Is Government Malware unstoppable?


Tags :- Avira Tech Support | Avira Support NumberAvira Refund.

What is Regin?

According to Virus Bulletin, Regin is a multi-staged threat (like Stuxnet) built from modules (like Flame), a combination that makes it one of the most advanced threats detected so far. Research shows that Regin has been used in espionage campaigns for the last six years. This sophisticated backdoor Trojan affects Microsoft Windows NT, 2000, XP, Vista and 7; it can take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization.

Protection against government malware

In this context, we would like to remind our users that Avira is a founding member of "IT Security made in Germany" and we pride ourselves on providing our customers a guarantee of quality and reliability.

We thus committed ourselves, among other things, to:

  • Provide only IT security solutions to which no third party has access.
  • Offer products that do not transmit crypto keys, parts of keys or access credentials.
  • Eliminate vulnerabilities, or ways of bypassing access control systems, as quickly as possible once they are detected.

Additionally, we would like to clarify our standpoint on malware developed by governments. Whenever we discover a new piece of malware, we add detection for it for all of our customers, regardless of the source of the malware. This is the case for the recently discovered Regin as well: our antivirus products already detect all known Regin samples.

We strongly believe that no malware is unstoppable, not even government malware. Users need to make sure that they protect all of their digital devices with the latest technology, keeping their operating system, third-party applications and of course their antivirus software up to date.

Source :

Avira Tech Support : Blog

Bad Rabbit – the not so cute ransomware



Yesterday, Avira Labs recognized an attack by a new ransomware variant called Bad Rabbit. It is a typical file cryptor that makes all your personal files unreadable and forces you to pay a ransom to get them decrypted. It also overwrites the Master Boot Record (MBR) so that its ransom message is shown to the victim after the computer reboots.


This threat reaches the victim's computer as a drive-by attack. We identified the payload as being downloaded from h(tt)p://1dnscontrol(.)com/flash_install.php. It seems that for this attack the criminals did not go for an ordinary phishing attack (where the payload is usually attached) but more likely used a malicious advertising banner or a hacked website.

They did not choose phishing to spread the infection, but another well-known social engineering method to get onto the user's computer. The dropped file needs to be executed by the user with admin rights to work, so they probably decided that disguising it as a Flash Player installer was the best method. Recently we have quite often seen a type of malvertising (a combination of malware and advertising) where you supposedly need to install Flash Player before the banner can be shown. Many people click daily on a fake Flash Player icon thinking that it is a new update.

If the fake Flash Player is executed, it drops the malicious DLL as C:\Windows\infpub.dat. This is launched with rundll32 and in turn drops dispci.exe (the file decoder) and cscc.dat (a utility component) into the Windows folder (C:\Windows). In parallel, it tries to spread these files to other computers on the network by brute-forcing the administrative shares (\\computername\admin$) with a list of hardcoded credentials (e.g. sex, qwe123, qwe321, ...).

For the dropped files in the Windows folder, it creates three scheduled tasks.

It is interesting to notice how the cybercriminals name the scheduled tasks: "Drogon", "Rhaegal" and "Viserion" are dragons from the world-famous Game of Thrones series. And not only those: they also use the name of another character, "GrayWorm", as the product name of the exe file. It is not the first time that criminals mix popular culture icons with malware, as we have seen before with Mr. Robot, James Bond, Pokémon and more.

This ransomware also has some special techniques to avoid leaving traces behind after the infection. One interesting method is deleting the USN change journal:

fsutil.exe usn deletejournal /D c:

The USN journal is the NTFS record of which files on the volume were created, changed or deleted, which is exactly what an investigator would use to reconstruct what the encryptor touched and when. Once it is wiped, that record is gone for the victim and the investigator alike, and only the cybercriminals know what happened.
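The artefacts described above (the infpub.dat load via rundll32, the dragon-named scheduled tasks, the dropped files in the Windows folder and the USN journal wipe) are easy to hunt for in process-creation telemetry. The following Python is an added example, not Avira's code: it runs a handful of rules over constructed sample command lines modelled on the behaviour described here. The exact schtasks arguments in the samples are assumed for illustration, not taken from the sample.

```python
"""Added example (not Avira's code): triage process-creation records for the
Bad Rabbit host artefacts described above (dropped files, dragon-named
scheduled tasks, USN journal wipe)."""
from __future__ import annotations
import re

# Artefacts as the write-up names them.
DROPPED_FILES = ("infpub.dat", "dispci.exe", "cscc.dat")
TASK_NAMES = {"drogon", "rhaegal", "viserion"}


def triage_command_line(cmdline: str) -> list[str]:
    """Return the names of every Bad Rabbit indicator matched by one command line."""
    low = cmdline.lower()
    hits: list[str] = []
    # Stage one: rundll32 loading the dropped DLL under its .dat disguise.
    if "rundll32" in low and "infpub.dat" in low:
        hits.append("rundll32_infpub")
    # schtasks /Create with one of the Game of Thrones task names.
    m = re.search(r"schtasks.*?/create.*?/tn\s+\"?([^\s\"]+)", low)
    if m and m.group(1) in TASK_NAMES:
        hits.append("task_name:" + m.group(1))
    # Anti-forensics: wiping the NTFS change journal (rarely legitimate outside maintenance).
    if re.search(r"fsutil(?:\.exe)?\s+usn\s+deletejournal", low):
        hits.append("usn_journal_deleted")
    # Any of the dropped files referenced under the Windows folder.
    for name in DROPPED_FILES:
        if re.search(r"\\windows\\" + re.escape(name), low):
            hits.append("dropped_file:" + name)
    return hits


def triage_log(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> indicator names, for the lines that matched at least one rule."""
    result: dict[int, list[str]] = {}
    for i, line in enumerate(lines):
        hits = triage_command_line(line)
        if hits:
            result[i] = hits
    return result


# Constructed sample records (modelled on the behaviour described above, not real telemetry).
SAMPLE_LOG = [
    r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15",
    r'schtasks /Create /RU SYSTEM /SC ONCE /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1234 && exit"',
    r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:30:00',
    r"fsutil.exe usn deletejournal /D C:",
    r"C:\Windows\system32\notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for idx, hits in triage_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
```

Each rule on its own is weak (an admin may legitimately run fsutil), so the value is in the combination: a host that shows a rundll32 load of a .dat file, a schtasks creation and a USN wipe within minutes is worth isolating from the network before the scheduled reboot fires.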

The file decoder sheds light on what kinds of users the cybercriminals want to target, if you look at its list of file types.

It especially checks for virtual machine file types (e.g. vhdx, vmdk, vbox, ...). This means they are also targeting the corporate arena and not just the home user.

The file decoder also gives us an insight into what would happen on the victim's computer if the ransom were paid.

The user is told to disable their antivirus or anti-malware program and to click decryption.lnk on the desktop. After the files are decrypted, the file coder and the created task are deleted from the system. In any case, we recommend never following such instructions from cybercriminals.

The camouflaged file cscc.dat is originally a .sys driver from the open-source disk encryption tool DiskCryptor, which the ransomware uses.

Unlike many other file encryptors such as Locky, this one does not change the file extension. The extension remains the same, but a marker string containing "encrypted" is appended at the end of each file.

This time it looks like the criminals spent more time on the onion payment page. It even has a loading animation of the decryption.

But don’t worry, Avira is already protecting you against this ransomware.


Back in Black malware at your power company could put out the lights



Malware can do more than hold up your device for ransom; it just might flip off the electrical power for an entire city. New malware is targeting power grid infrastructure, say analysts, and this first attack is likely just a taste of what could come in the future.

The malware, called Industroyer or CrashOverride, came into view in late 2016 when it knocked about 700,000 homes off the grid for a few hours outside the Ukrainian city of Kiev. And that's the good news. The bad news is that this malware knows its way around the power grid, can send malicious commands to mission-critical equipment and, once configured and deployed, can be scaled out without direct hacker involvement.

There’s a SCADA in the lightswitch

This attack targeted several SCADA protocols used in Europe (the ESET analysis names IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA). SCADA, short for Supervisory Control and Data Acquisition, is the system of hardware and software controls behind almost every industrial process. Once activated, the CrashOverride malware cycles through a range of circuit-breaker addresses, trips them, then repeats the process.
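To make the "cycles through breaker addresses" behaviour concrete, here is an added example in Python (not Avira's code and not from any Industroyer analysis) that encodes and decodes IEC 60870-5-104 single and double command APDUs, one of the protocols the malware speaks, and flags a stream in which activation commands hit many distinct information object addresses within one window. The frame layout follows the IEC 104 standard; the traffic samples, the 60-second window and the threshold of eight addresses are constructed assumptions for illustration.

```python
"""Added example (not Avira's or ESET's code): encode and decode IEC 60870-5-104
command APDUs and flag the "sweep through breaker addresses" pattern."""
from __future__ import annotations
import struct
from collections import deque

C_SC_NA_1, C_DC_NA_1 = 45, 46      # single command / double command type IDs
COT_ACTIVATION = 6                  # cause of transmission: activation (operator "do it")


def build_command(ioa: int, on: bool, tx: int, rx: int, type_id: int = C_SC_NA_1,
                  ca: int = 1, cot: int = COT_ACTIVATION) -> bytes:
    """One I-format APDU carrying a single/double command for information object address ioa."""
    # SCO: bit0 = SCS (1 = ON). DCO: bits0-1 = DCS (1 = OFF, 2 = ON). Qualifier/select bits left 0.
    element = (1 if on else 0) if type_id == C_SC_NA_1 else (2 if on else 1)
    asdu = struct.pack("<BBBBH", type_id, 1, cot, 0, ca)   # type, VSQ (1 object, SQ=0), COT, originator, CA
    asdu += ioa.to_bytes(3, "little") + bytes([element])
    ctrl = struct.pack("<HH", tx << 1, rx << 1)           # I-format: bit0 of the first control octet is 0
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


def parse_apdu(buf: bytes) -> dict | None:
    """Decode an I-format APDU; None for S/U-format frames or malformed input."""
    if len(buf) < 12 or buf[0] != 0x68 or buf[1] != len(buf) - 2 or buf[2] & 0x01:
        return None
    type_id, vsq, cot_byte, _orig, ca = struct.unpack_from("<BBBBH", buf, 6)
    count, sq = vsq & 0x7F, bool(vsq & 0x80)
    objects, pos = [], 12
    if type_id in (C_SC_NA_1, C_DC_NA_1):       # one-octet elements; other types need their own sizes
        if sq:                                   # SQ=1: one IOA, elements at consecutive addresses
            base = int.from_bytes(buf[pos:pos + 3], "little")
            objects = [(base + i, buf[pos + 3 + i]) for i in range(count)]
        else:                                    # SQ=0: IOA + element per object
            for i in range(count):
                ioa = int.from_bytes(buf[pos + 4 * i:pos + 4 * i + 3], "little")
                objects.append((ioa, buf[pos + 4 * i + 3]))
    return {"type_id": type_id, "cot": cot_byte & 0x3F, "ca": ca, "objects": objects}


def detect_breaker_sweep(frames: list[tuple[float, bytes]], window_s: float = 60.0,
                         min_distinct: int = 8) -> set[int]:
    """Return the commanded IOAs as soon as one window holds activation commands to at
    least min_distinct distinct addresses; empty set if the stream looks like normal operation."""
    recent: deque[tuple[float, int]] = deque()
    for ts, raw in frames:
        apdu = parse_apdu(raw)
        if not apdu or apdu["type_id"] not in (C_SC_NA_1, C_DC_NA_1) or apdu["cot"] != COT_ACTIVATION:
            continue
        recent.extend((ts, ioa) for ioa, _ in apdu["objects"])
        while recent and ts - recent[0][0] > window_s:
            recent.popleft()
        distinct = {ioa for _, ioa in recent}
        if len(distinct) >= min_distinct:
            return distinct
    return set()


# Constructed traffic: an operator toggling one breaker vs. a sweep over twenty addresses.
BENIGN = [(0.0, build_command(1001, True, 0, 0)), (30.0, build_command(1001, False, 1, 0))]
SWEEP = [(100.0 + i * 0.5, build_command(1001 + i, False, i, 0)) for i in range(20)]

if __name__ == "__main__":
    print("benign:", detect_breaker_sweep(BENIGN))
    print("sweep :", sorted(detect_breaker_sweep(SWEEP)))
```

The protocol carries no authentication, so the detector cannot tell a hostile master from the real one; what it can see is behaviour. An operator touches a handful of breakers; a sweep over a block of consecutive addresses, repeated, is the pattern the write-up describes, and it is visible from a passive tap on the substation network.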

Malware targeting SCADA was not a big surprise. With origins dating back to the intersection of manual controls and mainframe computers, it has been described as "insecure by design" by experts. Efforts to make SCADA more secure are something like putting a band-aid on a chest wound.

Following an even earlier hacker attack on the power grid (also in Ukraine, in December 2015), the industry has taken a two-pronged approach: trying to prevent attacks and, almost more importantly, getting back online quickly afterwards.

Tidy hackers at work

Investigators aren’t exactly sure who wrote this malware – although some fingers are pointing towards Russia. What they are sure of is that these hackers did tidy work – without recycling old code or leaving digital fingerprints behind – and that more events are coming. There simply have been too many resources invested in creating this malware for this to be a one-off event. Besides, the malware has additional features and payloads not even activated this time. Investigators have raised the specter that this attack was just a POC (Proof of Concept) for getting the bugs ironed out of the malicious software before they move on to a real target.

Electrifying points to consider

Most people, myself included, are absolute strangers to the intricacies of high voltage systems. However, there are three points from this event that are applicable to everyone online.

  1. It can happen to you – The simple awareness that bad things can indeed happen is critical – for both power managers and individuals.
  2. Be prepared for bad events – Preventing or reducing the damage means having an action plan prepared. For this malware, Dragos recommended having robust backups of engineering files. For the average computer user, preparation should mean a combination of having files backed up, antivirus software in place, and software fully updated.
  3. Stay involved – “Human defenders are required” is the last line of the Dragos report. This is true for your online security. The best defense against a social engineering or customized spear-phishing attack is you.


Gooligan steals more than 1m Google accounts



You may have read or heard about an Android malware attack campaign named Gooligan.

What is Gooligan about?

The main purpose of Gooligan is to steal Google accounts from devices with Android 4 (Jelly Bean, KitKat) and 5 (Lollipop). Later these accounts are used to promote, rate, and download apps from the Google Play Store – making it a huge advertising fraud scheme. Gooligan roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.

That vulnerabilities are used to exploit a mobile device and put malicious programs on it isn't anything special. It's a very popular method to compromise a system. And that's the reason why protecting and updating your system is so important in our digital life. — Mikel Echevarria Lizarraga, Malware Analyst at the Virus Lab at Avira.

According to Check Point there are more than 80 malicious Gooligan apps. These apps have stolen more than 1 million Google accounts, and the number is increasing by 13,000 accounts per day!

Google's director of Android security has already published a statement on Google+:

Several Ghost Push variants use publicly known vulnerabilities that are unpatched on older devices to gain privileges that allow them to install applications without user consent. In the last few weeks, we’ve worked closely with Check Point, a cyber security company, to investigate and protect users from one of these variants. Nicknamed ‘Gooligan’, this variant used Google credentials on older versions of Android to generate fraudulent installs of other apps. — Adrian Ludwig, Google’s director of Android Security

Where do these apps come from?

The apps are found in third-party stores, a fact that many may see as a relief. But it's not! Users can be redirected to these apps while browsing the net and then asked to install them, and a lot of them do.

Check Point states that 57% of the infected devices were detected in Asia. We recommend that you do not relax or get comfortable nonetheless, because this doesn't mean that only Asia is affected by "untrusted" download stores. Untrusted download stores are everywhere; they're a dime a dozen on the internet. So if you use other stores besides Google Play you increase your risk of being affected, no matter whether you are in Asia or not.

We have your back!

Avira free Antivirus for Android has already been protecting you against this threat for several months. Download the app on Google’s Play Store for free!

We also recommend checking the configuration of your Android device under Settings > Security. "Unknown sources" should stay disabled (it is off by default) and "Verify apps" should be enabled. This prevents the accidental installation of these malware applications from outside Google Play.


Malware: Just believe and follow our directions



It all starts when the computer user opens the attached .zip file and executes the file with the Excel icon inside. This kicks off an "installation process" in which the popup warning about a suspicious root certificate from the "COMODO Certification Authority" flashes by in less than a second. It's just like the best of Dr. Who: blink and you will miss it, no additional help needed. But there is a problem with this certificate: it's not from Comodo.

Name recognition counts

“The Comodo name is well known and just does not look suspicious on certificates,” explains Oscar Anduiza, malware analyst at Avira.

Comodo is the largest Certificate Authority (CA), one of the global "trust anchors" at the top of the "chain of trust" charged with verifying identities and levels of authorization.

But this certificate is self-signed by the issuers, not by Comodo. Self-signed certificates are the equivalent of a schoolyard know-it-all's statement: "It's good because I said so. Don't ask questions, everything will be just fine." The email address listed on the certificate is me@myhost.mydomain.***. And a root certificate installed into the trusted store is a carte blanche: whoever holds its private key can issue certificates the computer will trust, for signing code or intercepting encrypted connections, which is very useful for data-stealing malware.

Spoofed information about the issuer

The spoof continues on the other certificate tabs, making it appear that the certificate comes from Comodo despite being self-issued by someone else. "Instructions on how to do this are easily obtainable on the internet, from official and other sources," adds Anduiza.
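Checking for this kind of impostor does not need a full X.509 library: issuer and subject sit at fixed positions in the DER encoding, and a self-issued certificate has them equal. The Python below is an added example, not Avira's or Comodo's code. It hand-builds a minimal DER certificate (placeholder key and signature, so it is not cryptographically valid) purely to exercise the check, and the KNOWN_ROOTS fingerprint allowlist is an assumed placeholder that you would fill from your platform's root program. Genuine CA roots are self-signed too, so the discriminator is the pinned fingerprint, not self-issuance alone.

```python
"""Added example (not Avira's code): detect a self-issued root certificate that
borrows a real CA's name, reading issuer and subject straight from the DER."""
from __future__ import annotations
import hashlib


# ---- minimal DER encode/decode, enough for X.509 framing ----
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def der_children(content: bytes) -> list[tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


SEQ, SET, OID, UTF8, INT, BITS, NULL, UTCTIME, CTX0 = 0x30, 0x31, 0x06, 0x0C, 0x02, 0x03, 0x05, 0x17, 0xA0
OID_CN = b"\x55\x04\x03"                                   # 2.5.4.3 commonName
SHA256_RSA = der(SEQ, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(NULL, b""))
RSA = der(SEQ, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(NULL, b""))


def name(cn: str) -> bytes:
    """X.501 Name with a single CN attribute."""
    return der(SEQ, der(SET, der(SEQ, der(OID, OID_CN) + der(UTF8, cn.encode()))))


def make_cert(issuer_cn: str, subject_cn: str) -> bytes:
    """Constructed test certificate: valid DER framing, placeholder key and signature."""
    validity = der(SEQ, der(UTCTIME, b"240101000000Z") + der(UTCTIME, b"340101000000Z"))
    spki = der(SEQ, RSA + der(BITS, b"\x00" + b"\x00" * 32))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, b"\x01") + SHA256_RSA
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der(SEQ, tbs + SHA256_RSA + der(BITS, b"\x00" + b"\x00" * 32))


def common_name(name_content: bytes) -> str:
    for _, rdn in der_children(name_content):
        for _, atv in der_children(rdn):
            oid, value = der_children(atv)
            if oid[1] == OID_CN:
                return value[1].decode("utf-8", "replace")
    return ""


def cert_names(cert: bytes) -> tuple[bytes, bytes]:
    """Return the DER content of (issuer, subject) from a certificate."""
    _, body, _ = der_read(cert)
    fields = der_children(der_children(body)[0][1])          # tbsCertificate
    if fields[0][0] == CTX0:                                  # explicit version is optional
        fields = fields[1:]
    return fields[2][1], fields[4][1]                         # serial, sigalg, issuer, validity, subject


# Assumed allowlist: SHA-256 fingerprints of the genuine roots your platform ships
# under each CA name. Left empty here; in practice fill it from the root program.
KNOWN_ROOTS: dict[str, set[str]] = {"COMODO Certification Authority": set()}


def assess_root(cert: bytes) -> dict:
    issuer, subject = cert_names(cert)
    icn, scn = common_name(issuer), common_name(subject)
    fp = hashlib.sha256(cert).hexdigest()
    self_issued = issuer == subject
    claims_known_ca = any(k.lower() in scn.lower() for k in KNOWN_ROOTS)
    return {"issuer": icn, "subject": scn, "fingerprint": fp, "self_issued": self_issued,
            # Genuine roots are self-signed too; the impostor is the one whose fingerprint is not pinned.
            "impostor": self_issued and claims_known_ca and fp not in KNOWN_ROOTS.get(scn, set())}


if __name__ == "__main__":
    print(assess_root(make_cert("COMODO Certification Authority", "COMODO Certification Authority")))
```

On a real system you would feed assess_root the DER of every certificate in the machine's trusted root store and compare against the fingerprints your root program publishes; anything self-issued under a well-known CA name that is not on that list was put there by something other than the vendor.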

Just follow the directions

In case the downloader does not open automatically or is stopped by the recipient's antivirus software, this malware comes with directions that can cure that problem. The directions come as a zipped "readme.txt" file alongside the Trojan downloader. They give computer users detailed directions on how to execute the malware.


Here is a summary:

  • Just click to agree to everything: Double click on the extracted file. And from there, just click on “Agree” and then “Run”. For PCs with Windows 8 or the newer 10, click on “More Information” -> “Download anyway” at the standard SmartScreen warning.
  • Disable or turn off your antivirus or firewall: AVs and firewalls can block all files downloaded from the internet. If there are problems, add this file to the exceptions list and try again. Or, temporarily turn off the AV or firewall until the file has been downloaded.

“They really want to be sure that the user ‘properly’ gets infected,” says Anduiza. “These directions are pretty much exactly 180 degrees off from what computer users should actually do.”

The readme.txt file is in standard but slightly irregular German and does not appear to be a machine translation. This indicates that the text was written for the German mass market but is probably also being distributed in other languages such as English.

“This gives the cybercriminals a second chance at a successful installation, especially after the AV has blocked the initial attempt,” he points out. “This is an interesting social engineering trick, especially as the downloader and malware are not especially sophisticated.”

Start me up with malware

The malware downloads a malicious file from a compromised URL hxxp:// The file is copied to three places on the computer, one of which is the Startup folder, ensuring that the malware is executed every time Windows starts.

  • c:\ProgramData\
  • c:\Users\All Users\
  • c:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif

As of early March, the installed malware was a banking Trojan that steals credentials and financial information. Avira detects this downloaded malware as TR/


To get infected, follow the directions – Avira Support



The directions come as a zipped text file along with the Trojan downloader, with the malware hiding on the recipient's computer behind the standard icon of an Excel file. If the downloader does not open automatically or is stopped by the recipient's antivirus software, the readme.txt gives detailed directions on how to execute the malware.

Here is a summary:

  • Just click to agree to everything: Double click on the extracted file. And from there, just click on “Agree” and then “Run”. For PCs with Windows 8 or the newer 10, click on “More Information” -> “Download anyway” at the standard SmartScreen warning.
  • Disable or turn off your antivirus or firewall: AVs and firewalls can block all files downloaded from the internet. If there are problems, add this file to the exceptions list and try again. Or, temporarily turn off the AV or firewall until the file has been downloaded.

“They really want to be sure that the user ‘properly’ gets infected,” pointed out Oscar Anduiza, malware analyst at Avira. “These directions are pretty much exactly 180 degrees off from what computer users should actually do.”


The readme.txt file is in standard but slightly irregular German and does not appear to be a machine translation. This indicates that the text was written for the German mass market but is probably also being distributed in other languages such as English.


“This gives the cybercriminals a second chance at a successful installation, especially after the AV has blocked the initial attempt. This is an interesting social engineering trick, especially as the downloader and malware are not especially sophisticated,” added Anduiza.

If users click, they begin an "installation process" that starts with a popup about a suspicious root certificate. This official-looking certificate, apparently issued by COMODO, is meant to give the issuers unlimited permission to make changes on the system, move freely past the firewall and circumvent the already installed AV.

The malware then downloads a malicious file that is copied to three places on the computer. One copy goes into the Startup folder, ensuring that the malware is executed every time Windows starts.

c:\Users\All Users\
c:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif

As of March 3, the installed malware was a banking Trojan that steals credentials and financial information. However, the cybercriminals can swap the download link or add new variants at short notice. The current banking Trojans are covered by Avira detections.


How much is your streaming account worth?



In fact, more and more people seem to do so. And it’s no wonder – choosing what you want to watch and when definitely has a lot of pros. With its rise in popularity it should come as no surprise that account theft for those (and other) online services is hot, too. So how much would one have to pay to get access to someone else’s account? Apparently not much.

According to The Register “premium sports accounts sell for about $10 while streaming TV can be bought for as low as 50 cents, far less than the $10 monthly subscription.

Comic fans can buy a stolen Marvel Unlimited lifetime account – meaning the victim is unlikely to shutter it – for 50 cents compared to the $10 monthly fee.”

The Marketplace, which is accessible via the Tor network, also offers premium Spotify, ComCast Xfinity, Uber, Apple, and Lynda training video accounts as well as drugs, weapons, malware, and of course credit cards.

The stolen accounts also come with some care instructions for the “new” (and apparently not too bright) owners: Make sure not to change the email address or the legitimate owner will notice.

So, now that you know how much your account might be worth out there in the wild (not a lot apparently, compared to what you are paying for it), you should make sure that it remains your own and will not be sold to who knows how many other people.

  • Make sure you are using a good antivirus that will guard your PC from trojans, keyloggers, and other malware.
  • Use a unique password for each of your accounts. Make it a good one.
  • Change your password regularly.


Avira now identifies SilverPush ad-tracking as malware



Even worse, they are doing it right in front of you – but you don’t know it.

Welcome to the world of cross-device tracking where the only thing you have to lose is your privacy as an autonomous human being.

This is no nightmare futuristic scenario, it is now. But it does not have to be for people using Avira antivirus software.  Avira, the German security company, now detects the SilverPush tracking software as Trojan malware.

Devices running Avira security software will now warn users if this software is present or about to be downloaded. If the software is already present, Avira will either remove or block it from operating. The new detection will protect the millions using Avira security software or the Avira anti-malware engine in their device.

The SilverPush technology enables advertisers to put an ultrasonic "sound beacon" into TV commercials which people can't hear, but their devices can. This signal is picked up by apps that embed the SilverPush software, and they respond with a message sent back to SilverPush identifying where the ad was seen and the precise broadcast channel. That's just the start: the message also identifies the exact ID of the device, the Wi-Fi router's MAC address, details about the device's operating system and, worst of all, the user's phone number.

After putting the pieces together, SilverPush and its clients can have a very detailed portrait of the end consumer preferences. It’s a marketing dream – a technology that enables cross-device tracking and targeted ads – but who is taking care of the user and their need for privacy?

“What user privacy?—and this is a big, big problem for us,” says Travis Witteveen, CEO of AVIRA. “The functionality of the SilverPush software is way out of line for a legitimate advertising software development kit – given the way this software sucks up data on the individual user, the extent of this data, and the insecure transport of this data back to SilverPush – so we are now detecting this as a Trojan.”

Analysis from the Avira Virus Lab shows the detailed level of user data sucked up and broadcast by SilverPush. “They even transmit the user’s phone number – which is certainly classified as personally identifiable information … along with other data like the device’s IMEI or MAC address – details which identify the individual device,” pointed out Mr. Witteveen. “With this amount of data, SilverPush could order and deliver a pizza for viewers when they sit down to watch a Western on TV.”

SilverPush is not the only tech firm working on cross-device tracking. Others active in this area include Adobe, Drawbridge, and Flurry. But thanks to the way SilverPush sucks in and handles user data, they have been at the center of a media storm involving the US Federal Trade Commission and its review of cross-device tracking of users by marketing firms.

“The best solution is increased transparency and a robust and meaningful opt-out system. If cross-device tracking companies cannot give users these types of notice and control, they should not engage in cross-device tracking,” stated the Center for Democracy & Technology, an American advocacy group for internet privacy in a letter to the FTC.

At Avira, we agree with this position. And until these details are figured out, we will identify SilverPush for what it is. As the CDT has pointed out in the same letter, privacy is important and recent polls show that 91% of Americans feel like they have lost control over the way their personal data is being collected and used.


LNK Files – Shortcuts to Faster Infections



These shortcut files are actually called Shell Link files; their Microsoft filename extension is ".LNK".

Let's dig a little deeper and check the typical properties of an example LNK file. Just right-click on the shortcut and select "Properties". There are several options that can be changed; in this case we will focus on the "Target" field, which contains the path to the application or folder.

“C:\Program Files (x86)\Avira\Avira Antivirus\avcenter.exe”

Looks easy, right? When you click on the shortcut it performs the command specified here. In this case our trusted Avira Antivirus is being launched. This is actually what you can expect and want when clicking on a shortcut.

Unfortunately these shortcut files also have a drawback: you don't know exactly what hides behind them without explicitly looking. At Avira we are currently seeing a trend of more and more malware threats using this propagation method. You can follow this and other trends by visiting the Avira Threats Landscape.

Malware authors are starting to use this method because nowadays most novice users know that clicking on a suspicious executable file might be dangerous for their systems, whereas clicking on a shortcut is normally not associated with bad behavior.

I'd like to show you how malware actually misuses the usually helpful LNK files, using an actual in-the-wild malware detection as an example: VBS/LNK.Jenxsus.Gen

This variant uses LNK files to spread the infection via removable drives. The trick is very simple: it creates shortcuts to your files and folders stored on the USB stick and then hides the originals from you.

Let’s see what a folder structure looks like once the USB drive is infected.

Folder view of an infected USB drive.

Nothing unusual at first glance, right? Except maybe that all the icons have a small arrow in the bottom left corner, which indicates that they are shortcut files. But you can still access all your files and folders by clicking on them.

We will now take a closer look at what is actually hidden behind the shortcut files by telling Windows Explorer that we want to see all "hidden system files".

Directory view with "hidden system files" shown.

When we focus on "avira-logo" you can see that there are actually two files: one is the LNK file and the highlighted one is the actual hidden jpg image file.

This means when you click on a trusted file on the USB drive you are actually clicking on the shortcut which will execute the following command stored inside the LNK target instead of just opening the image.

C:\WINDOWS\system32\cmd.exe /c start dlbfbiicvg.vbs&start avira-logo.jpg&exit

Target path of an infected LNK file.

What this command does is silently execute the malicious "dlbfbiicvg.vbs" via cmd.exe and then use "start avira-logo.jpg" to open the file you clicked on, so as not to arouse any suspicion.
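The shortcut trick above is mechanical enough to check automatically. The Python below is an added example, not Avira's code: it builds a minimal Shell Link file in memory from the fields that matter, parses the string data back out following the MS-SHLLINK layout, and flags a target that runs cmd.exe with start, a script host, or a script extension. The constructed shortcut mirrors the Jenxsus target shown above; real samples also carry an IDList and a LinkInfo block, which the parser skips using their size fields. The interpreter and extension list in SUSPICIOUS is an assumption that goes beyond the single cmd.exe/VBS case in the text.

```python
"""Added example (not Avira's code): build a minimal Shell Link (.LNK) in
memory, parse its string data back out, and flag targets that run a script
interpreter instead of opening the file the icon promises."""
from __future__ import annotations
import re
import struct

# Shell Link header constants (MS-SHLLINK).
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData entries appear in this fixed order, each only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon"))


def _string_data(s: str) -> bytes:
    """StringData entry: CountCharacters (u16) followed by UTF-16LE characters, no terminator."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path: str, arguments: str = "", icon: str = "") -> bytes:
    """Minimal .LNK: header plus RELATIVE_PATH / ARGUMENTS / ICON_LOCATION (no IDList, no LinkInfo)."""
    flags, body = IS_UNICODE | HAS_RELATIVE_PATH, _string_data(relative_path)
    if arguments:
        flags |= HAS_ARGUMENTS
        body += _string_data(arguments)
    if icon:
        flags |= HAS_ICON_LOCATION
        body += _string_data(icon)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 x FILETIME, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3.
    header = struct.pack("<I16sIIqqqIIIHHII", 0x4C, LINK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body


def parse_lnk(data: bytes) -> dict[str, str]:
    """Return the StringData fields of a .LNK, skipping IDList and LinkInfo by their size fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]     # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]         # LinkInfoSize counts itself
    unicode = bool(flags & IS_UNICODE)
    fields: dict[str, str] = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        fields[key] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


# Interpreters and script extensions that have no business behind a "document" or "image" shortcut.
SUSPICIOUS = re.compile(r"cmd(?:\.exe)?\b.*\bstart\b|\b(?:wscript|cscript|powershell|mshta|rundll32)\b"
                        r"|\.(?:vbs|js|ps1|hta)\b", re.I)


def triage_lnk(data: bytes) -> tuple[bool, str]:
    """(is_suspicious, effective target) for one shortcut."""
    f = parse_lnk(data)
    target = (f.get("relative_path", "") + " " + f.get("arguments", "")).strip()
    return bool(SUSPICIOUS.search(target)), target


if __name__ == "__main__":
    # Constructed shortcut modelled on the Jenxsus target shown above.
    bad = build_lnk(r"..\..\Windows\system32\cmd.exe", "/c start dlbfbiicvg.vbs&start avira-logo.jpg&exit",
                    "avira-logo.jpg")
    print(triage_lnk(bad))
```

Run over every .LNK on a freshly inserted removable drive, this is the automated version of "check the Target field before clicking": a shortcut whose icon says image or document but whose target says cmd.exe, wscript or .vbs is the Jenxsus pattern, whatever the file is named.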

Additionally the malware adds a Run key entry to the Registry, which makes sure the malware is executed at every system boot and can infect other USB drives when they are plugged into the system.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dlbfbiicvg"="wscript.exe //B \"C:\\DOCUME~1\\USERNAME\\LOCALS~1\\Temp\\dlbfbiicvg.vbs\""

Example of a malicious Run-Key added by the malware.

The filename and the Registry value of the Run-Key are always randomly generated by the malware on an infected system.

Finally, the malware can also deploy a backdoor on your computer that sends out information about the operating system, the sites you visited and so on.

USB drives are still popular because they are a very convenient way to transfer large files from one location to another, especially if you have limited internet bandwidth available.

So if you want to share some data with a family member or friend, be very careful when you plug your USB drive into an unprotected computer. Your USB drive might get infected or, vice versa, you could spread the infection from your USB drive to their computer.

Of course nobody has the time to check every shortcut this closely before clicking on it.

One easy solution is to use our Avira product which automatically scans for malicious content and will protect you from this kind of malware threat.


Sharing and the fine art of stopping malware



There are an array of technical and business issues that have to be solved: What format do the files need to be in? Who pays for the bandwidth? And the list goes on and on.

Regardless of these technical issues, there are a number of advantages to sharing – particularly for the average computer user. This user – let’s call him Joe Six-Pack – gets much faster and deeper information about any potential threats than if he kept news of his malware misadventures all to himself.

Just from the perspective of Avira, cooperation has its organizational costs – but brings clear benefits down the road.

Avira was one of a “Gang of Five” security companies that set up MUTE, the Malware URL Tracking and Exchange back in 2008.

Avira web developers were volunteered by the company and shared their expertise to set up the backend infrastructure for the group’s members to combine and share their collections of malicious web addresses. The initial outline of Avira’s system specs could be placed on four PDF slides. Today, the system is far more complex and requires a whopping 44 slides to describe its operations. And that is not all of the sharing. Avira also founded VIREX, a web-based application for helping security analysts organize their bits and pieces of malicious code, clean samples, and URLs. Yes, Avira is proud of its sharing efforts.

But you could still ask: what does Avira get out of its investment in sharing, in addition to fresher bits of malware? I can think of two primary benefits.

1. Greater back-office expertise in coordinating data flows.
2. Experience in collaborative working outside of the company environment.

Put these two advantages together and there is a third one:

3. Avira expertise that can fit under the banner of other companies as an OEM product.

That is exactly what we have done with the recently announced Lavasoft deal. We’ve licensed our new  Avira URL Cloud (MURL) and program classification service (AUC) to Lavasoft and they’ll  use this to beef up the security levels in their Ad-Aware Web Companion.

Sharing is a good thing – whether in a real or a virtual sandbox.  It makes life a better, richer, and yes, more secure experience.
