Category Archives: Avira


Official specifications are not enough

 

is it malicious or clean?

Before one can tell if a file is malicious or clean, it's important to determine the file type (is it an Android file? a Windows file?), and then whether the file is valid or corrupted:

If the file is indeed corrupted (aborted download…), there is no point in checking further. However, pretending to be corrupted while being valid is a way to evade detection: if the file can still run properly, it might infect a user and exploit a system, even if it may look invalid according to the official specifications.

So your reaction might be:

“Just do your work properly, and implement the official specifications”.

Sadly, it’s not that easy:


because the official specifications are typically far from enough. They only cover the general case of what should be required in theory, not all the corner cases of everything that would actually execute in reality. Official specifications are not enough.

Example

For example, the official Adobe PDF specifications say that a PDF shall start with a signature from 8 possible values (%PDF-1.0 to %PDF-1.7). This sounds easy to check and implement, right?

Sadly, in practice it's quite different: Adobe Reader itself simply accepts %PDF-1. (with no minor version digit), or %PDF- followed by a NULL character, at any position within the first 1024 bytes.

So, the official PDF reader itself doesn't strictly follow the official PDF specifications, made by the same company, and what it actually does is not even documented anywhere. If you want to create a robust tool, then you can be sure that official specifications are not enough!

So, if the official tool does something out of bounds and undocumented, nothing prevents other readers from following different undocumented behaviors. The same file can therefore lead to different interpretations, and none of them is perfectly documented!
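As an added illustration (not code from the Avira post), here is a Python check that applies both rules side by side: the spec's 8 signatures at offset 0, and the reader's lenient rule as the post describes it. The window boundary (the signature must start within the first 1024 bytes) and the sample inputs are assumptions made for the example.

```python
import re

# Header rule as the spec states it (per the post): %PDF-1.0 .. %PDF-1.7, at offset 0.
SPEC_HEADER = re.compile(rb"\A%PDF-1\.[0-7]")

# What Adobe Reader actually accepts (per the post): "%PDF-1." or "%PDF-" followed by
# a NUL byte, anywhere within the first 1024 bytes.  Assumption: the signature must
# *start* inside that window.
READER_HEADER = re.compile(rb"%PDF-(?:1\.|\x00)")
READER_WINDOW = 1024
SIG_LEN = len(b"%PDF-1.")


def spec_conformant(data: bytes) -> bool:
    """True if the file starts with one of the 8 signatures the spec lists."""
    return SPEC_HEADER.match(data) is not None


def reader_header_offset(data: bytes):
    """Offset of the first signature Adobe Reader would accept, or None."""
    m = READER_HEADER.search(data[: READER_WINDOW + SIG_LEN - 1])
    if m is not None and m.start() < READER_WINDOW:
        return m.start()
    return None


def classify(data: bytes) -> str:
    """Three verdicts a scanner should keep apart:
    'spec'      - valid by the book (and therefore also accepted by the reader)
    'reader'    - rejected by a strict spec check, yet the reader opens it: this is
                  the gap a file can hide in, so treat it as a PDF and keep scanning
    'not-a-pdf' - neither check matches
    """
    if spec_conformant(data):
        return "spec"
    if reader_header_offset(data) is not None:
        return "reader"
    return "not-a-pdf"


# Constructed samples (not real files); only the first bytes matter for the header check.
SAMPLES = {
    "by the book": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj << >> endobj\n",
    "no minor version": b"%PDF-1.\n1 0 obj << >> endobj\n",
    "NUL after dash": b"%PDF-\x001 0 obj << >> endobj\n",
    "header at offset 500": b"X" * 500 + b"%PDF-1.7\n1 0 obj << >> endobj\n",
    "header at offset 1500": b"X" * 1500 + b"%PDF-1.7\n",
    "plain text": b"hello, not a PDF at all\n",
}


def scan_samples() -> dict:
    """Verdict per sample; 'reader' verdicts are the ones a spec-only parser misses."""
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:24s} -> {verdict}")
```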


A PDF file is made of objects. PDF objects should end with the endobj keyword.

Some objects, like the content of a page, are stream objects. A stream should be closed via the endstream keyword, and then this object should end with the usual endobj keyword.

First, ‘endstream’, then ‘endobj’.

Several readers force the end of an object's stream if the word ‘endobj’ appears before ‘endstream’, which means you can’t print the string “this is an endobj” as is, because it will be interpreted as the end of the object, and at the same time, the end of its stream.

The consequence? After an ‘endobj’ word in a stream, some readers will stop parsing it as a stream, while others will go on until ‘endstream’ is encountered.

However, parsing the root defining element of the PDF – the trailer – doesn’t explicitly require parsing an object-like structure.

What if the trailer is defined inside such an ambiguous object (hand-made PoC, for clarity)?

Some readers will parse this trailer, some won’t. So some readers will see totally different documents, with the same file:

different documents seen from the same file
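The endobj/endstream ambiguity, modelled in Python as an added example (not from the post): the same constructed bytes are parsed under both stream-termination rules, and the parser reports when the two rules disagree on what the trailer says. The sample document and its object numbers are constructed for the example.

```python
import re

# Constructed sample, not a real document: object 4 is a stream whose *data* contains
# the word "endobj" followed by a trailer-like dictionary, before the real
# endstream/endobj.  The toy parser ignores /Length, as lenient readers do when it
# cannot be trusted.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Length 70 >>\n"
    b"stream\n"
    b"BT (this is an endobj) Tj ET\n"
    b"endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"endstream\n"
    b"endobj\n"
    b"trailer << /Root 99 0 R >>\n"
    b"%%EOF\n"
)

STREAM_START = re.compile(rb"\bstream\r?\n")   # \b keeps 'endstream' from matching
TRAILER = re.compile(rb"trailer\s*<<(.*?)>>", re.S)
ROOT = re.compile(rb"/Root\s+(\d+)\s+\d+\s+R")


def syntax_view(data: bytes, endobj_ends_stream: bool) -> bytes:
    """Return the bytes a reader treats as PDF syntax, with stream bodies cut out.

    endobj_ends_stream=True models readers that close a stream at the first 'endobj';
    False models readers that only close it at 'endstream'.
    """
    out = bytearray()
    pos = 0
    while True:
        m = STREAM_START.search(data, pos)
        if m is None:
            out += data[pos:]
            return bytes(out)
        out += data[pos:m.end()]
        body = m.end()
        at_endstream = data.find(b"endstream", body)
        at_endobj = data.find(b"endobj", body)
        if endobj_ends_stream and at_endobj != -1 and (at_endstream == -1 or at_endobj < at_endstream):
            pos = at_endobj          # body ends early; 'endobj' closes the object
        elif at_endstream != -1:
            pos = at_endstream       # body runs all the way to 'endstream'
        else:
            return bytes(out)        # unterminated stream: the rest is data


def trailer_roots(data: bytes, endobj_ends_stream: bool) -> list:
    """/Root object numbers of every trailer the modelled reader would see, in order."""
    roots = []
    for m in TRAILER.finditer(syntax_view(data, endobj_ends_stream)):
        r = ROOT.search(m.group(1))
        roots.append(int(r.group(1)) if r else None)
    return roots


def is_ambiguous(data: bytes) -> bool:
    """True when the two termination rules disagree on the trailers: flag for review."""
    return trailer_roots(data, True) != trailer_roots(data, False)


if __name__ == "__main__":
    print("stream ends at first endobj :", trailer_roots(SAMPLE_PDF, True))
    print("stream ends at endstream    :", trailer_roots(SAMPLE_PDF, False))
    print("ambiguous:", is_ambiguous(SAMPLE_PDF))
```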

The post Official specifications are not enough appeared first on Avira Blog.

Why blocking advertisements matters

What are web advertisements?

One basic premise of an advertisement is that its publisher has an adequate user base to be influential. The advertiser, in turn, is trying to get his new product out to the customer. Combine both, put it into the context of modern technology like the WWW, and big new opportunities emerge from the static, dull-looking world of HTML pages.

In most cases, advertisements are delivered through a dedicated server, the ad server. This makes it easy for the publisher to manage. All that needs to be done is to specify where the content is fetched from, the rest is taken care of by the advertising company. The latter is now able to fine-tune ads, for example via copy and design changes, to squeeze out the maximum click and conversion rates possible. Typical options for which ads can be tailored might include:

  • Browser used by the visitor
  • Browser language the visitor has set as default
  • Country, state, city the visitor resides in
  • Operating system the visitor uses
  • Plugins the user has installed (Java, Adobe Flash and Reader, Quicktime and many more)
  • Which page the visitor comes from
  • Screen resolution

This vast potential can take somewhat weird forms. Kogan Technologies, an Australia-based consumer electronics retailer, introduced the “Internet Explorer 7 Tax”, which charged online shoppers an extra 6.8% for using that browser.² Furthermore, Orbitz, an online travel planning website, has chosen to show pricier hotels to Apple Macintosh users.³

Can these ads be malicious?

This also builds the foundation for distributing malicious content. While the method of propagation is the same as with legitimate ads, the content mostly consists of harmful JavaScript snippets. These scripts load more scripts or simply redirect the visitor to infected web pages without any user interaction – meaning you will not feel a thing until it is too late.

Keeping in mind the options that advertisement agencies have, this opens another door. Phishing sites can be shown in the browser’s native language. Exploits and other malware can be downloaded, depending on the software installed on the victim’s computer. We have seen these types of “malvertising” sites loading malicious code during prime time – directly after the evening news. In the end, it showed that people tend to watch free online movies (often illegally) during prime time rather than during the work day.


Localised ransomware

How so, please give me an example?

So, say it’s a ridiculously hot summer. You look for… an anti-perspirant by your favorite sports brand. You feed the search engine with the right terms and find a promising page on Amazon. Of course, the idea of malware striking at this moment does not even cross your mind – why would it? You click the link; bam! Now, your computer might be infected. Seems unrealistic? Too paranoid? Well, it is not.

Some weeks ago, while I was on my couch and browsing the web, this exact thing happened to me. Analyzing the sample and the signature (HTML/Badsrc.I.1) brought me to the conclusion that this definitely was no false alarm. What happened is that the advertising agency Amazon used for this particular page was delivering malicious content (Note that it is not Amazon themselves delivering the malware). The difference, for an Avira user at least, is this:


Blocked malicious advertisement

So, can your computer be infected by browsing legit and trusted websites? Yes!

How can I protect myself?

The example above shows that being careful on the web and visiting only legit and well-known websites does not mean you cannot get infected with malware. Web advertisements have a right to exist, no doubt. Just to be on the safe side, basic malware protection should always be complemented with sophisticated URL detection and ad tracker blocking. Avira Browser Safety gives the security-concerned user just what is necessary to live free. It is able to detect malicious URLs using Avira’s globally distributed URL Cloud but will also keep pesky and harmful online ads away from you. Why not give it a try?

¹ TechCrunch: Internet Ad Spend To Reach $121B In 2014 […]

² Kogan: New Internet Explorer 7 Tax :)

³ The Wall Street Journal: On Orbitz, Mac Users Steered to Pricier Hotels


Protect your blog

Castles have very regular (not to say, boring!) layouts.

Why is that? Why don’t they have any fancy layout?

If they had a funny shape, they would be much more attractive!

Fancy, but less secure

Castles were built with defense in mind: they intend to reduce the attack surface, and keep control of it. Fancy extras create new openings, and make your defense less secure.

Boring, but more protected


When you create your own blog, you could be tempted to add many extra add-ons to make your blog more attractive: contact forms, slideshow, RSS…

It makes sense from a marketing perspective – who doesn’t want to look more attractive? – but by doing so, you increase the attack surface. Many attacks have been reported recently, and they show that not all plugins follow the same quality standards when it comes to security.

How

Typically, attacks against blogs are either done by brute-forcing simple passwords or exploiting weak plugins.

Why

The usual goal is to modify a part of your blog, to redirect visitors to malware or to link to other websites to increase their ranking in search engines, and thus generate ad revenue. Another possibility is to take your content hostage, or to take over your server and use it as a relay for malicious content.

Consequences

At best, your blog is blacklisted, and your visitors will be prevented from entering, for their own safety:

a browser warning

This is not very attractive.

At worst, your database could be stolen, deleted or ransomed, or your server could be taken over, and even worse: you could be liable…

Extra

Since such attacks are done transparently and silently, you may think this is a false positive, as nothing seems to have changed in appearance: a small URL insertion in one of the PHP scripts can have big consequences.

What should you do ?

To protect your blog, you should reduce your attack surface, and keep your defense under control:

  • Reduce your weaknesses by removing unnecessary or insecure plug-ins (Google for the plug-in name, check if it’s widely used, check if any security bug was reported, and whether the authors seemed to care).
  • Generate logs, and check them.
  • Back up your blog files: to recover from deletion, of course, but also to make post-infection analysis much easier, so that you can easily check what was modified.
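An added Python example (not from the post) of the last point: snapshot the blog tree into a hash manifest kept with the backup, then diff it after the fact to see exactly which files changed. The blog file names, the simulated tampering and the placeholder domain example.invalid are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def save_manifest(manifest: dict, path: str) -> None:
    """Store the manifest with the backup, off the web server, so an intruder can't edit it."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def compare(baseline: dict, current: dict) -> dict:
    """Files added, removed or modified since the baseline (sorted for stable output)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed blog tree: snapshot it, then simulate the silent change the post
    describes (one line appended to a PHP script, one file dropped), and diff."""
    with tempfile.TemporaryDirectory() as blog, tempfile.TemporaryDirectory() as backup:
        files = {
            "index.php": "<?php include 'wp-blog-header.php'; ?>\n",
            "wp-content/plugins/gallery/gallery.php": "<?php /* plugin code */ ?>\n",
            "wp-content/themes/boring/style.css": "body { margin: 0; }\n",
        }
        for rel, body in files.items():
            path = os.path.join(blog, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
        manifest_path = os.path.join(backup, "blog-manifest.json")
        save_manifest(hash_tree(blog), manifest_path)
        # Simulated tampering (constructed): an injected line and a dropped file.
        with open(os.path.join(blog, "index.php"), "a") as f:
            f.write("<?php /* injected reference to example.invalid */ ?>\n")
        with open(os.path.join(blog, "wp-content/uploads.php"), "w") as f:
            f.write("<?php /* dropped file */ ?>\n")
        return compare(load_manifest(manifest_path), hash_tree(blog))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```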


Malicious Office macros are not dead

You could think that malicious Office macros are a thing of the past. They are not a major threat anymore, but they still represent a potential risk for unsuspecting users.

Ever since Microsoft Office allowed documents to embed macros, which can perform complex actions such as dropping malicious executables, malicious Office macros have been part of the malware landscape.

When Office XP was released in 2001, it disabled macros by default: as a consequence, malicious macros were no longer so effective at infecting users, so their use in the malware landscape rapidly declined afterwards.

German warning: Macros have been disabled - Enable Content

However, this doesn’t mean that the threat is gone, especially in corporate environments where users may leave macros activated by default.

And the document can try social engineering to convince you to re-enable them.

a malicious Office document trying to convince the user to enable macros.


The file also contains something weird:

a suspicious highlighting on invisible text

If you scroll down, you notice something unusual: that invisible but underlined text is actually a malware file (4D 5A is the signature of a Portable Executable file), encoded in the document in white font on a white background.

This is what it looks like when the text is set back to a normal color.

On execution, the macros remove this hidden text, to remove traces of maliciousness.

So, be careful: don’t enable macros by default, and don’t enable them for unusual documents.


Analyzing malicious office macros out of a document

Until Office 2007, Microsoft used the OLE Compound File Binary Format. Here is an accurate summary of the format:

“nightmare”, in blood letters

This is because it’s actually a complete filesystem, with multiple FAT formats, sectors, streams, defragmentation…

So for your sanity, we’ll avoid the details here as much as we can…

Starting with Office 2007, the default format was the “XMLs in a ZIP” Office Open XML.

But to store macros, even Office Open XML still uses the OLE format: they are located in the vbaProject.bin file inside the ZIP archive.

macros are located in ZIP/word/vbaProject.bin

So in any case, we need to deal with the OLE format to extract macros: either the whole document (before Office 2007) or the vbaProject.bin file (later versions).


Just for your information, this is what such an OLE file looks like from a high-level perspective.

high-level structure of an office file

(don’t show that to your kids, they might look away from computers for ever)

If you still want to know more about the OLE format, you may want to watch Bruce Dang’s presentation on the topic.


 

So first, extract the vbaProject.bin file from the ZIP. Then, ask OfficeParser to extract the macros: luckily, it does all the magic for us.

Extracting macros from an office document

It displays an error, but the NewMacros file is still correctly extracted.
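An added Python example, not the post's own tooling: it performs the first step of the procedure above (locate vbaProject.bin inside the ZIP and confirm it is an OLE container, ready for OfficeParser) and also looks for the hidden-text trick from the earlier screenshots, hex text starting with 4D 5A inside a white-font run. The .docm-like sample is constructed inline and is not a real malware file.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # Compound File Binary signature
W_TEXT = re.compile(r"<w:t(?:\s[^>]*)?>(.*?)</w:t>", re.S)
WHITE_FONT = re.compile(r'<w:color\s+w:val="FFFFFF"\s*/>', re.I)
HEX_MZ = re.compile(r"4D5A(?:[0-9A-F]{2}){16,}", re.I)   # 'MZ' + at least 16 hex bytes


def find_hex_mz(document_xml: str) -> list:
    """Byte lengths of hex-encoded PE images (starting with 4D 5A) found in the
    document's text runs; the text may be spaced as '4D 5A 90 00 ...'."""
    text = "".join(W_TEXT.findall(document_xml))
    text = re.sub(r"\s+", "", text)
    return [len(m.group(0)) // 2 for m in HEX_MZ.finditer(text)]


def triage_ooxml(data: bytes) -> dict:
    """Locate the macro container (word/, xl/ or ppt/ prefix) and check it really is
    an OLE file, then scan word/document.xml for white-font runs and hidden MZ hex."""
    report = {"macro_parts": [], "macro_is_ole": False, "white_font_runs": 0, "hidden_mz": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for name in names:
            if name.endswith("vbaProject.bin"):
                report["macro_parts"].append(name)
                report["macro_is_ole"] = z.read(name).startswith(OLE_MAGIC)
        if "word/document.xml" in names:
            xml = z.read("word/document.xml").decode("utf-8", "replace")
            report["white_font_runs"] = len(WHITE_FONT.findall(xml))
            report["hidden_mz"] = find_hex_mz(xml)
    return report


def build_sample() -> bytes:
    """Constructed .docm-like ZIP (not real malware): a minimal OLE-looking macro
    container plus a white-font paragraph carrying the hex of a PE header."""
    hidden = "4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00"
    doc = (
        "<w:document><w:body>"
        "<w:p><w:r><w:t>Please click Enable Content to view this document</w:t></w:r></w:p>"
        '<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr><w:t xml:space="preserve">'
        + hidden + "</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", doc)
        z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ooxml(build_sample()))
```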

And then, you can immediately tell the intent of the file… it’s pretty obvious (and actually, quite disappointing)…

Obvious variable names in the macros.

Commented “anti-emulation” code in the macro.

They are so proud of it that they re-used the same anti-emulation code multiple times…

Ok, let’s stop here. You already get the idea about the intents of this file, and now you know a simple method to analyze malicious Office macros yourself.

Sadly, there is not much to learn from this threat, except that it’s a good thing to practice on a ‘forgotten’ file type that could still be used today to infect users.

Related tools:

  • OfficeMalScanner: doesn’t parse OLE files, but tries to extract embedded shellcode and binaries.
  • OleFileIO_PL: a more advanced parsing library than OfficeParser, but with no direct macro extraction ability.


The 3 most common questions about Clickjacking

This procedure is called Clickjacking and it is one of the most used techniques by hackers trying to gain access over your accounts or obtain private data.

How does clickjacking work?

It all starts with a user receiving an e-mail that perfectly mimics the messages usually sent by a company he is a client of. This e-mail includes a fake link for the user to reset the password used on the real company website, when he would actually be providing the hackers access to his account. Knowing both the e-mail address and the associated password, they can now extract all the personal information they need and take over the account.

In practice, once the customer clicks on the button in the e-mail, he ends up on the hacker’s website. There, the latter will attempt to make an HTTP/HTTPS call to the real company’s APIs/forms to reset the user’s password/e-mail address and take over his account.

When does clickjacking work?

In order for clickjacking to work, the user has to be previously logged into the account he owns on the real company website. Also, if no CSRF protection is activated on the company’s end and the official website/API accepts calls from other domains without filtering, chances are that the operation succeeds.

Clickjacking can also work locally (on your machine) when you manually create an iFrame and inject the company’s forms. This however doesn’t impact the end user/ customer because it only takes place on the hacker’s computer.

How can I be sure that I am not a victim of clickjacking?

We recommend all companies to implement the following 2 methods to keep safe from this kind of attack:

  1. Do not accept requests from other websites (domains). If possible, use the X-Frame-Options header and set it to SAMEORIGIN so that other domains cannot embed or access the methods/API on your company’s end (note that this header may not be supported by all browsers).
  2. Implement CSRF token validation, making sure that for each form display page there is a CSRF token uniquely assigned to the customer. The CSRF token can only be obtained by logging in as the real customer.
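Both recommendations in Python as an added example (not from the post): the header on every form page, plus a per-session CSRF token that the reset handler checks before touching the account. The origin https://example.invalid, the session layout and the form fields are assumptions; the frame-ancestors CSP directive is the modern counterpart of X-Frame-Options and goes beyond what the post mentions.

```python
import hmac
import secrets

# Assumption: the site's own origin.  Headers for every page that renders a form
# (item 1); frame-ancestors is the CSP successor of X-Frame-Options.
OUR_ORIGIN = "https://example.invalid"
SECURITY_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}


def issue_csrf_token(session: dict) -> str:
    """Item 2: a fresh unguessable token, stored in the server-side session and
    echoed into the form; a page on another domain cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def render_reset_form(session: dict) -> tuple:
    """(headers, html) for the password-reset page: token embedded as a hidden field."""
    token = issue_csrf_token(session)
    html = (
        '<form method="post" action="/account/reset-password">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="password" name="new_password"><button>Reset</button></form>'
    )
    return dict(SECURITY_HEADERS), html


def csrf_token_ok(session: dict, submitted) -> bool:
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)   # constant-time comparison


def handle_password_reset(session: dict, form: dict, origin_header) -> tuple:
    """POST handler returning (status, message).  Unauthenticated, cross-origin and
    token-less submissions are rejected before the account is touched."""
    if not session.get("user"):
        return 401, "login required"
    if origin_header is not None and origin_header != OUR_ORIGIN:
        return 403, "cross-origin request rejected"          # item 1
    if not csrf_token_ok(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"           # item 2
    session.pop("csrf_token")                                 # single use
    session["password_changed"] = True   # placeholder for the real credential update
    return 200, "password updated"


if __name__ == "__main__":
    s = {"user": "alice"}
    headers, html = render_reset_form(s)
    print(headers)
    print(handle_password_reset(s, {"new_password": "x"}, OUR_ORIGIN))
    print(handle_password_reset(s, {"csrf_token": s["csrf_token"]}, OUR_ORIGIN))
```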


Avira HR Team @Top Employers Job Fair

Software engineering: from everyday challenges to real world solutions

On the second day of the event, our colleague Radu Calin (Web Backend Software Engineer) gave a presentation about distributed computing during the workshop we organized. We were happy to learn that this session raised unexpected interest among the candidates attending the fair: more than 120 people had registered for what we had designed as a workshop for 40 participants.

Radu talked about how we managed to build a product that makes life easier for millions of users worldwide, all the while solving some of the most difficult problems of the cloud era. He went more in-depth, showing the attendees how the Avira team managed to create a scalable distributed system with pure fun and passionate engineering. Towards the end, he did not forget to give some details about what makes “life at Avira” so special and the audience was really impressed.

All in all, the event was a great success for our HR team: 2 days, over 500 applicants, almost 1400 flyers taken home by the candidates, 1 workshop with 58 participants, and over 5000 participants attending the fair in search of their next Top Employer.

If you missed the event but you also want to “join the battle”, you can check the current job opportunities and apply directly on our career page. A virtual job fair is also organized to follow up with Top Employers attendees; check it out here.


Cyber awareness month – stay safe online

Bad URLs can steal your identity, track your every movement, and violate your privacy. Bad URLs have been around for many years, and they are still wreaking havoc. It is exactly why you should always be careful where you click.

Clicking on an infected or bad URL has happened to millions across the globe, in probably every country, and the reason people sometimes make the mistake of clicking something they shouldn’t is the very reason the bad guys keep putting those bad URLs in various places (websites, emails, pop-up ads, etc.) to trick us. They keep doing it because we keep clicking where we shouldn’t.

This October we celebrated Cyber Awareness Month and Avira wants to make sure users don’t click on anything bad and end up on a website that is dangerous. Avira Browser Safety is a browser extension that ensures that when users browse various sites on the Internet, they don’t accidentally click on a bad URL.

Avira Browser Safety is browser extension which protects a user’s online privacy and blocks malicious websites before they load. Right now it’s available to Avira users for free.

If you don’t have browser security installed on your PC, please consider installing Avira Browser Security. It’s important to make sure you’re doing everything possible to remain safe while online, and set in motion good browsing habits that last throughout the year.


Was your email hacked in recent data breaches?

In early September, reports of a massive Gmail password breach came to light across the globe. In all, there were up to 5 million stolen Gmail accounts and passwords and all were published on a Russian forum.

Luckily, many of the passwords do not match the Gmail accounts with which they are associated. Google announced that only 1 to 2% of the passwords match and that it has secured those accounts. It has also stated that its systems were not breached in any way. But the damage is done, and another breach has occurred.

It could be that passwords stolen from previous security breaches such as Adobe or LinkedIn happened to be the same ones that people used for Gmail and the hacker put together different data sets to come up with this list.

In mid-September, Russia’s largest email providers mail.ru and Yandex were hit by data breaches. Around 5 million mail.ru email accounts and 1 million Yandex email accounts were breached and passwords released on Russian forums. The companies said that their systems were not compromised and these accounts were stolen using phishing attacks. The analysis of these accounts showed that they were at least partially genuine.

In what seemed to be a busy month for hackers, JP Morgan Chase announced that over 76 million households in the US were affected by a breach that compromised personal contact information like addresses, email addresses and phone numbers.

No matter how many times breaches happen all over the globe, you can always check to see if your personal email address has been compromised. By downloading Avira’s Identity Safeguard to your mobile device, you can instantly scan the Avira database and check to see if your identity has been compromised. To check your email address, download the free Identity Safeguard app for Avira’s iOS or Android mobile apps.


Avira Travel: book the best hotel for your next trip

Planning your next vacation has never been so easy

We all know how time- and energy consuming the search for the perfect accommodations can be. Many things have to be taken into consideration when booking your hotel: location, the room amenities and, of course… the price.

What if a new Avira Browser Safety feature could put you only one click away from the perfect hotel for your next trip? Thanks to a new partnership with Expedia, we are now able to provide you with the best hotel options available for your needs.

How does Avira Travel work?

Avira Travel is part of the Avira Browser Safety and Avira Offers features. Thus, in order to use Avira Travel you first need to install Avira Browser Safety. You will then be discreetly informed about competitive travel offers every time you visit websites like www.booking.com.

travel-offers

The new portal www.travel.avira.com is live and public so that it can be visited by anybody at any time. As always, online safety comes first when sharing new services with our users, so another great thing about Avira Travel is that the service will protect you against any scamming attempts in order for you to book your hotel both safely and carefree.

Expedia – your favorite online travel agency

One of the world’s leading online travel companies will help us share the best accommodation offers for you at competitive prices. Expedia’s goal is to help you discover destination ideas, get information about flights, hotels, car rentals, cruises and more — so that you can easily book and purchase your next trip. With deep experience in vacation packages, they can also book both your flight and hotel together so you won’t have to worry about anything else.


Customer Advocacy: bigger, faster, stronger

What’s in it for our customers?

One of our biggest goals regarding customer advocacy has been to form a multilingual team and train these new employees to provide high quality support to our customers. The great news for Avira users globally is that, from now on, our own in-house Customer Advocacy team will be able to respond to their queries in several languages: English, Italian, French, Spanish, Portuguese and Dutch. They will be available 24/7, handling requests coming from all over the world.

A warm welcome to our new team members

Last week, we celebrated the arrival of our new colleagues the “Avira way” — with snacks and pizza, some beers, and lots of fun and laughter. It was a great opportunity for us to welcome them aboard and give them a dose of what Avira’s “Live free” slogan is all about.

Let’s wish them luck and success in their new roles @Avira!

Thinking of a career change?

Our recruitment process is not over yet, so if you wish to join our brand new Customer Advocacy team in our Bucharest office, please see below the open positions still available at this moment.
