Posts Tagged: AVAST!

Sep 15

Like Kaspersky, Russian Antivirus Firm Dr.Web Tested Rivals

A recent Reuters story accusing Russian security firm Kaspersky Lab of faking malware to harm rivals prompted denials from the company’s eponymous chief executive — Eugene Kaspersky — who called the story “complete BS” and noted that his firm was a victim of such activity.  But according to interviews with the CEO of Dr.Web — Kaspersky’s main competitor in Russia — both companies experimented with ways to expose antivirus vendors who blindly accepted malware intelligence shared by rival firms.

quarantineThe Reuters piece cited anonymous, former Kaspersky employees who said the company assigned staff to reverse-engineer competitors’ virus detection software to figure out how to fool those products into flagging good files as malicious. Such errors, known in the industry as “false positives,” can be quite costly, disruptive and embarrassing for antivirus vendors and their customers.

Reuters cited an experiment that Kaspersky first publicized in 2010, in which a German computer magazine created ten harmless files and told antivirus scanning service that Kaspersky detected them as malicious (Virustotal aggregates data on suspicious files and shares them with security companies). The story said the campaign targeted antivirus products sold or given away by AVG, Avast and Microsoft.

“Within a week and a half, all 10 files were declared dangerous by as many as 14 security companies that had blindly followed Kaspersky’s lead, according to a media presentation given by senior Kaspersky analyst Magnus Kalkuhl in Moscow in January 2010,” wrote Reuters’ Joe Menn. “When Kaspersky’s complaints did not lead to significant change, the former employees said, it stepped up the sabotage.”

Eugene Kaspersky posted a lengthy denial of the story on his personal blog, calling the story a “conflation of a number of facts with a generous amount of pure fiction.”  But according to Dr.Web CEO Boris Sharov, Kaspersky was not alone in probing which antivirus firms were merely aping the technology of competitors instead of developing their own.

Dr. Web CEO Boris Sharov.

Dr.Web CEO Boris Sharov.

In an interview with KrebsOnSecurity, Sharov said Dr.Web conducted similar analyses and reached similar conclusions, although he said the company never mislabeled samples submitted to testing labs.

“We did the same kind of thing,” Sharov said. “We went to the [antivirus] testing laboratories and said, ‘We are sending you clean files, but a little bit modified. Could you please check what your system says about that?'”

Sharov said the testing lab came back very quickly with an answer: Seven antivirus products detected the clean files as malicious.

“At this point, we were very confused, because our explanation was very clear: ‘We are sending you clean files. A little bit modified, but clean, harmless files,'” Sharov recalled of an experiment the company said it conducted over three years ago. “We then observed the evolution of these two files, and a week later, half of the antivirus products were flagging them as bad. But we never flagged these ourselves as bad.”

Sharov said the experiments by both Dr.Web and Kaspersky — although conducted differently and independently — were attempts to expose the reality that many antivirus products are simply following the leaders.

“The security industry in that case becomes bullshit, because people believe in those products and use them in their corporate environments without understanding that those products are just following others,” Sharov said. “It’s unacceptable.”

According to Sharov, a good antivirus product actually consists of two products: One that is sold to customers in a box and/or or online, and the second component that customers will never see — the back-end internal infrastructure of people, machines and databases that are constantly scanning incoming suspicious files and testing the overall product for quality assurance. Such systems, he said, include exhaustive “clean file” tests, which scan incoming samples to make sure they are not simply known, good files. Programs that have never been seen before are nearly always given more scrutiny, but they also are a frequent source of false positives.

“We have sometimes false positives because we are unable to gather all the clean files in the world,” Sharov said. “We know that we can get some part of them, but pretty sure we never get 100 percent. Anyway, this second part of the [antivirus product] should be much more powerful, to make sure what you release to public is not harmful or dangerous.”

Sharov said some antivirus firms (he declined to name which) have traditionally not invested in all of this technology and manpower, but have nevertheless gained top market share.

