Category Archives: Avira

Pwn2Own: Nothing is safe

Chrome got both its stable and beta versions hacked in just two minutes. Google paid $75,000 for just one buffer overflow in Chrome which allows an attacker to bypass the sandbox.

Apple’s Safari was also hit: a use-after-free (UAF) vulnerability involving an uninitialized stack pointer in the browser was used to bypass the sandbox and gain code execution.

Internet Explorer 11 64-bit was taken out with a time-of-check to time-of-use (TOCTOU) vulnerability allowing for read/write privileges. The attacker evaded all the defensive mechanisms by using a sandbox escape through privileged JavaScript injection, all of which resulted in medium-integrity code execution.

Mozilla Firefox was hit with an out-of-bounds read/write vulnerability leading to medium-integrity code execution.

A team of researchers showed their skills against Flash by using a heap overflow remote code execution vulnerability and then leveraging a local privilege escalation in the Windows kernel through TrueType fonts, bypassing all defensive measures. They were awarded $60,000 for the Flash bug and a bonus of $25,000 for the SYSTEM escalation. Another researcher exploited Flash by using a use-after-free (UAF) remote code execution vulnerability together with a directory traversal vulnerability in the Flash broker for the sandbox escape.

Adobe Reader was exploited twice through a stack buffer overflow – once for an info leak and again for remote code execution. The researcher leveraged an integer overflow to exploit the broker, netting him a cool $60,000 USD. For the day, that brings his total payout to $90,000 USD.

The final numbers for Pwn2Own 2015 are quite impressive:

  • 5 bugs in the Windows operating system
  • 4 bugs in Internet Explorer 11
  • 3 bugs in Mozilla Firefox
  • 3 bugs in Adobe Reader
  • 3 bugs in Adobe Flash
  • 2 bugs in Apple Safari
  • 1 bug in Google Chrome

$557,500 USD in bounties paid out to researchers

As with every Pwn2Own, all vulnerabilities were disclosed to their respective vendors in the “Chamber of Disclosures,” and each vendor is working to fix these bugs through their own processes.

The post Pwn2Own: Nothing is safe appeared first on Avira Blog.

Secure your DNS to avoid losing business – Part 1

What is DNS and where is it used?

What many don’t realize is that there is much more behind DNS than just name-to-IP translation (a DNS lookup) and the reverse, IP-to-name translation (a reverse DNS lookup).

There are hidden services which are critical for the proper functioning of the Internet, like mail, FTP and the web, to name the most well-known. All these services are used every day by billions of people, devices and online services around the world without anyone giving them a thought. The only time people become aware of their existence is when they stop working. But before going into this, let’s briefly go through the most important of them: email and web.

Email

Mail transfer agents use DNS to find out where to deliver e-mail for a particular address. The domain-to-mail-exchanger mapping provided by MX (Mail eXchange) records is another example of how DNS works. The MX record names the entity (mail server) that can receive email for a domain. It is used by mail servers to exchange emails and typically points to a host under the domain, such as mx.domain.com. For example, if a user at domain1.com wants to send an email to a user at domain2.com, the two servers must communicate via their MX records (domain1.com connects to mx.domain2.com), negotiate and agree on certain parameters and then finally exchange the email message.

The first and most important thing that must happen is that the servers are able to contact each other. When trying to contact mx.domain2.com, the mail transfer agent running on domain1.com must first be able to resolve that name to an IP address (this mapping is the A record). If the DNS resolution for a domain doesn’t work at all (the name-to-IP address translation fails), then it is impossible for that domain to receive any emails.
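As an added example (not part of the Avira post), here is the MX-then-A lookup chain described above, run against a constructed in-memory zone table instead of live DNS; the domain names, hosts and addresses are invented. It goes one step beyond the text by ordering exchangers by MX preference and by handling a domain with no MX record at all (RFC 5321 then falls back to the domain’s own A record), and it shows the failure mode the paragraph warns about: an exchanger whose name cannot be resolved cannot receive mail.

```python
"""Simulated MX/A resolution over a constructed zone table (not Avira's code)."""


class DnsError(Exception):
    """Name cannot be resolved (stands in for NXDOMAIN / no data)."""


# Constructed zone data: name -> record type -> records.
ZONES = {
    "domain2.com":     {"MX": [(20, "mx2.domain2.com"), (10, "mx.domain2.com")]},
    "mx.domain2.com":  {"A": ["203.0.113.25"]},
    "mx2.domain2.com": {"A": ["203.0.113.26"]},
    # No MX record at all: mail goes to the domain's own A record (implicit MX).
    "domain3.com":     {"A": ["203.0.113.50"]},
    # MX points at a host that has no A record: nobody can deliver mail here.
    "domain4.com":     {"MX": [(10, "mx.domain4.com")]},
}


def lookup(name, rtype):
    """Return the records of type rtype for name, or raise DnsError."""
    records = ZONES.get(name.lower().rstrip("."), {}).get(rtype)
    if not records:
        raise DnsError("no %s record for %s" % (rtype, name))
    return records


def mail_hosts(domain):
    """Return [(exchanger, ip), ...] in the order an MTA would try them.

    Lowest MX preference first; exchangers whose A record is missing are
    skipped; if nothing remains, the domain cannot receive mail.
    """
    try:
        exchangers = sorted(lookup(domain, "MX"))
    except DnsError:
        exchangers = [(0, domain)]          # implicit MX rule
    hosts = []
    for _pref, host in exchangers:
        try:
            hosts.extend((host, ip) for ip in lookup(host, "A"))
        except DnsError:
            continue                         # unresolvable exchanger, try the next
    if not hosts:
        raise DnsError("no reachable mail exchanger for %s" % domain)
    return hosts


if __name__ == "__main__":
    for d in ("domain2.com", "domain3.com", "domain4.com"):
        try:
            print(d, "->", mail_hosts(d))
        except DnsError as e:
            print(d, "-> undeliverable:", e)
```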

WWW

Ever wondered why you almost always have to put “www.” in front of a domain to view its website? “www.” is actually a subdomain of the main domain; it was historically chosen as an acronym for “World Wide Web”, or simply put, the website of that domain. As with email, if the main domain can’t be resolved, you usually can’t reach the website anymore.

Other uses of DNS

There are also other uses of DNS which are even more hidden than the two mentioned above. The best example of a service built on top of DNS are the whitelists and blacklists used to filter good and bad domains, respectively. A service makes a specially crafted query to a certain domain and gets back an answer in the form of an IP address (that’s what DNS does, right?). Many services use 127.0.0.1 when the address is in the list and 127.0.0.2 when the address is not in the list.

Now you know exactly what DNS is used for and where. In our next part we will talk about what happens when DNS doesn’t work, so stay tuned!

The mysterious OpenSSL vulnerability has been patched

All users of OpenSSL 1.0.2 should upgrade immediately to version 1.0.2a. In the advisory published on their website the OpenSSL vulnerability is called “ClientHello sigalgs DoS (CVE-2015-0291)”. If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.

According to OpenSSL’s Security Policy, a “high severity issue” includes issues affecting common configurations which are also likely to be exploitable. Examples include a server DoS (like this one), a significant leak of server memory (Heartbleed), and remote code execution.

OpenSSL promises that such issues “will be kept private and will trigger a new release of all supported versions”. They will attempt to keep the time these issues are private to a minimum, but the goal would be “no longer than a month” where this is something that can be controlled, and significantly quicker if there is a significant risk or they are aware the issue is being exploited.

The OpenSSL vulnerability was reported on February 26th and the fix was released yesterday (March 19th), so well within that limit.

If that was no surprise, the advisory also comes with something everyone was expecting: the FREAK vulnerability, which was initially categorized as “low severity”, has been reclassified as “high severity”. It was initially classified as low because servers with RSA export cipher suite support were thought to be rare: a client was only vulnerable to a MITM attack against a server which supports an RSA export cipher suite. Recent studies have shown that support for RSA export cipher suites is far more common.

The patch comes also with fixes for a dozen or so vulnerabilities categorized as “moderate” and “low” severity.

Our recommendation is to update to version 1.0.2a immediately. Now that the vulnerability is public, it is to be expected that cybercriminals will try to exploit it.

Digital Certificates – How helpful are they?

Digital Certificates contain some or all of the following information (not all of these attributes have to be specified):

  • Program Name: Name of the software.
  • Publisher Link: Link to the software developer / company.
  • More Info Link: Additional link to a specified area.
  • Signer Serial Number: Contains the serial number of the signer (in hex).
  • Signer Issuer Name: Name of the signer who certified the software.
  • Signer Subject Name: Name of the company which created the software.
  • Timestamp Serial Number: Timestamp when the serial number was created (in hex).
  • Timestamp Issuer Name: Company name of the signer with the specific timestamp of certification.
  • Timestamp Subject Name: Company name of the signer with an additional timestamp.
  • Date: Date when the software was created.

This is what a certificate looks like in a debugger view:

[Image: the certificate fields as displayed in a debugger]

Below you can see the same certificate as before, but in the general MS Windows overview:

[Image: the same certificate in the Windows certificate dialog]

Things are changing though: since malware authors have found ways to steal or fake digital certificates, one can never be really sure whether a file with a valid certificate is legitimate or not.

Suspicion: How can I find out if a digital certificate is trustworthy?

  • First of all, the certificate should be valid and not expired. Anything else could be seen as suspicious, although not reliably so: an old tool might well have an expired but otherwise legitimate certificate.
  • Another very easy check is to compare whether the software which was, e.g., downloaded has the same name as declared in its signature. If that’s not the case, it is possible that the certificate was stolen or faked.
  • It is also always good to see if the certificate contains a countersignature. In some cases, a missing countersignature can be a sign of malware.
  • An additional quick web search often brings up more information about the reputation and trust level of a certificate issuer or their software.

It is also necessary to know whether a signature is still valid or has expired. This can add value to the classification, although when working with adware one often encounters perfectly valid signatures.

The other way around: Classifying files based on digital certificates

On the other hand, adware vendors also use certificates to make sure their files are recognizably theirs. We, as an antivirus company, can use this to our advantage: it enables us to classify files as suspected adware or other potentially unwanted applications in a very simple manner.

If it is known that a certain adware type is always certified by the same certificate issuer, we can classify this issuer as potentially adware-related. Any new, unknown file that is also signed by this issuer is then considered potentially adware-related as well. This works for all other prefixes too, like APPL, PUA etc.

Obviously, this way of classifying is not highly reliable on its own, but it gives us the opportunity to quickly find and easily filter certain sets of files for further analysis and for creating detections.
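Added example (not Avira’s code): the certificate sanity checks from the checklist above and the issuer-based classification just described, applied to constructed signature records. The issuer names, file names and dates are invented; a real pipeline would fill the records from the parsed Authenticode signature of each file.

```python
"""Certificate-based triage over constructed signature records (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed mapping of issuer names to detection prefixes (hypothetical issuer).
ADWARE_ISSUERS = {"Example Bundleware Ltd": "PUA/ExampleBundle"}


@dataclass
class SignedFile:
    filename: str
    program_name: str          # "Program Name" field of the signature; may be empty
    signer_issuer: str
    not_before: date
    not_after: date
    has_countersignature: bool


def review(f: SignedFile, today: date) -> List[str]:
    """Return the suspicion flags raised by the checklist (empty means nothing odd)."""
    flags = []
    # 1. validity period: expired or not-yet-valid certificates are suspicious
    if not (f.not_before <= today <= f.not_after):
        flags.append("certificate expired or not yet valid")
    # 2. the name declared in the signature should match the file we downloaded
    if f.program_name and f.program_name.lower() not in f.filename.lower():
        flags.append("program name does not match file name")
    # 3. a missing countersignature can be a sign of malware
    if not f.has_countersignature:
        flags.append("no countersignature")
    return flags


def classify(f: SignedFile) -> Optional[str]:
    """Issuer-based classification: a known adware-related issuer yields its prefix."""
    return ADWARE_ISSUERS.get(f.signer_issuer)


# Constructed sample records.
LEGIT = SignedFile("VideoTool-Setup.exe", "VideoTool", "Example Trusted CA",
                   date(2014, 1, 1), date(2016, 1, 1), True)
ODD = SignedFile("invoice_scan.exe", "PhotoViewer", "Example Bundleware Ltd",
                 date(2012, 1, 1), date(2013, 1, 1), False)

if __name__ == "__main__":
    for sample in (LEGIT, ODD):
        print(sample.filename, review(sample, date(2015, 3, 20)), classify(sample))
```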

Let’s take a look at an example:

[Image: the “Digital Digest Pty Ltd” certificate]

This is a valid certificate of a known adware vendor of the PUA/InstallCore family. Starting here, we can gather that most of the files which have “Digital Digest Pty Ltd” as the certificate issuer are part of the same adware family. A simple Google search confirms that said issuer is at least somewhat suspicious.

Several departments within the Avira Protection Lab (e.g. the engine team and protection QA) act as additional sources for suspicious certificate names. Anyone who processes a lot of files and sees any similarities in the certificates is providing the virus lab with the information needed to make a classification. This cross-department communication has proven very useful in the past and has led to many synergy effects.

Back on topic, the same vendor can use different names for its signatures, as shown here:

[Image: several signatures from the same vendor under different names]

Conclusion

Certificates are very powerful as an analysis instrument. They cannot and will not replace conventional detection creation though; being simple ASCII text, they are not 100% reliable. But as a quick and easy addition they serve their purpose well.

OpenSSL: Patch for secret “high severity” vulnerability

Indeed, in order to avoid being in the news again, the OpenSSL Foundation is set to release several patches for OpenSSL later this week, fixing undisclosed security vulnerabilities, including one that has been rated “high” severity.

Matt Caswell of the OpenSSL Project Team announced that OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf will be released Thursday.

“These releases will be made available on 19th March,” Caswell wrote. “They will fix a number of security defects. The highest severity defect fixed by these releases is classified as “high” severity.”

OpenSSL has been hit hard and the trust in it and in open source in general has been severely shaken in the last 12 months.

Last year in April, Heartbleed (CVE-2014-0160) was discovered in older, but still widely used, versions of OpenSSL. It allowed attackers to read the sensitive contents of users’ encrypted data, such as financial transactions and instant messages, and even to steal SSL keys from Internet servers or client software running the affected versions of OpenSSL.

Two months later, in June of the same year, a Man-in-the-Middle (MITM) vulnerability (CVE-2014-0224) was discovered and fixed. The vulnerability wasn’t quite as severe as the Heartbleed flaw, but serious enough to decrypt, read or manipulate the encrypted data.

In October last year, POODLE (CVE-2014-3566) (Padding Oracle On Downgraded Legacy Encryption) was discovered in the obsolete Secure Sockets Layer (SSL) v3.0 that could allow an attacker to decrypt contents of encrypted connections to websites. When exploited, it allows an attacker to perform a man-in-the-middle attack in order to decrypt HTTP cookies. The POODLE attack can force a connection to “fallback” to SSL 3.0, where it is then possible to steal cookies, which are meant to store personal data, website preferences or even passwords.

Just weeks ago, the latest vulnerability, FREAK (CVE-2015-0204) (Factoring Attack on RSA-EXPORT Keys), was discovered in the SSL protocol; it allowed an attacker to force SSL clients, including OpenSSL, to downgrade to weakened ciphers that can be easily broken. Needless to say, such weak encryption could allow them to eavesdrop on encrypted connections by conducting man-in-the-middle attacks. This time, pretty much every big software vendor was affected: Apple, with its MacOS, iPhone and iPad, Google with Android and Chrome and, last but not least, Microsoft with all versions of Windows.

Due to its widespread use, OpenSSL is considered an important software project and is ranked first under the Linux Foundation’s Core Infrastructure Initiative. Because of its complexity, high usage and lack of in-depth security reviews, companies like Google, Facebook and Cisco are heavily sponsoring this project in order to avoid being again affected by long forgotten bugs.

Well, for OpenSSL it seems that this is starting to pay off.

Avira In Free Security Package By Deutsche Telekom

At CeBIT in Hanover, T-Systems CEO Reinhard Clemens said: “Customers are often unsure when it comes to security software. Since the Snowden revelations, they are also anxious and asking for a ‘made in Germany’ protection solution. Deutsche Telekom wants to make it easy for as many people as possible to secure their smartphones and computers. That is why we are expanding our existing offering to include an easy-to-install package version from Germany.”

Our very own Avira Antivirus will take care of the security part of said package and protect your Windows PCs and Macs, smartphones and tablets with the iOS and Android operating systems, and servers and networks against malware, using an integrated real-time scanner. Thanks to its cloud-based scanning Avira Antivirus achieves unparalleled security and lightning fast performance. Of course it also reliably scans your downloads, folders, and hard disks.

“Avira Browser Safety” will be included in the package as well. The browser extension protects personal information when surfing the internet and blocks malicious websites as well as tracking by advertising networks, so that they can no longer track what a user is searching for or purchasing online.

The free offering is available to download with the market launch in the second quarter this year at www.telekom.de/schutzpaket. A premium version of the offering with additional functions is planned.

Regin: Is Government Malware Stoppable After All?

What is Regin?

According to Virus Bulletin, we are looking at a multi-staged threat (like Stuxnet) that uses a modular approach (like Flame), a combination that makes it one of the most advanced threats ever detected. Research shows that Regin has been used in espionage campaigns for the last 6 years. This sophisticated backdoor Trojan affects Microsoft Windows NT, 2000, XP, Vista, and 7 and is able to take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization.

Regin mainly affects companies, research institutes, governmental organizations, and individuals who have access to networks of special interest. This is why Avira has worked together with the German Federal Office for Information Security (BSI) to add new Regin detection routines to the widely implemented and proven tool Avira PC Cleaner.

How can the Avira PC Cleaner help me?

The tool can now detect the identifiable elements of Regin and remove them from the infected system. “PC Cleaner came about as a result of the German anti-botnet ‘botfrei.de’ initiative which is backed by the BSI. The software was also further developed with the support and know-how of the BSI. Users now have an easy-to-use tool available to them which can track down Regin malware”, explains Dr. Dirk Häger, head of operational network defense at the BSI. If PC Cleaner detects Regin, the affected system can be cleansed and the relevant files quarantined. Even after a successful system cleanup, it is worthwhile running further scans to make absolutely sure that Regin has not infiltrated other areas of the network. This also makes PC Cleaner an early warning tool. If Regin is detected, affected organizations should definitely think about taking further steps to protect their IT infrastructure.

The really unique feature about Avira PC Cleaner is that it doesn’t need to be installed. This means there are no conflicts with other vendors’ antivirus solutions installed on the computer. As such, PC Cleaner gives users the chance to get a second opinion. This is why it is also called a 2nd opinion scanner, although it isn’t a replacement for a fully-fledged antivirus solution. As a result, PC Cleaner is ideal for detecting Regin and for checking the computer for any other malicious software. It is based on the proven malware detection capabilities of Avira antivirus solutions of which there are millions of installs.

“Ze Foreign Accent” spam is back

One of the methods listed in “The Spammer Compendium” is called “Ze Foreign Accent” spam, or (BWO!Accent!Plain).

The main characteristic of this method is the use of special characters called “accents”. They make no sense in English, but they exist in other languages like French, German, Romanian, and others.

"Ze Foreign Accent" spam: This is not a dating offer!

We haven’t seen this kind of spam in the wild for many years now because it was very easy to detect (due to the heavy usage of special characters). So you can imagine our surprise to see this technique pop up again in a spam message.
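The “easy to detect” part above, as an added example that is not from the Avira post: a filter that measures the share of accented letters in a message. The sample texts are constructed (the spam line imitates the subject quoted later in the post), and the threshold is an assumed value to be tuned on real mail.

```python
"""Accent-ratio filter for "Ze Foreign Accent" spam (added example, not Avira's).

English text rarely uses letters with diacritics, so a high share of accented
letters is the tell.  The text is decomposed with NFD so that a precomposed
letter (é) and a base letter followed by a combining mark (e + U+0301) are
counted the same way.
"""
import unicodedata


def accent_ratio(text):
    """Fraction of letters that carry at least one combining diacritic."""
    letters = accented = 0
    base_is_letter = False   # previous base char was a letter not yet counted as accented
    for ch in unicodedata.normalize("NFD", text):
        if unicodedata.combining(ch):
            if base_is_letter:
                accented += 1
                base_is_letter = False   # count each letter at most once
        else:
            base_is_letter = ch.isalpha()
            if base_is_letter:
                letters += 1
    return accented / letters if letters else 0.0


def looks_like_accent_spam(text, threshold=0.15):
    """Flag text whose accented-letter share reaches the (assumed) threshold."""
    return accent_ratio(text) >= threshold


# Constructed samples.
NORMAL = "Hi Anna, your report for Thursday is attached. Regards, Tom"
SPAM = "Mrs. Amalee Crigger LÍKÊD yóu ànd lëft a nèw MÊSSÀGE fór yóu"

if __name__ == "__main__":
    for sample in (NORMAL, SPAM):
        print("%.2f %s %s" % (accent_ratio(sample), looks_like_accent_spam(sample), sample))
```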

What makes “Ze Foreign Accent” spam so special?

This spam is special because it combines various methods described in “The Spammer Compendium”:

"Ze Foreign Accent" spam: A spam negative

The first two techniques are immediately visible once the body of the email is selected (see picture).

Additionally, the spam addresses the recipient of the email by the full name taken from the “From” field. The subject of the email is “Re: Mrs. Amalee Crigger LIKED <full name> and left a new MESSAGE for <full name>”. This is easy to implement, of course, but it requires more information and CPU power in order to create the dedicated message.

What should you do?

We said it back then, we keep saying it now: never click on links in spam messages. You never know what hides behind that URL: malware, phishing, identity theft, scams, etc.

If your spam filter didn’t catch the spam and you see something that looks rather strange, just like “Ze Foreign Accent” spam, erase it.

Storing passwords

[Image: a key and a door with a lock]

Passwords may look to you like doors and keys: they just have to match…

[Image: a list of names]

…but a system (website, network…) has to store the passwords of many users!

[Image: a closed treasure chest]

If a system stores all the users’ passwords in their original form, like a secret in a chest,

[Image: a password list in front of an opened chest]

…then once the chest is opened, all passwords are instantly known!

The weakness:

[Image: a security risk warning]

So you probably guess that there is a huge potential security risk,

[Image: an email showing an actual password]

and when you receive an e-mail mentioning your actual password… then it means that the system actually knows your original password!

So, in a single attack, someone could just open the chest, and instantly get the password of every user.

This means only one thing for the security of such a system:

[Image: fatality]

The solution:

So, you want to check if an entered password is correct, yet you need to store many passwords without leaking them.

There’s one answer:

Maths FTW!!

Instead of storing passwords, you store a key that is derived from the password. This makes it possible to authenticate the user without actually storing the password:

  1. take the entered password
  2. calculate the key
  3. compare with the key generated with the original password

For example, a bcrypt-derived key of “password” is “$2a$10$3BY0wQ3rgzBf6VlG0YFLoekcGrrHKYdSUdSSrN37TqClNg7Oouzey”.

It’s much longer, and in practice it’s very difficult to determine the original password it was derived from.

Why not just use any complex hash function to derive the keys?

Because dedicated key derivation functions are specifically designed to prevent an attacker from generating, in advance, a list of keys for all common passwords, or worse, a well-organised lookup table.
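The store-a-key-then-recompute flow from the three steps above, as an added example that is not from the Avira post. The post shows a bcrypt key; bcrypt is not in Python’s standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in here (the iteration count is an assumed demo value), and the same principle applies: a random per-user salt plus a deliberately slow derivation, so no table of keys for common passwords can be computed once and reused.

```python
"""Storing derived keys instead of passwords (added example, not from the post)."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000       # assumed demo value, kept low for speed; raise it in production


def derive(password, salt, iterations):
    """Slow, salted derivation of a 32-byte key from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store(password, salt=None):
    """Return the record to keep in the user table: algorithm$iterations$salt$key.

    The password itself is never written anywhere; a fresh random salt makes two
    users with the same password get different records.
    """
    salt = os.urandom(16) if salt is None else salt
    key = derive(password, salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def verify(password, record):
    """Step 1-3 of the post: take the entered password, derive its key, compare.

    The comparison is constant-time so that timing does not leak how many
    bytes of the key matched.
    """
    algorithm, iterations, salt_b64, key_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported record: " + algorithm)
    key = derive(password, base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(key, base64.b64decode(key_b64))


if __name__ == "__main__":
    record = store("password")
    print(record)
    print(verify("password", record), verify("Password", record))
```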

Conclusion

[Image: not passwords, but keys]

To prevent the risk of an instant and complete leak, one should never store passwords, but only derived keys, generated via dedicated algorithms.

key = math(password)

These keys are mathematically derived from the entered passwords.

[Image: no password list]

That way, you have a really strong authentication system without a vulnerable list of passwords.

For a multi-user system, storing passwords is a big risk!

In a future blog post, we will show how this influences Windows security…
