Posts tagged ‘Comment’

Climbing and Falling

Last Friday and Saturday, many people from Avira’s technical department left their offices to take part in a team event in the Black Forest.

We used our creativity, we pushed our senses to the maximum and, last but not least, our muscles (yes, we do have such things).

Fig. 1: Ready at 3...!

Fig. 2: ...3!

Despite the bad weather – it was cold and raining most of the time – we had a lot of fun!

Sorin Mustaca
Manager International Software Development

Full Throttle

The developers of Avira are always busy programming new features and detection routines. So sometimes it’s necessary to take a deep breath and clear the head for new ideas.

Fig. 1: Engine team is getting prepared for full throttle...

So our engine developers recently went on a trip and had some fun on quads. The countryside around Amtzell – a place where people usually go on vacation – is beautiful: small roads, nice forests, small hills – perfect terrain for vehicles like quads. Everybody enjoyed the trip – if you ever have the chance to drive a quad, you should try it!

Dirk Knop
Technical Editor

Hacker gets offer from Microsoft

According to the media, the Austrian hacker Peter Kleissner got an offer from Microsoft. This wouldn’t be newsworthy if Kleissner hadn’t programmed and offered for sale a so-called bootkit – a rootkit that hides in the Master Boot Record of a hard disk, gets loaded before the operating system kernel and can therefore hide very well within the running OS. Because it runs that early, a bootkit is in general also able to bypass full-disk encryption, for example TrueCrypt: the encryption software only takes control after the bootkit has already run.
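As an added example (not from the original post, and not code from any of the bootkits mentioned), here is a minimal integrity check a practitioner can run against the MBR such a bootkit lives in: read sector 0, verify the 0x55AA signature, and compare a SHA-256 of the 446-byte boot-code area against a hash recorded while the system was known to be clean. The sample sectors, the baseline hash and the `read_mbr` device path are constructed for the demo.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: the code the BIOS jumps into, and what a bootkit overwrites
PARTITION_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3xB3xII"       # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, the four partition entries and the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions,
            "signature": sector[510:512]}


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Compare an MBR against a known-good boot-code hash. Returns findings; [] means clean."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr["boot_code"]).hexdigest()
    if digest != baseline_boot_code_sha256:
        findings.append(f"boot code changed (sha256 {digest[:16]}...)")
    active = [p for p in mbr["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code, one active NTFS partition at LBA 2048, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFF, 0x80, 0x07, 2048, 409600)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-in for clean boot code: the usual "xor ax,ax / mov ss,ax / mov sp,7C00h" prologue plus padding.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()  # record this while the system is known clean

# Simulated infection: the boot code now starts with a jump into a loader stub while the partition
# table is untouched, which is exactly why hashing only the partition table would miss it.
INFECTED_MBR = build_sample_mbr(b"\xeb\x3e" + b"\x00" * 60 + CLEAN_BOOT_CODE)


def read_mbr(device_path: str) -> bytes:
    r"""Read sector 0 from a raw device, e.g. /dev/sda or \\.\PhysicalDrive0 (needs administrator rights)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
```

One caveat worth keeping in mind: a bootkit that hooks the BIOS disk interrupt can hand the original sector back to any read issued from the infected system, so run this comparison from a clean boot medium rather than from the running OS.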

Kleissner “wrote” this software after analyzing the Sinowal bootkit. His publicly available code shows many similarities with Sinowal – our detection routines for Sinowal are triggered by it as well. No wonder: it seems he simply disassembled Sinowal and modified the source a little so that the Vista/Win7 boot chain works again (see Kleissner’s comment in RSA’s Sinowal analysis, near the bottom of the page).

So Kleissner seems to have built his “breakthrough” code on already existing malware, the work of the very people trying to invade your systems and steal your data. Sadly, his skills in self-marketing seem to exceed those in self-reflection, ethics and his sense of responsibility.

Unfortunately, he was working for an antivirus company while doing all this. His former employer reacted promptly after being informed and dismissed him. You have to be able to trust someone who hunts malware not to produce it – especially if you are offering security products. Security is very much about whom to trust.

Now Microsoft obviously thinks it is a good idea to work with people who have proven to work on the bad side of security. This isn’t going to raise my trust in Microsoft and the products of the Redmond company. Quite the contrary: it is destroying the trust they earned over the last few years, in which they introduced the Security Development Lifecycle, showed increased attention to security problems and risks, and also entered the antivirus market.

Security companies – and Microsoft is one, too – should really think about their actions and the consequences those actions have on users’ trust. A company that can no longer be trusted because of its actions has no chance left in the security market.

Dirk Knop
Technical Editor

CentMail: Yahoo’s “new” idea to stop spam

First of all, the idea is not new at all. Bill Gates talked in 2004 about a method of paying a very small fee for each email sent, but the idea proved unrealistic. Yahoo’s CentMail does nothing more than revive this idea in a new form: each sender pays $5 for 500 virtual stamps and the money goes to a charity of the user’s choice (a preselected list of charities will be made available). Each email sent carries a unique virtual stamp plus a signature promoting the service. CentMail guarantees that the stamps can be neither faked nor reused, effectively trying to destroy the spammers’ business model by making sending email too expensive for them.
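The post doesn’t describe how CentMail’s stamps are built, so the following is an added example of one way to get the “neither faked nor reused” property – not CentMail’s implementation: each stamp is a serial number bound to the buyer and authenticated with an HMAC under the issuer’s key, and the verifier records every redeemed serial. The key, the sender addresses and the whitelist entry are constructed for the demo.

```python
import hashlib
import hmac

SEP = "|"  # stamps are "sender|serial|tag"; e-mail addresses never contain '|'


def stamp_tag(key: bytes, sender: str, serial: int) -> str:
    """HMAC over (sender, serial): only someone holding the issuer key can produce it."""
    msg = f"{sender}{SEP}{serial}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


class StampIssuer:
    """Sells numbered stamps bound to the buyer (the real service would charge here)."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_serial = 1

    def sell(self, sender: str, count: int) -> list:
        stamps = []
        for _ in range(count):
            serial = self.next_serial
            self.next_serial += 1
            stamps.append(f"{sender}{SEP}{serial}{SEP}{stamp_tag(self.key, sender, serial)}")
        return stamps


class StampVerifier:
    """Run on the receiving side; shares the issuer key and remembers every redeemed serial."""

    def __init__(self, key: bytes, whitelist=()):
        self.key = key
        self.redeemed = set()
        self.whitelist = set(whitelist)   # senders exempted from paying, as the FAQ proposes

    def accept(self, sender: str, stamp):
        """Return (accepted, reason). A stamp is redeemed on first acceptance and cannot be used again."""
        if sender in self.whitelist:
            return True, "whitelisted sender"
        if not stamp:
            return False, "no stamp"
        parts = stamp.split(SEP)
        if len(parts) != 3 or not parts[1].isdigit():
            return False, "malformed stamp"
        owner, serial, tag = parts[0], int(parts[1]), parts[2]
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(tag, stamp_tag(self.key, owner, serial)):
            return False, "forged stamp"
        if owner != sender:
            return False, "stamp belongs to another sender"
        if serial in self.redeemed:
            return False, "stamp already used"
        self.redeemed.add(serial)
        return True, "valid stamp"


KEY = b"constructed-demo-key-do-not-reuse"   # constructed; a real issuer keeps this secret

if __name__ == "__main__":
    issuer = StampIssuer(KEY)
    verifier = StampVerifier(KEY, whitelist={"notify@example.org"})
    stamps = issuer.sell("alice@example.com", 2)
    print(verifier.accept("alice@example.com", stamps[0]))   # valid stamp
    print(verifier.accept("alice@example.com", stamps[0]))   # stamp already used
    print(verifier.accept("mallory@example.com", stamps[1]))  # stamp belongs to another sender
    print(verifier.accept("spammer@example.net", None))       # no stamp
```

The whitelist branch shows where the scheme leaks: `accept()` takes the sender address at face value, so a spammer who claims to be the whitelisted notification service pays nothing. Exempting senders only works if their identity is authenticated by some other means.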

So one may ask: where is the catch? Will this idea really be the end of spam?
Of course not.

CentMail and Yahoo acknowledge this in their FAQ by providing answers to many legitimate questions. This is just a charitable twist on the old idea of email postage stamps, which is simply not realistic because it relies on everybody paying. Of course this is not going to happen, so the approach fails from the start.

CentMail says that the sender only pays if the email is actually received and read by the intended recipient.

What will happen to the mass mailings sent by commercial organizations? Will they agree to pay millions of dollars per year just because they send commercial email? Or will an email notification service or a mailing list agree to pay for every notification it sends you? Of course not. The solution to this problem is to whitelist this category of senders (as CentMail suggests in its FAQ).

This means that the same rules do not apply to all email senders. The argument for this is that people and organizations already donate a lot of money to charity every year, with CentMail being just an intermediary for this money.

In conclusion, I have to admit that from time to time it is nice to see an idea that wants to turn the world upside down in order to do good. I like the idea, but I do not think that any user would ever pay for something that has been free from the beginning – and sending email is free!

Sorin Mustaca
Manager International Software Development

Potential Threat through Opera Unite, Part II

The comment about a possible security threat due to a web server in the web browser got picked up by Opera and the media. Opera’s CEO, Jon von Tetzchner, doesn’t see any security risks implied by such a feature: it would be safe because it wouldn’t be worth attacking millions of computers, and the individual computers wouldn’t be interesting because there isn’t much data lying around in a central place.

In order to explain where the security risks lie when many computers are registered in a central place, we have to describe the architecture of Opera Unite. Opera Unite implements the concept of a peer-to-peer (P2P) network differently from what has been done so far.

P2P networks come in two flavors: with a central server where the shared resources are registered, also called a centralized P2P network (e.g. BitTorrent, eMule), and without a central server for resource sharing, also called a decentralized P2P network (e.g. Gnutella). Opera Unite implements a bit of both: there is a central place where the computers are registered in order to get their Opera Unite name (http://sharename.myuser.operaunite.com/file_sharing/), but it doesn’t store the identifiers of the shared resources (something like http://sharename.myuser.operaunite.com/file_sharing/admin/malware.exe).

We can see a couple of potential attack vectors here:

1. The Opera Unite central server(s)
These contain the index of all computers running the Opera Unite software. Once such a server is compromised, all registered names are available and the attacker can reach the users’ files. More information about the service’s architecture is presented here.

2. The Opera Unite services running on the user’s computer
Once the software is compromised, we can only assume the worst: the attacker can install programs and download and upload files on the user’s computer. A service is nothing other than an Opera Widget written in JavaScript.

3. An attacker uses the Opera Unite SDK to build a malicious service
If a malicious user creates a service and shares it (on http://unite.opera.com/), he is able to build a network of remotely controlled computers – what software security specialists usually call a botnet.

Yes, there is an “Approval of Opera Unite Services” process described on dev.opera.com where, among other things, the following is checked: “The service must not contain malicious or destructive code”.

But how do you define malicious? Is downloading and executing a file malicious? It depends on the file. Is connecting to an SMTP server and sending emails malicious? It depends on what you are sending and on how many emails you send. Many more scenarios can be imagined.

We see attacks on millions of PCs on a daily basis, whether from the web via drive-by downloads, via email, or directly at the network level against vulnerable services. And of course every single computer counts: a typical botnet consists of thousands of infected, remotely controlled PCs.

What is new about this potential threat is the direction an attack would come from. Today, a user has to visit a hacked web site or start the malware themselves after a successful social engineering attack. With a server built into the browser, attackers can actively scan for victims and push their malware onto vulnerable computers. The other attacks still work as well.

But as Jon von Tetzchner also mentions, Opera takes security concerns seriously, and we don’t doubt that. They will make sure to ship a well-tested, secure product. In any case, now that the service is public, everybody in the security industry will keep an eye on it. We have already started.

Dirk Knop
Technical Editor

Sorin Mustaca
Manager International Software Development

Malware threats in the first half of 2009

As we predicted the upcoming threats for 2009 at the end of last year, we have now checked whether our guesses were correct. Unfortunately, they were.

We predicted that the use of polymorphic file infectors would increase again. It did: W32/Virut, W32/Sality and W32/Almanahe are celebrating a comeback. Their authors are spreading new variants of their polymorphic engines. Even older versions of these viruses are still widespread, but W32/Virut receives the most updates – several dozen in the first six months of the year. The good news is that our detection routines withstand these evasion attempts.

Spreading malware via manipulated PDF documents is still one of the top threats on the Internet. In recent months the number of PDFs exploiting vulnerabilities in PDF readers has increased significantly – in the first half of 2009 we received several thousand samples. Every week malware authors release around ten newly obfuscated exploits, each of which is then used in plenty of PDF files. We release detection updates for newly modified PDF exploits whenever necessary. Users should keep their PDF readers up to date anyway, as this mitigates most of these threats.

Web-borne malware keeps growing as an infection vector. Malware is increasingly installed via drive-by downloads: attackers break into web servers hosting legitimate content and add references to their malware servers, which then install, for example, trojans and/or bots on vulnerable computers. There seem to be plenty of construction toolkits out there with which anyone can produce malicious JavaScript with a mouse click: features like encryption, heap spraying and shellcode appear more modular and recur across parts of the malicious web pages we analyzed.
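To make the “modular and recurring” observation concrete, here is an added example (not Avira’s WebGuard logic) of a small weighted heuristic that scores JavaScript for the heap-spray building blocks named above: `%u`-encoded shellcode handed to `unescape`, NOP-sled values, string doubling to fill memory, a large spray loop and `eval` over decoded data. Both input scripts are constructed for the demo; the rule weights and threshold are arbitrary choices.

```python
import re

# Weighted signals typical of toolkit-generated drive-by pages. Constructed heuristic for illustration.
RULES = [
    # unescape("%u9090%u9090...") with at least eight %u-encoded words: shellcode being decoded
    ("unescape_shellcode", 3, re.compile(r"unescape\(\s*['\"](?:%u[0-9a-f]{4}){8,}", re.I)),
    # runs of classic sled values (0x90 NOP, 0x0c0c / 0x0d0d spray addresses)
    ("nop_sled", 3, re.compile(r"(?:%u9090|%u0c0c|%u0d0d){3,}", re.I)),
    # s += s; doubles a string until it covers a large part of the heap
    ("string_doubling", 2, re.compile(r"\b(\w+)\s*\+=\s*\1\s*;")),
    # for (...; i < 500 / 0x1000 ...) loops that allocate many spray blocks
    ("large_spray_loop", 2, re.compile(r"for\s*\([^;]*;\s*\w+\s*<\s*(?:0x[0-9a-f]+|\d{3,})", re.I)),
    # eval over data that was decoded at runtime
    ("eval_of_decoded", 2, re.compile(r"\beval\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(", re.I)),
    # String.fromCharCode with a long list of numeric arguments
    ("bulk_fromcharcode", 2, re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.I)),
]
THRESHOLD = 5


def score_script(js: str):
    """Return (score, names of rules that fired) for one script."""
    hits = [name for name, _w, rx in RULES if rx.search(js)]
    score = sum(w for name, w, _rx in RULES if name in hits)
    return score, hits


def is_suspicious(js: str, threshold: int = THRESHOLD) -> bool:
    return score_script(js)[0] >= threshold


# Constructed sample resembling toolkit output: decode shellcode, grow a sled, spray 500 blocks, eval decoded data.
MALICIOUS_JS = r'''
var sc = unescape("%u9090%u9090%u9090%u9090%uc033%u8ee0%ud08e%u7c00%u4831%ue8c0");
var nop = unescape("%u0c0c%u0c0c");
while (nop.length < 0x100000) nop += nop;
var heap = new Array();
for (var i = 0; i < 500; i++) { heap[i] = nop + sc; }
eval(unescape("%64%6f%63%75%6d%65%6e%74"));
'''

# Constructed benign script with a loop and string concatenation, to show the rules do not fire on ordinary code.
BENIGN_JS = r'''
function greet(name) { return "Hello, " + name; }
for (var i = 0; i < 10; i++) { console.log(greet("user" + i)); }
var s = "abc"; s += "def";
'''

if __name__ == "__main__":
    for label, js in (("malicious", MALICIOUS_JS), ("benign", BENIGN_JS)):
        score, hits = score_script(js)
        print(f"{label}: score={score} suspicious={is_suspicious(js)} hits={hits}")
```

Real pages are obfuscated precisely to break patterns like these (split strings, renamed functions, data decoded only at runtime), which is why a scanner needs to run or emulate the script rather than rely on regular expressions alone.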

Using an up-to-date antivirus product helps protect against these threats. The WebGuard in our premium products additionally counters web-borne malware distribution very efficiently.

Dirk Knop
Technical Editor

Opera Unite – Everybody is becoming a Web server

Browser developer Opera today introduced a new feature of its upcoming browser generation 10, code-named Opera Unite. Basically, Opera has added a web server to the browser and offers a dynamic DNS service along with it, so everyone can serve content on the Internet from their own computer – and thanks to the dynamic DNS service under a fixed name like http://<mycomputer1>.<myusername>.operaunite.com/.

This sounds great, and many people would like such a feature. Still, I got scared reading the news about it. Imagine other browser developers like Mozilla, Apple or Microsoft adding such a feature, too! Everybody would be able to share documents publicly – and executable programs. But who makes sure those aren’t infected, or trojans themselves?

Plenty of malware spreads, for example, via the shared folders of file sharing programs; there is no reason it would not use a web server that is accessible to everyone with a web browser, not just to users of a file sharing program. The spreading mechanism can be very simple: users receive an email or instant message with a (proper-looking) link to the malware, or such a link is placed on another web site.

One indicator for anti-malware programs is a suspicious bare IP address as the host serving an executable. Now the file can be served under a fully qualified domain name, which defeats this indicator (http://a.b.operaunite.com/malware.exe looks less suspicious than http://143.145.23.45/malware.exe, even to the human eye). Before such a feature existed in the browser/server combination, attackers needed something like fast-flux DNS to attach a domain name to infected computers. Additionally, a malware author no longer needs to code their own web server – just reconfigure the browser!

The idea of adding a web server to the browser sounds nice. But it has to be done correctly. Otherwise we might face a new dimension of drive-by downloads (or uploads) and hacked “servers” in the near future.

Dirk Knop
Technical Editor

Reporting abuse is often too complicated

As we monitor the web for malware, spam and phishing, we often have to report “bad” URLs to the providers. We found some spam and phishing sites hosted on Microsoft’s live.com service; among other things, Microsoft offers blog hosting there.

When we tried to report the abuse, it turned out to be close to impossible. See for yourself:

To report abuse, you have to fill out an online form.

Microsoft needs to know which site we want to report. Oh, and there is a CAPTCHA to solve, to tell us apart from spam bots.

Of course they need to know what is offensive – images, the messages...

...and we’re still not done yet. Now we need to classify which kind of abuse we detected.

Finally! We can send the report. We also get a ticket number from support.

That is quite an ordeal just to report spammers and phishers. Surely not many people are willing to go through such a long form. On top of that, we reported a spammer’s site this way two weeks ago, and to this day we have not received an answer.

This example shows that companies tend to make abuse reports really complicated. It could be as easy as adding a permanent “Report Abuse” link to each live.com site, just like the usual “Contact” links.

Dirk Knop
Technical Editor

Sorin Mustaca
Manager International Software Development

Free Antivirus Solutions

In a “fake interview”, Symantec’s Stefan Wesche (original article) took a shot at free antivirus solutions like Avira’s AntiVir Personal – FREE Antivirus. Symantec claims that a functionally reduced free version doesn’t offer enough protection, especially compared to products you have to spend plenty of money on. We see this differently, of course. In our opinion, Avira AntiVir Personal – FREE Antivirus is a second protection layer around companies: malware no longer makes its way into the company network on USB sticks, digital cameras or MP3 players, for example.

In the interview Wesche states that users need to be protected by a worldwide network of researchers and specialists as well as plenty of sensors (like honeypots) that monitor the moves of the criminal scene on the Internet – just what Avira has. He concedes that a free antivirus solution offers basic protection. We claim nothing more and nothing less. Of course, users need to pay for special features and more comfort, but Avira helps make the Internet a safer place by keeping the PCs of over 50 million Avira AntiVir Personal users from getting infected with the malware out there.

Symantec doesn’t offer anything like this, and of course not for free either. They try to discredit our honest efforts and to push people into buying their products.

If you look at the recent tests in major PC magazines, you’ll find that Avira’s detection performance is several percentage points better than that of other companies’ products (see for example the signature-based detection of millions of samples in the recent PC-Welt test); we’re always very close to 100 percent, usually over 99 percent. Our reaction time to new threats is also great. Avira has no noticeable performance impact while offering such good detection rates. Just ask your friends who use Symantec about their computer’s performance.

This publicity stunt by Symantec wasn’t their best idea. Nearly everyone saw through it.

Dirk Knop
Technical Editor