AVAST Software: How to lose a million customers with malware

PRAGUE, Czech Republic, January 31, 2011 – Everyone knows that too much crime in the neighborhood is not good for business. So, it should be a surprise that companies running online shops don’t pay more attention to keeping their sites infection-free. While it may not directly affect their business, it might keep would-be customers from getting in the front door. To illustrate this point, nearly one million users of avast! antivirus software were prevented from visiting a legitimate but infected online store – and that was after AVAST Software informed the company about the infection.

“With Francoise Saget, we have a perfect illustration as to why it’s much more effective – from the public safety perspective – to tell thousands of users about an infected site instead of the individual administrator,” said Ondrej Vlcek, CTO of AVAST Software. “With CommunityIQ members on the internet nonstop, there is a constant two-way flow of information about infected sites between avast! and our users. Getting a hold of a site admin is another issue.”

The avast! Virus Lab noticed an infection at francoisesaget.com at 12:20:40 (Central European Time) on November 21, 2010. The infection was HTML:Illiframe-R [Trj], a Trojan redirecting unsuspecting visitors to a malware distribution site in China. Within two days, the infected page had been visited 65,968 times by avast! CommunityIQ members.

Ahead of the holiday shopping season, AVAST decided to directly contact the shop about the infection and emailed them a message – in English and in French – on November 23. There was no response. As of January 26, two months after the avast! Virus Lab found the Trojan malware, the site was still infected. During this time, avast! had blocked 946,376 attempts by its users to visit the infected page.

“The lack of response is exactly what we have encountered other times we’ve tried to tell websites about infections, even those based near our company headquarters,” said Mr. Vlcek. “Here are a few lessons we’ve learned during our attempts to directly contact administrators about their infected sites.”

Five facts about infections and responsibility:

  1. Breaking the news about an infection is difficult – It is usually not clear what individual or department is responsible for site safety, or even how to contact them. Even after the responsible person has been identified, it is often difficult to convince them that their site has a problem which they should correct.
  2. Infections are not always activated – Site infections, unlike the human variety, are not always turned on. They can be turned off and on to avoid detection and when the malware is being ‘upgraded’. With an estimated 200,000 infected sites for the ‘Ill’ family of Trojans, there is room for a lot of changes.
  3. Infections do not impact performance – Many infections will have no influence on a website’s direct functionality. The ‘Ill’ Trojan just redirects visitors to one of more than 3,400 malware distribution domains. Yes, visitors might get infected, but they can still do their e-shopping.
  4. Don’t rely on the other party staying clean – The francoisesaget.com site has SSL (Secure Sockets Layer), HTTPS security systems and VeriSign systems in place. While these may keep financial transactions safe, they have not kept the site clean of malware.
  5. Safety requires (your) personal responsibility – To remain safe, all computer users need a certified and updated antivirus application on their computers at all times.