Your holidays start on the Internet: tips for booking vacations online


Tags: Avira Tech Support | Avira Support Number | Avira Refund.

Everything is possible online nowadays: reading newspapers, ordering books and clothes, flirting, checking out recipes – and of course booking vacations online. Hotel comparison sites are immensely popular, every airline offers online booking, and instead of combing through endless travel-agency brochures, you now simply visit Expedia, Opodo or Travelocity. While it’s all very easy and convenient, it isn’t without its risks. Whether it’s a dodgy low-cost website which goes bust before your vacation starts or a seemingly harmless invoice attached to an email which turns out to be infected with a virus – at Avira we find that a little caution goes a long way.

Many problems with online booking stem from legal issues. In some cases it is not clear to the customer who the provider, the organizer and the contracting party are. In case of questions and complaints, it is important to know whom to contact. Whether you can make any claims at all, and how easy that is, differs immensely depending on where the company you signed the contract with is located. On top of that, costs often aren’t as transparent as they could and should be: additional transfer fees stay hidden, or trip-cancellation insurance is suddenly pre-selected on the final page before the last confirmation click without ever having been mentioned beforehand.

Low-cost portal or not, no operator offers its services for free. The cheaper the offer, the greater the risk that the small print conceals hidden costs. Free hotel room? Perhaps a minimum stay is involved, or you need to pay service and agency costs. Extremely cheap flight and accommodation? There may be compulsory shopping trips planned involving visits to carpet makers, jewelers, and leather factories.

Internet transactions always involve risks – even if they have become safer over the years. You should only ever transfer money over an encrypted connection. For that, the online travel agent has to offer an SSL-secured Web session. Operators usually make a specific point of mentioning this at the virtual checkout, but you can also tell the session is encrypted by the little padlock icon or the different color of the Web browser’s address bar. This type of encryption is extremely secure and cannot be broken without considerable effort – effectively meaning no risk is involved.

However, other risks are beyond the user’s control. Hackers often manage to break into the websites of legitimate online travel operators. In 2005 the Japanese tour operator Club Tourism had to admit that hackers had stolen the information of over 90,000 customers. In 2009 a website in the USA which government officials use to book travel was compromised. And as recently as April 2013 Traveltainment, a subsidiary of the Amadeus Group, had to concede that hackers had broken into its servers and stolen the personal details, including payment information, of an unknown number of customers. The theft caused further harm when customers opened the emails containing phishing malware that followed: the thieves could send them convincingly because they knew the customers’ email addresses and booking details. A comprehensive security software solution like Avira Antivirus Pro offers protection against such attacks and should therefore be a staple on every computer.

Source :

Avira Tech Support : Blog

Bad Rabbit – the not so cute ransomware



Yesterday, Avira’s labs identified an attack by a new ransomware variant called Bad Rabbit. It is a typical file cryptor that makes all your personal files unreadable and forces you to pay a ransom to decrypt them. It overwrites the Master Boot Record (MBR) so that its ransom message is shown to the victim after the computer reboots.


This threat reaches the victim’s computer as a drive-by attack. We’ve identified the payload as being downloaded from h(tt)p://1dnscontrol(.)com/flash_install.php. It seems that for this attack the criminals did not go for an ordinary phishing attack (where the payload is usually attached) but more likely used a malicious advertising banner or a hacked website.

They haven’t chosen phishing to spread the infection, but they have used another well-known social engineering method to get onto the user’s computer. The dropped file needs to be executed by the user with admin rights to work, so they probably decided that disguising it as a Flash Player installer was the best method. Recently we have often seen a type of malvertising (a combination of malware and advertising) where you supposedly need to install Flash Player before you can watch the banner. Every day many people click on a fake Flash Player icon thinking that it is a new update.

If the malicious fake Flash Player is executed, it drops the malicious DLL as C:\Windows\infpub.dat. This is launched using rundll32 and in turn drops dispci.exe (the file decoder) and cscc.dat (a utility tool) into the Windows folder (c:\windows). In parallel, it also tries to spread these files to other computers in the network by brute forcing the administrative shares (\\computername\admin$) with a list of hardcoded credentials (e.g. sex, qwe123, qwe321, …).

For the dropped files in the Windows folder, it creates three scheduled tasks.

It is interesting to notice how the cybercriminals label the tasks, because “Drogon”, “Rhaegal” and “Viserion” are dragons from the world-famous Game of Thrones series. And not only those: they also use the name of another character, “GrayWorm”, as the product name of the exe file. It is not the first time that criminals mix popular culture icons with malware, as we have seen before with Mr. Robot, James Bond, Pokemon and many more.

This ransomware also uses some special techniques to avoid leaving traces behind after the infection. One interesting method is deleting the USN journal.

The command fsutil.exe usn deletejournal /D c: deletes the journal. The USN journal records, among other things, which changes were made to a file, so after the encryption it would show what had been modified. Deleting it removes this record from the victim’s system, so that only the cybercriminals keep this information.

The file decoder sheds light on what kinds of users the cybercriminals would like to target, if you look at its list of file types.

It especially checks for virtual machine file types (e.g. vhdx, vmdk, vbox, …). This means they are also targeting the corporate arena and not just the “home user”.

The file decoder also gives us an insight into what would happen on the victim’s computer if the ransom were paid.

According to the criminals’ instructions, the user should disable their antivirus or anti-malware program and click on decryption.lnk on the desktop. After the files are decrypted, the filecoder and the created task are supposedly deleted from the system. In any case, we recommend never following instructions from cybercriminals.

The camouflaged file cscc.dat is originally a .sys driver file which is part of the open-source encryption solution “DiskCryptor” used by the ransomware.

Unlike many other file encryptors such as Locky, this encryption method doesn’t change the file extension. The extension remains the same; instead, a string containing “encrypted” is appended at the end of the file.
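The artefacts listed above (infpub.dat launched via rundll32, dispci.exe and cscc.dat in the Windows folder, the three Game of Thrones task names, the USN journal wipe) and the trailing “encrypted” marker described in the last paragraph can be turned into a small host triage script. The following is an added example, not Avira’s code: the process-creation log lines are constructed for illustration, their “timestamp | user | command line” format is an assumption, and the rules use only the indicators named in the post.

```python
"""Host-side triage for the Bad Rabbit indicators described in the post.

Added example, not Avira's code. The rules only use the artefacts named in the
post; the log records below are constructed and their format is an assumption.
"""
import re
from pathlib import Path

TASK_NAMES = ("drogon", "rhaegal", "viserion")   # scheduled-task names from the post
VM_EXTENSIONS = (".vhdx", ".vmdk", ".vbox")        # VM file types the decoder singles out
TRAILING_MARKER = b"encrypted"                     # string appended to encrypted files
TAIL_BYTES = 64                                    # how much of a file's end to inspect

# Each rule is (name, regex applied to a process command line). Case-insensitive,
# because Windows paths and tool names arrive in mixed case in real logs.
RULES = [
    ("infpub_dll_via_rundll32",
     re.compile(r"rundll32(\.exe)?\s+.*infpub\.dat", re.I)),
    ("usn_journal_deleted",
     re.compile(r"fsutil(\.exe)?\s+usn\s+deletejournal", re.I)),
    ("got_named_task",
     re.compile(r'schtasks(\.exe)?\s+/create\s+.*?/tn\s+"?(' + "|".join(TASK_NAMES) + r")\b", re.I)),
    ("dropped_binary_run",
     re.compile(r"\\windows\\(dispci\.exe|cscc\.dat)", re.I)),
]

# Constructed process-creation records: "timestamp | user | command line".
SAMPLE_LOG = [
    r"2017-10-24T14:01:58 | alice | C:\Windows\System32\svchost.exe -k netsvcs",
    r"2017-10-24T14:02:11 | alice | C:\Windows\System32\rundll32.exe C:\Windows\infpub.dat,#1",
    r"2017-10-24T14:02:13 | alice | C:\Windows\dispci.exe",
    r"2017-10-24T14:02:14 | alice | schtasks.exe /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR C:\Windows\System32\cmd.exe",
    r"2017-10-24T14:02:15 | alice | fsutil.exe usn deletejournal /D C:",
    r"2017-10-24T14:03:00 | alice | C:\Program Files\Notepad++\notepad++.exe",
]


def scan_process_log(lines):
    """Return (rule_name, line) for every record whose command line matches a rule."""
    hits = []
    for line in lines:
        cmdline = line.split("|", 2)[-1].strip()
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((name, line))
    return hits


def classify_tail(name, data):
    """Classify a file by its last bytes, since Bad Rabbit leaves the extension alone.

    Returns (marker_present, is_vm_image). A text file that happens to end with the
    word "encrypted" would also trigger, so treat a hit as a lead, not as proof.
    """
    tail = data[-TAIL_BYTES:]
    return (TRAILING_MARKER in tail, Path(name).suffix.lower() in VM_EXTENSIONS)


def triage_directory(root):
    """Walk root and return [(path, is_vm_image)] for files carrying the marker."""
    flagged = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            fh.seek(0, 2)                       # jump to the end of the file
            fh.seek(max(0, fh.tell() - TAIL_BYTES))
            tail = fh.read()
        marker, is_vm = classify_tail(path.name, tail)
        if marker:
            flagged.append((str(path), is_vm))
    return flagged


if __name__ == "__main__":
    for rule, line in scan_process_log(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Reading only the tail of each file keeps the directory sweep cheap even on large VM images, and reporting the VM hits separately reflects the post’s point that those file types are the ones the decoder looks for first.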

This time, it looks like the criminals spent more time creating the onion link page. It even has a loading animation of a decryption.

But don’t worry, Avira is already protecting you against this ransomware.


Support Scam: Your browser has been locked for support (that you just don’t want)



With viewers’ browsers as the target, online scareware/scam pop-ups kept spiking in early August. The typical message of the latest wave promises users that the website has updated its browser support and that they need special help to get back online. Along with this message, the scam often maximizes the browser window and makes it impossible for the user to close it or click anywhere else.

We call it a support scam. The notices claim to have a malware infection or similar and try to scare the user with this news. These pages are absolutely annoying for the customer. While some may not be directly harmful, others redirect users to adware applications. — Oscar Anduiza, malware analyst at Avira.

The newest wave of support scam has the Avira Protection Services racking up over a hundred thousand new detections daily in early August. 

Crossing the grey line

While a support scam can appear out of nowhere when you surf to “normal” sites, it most often happens in the grey zone where users are streaming online content that may or may not be completely legal.

We see this more commonly in the grey/dark zone. Especially with the illegal movie and TV streams that are streaming copyrighted content like Game of Thrones, and on some porn sites.  — Oscar Anduiza, malware analyst at Avira.

Most of them are related to some kind of advertisement redirection or pop-up.

Keeping that browser clean 

Even if you don’t visit illicit streaming sites, there is a chance that you will encounter a support scam. However, staying secure is not too complicated.

  • Have an antivirus installed and keep it up to date. This will help identify and stop any additional malware bundled with the support scam.
  • Listen to your Antivirus. If the Antivirus signals that something is not quite right – even if it messes up that streaming experience – listen to it.
  • Stay updated. Think of it as a vaccination. The more up-to-date your device is, the less apt you are to catch something nasty.


Back in Black malware at your power company could put out the lights



Malware can do more than just hold your device for ransom; it might just flip off the electrical power switch for an entire city. New malware is targeting power grid infrastructure, say analysts, and this first attack is likely just a taste of what could come in the future.

The malware, called Industroyer or Crash Override, came into view in late 2016 when it knocked about 700,000 homes off the grid for a few hours outside the Ukrainian city of Kiev. And that’s the good news. The bad news is that this malware knows its way around the power grid, can send malicious commands to mission-critical equipment, and once configured and deployed, can be scaled out without direct hacker involvement.

There’s a SCADA in the lightswitch

This attack targeted several SCADA protocols used in Europe. SCADA, short for Supervisory Control and Data Acquisition, is the system of hardware and software controls behind almost every industrial process. Once activated, the Crash Override malware cycles through a range of circuit-breaker addresses, trips them, then repeats the process.

Malware targeting SCADA was not a big surprise. With origins dating back to the intersection of manual controls and mainframe computers, SCADA has been described as “insecure by design” by experts. Efforts to make it more secure are something like putting a band-aid on a chest wound.

Following an even earlier hacker attack (also in Ukraine) on the power grid, the industry has taken a two-pronged approach: trying to prevent attacks and, almost more importantly, getting quickly back online afterwards.

Tidy hackers at work

Investigators aren’t exactly sure who wrote this malware – although some fingers are pointing towards Russia. What they are sure of is that these hackers did tidy work – without recycling old code or leaving digital fingerprints behind – and that more events are coming. There simply have been too many resources invested in creating this malware for this to be a one-off event. Besides, the malware has additional features and payloads not even activated this time. Investigators have raised the specter that this attack was just a POC (Proof of Concept) for getting the bugs ironed out of the malicious software before they move on to a real target.

Electrifying points to consider

Most people, myself included, are absolute strangers to the intricacies of high voltage systems. However, there are three points from this event that are applicable to everyone online.

  1. It can happen to you – The simple awareness that bad things can indeed happen is critical – for both power managers and individuals.
  2. Be prepared for bad events – Preventing or reducing the damage means having an action plan prepared. For this malware, Dragos recommended having robust backups of engineering files. For the average computer user, preparation should mean a combination of having files backed up, antivirus software in place, and software fully updated.
  3. Stay involved – “Human defenders are required” is the last line of the Dragos report. This is true for your online security. The best defense against a social engineering or customized spear-phishing attack is you.


Android: The phone is not the target, your money is



Having grown in popularity, Android devices have naturally become a favorite target of cybercriminals, who are concentrating their efforts on breaching the Google-developed OS. The inattention of many Android users is also being exploited: a key factor is that users aren’t paying attention to what they download from the Google Play Store. Many devices are getting infected with malware that gives itself root access after being downloaded and immediately starts its malicious operations.

The best-known malware for mobile platforms is currently the Locker ransomware. It usually starts as a “message” from a law enforcement agency such as the FBI, BKA or LKA and uses various tricks to obtain payment from its victims. This malicious software is becoming more and more professional, even offering up alleged “examples” of user misdeeds that could be used as evidence against the user, to ensure that payment is made as quickly as possible. The bitcoin payment methods used make it next to impossible to trace or recover the ransom money.

But how do you get rid of this malware from your Android device?

One of the most important steps in reducing potential damage from malware is to make a weekly backup of the most important files on the Android device. That way, after a user restarts in safe mode, the most important data on the phone will remain untouched. Beyond that, the factory defaults may have to be restored if the malware intrusion makes it impossible to get the device working again.

Most attacks on Android have a clear purpose: making money from users. That is why only a small share of the malware focuses on directly attacking the phone. The growth curve is developing much as it did with Windows: as Android becomes better known and apps become easier to develop, cybercriminal attacks increasingly focus on it. Although they are still, at least at the moment, far fewer than the attacks on Windows PCs, the number of these attacks is rising quickly.

Security you can trust

At Avira, we have developed a free security system for Android which is available in the Google Play Store. Independent testing labs have found that Avira Free Antivirus for Android has superior detection of mobile threats compared to most paid solutions. Avira also prevents unwanted premium calls (a prime way that cybercriminals make money from mobile malware), blocks banking Trojans, and stops ransomware from restricting access to data or encrypting it. Free Antivirus for Android also includes features that protect your e-mails and browsing. It contains the Android Optimizer, which accelerates the phone’s operation by freeing up memory (RAM), protecting your privacy, and extending the device’s battery life.


Android users: beware the porn-clicker Trojan in Play Store



Android devices are getting infected by a Clicker Trojan, a family of Android malware which hides in counterfeit versions of various apps. After installation, it uses the infected device’s browser to click on porn ads in the background. The way this Trojan manages to infect devices isn’t complicated at all: the virus is disguised as a version of a very popular game or app, from which it “borrows” even the name and icon. The malicious apps are available for free and are completely unrelated to the original.

Apps and games to avoid

As mentioned above, the Clicker Trojan usually carries a popular name such as “Temple Run 3”, “Subway Surfers 2” or “Travel Wallpapers”, and each app has a different icon matching its name. Once installed, they start a hidden browsing session, load various porn websites and trick the user into clicking on ads. This is how the malware authors collect revenue.


Avira Antivirus for Android detects the Trojan

The Avira Virus Lab confirms that Avira Antivirus detects the Trojan and explains how the porn-clicker manages to get past Google’s filters:


A common feature of the Clicker family is that it is requesting “draw over other apps” permissions.

“The Clicker Trojan is a family of Android Malware that poses as legitimate apps but once they are installed they click on Porn ads in the background,” said Mihai Grigorescu, Virus Analyst at Avira Protection Lab – ”They are present in Google Play as they have been able to bypass Google’s automatic filters as well as the human review process. Avira Antivirus is detecting the Trojan as Android/Clicker with subtypes like Android/Clicker.B, Android/Clicker.AC, etc. and we are successfully blocking it.”

This type of malware usually deletes its shortcut from the Android main menu, so that it appears not to be installed. You can find it by going to Settings and then Applications, and safely uninstall it from there.
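The two traits named above, the “draw over other apps” permission request and the missing entry in the app menu, are what an analyst looks for first when triaging a suspicious APK. The script below is an added example, not Avira’s code: it parses an AndroidManifest.xml (assumed to have been extracted with a tool such as apktool) and reports whether the app asks for android.permission.SYSTEM_ALERT_WINDOW, the permission behind “draw over other apps”, and whether it declares any visible launcher activity. The manifests are constructed for illustration, with “Temple Run 3” borrowed from the fake names in the post. One caveat: the post says the shortcut is removed after installation, which a static manifest check cannot see; the launcher check only catches apps that never declare a visible entry point in the first place.

```python
"""Static triage of an Android manifest for the Clicker traits named in the post.

Added example, not Avira's code. The manifests below are constructed; the
package names and component names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"   # "draw over other apps"
MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def _name(element):
    """Read android:name, which ElementTree exposes under the namespace URI."""
    return element.get(f"{{{ANDROID_NS}}}name", "")


def triage_manifest(xml_text):
    """Summarise the permissions and entry points that matter for a clicker-style app."""
    root = ET.fromstring(xml_text)
    permissions = [_name(p) for p in root.findall("uses-permission")]
    launcher_activities = []
    for activity in root.iter("activity"):
        for intent_filter in activity.findall("intent-filter"):
            actions = {_name(a) for a in intent_filter.findall("action")}
            categories = {_name(c) for c in intent_filter.findall("category")}
            if MAIN_ACTION in actions and LAUNCHER_CATEGORY in categories:
                launcher_activities.append(_name(activity))
    services = [_name(s) for s in root.iter("service")]
    return {
        "package": root.get("package", ""),
        "permissions": permissions,
        "requests_draw_over_apps": OVERLAY_PERMISSION in permissions,
        "launcher_activities": launcher_activities,
        "background_services": services,
    }


def suspicion_notes(summary):
    """Turn the summary into reviewer notes; an empty list means nothing stood out."""
    notes = []
    if summary["requests_draw_over_apps"]:
        notes.append("asks to draw over other apps (a common Clicker trait)")
    if summary["background_services"] and not summary["launcher_activities"]:
        notes.append("runs background services but declares no visible launcher icon")
    return notes


# Constructed manifests: a counterfeit game that asks for the overlay permission
# and runs only a background service, and a plain wallpaper app that does neither.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.templerun3">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Temple Run 3">
    <service android:name=".AdService"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wallpapers">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        summary = triage_manifest(text)
        print(label, summary["package"], suspicion_notes(summary) or ["nothing stood out"])
```

The overlay permission is not proof of malice on its own (screen filters and chat heads use it legitimately), which is why the notes are phrased as leads for a reviewer rather than a verdict.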

To spot these fake apps, Avira advises Android users to check carefully the name of the publisher, the number of downloads and the number of positive reviews. The more comments an app has, the better. If you notice plenty of bad reviews for an app, that is a suspicious sign; please inform our Virus Lab team about it.


KeRanger ransomware is now a menace for your Mac too



Mac computers were attacked by KeRanger ransomware

As you know, ransomware is one of the fastest-growing types of cyber threats. It attacks by encrypting data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data. According to security experts, cyber criminals manage to get hundreds of millions of dollars a year from their victims, especially by targeting the Microsoft Windows operating system. Now it looks like they have just expanded their horizons.

Ryan Olson (Palo Alto Threat Intelligence Director) confirmed that the “KeRanger” malware, which appeared on March 4, was the first functioning ransomware attacking Apple’s Mac computers.

“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” said Olson in an interview for Reuters.

This time the attack vector was very specific, since an affected user had to download a specific program whose download website had been compromised.

How did it happen?

Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog article posted on Sunday afternoon.

When users downloaded version 2.90 of Transmission, which was released on Friday, their Macs were infected with the ransomware, the blog said.

Apple’s immediate intervention over the weekend

Apple had taken steps over the weekend to prevent further infections by revoking the digital certificate that enabled the rogue software to install on Macs. No other details have been provided yet.

Transmission also responded by removing the malicious version of its software from its website. On Sunday it released a version which, according to its website, automatically removes the ransomware from infected Macs. Transmission users were advised to install the new update, version 2.92, immediately if they suspected they might be infected.

How the ransomware acts after infecting your Mac

Palo Alto said on its blog that KeRanger is programmed to stay quiet for three days after infecting a computer, then connect to the attacker’s server and start encrypting files so they cannot be accessed.

Once the encryption is complete, KeRanger demands a ransom of 1 bitcoin, or about $400, the blog said.

Olson also mentioned that the victims whose machines were compromised but not cleaned up could start losing access to data on Monday, which is three days after the virus was loaded onto Transmission’s site.

Be safe under Avira’s umbrella right away

Our Free Antivirus for Mac is able to detect the new KeRanger ransomware on Apple computers. If you are already looking for solutions to protect your Mac against ransomware attacks.


To get infected, follow the directions – Avira Support



The directions come as a zipped text file along with the Trojan downloader, with the malware hiding on the recipient’s computer behind the standard icon for an Excel file. If the downloader does not open automatically or is stopped by the recipient’s antivirus software, the readme.txt gives detailed directions on how to execute the malware.

Here is a summary:

  • Just click to agree to everything: Double click on the extracted file. And from there, just click on “Agree” and then “Run”. For PCs with Windows 8 or the newer 10, click on “More Information” -> “Download anyway” at the standard SmartScreen warning.
  • Disable or turn off your antivirus or firewall: AVs and firewalls can block all files downloaded from the internet. If there are problems, add this file to the exceptions list and try again. Or, temporarily turn off the AV or firewall until the file has been downloaded.

“They really want to be sure that the user ‘properly’ gets infected,” pointed out Oscar Anduiza, malware analyst at Avira. “These directions are pretty much exactly 180 degrees off from what computer users should actually do.”


The readme.txt file is written in standard, if slightly irregular, German and does not appear to be a machine translation. This indicates that the text was written for the German mass market, but it is probably also being distributed in other languages such as English.


“This gives the cybercriminals a second chance at a successful installation, especially after the AV has blocked the initial attempt. This is an interesting social engineering trick, especially as the downloader and malware are not especially sophisticated,” added Anduiza.

If users click, they begin an “installation process” that starts with a pop-up for a suspicious root certificate. This official-looking certificate — apparently issued by COMODO — gives the issuers unlimited permission to make changes on the system, move freely past the firewall and circumvent the already installed AV.

The malware downloads a malicious file that is copied to three places on the computer. One of them is the Startup folder, ensuring that the malware is executed every time Windows starts.

c:\Users\All Users\
c:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif

As of March 3, the installed malware was a banking Trojan that steals credentials and financial information. However, the precise link or new variants can be added by the cybercriminals at short notice. The current banking Trojans are covered by Avira detections.


Locky ransomware is dead, long live Locky



The first wave of Locky has passed, but the ransomware is still being distributed globally and within the DACH region. While this secondary distribution seems to be smaller than the first wave, the financial success of this malware for its authors and distributors gives us some clues as to what features will likely be included in the NEXT rounds of malware. “Follow the money” was the key phrase in All the President’s Men, Robert Redford’s classic film on Watergate — and this very much applies to malware. These clues from Locky are a mix of technical, distribution, and operational features – and should be a warning for computer users and companies planning their defensive strategies.

1. Drive me baby – Locky encrypted all drives on computers and networks – even the unmapped drives and shares. This expanded reach for encryption is expected to be included in future ransomware variants.

Response: Have a solid backup plan in place, ideally with a cloud service, as these offer file versioning and rollbacks. For consumers, having a spare HDD/SSD for a local backup is fine – but only if the hard disk is disconnected after the backup is finished. This also protects the backup against damage from other dangers like lightning-caused electrical surges.

2. New money from old tricks – Locky went to work by directly using macros in Word documents – and also by tossing in a bit of social engineering to get document recipients to activate the macros. That is quite old school – but it worked and was profitable for the cybercriminals.

Response: While zero-day threats are sexy, don’t forget to do the basic protection against continuing vulnerabilities such as macro manipulation. Consider enabling only digitally signed Office macros and disabling the rest. For corporate networks, this can be done in a way where end users are not able to see this option.

3. What the FUD! – In the early moments of the Locky onslaught, security publications pointed out the low detection scores in VirusTotal by most antivirus companies. This is a valid – but incomplete – look at the situation. We consider Locky to be FUD-level malware (Fully Undetected Malware), which means that the malware files were “optimized” until no AV scanner detected them anymore. Cybercriminals are testing their malware samples against the publicly available detection in VirusTotal – or against private and internal testing systems that work in a similar way. The low detection scores have to be read with caution. Only some of the AV firms have cloud detection or other advanced detection methods in their products enabled on VirusTotal – sometimes, just as in poker, it is better not to show your full capabilities.

Response: Be skeptical about everything and always keep your eyes open.

4. Wisdom from the cloud – Avira detects Locky on several layers within its cloud detection and analysis. At the Auto Dump layer, Locky is being detected after layers of obfuscation have been removed. In the Night Vision machine learning layer, files are scored according to around 7,000 features, allowing us to catch malware in a very efficient way. In case that other detection layers catch the malware first, the Night Vision system will dynamically learn about the sample within a few minutes, and subsequently cover variants of this malware sample. In addition, the cloud analysis is out of reach for the cybercriminals.

Response: For complete protection, make sure that the cloud protection in your AV is fully activated. We feel this is so important that we’ve automatically included our consumer users in the APC (Avira Protection Cloud). Corporate clients must, for data protection reasons, sign off that they approve the EULA before stepping into the APC.


Ransomware “Tesla”: Are ransomware writers kidding us?



Most of us have probably seen e-mails like the one below in our inbox at one point or another:


This is basically the typical phishing email sent out by cybercriminals. They want to get the victim with “evil” social engineering: In order to succeed they try and make the user open the invoice using scare tactics like unpaid bills, invoices, lost packages, and so on. The icing on the cake is the attached copy of the “invoice” so it can be opened ASAP.

In comparison to the other phishing emails we received before, they don’t insert the original “Tesla” ransomware file anymore. Instead they put an obfuscated JavaScript file inside the archive. Cool! That makes them more flexible than ever before.


The obfuscation is a pretty good one from my point of view. It doesn’t allow anyone to understand what’s going on. But nothing is perfect … enough ;-). It may take several tries but you can decode the script. This easy decryption leads me to the conclusion that they have automated its creation. Well, it seems that even the world of the criminals is changing.

An interesting fact is that to deploy ransomware, no knowledge of any programming language is needed anymore: Everything is offered ready to go on the darknet for anyone who is willing to pay. You can read a cool article I wrote on this topic over here.


But let’s get back to the malicious script. It’s just a downloader: it contains the download source for the “Tesla” ransomware and the location where it will be stored on the system (e.g. %temp%), and it also takes care of running the binary after some “quality checks” such as on file size.

Interesting? I believe so, because the criminals have changed the way they ensure that the ransomware is downloaded to the victim’s computer. They now also have the possibility to use different URLs as sources. And, last but not least, it seems to be easier for them to deploy new scripts than to make adjustments to the binary itself when it comes to by-passing antivirus solutions in order to stay undetected. With more samples to choose from they have more possibilities to successfully infect your device.

You might be confused about the last sentence, but let me explain: Once we analyzed the Tesla ransomware file in more detail, it seemed like they didn’t invest any additional time in their “Tesla” ransomware files itself. The latest and newest binaries which we have received and analyzed are already covered by our detections from more than three years ago! That’s friggin’ old-school  🙂 !


Nope, that’s no joke. We’ve also seen that – after executing yet another script – instead of the Tesla ransomware binary, the latest Avira launcher is being downloaded. We know that they took our launcher and put it on their command-and-control server.


Please note: we NEVER collaborate with cybercriminals or force anything like this! Nor do we spread malware with our launcher! But we want to say thanks to everyone who promotes our product for a better protected world nonetheless! 🙂

In the end it shows us once again how strong our detection pattern is when it comes to daily threats. It’s funny to find “new” samples which we’ve already been detecting for more than 3 years. But anyway, don’t forget our Avira Protection Cloud: in combination with our main antivirus, it becomes a powerful tool and a much stronger protective shield! So, ENABLE the Avira Protection Cloud in our product – and live free.
