Category Archives: Avira

3 social media dangers to avoid

Included below are three different social media dangers that can become a problem from time to time.

Fake Influence – That Twitter account with tens of thousands of followers must be legitimate and interesting, right? Not always. While follower counts can sometimes indicate influence, they’re not a perfect measuring stick. Scammers or companies trying to promote their products in deceptive ways can create fake accounts and then buy followers in a way that’s just about as easy as buying something from Amazon. Try to look beyond the follower count to see if someone or something is really worth following. For example, who follows them, and what are they posting about? Also, how long has the account been active?

Trolling – An online troll can basically be described as someone who’s trying to cause problems online. This can sometimes just prove to be an inconvenience, but in many cases, the activity crosses over into harassment that can be very hurtful. We’ve all seen comments on social media that demonstrate this behavior. Many times they come from people who are deliberately trying to hide their real identity. It can be tempting to respond to these posts, but there’s a saying that says that you shouldn’t feed the trolls, which means that you shouldn’t fall into their trap by responding because it only gives them more to work with.

Catfishing – This refers to the practice of creating a fake identity online in order to trick someone into a romantic relationship. People who do this could be seeking revenge, they might have no self-confidence, or they might just enjoy the entertainment value of it. Either way, if you’re starting to form a romantic relationship online, it’s important to get proof that the person you’re talking to is actually who they say they are.

Those are just three of the problems that can be lurking on social media, but if you know what to watch out for, then you can have a better experience with social media.

The post 3 social media dangers to avoid appeared first on Avira Blog.

Internationalization and the Internet

The Internet is a child of the United States of America, so it does not come as a surprise that only Latin letters and some scientific characters were used when the systems and the software (then called ARPANET) were designed. In today’s world, where roughly half the global population, with its many different letters and alphabets, uses the Internet, things look different.

The Need for Internationalization

You might have seen a so-called IDN before. IDN stands for internationalized domain name, and all it boils down to is a web address with special characters. This can be of great help for Internet users who live in regions where the primary alphabet in use is not Latin-based or is extended with special characters. Take Swedish for instance: the letters ä, ö and å augment the standard Latin alphabet. Without support for IDNs, you would have to agree on a different (Latin) character for domains – like a or aa instead of å. Instead of visiting the website of your favorite Swedish bakery at www.pågen.se, you would have to go to www.pagen.se. This is fine until another company with the name Pagen appears and wants to claim that domain name; it becomes confusing for visitors very quickly.

Wait…IDN what?

The Domain Name Service (short: DNS), which is used to translate a web address into something the computer understands, only accepts plain ASCII letters, digits and hyphens. To make internationalized domains work, a system called punycode is used. A complete explanation of the algorithm is well out of scope for this article, but here is a short one. Whenever you enter an address like pågen.se, punycode prepends xn--, skips all non-ASCII characters of the domain (å) and appends a dash to the remaining characters (pgen). So far, the result is xn--pgen-. Now, some black magic (finite state machines and generalized variable-length integers) is used to encode the position and the identity of the skipped characters. In the end, the result looks like xn--pgen-qoa.se. This is the domain that your browser will actually access. You, as a user, will not notice any difference, as this is done transparently by your browser. Arguably the first internationalized domain (rather a subdomain in this case) was http://räksmörgås.josefsson.org.

How it affects you?

There are alphabets which contain letters similar to the ones in other alphabets. Take the Cyrillic script for instance: the Cyrillic letter а resembles the Latin character a. In a so-called IDN homograph attack, a cyber-criminal uses exactly this resemblance to mimic trusted websites. Imagine the domain in the following pictures.

Internationalized version of a domain. The first a is Cyrillic, not Latin

From the looks of it, it is paypal.com. You would almost have to be psychic to note that the first a is a Cyrillic letter. Now the attacker only needs to design a page that looks exactly like PayPal’s and send the login credentials to his or her email address – Mission accomplished.

If the domain is considered suspicious, modern browsers will show the punycoded variant

Not all is lost

Fortunately, it is not that simple to deceive unsuspecting users anymore. Modern browsers indicate that you are browsing an internationalized website, as the image below shows.

Internationalization feature of Internet Explorer: shows a small icon in the address bar

In contrast to typosquatted URLs, where you might be able to spot a phishy URL by looking at it twice, IDNs can pose a real problem. You have to rely even more on strong web protection. It shows that common sense does not protect you from everything on the Internet and that it is crucial to have an up-to-date antimalware solution on all your devices.
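To make the punycode and homograph points concrete, here is a small added example (it is not code from this post or from Avira). It uses Python’s built-in idna codec to produce the xn-- form of pågen.se from the post and to decode it again, and then applies the check a browser or web filter can make before trusting a name: a single label that mixes letters from more than one script (Latin and Cyrillic, say) is the warning sign of a homograph. The Cyrillic-а look-alike domain is constructed for the demo; the Swedish bakery domain is the one the post uses.

```python
"""Punycode round trip and a mixed-script check for IDN labels.

Added example for this post; it is not Avira's code. 'pågen.se' comes from
the post; the Cyrillic-'а' look-alike domain is constructed for the demo.
"""
import unicodedata


def to_ace(domain: str) -> str:
    """The ASCII-compatible (xn--) form the browser actually sends to DNS."""
    return domain.encode("idna").decode("ascii")


def from_ace(domain: str) -> str:
    """Decode xn-- labels back to Unicode; plain ASCII labels pass through."""
    return domain.encode("ascii").decode("idna")


def scripts_in_label(label: str) -> set:
    """Scripts (LATIN, CYRILLIC, ...) of the letters in one label.

    unicodedata names begin with the script, e.g. 'CYRILLIC SMALL LETTER A',
    and 'å' is 'LATIN SMALL LETTER A WITH RING ABOVE', so Swedish stays Latin.
    """
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def mixed_script_labels(domain: str) -> list:
    """Labels that mix letters from several scripts: the homograph warning sign.

    Accepts either the Unicode or the xn-- spelling of the domain.
    """
    unicode_form = from_ace(to_ace(domain))
    return [label for label in unicode_form.split(".")
            if len(scripts_in_label(label)) > 1]


if __name__ == "__main__":
    # Constructed demo input: the post's bakery, the real brand, and a look-alike
    # whose first 'a' is U+0430 (Cyrillic).
    for name in ("pågen.se", "paypal.com", "p\u0430ypal.com"):
        ace = to_ace(name)
        print(f"{name!r:20} -> {ace:22} mixed scripts: {mixed_script_labels(ace)}")
```

The mixed-script rule is deliberately simple: it lets a purely Cyrillic or purely Swedish label through, so it does not get in the way of legitimate IDNs, and only flags the case the homograph attack depends on, a Latin-looking label with a foreign letter smuggled in.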

Recommended Reading & Resources

Internationalized Domain Name
Punycode
Internet Usage Statistics
Internet
Homograph Attack
DNS

The post Internationalization and the Internet appeared first on Avira Blog.

2015 Resolutions: The Nerd’s List

We like nerds. We love nerds. We are nerds. And, as any respectable nerd would do, we have already thought about our 2015 resolutions. Check out what some of the coolest Avira nerds have planned for next year. It will give you a good hint of our guilty little pleasures.

Our gamers, in particular, have big plans…

  1. Avoiding Steam sales: No Steam, you won’t get my money this year!
  2. Play more indie games.
  3. Don’t flame and troll. Ok ok. Flame and troll less. At least a bit.
  4. Don’t buy games immediately after they are released, especially if you already know in advance that it will just be a paid beta test.
  5. Buy an Oculus Rift. Come on, I know you want it too.

...what about their other passions?

  1. Get Android Auto as soon as it’s launched: steering wheel controls and smartphone connected to access music, contacts, and messages while you keep your eyes on the road? Can’t wait to be driven by Android!
  2. Operate Full Home automation with Raspberry Pi: wireless sensors, OCR, connect front door camera to smartphone… it already feels like home.
  3. Convince my friends that the perfect birthday gift would be a mini tablet with retina display for kick-ass resolution
  4. Get into machine learning and data mining (who owns big data is ready to rule the world – to be followed by an evil laughter when read aloud)
  5. Get back into manga drawing and super edit my makeup photos with the help of this beauty (you didn’t see this one coming, did you?)

Special thanks to my colleagues who accepted the challenge of going public with their nerdiest 2015 resolutions: Nicole, Daniela, Cornel, Eliza, Ovidiu, Calin, Bogdan… you just made it to the Nerd Hall of Fame!

If you also have “nerdy” wishes on your Resolutions list, please share them with us in the comments section below.

Happy New Year from the whole Avira team!

The post 2015 Resolutions: The Nerd’s List appeared first on Avira Blog.

On Neuroscience and Phishing Attacks

All kinds of fun facts bounce around the internet. You might have seen the one about contextual reading: It deson’t mttaer in waht oredr the ltteers in a wrod aepapr, you can sitll raed it wouthit pobelrm. See how this neuro-scientific peculiarity helps phishing criminals earn lots of money and what simple things you can do to protect yourself.

Why are URLs so important?

As I work in the URL detection team of Avira’s Protection Labs, you might not be surprised to hear me say that URLs are a very important part of our daily lives. In ancient times, ten or fifteen years ago that is, data was shared through floppy disks, which were still in heavy use back then. (You know, the legacy industrial equipment that looks like the ‘Save’ button in your applications.) Times have changed and so has the industry. In today’s world, files are distributed over the Internet. File hosting services like Dropbox and OneDrive flourish like never before. The Internet actually consists of many subsystems like email, file sharing and the World Wide Web. Also known as just the Web, the latter represents what you usually do in your browser: click on links, enter URLs in the browser bar, search the web; those are all examples of how you use URLs to access the Web.

What is a domain?

Avira’s domain entered in a web browser

Domains exist because they are easier to remember than IP addresses (which domains point to). They operate pretty much like a phone book. You do not remember the phone number of a person to call, you look them up in the phone book. This establishes the connection between person and callable number. While you still have to enter the number yourself on the phone, your browser will take that burden off of you. So, when you enter www.wikipedia.org in your browser, it will look up and redirect you to the proper IP address of the web server that hosts the site. If you enter www.wikkepedia.org, you will not be redirected to the site you intended to visit but rather receive a browser warning, stating that the website does not exist – just like the well-known “The person you’ve called is temporarily not available” message you hear on the phone when you dial the wrong number.

Some typos are intentional

“Where does the neuroscience bit come into play?”, you might ask. Cyber criminals can register such a misspelled domain and host advertisements on it. Once you accidentally enter the wrong URL, you are redirected to this so-called typosquatted domain and have thus viewed the ads, which in turn generates money for the advertiser. Check out my other article about online advertisements for further information. The important thing to remember is that this is possible not because of careless surfing: it works because the human brain reads in contextual chunks, so a misspelling like wikkepedia simply does not register.

Some just want to make a few bucks by registering a misspelled domain in order to sell it back to the brand owner. One could register www.citybank.com and sell it to www.citibank.com, as this is a common misspelling.
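The same contextual-reading effect that lets a typo slip past a human is easy for a program to catch, because a typosquatted name is by definition only one or two edits away from the brand it imitates. The following added example (not code from this post or from Avira) computes the edit distance between the registrable label of a domain and a constructed watch-list of brands, and flags names that are close but not identical. The two misspellings, wikkepedia and citybank, are the ones the post mentions; the brand list and the cut-off of two edits are assumptions for the demo.

```python
"""Flag domains within a small edit distance of a known brand.

Added example, not code from the post or from Avira. The brand list and the
sample domains are constructed; the two misspellings come from the post.
"""

BRANDS = ["wikipedia", "citibank", "avira"]  # constructed watch-list


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """The label the brand lives in; simplified to 'second label from the right'.

    Two-level public suffixes such as co.uk are not handled in this demo.
    """
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def closest_brand(label: str, brands=BRANDS):
    """(brand, distance) for the brand nearest to the label."""
    return min(((b, levenshtein(label, b)) for b in brands), key=lambda t: t[1])


def typosquat_of(domain: str, brands=BRANDS, max_distance: int = 2):
    """The brand a domain appears to imitate, or None.

    Distance 0 is the brand's own domain; anything beyond max_distance is
    treated as unrelated rather than as a lookalike.
    """
    brand, dist = closest_brand(registrable_label(domain), brands)
    return brand if 0 < dist <= max_distance else None


if __name__ == "__main__":
    # Constructed sample: one legitimate domain and two typos from the post.
    for name in ("www.wikipedia.org", "www.wikkepedia.org", "www.citybank.com"):
        print(f"{name:22} -> {typosquat_of(name)}")
```

In practice a filter like this runs on the domains a user is about to visit (or on newly registered domains pulled from zone feeds) and raises the threshold for long brand names, since a longer string tolerates more accidental edits before it stops resembling the original.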

From Malware to Phishing

Landing page of misspelled Wikipedia URL

Other unfair practices include redirection to potentially unwanted applications (abbreviated PUA). Your browser will typically show a warning about the state of your computer – telling you it might be infected, your drivers might be out of date or that you have won a million dollars. To give you a practical example: I found this software recommending driver updates for my computer while going through misspelled Wikipedia links (I omit the direct URL for obvious reasons). A click on “Installieren” (region-specific, as I am browsing from Germany), tries to install the software that I do not actually intend to have on my PC. Fortunately, I am one of the lucky people having Avira security products installed. The Web Protection kicks in and saves me from accidentally installing PUA on my PC.

What to do about it?

Avira detects potentially unwanted applications (PUA)

No antimalware solution will ever give you 100% security; what it provides lies somewhere between basic and enhanced detection of malicious software on your PC. Nowadays, those programs also include effective web protection such as cloud-based scanning of URLs. Avira offers both traditional antimalware solutions and an unobtrusive browser plugin to protect you against most of it. However, you should never rely solely on software to protect you. It helps a lot to know about the risks. You just might look twice the next time. ;)

Resources and recommended reading

Breaking the Code: Why Yuor Barin Can Raed Tihs
Typosquatting
We knew the web was big…
How Big Is The Internet?
TypoSquatting – Malicious Domains Malware Domains

The post On Neuroscience and Phishing Attacks appeared first on Avira Blog.

How to Prevent Holiday Shopping Hacks

As the holiday season approaches, many of us do more of our shopping online. But if 2014 taught us anything, it is that online criminals have figured out that hacking into the IT systems of retail stores is an easy way to make money. This year no fewer than a dozen major retail stores had customer data stolen or their POS systems (point-of-sale systems, i.e. their electronic cash registers) compromised in order to steal customer credit card numbers.

You’ll recognize most of these retailer brands whose customer databases have been breached this year:

  • Home Depot (56,000,000 customer records stolen)
  • Target (40,000,000 records stolen)
  • Michaels Art Supplies (2,600,000 records stolen)
  • Neiman-Marcus (1,100,000 records stolen)
  • Goodwill Stores (868,000 records stolen)
  • UPS Stores (105,000 records stolen)
  • K-Mart (unknown; investigation continues)

In addition, several major retailers have had their POS systems hacked:

  • Dairy Queen (400 stores hacked)
  • Jimmy Johns (200 stores hacked)
  • SuperValu (180 stores hacked)
  • F. Chang’s (33 stores hacked)
  • Staples (unknown; investigation continues)

The burden of security ultimately rests on your shoulders. So here are five simple things you can do to protect yourself from holiday shopping hacks:

1. Shop at trusted online retailers

Search engines will lead you to that perfect present no matter where it is, but if you’ve never seen or heard of the retailer before then think twice before entering your credit card and all your personal information.

2. Don’t shop from the free café Wi-Fi

Public, unsecured Wi-Fi access points can be very easily tampered with; the person sitting next to you could be sniffing and recording every transmission, using simple algorithms to identify credit card numbers and ID information. Use a secured Wi-Fi and/or a VPN for your shopping. Consider also using a dedicated e-mail address just for shopping.

3. Use a credit card instead of a debit card

Credit card companies usually have policies in place to protect users from fraud and limit your personal liability. In addition, many credit card companies offer extended warranties and return policies during holiday shopping season.

4. Be careful where you click

Retailers ramp up their e-mail marketing during the holiday season, but e-mails can be easily spoofed by hackers. Instead of automatically following the URL link from an e-mail offer, consider going directly to the retail vendor’s website and then looking for the product you want. Also be aware of phony emails from UPS and other shippers claiming that “your package could not be delivered.” Often these e-mails contain attachments that install spyware and keyloggers.

5. Patch your computer before you go shopping

If you haven’t got around to installing that software patch or antivirus security update, now might be a good time to do it. Most hacks prey on the short window of time between when a vulnerability is discovered and when the software vendors patch the hole. If you are not installing the patch, then the hole is still wide open on your computer and you are just asking for trouble.

If you are worried that your personal identity might have been exposed in a recent data breach or hack, you can use Avira’s free Identity Safeguard tool to check: it is included free in both Avira Mobile Security for iOS and Avira Antivirus Security for Android.

Shopping online is actually safer now than it has ever been before, so just take a few precautions and enjoy the holidays!

The post How to Prevent Holiday Shopping Hacks appeared first on Avira Blog.

3 Tips for Geeks to Save Their Holidays

If you’re a geek, like most people, you’ll probably visit your family for Christmas.
Like most people, you probably want to enjoy nice holidays with relatives and friends.
Unlike most people, you’ll probably have to face (many) tricky infosec-related questions during this period. So here are a few tips for geeks on that topic.

Heartbleed

  1. you want to unlock your phone, so you concentrate, and think about your PIN
  2. someone near you shouts “tell me what you think, chicken”
  3. you answer honestly (because you’re vulnerable to this particular word, like Marty McFly)
  4. you just leaked your secret PIN :(

To be exact, Heartbleed is not about a PIN, it’s about an encryption key, but they both grant access if you know them.

It’s not about a phone, it’s about a widely used security library called OpenSSL – and in particular the “Heartbeat” extension of OpenSSL (hence the name Heartbleed).
It’s a bit more complicated than just shouting ‘chicken’, but it’s not too complicated either :(

And Heartbleed, like the analogy, is about ‘attacking’ at the right moment: you’ll just get whatever is in the target’s mind at the moment of the attack: “buy bread & milk”, or what’s on TV tonight… or an access PIN.

Goto fail

Here is a dialog between you and your grandma:

  • You: “Grandma, you’ll guard that door. Follow exactly the instructions I’ll tell you now.”
  • Grandma: “OK”
  • Y: “The door should be closed”
  • G: “OK”
  • Y: “if it’s grandpa, leave the door open”
  • G: “OK”

But then, your child comes behind you, and just repeats the last part of your sentence, imitating your voice.

  • child: “leave the door open”
  • G: “OK”

Now the door is permanently open. Just because a statement was accidentally repeated, out of its original context.

Consequences

It is as simple as that: because a conditional piece of code was, by mistake, executed in all cases, one of the security doors of Apple’s operating system was always open. If you knew which door to go to, you could bypass the whole security check and enter without any problem.

Shellshock

Your grandpa speaks an old forgotten dialect.
You only know one sentence in this language.
Because you learned it so long ago that you can’t clearly remember, you just think it’s a common greeting.
But it actually means “do this now”.
And your grandpa – a fragile person due to his age – would actually blindly do anything you ask him.
So far, no one noticed because no one gave an order to your grandpa in his dialect.

Yet he was vulnerable all the time (or at least, for the past 25 years). He’d just do anything if asked the right way.
Sadly, it turned out that a lot of people would actually also do the same.
It wasn’t a mistake, just some old dialect that very few people consciously understood.

Conclusion

Of course, there were many more than three major events this year, but these might be enough to convince your audience and save your holidays :)

I hope this will help to face your relatives & friends’ questions without boring them.

May you enjoy nice holidays – Merry Christmas / happy solstice!

The post 3 Tips for Geeks to Save Their Holidays appeared first on Avira Blog.

The global hacking problem

If you just thought about countries that regularly seem to be in the news about hacking, then you might name China or Russia, and those wouldn’t be bad answers. After all, a lot of hacking activity does originate in those countries, and depending on which statistics you look at, either one of them could be the correct answer. But before we’re quick to jump to conclusions about the regions where hacking activity takes place, it’s important to realize that it’s not always so obvious.

An article published by Bloomberg detailed the author’s experiment with setting up a honeypot to try to entice hackers to make their moves on a fake industrial-control computer. Which country was the source of most of the attacks? Russia was in third place, China was in second place, and believe it or not, the United States was in first place. In fact, the United States housed almost twice as many attacks as China.

This may seem surprising, and it is in certain respects, but as many of you know, by using bots and proxies, hackers can make it look like the activity is coming from a certain place even though it’s not. Even when you account for the impact that might have on the numbers, this experiment still shows that hacking is becoming more of a global problem all the time.

In the case of the United States, whether the hacking attempts came from there or the hackers just wanted it to look like they were coming from there, the numbers give us a clue that the United States could potentially be making more headlines as a hub for hacking. But it’s not just the United States. China and Russia have become synonymous with global hacking, but in the future, who knows which countries we’ll think of first when we think of places where hacking activity comes from.

The post The global hacking problem appeared first on Avira Blog.

VMCloak – Create a Virtual Machine the Easy Way

… and – in this we were correct – they are. You can basically find virtual machines:

  • In companies running their internal servers as a VM for easier maintenance
  • On thin clients, where the end-users have simple terminals instead of “real” systems (again for easier maintenance)
  • In clouds like the Amazon cloud where you can just “click your own system” within minutes
  • As virtual appliances, simple systems which only have one job (like a network proxy). Easy to install.

However, due to our assumption we decided not to bother with the virtual machine detection.

That’s where we went wrong.

Now, at the end of 2014, about 20% of the malware out there still detects VMs, and the complicated-and-interesting malware in particular does. Back when we started, we estimated that no more than a single-digit percentage would be able to do it by now!

Symantec released an article which covers that topic, and our own numbers show similar results (ours are a bit biased though: for the iTES project we filter out all the “boring” malware before we send the remaining samples to Cuckoo).

Malware detects virtual machines just to annoy the antivirus vendors

One way to classify samples in a virus lab is to run the suspicious sample in a VM and monitor its behavior: if it attacks the system, it is malware. That is exactly why malware checks whether it is running in a virtual machine and changes its behavior accordingly. In the Avira Virus Lab we do not rely on a single classification method but combine several, so for us this is not really an issue.

But for our research project I wanted to observe the malicious behavior of even the trickiest malware in a virtual machine … a problem that obviously needs to be solved.

VM Detection and a Paranoid Fish

There are many ways to detect if your program is running in a VM. The most common ones are:

  • Detect hardware configuration
  • Network MAC address
  • HD vendor Name
  • BIOS vendor
  • Video BIOS vendor
  • Detect installed guest additions
  • Detect specific registry keys
  • Some malware detects a specific machine ID (for example based on a fingerprint on the user ID and the hardware being used)

These tricks are surprisingly simple and yet seem to be very effective.
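Seen from the analyst’s side, the list above is a checklist of what a sandbox has to hide. The added example below (not PaFish or VMCloak code) turns that checklist into an audit: it takes the facts a guest reports as a plain dictionary and names every artifact a sample could use to recognise the VM, so that each finding maps to a cloaking step. The two sample machines are constructed, and the hypervisor MAC prefixes, vendor strings, registry keys and process names are well-known virtualisation defaults chosen as assumptions, not values taken from the post. On a real guest you would fill the dictionary from the OS (MAC from the network adapter, vendor strings from DMI/WMI, keys via winreg) rather than from constants.

```python
"""Audit a sandbox VM for the artifacts a sample could use to recognise it.

Added example, not PaFish or VMCloak code. The machine facts arrive as a
dict so the audit runs offline; the vendor strings, OUI prefixes, registry
keys and process names are well-known virtualisation defaults (assumptions).
"""

# MAC OUI prefixes handed out by common hypervisors (assumption: well-known defaults).
VM_MAC_PREFIXES = {
    "08:00:27": "VirtualBox",
    "00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
    "52:54:00": "QEMU/KVM",
}
# Substrings that betray a virtual disk, BIOS or video BIOS vendor.
VM_VENDOR_MARKERS = ("vbox", "virtualbox", "innotek", "vmware", "qemu", "seabios", "virtual")
# Registry keys left behind by guest additions / tools installers.
VM_REGISTRY_KEYS = (
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
)
# Guest-additions processes a sample can look for in the process list.
VM_PROCESSES = ("vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe")
MIN_DISK_GB = 50  # the post: less than ~50 GB of disk is itself a hint


def audit_vm_artifacts(facts: dict) -> list:
    """Names of the checks that would reveal this guest; empty means cloaked."""
    findings = []

    prefix = facts.get("mac", "").lower()[:8]
    if prefix in VM_MAC_PREFIXES:
        findings.append("mac-oui:" + VM_MAC_PREFIXES[prefix])

    for key in ("hd_vendor", "bios_vendor", "video_bios"):
        value = facts.get(key, "").lower()
        if any(marker in value for marker in VM_VENDOR_MARKERS):
            findings.append(key)

    present = {k.lower() for k in facts.get("registry_keys", [])}
    if any(k.lower() in present for k in VM_REGISTRY_KEYS):
        findings.append("registry-keys")

    running = {p.lower() for p in facts.get("processes", [])}
    if running & set(VM_PROCESSES):
        findings.append("guest-additions-process")

    if facts.get("disk_gb", 0) < MIN_DISK_GB:
        findings.append("small-disk")

    return findings


# Constructed sample: what a fresh VirtualBox guest typically reports.
STOCK_VIRTUALBOX = {
    "mac": "08:00:27:4e:66:a1",
    "hd_vendor": "VBOX HARDDISK",
    "bios_vendor": "innotek GmbH",
    "video_bios": "Oracle VM VirtualBox VBE Adapter",
    "registry_keys": [r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"],
    "processes": ["explorer.exe", "VBoxTray.exe"],
    "disk_gb": 20,
}

# Constructed sample: the same guest after cloaking (values are invented).
CLOAKED_GUEST = {
    "mac": "3c:97:0e:12:ab:cd",
    "hd_vendor": "ST2000DM001",
    "bios_vendor": "American Megatrends Inc.",
    "video_bios": "Intel(R) HD Graphics",
    "registry_keys": [],
    "processes": ["explorer.exe"],
    "disk_gb": 120,
}


if __name__ == "__main__":
    for name, facts in (("stock", STOCK_VIRTUALBOX), ("cloaked", CLOAKED_GUEST)):
        print(f"{name:8} -> {audit_vm_artifacts(facts) or 'no artifacts found'}")
```

Each finding corresponds to one of the bullets above, which is the point of running the audit before and after cloaking: an empty result is the acceptance test for a VM that is ready to receive samples.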

Instead of writing documentation on how to detect a VM, I decided to add the identified tricks to a cool open source project: the Paranoid Fish (PaFish; if you are interested, you can find my changes in the dev-chaos branch). For me as a programmer, writing code (especially code as simple and structured as PaFish requires) is like writing documentation that executes and helps with the next step:

VM Cloaking

This step starts with the hardware configuration needed to create a cloaked VM, which you have to do before installing any operating system. After the OS is installed there are other buttons to press: registry settings and basic program configuration. Back in the “good old days” we had whole manuals on how to do it and configured the virtual machines manually; a quite boring and error-prone task. Instead of writing another how-to, we (Jurriaan Bremer and I) decided to fix it once and for all: we created a tool called VMCloak that can mass-produce ready-to-use cloaked VMs.

Just add your requirements to a configuration file, start the script, wait 2 coffees and you will have a dozen VMs.

Please welcome VMCloak

VMCloak will:

  • Set up the virtual machine, including the appropriate hardware setup: proper hardware IDs, more than 50 GB of disk space (less is a sign of a VM), …
  • Install the OS
  • Set up networking
  • Install applications
  • Do some system config to cloak the machine
  • …and it can install everything required for Cuckoo Sandbox

To give you a small glimpse of the very useful features VMCloak offers, I’ll go into more detail concerning its dependencies (aka “automatically install programs”). Complete documentation can be found here.

When analyzing the behavior of a malicious sample you normally want some programs installed which will then be attacked by the malware. That can include old browsers, PDF readers, Flash players, you name it. Also, when doing a manual analysis, you want your default tools to view the running processes, system changes, etc.

Dependencies are small configuration snippets that allow VMCloak to automatically install programs after the OS has been set up. They define the filename of the setup file, which buttons have to be clicked to get through the installation and some additional information like flags, description, and even dependencies.

Without any kind of automation one would waste minutes to hours in order to click the next button.

Test your skillz

PaFish and VMCloak are Open Source and available for everyone. Especially VMCloak is still very young and there are lots of opportunities to test it and show your superior skillz:

  • Add application packages (dependencies) for automatic program installation
  • Add more cloaking (add PaFish VM detection followed by VMCloak cloaking, chess against yourself)
  • Windows 7 installation or other – for programming admins
  • Create virtual machines using VMWare, KVM, …

The opportunities are endless, so just go ahead.

TL;DR:
No need to ever create a virtual machine for malware analysis again. Use VMCloak.

For Science !
Thorsten Sick

[iTES project logo; sponsored by the Federal Ministry of Education and Research]

The post VMCloak – Create a Virtual Machine the Easy Way appeared first on Avira Blog.

Android Malware Steals Credit Card Information

Given my daily work, I recently ran into some interesting Android malware that tries to steal credit card information from users. The malware is cloaked as an Adobe Flash Player app: users who want to install the app on their devices end up downloading the malware from an untrusted source. The bad news is that victims might not even recognize it as malware, since it looks like the real Flash Player.

Android malware

As you can see in the picture above, although it looks like Adobe Flash Player it actually requests a lot of permissions like access to location data, SMS, phone calls …

The malware installs itself as a service on the phone and it requests device administrator permissions from the user. It says that it needs the permission to get access to a video codec. Once the user agrees with this request, the app gains full access to everything on the phone.

Android malware

Now everything is set up, and I will explain how it steals the information. Basically the malware checks whether popular or often-used apps like Google Play Store, Google Music, WhatsApp, Facebook, Twitter, Instagram … are launched on the device. If one of these apps is started, the malware displays some screens to get the credit card information from the user. It looks as if the launched app were requesting this credit card information for a payment.

As you can see in the screenshots above, all information needed to make a payment is demanded by the malware: credit card number, expiration date, CVC number, the complete owner information with address and the only payment password for the credit card. The dialogue box even includes a validation check to ensure that no wrong numbers etc. are entered. Once all of this information has been entered, the data is sent to a server which collects the stolen credit card information; the authors of this malware can then use it to make payment transactions with the stolen data.

To avoid being affected by such malware, we recommend installing only apps from trusted sources like Google Play and always keeping an eye on the permissions an app requests from you. Check whether it makes sense for the app to have this permission and whether it is really needed.

The post Android Malware Steals Credit Card Information appeared first on Avira Blog.

Is Government Malware unstoppable?

What is Regin?

According to Virus Bulletin, we are looking at a multi-staged threat (like Stuxnet) that uses a modular approach (like Flame), a combination that makes it one of the most advanced threats ever detected. Research shows that Regin has been used in espionage campaigns for the last 6 years. This sophisticated backdoor Trojan affects Microsoft Windows NT, 2000, XP, Vista, and 7 and is able to take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization.

Protection against government malware

In this context, we would like to remind our users that Avira is a founding member of IT Security made in Germany, and we pride ourselves on providing our customers with a guarantee of quality and reliability.

We thus committed ourselves, among other things, to:

  • Exclusively provide IT security solutions no other third party can access.
  • Offer products that do not cause the transmission of crypto keys, parts of keys or access recognition.
  • Eliminate vulnerabilities or avoidance methods for access control systems as fast as possible once detected.

Additionally, we would like to clarify our standpoint on malware developed by governments. Whenever we discover a new piece of malware, we add detection for it for all of our customers, regardless of the source of the malware. This is the case for the recently discovered Regin as well: our antivirus products already detect all known Regin samples.

We strongly believe that no malware is unstoppable, not even government malware. Users need to make sure that they are protecting all of their digital devices with the latest technology, keeping their operating system, third-party applications and of course their antivirus software up to date.

The post Is Government Malware unstoppable? appeared first on Avira Blog.