“For me it’s not clear that [Kaspersky Lab] would have deliberately attacked other antivirus firm, because you can’t attack a company in this way if they don’t have the infrastructure behind it,” Sharov said. Continue reading →

Feb 13

Exploit Sat on LA Times Website for 6 Weeks

The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks.

On Feb. 7, KrebsOnSecurity heard from two different readers that a subdomain of the LA Times’ news site ( was silently redirecting visitors to a third-party Web site retrofitted with the Blackhole exploit kit. I promptly asked my followers on Twitter if they had seen any indications that the site was compromised, and in short order heard from Jindrich Kubec, director of threat intelligence at Czech security firm Avast. 

latimesKubec checked Avast’s telemetry with its user base, and discovered that the very same LA Times subdomain was indeed redirecting visitors to a Blackhole exploit kit, and that the data showed this had been going on since at least December 23, 2012.

Contacted via email, LA Times spokeswoman Hillary Manning initially said a small number of users trying to access a subdomain of the site were instead served a malicious script warning on Feb. 2 and 3. But Manning said this was the result of a glitch in Google’s display ad exchange, not a malware attack on the company’s site.

“The LA Times, along with dozens of other Google ad exchange users including the New York Times, the Guardian, CNET, Huffington Post and ZDNet, were, to varying degrees, blocked by malicious script warnings,” Manning wrote in an email to KrebsOnSecurity. “The impacted sections of our site were quickly cleared and there was never any danger to users.”

Unfortunately, Avast and others continued to detect exploits coming from the news site. Manning subsequently acknowledged that the Google display ad issue was a separate and distinct incident, and that the publication’s tech team was working to address the problem.

Malicious code served by

Malicious code served by

It’s not clear how many readers may have been impacted by the attack, which appears to have been limited to the Offers and Deals page of the Web site. Site metrics firm says this portion of the newspaper’s site receives about .12 percent of the site’s overall traffic, which according to the publication is about 18 million unique visitors per month. Assuming the site was compromised from Dec. 23, 2012 through the second week in February 2013, some 324,000 LA Times readers were likely exposed to the attack.

Continue reading →

Mar 12

Avast Antivirus Drops iYogi Support

iYogi Refers to Incident as ‘Tylenol Moment’

Avast, an antivirus maker that claims more than 150 million customers, is suspending its relationship with iYogi, a company that it has relied upon for the past two years to provide live customer support for its products. The move comes just one day after an investigation into iYogi by indicating that the company was using the relationship to push expensive and unnecessary support contracts onto Avast users.

In a blog post published today, Avast said it came to the decision after reports on this blog that “iYogi’s representatives appear to have attempted to increase sales of iYogi’s premium support packages by representing that user computers had issues that they did not have.”

“Avast is a very non-traditional company in that positive referrals and recommendations from our user base drive our product usage,” Avast CEO Vince Steckler wrote. “We do not distribute our products in retail, via computer manufacturers, or other similar channels. This model has served us well and has made us the most popular antivirus product in the world. Last year we added over 30M new users on top of almost 30M new users in the previous year. As such, any behavior that erodes the confidence our users have with Avast is unacceptable. In particular, we find the behavior that Mr. Krebs describes as unacceptable.”

Steckler said Avast had initial reports of the unnecessary upselling a few weeks ago and met with iYogi’s senior executives to ensure the behavior was being corrected.

“Thus, we were shocked to find out about Mr. Krebs’ experience. As a consequence, we have removed the iYogi support service from our website and shortly it will be removed from our products,” Steckler said. “We believe that this type of service, when performed in a correct manner, provides immense value to users. As such, over the next weeks, we will work with iYogi to determine whether the service can be re-launched.”

