Already last week Opera released version 10.01 of its Web Browser. It closes some security holes. At least one of them can lead to code injection (for example to infect the computer with a Trojan). Users are advised to install the new version fast.

Meanwhile, the Mozilla Foundation has updated Firefox to version 3.5.5. The developers only mention stability fixes, this release doesn’t seem to fix security issues. Anyhow it is a good idea to install the update.

There was another security Update for Sun Java. Version 6 Update 17 fixes a lot of security vulnerabilities. Those flaws may lead to remote code execution, thus updating immediately is recommended.

What else? Adobe has released Shockwave Player 11.5.1.602 which also closes security holes in the software which allow for remote malware injection. Users of the Shockwave Player (which is different from Adobe Flash Player) should also update their software immediately.

Today also Google released an update for its Chrome browser. It fixes 2 security problems which put users at risk.

Dirk Knop
Technical Editor

For the upcoming Patch Tuesday next week, Microsoft plans to release 6 security bulletins. 3 of them handle critical rated security issues, the other 3 are rated important.

Affected are Windows Operating Systems starting from Windows 2000 up to Windows Server 2008. The “important” fixes are for Microsoft Office (also for Mac) and the Office Viewers.

Prepare to install the patches as soon as possible as usually exploits for these security vulnerabilities are released very soon after Microsoft ships the patches.

Dirk Knop
Technical Editor

In October we’ve seen a lot of spam carrying malware and by the speed with which the emails and the malware were detected, we all thought that it will stop soon.

Having a look in the first 3 days of November we have observed that the trend didn’t actually change. We did notice changes in the social engineering techniques used to advertise the various malware, though.

We have the good old trick with the

- notification “Attachment: no virus found” (detected as TR/Netsky.HB) ,

- “promised photos” from the last holidays (detected as TR/Crypt.ZPACK.Gen),

- boss sending a letter (detected as BDS/Small.ZO Backdoor server),

- undelivered DHL Package (detected as TR/Crypt.ZPACK.Gen),

- and of course the Facebook password change request (current versions detected as BDS/Small.ZO Backdoor server).

Except these malware emails which make up more than 60% of the spam we received so far, the trend is constant: Spam mails concerning online casinos, online pharmacies and various replicas clog up the inboxes.

If the trend from last year is going to be repeated this year, then we should start to see a lot more spam spreading malware and phishing soon. Last years November was pretty busy but we’ve recorded a very relaxed December.

All the above mails are being detected by our Antispam engine as Spam and by the Antivirus engine as already described. Avira users thus are well protected.

Sorin Mustaca
Manager International Software Development

Microsoft released another update for the Internet Explorer. It is supposed to fix some flaws that may occur after installing the cumulative update from the last Patchday, MS09-054. In a knowledgebase article Microsoft explains the issues that may arise:

- The offsetTop calculation for elements that are contained as children of scrolled elements may be reported incorrectly in Windows Internet Explorer 8

- You receive a VBScript “Type Mismatch” script error message in Internet Explorer after you install cumulative security update 974455

Fig. 1: The automatic windows update offers a new update for the Internet Explorer.

Though the Update is not critical, some users may experience the described problems with the last security update. Thus users should install the offered patch – which requires a reboot of the computer.

Dirk Knop
Technical Editor

The Mozilla Foundation just released Firefox 3.5.4 – the new version closes 11 security holes of which 6 are considered critical from the Mozilla developers. Those vulnerabilities can be abused by cybercriminals to inject malicious code like a Trojan into the computer. The release also fixes a few non-security related issues.

Some of the bugs also affect earlier versions of the Mozilla browsers and get fixed within Firefox 3.0.15 (though it is recommended to update to Firefox 3.5) and in SeaMonkey 2.0. Thunderbird doesn’t get mentioned in the security advisories.

As some of the vulnerabilities are quite serious security issues, users should update the software as soon as possible. The easiest way is to go to the “Help” menu and choose “Check for Updates”.

Dirk Knop
Technical Editor

Email malware is really getting trendy again. Now the malware authors use another social engineering scam: The spam mails claim that the password for the Facebook account has been reset. For getting the new password, the recipient of the spam is urged to open the attached ZIP file, which in turn contains the malicious .exe file.

Fig. 1: This fake email is trying to make the recipient execute the attached malware.

Such emails have been successful already a few years ago. I thought we wouldn’t see them again as the people should already know not to execute attachments from emails they didn’t request. Anyhow, the recent spam waves teach us something else.

