You can check whether your installed Java Runtime Environment is up to date by visiting a web page from the manufacturer. It will offer you the latest recommended version for download; currently these are JRE 6 Update 13 and JRE 5 Update 18, respectively. Sun notes that JRE 1.4.2 and 1.3.1 are not affected by these vulnerabilities.

For newer Java versions Sun has finally managed to correct the installer so that it removes the old version that is being replaced. If you update from an older version (say, from before JRE 6 Update 11), you have to remove the old Java version yourself via the software applet in the Control Panel. As Java applets can request the runtime version they like, the system would still be vulnerable if you don’t uninstall the previous versions!

Dirk Knop
Technical Editor

Colorful Spam twist for bypassing Spamfilters

Starting on 23.03.09 we began to receive a new type of spam mail with a rather interesting format: HTML with tables in which certain cells are given a special background colour. The result is really nice, as you can see below:

Fig. 1: The resulting mail

The body contains two parts, as any decent and properly formed email does: text/plain and text/html. The two parts are identical from a content point of view, so if we render the HTML part we obtain exactly the text/plain part. This makes the email even more credible. Analysing the HTML content we see that there is actually not a single ASCII character in the table where the word VIAGRA is drawn.

Fig. 2: The HTML part of the email

In the details of one of the rows we can see how each row is built:

Fig. 3: The HTML of the single cells of a table row

The matrix is a table with 31 columns and 6 rows, and the words are formed using coloured cells. This is not yet detected by most spam filters; a simple word filter fails because there is no word in the text to match.
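As an added illustration (not code from the original post), the following Python snippet shows how a filter can recover the "pixel" picture from such a table and flag a table that has many cells but no text at all. The HTML sample is constructed here (a 5x5 grid drawing a V), and the cell threshold is an assumed heuristic, not a value from the post.

```python
from html.parser import HTMLParser

# Constructed sample (not the original spam): a 5x5 table that "draws" the
# letter V with coloured cells and carries no visible text at all.
SAMPLE_HTML = "<table>" + "".join(
    "<tr>" + "".join(
        '<td bgcolor="#0000ff"></td>' if c == "#" else "<td></td>" for c in row
    ) + "</tr>"
    for row in ["#...#", "#...#", "#...#", ".#.#.", "..#.."]
) + "</table>"

class CellGridParser(HTMLParser):
    """Record, per table row, which cells carry a background colour,
    and count the visible characters inside the cells."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self.in_td = False
        self.text_chars = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "tr":
            self.rows.append([])
        elif tag == "td" and self.rows:
            self.in_td = True
            style = (attrs.get("style") or "").lower()
            coloured = "bgcolor" in attrs or "background" in style
            self.rows[-1].append("#" if coloured else ".")

    def handle_endtag(self, tag):
        if tag == "td":
            self.in_td = False

    def handle_data(self, data):
        if self.in_td:
            self.text_chars += len(data.strip())

def cell_bitmap(html):
    """Rebuild the table as rows of '#' (coloured cell) and '.' (empty cell)."""
    p = CellGridParser()
    p.feed(html)
    return ["".join(r) for r in p.rows]

def looks_like_pixel_spam(html, min_cells=20):
    """Assumed heuristic for a filter: many cells, none of them holding text."""
    p = CellGridParser()
    p.feed(html)
    return sum(len(r) for r in p.rows) >= min_cells and p.text_chars == 0
```

Printing the rows returned by cell_bitmap makes the hidden word visible to an analyst without rendering the mail.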

The link “Click Here” in the spam mail points to Microsoft’s blogging service on spaces.live.com. Trying to report the URL to live.com proved impossible, but that is yet another story.

Sorin Mustaca
Manager International Software Development

Avira AntiVir 9 gets adopted fast

As you may have heard, we released version 9 of Avira AntiVir last week. From our update servers we can tell that, as of yesterday, more than half of the Avira AntiVir Premium users as well as of those using Avira AntiVir Personal have upgraded to the new version. Looking at the support statistics, the new version runs very well and smoothly.

But questions arose due to a new feature which many people seem to activate (which is good, by the way). It scans the system files and checks their integrity by verifying their digital signatures. If someone or something, like malware, has tampered with those system files, the digital signature becomes invalid and Avira warns about it.

A digital signature is a cryptographic checksum (hash) of the file, signed by the software producer and stored together with the producer’s digital certificate. If the file gets changed, the checksum changes as well and the digital signature is no longer valid. By checking the certificate it can be verified that the producer is the “real” one.

This leads to some confusion as to whether the systems of affected users are in fact infected or not. This is hard to tell on end-user systems. There are patches available which lift the limit on half-open TCP/IP connections in Windows XP and newer versions by directly modifying the responsible DLL. Other programs tamper with the system files to add themes to Windows (NB: you don’t need to change executable system files to apply themes to Windows; better stay away from such software).

So the computer isn’t necessarily infected when Avira warns about invalid signatures in system files. In companies you may want to take such systems offline and analyse them anyway. Computer users should be aware that they can’t really trust their system anymore once these signatures are invalidated, as malware may modify those binaries as well, and now the user can’t see that this happened because the signature was already invalid before.

Dirk Knop
Technical Editor

Facebook users, pay attention where you click

In the last months we have noticed increased phishing activity targeted at users of the well-known social portal Facebook. The specific functionality that is abused is the free redirect feature: Facebook can redirect to any website using a simple URL like this: http://www.facebook.com/l.php?u=<website>.

By misusing this feature the phishers insert Facebook as an extra step in the redirect, so the link in the mail really does point to facebook.com.

Fig. 1: Redirecting to avira.com: http://www.facebook.com/l.php?u=http://www.avira.com

We would like to urge Facebook users never to click on links in emails which seem to go to facebook.com. Always type the address in the browser yourself or use a bookmark you created yourself.
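For mail filtering, an added example (not code from the post) that unwraps a facebook.com/l.php?u= link to its real destination and reports whether it leaves facebook.com. The sample links are constructed; only the avira.com one is the redirect shown in the post.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample links (not taken from a real phishing mail); the first
# one is the harmless redirect shown in the post.
SAMPLE_LINKS = [
    "http://www.facebook.com/l.php?u=http://www.avira.com",
    "http://www.facebook.com/l.php?u=http://login-check.example/verify",
    "http://www.facebook.com/home.php",
]

FACEBOOK_HOSTS = ("facebook.com", "www.facebook.com")

def unwrap_redirect(url):
    """Return the target of a facebook.com/l.php?u=<website> link, or None
    if the URL is not such a redirect."""
    p = urlparse(url)
    if p.netloc.lower() not in FACEBOOK_HOSTS or p.path != "/l.php":
        return None
    targets = parse_qs(p.query).get("u")
    return targets[0] if targets else None

def leaves_facebook(url):
    """True when a link that looks like facebook.com actually redirects
    to a host outside facebook.com; such links deserve a closer look."""
    target = unwrap_redirect(url)
    if target is None:
        return False
    host = urlparse(target).netloc.lower()
    return not (host == "facebook.com" or host.endswith(".facebook.com"))

def report(links):
    """Map each link to its real destination (or itself if not a redirect)."""
    return {u: (unwrap_redirect(u) or u) for u in links}
```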

Sorin Mustaca
Manager International Software Development

Malware writers rig up against Sandboxes

While analysing a recent version of the often-adapted Trojan Dropper CeeInject we stumbled over the following message in the malware (in plain text):

Hi Dear sniffer
If you want to find the net
You better put some effort in doing it
Because anubis wont do the job for you
Bitch.

Anubis is a sandbox system reachable on the Internet to which you can upload suspicious executable files. They are run in a safe environment and the changes made to the system during that run are shown after a few minutes. Obviously, malware authors are upset about such sandboxes and have now started to prepare their binaries so that the malicious activity is no longer detectable by them.

Dirk Knop
Technical Editor

Exploit-Code for Foxit PDF out – Update now

For the popular Foxit PDF Reader, an alternative to Adobe’s Reader, there is now exploit code available. Many people use Foxit in the hope that it doesn’t contain the same vulnerabilities as the “original” software from Adobe. But a few issues have been found in the alternative PDF reader as well.

As with Adobe Reader, there are security weaknesses in Foxit. Unusually, exploit code is now also publicly available which can be abused to smuggle malicious code onto a victim’s computer via specially prepared PDF documents. Since an update is available, make sure to install it immediately!

Dirk Knop
Technical Editor

Plenty of Patches released

Not only Microsoft published security updates; Adobe also managed to provide a fix for some versions of Adobe Reader and Acrobat, closing an actively exploited security hole in these products.

Microsoft issued 3 security bulletins. One vulnerability in the Windows kernel could lead to code execution while viewing manipulated EMF or WMF graphics; another weakness in Microsoft’s SChannel (Secure Channel) implementation and one in Microsoft’s DNS and WINS servers could be abused to spoof another identity. An update fixing Microsoft’s Excel isn’t available yet, though.

Adobe released patches for Acrobat and Reader version 9, as announced earlier in February. Patches for older versions will follow in a week, according to Adobe.

As some of the closed security holes allow for (remote) code execution, it is advised to apply the provided patches as soon as possible.

Dirk Knop
Technical Editor

Configuration Profiles in AntiVir 9

The Professional Edition of AntiVir 9 will introduce a new feature which we have called Configuration Profiles. The idea behind this feature is to better support mobile users. You have probably faced the problem yourself when running an enterprise antivirus: as long as you are located in the company, the product should update from a server in the intranet and (in most cases) the security policy is very restrictive. However, when you are at home, at a customer’s or in a hotel, updates should come from Avira’s servers and the security policy might be less restrictive: there’s no help desk available, but you urgently need to install something, etc.

The new Configuration Profiles now offer an effective and flexible way to configure AntiVir Professional according to these needs. The feature allows you to define up to 3 individual configuration sets, each called a Profile. A Profile includes all AntiVir options. For example, you can define different update servers, activate or deactivate mail or web protection (e.g. in the company the user is protected by a gateway; at home or at the customer’s he’s not), etc. This allows an administrator to configure the system according to the individual situation.

Configuration Profiles can be switched automatically by the detected Gateway.

Each Profile (configuration) can be set active by an automatic rule. A rule can be:

  • Use the profile if the current default gateway or the default gateway’s MAC address matches
  • Use the profile if no other rule fits (default rule)
  • Do not use a rule

If a rule is set accordingly, AntiVir will automatically switch the configuration options in use depending on the current location of the notebook.

Configuration Profiles can also be switched manually (not recommended, as most users will ‘forget’ to do so):

Users can select the Configuration Profile manually, too.

Of course Configuration Profiles are also supported by the Avira Management Console for centralized management. The administrator can define the configuration sets and the rules but, obviously, cannot switch between the Profiles himself.

We think that this is a somewhat complex but useful feature in enterprise environments. By the way, if you do not want to deal with these profiles you can of course continue working the old way.

Thomas Salomon
Manager Windows Software Development

New False Positive from Spyware Doctor (Update)

While fixing the false positive from a few days ago, PCTools managed to add a new false alarm in the Google Pack version of Spyware Doctor: today, the program alerts the user that Avira’s ccev.dll contains Backdoor.Bandok. Of course this is a false alert; the Avira software is clean.

We contacted PCTools again and hope that they remove the faulty signature as soon as possible. Until an update is available, please deactivate Spyware Doctor from Google Pack.

Update:

PCTools has published an update that remedies the issue. You can update Spyware Doctor and reactivate it.

Dirk Knop
Technical Editor