Tag Archives: Threats

Why blocking advertisements matters

What are web advertisements?

One basic premise of an advertisement is that its publisher has an adequate user base to be influential. The advertiser can be trying to get his new product out to the customer. Combine both, put it into the context of modern technology like the WWW, and big new opportunities emerge from the statically dull-looking world of HTMLs.

In most cases, advertisements are delivered through a dedicated server, the ad server. This makes it easy for the publisher to manage. All that needs to be done is to specify where the content is fetched from, the rest is taken care of by the advertising company. The latter is now able to fine-tune ads, for example via copy and design changes, to squeeze out the maximum click and conversion rates possible. Typical options for which ads can be tailored might include:

  • Browser used by the visitor
  • Browser language the visitor has set as default
  • Country, state, city the visitor resides in
  • Operating system the visitor uses
  • Plugins the user has installed (Java, Adobe Flash and Reader, Quicktime and many more)
  • Which page the visitor comes from
  • Screen resolution

This vast potential can take somewhat weird forms. Kogan Technologies, an Australia-based consumer electronics retailer, introduced the “Internet Explorer 7 Tax” which charged online shoppers with an extra 6.8% for using that browser.² Furthermore, Orbitz, an online travel planning website, has chosen to show pricier hotels to Apple Macintosh users.³

Can these ads be malicious?

This also builds the foundation for distributing malicious content. While the method of propagation is the same as with legit ads, content mostly consists of harmful JavaScript snippets. These scripts reload more scripts or simply redirect the visitor to infected web pages without user interaction – meaning: you will not feel a thing until it is too late.

Keeping in mind the options that advertisement agencies have, this opens another door. Phishing sites can be shown in the browser’s native language. Exploits and other malware can be downloaded, depending on the software installed on the victim’s computer. We have seen these types of “malvertising” sites loading malicious code during prime time – directly after the evening news. In the end, it showed that people tend to watch free online movies (often illegally) during prime time rather than during the work day.

Ransomware Screenshot

Localised ransomware

How so, please give me an example?

So, say it’s a ridiculously hot summer. You look for… an anti-perspirant by your favorite sports brand. You feed the search engine with the right terms and find a promising page on Amazon. Of course, the idea of malware striking at this moment does not even cross your mind – why would it? You click the link; bam! Now, your computer might be infected. Seems unrealistic? Too paranoid? Well, it is not.

Some weeks ago, while I was on my couch and browsing the web, this exact thing happened to me. Analyzing the sample and the signature (HTML/Badsrc.I.1) brought me to the conclusion that this definitely was no false alarm. What happened is that the advertising agency Amazon used for this particular page was delivering malicious content (Note that it is not Amazon themselves delivering the malware). The difference, for an Avira user at least, is this:

Amazon page blocked

Blocked malicious advertisement

So, can your computer be infected by browsing legit and trusted websites? Yes!

How can I protect myself?

The example above shows that being careful on the web and visiting only legit and well-known websites does not mean you cannot get infected with malware. Web advertisements have a right to exist, no doubt. Just to be on the safe side, basic malware protection should always be complemented with sophisticated URL detection and ad tracker blocking. Avira Browser Safety gives the security-concerned user just what is necessary to live free. It is able to detect malicious URLs using Avira’s globally distributed URL Cloud but will also keep pesky and harmful online ads away from you. Why not give it a try?

¹ TechChrunch: Internet Ad Spend To Reach $121B In 2014 […]

² Kogan: New Internet Explorer 7 Tax :)

³ The Wall Street Journal: On Orbitz, Mac Users Steered to Pricier Hotels

The post Why blocking advertisements matters appeared first on Avira Blog.

Malicious Office macros are not dead

You could think that malicious Office macros are a thing of the past. They are not a major threat anymore, but they still represent a potential risk for unsuspecting users.

Since Microsoft Office enabled documents to embed macros that can even do complex actions such as dropping malicious executables, malicious office macros were used in the malware landscape.

When Office XP was released in 2001, it disabled macros by default: as a consequence, malicious macros were not so efficient to infect users, so their use in the malware landscape rapidly declined afterwards.

German warning: Macros have been disabled - Enable ContentHowever, it doesn’t mean that the threat is not present anymore, especially in corporate environments where users may leave them activated by default.