So please, remember the drill: In case that someone sends an email with an attachment, make sure that the sender is real and that he/she really wanted to send you that file. Else it is most likely malware. In any case keep your antivirus software up to date so it can detect new malware.

Avira products detect the attached malware from that spam wave as TR/Dldr.Bredolab.AX with the vdf update to version 7.01.06.155.

Dirk Knop
Technical Editor

A new Koobface variant is currently spreading in the wild. New variants are not unexpected, but these have an unusual feature: Once the malware is installed on the computer, it locks the windows desktop every so often and forces the user to solve a Captcha – the user has 3 minutes to solve it, else the malware threatens to shut down the computer. It doesn’t actually shut it down though, the message window just stays on the desktop and locks it.

Fig. 1: The new Koobface variant forces the user to solve Captchas.

If the Captcha is entered correctly, the desktop is set free again – but the malware will open another pop up eventually. Avira detects the threat generically as TR/Downloader.Gen – it gets installed into the windows directory and then downloads the actual Koobface malware. Those files get detected as Worm/Koobface.cfm and Worm/Koobface.cci. This isn’t the end of the downloads yet – the Koobfaces download further components, which Avira warns of as TR/Dldr.Small.anlx and TR/PSW.LdPinch.102400D, respectively. Avira users thus are protected from this threat.

Viktor Gräber
Virus Researcher

After posting an article about Twitter Spam recently, some people started to follow my Twitter Feed. One of these users was an obvious spammer though which probably tried to distribute malware.

Unfortunately I was too slow in checking what the account was distributing. I can only guess that an account which is called Br.it.neyF***.Vids (drdtbwcxgaho) (some characters replaced with asterisks) might distribute links to some known fake codecs which are actually malware. Also the avatar of the account was specially chosen to attract the attention to those interested in such matters (this is why I masked it out).

Immediately after I clicked on the account, I’ve seen that Twitter already blocked it, taking my pleasure to report it as spam:

Nice to see that Twitter is not completely unaware of such things. By the way, this account was falling into the spammer-category according to my proposed template in my earlier article about Twitter Spam: Zero followers, following many , only a few tweets. Definitely a spammer!

Sorin Mustaca
Manager International Software Development

After last weeks outbreak of spam mails with malware with alleged settings for mail software (which still is ongoing, we still receive a lot of those mails) our analysts see a new bunch of emails which contain a trojan as attachment. These mails come with subjects like “Conflicker.B Infection Alert” and seem to stem from someone called “Microsoft Windows Agent”.

Fig. 1: The email claims to carry a Conficker removal tool.

The mail claims that the network where the PC is located is infected with Conficker.B and that the ISP has informed Microsoft about that. The attached tool allegedly offers a free system scan.

The attachment is a FakeAV solution though; also Microsoft would never send out an executable attachment without former consent via email. Do not execute the malware in the zip file from the mail! Avira detects it as TR/Vilsel.ior with the VDF 7.01.06.127.

Dirk Knop
Technical Editor

Our spam traps received a lot of spam emails during the last night which claim to lead to or to include a new settings file for Outlook Web Access (OWA). The mails seem to be sent by the technical staff of the domain and are made up quite well. Thus they are targeted for the organisation they are sent to.

Fig. 1: The spammed emails contain malware.

Different malware emails have been sent around: Some directly include the malware as attachment, others link to a web site where the malware can be downloaded (spear phishing). The Avira Risk Level indicates the phishing level 4 which acknowledges increased phishing activities.

Fig. 2: Another wave of emails is pointing to a fake web site.

While in the html email the malware link is shown as leading to the real domain, the link really points to an URL of the following form: http://EMAIL_DOMAIN.BADHOST.COM/owa/service_directory/settings.php?email=USER@EMAIL_DOMAIN&from=EMAIL_DOMAIN&fromname=USER . If the receiver of the mail is in a rush he might thus believe he is on the real OWA web site.

Fig. 3: The web site where the mail points too looks convincing, too.

While Avira Antispam detects the emails as spam and the URLs are being blacklisted, the virus lab released detections for the malware with a VDF update. The malware is detected as TR/Vilsel.iop and as TR/Spy.ZBot.9164.1, respectively, with the VDF file 7.01.06.111. The Vilsel trojan is yet another incarnation of the FakeAV plague while the ZBot is stealing information.

Anyway do not open these attachments or download the alleged setting files! They can lead to an infection of your system and put it under control of the malware authors!

Dirk Knop
Technical Editor

Sorin Mustaca
Manager International Software Development