March 12, 2009, 7:38 am
Exploit code is now available for the popular Foxit
PDF Reader, an alternative to Adobe's Reader.
Many people use Foxit in the hope that it doesn't
contain the same vulnerabilities as the "original"
software from Adobe. But a few issues have been
found with the alternative PDF Reader as well.
Like Adobe Reader, Foxit has security weaknesses.
What is less common is that exploit code is now
publicly available which can be abused to smuggle
malicious code onto a victim's computer with
specially prepared PDF documents. Since an
update is available, make sure to install it
immediately!
Dirk Knop
Technical Editor
March 11, 2009, 7:47 am
Not only Microsoft published security updates:
Adobe also managed to provide a fix for some
versions of Adobe Reader and Acrobat to close an
actively exploited security hole in these
products.
Microsoft issued three security bulletins.
One vulnerability in the Windows kernel could lead
to code execution while viewing manipulated EMF or
WMF graphics; another weakness in Microsoft's
SChannel (Secure Channel) implementation and one in
Microsoft's DNS and WINS servers could be abused to
spoof another identity. An update fixing Microsoft
Excel isn't available yet, though.
Adobe released patches for Acrobat and Reader
Version 9 as announced earlier in February. Patches
for older versions will be following in a week,
according to Adobe.
As some of the closed security holes allow for
(remote) code execution, it is advised to apply the
provided patches as soon as possible.
Dirk Knop
Technical Editor
March 9, 2009, 7:37 am
The Professional Edition of AntiVir 9 will introduce
a new feature which we have called Configuration
Profiles. The idea behind this feature is to better
support mobile users. You have probably faced the
problem yourself when running an enterprise
antivirus: as long as you are located in the company,
the product should update from a server in the
intranet and (in most cases) the security policy is
very restrictive. However, when you are at home,
at a customer's site or in a hotel, updates
should take place from Avira servers and the
security policy might be less restrictive: there's
no help desk available but you urgently need to
install something, etc.
The new Configuration
Profiles now offer an effective and flexible way to
configure AntiVir Professional according to these
needs. The feature allows you to define up to three
individual configuration sets, each called a Profile. A
Profile includes all AntiVir options. For example,
you can define different update servers, activate or
deactivate mail or web protection (e.g. in the
company the user is protected by a gateway; at home
or at a customer's site he is not), etc. This
allows an administrator to configure the system
according to the individual situation.
Configuration
Profiles can be switched automatically by the
detected Gateway.
Each Profile (configuration) can be set active by
an automatic rule. A rule can be:
- Use the profile if the current default gateway or
the default gateway's MAC address matches
- Use the profile if no other rule fits (default rule)
- Do not use a rule
If a rule is set accordingly, AntiVir will
automatically switch the configuration options in
use depending on the current location of the
notebook.
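To make the gateway rule concrete, here is an added example in Python. It is not Avira's code and says nothing about how AntiVir implements the rules internally; it reads the default gateway and its MAC address from constructed `route print` and `arp -a` output (made-up addresses, made-up profile names) and then evaluates a rule list in the spirit of the three rule types above. One deliberate difference from the wording above: a rule that names both a gateway IP and a MAC address only matches when both agree, because a default gateway address such as 10.0.0.1 alone is the same on countless networks.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output in the layout of Windows "route print" and "arp -a".
# Written for this example; not captured from a real machine.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.57     25
         10.0.0.0    255.255.255.0         On-link         10.0.0.57    281
"""

ARP_A = """\
Interface: 10.0.0.57 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.9              aa-bb-cc-dd-ee-ff     dynamic
"""

MAC_RE = re.compile(r"^([0-9a-f]{2})[-:]([0-9a-f]{2})[-:]([0-9a-f]{2})[-:]"
                    r"([0-9a-f]{2})[-:]([0-9a-f]{2})[-:]([0-9a-f]{2})$", re.I)


def normalize_mac(mac: str) -> Optional[str]:
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55; return lower-case colon form."""
    m = MAC_RE.match(mac.strip())
    return ":".join(g.lower() for g in m.groups()) if m else None


def default_gateway(route_output: str) -> Optional[str]:
    """Gateway column of the 0.0.0.0/0.0.0.0 route, or None without a default route."""
    for line in route_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "0.0.0.0" and fields[1] == "0.0.0.0":
            return fields[2]
    return None


def gateway_mac(arp_output: str, gateway_ip: str) -> Optional[str]:
    """MAC address the ARP cache currently holds for the gateway IP."""
    for line in arp_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == gateway_ip:
            return normalize_mac(fields[1])
    return None


@dataclass
class Rule:
    profile: str
    gateway_ip: Optional[str] = None   # match on the default gateway's IP
    gateway_mac: Optional[str] = None  # match on the default gateway's MAC
    default: bool = False              # "use profile if no other rule fits"


# Hypothetical profiles and rules; "Mobile" is the restrictive fallback profile.
RULES: List[Rule] = [
    Rule("Company", gateway_ip="10.0.0.1", gateway_mac="00:11:22:33:44:55"),
    Rule("Customer", gateway_mac="de:ad:be:ef:00:01"),
    Rule("Mobile", default=True),
]


def select_profile(rules: List[Rule], gw_ip: Optional[str],
                   gw_mac: Optional[str]) -> Optional[str]:
    """First rule whose configured criteria all match wins; else the default rule."""
    fallback = None
    for rule in rules:
        if rule.default:
            fallback = fallback or rule.profile
            continue
        criteria = []
        if rule.gateway_ip is not None:
            criteria.append(rule.gateway_ip == gw_ip)
        if rule.gateway_mac is not None:
            criteria.append(normalize_mac(rule.gateway_mac) == gw_mac)
        if criteria and all(criteria):
            return rule.profile
    return fallback


def current_profile(route_output: str = ROUTE_PRINT,
                    arp_output: str = ARP_A) -> Optional[str]:
    gw_ip = default_gateway(route_output)
    gw_mac = gateway_mac(arp_output, gw_ip) if gw_ip else None
    return select_profile(RULES, gw_ip, gw_mac)


if __name__ == "__main__":
    print(current_profile())  # Company
```

The gateway MAC comes from the ARP cache, and anyone on the same LAN can answer ARP for the gateway with a cloned address. A hostile hotspot can therefore present the corporate gateway's IP and MAC and talk the notebook into the permissive "Company" profile, the one that has local web and mail protection switched off because a gateway is supposed to do that job. Keep the most restrictive profile as the default rule, and do not let any profile turn off local protection on the strength of the gateway match alone.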
Configuration Profiles can also be switched
manually (not recommended, as most users will
'forget' to do so):
Users can select the
Configuration Profile manually, too.
Of course Configuration Profiles are also
supported by the Avira Management Console for
centralized management. The administrator can define
the configuration sets and the rules but – obviously
– he cannot switch between the Profiles.
We think that this is a somewhat complex but
useful feature in enterprise environments. By the way, if
you do not want to deal with these profiles you can
continue working the old way, of course.
Thomas Salomon
Manager Windows Software Development
March 5, 2009, 2:10 pm
While
fixing the false positive detection from a few days
ago, PCTools managed to add a new false alarm in
their Google Pack version of Spyware Doctor: today,
the program alerts the user that Avira's ccev.dll
contains Backdoor.Bandok. Of course this is a
false alert; the Avira software is clean.
We
contacted PCTools again and hope that they remove
the faulty signature as soon as possible. Until an
update is available please deactivate Spyware Doctor
from Google Pack.
Update:
PCTools has published an update that remedies the
issue. You can update Spyware Doctor and reactivate
it.
Dirk Knop
Technical Editor
March 4, 2009, 5:16 pm
Today, Günther Oettinger, Minister-President of
Baden-Württemberg, visited us at our CeBIT booth.
Günther Oettinger at
the Avira Booth
Dirk Knop
Technical Editor
March 4, 2009, 2:48 pm
We're blogging live from CeBIT! You can find us
in Hall 11, Booth D19. You can see our game
"Klatsche gegen Viren" in the image; try it, it's
fun!
Avira Booth in Hall
11, D19 at the CeBIT
Interesting presentations are planned at our
Avira Forum. Three times a day the ex-hacker Gunnar
Porada will show some attacks on computers and
networks. Dr. Hackenberg will comment on the attacks
and shed some light on the legal point of
view.
We have further presentations in which specialists
demonstrate our business product line and how it
fits into specific environments.
Dirk Knop
Technical Editor
March 3, 2009, 10:40 am
Users
of PCTools' Spyware Doctor have gotten a false
alarm: with a recent update, the antispyware detects
Avira's aecore.dll as the Trojan CDur. This is of
course a false positive detection, something that
antimalware specialists try to avoid. We contacted
PCTools to make sure they remove the false detection
as soon as possible.
Anyhow, this false positive
detection appeared and led some users to block
their aecore.dll, which prevents Avira AntiVir from
working correctly. As a countermeasure, please
deactivate your antispyware solution, unblock
aecore.dll and, as soon as PCTools manages to remove
the false detection, update and reactivate the
antispyware. Further information can be found in our
forum.
Update:
The false positive detection was caused by the
Spyware Doctor version from the Google Pack. In the
meantime, an updated signature database is
available. Users of the Google Pack/Spyware Doctor
should update their database and reactivate the
software.
Dirk Knop
Technical Editor
February 27, 2009, 9:09 am
APWG has published an advisory document called “What
to do if your site has been hacked by Phishers”.
This document gives website owners hints for
specific actions they can take when they have been
notified that their website or webserver has been
infiltrated and is used for Phishing. If you are a
brand owner, takedown provider, or ISP, feel free to
include a link to this document when you communicate
with people who have had their sites compromised to
host phishing.
If you know any brand owners,
takedown providers, or ISPs that might be interested
in using this document, please feel free to forward
this document to them or notify them of its
existence.
Here is the document:
http://www.apwg.com/reports/APWG_WTD_HackedWebsite.pdf
Many thanks to APWG (www.apwg.org) for their
continuous fight against this Internet plague.
Sorin Mustaca
Manager International Development
February 23, 2009, 7:34 am
While analysing the latest malicious PDF exploit
documents, we found the embedded shellcode to have
some interesting features. The shellcode is
executed once the exploit has succeeded.
The server the
shellcode connects to sits in China.
The payload of the PDF contacts a server in
China; so far nothing uncommon here. The contacted
system belongs to the network of the Chinese CHINA
RAILWAY TELECOMMUNICATIONS CENTER. Very unusual,
though, is the port used for communicating
with the command and control server: it's port 220,
which is assigned to the IMAPv3 protocol. The
protocol actually spoken appears to be proprietary and zlib
compressed.
An unusual port gets
used for communication with the command and
control server.
From there it downloads further malware. Among the
malware we have seen is, for example, BDS/Agent.adsi,
a backdoor. It gets installed in the Windows system
directory.
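As an added example (written for this page, not taken from the analysis above and not Avira's detection logic), the following Python checks what a flow on TCP port 220 actually carries. A real IMAP3 server greets with an untagged "* OK" line and clients send tagged commands, whereas the command and control traffic described above is zlib compressed, and a zlib stream begins with a two-byte header (RFC 1950) that can be validated and test-inflated. All flows below are constructed, including the made-up "C2" payload, which is compressed inside the example itself.

```python
import re
import zlib
from typing import List, Tuple

IMAP_PORTS = {143, 220}  # imap and imap3 as assigned by IANA

# Constructed sample flows: (name, destination port, first payload bytes).
# None of this is captured traffic; the C2 blobs are produced right here.
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    ("imap3-greeting", 220, b"* OK IMAP3 server ready\r\n"),
    ("imap3-client", 220, b"A001 LOGIN user pass\r\n"),
    ("c2-suspect", 220, zlib.compress(b"BOT=0001;CMD=GET;PATH=/update.bin")),
    # First 40 bytes of a longer stream: a sensor often only sees a prefix.
    ("c2-truncated", 220, zlib.compress(bytes(range(256)))[:40]),
    ("http", 80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

IMAP_UNTAGGED = re.compile(rb"^\* (OK|NO|BAD|PREAUTH|BYE)\b")
IMAP_TAGGED = re.compile(rb"^[A-Za-z0-9]{1,16} [A-Z]{2,16}\b")


def has_zlib_header(data: bytes) -> bool:
    """RFC 1950 header: CM=8 (deflate), CINFO<=7, CMF*256+FLG divisible by 31."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0


def inflate_prefix(data: bytes) -> bytes:
    """Inflate as much as the (possibly truncated) stream allows; b'' on error."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return b""


def looks_like_imap(data: bytes) -> bool:
    """Untagged server response or tagged client command at the start of the flow."""
    return bool(IMAP_UNTAGGED.match(data) or IMAP_TAGGED.match(data))


def classify(port: int, data: bytes) -> str:
    """Protocol-conformance verdict for the first bytes of a flow."""
    if port not in IMAP_PORTS:
        return "other-port"
    if looks_like_imap(data):
        return "imap"
    if has_zlib_header(data) and inflate_prefix(data) != b"":
        return "zlib-on-imap-port"
    return "unknown-on-imap-port"


def suspicious_flows(flows: List[Tuple[str, int, bytes]]) -> List[str]:
    """Names of flows on an IMAP port that do not speak IMAP."""
    return [name for name, port, data in flows
            if port in IMAP_PORTS and classify(port, data) != "imap"]


if __name__ == "__main__":
    for name, port, data in SAMPLE_FLOWS:
        verdict = classify(port, data)
        extra = inflate_prefix(data)[:32] if verdict == "zlib-on-imap-port" else b""
        print(f"{name:15s} port {port:3d}: {verdict} {extra!r}")
```

This is a conformance check for a well-known port, not a signature for this particular shellcode: it flags any non-IMAP use of port 220, which is exactly the kind of anomaly worth an analyst's look, and it says nothing about a bot that moves to another port or wraps its protocol in something that parses as IMAP.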
While Adobe is still working on the patch for this
security vulnerability, make sure to disable
JavaScript support in Adobe Reader and in Acrobat
(this hampers the exploit documents seen so far but
is not a fix for the vulnerability itself);
also use up-to-date antivirus software like Avira
AntiVir. Avira AntiVir detects the known malicious
PDF files and the downloaded malware. We plan to
release a heuristics update today which will detect
even more malicious PDF files, including yet unknown
ones.
Dirk Knop
Technical Editor
February 18, 2009, 7:57 am
Microsoft
patched a security hole in Internet Explorer on
Patch Tuesday last week (MS09-002). As expected,
the first public exploits have appeared for the
vulnerability, trying to install malware on
the computers of unsuspecting users.
A link is spread
in spam mails with a Word document attached that
opens a Chinese website, which in turn tries to
exploit the vulnerability on unpatched systems. The
vulnerability can also be exploited via
drive-by download, but we haven't seen this
attack vector being used yet.
Avira detects the exploit site as being infected
with HTML/Rce.Gen and warns the user. So users of
Avira products are currently safe from the attack.
Anyhow, now it's time to patch the computers with
the available update. Make sure all your computers
are up to date!
Dirk Knop
Technical Editor