September 30, 2009, 7:51 am
We are currently delivering another huge update to our clients. As a result, users of the free Avira AntiVir Personal may currently have trouble getting their updates quickly.
The situation should improve today or tomorrow. We hope to have our improved, faster system up and running for the next big update so that this situation won’t come up again!
Please be patient – the update will be over soon! By the way, as usual, users of Avira AntiVir Premium, Avira Premium Security Suite and the Professional products are not affected – they have dedicated download servers and reserved bandwidth available.
Dirk Knop
Technical Editor
September 28, 2009, 6:01 pm
10 days ago, the first exploit code for the security vulnerability in the SMBv2 protocol appeared in the underground. Today, working exploit code for the open source penetration testing framework Metasploit was released. With it, cybercriminals can produce malware which infects vulnerable systems – Windows Vista, Windows Server 2008 and Windows 7 up to Release Candidate 1.
Administrators should now take countermeasures if they haven’t done so yet. Microsoft doesn’t provide a patch to solve the issue, but offers a “1-click tool” which disables the SMBv2 service on the affected systems. This can have a small performance impact. Another solution suggested by Microsoft is to block traffic to TCP ports 139 and 445 – which would disable Windows network sharing altogether.
We’re constantly monitoring the malware scene – if malware using this attack vector appears, we can protect our customers very fast. Nevertheless, it is a good idea to implement the workaround with the Fix-it-for-me tool.
Dirk Knop
Technical Editor
September 28, 2009, 9:00 am
Our users located in the US are currently under attack from an IRS-themed malware/spam campaign. In the last 3 days we have constantly detected and blocked a spam outbreak containing links pointing to websites mimicking the IRS’s, which ask the users to download a ZBOT Trojan file.

Fig. 1: The spam mail pointing to the malware site.
All Avira products detect the Trojans as TR/Spy.ZBot (in several variants). Our users of Avira AntiVir Premium, Avira Premium Security Suite and WebGate are protected because the URLs are being blocked.
The emails embed the address of the recipient in the URL in order to confirm that somebody actually clicked on it: http://www.irs.gov.<host>.com/fraud_application/directory/statement.php?email=ngthisleter@<email.com>&tid=ngthisleter-00000174073547US

Fig. 2: The fake IRS site with the malware.
The URLs are highly volatile; we see them active only for a couple of hours. However, the hosts which serve the malware file called “tax-statement.exe” are still active. So please don’t follow those links!
Update from 30 September 2009: This spam wave has now come to an end; from one day to the next there were no new malware mails!
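A small triage routine for links of the kind described above, added here as an example (not Avira’s own code). It flags hosts that carry “irs.gov” as leading labels but belong to another domain, query strings that carry an e-mail address as a click beacon, and direct .exe downloads; the sample links are constructed with placeholder hosts and addresses.

```python
import re
from urllib.parse import urlsplit, parse_qs

LEGIT_DOMAIN = "irs.gov"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample links (placeholder hosts and addresses, not campaign data);
# the second one follows the shape of the URL quoted in the post.
SAMPLE_LINKS = [
    "https://www.irs.gov/individuals/get-transcript",
    "http://www.irs.gov.example-host.com/fraud_application/directory/statement.php"
    "?email=victim@example.org&tid=victim-0000000000US",
    "http://irs.gov.example-host.net/statement.php?email=victim@example.org",
    "http://example-host.com/fraud_application/tax-statement.exe",
]

def registrable_domain(host: str) -> str:
    """Last two labels of the host (sufficient for .gov/.com/.net here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_irs_lookalike(url: str) -> bool:
    """True when 'irs.gov' appears as a label sequence inside the host but the
    host really belongs to another domain, e.g. www.irs.gov.<host>.com."""
    host = (urlsplit(url).hostname or "").lower()
    return f".{LEGIT_DOMAIN}." in f".{host}." and registrable_domain(host) != LEGIT_DOMAIN

def tracking_email(url: str):
    """E-mail address carried in the query string (used as a click beacon), or None."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            if EMAIL_RE.match(value):
                return value
    return None

def is_exe_download(url: str) -> bool:
    """The campaign's payload was an .exe served from the spam hosts."""
    return urlsplit(url).path.lower().endswith(".exe")

CHECKS = [("lookalike host", is_irs_lookalike),
          ("e-mail beacon in query", lambda u: tracking_email(u) is not None),
          ("executable download", is_exe_download)]

def triage(links):
    """Return (url, [names of matched checks]) pairs; an empty list means clean."""
    return [(u, [name for name, check in CHECKS if check(u)]) for u in links]

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_LINKS):
        print(("BLOCK " if reasons else "ok    ") + url, ", ".join(reasons))
```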
Sorin Mustaca
Manager International Software Development
September 28, 2009, 8:15 am
The 3rd and last day of the VB Conference was less crowded than the other two days, but it was by far the most interesting.

The first half of the technical track was dedicated to spam. The speakers presented methods of combating email spam and social networking spam, and of testing antispam products (for email).
In the second part of the day there was a discussion about how dangerous JavaScript is and that any website that uses it can theoretically be exploited. JavaScript is also heavily used in Firefox plugins, and a speaker presented how a computer can be compromised with a malicious plugin.
In the corporate track there were presentations about Web 2.0 issues, its threats and possible targets, deployment of AV updates, and automatic malware analysis and classification.
The conference ended with a panel discussion about “Free AV vs. Paid AV and Rogue AV”. The discussions were not as intense as one would expect, because the 3 companies that provide free AV solutions were not represented on the panel. The panel discussion was more of an entertainment item in the conference’s program.
Sorin Mustaca
Manager International Software Development
September 25, 2009, 10:14 am
The second day of the VB Conference was also very interesting, so we had to split up in order to cover as many presentations as possible. The most interesting presentations in the Corporate track, from my point of view, were those about the need for standardization of malware testing and about how to raise alert levels in case of outbreaks.
In the Technical track there were presentations about crowd-sourcing (using human input to solve different problems), threats on Twitter, and the possibility of creating iPhone v3 malware and botnets.
Another hot topic was cloud computing. Two perspectives were shown: the testers’ point of view and the developers’ side. Fortunately, both sides agree on a central point: in-the-cloud computing is not the holy grail of the antivirus and antispam industry. It helps to fix some of the problems, but it is definitely not the panacea, the solution to all problems.
A very interesting topic for me was the fact that the IEEE decided to get involved in the standardization of malware exchange between specially chosen companies. For this, a group was created inside the IEEE, called ICSG (Industry Connections Security Group). Another category of presentations was about the analysis of specific malware outbreaks like Koobface and Waledac.
Sorin Mustaca
Manager International Software Development
September 24, 2009, 9:18 am
The first day of VB Conference 2009 in Geneva was very interesting in both tracks (Corporate and Technical).
The speakers in the Technical track showed various techniques for analyzing malware at the lowest level, described problems from the past and how they reacted at that time to solve the issue. The question of the day was: Would it have been so bad if the vulnerability hadn’t been made public (fixed silently)?

The corporate track was a little less crowded, but still very important questions arose. The most important: Isn’t cybercrime as bad as classical crime? If it is, shouldn’t the classical police take care of the online fraudsters?
Several speakers pointed out that despite being the “good guys”, their companies got sued by fraudsters trying to force them to remove the detection of their software. Avira has had the same problems in the past, when dialers were detected, as well as in the present, when fraud websites are being blocked. In both cases the business model of the fraudsters was damaged and they took the issue to court.
Sorin Mustaca
Manager International Software Development
September 23, 2009, 10:20 am
Today the VB Conference 2009 in Geneva has started!

According to the VB Team, this year’s number of registered participants is a record – despite the global economic crisis.

There are a lot of good papers in both the Technical and the Corporate track.
We’ll keep you updated with details of the conference.
Sorin Mustaca
Manager International Software Development
September 22, 2009, 6:57 am
During the last weekend, a package appeared on a popular BitTorrent site that allegedly contains Avira AntiVir Premium and a so-called keygen. A keygen is a tiny piece of software that calculates a license number for a commercial product, for free.
Upon starting the supposed keygen, instead of providing the user with a serial number, it infects the system. It drops three files on the hard disk:
<%AllUsers Profile%>\Local Settings\Application Data\scvhost.exe
C:\Sys.exe
C:\autorun.inf
The dropped scvhost.exe also gets added to the autorun registry keys so that it is executed after every reboot. The autorun.inf and sys.exe aren’t only created on the system hard disk, but also on all removable drives. This seems to be the spreading mechanism of the worm.
If you take a closer look at the malware, one thing surely catches your attention. At the end you find the string “VaQxiNe-steam=1firefox=1cookies=1sandboxie=1zonealarm=1wireshark=1anubis=1virtualpc=1keyscrambler=1startup=1usb=1task=1”. This hints that the Vaqxination toolkit was used. The construction kit has some features interesting for cybercriminals:

Fig. 2: The Malware Toolkit used to create the worm.
Further features of the toolkit, according to the advertisement of the toolkit’s programmer:
- Vista UAC Bypass
- Run-as-admin Bypass
- Fully stealth
- “Legit” Windows Process
- Stronger output encryption
- Only 15 US-$ for the Toolkit.
That string seems to be the configuration that the malware creator used with the malware construction kit. The features seem to work as described; for example, the malware is undetectable by the Anubis sandbox system:

Fig. 1: The autorun-worm uses some anti-sandboxing tricks.
The Vaqxination Malware Construction Toolkit currently steals passwords from Firefox and Steam and also logs all keystrokes. Those log files get sent to the email account the creator chose before building the malware.
Avira detects the bogus key generator as Worm/Autorun.sxa with VDF version 7.01.06.18. Keygens have long been a simple way for malware authors to infect user PCs. If an antivirus solution warns about malware within such a keygen, this is nearly always a correct detection – the probability of a false positive is extremely low. Also, the websites where such keygens are usually offered often try to infect PCs via drive-by downloads. So be very careful when searching for software like this!
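A small scanner for the trailing configuration string described above, added here as an example (not Avira’s detection code). It locates the “VaQxiNe-” marker, parses the concatenated key=value flags, and groups the enabled ones by what they tell a defender; the sample byte string is constructed, and the grouping is my reading of the flag names rather than documented toolkit behaviour.

```python
import re
import sys

# Constructed stand-in for the tail of the dropped binary: the same trailer
# format as quoted in the post, padded with NUL bytes. Not the real sample.
SAMPLE_TAIL = (
    b"\x00" * 16
    + b"VaQxiNe-steam=1firefox=1cookies=1sandboxie=1zonealarm=1"
    b"wireshark=1anubis=1virtualpc=1keyscrambler=1startup=1usb=1task=1"
    + b"\x00" * 4
)

MARKER = b"VaQxiNe-"
RUN_RE = re.compile(rb"(?:[a-z]+=[01])+")   # flags are glued together, no separator
PAIR_RE = re.compile(rb"([a-z]+)=([01])")

# My grouping of the flag names (assumed from the names, not from the toolkit docs).
STEALS = {"steam", "firefox", "cookies"}
EVADES = {"sandboxie", "anubis", "virtualpc", "wireshark", "zonealarm", "keyscrambler"}
PERSISTS = {"startup", "usb"}

def extract_config(blob: bytes) -> dict:
    """Return {flag: enabled} from the last 'VaQxiNe-' trailer, or {} if none."""
    pos = blob.rfind(MARKER)
    if pos < 0:
        return {}
    run = RUN_RE.match(blob, pos + len(MARKER))
    if not run:
        return {}
    return {k.decode(): v == b"1" for k, v in PAIR_RE.findall(run.group(0))}

def summarize(cfg: dict) -> dict:
    """Sort the enabled flags into capability groups for a quick triage report."""
    on = {flag for flag, enabled in cfg.items() if enabled}
    return {
        "steals": sorted(on & STEALS),
        "evades": sorted(on & EVADES),
        "persists": sorted(on & PERSISTS),
        "other": sorted(on - STEALS - EVADES - PERSISTS),
    }

if __name__ == "__main__":
    # Scan a file given on the command line, otherwise the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TAIL
    cfg = extract_config(data)
    print("Vaqxine trailer found" if cfg else "no Vaqxine trailer")
    for group, flags in summarize(cfg).items():
        print(f"  {group:9s} {', '.join(flags) or '-'}")
```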
Dirk Knop
Technical Editor
September 21, 2009, 8:10 am
I received today what I think is the longest Nigerian scam I have ever seen. Nothing special in the text, except maybe that it is written with only a few punctuation marks and in terrible English.

Fig. 1: The longest Nigerian scam I've seen yet.
The special thing about it is that it has 1253 words on 50 lines. As you can imagine, on a computer with a decent resolution you have to scroll quite a lot in order to see the entire email. That’s also because Outlook wraps the words and the message gets even longer.
Did you ever receive a Nigerian Scam so long? If you did, then please send it to us at antispam@avira.com.
Sorin Mustaca
Manager International Software Development
September 19, 2009, 5:00 pm
I usually sort the spams I receive in my personal email by the date I received them. I do this once a week and then I move them to the spam archive. This time, two emails drew my attention because they were very old: 23.05.2009. Well, considering the above mentioned rule, this is simply not possible. This is a very old method of drawing the reader’s attention by being positioned either first or last. So, I decided to take a closer look at them.

Fig. 1: Roulette spam mail
The email seems to be someone’s reply to a friend’s request to share some tricks about playing roulette. The idea is simple… play the same color and raise the bet by a factor of 2.5 until you win. I wondered why exactly 2.5 and what happens if you change the ratio. Let’s have a look at the mathematics of this rule to see if it is indeed correct all the time.
I wrote a small Perl script to simulate the roulette play. Let’s see how it goes:
| Betting | Possible loss | Possible win |
| --- | --- | --- |
| 3 $ | 4 $ | 2 $ |
| 8 $ | 11 $ | 5 $ |
| 20 $ | 28 $ | 12 $ |
| 50 $ | 70 $ | 30 $ |
| 125 $ | 175 $ | 75 $ |
So, the algorithm is clear and is correct. Where is the catch? Why 2.5?
Let’s simulate with a ratio of 2:
| Betting | Possible loss | Possible win |
| --- | --- | --- |
| 2 $ | 3 $ | 1 $ |
| 4 $ | 6 $ | 2 $ |
| 8 $ | 12 $ | 4 $ |
| 16 $ | 24 $ | 8 $ |
| 32 $ | 48 $ | 16 $ |
The winnings are no longer so interesting when using too small a ratio. One has to play a lot in order to win something substantial in this case. The catch is that you have to keep playing with a decent ratio of at least 2.5 until you win. If you stop, you lose all you have invested so far.
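An independent simulation of the betting progression, added here as an example; it is not the post’s Perl script, and it generalizes to any ratio while also computing the bankroll a losing streak consumes and how likely that streak is. It assumes an even-money bet on a colour, each bet rounded up to whole dollars, a starting bet of 1 $, and a single-zero wheel (a colour bet loses with probability 19/37), so its figures come from that model rather than from the tables above.

```python
from fractions import Fraction
from math import ceil

# Assumed model: even-money colour bet on a single-zero wheel, so the bet
# loses on 19 of 37 pockets. Bets are rounded up to whole dollars.
P_LOSE = Fraction(19, 37)

def progression(ratio, start=1, rounds=6):
    """Rows of (bet, staked so far including this bet, net result if this
    spin finally wins) for a streak of `rounds` spins at the given ratio."""
    r = Fraction(ratio)
    rows, bet, staked = [], start, 0
    for _ in range(rounds):
        rows.append((bet, staked + bet, bet - staked))
        staked += bet
        bet = ceil(bet * r)
    return rows

def bankroll_to_survive(ratio, losses, start=1):
    """Cash needed to place the bet that follows `losses` consecutive losses."""
    return progression(ratio, start, losses + 1)[-1][1]

def streak_probability(losses):
    """Chance of losing `losses` even-money spins in a row."""
    return P_LOSE ** losses

if __name__ == "__main__":
    for ratio in (2.5, 2):
        print(f"ratio {ratio}: bet / staked so far / net if this spin wins")
        for row in progression(ratio):
            print("  %5d %6d %6d" % row)
    for n in (5, 8, 10):
        print(f"{n} losses in a row: need ${bankroll_to_survive(2.5, n)}, "
              f"probability {float(streak_probability(n)):.2%}")
```

With ratio 2.5 the net win does grow from spin to spin, but the money at risk grows faster still: after five straight losses the sixth bet alone is 125 $ on top of 82 $ already lost.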
Behind this clever way of advertising is an online casino website which works only if you install its software on your PC. I downloaded the software and Avira promptly detected it as GAME/Casino.Gen. Avira AntiSpam detects the email as spam with probability “very high”. Unfortunately, Google loses again at protecting the world from its users: the spam email was sent through a Gmail account.
As usual, we advise everybody never to fall for such scams. Even if you win online, it is possible that the software you install brings some other “surprises” with it. And I am not referring to money.
Sorin Mustaca
Manager International Software Development