And the document can try social engineering to convince you to re-enable them.

a malicious Office document trying to convince the user to enable macros.


The file also contains something weird:

a suspicious highlighting on invisible textIf you scroll down, you notice something unusual:
that invisible but underlined text is actually a malware file (4D 5A is the signature of a Portable Executable file), encoded in the document, but in white font on white background.

hidden_executableThis is what it looks like if the text is back in normal color.

On execution, the macros remove this hidden text, to remove traces of maliciousness.

So, be careful: don’t enable macros by default, and don’t enable them for unusual documents.


Analyzing malicious office macros out of a document

Until Office 2007, Microsoft used the OLE Compound File Binary Format. Here is an accurate summary of the format:

"nigthmare", in blood lettersbecause it’s actually a complete filesystem, with multiple FAT formats, sectors, streams, defragmentation…

So for your sanity, we’ll avoid the details here as much as we can…

Starting with Office 2007, the default format was the “XMLs in a ZIP” Office Open XML.

But to store macros, even Office Open XML still uses the OLE format: they are located in the vbaProject.bin file inside the ZIP archive.

macros are located in ZIP/word/vbaProject.binSo in any case, we need to deal with the OLE format to extract macros: either the whole document (< Office 2007), either the vbaProject.bin file (later versions),


Just for your information, this is what such a OLE file looks like from a high level perspective.

high-level structure of an office file(don’t show that to your kids, they might look away from computers for ever)

If you still want to know more about the OLE format, you may want to watch Bruce Dang’s presentation on the topic.


 

So first, extract the vbaProject.bin file from the ZIP. Then, ask OfficeParser to extract the macros: luckily, it does all the magic for us.

Extracting macros from an office documentit displays an error, but the file NewMacros is still correctly extracted.

And then, you can clearly tell immediately the intent of the file… it’s pretty obvious (and actually, quite disappointing)…

stupid variable names in the macrosObvious variable names

anti-emulation code in the macroCommented “anti-emulation”

over-using the same anti-emulationThey are so proud of it that they re-used it multiple times…

Ok, let’s stop here. You already get the idea about the intents of this file, and now you know a simple method to analyze malicious Office macros yourself.

Sadly, not much to learn from this threat: excepted that it’s a good thing to practice on a ‘forgotten’ file type, that could still be used today to infect users.

Related tools:

  • OfficeMalScanner: doesn’t parse OLE file, but tries to extract embedded shellcodes and binaries.
  • OleFileIO_PL: a more advanced parsing library than OfficeParser, but with no direct macros extraction ability.

The post Malicious Office macros are not dead appeared first on Avira Blog.

The 3 most common questions about Clickjacking

This procedure is called Clickjacking and it is one of the most used techniques by hackers trying to gain access over your accounts or obtain private data.

How does clickjacking work?

It all starts with a user receiving an e-mail that mimics perfectly the messages usually sent by a company he is a client of. This e-mail would have to include a fake link for the user to reset the password used on the real company website when he would actually be providing the hackers access to his account. Knowing both the e-mail address and the associated password, they can now extract all the personal information they need and take over the specific account.

Practically, once the customer clicks on the button in the e-mail, he will end up on the hacker’s website. There, the latter will attempt to make an http/https call to the real company’s API’s/forms to reset the user’s password/e-mail address and take over his account.

When does clickjacking this work?

In order for clickjacking to work, the user had to be previously logged in the account that he owns on the real company website. Also, if no CSRF protection is activated on the company’s end and official website/API accepts calls from other domains with no filtering, chances are that the operation becomes successful.

Clickjacking can also work locally (on your machine) when you manually create an iFrame and inject the company’s forms. This however doesn’t impact the end user/ customer because it only takes place on the hacker’s computer.

How can I be sure that I am not a victim of clickjacking?

We recommend all companies to implement the 2 following methods to keep safe from this kind of attacks:

  1. Do not accept requests from other websites (domains). If possible, use the x-frame-options header and set it to SAMEORIGIN so that other domains cannot access the methods/ API on your company’s end (this header should not be accessible / usable in all browsers).
  2. Implement CSRF token validation making sure that for each form display page there is an uniquely assigned CSRF token to the customer. The CSRF token can only be obtained by logging in as the real customer.

