Avira switches to new update system

Due to the fast-growing amount of malware in the wild, our virus definition files grow fast as well. We have monitored the situation with our updates very closely. We realise that users of the free Avira AntiVir Personal recently had issues fetching updates in time, and we came up with a few ideas for solving the problem and better satisfying the needs of our users.

Two of these ideas are being put into practice today. First, we switch from our current virus definition file format (called iVDF) to a new format called nVDF. iVDF consists of 4 VDF files, while nVDF uses at least 32 files – with this finer split we need to transfer less data to update our virus definitions in the future.

This means that, starting today, we need to deliver about 25 MByte to every Avira installation to switch it to the new update system. This might lead to delays for some users, especially users of our free version Avira AntiVir Personal. Just to give an idea of what we’re talking about here: more than 100.000.000 users are trying to get the update more or less on the same day. That is more than 2.5 Petabytes (or 2,500 Terabytes) of traffic.
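The reason a finer file split saves traffic is that a client only has to fetch the files whose contents changed. The following Python is an added example (not Avira's updater code) that models this: the server publishes a manifest of per-chunk SHA-256 digests, the client compares it with the manifest of what it already has and downloads only the chunks that differ. The file counts 4 and 32 are taken from the post; the 64 KiB definition set and the 1 KiB patched region are constructed for the demo.

```python
"""Added example (not Avira's code): why publishing virus definitions as many
small files instead of a few large ones cuts update traffic.

The server publishes a manifest of per-chunk SHA-256 digests; a client compares
it with the manifest of the definitions it already has and downloads only the
chunks whose digest changed.  File counts 4 and 32 follow the post; the
definition bytes and the patched region are constructed for this demo."""
import hashlib
import random


def split(data: bytes, n_chunks: int) -> list:
    """Cut data into n_chunks pieces of equal size (the last one may be shorter)."""
    size = -(-len(data) // n_chunks)  # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]


def manifest(chunks: list) -> list:
    """Per-chunk digests, in order; this is what the update server publishes."""
    return [hashlib.sha256(c).hexdigest() for c in chunks]


def bytes_to_update(old: bytes, new: bytes, n_chunks: int) -> int:
    """Bytes a client holding `old` must download to end up with `new`
    when the definitions are published as n_chunks files."""
    old_chunks, new_chunks = split(old, n_chunks), split(new, n_chunks)
    old_digests, new_digests = manifest(old_chunks), manifest(new_chunks)
    downloaded = 0
    for i, digest in enumerate(new_digests):
        # A chunk is fetched only if the client has no chunk at this index
        # or its digest no longer matches the published one.
        if i >= len(old_digests) or old_digests[i] != digest:
            downloaded += len(new_chunks[i])
    return downloaded


def apply_patch(data: bytes, offset: int, replacement: bytes) -> bytes:
    """Constructed stand-in for a definition update that rewrites one region."""
    return data[:offset] + replacement + data[offset + len(replacement):]


# Constructed 64 KiB definition set, deterministic so the numbers stay stable.
OLD = random.Random(1).randbytes(64 * 1024)
# One 1 KiB region of signatures is replaced at offset 8192.
NEW = apply_patch(OLD, 8192, b"\xab" * 1024)


def traffic_comparison() -> dict:
    """Bytes per client for the two layouts discussed in the post."""
    return {n: bytes_to_update(OLD, NEW, n) for n in (4, 32)}


if __name__ == "__main__":
    for n, size in traffic_comparison().items():
        print(f"{n:>2} files: {size:6d} bytes per client for the same 1 KiB change")
```

With 4 files the client re-downloads a whole 16 KiB file for a 1 KiB change; with 32 files it downloads 2 KiB. In a real updater the manifest must be signed by the vendor, not merely hashed, otherwise a compromised mirror or CDN node could serve altered chunks together with a matching manifest.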

To ease the bandwidth bottleneck, we decided to additionally use a Content Delivery Network (CDN). We first tested a CDN built up by our current Internet service provider. Shortly after activating the CDN, the redirectors – which redirect update requests to servers close to the user’s location – were overloaded and couldn’t answer the requests anymore. The situation was resolved a little later, but that CDN isn’t big enough yet to spread this huge update in time. So we decided to switch to a global player in the CDN market to deliver the update.

We hope that the data is transferred much faster this way, so that users of the free Avira AntiVir Personal can also enjoy their security solution without any problems: after this update the situation will get much better for users of Avira AntiVir Personal.

N.B.: Users of commercial Avira products like Avira AntiVir Premium, Avira Premium Security Suite or Avira AntiVir Professional don’t face any of these problems, as they access our servers with reserved bandwidth.

Dirk Knop
Technical Editor

Spam hosted by Google Notebook

Most of the spam emails circulating these days contain one or two URLs showing a picture and pointing to the spam website. Something like this:
<a href="http://spam-site.com"><img src="http://picture-site.com/picture.jpg"></a>

Some spam messages also contain URLs pointing to highly reputable websites like msn.com, Microsoft.com and others. This technique is used to confuse spam filters by poisoning the spam content. Basically, we have some suspicious URLs (or should I call them malicious?) which can be blacklisted without any problem.

The spammers are, of course, aware of this and found different vectors for advertising their URLs a long time ago: through various groups (Yahoo, Google, etc.), blogs, social networking sites like Twitter, Google Docs, search engine redirects, and so on.

Another method, which was not used much until recently, is Google Notebook. Some days ago I stumbled upon a spam email containing nothing but a single URL pointing to Google Notebook: http://google.com/notebook/public/<large-number>/<large-text>.

[Screenshot: 01-googlenotebook-site]

After clicking on the picture, the user is redirected to an intermediary page for a couple of seconds. This intermediate site then redirects the user to a pharmacy site.

[Screenshot: 02-googlenotebook-meds-site]

This looks like a “usual” meds advertisement for German customers. But before closing the website, the link “More by >>” caught my eye, so I followed it:

[Screenshot: 03-googlenotebook-spam]

Obviously, this “campaign” already started in February this year and is still ongoing. All of the notes were still active except the two from February.

As this spam method has a little new twist, we took a closer look at it: in the first image of this article we see that Google assumes no responsibility for the content of Notebook entries. This is expected – but how can I report this as spam? It is not possible, as we’re talking about a major service like Google here.

Out of interest I tried to reproduce how they added a picture to the note. This does not seem to be supported by Google Notebook.

[Screenshot: 04-googlenotebook-mytest]

The first link in my test note goes to www.avira.com, the second one to a picture from the TechBlog. As you can see, no image appears, even though I activated the option to include miniature previews that Google Notebook offers.

How did they manage to show that picture automatically, with a link on it? Looking at the source code of the note, we see exactly the pattern from the example at the beginning of the article: <a href="http://spam-site.com"><img src="http://picture-site.com/picture.jpg"></a>

In this case, http://picture-site.com is http://www.google.com/base_media?hl=en&fact=12e&size=3&q=<url>, and <url> points to the picture, hosted somewhere.
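For a mail or content filter, the two tell-tale signs in this note are an image wrapped in a link to a different host, and an image URL that is really a proxy carrying the actual picture URL in a query parameter. The Python below is an added example (not Avira's filter code) that extracts every linked image from a piece of HTML and reports both signals. The sample note source is constructed; hosts ending in .example are placeholders, and REDIRECT_PARAMS is an assumed list of parameter names, not an official one.

```python
"""Added example (not Avira's code): detection of the linked-image pattern the
post describes, `<a href=spam-site><img src=picture-site></a>`, in the HTML of a
message or note.  Every image is paired with the link that wraps it, then two
signals are reported: the link host differs from the image host, and the image
URL is really a proxy/redirector that carries the actual picture URL in a query
parameter (the base_media?q=<url> form seen in the post).

The sample HTML below is constructed; hosts ending in .example are placeholders.
REDIRECT_PARAMS is an assumed list of parameter names, not an official one."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

REDIRECT_PARAMS = ("q", "url", "u", "redirect", "target")


class LinkedImageCollector(HTMLParser):
    """Collects (href, img_src) for every <img> nested inside an <a>."""

    def __init__(self):
        super().__init__()
        self.current_href = None
        self.pairs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.current_href = attrs.get("href")
        elif tag == "img" and self.current_href:
            self.pairs.append((self.current_href, attrs.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "a":
            self.current_href = None


def host(url: str) -> str:
    """Lower-cased host part of a URL, empty string if there is none."""
    return (urlparse(url).hostname or "").lower()


def embedded_target(url: str):
    """Return the absolute URL hidden in a redirector/proxy query string, else None."""
    query = parse_qs(urlparse(url).query)
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def analyse(html: str) -> list:
    """One finding per linked image; `suspicious` is True when either signal fires."""
    parser = LinkedImageCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, src in parser.pairs:
        via_proxy = embedded_target(src)
        # Compare the link host with the host that really serves the picture.
        mismatch = host(href) != host(via_proxy or src)
        findings.append({
            "href": href,
            "img": src,
            "img_via_proxy": via_proxy,
            "host_mismatch": mismatch,
            "suspicious": mismatch or via_proxy is not None,
        })
    return findings


# Constructed note source: the first entry mimics the spam pattern, the second is benign,
# the third image is not linked at all and is therefore ignored.
SAMPLE = """
<div class="note">
  <a href="http://spam-site.example/buy"><img
     src="http://www.google.com/base_media?hl=en&fact=12e&size=3&q=http://picture-host.example/pills.jpg"></a>
  <a href="http://www.avira.com"><img src="http://www.avira.com/images/logo.png"></a>
  <img src="http://www.avira.com/images/unlinked.png">
</div>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        label = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{label:10} {finding['href']} -> {finding['img_via_proxy'] or finding['img']}")
```

The host comparison uses the picture's real host when a proxy is detected, so a spam site that hides its image behind a reputable image proxy still shows up as a mismatch; an honest page that links its own image to its own site produces no finding.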

Maybe it is just a delay on Google’s side or a hiccup that no image or preview showed up in my note in my tests. I will continue to investigate this and post the results. If you know how to add such a linked image to a note, please let me know!

Sorin Mustaca
Manager International Software Development

Fake “Conflicker.B” alert mails

In a currently active spam wave, fake alert emails clog the inboxes of Internet users. The mails pretend to come from Microsoft Support and make the recipient believe that the computer is infected with Conflicker.B (and/or Conficker.B; both name variants appear in the mail). The attachment is allegedly a cleaning tool – but beware, it is in fact malware!

The mails have this text in their body:

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly.Microsoft has been advised by your Internetprovider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,

Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

The subject of the mails is “Conflicker.B Infection Alert”. Don’t open the attachment of this email; just delete the email altogether. Users of Avira solutions are protected: the attached file is detected generically as TR/Crypt.ZPACK.Gen – without needing an update.

Dirk Knop
Technical Editor


Safari fixes and SMB vulnerability (Update)

Apple just released version 4.0.4 of its web browser Safari – both for Mac OS X and for Windows. Previous versions have some serious security vulnerabilities which can lead, for example, to remote code execution, crashes or information disclosure. More details can be found in Apple’s security advisory.

Just after the November patchday this week, new reports popped up about an issue with Microsoft’s SMB implementation in Windows 7 and Windows Server 2008. Rob VandenBrink of the Internet Storm Center took the publicly available exploit code, fixed a line of code – et voilà, a machine with Windows 7 or Server 2008 connecting to this faked server instantly freezes. There are no reports yet about Microsoft investigating this issue.

Update: Microsoft released a security advisory this weekend in which the company explains that it is investigating the reports and preparing a patch.

Dirk Knop
Technical Editor

Social engineering and the redefinition of spam

Let’s start off with the definition of spam according to Wikipedia:

E-mail spam, also known as junk e-mail, is a subset of spam that involves nearly identical messages sent to numerous recipients by e-mail. A common synonym for spam is unsolicited bulk e-mail (UBE). Definitions of spam usually include the aspects that email is unsolicited and sent in bulk.

The keywords here are “identical messages” and “unsolicited bulk email”. What if you manage to make it look like the users requested the spam, by subscribing their email addresses to a mailing list and automatically approving their membership?

Usually, when someone subscribes to a list, an email is sent to the subscriber asking him/her to validate the submission of the email address to the list. Skip this step somehow and you have the perfect form of spamming.
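The validation step just described is what a list operator relies on to make "unsolicited" impossible: nothing is subscribed until a token that was mailed to the address comes back. The Python below is an added example (not ning.com's or any list software's code) of that double opt-in step with an HMAC-signed, time-limited token, plus a delivery function that refuses anyone who is not a confirmed member. The server key, list name and addresses are constructed for the demo.

```python
"""Added example (not ning.com's code): the confirmation step the post says a
mailing list normally performs.  Submitting an address subscribes nothing; the
address is only added once a signed, time-limited token that was mailed to it
comes back.  The HMAC key, list name and addresses are constructed for the demo."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

SERVER_KEY = secrets.token_bytes(32)   # assumption: kept server-side, never mailed
TOKEN_TTL = 24 * 3600                  # seconds a confirmation link stays valid


@dataclass
class MailingList:
    name: str
    members: set = field(default_factory=set)
    outbox: list = field(default_factory=list)   # constructed stand-in for an SMTP queue


def _signature(list_name: str, address: str, expires: int) -> str:
    """HMAC over list, address and expiry, so a token is bound to all three."""
    msg = f"{list_name}\n{address}\n{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def request_subscription(ml: MailingList, address: str, now=None) -> str:
    """Step 1: anyone may submit an address; only a confirmation mail is sent."""
    now = int(time.time() if now is None else now)
    expires = now + TOKEN_TTL
    token = f"{expires}.{_signature(ml.name, address, expires)}"
    ml.outbox.append((address, f"Confirm your subscription to {ml.name}: token={token}"))
    return token


def confirm_subscription(ml: MailingList, address: str, token: str, now=None) -> bool:
    """Step 2: the token only reaches whoever reads the mailbox, so a valid
    token proves consent.  Expired, forged or re-addressed tokens are rejected."""
    now = int(time.time() if now is None else now)
    try:
        expires_text, sig = token.split(".", 1)
        expires = int(expires_text)
    except ValueError:
        return False
    if now > expires:
        return False
    if not hmac.compare_digest(sig, _signature(ml.name, address, expires)):
        return False
    ml.members.add(address)
    return True


def deliver(ml: MailingList, address: str, body: str) -> bool:
    """List traffic goes to confirmed members only."""
    if address not in ml.members:
        return False
    ml.outbox.append((address, body))
    return True


if __name__ == "__main__":
    ml = MailingList("demo-list")
    tok = request_subscription(ml, "trap@example.com")
    print("delivered before confirmation:", deliver(ml, "trap@example.com", "hello"))
    print("confirmed:", confirm_subscription(ml, "trap@example.com", tok))
    print("delivered after confirmation:", deliver(ml, "trap@example.com", "hello"))
```

Because the address is part of the signed message, a token mailed to one address cannot be replayed to confirm another, and because the expiry is signed too, it cannot be extended. A service that creates the membership on submission and only later offers "Forgot password" has removed exactly this proof of consent.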

[Screenshot: 01-membership]

Send them an email like this one and you might be surprised to see how many are curious enough to check what the membership means. If the user clicks the link, he is prompted to log in or register in order to see what this is all about.

But – why register? The address is already registered. The user only has to click on “Forgot password” to receive the password.

[Screenshot: 02-signup]

If the number of users who recover the password is not big enough, then make them even more curious by sending them a message:

[Screenshot: 03-comment2]

If still not enough curious people have recovered their password, send them a password reset notification. They are registered, after all!

[Screenshot: 04-passreset]

If this still doesn’t work, then just keep spamming them every day until they get their password and try to cancel the membership.

This method of creating a list on a reputable social networking server like ning.com is not new. All renowned sites get abused to send spam: LinkedIn, Orkut, Twitter, live.com, and so on. This technique is very effective: the email is 100% valid and cannot simply be marked as spam, because the server has a good reputation.

The From field is not a real person but an automated bot running on the server (mail@<list>.ning.com). In order to subscribe to a list hosted on ning.com, one needs an account registered at ning.com. This means that our spam trap was automatically subscribed to ning.com without having to confirm the account. There is, of course, the possibility that the account was hacked and somebody actually confirmed the subscription in our account. But this is very unlikely.

In order to check this, I actually retrieved the password from ning.com and set a new one.

[Screenshot: 05-leave]

Immediately after this, I tried to leave the group to which the account was automatically subscribed. It wasn’t possible, though. Of course, I will try again in the next few days. If it still doesn’t work, I will contact ning.com to see what’s going on. So this article ends with “to be continued…”.

Sorin Mustaca
Manager International Software Development

Microsoft fixes several critical flaws

The Redmond company released 6 security bulletins with corresponding patch sets for this November Black Tuesday. These patches close security holes mainly in Microsoft Office and in the Windows kernel which allow, for example, drive-by downloads, privilege escalation and remote code injection and execution.

Affected are all Microsoft operating systems (including Server 2008 core installations) and nearly all Office versions – as well as the Office viewers. Installing the updates quickly is recommended, as according to Microsoft’s threat matrix it is very likely that exploits for these vulnerabilities will appear on the Internet very soon.

Dirk Knop
Technical Editor

November Patchday: Apple starts first

Just a few hours before Microsoft releases updates for its software, Apple released version 10.6.2 of Mac OS X and Security Update 2009-006, respectively. This update fixes numerous security issues within the Mac operating system.

You can download the update from Apple’s web site or just use the updater of Mac OS X. As some of the vulnerabilities allow remote code injection and execution, the update is recommended.

Apple platforms will soon be targeted with more energy by cyber criminals: just recently, for example, hackers attacked jailbroken Apple iPhones – they broke into the phones through the standard password of the SSH installation. So at least change the default passwords if you jailbroke your phone.

Dirk Knop
Technical Editor

Further critical Updates

Already last week, Opera released version 10.01 of its web browser. It closes some security holes; at least one of them can lead to code injection (for example, to infect the computer with a Trojan). Users are advised to install the new version quickly.

Meanwhile, the Mozilla Foundation has updated Firefox to version 3.5.5. The developers only mention stability fixes; this release doesn’t seem to fix security issues. Anyhow, it is a good idea to install the update.

There was another security update for Sun Java. Version 6 Update 17 fixes a lot of security vulnerabilities. Those flaws may lead to remote code execution, thus updating immediately is recommended.

What else? Adobe has released Shockwave Player 11.5.1.602, which also closes security holes in the software that allow remote malware injection. Users of the Shockwave Player (which is different from Adobe Flash Player) should also update their software immediately.

Today Google also released an update for its Chrome browser. It fixes 2 security problems which put users at risk.

Dirk Knop
Technical Editor

Microsoft plans 6 security bulletins

For the upcoming Patch Tuesday next week, Microsoft plans to release 6 security bulletins. 3 of them handle security issues rated critical; the other 3 are rated important.

Affected are Windows Operating Systems starting from Windows 2000 up to Windows Server 2008. The “important” fixes are for Microsoft Office (also for Mac) and the Office Viewers.

Prepare to install the patches as soon as possible, as exploits for these security vulnerabilities are usually released very soon after Microsoft ships the patches.

Dirk Knop
Technical Editor

The spam trend continues: more and more malware

In October we saw a lot of spam carrying malware, and given the speed with which the emails and the malware were detected, we all thought that it would stop soon.

Looking at the first 3 days of November, we have observed that the trend didn’t actually change. We did notice changes in the social engineering techniques used to advertise the various malware, though.

We have the good old tricks:

- the notification “Attachment: no virus found” (detected as TR/Netsky.HB),
  [Screenshot: 01-antivirus]

- “promised photos” from the last holidays (detected as TR/Crypt.ZPACK.Gen),
  [Screenshot: 02-photos]

- the boss sending a letter (detected as BDS/Small.ZO Backdoor server),
  [Screenshot: 03-boss]

- an undelivered DHL package (detected as TR/Crypt.ZPACK.Gen),
  [Screenshot: 04-dhl]

- and of course the Facebook password change request (current versions detected as BDS/Small.ZO Backdoor server).
  [Screenshot: 05-facebook]

Apart from these malware emails, which make up more than 60% of the spam we received so far, the trend is constant: spam mails concerning online casinos, online pharmacies and various replicas clog up the inboxes.

If the trend from last year repeats this year, then we should soon start to see a lot more spam spreading malware and phishing. Last year’s November was pretty busy, but we recorded a very relaxed December.

All the above mails are detected by our Antispam engine as spam and by the Antivirus engine as already described. Avira users are thus well protected.

Sorin Mustaca
Manager International Software Development