Archive for October 2009

Firefox 3.5.4 closes 11 security holes

The Mozilla Foundation has just released Firefox 3.5.4. The new version closes 11 security holes, 6 of which the Mozilla developers rate as critical. Such vulnerabilities can be abused by cybercriminals to inject malicious code, such as a Trojan, onto the computer. The release also fixes a few issues that are not security related.

Some of the bugs also affect earlier versions of the Mozilla browsers and are fixed in Firefox 3.0.15 (although updating to Firefox 3.5 is recommended) and in SeaMonkey 2.0. Thunderbird is not mentioned in the security advisories.

As some of the vulnerabilities are quite serious security issues, users should update the software as soon as possible. The easiest way is to go to the “Help” menu and choose “Check for Updates”.

Dirk Knop
Technical Editor

Facebook Password Reset turns out to be Malware

Email malware is really getting trendy again. This time the malware authors use another social engineering scam: the spam mails claim that the password for the recipient's Facebook account has been reset. To obtain the new password, the recipient is urged to open the attached ZIP file, which in turn contains the malicious .exe file.

Fig. 1: This fake email is trying to make the recipient execute the attached malware.

Such emails were already successful a few years ago. I thought we wouldn’t see them again, as people should know by now not to execute attachments from emails they didn’t request. Anyhow, the recent spam waves teach us otherwise.

So please, remember the drill: if someone sends an email with an attachment, make sure that the sender is real and that he/she really intended to send you that file. Otherwise it is most likely malware. In any case, keep your antivirus software up to date so it can detect new malware.

Avira products detect the attached malware from this spam wave as TR/Dldr.Bredolab.AX with the VDF update to version 7.01.06.155.

Dirk Knop
Technical Editor

Koobface variant used for Captcha breaking

A new Koobface variant is currently spreading in the wild. New variants are not unexpected, but this one has an unusual feature: once the malware is installed on the computer, it locks the Windows desktop every so often and forces the user to solve a Captcha. The user has 3 minutes to solve it, otherwise the malware threatens to shut down the computer. It doesn’t actually shut it down, though; the message window just stays on the desktop and keeps it locked.

Fig. 1: The new Koobface variant forces the user to solve Captchas.

If the Captcha is entered correctly, the desktop is unlocked again, but the malware will eventually open another pop-up. Avira detects the threat generically as TR/Downloader.Gen. It installs itself into the Windows directory and then downloads the actual Koobface malware; those files are detected as Worm/Koobface.cfm and Worm/Koobface.cci. This isn’t the end of the downloads yet: the Koobface components download further components, which Avira warns of as TR/Dldr.Small.anlx and TR/PSW.LdPinch.102400D, respectively. Avira users are thus protected from this threat.

Viktor Gräber
Virus Researcher

Twitter removes Spammers

After posting an article about Twitter spam recently, some people started to follow my Twitter feed. One of these users was an obvious spammer, though, who probably tried to distribute malware.

Unfortunately I was too slow in checking what the account was distributing. I can only guess that an account called Br.it.neyF***.Vids (drdtbwcxgaho) (some characters replaced with asterisks) might distribute links to some known fake codecs which are actually malware. Also, the avatar of the account was specially chosen to attract the attention of those interested in such matters (this is why I masked it out).


Immediately after I clicked on the account, I saw that Twitter had already blocked it, denying me the pleasure of reporting it as spam:


Nice to see that Twitter is not completely unaware of such things. By the way, this account fell into the spammer category according to the template I proposed in my earlier article about Twitter spam: zero followers, following many, only a few tweets. Definitely a spammer!

Sorin Mustaca
Manager International Software Development

Email malware returns

After last week’s outbreak of spam mails carrying malware disguised as settings for mail software (which is still ongoing; we still receive a lot of those mails), our analysts see a new batch of emails which contain a Trojan as attachment. These mails come with subjects like “Conflicker.B Infection Alert” and appear to come from someone called “Microsoft Windows Agent”.

Fig. 1: The email claims to carry a Conficker removal tool.

The mail claims that the network where the PC is located is infected with Conficker.B and that the ISP has informed Microsoft about that. The attached tool allegedly offers a free system scan.

The attachment is a FakeAV program, though; besides, Microsoft would never send out an executable attachment via email without prior consent. Do not execute the malware in the ZIP file from the mail! Avira detects it as TR/Vilsel.ior with VDF 7.01.06.127.

Dirk Knop
Technical Editor

Malware-Spam with alleged OWA settings

Our spam traps received a lot of spam emails last night which claim to lead to, or to include, a new settings file for Outlook Web Access (OWA). The mails appear to be sent by the technical staff of the recipient's domain and are quite well crafted. They are thus targeted at the organisation they are sent to.

Fig. 1: The spammed emails contain malware or link to it.

Different malware emails have been sent around: some directly include the malware as an attachment, others link to a web site where the malware can be downloaded (spear phishing). The Avira Risk Level indicates phishing level 4, which acknowledges increased phishing activity.

Fig. 2: Another variant of the email is pointing to a fake web site.

While the malware link in the HTML email is displayed as leading to the real domain, it actually points to a URL of the following form: http://EMAIL_DOMAIN.BADHOST.COM/owa/service_directory/settings.php?email=USER@EMAIL_DOMAIN&from=EMAIL_DOMAIN&fromname=USER . The recipient's own domain is thus placed as a subdomain of the attacker's host, so a recipient in a rush might believe he is on the real OWA web site.
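A check for exactly this display-text/target mismatch, written here as an added example (not Avira's code): it parses the links of an HTML mail body, compares the registrable domain of the visible text with that of the real href, and flags the victim domain embedded as a subdomain and the recipient address carried in the query string. The mail body, hosts and recipient address are constructed, and the registrable-domain helper is deliberately simplified.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample of such an HTML mail body (not a real capture): the visible text shows the organisation's OWA host, the href does not.
SAMPLE_HTML = (
    '<p>Please apply the new settings: <a href="http://example.com.badhost.example'
    '/owa/service_directory/settings.php?email=alice@example.com&amp;from=example.com'
    '&amp;fromname=alice">https://mail.example.com/owa/</a></p>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Simplified to the last two labels; real deployments use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def displayed_host(text):
    """Hostname if the link text itself looks like a URL or domain, else None."""
    if " " in text or "." not in text:
        return None
    return urlsplit(text if "://" in text else "http://" + text).hostname

def check_link(href, text):
    """Findings for one link; an empty list means nothing suspicious was seen."""
    findings, real_host, shown_host = [], urlsplit(href).hostname or "", displayed_host(text)
    if shown_host and registrable_domain(real_host) != registrable_domain(shown_host):
        findings.append("display/target domain mismatch")
        if real_host.startswith(registrable_domain(shown_host) + "."):
            findings.append("victim domain embedded as subdomain of the target host")
    if "@" in parse_qs(urlsplit(href).query).get("email", [""])[0]:
        findings.append("recipient address carried in the query string")
    return findings

def scan_mail(html):
    parser = LinkCollector()  # maps every link in the mail body to its findings
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]
```

Running `scan_mail(SAMPLE_HTML)` yields all three findings for the single link; a link whose text and href share the same registrable domain, or whose text is plain words like "click here", yields none.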

Fig. 3: The web site the mail points to looks convincing, too.

While Avira AntiSpam detects the emails as spam and the URLs are being blacklisted, the virus lab has released detections for the malware with a VDF update. The malware is detected as TR/Vilsel.iop and as TR/Spy.ZBot.9164.1, respectively, with VDF file 7.01.06.111. The Vilsel Trojan is yet another incarnation of the FakeAV plague, while the ZBot steals information.

Anyway, do not open these attachments or download the alleged settings files! They can lead to an infection of your system and put it under the control of the malware authors!

Dirk Knop
Technical Editor

Sorin Mustaca
Manager International Software Development

Adobe fixes Reader and Acrobat

Not only has Microsoft released a bunch of patches to close security holes in its products; Adobe now also ships updated software to fix several vulnerabilities in Adobe Reader and Acrobat which are already being attacked with specially prepared PDF documents to take control of vulnerable computers. Avira AntiVir protects its users and detects the currently circulating exploit PDF as Exp/Pidief.xam.

Users of Adobe Reader and Acrobat versions earlier than the new 9.2 are advised to install the updated software immediately to protect themselves from the attacks; Adobe rates the vulnerabilities as critical. New versions of Reader are available for Windows, Mac and Unix. Further links to updates for the different Acrobat versions are listed in Adobe's security advisory.

Dirk Knop
Technical Editor

A brief look at some Twitter Spam

Like many millions of other people, I also have a Twitter account. I never use it through the twitter.com website because I don’t really have time to tweet. But I have created an account on a website which automatically publishes any Avira Techblog post to my Twitter account. You may see them prefixed with “Avira Techblog:”. I sometimes write things through another service which publishes whatever I write to my Facebook, LinkedIn and Flickr accounts. So everything happens with only one click. This means that I very seldom visit these websites to publish something using their dedicated interface.


This weekend, however, I decided to pay Twitter a visit. This wasn’t because I had nothing to do, but because I noticed that I had a couple of new followers, which I suspected to be spammers. Usually, it is very easy to detect a spam account on Twitter: it follows a lot of users, it has 1 post, and it is usually followed only by a few persons. So, I took the first in the list:


Observe that this account follows 830 users and is followed by 47! And it has only one tweet, a URL pointing to an online brokerage website. If we check its followers, we see that some of them are similar accounts, but most of them are real persons who have posted recently. So it doesn’t really fit our profile.

Let’s see the next follower: 778 following, 0 followers, a single post. OK, it fits our template. The URL redirects to a porn website.


The other follower is following 790 users and is being followed by 3 real users. It has only one tweet, but it has some followers, so it doesn’t really fit our template. It points to the same porn site as the one before, using a different landing URL in order to get a different short URL from burnurl.com.

Last, but not least, is the glamorous Jaime from Seattle, with 1103 following and… record… 337 followers. “Jamie” is breaking another record as well: 727 tweets. Having a quick look at the tweets, I can clearly see that this is an industry…


Visiting that URL, we see a classic pyramid scheme for making money: a lot of people behind it, a strong marketing campaign, a really well-made website.


Having a look at the followers list, I see only real persons writing real tweets (no API-automated posts). All of them want to make money.

As a conclusion: Teaching people how to make money sells better than sex.

We strongly advise everybody never to fall for such scams, because not only will you not gain a thing, but you will probably lose a lot of money.

We all agree that Twitter should do something to stop these spams. But what?

There is no simple algorithm to detect these spam accounts. There are real people, probably desperate enough to accept and follow such information. How can an automated system decide whether an account is spammy or not?

The spam account has followers and posts, and there are real people behind those followers. Twitter’s Terms of Service don’t prohibit anyone from posting things like these.


You are no longer forced to follow your followers (as was the case at the beginning of Twitter), so theoretically anybody may follow you without you having to follow them.

Or should we maybe reconsider the definition of Twitter spam? I am afraid that, slowly, the coolness of Twitter will be buried under a huge amount of spam, and the same thing that happened to email may happen to Twitter as well.

Sorin Mustaca
Manager International Software Development

PS: I blocked the 4 spam accounts which were following my Twitter account.

Microsoft closes 34 Security Holes

Just as announced last Friday, Microsoft ships updates for plenty of products and closes 34 security holes. Many of them are rated critical, which means that attackers can compromise vulnerable systems remotely.

The patches affect the Windows operating systems from Windows 2000 up to the brand new Windows 7. The list of vulnerable software is lengthy too: Internet Explorer, Media Player, Office from XP up to 2007, .NET runtimes, SQL Server, Visual Studio 2003 up to 2008, Visual FoxPro, Report Viewer, the antivirus solution Forefront and Silverlight 2.

As the patches deal with critical security vulnerabilities, some of which are already being abused (like the FTP hole in IIS), it is advised to install them ASAP.

Dirk Knop
Technical Editor

Climbing and Falling

Last Friday and Saturday, many people from Avira’s technical department left their offices to take part in a team event in the Black Forest.

We used our creativity, we pushed our senses to the maximum and, last but not least, our muscles (yes, we do have such things).


Fig. 1: Ready at 3...!


Fig. 2: ...3!

Despite the bad weather (it was cold and raining most of the time), we had a lot of fun!

Sorin Mustaca
Manager International Software Development