The post The 3 most common questions about Clickjacking appeared first on Avira Blog.

Cyber awareness month – stay safe online

Bad URLs can steal your identity, track your every movement, and violate your privacy. Bad URLs have been around for many years, and they are still wreaking havoc. It is exactly why you should always be careful where you click.

Clicking on an infected or bad URL has happened to millions across the globe in probably every country, and the reason people sometimes make the mistake of clicking something they shouldn’t is the very reason that the bad guys keep putting those bad URL’s in various places (websites, emails, pop up ads, etc.) to trick us. They keep doing it because we keep clicking where we shouldn’t.

This October we celebrated Cyber Awareness Month and Avira wants to make sure users don’t click on anything bad and end up on a website that is dangerous. Avira Browser Safety is a browser extension that ensures that when users browse various sites on the Internet, they don’t accidentally click on a bad URL.

Avira Browser Safety is browser extension which protects a user’s online privacy and blocks malicious websites before they load. Right now it’s available to Avira users for free.

If you don’t have browser security installed on your PC, please consider installing Avira Browser Security. It’s important to make sure you’re doing everything possible to remain safe while online, and set in motion good browsing habits that last throughout the year.

The post Cyber awareness month – stay safe online appeared first on Avira Blog.

Was your email hacked in recent data breaches?

In early September, reports of a massive Gmail password breach came to light across the globe. In all, there were up to 5 million stolen Gmail accounts and passwords and all were published on a Russian forum.

Luckily, many of the passwords do not match the Gmail accounts with which they are associated. Google announced that only 1 to 2 % of the passwords match and that it has secured those. It has also stated that its systems were not breached in any way. But, the damage is done and another breach has occurred.

It could be that passwords stolen from previous security breaches such as Adobe or LinkedIn happened to be the same ones that people used for Gmail and the hacker put together different data sets to come up with this list.

In mid-September, Russia’s largest email providers mail.ru and Yandex were hit by data breaches. Around 5 million mail.ru email accounts and 1 million Yandex email accounts were breached and passwords released on Russian forums. The companies said that their systems were not compromised and these accounts were stolen using phishing attacks. The analysis of these accounts showed that they were at least partially genuine.

In what seemed to be a busy month for hackers, JP Morgan Chase announced that over 76 million households in the US were affected by a breach that compromised personal contact information like addresses, email addresses and phone numbers.

No matter how many times breaches happen all over the globe, you can always check to see if your personal email address has been compromised. By downloading Avira’s Identity Safeguard to your mobile device, you can instantly scan the Avira database and check to see if you’re identity has been compromised. To check your email address, download the free Identity Safeguard app for Avira’s iOS or Android mobile apps.

The post Was your email hacked in recent data breaches? appeared first on Avira Blog.

What to do about Shellshock bash bug on Mac OS X, web servers, routers, and more

The “Bash Bug” or “Shellshock” vulnerability means a wide range of devices, servers and computers, including Mac OS X, will need to be patched to prevent abuse by malicious persons. Here’s advice about what to do and links to more in-depth resources.

The post What to do about Shellshock bash bug on Mac OS X, web servers, routers, and more appeared first on We Live Security.

Popular topics are also popular with hackers

Events and topics that are interesting to a large number of people make great malware campaigns for hackers, as they tend to target the largest possible groups for their endeavors. If they’re going to plant a trap online, then they’re probably not going to do it with a method that very few people are interested in.

The recent World Cup is a good example of a major event that hackers used for illicit purposes. An article from EnterpriseAppsTech highlighted that 375 fake World Cup apps were created to target Android devices — in addition to approximately 2,000 daily cyber attacks that took place during the World Cup event.

The World Cup may be over (although Avira is still reveling in Germany’s win), but there are plenty of other events and topics to watch out for when clicking or tapping through the Internet. As a first step in protecting yourself, make it a practice to think twice before you engage with content that you find about extremely popular things online. This could be content related to celebrities, entertainment (movies, television, music, games), sporting events, top news stories, and so on. Just be careful, always.

The good news is that with a proper amount of caution and our security software running quietly in the background, you can feel safe while you research any of those popular topics that everyone is talking about.

The post Popular topics are also popular with hackers appeared first on Avira Blog.