Steckler added that Avast will also work to ensure that any users who feel they have been misled into purchasing a premium support receive a full refund. The company asked that users send any complaints or concerns to or even to the CEO himself, at

iYogi executives posted several comments to this blog yesterday and today in response to my reporting. After Avast announced its decision to drop iYogi, Larry Gordon, iYogi’s president of global channel sales, sent me a formal letter that was unapologetic, but which promised that the company would endeavor to do better. Gordon called the incident, a “Tylenol moment for iYogi and the leadership team.” His letter is reprinted in its entirety below.

Continue reading →

Mar 12

Aghast at Avast’s iYogi Support

The makers of Avast antivirus software are warning users about a new scam involving phone calls from people posing as customer service reps for the company and requesting remote access to user systems. Avast is still investigating the incidents, but a number of users are reporting that the incidents followed experiences with iYogi, the company in India that is handling Avast’s customer support.

A follow-up investigation by KrebsOnSecurity indicates that Avast (among other security companies) is outsourcing its customer support to a third-party firm that appears engineered to do little else but sell expensive and unnecessary support contracts.

Adam Riley, Avast’s third party support manager, wrote in a post on the company’s blog that “during the past week or so, we have received some complaints and it appears that some of our customers are being targeted by a new scam.  Luckily only a handful of customers have contacted us regarding this so far, but they report receiving phone calls from ‘Avast customer service’ reps who need to take control of their computer to resolve some issue and who, for a fee, wish to charge them for this privilege.”

I’d first heard about the issue when a reader wrote in to say he’d received complaints from his clients about calls from someone claiming to represent Microsoft and requesting remote access to user computers to help troubleshoot computer problems.

I decided to investigate iYogi myself, and created a fresh installation of Windows XP on my Mac, using the free virtual machine from Virtualbox. I wanted to see whether I, too, would receive follow-up sales pitches. I also wanted to see for myself if there was anything to the claims on Avast’s user forum that iYogi was using support requests to push expensive “maintenance and support” packages.

A call to the support number listed on Avast’s site put me through to a technician named Kishore Chinni; I told Mr. Chinni that I had just installed a copy of Avast, but that I couldn’t be certain it was updating correctly. He asked for a phone number and an email address, and then said the first thing he needed to do was take remote control over my system. He directed me to use Internet Explorer to visit a Web site that requested permission to install two ActiveX add-ons. Those add-ons installed a remote control client called Bomgar Support.

Chinni asked if I had previously installed any antivirus software, and I said I wasn’t sure (I hadn’t). He then fired up the Windows Registry Editor (regedit), poked around some entries, and then opened up the Windows System Configuration Utility (msconfig) and the Windows Event Viewer. Chinni somberly read aloud a few of the entries in the event viewer marked with yellow exclamation points, saying they were signs that my computer could have a problem. He then switched over to the “services” panel of the system configuration tool and noted that the “manufacturer” listing next to avast! antivirus read “unknown.”

“When it says unknown like that, these are warnings that there could be an infection running on the computer,” Chinni explained. He proceeded to install an iYogi “tune up” tool called PCDiagnostics, which took about 60 seconds to complete a scan of my system. The results showed that my brand new installation of Windows had earned a 73% score, and that it had to detected 17 registry errors and a problem with Windows Update (this was unlikely, as I had already enabled Windows Update and Automatic Updates before I made the support call, and had installed all available security patches). Chinni explained that the “antispyware” warning generated by the PCDiagnostics scan was an indication that a previously installed security software program had not been cleanly removed and was probably causing problems with my computer.

He said another technician could help me with these problems if I wanted. When I inquired whether it would be free, Chinni told me that the company sells support packages for one- to three-year durations, and that the starting price for a support package was $169.99. Continue reading →

Aug 10

Anti-virus Products Mostly Ignore Windows Security Features

I recently highlighted a study which showed that most of the top software applications failed to take advantage of two major lines of defense built into Microsoft Windows that can help block attacks from hackers and viruses. As it turns out, a majority of anti-virus and security products made for Windows users also forgo these useful security protections.

Continue reading →