Two of the results are getting realized today: First, we switch from our current virus definition files (called iVDF) to a new format called nVDF. iVDF consists of 4 VDF files, while nVDF uses at least 32 files – we need to transfer less data for updating our virus definitions effectively in the future.

This means that we need to deliver about 25 MByte to every Avira installation starting today for switching to the new update system. This might lead to some delays for some users, especially for the users of our free version Avira AntiVir Personal. Just to get an idea about what we’re talking here: More than 100.000.000 Users are trying to get the update more or less on the same day. That is more than 2.5 Petabytes (or 2,500 Terabytes) of traffic.

To ease the bandwidth bottleneck, we decided to additionally use a Content Delivery Network (CDN). We were first testing a CDN built up by our current Internet service provider. Shortly after activating the CDN, the redirectors – which redirect the update requests to servers close to the users location – were overloaded and couldn’t answer the requests anymore. The situation was solved a little later on, but the CDN isn’t big enough yet to spread this huge update in time. So we decided to switch to a global player in the CDN market to deliver the update.

We hope that the data is transfered much faster this way so also the users of free Avira AntiVir Personal can enjoy their security solution without any problems: After this Update the situation will get much better for the users of Avira AntiVir Personal.

N.B.: Users of commercial Avira products like Avira AntiVir Premium, Avira Premium Security Suite or Avira AntiVir Professional don’t face any of these problems as they access our servers with reserved bandwidth.

Dirk Knop
Technical Editor

You can download the Update from Apples web site or just use the updater of Mac OS X. As some of the vulnerabilities allow for remote code injection and execution, the Update is recommended.

The Apple platforms will soon be targeted with more energy by cyber criminals: Just recently hackers attacked for example Apples iPhones which are jailbreak’ed – they broke into the phone through the standard password for the SSH installation. So at least change the default passwords if you used jailbreak.

Dirk Knop
Technical Editor

Meanwhile, the Mozilla Foundation has updated Firefox to version 3.5.5. The developers only mention stability fixes, this release doesn’t seem to fix security issues. Anyhow it is a good idea to install the update.

There was another security Update for Sun Java. Version 6 Update 17 fixes a lot of security vulnerabilities. Those flaws may lead to remote code execution, thus updating immediately is recommended.

What else? Adobe has released Shockwave Player 11.5.1.602 which also closes security holes in the software which allow for remote malware injection. Users of the Shockwave Player (which is different from Adobe Flash Player) should also update their software immediately.

Today also Google released an update for its Chrome browser. It fixes 2 security problems which put users at risk.

Dirk Knop
Technical Editor

Now upon starting the assumed keygen, instead of providing the user with a serial number, it infects the system. It drops three files on the hard disk:
<%AllUsers Profile%>\Local Settings\Application Data\scvhost.exe
C:\Sys.exe
C:\autorun.inf

The dropped scvhost.exe also gets added to the autorun registry keys so it gets executed after every reboot. The autorun.inf and sys.exe aren’t only created on the system hard disk, but also on all removable drives. This seems to be the spreading mechanism of the worm.

If you take a closer look at the malware, one thing sure catches attention. At the end you find the strings “VaQxiNe-steam=1firefox=1cookies=1sandboxie=1zonealarm=1
wireshark=1anubis=1virtualpc=1keyscrambler=1startup=1usb=1task=1″. This hints that the Vaqxination toolkit got used. The construction kit has some features interesting for cybercriminals:

Fig. 2: The Malware Toolkit used to create the worm.

Further Features of the toolkit according to the advertisement of the Toolkit programmer:
- Vista UAC Bypass
- Run-as-admin Bypass
- Fully stealth
- “Legit” Windows Process
- Stronger output encryption
- Only 15 US-$ for the Toolkit.

That string seems to be the configuration that the malware creator used with the Malware Construction Kit. The features seem to work as described, for example the malware is undetectable by the Anubis sandbox system:

Fig. 1: The autorun-worm uses some anti-sandboxing tricks.

The Vaqxination Malware Construction Toolkit currently steals passwords from Firefox and Steam and also logs all keystrokes. Those log files get sent to the email account the creator has chosen before building the malware.

Avira detects the bogus key generator as Worm/Autorun.sxa with VDF version 7.01.06.18. For malware authors, keygens are a simple way to infect user PCs for a longer time already. If an antivirus solution warns from malware within such a keygen, this is nearly always a correct detection – the probability of a false positive detection is extremely low. Also the websites where such keygens usually are offered often try to infect PCs via drive-by-downloads. So be very careful when searching for software like this!

Dirk Knop
Technical Editor

Opera released the final version 10 of their Web browser. It fixes some security issues and has some new and improved features. They are listed in the changelog.

The OpenOffice.org developers released OpenOffice.org 3.1.1 (changelog). This version fixes a security flaw in the Word document processing which can lead to system compromise. Users of OpenOffice.org should download the new version and update immediatly.

Dirk Knop
Technical Editor

The text of the email is:

“Achtung – Wichtige Virenwarnung:

Nach Berichten des Bundesamts für Sicherheit in der Informationstechnik (BSI) ist derzeit ein besonders gefährlicher Virus/Trojaner im Umlauf.

Ihr PC ist ungeschützt und damit potentiell gefährdet. Bitte laden Sie unbedingt in Ihrem eigenen Interesse einen aktuellen Virenscanner herunter.

Die aktuellste Version erhalten Sie direkt hier:

http://www.<Abzock-Webseite>.info/

Mit freundlichen Grüßen

Ihr Virenwarndienst”

It says that the German government authority for IT Security has issued a warning because a dangerous Virus/Trojan is in the wild. It then advises all users to download a security solution (note: Avira AntiVir isn’t mentioned there) in order not to endanger their computer. Once following the link in the mail and trying to download the software, the unsuspecting users are forced to register:

Fig. 1: The fraudsters need the address data in order to send bills for downloading the free software.

Almost nobody reads the AGB (EULA) which specifies somewhere that you are signing a contract for two years, for 8 euro per Month.

The users who want to obtain the free version of Avira AntiVir, called Avira AntiVir Personal, can visit the website www.free-av.com and download the software for free.

Sorin Mustaca
Manager International Software Development

During the day, Adobe wants to release further patches for Adobe Reader and Acrobat. Also, a new version of the Shockwave-Player is already available. Please install the updated versions as soon as possible.

Let me thank all the hardworking administrators out there at this place, especially the Avira admins. They have to roll out all these updates today and already had a busy week due to Microsoft’s out-of-band updates from Tuesday. Don’t forget, it’s System Administrator Appreciation day!

Dirk Knop
Technical Editor

Prepare for those updates as they are really critical and necessary if Microsoft decides to do an out-of-band release. Install them ASAP when available.

Dirk Knop
Technical Editor

Avira antivirus solutions already detect the malicious PDF files as EXP/Pidief.TH and the dropped malware by those documents as TR/Drop.Wmach and TR/Spy.WMach, respectively. Anyhow it is a good idea to take additional security measures until Adobe provides an update.

Adobe recommends to delete or rename the file authplay.dll that ships with the Reader and with Acrobat. Also, enabling Data Execution Prevention (DEP) and activating the User Access Control (UAC) in Windows Vista shall mitigate the risk according to Adobe.

Another solution would be using a different PDF reader and disabling Adobe PDF and Flash within the web browser via its add-ons-manager. The NoScript extension for Firefox also helps preventing Flash applications to run in the browser; it is possible that drive-by-downloads via malicious Flash applications embedded in web sites turn up soon.

Dirk Knop
Technical Editor

Dirk Knop
Technical Editor