News
avast! Free Mobile Security: over one million users in 16 days
PRAGUE, Czech Republic, January 6, 2012 – avast! Free Mobile Security – the new anti-theft and anti-malware app from AVAST Software – has been installed by over one million smartphone users in just 16 days.
This threshold was crossed on January 6, only 16 days after avast! Free Mobile Security was placed in the official Android Market.
“This has been a really fast-paced launch, surpassing the results from competing products,” said Ondrej Vlcek, CTO for AVAST Software. “It required Lookout a full six months to reach the one-million level for their mobile security product.”

avast! Free Mobile Security is a full-featured anti-theft and anti-malware app for Android smartphones. With special “stealth” and remote-access features, it defends smartphone users against the loss or misuse of their device together with anti-malware features to keep online threats at bay. Available through the Android Market and other select markets, avast! Free Mobile Security is completely free.
avast! Free Mobile Security was launched in seven languages on the Android Market. The three most selected languages during the download process were French at 15.6%, followed by United States English with 11.5%, and Brazilian Portuguese at 11.4%. “The language division roughly parallels that of our avast! user base for Windows PCs. We will be adding more languages as we place avast! Free Mobile Security in other markets around the world,” said Mr. Vlcek.
avast! Free Mobile Security is the first app from AVAST Software designed for Android smartphones. The company’s best-known product is avast! Free Antivirus, with over 187 million registered users and available in 39 languages.
“Before we launched avast! Free Mobile Security, we knew that only 30% of our users with Android phones had a security program installed on it, but that over 60% would be interested in the feature set provided in avast! Mobile Security. Reaching the million user mark within 16 days shows that we are meeting users’ needs and expectations,” stated Mr. Vlcek.
|
AVAST Software establishes mobile setting in Austria
PRAGUE, Czech Republic, December 22, 2011 – AVAST Software, developer of the avast! Antivirus program, has opened an office in Austria dedicated to mobile security issues. The expansion comes on the heels of AVAST’s acquisition of ITAgents, the developer of the Theft Aware mobile phone theft protection and recovery system – and ahead of the launch of its first security app for Android phones.
“The definition of security for Android phones is continuing to evolve,” said Vince Steckler, CEO of AVAST Software. “By establishing our Austrian office with Reinhard Holzner, the founder of ITAgents, we are ensuring that the present and future security needs of Android phone users are tightly integrated into the new generations of avast! products.”
Located in Linz, Austria, AVAST Software Österreich GmbH will initially integrate elements in Theft Aware and avast! Antivirus products into a complete security suite for Android phones. Subsequent projects are in the pipeline to widen the range of Android security apps.
“Theft Aware has already secured very high ratings in the Android Market and gotten great professional reviews,” stated Mr. Holzner. “Following our incorporation into avast! security products, I am looking forward to bringing the features developed under ITAgents to a much larger global audience.”
Stealth features in Theft Aware enable users to hide the security app program and icon together with an installation that is extremely difficult for thieves to remove. The stealth features enable other security components such as the GPS tracking and text message alerts to continue functioning, helping people recover their lost or stolen phones.
“Security for most Android users starts with getting their phone back intact. I’ve used these features to recover my own phone twice – so I have personal experience,” he added, pointing out that the features are especially useful when phone users have “rooted” their devices, removing the manufacturer’s restrictions on app usage and allowing the anti theft features to even work after factory resets of the mobile device.
“With ITAgents, we had a great beginning. Now with AVAST, I’m looking forward to keeping Austria on the map for the next steps in mobile security,” said Mr. Holzner.
|
avast! Free Mobile Security: the best Android protection you can’t buy
Free, full-featured suite provides ‘stealth’ and remote-access features
PRAGUE, Czech Republic, December 21 – AVAST Software, the world’s largest provider of antivirus software, will give Android owners an array of “stealth” and remote-access features in the new avast! Free Mobile Security – and it is completely free.
“When a smartphone is stolen, the owner’s number one desire is to get their device back intact and, secondly, to secure their private data,” said Ondrej Vlcek, CTO of AVAST Software. “We’ve developed our avast! Free Mobile Security with these needs in mind – and at a price everyone can afford.”
avast! Free Mobile Security answers the conflict between the current security app usage in Android phones and what users would like to have. “People think they need some sort of security app, but they are unsure of the benefits and don’t like the prices of what they see on the market,” stated Mr. Vlcek. A survey of avast! antivirus users with Android smartphones found that only 30% had some sort of antivirus app installed on their phones. However, over 60% of the same group stated that they would be interested in a free anti-theft/anti-malware app on their smartphones.

“For Android phones, our security starts with recovering the lost or stolen device intact,” explained Mr. Vlcek. “To do this, we’ve built a special array of “stealth”, remote-access, and anti-malware features to help owners recover their lost phones and stay protected from online threats.”
- Stealth features – The “stealth” features in avast! conceal the app’s presence from thieves and, if eventually discovered, also make it nearly impossible to delete. These features include App Disguiser where owners can choose a custom name (e.g. Pistachio Game) for their avast!, a Stealth Mode where the avast! icon is hidden in the app tray, and Self-Protection where avast! components are disguised with several self-preservation techniques.
- Remote-access features – Android owners can direct a variety of remote actions on their lost or stolen devices via text message. Some of the six remote features special to avast! include Remote Calling to have the stolen phone call another device, Call and Message Forwarding, and Memory Wipe, the permanent erasing of all phone data.
- Anti-malware features - Avast! Free Mobile Security includes the well-tested avast! antivirus engine used by over 180 million registered users around the globe. The avast! WebRep cloud technology is incorporated into a Web Shield scanner that examines each loaded URL for malware, alerting users to potentially dangerous links and phishing scams.
avast! Free Mobile Security can be downloaded for free at the official Android Market app store and other outlets.
|
WordPress plugin leads to malware blackhole
AVAST warns site owners to “check your plugins” as infections spike
PRAGUE, Czech Republic, October 31, 2011 - Researchers at the AVAST Virus Labs in Prague have seen an increase in malware infections within sites running WordPress, an open-source application frequently used by bloggers and self-publishers, due to a vulnerability in a popular image plugin and loose credential management.
In early October, researchers from AVAST were contacted by several users via the CommunityIQ system that www.theJournal.fr, the online site for The Poitou-Charentes Journal, had been infected. In addition, the site operator directly contacted AVAST to determine why the avast! antivirus program was blocking visitors from their site which had been purportedly “checked and clean” by an external scanner.
The AVAST research team detected similar infections in other WordPress sites. “The Poitou-Charentes Journal is just one part of a much bigger attack,” said AVAST Senior Virus Lab researcher Jan Sirmer. “These compromised sites are part of a network which redirected vulnerable users to sites distributing an array of malware.”
Mr. Sirmer worked with the site owner to gather more information on how this web site had been compromised and where vulnerable users were being redirected to as they visited the site. He was able to determine that the source of this infection was a PHP file (UPD.PHP) uploaded through a security vulnerability in Timthumb, an image resizer used by developers to create themes for WordPress sites. It is believed that a hacker compromised the weak login credentials used by the WordPress administrators for the hosting servers’ FTP prior to uploading and executing PHP files.
The infection was the work of cybercriminals using the Blackhole Toolkit, a set of malware tools available on the black market. “TheJournal.fr and its readers were certainly not the only targets, this is a larger issue of WordPress security,” said Mr. Sirmer. “We’ve registered 151,000 hits at one of the locations where this exploit redirected users. We also blocked redirects from 3,500 unique sites on August 28 – 31 – the first three days that this infection surfaced - that led to this exploit. During September, we blocked redirects from 2,515 sites and I expect October results will be similar.” More details on the Toolkit are in Mr. Sirmer’s blog post.
Mr. Sirmer uncovered and removed several JavaScript infections and a backdoor Trojan on TheJournal.fr site during his investigation. In this instance, the problem went unnoticed because the site was hosted and managed by a third party. “The site owner found out about the infection only because visitors to the site running avast! were blocked from visiting the site as part of their protection. So even if you outsource IT services, it is often a good idea to visit your own blog with an AV that has an active virus scan to make sure that it is not infected or being blocked,” he said. “And, change your FTP passwords, and don’t save them on your PC because this malware is often able to unpack the passwords from the usual FTP clients.”
“WordPress is not immune to exploitation – a fact driven by its overall popularity and the wide number of available versions,” said Mr. Sirmer. However, he stressed that this was not a specific issue with WordPress itself, but the result of an outdated program plugin and poor password management by site administrators. This issue highlights that simple-to-crack login and password details for the underlying FTP servers can lead to problems. “Stronger login and password keys, alone or together with two-factor authentication, are options that system administrators should use when working with third-party IT managers.”
|
Hackers flip filenames to create “safe” file extensions
Unicode feature misused to infect computers on a payment-per-install basis
PRAGUE, Czech Republic, September 7, 2011 -- “What you see is not what you get,” thanks to a new wave of malware that misuses a special language display feature to trick people into opening supposedly “safe” files. The new exploit misuses features in Unicode – the computing industry’s standard for representing text – to mask executable malware as “safe” files with a .doc or .jpg extension. It has been named "Unitrix" by AVAST Software analysts.
The Unicode feature is designed to display alphabets written in a right-to-left schema such as Arabic or Hebrew and flips the displayed text after special hidden codes such as 0x202E (right-to-left override) are added to the file name. For example, the executable malware file ending with “gpj.exe” is displayed to the recipient as the more innocent sounding “photo_D18727_Collexe.jpg”.

Source: AVAST Virus Lab
“The typical user just looks at the extension at the very end of the file name; for example, jpg for a photo. And that is where the danger is,” said Jindrich Kubec, head of the AVAST Virus Lab. “The only way a user can know this is an executable file is if they have some additional details displayed elsewhere on their computer or if a warning pops up when they try and execute the file.”

The AVAST Virus Lab tracked a steady increase in the number of detections during August, with a daily peak of over 25,000. “From the email messages and the traffic pattern, this is clearly aimed at businesses,” said Mr. Kubec. The attacks are almost exclusively made during the working week, with daily detections dropping below 5,000 on the weekend.
The most common Unitrix file is a malware downloader with connections to several URL addresses which then act as command and control centers. “Based on our analysis of over fifty samples, it appears to be part of a pay-per-install network with the capacity to send infected users a variety of malware," explains Mr. Kubec. Additional Unitrix information is on the AVAST blog.
“It is not possible to make a single universal, foolproof detection for it because this would create a lot of false positives, but there are definite ways to deal with this,” said Mr. Kubec. He pointed out that avast! Antivirus end users are protected in two ways:
- Simple detection when a file name using this trick appears on incoming mail.
- Within the file system, avast! automatically suggests that the suspect file be opened in the sandbox, a safe virtualized environment.
“The problem is that this is a Unicode functionality. Although they mentioned the security implications of this in the specifications, people just implemented as designed and nobody cared about it. It’s been mentioned in other antivirus lab sites but is not widely known,” said Mr. Kubec.
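The check below is an added example, not AVAST's detection code: it flags file names containing Unicode bidirectional controls such as U+202E and compares the extension the file really carries with the one a bidi-aware UI would show. The display model is simplified (only text after a right-to-left override is reversed), and the function names, the executable-extension list and the sample names are constructed for illustration.

```python
import os

# Unicode bidirectional formatting controls that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
RLO, PDF = "\u202e", "\u202c"
# Assumed list of extensions treated as directly executable on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def displayed_name(name):
    """Approximate what a bidi-aware UI shows for `name`.

    Simplified model: text after RLO (up to PDF or end of string) is shown
    reversed; every other control is invisible and otherwise ignored.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            run = [c for c in name[i + 1:end] if c not in BIDI_CONTROLS]
            out.append("".join(reversed(run)))
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)


def inspect_filename(name):
    """Compare the real trailing extension with the one the user sees."""
    controls = [(pos, BIDI_CONTROLS[c]) for pos, c in enumerate(name)
                if c in BIDI_CONTROLS]
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = os.path.splitext(stripped)[1].lower()
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "controls": controls, "shown": shown,
        "real_ext": real_ext, "shown_ext": shown_ext,
        # Flag only when the hidden control changes the visible extension;
        # flagging every bidi control would hit legitimate RTL file names.
        "mismatch": bool(controls) and real_ext != shown_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
    }


# Constructed sample names (the first mirrors the example in the text).
SAMPLES = [
    "photo_D18727_Coll\u202egpj.exe",
    "invoice_2011.doc",
    "\u05d3\u05d5\u05d7.doc",       # Hebrew name, no control characters
    "notes\u202eabc\u202c.txt",     # override present, extension intact
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = inspect_filename(sample)
        print(ascii(sample), "->", ascii(r["shown"]), r["real_ext"], r["mismatch"])
```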
|
AVAST Software: Superglue site stuck with malware
PRAGUE, Czech Republic, August 10, 2011 – The website of Super Glue Corporation (supergluecorp.com), makers of the world-famous adhesive, has been infected with malware. And after five days, this infection seems to be sticking like glue.
The infection was a Trojan JavaScript Redirector which takes visitors through a series of infected sites to the final location in Russia, most likely a distribution center for fake antivirus.

The malware was first reported to the AVAST Virus Lab through the CommunityIQ system of sensors. After receiving the initial report on August 5, 20.53 CET, the Lab confirmed the infection and flagged the site to avast! users.
“The script creates a URL (hXXp://cameoprincess.com/index.php?go=lastnews&rf=) and creates a script tag with it which basically activates the code on that URL,” said Alena Varkockova, Virus Lab analyst. The ‘cameoprincess’ page contains a JavaScript code, which redirects the visitor to ‘hXXp://papucky.eu/ext/’ which redirects the visitor to ‘hXXp://adeportes.es/images/info/js/js.php’ and then to ‘hXXp://labource.ru/iframe.php?id=0xxnnc3e8793z0nevu1f4o36ncdvg34’.

“This last address seems to be the page that contained the payload - and it is turned off for now. By using a combination of redirectors, it’s statistically difficult to uncover the precise payload,” she added. “The likely candidate is some sort of fake antivirus.”
While injected JavaScript downloaders or redirectors are fairly common, the specific AVF Trojan at the superglue site is not. “It’s not in the top fifty malware rankings, but it has already been reported in over 500 sites today,” said Ms. Varkockova.
NOTE: AVAST Software informed Super Glue Corp. by email and telephone about this malware. They removed the Trojan later that day and sent AVAST a thank you note.
|
AVAST launches new avast! Business Protection
More freedom, less hassle, greater protection
PRAGUE, Czech Republic, July 19, 2011 – AVAST Software has launched avast! Business Protection, its comprehensive IT security software for small and medium-sized businesses. avast! Business Protection uses the award-winning 6.0 antivirus engine and includes a new browser-based central management console, giving IT administrators and service providers the ability to remotely manage protected desktops and servers in their network via the internet.
From start to finish, installing avast! Business Protection takes less than half of the clicks demanded by other major competitors. Well-designed default settings and the ability to inherit configurations from the previous system combine to make installation easy. Once fully installed, avast! Business Protection still takes a quarter less computing resources than most of the competition.
"AVAST is about freedom," said Vince Steckler, CEO of AVAST Software. "With avast! Business Protection, we are providing the comprehensive network and endpoint security that businesses need in a package that is simple enough for people who are not IT experts to freely operate."
avast! Business Protection highlights:
- Light and compact – avast! Business Protection takes 0.75GB of computer space for full installation. That is less than a third of the space required by Symantec Protection Suite, Small Business Edition and still a quarter less space than similar products from AVG, ESET, and Kaspersky.
- Fully mobile administration - The unique avast! Administration Console enables remote access via any computer browser, freeing system administrators from their dependency on a fixed location or a specific machine as they have with AVG or Symantec.
- Install and forget - avast! Business Protection automatically detects new computers as they attach to the company network, alerting system administrators to unknown “rogue” machines and enabling them to decide how new devices should be administered within the secure network.
- Proven protection - avast! Business Protection builds on the tested antivirus engine in avast! 6.0 which has won industry recognition from organizations such as VirusBulletin and AV Comparatives for its detection abilities, fast scanning speed, and light footprint. avast! Business Protection includes on-access rootkit detection and enables boot-time scans to find and remove malware hidden within the OS.
- Keeps data private - The new SafeZone™ feature enables safer banking and transfer of sensitive information with a virtualized desktop guarding against data-stealing malware such as keyloggers. System administrators decide who can use this function.
"Business users get avast!'s proven detection ability together with the look and feel of our consumer AV products," said Mr. Steckler. "Organizations are spending too much time and too many resources to keep their antivirus protection functioning. They should be able to focus on their core activities and not have to micromanage their antivirus application."
|
XP remains fertile breeding ground for cyber infection
75% of rootkits hit Windows XP; pirated versions provide perfect target for attackers
PRAGUE, Czech Republic, July 28, 2011 – The AVAST Virus Lab has identified un-patched and often pirated versions of Windows XP as the main vector for rootkit infections. Data from a six-month study catalogued over 630,000 samples and found that 74% of infections originated from Windows XP machines, compared to 17% for Vista and only 12% from Windows 7 machines.
While Windows XP may be old, it is still the most common operating system around the globe with 49% of avast! antivirus users having it on their computers compared to the 38% with Windows 7 and the 13% with Vista.
Rootkit infections and choice of operating system

Rootkits actively hide their presence from administrators by subverting standard operating system functionality or other applications as they access software and data.
“One issue with Windows XP is the high number of pirated versions, especially as users are often unable to properly update them because the software can’t be validated by the Microsoft update,” said Przemyslaw Gmerek, the AVAST expert on rootkits and lead researcher. “Because of the way they attack – and stay concealed – deep in the operating system, rootkits are a perfect weapon for stealing private data.”
More recent operating systems like Windows 7 are more resilient to rootkits - but not immune. Including innovations like UAC, Patchguard and Driver Signing in the latest Windows versions has helped, but not provided fail-proof security. Cybercriminals are continuing to fine-tune their attack strategy with the Master Boot Record (MBR) remaining their favorite target for even the newest TDL4 rootkit variants.
The study found that rootkits infecting via the MBR were responsible for over 62% of all rootkit infections. Driver infections made up only 27% of the total. The clear leader in rootkit infection was the Alureon (TDL4/TDL3) family, responsible for 74% of infections.
“People need to keep an antivirus software installed and updated – regardless of where they got their operating system,” pointed out Mr. Gmerek. “And, if they suspect there is an issue, they can scan their computers with a rootkit removal tool such as aswMBR.”
avast! is the only AV solution to provide on-access detection of rootkits as they try to install themselves in addition to boot-time and on-demand scanning. These anti-rootkit features are included in all free and paid versions of avast!.
As the rootkit specialist at AVAST Software, Mr. Gmerek will be attending the upcoming Blackhat/Def Con events in Las Vegas on August 3-7, 2011. He and the AVAST Virus Lab team would also like the opportunity to brief the press ahead of the public release of his full rootkit research whitepaper. Mr. Gmerek has never before given a briefing to the US media and the session offers insight and detailed statistics around the global infection rates, sources and technological direction of rootkit creators.
|