Emails containing fake invoices from Zalando and Deutsche Bahn distribute malware

We wrote before about the clever methods used to trick users into doing things (such as executing files) that they would not normally do. Two weeks ago we saw a German-language mass mailing carrying a malicious payload disguised as invoices from Apple and Plus.de.

Cybercriminals are again sending personalized German-language emails pretending to come from the well-known website Zalando.de (shoes and women's accessories) and from Deutsche Bahn (the German railway company).


As before, the text addresses the recipient directly and threatens them so that they open the ZIP archive and execute the malicious file inside.

All payloads are detected by Avira products as TR/Jorik.Androm.pqr and HIDDENEXT/Worm.Gen.

 

Sorin Mustaca

IT Security Expert

Avira Server Security is Windows Server 2012 certified

Following the certification of Avira Free Antivirus and Avira Premium Security, we are happy to announce that Avira Server Security has obtained certification for Windows Server 2012.


 

You can download and test the product from here.

 

Sorin Mustaca

Product Manager

A new ransomware trojan variant with children pornography

We wrote about the ransomware trojan (aka the BKA trojan) and its new methods of blackmailing people into paying: it claims, in the name of an official institution, that the user did something illegal, such as storing child pornography pictures on the computer.

The new variant of the BKA trojan attempts to blackmail the owners of infected computers with four pornographic pictures of children (the previous version had only one picture). It pretends to come from the press office of the BKA.


But whereas the previous version only stated that the user was in possession of child pornography, this time the trojan actually copies the pictures onto the user's computer. To be even more credible, the trojan displays names and birth dates for the children in the pictures (to "prove" that they are minors).

As with the other known variants, the malware locks the user's computer and demands 100 € (about 135 USD), to be paid via Ukash or paysafecard. Failure to pay, it claims, means that all data on the computer will be destroyed and the user (identified by IP address and the browser's user agent string) will be convicted and punished. The cybercriminals constantly try new texts in order to look as convincing as possible.

The malware is distributed via drive-by downloads as an executable file with a temporary, changing name.

Various media reported that this new version also has better webcam support: if the computer's webcam is supported, users see themselves in a small picture on the screen. Unfortunately, our VLAB could not test this scenario at this time. This social engineering technique creates an acute sense of urgency because it conveys the message that the BKA is "watching" the user.

 

Starting with engine version 8.2.10.246, all Avira products detect the malicious files of the trojan with the generic detection TR/Crypt.ULPM.Gen. The pictures dropped on the user's computer are deleted as well. Please note that the full repair functionality is only available in the Windows products, not in the Rescue System or the command line scanner.

We strongly advise users never to pay the ransom. Use the Rescue CD to remove the malware from your computer, or ask an expert for help.

Sorin Mustaca

IT Security Expert

How to protect your social media account

You have heard in the press that many celebrities and companies have had their social media accounts hacked. Twitter even issued an official warning to press agencies to protect their accounts better.

Here are some useful tips on how to easily protect your account:

 

1. Protect your social media account with a strong password.

Here are some good tips on how to create a strong password.

 

2. Enable two-factor authentication whenever possible.

Two-factor authentication verifies not only that the user knows something (authentication via username/password) but also that he has something that only he can have (a phone, a hardware token, a one-time code) or is something (biometric data).

Here is how you can do this for the most common social media portals, and not only those.
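To make the "something you have" factor concrete, here is an added example (written for this page, not code from the original post or from any of the portals mentioned) of the one-time-code scheme most of these sites use for the second factor: TOTP, as defined in RFC 6238 on top of RFC 4226 HOTP. The phone side derives a six-digit code from a shared secret and the current time; the server recomputes it, tolerates a little clock drift, and refuses to accept the same code twice. The secret used is the RFC's published test secret; all function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Example code added for this page: a minimal TOTP generator and verifier
# (RFC 6238 on top of RFC 4226 HOTP). All names here are this example's own.
TIME_STEP = 30   # seconds per code
DIGITS = 6       # length of the displayed code

# The RFC 6238 reference secret, Base32-encoded the way a site shows it in a QR code.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Base32 as shown to the user -> raw key bytes (tolerates missing '=' padding)."""
    cleaned = secret_b32.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None) -> str:
    """What the phone app displays: HOTP with the counter derived from Unix time."""
    now = int(time.time()) if at_time is None else at_time
    return hotp(decode_secret(secret_b32), now // TIME_STEP)


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[int] = None,
                window: int = 1, last_used: int = -1) -> Optional[int]:
    """Server-side check. Returns the counter that matched (store it as the new
    `last_used` so the same code cannot be replayed) or None if the code is rejected.
    `window` allows +/- that many 30 s steps of clock drift between phone and server."""
    secret = decode_secret(secret_b32)
    now = int(time.time()) if at_time is None else at_time
    counter = now // TIME_STEP
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used:          # already consumed: reject replays
            continue
        # constant-time comparison so the check itself leaks nothing about the code
        if hmac.compare_digest(hotp(secret, candidate), submitted.strip()):
            return candidate
    return None


if __name__ == "__main__":
    # At the RFC's published test time (59 s) the app shows 287082; the server
    # accepts it once, and a second submission of the same code is rejected.
    code = totp(RFC_TEST_SECRET_B32, at_time=59)
    accepted = verify_totp(RFC_TEST_SECRET_B32, code, at_time=59)
    replayed = verify_totp(RFC_TEST_SECRET_B32, code, at_time=61, last_used=accepted)
    print(code, accepted, replayed)
```

The important property for an account owner is that the code is computed, not transmitted: a phished password alone does not let an attacker log in, and a code intercepted once is useless a minute later and cannot be replayed at all if the server tracks the last accepted counter as shown.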

 

3. Password protect your mobile device.

Many users access their social media accounts from mobile devices. But mobile devices, by their nature, are taken everywhere and sometimes get lost or stolen.

Make sure you protect your mobile device with a password or PIN, and encrypt it if possible.

Here are some tips on how to do this.

 

4. Don't use the same account for all your activities.

Create a separate computer account for each user and, if you work with sensitive data, even for each activity. Remember that browsers (and not only browsers) save confidential information in cookies and databases. This information is stored per user, so by creating an account for each user you make sure that this data does not reach the wrong person.

Here are some tips on how to do this.

 

5. Keep your computer clean.

Make sure that your computer is not infected with a keylogger when you work with social media. A keylogger copies everything you type and sends it to cybercriminals.

Always use antivirus software.

 

6. Protect your computer so that only authorized users can access it.

Even if the computer is not infected, others might have access to it. All websites allow users to save their login information so that they can access the site faster next time. The consequence is that if someone opens the browser and types the address of the social media website, they land in your account.

Here are some tips on how to protect your computer easily.

 

7. Change your password often.

No matter how secure your password is, it is necessary to change it regularly, and immediately whenever a portal you use announces a breach. Many portals get hacked, and attackers might get their hands on your password even if it is a good one.

 

8. Don’t use the same password on multiple accounts.

If one account gets hacked, it is only a matter of time until the attackers, starting from your email address, get into your other accounts.

 

9. Use a different email address and user name for each social media account.

By doing this, you make sure that an attacker has a hard time finding and taking over your other social media accounts.

 

10. Restrict user permissions.

On Facebook, for example, a page can have normal users and administrators.

By allowing too many administrators, you create many attack targets. It is also harder to control and protect so many accounts.

 

Sorin Mustaca

IT Security Expert

Avira Premium Antivirus is Windows 8 certified

As previously announced, we continue to improve the compatibility of our products with Windows 8.


After the Free Antivirus certification, we are happy to inform you that Avira Antivirus Premium is the next Avira product to be Windows 8 certified.


 

The certification of the other products will follow in the next weeks.

But don't worry: all other Home and Business products work very well on Windows 8; they are just not yet certified by Microsoft.

Sorin Mustaca

Product Manager

Planned cyberattack against the USA infrastructure (Updated)

After #OpIsrael against Israeli cyberspace, anonymous hackers calling themselves "N4m3le55 Cr3w" announced that they have scheduled another cyber attack on US-based websites and servers for 07/05/2013. Their announcement also explains the reason for the attack: "war crimes in Iraq, Afghanistan and Pakistan".


Also noteworthy is that the activists explain which means they will use to attack the US infrastructure:

We will now wipe you off the cyber map. Do not take this as a warning. You can not stop the internet hate machine from doxes, DNS attacks, defaces, redirects, ddos attacks, database leaks, and admin take overs.

I also find their advice to the American people extremely interesting:

And to the American people we suggest switching your bank accounts from a big bank to a local union.

Can it be that these guys don't understand that we live in an interconnected world, and that if they bring down the headquarters of a big bank, the entire system collapses?

The author of the announcement also lists the tools they will be using to attack the US cyber infrastructure.


 

The group has also posted a list of targets to be hit by this attack. The list contains a lot of .gov and .mil websites as well as well-known names of financial institutions.

No matter what this group does or tries to do, we do not think the impact on the infrastructure will be as massive as they claim. Maybe some websites will be defaced and some network segments in the USA will be slowed down for a while, but it is very unlikely that anyone will actually be harmed.

Nevertheless, we advise all readers to be aware that there will probably be many opportunistic criminals setting up phishing websites, which may well respond faster than the original websites.

 

Update 17:40 CET+1:

The top 10 websites mentioned here are alive and running smoothly. Can it be that the cyber-criminals are waiting for the start of the US business day? Or are they just not successful?

 

Sorin Mustaca

IT Security Expert

New movies, same old malware tricks

 

You probably don't live on this planet if you haven't seen at least the trailers of these two movies. And from curiosity there is only one step to social engineering of the masses.

Iron Man 3 and Star Trek – Into Darkness are the titles that make the news these days.


It didn't take long until various criminal groups started to exploit the news and published so-called "online" versions of the movies, meaning nothing more than online streaming.

We leave aside the legal implications of streaming a movie for free, as they are not the topic of this article.

If you run a Google search for "watch iron man 3 online", you get about 380 million results. Many of these pages lead you to a website that offers the movie, but only through some special codec or a "special version" of a known player.


 


There is nothing for free. Even if you don’t pay money, you pay by other means.

Once you download and install these programs, codecs, updates, or whatever the pages require, you open the virtual door of your computer to malware. The so-called player downloads various malware onto your computer, turning it into a bot.

We advise all users not to fall for these cheap tricks.

 

Sorin Mustaca

IT Security Expert

 

 

Emails containing fake invoices from Apple and Plus.de distribute malware

German users should be aware of a massive spam campaign with emails pretending to come from Apple and Plus.de (a discount retailer), containing an invoice for goods supposedly bought from their shop.



The so-called invoice is a ZIP archive containing a … SCR file. SCR is the classic extension for screen saver programs in Windows, and such files are ordinary executables. The file in the archive is called "Rechnung.scr" and it is currently detected by our products as TR/Rogue.957311 and TR/Kazy.169263.1.

So, what makes this spam campaign so special?

There are a couple of things that are not usually seen in such spam campaigns:

- They address the recipient by full name.

- The attached archive is called "<First Name> <Last name> Dritte Mahnung store.apple.com/de <registration number>.zip" or "Kaufvertrag <First Name> <Last name> Plus.zip".

- They make use of social engineering that targets the German-speaking countries directly. "Dritte Mahnung" is German and means the third demand-for-payment letter. Usually, after the third demand, companies hand unpaid invoices over to a lawyer. This is common knowledge in the German-speaking countries.
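Both this campaign and the Zalando/Deutsche Bahn one above rely on the same trick: an "invoice" ZIP whose only content is a Windows executable with a harmless-looking name. The following added example (written for this page, not code from the original posts) inspects a ZIP attachment before anything in it is opened, flagging executable extensions such as .scr, double extensions like "Rechnung.pdf.exe", and, more robustly, any member whose content starts with the PE "MZ" header regardless of what the name claims. The extension lists and the sample archive are this example's own; the sample contains only a two-byte header stub, not real malware.

```python
import io
import zipfile

# Example code added for this page (not from the original post). It inspects a
# ZIP attachment the way a mail gateway or a cautious user should, before anything
# inside is opened. Extension lists and sample files are this example's own.

# Extensions Windows runs when double-clicked; .scr (screen saver) is an ordinary PE executable.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "jar", "lnk", "ps1",
}
# Document-looking extensions that are abused as the first half of a double extension.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt", "htm", "html"}
PE_MAGIC = b"MZ"   # first two bytes of every Windows executable (EXE, DLL, SCR, ...)


def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member with the reasons it looks dangerous (empty = benign)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            parts = basename.lower().split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension .{ext}")
            if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
                reasons.append(f"double extension .{parts[-2]}.{ext} disguises the file type")
            # Look at the bytes, not the name: a renamed executable still starts with "MZ".
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            if head == PE_MAGIC:
                reasons.append("content starts with the PE 'MZ' header")
                if ext not in EXECUTABLE_EXTENSIONS:
                    reasons.append(f"executable content hidden behind non-executable extension .{ext}")
            findings.append({"name": info.filename, "reasons": reasons})
    return findings


def is_dangerous(data: bytes) -> bool:
    """True if any member of the archive raised at least one reason."""
    return any(f["reasons"] for f in inspect_zip(data))


def build_sample_zip() -> bytes:
    """Constructed sample modelled on the campaign: a fake invoice archive with a
    'Rechnung.scr' (tiny stub beginning with MZ), plus a real-looking PDF and a
    double-extension variant. Not real malware; the MZ stub is only a header."""
    fake_pe = PE_MAGIC + b"\x90" * 62          # DOS-header-sized stub
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Rechnung.scr", fake_pe)
        zf.writestr("Rechnung.pdf", b"%PDF-1.4\n%harmless sample document\n")
        zf.writestr("Kaufvertrag.pdf.exe", fake_pe)
        zf.writestr("Anhang/Rechnung.doc", fake_pe)   # executable content, document extension
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        status = "SUSPICIOUS" if finding["reasons"] else "ok"
        print(f"{status:10} {finding['name']}: {'; '.join(finding['reasons']) or '-'}")
```

The content check is the one that matters: Windows hides known extensions by default, so "Rechnung.scr" can be shown to the user as "Rechnung", and a .doc member that begins with "MZ" is an executable no matter what Explorer displays.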

 

We can only guess where the cyber criminals got the email addresses together with full names. They may have come from companies that were hacked previously (LinkedIn, Last.fm, Evernote, etc.).

 

 

Sorin Mustaca

IT Security Expert

Is your smartphone infected?

With the exponential growth in the use of mobile devices (smartphones, tablets), the number of threats has grown too. In fact, most of us forget our wallet at home more often than our mobile phone. Despite the fact that the smartphone has become a tool we have all become addicted to, many see it as just a simple tool.
Few think of their smartphone as a powerful computer with enough RAM and storage to hold a lot of data. If this data lands in the wrong hands, it can have serious financial, personal and professional repercussions.

This is probably also the reason why very few people protect their smart devices with a security solution.
For these people, and not only them, here is a short list of signs that can be associated with a malware infection of a mobile device.

 

Signs that your smart device might have malicious software installed

 

1. You notice that you pay more than usual for your mobile phone bill

This is a sign that a trojan might be sending SMS messages or making phone calls to premium-rate numbers, sometimes even overseas. The problem with these calls is that it is very hard to prove that you did not make them manually and intentionally. Most of the time the mobile operator will ask you to pay first and explain later.

 

2. Data usage increase

Malware usually sends your private data back to the cybercriminals who created it.
If you notice an increase in data usage, or if your provider throttles your data transfer because you consumed too much in a month, it might be a sign that malicious software is communicating without your knowledge.

 

3. Calls are interrupted often and SMSs don’t reach their destination

Even when you see maximum reception, sometimes the most basic functions of the phone don't work reliably.
Sometimes malware tries to intercept calls and even re-route them to more expensive numbers or through proxies.


 

4. Battery consumption grows unexpectedly

If you notice that the battery drains even though you are not using your phone more than usual, there might be a program residing in active memory. Such programs can be trojans that try to intercept the calls you make and the SMS messages you send.

 

5. Bad overall performance of the smartphone

If your smartphone becomes slower than usual and apps take much longer to start and run, something might be using the phone's CPU and memory. Review the apps you installed most recently and try uninstalling them to check whether one of them is consuming the resources. Note, however, that this might not solve your problem if you installed a malicious app: most malicious apps install a backdoor on the device and download additional payloads without you noticing.

 

6. Apps crash unexpectedly

If apps that used to work without problems and have not been updated lately suddenly start to crash, it might be a sign that something is interfering with their functionality. It could also be that your smartphone no longer has the resources to run the app because something else is using them (see 5).

 

How to prevent infections

 

1. Don't install apps from outside the official stores

The official app stores have a process for filtering apps, so there is a good chance that malicious or simply buggy apps don't make it in.

 

2. Always check the reputation of an app before you install it

There is a high probability that someone has tested and rated it before you.

 

3. Check the permissions the app requires. If it asks for too much, something is probably wrong.

There is no reason why a game should require permission to send text messages or make phone calls, and these are just a few examples. If you notice that an app intended for one purpose requires permissions for actions not usually associated with that purpose, report it immediately to the store provider. And of course, don't install it.
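The rule in tip 3 can be applied mechanically before an app ever reaches the phone. The added example below (written for this page, not code from the original post or from Avira) reads the permission list that the Android SDK tool `aapt dump permissions app.apk` prints for an APK, and reports every money-costing or communication-reading permission that an app of the stated kind has no business asking for: a game requesting SEND_SMS and RECEIVE_SMS is exactly the pattern described above. The risk table, the per-category expectations, the package name and the sample dump are this example's own; the two line formats handled are an assumption about older and newer aapt builds.

```python
import re

# Example code added for this page (not from the original post). It applies the
# rule in tip 3 mechanically: compare the permissions an APK declares with what
# an app of its kind plausibly needs. Permission sets and the sample dump below
# are this example's own choices.

# Permissions that cost money or expose communications when a random app holds them.
RISKY = {
    "android.permission.SEND_SMS": "send SMS (premium-rate fraud)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (e.g. banking mTANs)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.CALL_PHONE": "place calls without confirmation",
    "android.permission.PROCESS_OUTGOING_CALLS": "see and redirect outgoing calls",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.READ_PHONE_STATE": "read IMEI/phone number and call state",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start itself at every boot (persistence)",
}

# What each kind of app can legitimately justify; anything risky beyond this is flagged.
EXPECTED = {
    "game": set(),
    "messenger": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.READ_SMS", "android.permission.READ_CONTACTS"},
    "dialer": {"android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS",
               "android.permission.READ_PHONE_STATE", "android.permission.READ_CONTACTS"},
}

# Matches both output styles of `aapt dump permissions app.apk` (assumption: newer
# builds print name='...', older ones print the bare permission name).
PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?", re.M)


def parse_permissions(aapt_output: str) -> set[str]:
    """Extract every declared permission name from an aapt permission dump."""
    return set(PERM_RE.findall(aapt_output))


def review_app(aapt_output: str, category: str) -> list[tuple[str, str]]:
    """Return (permission, why it matters) for every risky permission the app
    declares that an app of `category` has no business asking for."""
    allowed = EXPECTED.get(category, set())
    return sorted((p, RISKY[p]) for p in parse_permissions(aapt_output)
                  if p in RISKY and p not in allowed)


# Constructed sample in the format aapt prints; the package name is made up.
SAMPLE_GAME_DUMP = """\
package: com.example.freegame
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: android.permission.READ_PHONE_STATE
"""

if __name__ == "__main__":
    # A "free game" that wants to send and receive SMS and survive reboots.
    for perm, why in review_app(SAMPLE_GAME_DUMP, "game"):
        print(f"{perm}: {why}")
```

The same dump reviewed as a "messenger" would only flag boot persistence and phone-state access, which is the point: a permission is not suspicious by itself, only in relation to what the app claims to be for.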

 

4. Install security software for mobile devices.

In the last two years, more and more security providers have expanded their portfolios to mobile devices. Avira also offers a free security tool for Android.

 

Sorin Mustaca

IT Security Expert