Archive for July 2009

Adobe-Patches are out

As announced, Adobe has released the first updates for the critical security vulnerabilities in its products. The first update is for Adobe Flash Player: the new version 10.0.32.18 is supposed to close the security hole in the software. You can get it via Adobe's web site.

Later today, Adobe plans to release further patches for Adobe Reader and Acrobat. A new version of the Shockwave Player is also already available. Please install the updated versions as soon as possible.

Let me take this opportunity to thank all the hardworking administrators out there, especially the Avira admins. They have to roll out all these updates today and have already had a busy week due to Microsoft's out-of-band updates from Tuesday. Don't forget, it's System Administrator Appreciation Day!

Dirk Knop
Technical Editor

Avira Risk Level

The Risk Level describes the current phishing and malware threats that we receive in real time from our sources on the Internet. These threats are real and can be accessed by any user on the Internet.

The levels are computed by comparing the number of threats (malware and phishing separately) received in the last 24 hours (called the 24h threat value) to the average daily value over the last 30 days (called the average threat value). These levels are recomputed every 15 minutes.

This is what the graph of the values per day for the last 30 days looks like:

Fig. 1: Statistics per day, last 30 days

And this is the graph of the values per hour for the last 24 hours:

Fig. 2: Statistics per hour, last 24h

Level 1 – Normal (Green)

Risk: Low – there is much less activity than the average we have seen in the last 30 days. This condition corresponds to no discernible malicious activity for the type of threat for which the risk level is issued. The Avira products should function and should be updated using the default settings.

Level 2 – Average (Yellow-Green)

Risk: Low to Moderate – there is somewhat less activity than the average we have seen in the last 30 days. This condition corresponds to some malicious activity for the type of threat for which the risk level is issued. The Avira products should function and should be updated using the default settings. This risk level is usually “the calm before the storm”, so we advise our customers to keep an eye on our website for information and updates.

Level 3 – Suspicious (Yellow)

Risk: Moderate – activity is about the same as the average we have seen in the last 30 days. This condition corresponds to clear signs of malicious activity for the type of threat for which the risk level is issued. The Avira products should function with heuristics and generic detection enabled, because there might be a new variant of a known malware family. This risk level means that some unknown malware might be starting to spread, so we advise our customers to keep an eye on our website for information and updates. Please keep the logfiles of the security products under careful observation.

Level 4 – Alert (Orange)

Risk: High – there is more activity than the average we have seen in the last 30 days. This condition corresponds to known malicious activity for the type of threat for which the risk level is issued. The Avira products must be updated more often than the default. Do not forget to update both the signatures and the engine. This risk level means that known malware is spreading, and we strongly advise keeping the logfiles of the security products under careful observation.

Level 5 – Outbreak (Red)

Risk: Very High – there is much more activity than the average we have seen in the last 30 days. This condition corresponds to known malicious activity for the type of threat for which the risk level is issued. The Avira products must be updated more often than the default. Do not forget to update the signatures, the engine and the products. This risk level means that known malware is currently active, creating a severe risk to the infrastructure and normal operations. We strongly advise keeping the logfiles of the security products under careful observation.
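To make the computation concrete, here is an added example (not Avira's code) that derives the two values the post defines, the 24h threat value and the 30-day average, from a feed of timestamped reports and maps their ratio onto the five levels, separately for malware and phishing. The post describes the levels only qualitatively ("much less" to "much more"), so the ratio boundaries in LEVELS and the sample feed are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed ratio boundaries (assumption: the post gives no exact cut-offs).
# Each entry: (exclusive upper bound of 24h value / average, level, name, colour)
LEVELS = [
    (0.5, 1, "Normal", "Green"),
    (0.9, 2, "Average", "Yellow-Green"),
    (1.1, 3, "Suspicious", "Yellow"),
    (2.0, 4, "Alert", "Orange"),
    (float("inf"), 5, "Outbreak", "Red"),
]


def threat_values(timestamps, now, window_days=30):
    """Return (24h threat value, average threat value) as the post defines them:
    reports received in the last 24 hours, and the per-day average over the
    last window_days days (the last 24 hours are part of that window)."""
    window_start = now - timedelta(days=window_days)
    cutoff_24h = now - timedelta(hours=24)
    in_window = [t for t in timestamps if window_start < t <= now]
    value_24h = sum(1 for t in in_window if t > cutoff_24h)
    average = len(in_window) / window_days
    return value_24h, average


def risk_level(value_24h, average):
    """Map the ratio of the 24h value to the average onto level 1..5."""
    if average == 0:
        # No history at all: any report is an anomaly, none means quiet.
        return (5, "Outbreak", "Red") if value_24h else (1, "Normal", "Green")
    ratio = value_24h / average
    for upper, level, name, colour in LEVELS:
        if ratio < upper:
            return level, name, colour


def risk_levels(reports, now):
    """Compute the malware and phishing levels separately, as the post describes.
    reports is an iterable of (kind, timestamp) pairs."""
    result = {}
    for kind in ("malware", "phishing"):
        value_24h, average = threat_values(
            [t for k, t in reports if k == kind], now)
        result[kind] = risk_level(value_24h, average)
    return result


def constructed_reports(now, kind, history_per_day, today):
    """Constructed sample feed: history_per_day reports on each of the previous
    29 days and `today` reports within the last 24 hours."""
    reports = [(kind, now - timedelta(hours=1, minutes=i)) for i in range(today)]
    for day in range(1, 30):
        for i in range(history_per_day):
            reports.append((kind, now - timedelta(days=day, hours=1, minutes=i)))
    return reports


NOW = datetime(2009, 7, 31, 12, 0)
# Malware: a quiet month of 10 reports a day, then 25 in the last 24 hours.
# Phishing: 20 a day on average, only 8 in the last 24 hours.
SAMPLE = (constructed_reports(NOW, "malware", 10, 25)
          + constructed_reports(NOW, "phishing", 20, 8))

if __name__ == "__main__":
    for kind, (level, name, colour) in risk_levels(SAMPLE, NOW).items():
        print(f"{kind}: Level {level} – {name} ({colour})")
```

With this feed the malware level comes out as 5 (25 reports against an average of 10.5) while phishing sits at level 1, which is exactly why the two threat types are rated separately: one outbreak must not be masked by a quiet day on the other side.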

Sorin Mustaca
Manager International Software Development

Out-of-band Patches from Microsoft II

As announced last week, Microsoft has released two security bulletins out-of-band. They address critical vulnerabilities in all Internet Explorer versions and a flawed Active Template Library (ATL) for developers using Microsoft's Visual Studio.

Due to the flaw in the ATL – which is used, for example, to build ActiveX controls – it is possible to bypass the kill bit restrictions in Internet Explorer (IE). Manipulated web sites can thus call ActiveX modules with security vulnerabilities and plant malware on affected computers. Microsoft now closes three security holes in IE and hardens it against abuse of the flaws introduced by the ATL.

The error originates in flaws within the ATL shipped with Visual Studio, so components built with this development environment can be affected, too. Cisco, for example, has released a security advisory announcing workarounds and updates for its Cisco Unity software. Expect other software vendors to release updates soon as well.

Interestingly, according to Microsoft’s Security Bulletins, Windows 7 is not affected by these vulnerabilities.

Install the updates as soon as possible, and if you are a developer, rebuild your components with the new ATL. A Knowledge Base article from Microsoft explains the issue for developers.

Dirk Knop
Technical Editor

Out-of-band Patches from Microsoft

Microsoft has announced out-of-band updates for Internet Explorer and for Visual Studio for the coming Tuesday. While the company rates the security issue in Visual Studio only as moderate, the IE flaws – which also affect IE8 – are considered critical and allow remote code execution.

Prepare for those updates: when Microsoft decides on an out-of-band release, the fixes are genuinely critical and necessary. Install them as soon as they are available.

Dirk Knop
Technical Editor

Security flaw in Adobe PDF/Flash

There are security flaws within Adobe Reader, Acrobat and the Adobe Flash Player which are currently being actively exploited on the net. The company has published a security advisory announcing that it is investigating the problem and plans an update for the 30th of July.

Avira antivirus solutions already detect the malicious PDF files as EXP/Pidief.TH and the malware dropped by those documents as TR/Drop.Wmach and TR/Spy.WMach, respectively. Nevertheless, it is a good idea to take additional security measures until Adobe provides an update.

Adobe recommends deleting or renaming the file authplay.dll that ships with Reader and Acrobat. According to Adobe, enabling Data Execution Prevention (DEP) and activating User Account Control (UAC) in Windows Vista also mitigate the risk.

Another option is to use a different PDF reader and to disable the Adobe PDF and Flash plug-ins in the web browser via its add-ons manager. The NoScript extension for Firefox also helps by preventing Flash applications from running in the browser; drive-by downloads via malicious Flash applications embedded in web sites may well turn up soon.

Dirk Knop
Technical Editor

Hindering debugging – by doing nothing

A common technique to make debugging harder and more time-consuming is scrambling the virus code and inserting “random” junk code that doesn’t really do anything useful. One example is the W32/Virut family. Despite already being a couple of years old, it is still one of the most active file infector families around. Its author(s) frequently update the way it tries to hide itself both from AV software and researchers.

It is polymorphic and has been manually adapted and extended by its author(s) multiple times. While analysing one of the latest W32/Virut variants, we came across a block in the virus code that couldn't be properly disassembled by the debugger we used. Looking closer, it turned out that the problematic block of code contained a relatively unusual multi-byte no-operation instruction (NOP).

Fig. 1: Even modern disassemblers and debuggers can't decode the length of the NOP correctly (OllyDbg 1.10).

The usual NOP instruction of x86 processors is one byte long (opcode 0x90). But there is also a multi-byte NOP with the opcode 0x0F 0x1F, and that is what the virus code uses. The multi-byte NOP can be up to 9 bytes long. NOP instructions are used to pad code so that it aligns to 8- or 16-byte boundaries – on modern processors this can speed up the code, mostly for caching reasons.

Intel officially documented this multi-byte NOP in 2006, but it had already been present in processors for quite a while – apparently since the Pentium Pro, though not on the Pentium MMX.

Fig. 2: Older disassemblers and debuggers don't cope well with the multi-byte NOP instructions (older IDA variant).

The author(s) of the W32/Virut malware now exploit(s) the fact that these multi-byte NOP instructions are still relatively unknown in order to complicate analysis and to trick disassemblers and emulators. Some commonly used disassemblers and debuggers don't support these opcodes. They cannot calculate the correct length of the instruction and, as a result, are unable to properly “translate” the code beyond that point.
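The length problem is easy to reproduce. The following is an added example written for this post (it is not Avira's engine code and not the virus code): a minimal 32-bit x86 length decoder for the 0F 1F NOP that walks the ModRM byte, the optional SIB byte and the displacement, next to a deliberately "old" decoder that treats 0F 1F as a complete two-byte instruction. The opcode subset and the sample byte string are constructed for the demonstration; the seven NOP forms are Intel's documented recommended 3- to 9-byte sequences.

```python
# Added example: why an unknown multi-byte NOP derails a disassembler.
# Decoding is for 32-bit mode; the opcode subset is deliberately tiny.

# Intel's recommended 3..9-byte NOP forms: 0F 1F plus a ModRM (and SIB /
# displacement) describing a memory operand that is never accessed,
# optionally behind a 66 operand-size prefix.
INTEL_NOPS = [
    bytes.fromhex("0F1F00"),
    bytes.fromhex("0F1F4000"),
    bytes.fromhex("0F1F440000"),
    bytes.fromhex("660F1F440000"),
    bytes.fromhex("0F1F8000000000"),
    bytes.fromhex("0F1F840000000000"),
    bytes.fromhex("660F1F840000000000"),
]


def modrm_length(buf, i):
    """Bytes occupied by the ModRM byte at buf[i] plus any SIB and displacement."""
    modrm = buf[i]
    mod, rm = modrm >> 6, modrm & 7
    length = 1
    if mod == 3:                        # register operand: nothing follows
        return length
    if rm == 4:                         # SIB byte follows
        length += 1
        if mod == 0 and buf[i + 1] & 7 == 5:
            length += 4                 # SIB without base register: disp32
    elif mod == 0 and rm == 5:
        length += 4                     # [disp32], no base register
    if mod == 1:
        length += 1                     # disp8
    elif mod == 2:
        length += 4                     # disp32
    return length


def multibyte_nop_length(buf, i=0):
    """Length of a 0F 1F NOP starting at buf[i], counting any 66 prefixes."""
    n = 0
    while buf[i + n] == 0x66:
        n += 1
    if buf[i + n:i + n + 2] != b"\x0f\x1f":
        raise ValueError("not a multi-byte NOP")
    return n + 2 + modrm_length(buf, i + n + 2)


ONE_BYTE = {0x90: "nop", 0xC3: "ret", 0x44: "inc esp"}
WITH_MODRM = {0x00: "add r/m8, r8"}


def decode(buf, knows_multibyte_nop):
    """Return [(offset, length, mnemonic)] for the opcode subset above.
    With knows_multibyte_nop=False the decoder behaves like the tools in the
    post: it takes 0F 1F for a complete two-byte instruction and falls out of
    step, so the bytes of the NOP's ModRM/SIB/displacement are decoded as code."""
    out, i = [], 0
    while i < len(buf):
        start, prefix = i, ""
        if buf[i] == 0x66 and i + 1 < len(buf):
            prefix, i = "66 ", i + 1
        op = buf[i]
        if op == 0x0F and i + 1 < len(buf) and buf[i + 1] == 0x1F:
            if knows_multibyte_nop:
                i += 2 + modrm_length(buf, i + 2)
                out.append((start, i - start, prefix + "nop r/m32"))
            else:
                i += 2                  # wrong length: operand bytes are left over
                out.append((start, i - start, prefix + "(unknown 0F 1F)"))
        elif op in ONE_BYTE:
            i += 1
            out.append((start, i - start, prefix + ONE_BYTE[op]))
        elif op in WITH_MODRM:
            i += 1 + modrm_length(buf, i + 1)
            out.append((start, i - start, prefix + WITH_MODRM[op]))
        else:
            i += 1
            out.append((start, i - start, prefix + "db 0x%02x" % op))
    return out


def mnemonics(buf, knows_multibyte_nop):
    return [m for _, _, m in decode(buf, knows_multibyte_nop)]


# Constructed sample: Intel's 8-byte NOP followed by a single `ret`.
SAMPLE = INTEL_NOPS[5] + b"\xc3"

if __name__ == "__main__":
    print("correct:", mnemonics(SAMPLE, True))
    print("naive:  ", mnemonics(SAMPLE, False))
```

Run against the sample, the correct decoder yields `nop r/m32` followed by `ret`. The naive decoder consumes the displacement bytes as a run of `add` instructions and, because the last `add` swallows the 0xC3 as its ModRM byte, the `ret` never appears at all: the listing past the NOP is wrong, which is the effect described above.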

Markus Hinderhofer
Engine Research & Development

Dirk Knop
Technical Editor

Nigerian scams are indeed getting smarter

A few days ago we posted about a Nigerian scam that is trying to get smarter. I was saying that they were trying, without success, to avoid the common mistakes made by other scam authors. Well, it happened sooner than I imagined: I saw two emails today, both overcoming these problems in different ways.

1. Scam with text and image

Usually, scam emails do not contain images because they are simply too expensive to send in bulk. This is why most filters have a kind of whitelisting in place which reduces the spam score when they encounter large pictures (for example >= 200KB) attached to a message.

In the plain text part they still use some well-known phrases, like “Dear sir”, “seek your assistance”, “business opportunity”, etc. So this text is easier to detect as a scam, but not trivially. Even so, there is no “story” in it, which on its own would make the email useless. The real story behind the scam is attached as a JPG picture with a size of exactly 200KB. Did the scammers know about this limit? Of course they did: plenty of antispam tools can be downloaded, so they can test against them.

Fig. 1: The scam mails try to circumvent email filters by using image attachments with the "whole story".

The text in the picture is a typical scam-text with references to real facts and so on. The email is sent via Gmail. Again, it is very unfortunate that Google doesn’t scan outgoing emails against spam, as they do for malware.

2. Bilingual Scam

This email is a 3K plain text message using the UTF-8 character set. Because of this, it comes encoded in base64. There are two text paragraphs in the body, the first one written in French and the second in English. They are worded differently, but basically they express the same idea: a transfer of money to your account. There are some important differences between the two texts.

The English text is:

  • making use of the word “millions”, while the French one writes the sum in figures
  • not telling the story of the money, merely specifying “lying dormant for eight years”, while the French one specifies that the money belongs to a dead relative of a customer of the bank
  • using the first name of the woman, while the French one uses the formal form of address with the full name.

The subject of the email is written only in French. I assume that the reason for this is the fact that the email has been sent from a free email provider from France (ifrance.com).

Fig. 2: Another twist is sending bilingual scam mails.

Fig. 2: Another twist is sending bilingual scam mails.

Both messages show a very clear trend in the Nigerian scam business: they are adapting to the fast-changing rules of the game. They have to, because we are in a deep economic crisis and now is the perfect moment for them to recruit new “customers”. In such hard economic times people are more susceptible to this kind of promise of easy money.

Never respond to such requests, no matter whether they are written in your language, how credible they seem or how well documented they are.

Sorin Mustaca
Manager International Software Development

Firefox 3.5.1 closes security hole

The Mozilla Foundation released Firefox 3.5.1 today. The new version fixes an issue which could be abused by web sites to inject malicious code into a victim's computer. The vulnerability was in the Just-In-Time compiler for JavaScript, which is a new feature in Firefox 3.5. Please update your Firefox to the most recent version now by clicking on “Help” and selecting “Search for updates”.

Dirk Knop
Technical Editor

Nigerian scams are trying to get smarter

We have already blogged about Nigerian scams which make the usual mistakes associated with this kind of fraud. This time, we received an email which seemed to be adapted to a European audience.

Fig. 1: Nigerian scam mails seem to be getting better adapted to the target audience.

I got really excited when I saw that he is not “Mr.”, “Doctor” or “Barister”, that his email address is not mr.something@host.com, that he wants to invest Euros and not US dollars, and so on. But this was only at first sight.

A closer look reveals that it is the same old scam:

  • Bad English
  • The country prefix of the telephone number is from Ivory Coast (I don't know if the number exists)
  • The headers show that the email was sent through a bot residing in Germany (see also our “Phishing and Malware Statistics” for Germany)
  • They start the email with “Dear Sir”, and any decent filter will penalize them for this
  • The subject of the email is written in capital letters
  • It mentions something about an “account” and a money “transfer”

An interesting detail that shows how different our cultures are: all these scams have one thing in common. They write the contact email address in the body of the email, even though they use the same address in the “From” or “Reply-To” field.

Would you write your email address in the body of the email if you expect the recipient of your email to get back to you?

Avira AntiSpam from the Premium Security Suite detects this message as spam without even using the RBLs. As usual, we recommend that you never contact these guys and never believe offers which are too good to be true.
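The indicators listed in this post and in the follow-up on image-based scams can be turned into a small content filter, which also shows how the 200KB picture trick defeats a naive whitelist. The following is an added example written for these posts, not Avira AntiSpam's code: it scores a constructed message on the stock phrases (“Dear sir”, “seek your assistance”, “business opportunity”, “account”, “transfer”), an all-capitals subject, and the contact address repeated in the body although it is already in From/Reply-To; the weights, the spam threshold and the example.com addresses are assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators named in the posts. Weights and the threshold are assumptions.
SCAM_PHRASES = ("dear sir", "seek your assistance", "business opportunity",
                "account", "transfer")
IMAGE_BONUS_BYTES = 200 * 1024     # the >= 200KB whitelisting limit from the post
IMAGE_BONUS = 4.0                  # how much a large picture lowers the score
SPAM_THRESHOLD = 5.0
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def indicators(msg):
    """Return {indicator: points} for the content heuristics that fired."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    points = {}
    hits = [p for p in SCAM_PHRASES if p in text.lower()]
    if hits:
        points["scam_phrases"] = 1.5 * len(hits)
    letters = [c for c in msg.get("Subject", "") if c.isalpha()]
    if letters and all(c.isupper() for c in letters):
        points["subject_all_caps"] = 2.0
    # Contact address written in the body although it is already a header address.
    header_addrs = {parseaddr(msg.get(h, ""))[1].lower()
                    for h in ("From", "Reply-To")}
    header_addrs.discard("")
    if header_addrs & {a.lower() for a in ADDR_RE.findall(text)}:
        points["contact_address_in_body"] = 2.0
    return points


def has_large_image(msg):
    return any(part.get_content_maintype() == "image"
               and len(part.get_content()) >= IMAGE_BONUS_BYTES
               for part in msg.iter_attachments())


def naive_score(msg):
    """Whitelisting as the post describes it: a large picture lowers the score,
    whatever else the message contains."""
    score = sum(indicators(msg).values())
    if has_large_image(msg):
        score -= IMAGE_BONUS
    return score


def hardened_score(msg):
    """Grant the image discount only when no content indicator fired: if the
    text part already reads like a scam, the picture is probably the story."""
    ind = indicators(msg)
    score = sum(ind.values())
    if has_large_image(msg) and not ind:
        score -= IMAGE_BONUS
    return score


def build_sample():
    """Constructed message modelled on the posts: stock phrases in the text part
    and a JPEG attachment of exactly 200KB that would carry the 'story'."""
    msg = EmailMessage()
    msg["From"] = "John Doe <john.doe@example.com>"     # constructed address
    msg["Reply-To"] = "john.doe@example.com"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "URGENT BUSINESS PROPOSAL"
    msg.set_content("Dear Sir,\n\nI seek your assistance in a business opportunity.\n"
                    "Details are in the attached picture. Contact me at "
                    "john.doe@example.com\n")
    fake_jpeg = b"\xff\xd8" + b"\x00" * (IMAGE_BONUS_BYTES - 2)  # placeholder bytes, not a real image
    msg.add_attachment(fake_jpeg, maintype="image", subtype="jpeg",
                       filename="story.jpg")
    return msg


SAMPLE = build_sample()

if __name__ == "__main__":
    print("indicators:", indicators(SAMPLE))
    print("naive score:", naive_score(SAMPLE), "hardened score:", hardened_score(SAMPLE))
```

With the sample, the content indicators alone score 8.5. The naive filter subtracts 4 for the large picture and lets the message through at 4.5, which is the bypass the post describes; the hardened variant refuses the discount because the text part already fired and keeps the message above the threshold. Neither variant consults an RBL, in line with the observation that the message can be classified on content alone.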

Sorin Mustaca
Manager International Software Development

6 Patches from Microsoft; Vulnerability in Firefox 3.5

Microsoft has released 6 security bulletins, as announced. The actively exploited security hole in a video ActiveX component is fixed by the updates, as are flaws in DirectShow, the Embedded OpenType Font Engine, Virtual PC and Virtual Server, ISA Server and Office 2007. A fix for the recently discovered vulnerability in Office and ISA Server 2004 and 2006, which is also already being exploited on the net, is still missing though – so please apply the workarounds described in Microsoft's security advisory or use the provided Fix-it tool.

According to the Exploitability Index in the security bulletin summary, Microsoft expects exploits for all fixed vulnerabilities within the next 30 days. The patches should therefore be applied as soon as possible to protect your own computer and/or network.

The Mozilla Foundation has issued a warning about a security hole in the Just-in-Time compiler for JavaScript in the new Firefox 3.5 web browser. As exploit code is already publicly available, they recommend turning off the compiler temporarily. From the security advisory:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content to set its value to false.

The developers are currently working on a fix. Until then it is a good idea to implement the described workaround.

Dirk Knop
Technical Editor