Re: 14 antivirus apps found to have security problems.

F-Secure Product Expert
F-Secure Product Expert

Re: 14 antivirus apps found to have security problems.

Hello @Bits ,


@Rusli  thank you for your advices. You altogether gave lots of ideas worth following.


In case of infections you can always submit samples to our Lab through its portal.

If you properly fill the submission form, you should get an expert opinion on what is affecting you.

Physically sending us the compromised device(s) to our Lab could also be an option, as Rusli mentioned.


For the legal side of the story, you might want to look for a professional to represent and advise you on what can be done and how it should be done.
This community is not really the place to discuss that side of the story.


PS: I made a separate thread for this discussion, as it wasn't directly related to the beginning of the original thread.

Best Regards



Has somebody helped you? Say thanks by giving likes. Has your issue been solved? Mark the post using "Accept As Solution" button to let others know.
Senior Advisor

Re: 14 antivirus apps found to have security problems.

Hmm... could be a botnet.


The first Davinci malware have an ip address backdoor at


General IP Information
Decimal:    2956616741
ISP:    Linode
Organization:    Linode
Services:    Likely mail server
Assignment:    Static IP
Geolocation Information
Country:    United Kingdom gb flag
Latitude:    51.5  (51° 30′ 0.00″ N)
Longitude:    -0.13  (0° 7′ 48.00″ W)


The one that she has, the malware is resided at Australia.


Quote:" BillyBob Waltzing Maltida with me..."


Re: 14 antivirus apps found to have security problems.


Thank you and Ive taken the proper steps to try to send files for anaysis, unfortunaly after talking to customer support (because it could not detect the virus, as I was afraid) Your second option of sending in the device seems to be neccessary. The support person said to find out from you how to do this. Please advise. Also please see my private messages for further request I need for privacy issue. 

thanks Ben


Senior Advisor
Senior Advisor

Re: 14 antivirus apps found to have security problems.

Scanning the ip address 23.343.207.XX or 23.343.207.XXX comes out nothing on ip address tracker.


if you do a whois is a different ip address.


It's starting with 50.XX.XX.XXX.XXX


So who ever it was that reside in 23.343.207.xx is unknown.


I'm not sure who or what belongs to that ip address.


Hope you get the picture....


I myself do not know where that ip address come from.


The certificate that reside to Australia ip address is different from 23.xx.xx.xx.xx


That's strange... real strange. I'm speechless at this time.


Did you get the macbook pro laptop from someone else or you bought directly from Apple.


Michelle, my advice to you,you don't do any online banking, or make any transaction on your computer. It's not safe.



Quote:"X-Files-The truth is out there"

Senior Advisor

Re: 14 antivirus apps found to have security problems.

About Davinci virus being reported by Kaspersky Lab.


DaVinci surveillance malware distributed via zero-day Flash Player exploit, researchers say
The attacks targeted activists from the Middle East, according to Kaspersky Lab researchers
By Lucian Constantin
February 12, 2013 03:34 PM ET

IDG News Service - Political activists from the Middle East were targeted in attacks that exploited a previously unknown Flash Player vulnerability to install a so-called lawful interception program designed for law enforcement use, security researchers from antivirus vendor Kaspersky Lab said Tuesday.

Last Thursday, Adobe released an emergency update for Flash Player in order to address two zero-day -- unpatched -- vulnerabilities that were already being used in active attacks. In its security advisory at the time, Adobe credited Sergey Golovanov and Alexander Polyakov of Kaspersky Lab for reporting one of the two vulnerabilities, namely the one identified as CVE-2013-0633.

On Tuesday, the Kaspersky Lab researchers revealed more information about how they originally discovered the vulnerability. "The exploits for CVE-2013-0633 have been observed while monitoring the so-called 'legal' surveillance malware created by the Italian company HackingTeam," Golovanov said in a blog post.

HackingTeam is based in Milan but also has a presence in Annapolis, Maryland, and Singapore. According to its website, the company develops a computer surveillance program called Remote Control System (RCS) that is sold to law enforcement and intelligence agencies.

"Here in HackingTeam we believe that fighting crime should be easy: we provide effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities," the company says on its website.

Kaspersky Lab has been monitoring HackingTeam's RCS -- also known as DaVinci -- since August 2012, said Costin Raiu, director of Kaspersky Lab's global research and analysis team.

RCS/DaVinci can record text and audio conversations from different chat programs, including Skype, Yahoo Messenger, Google Talk and MSN Messenger; can steal Web browsing history; can turn on a computer's microphone and webcam; can steal credentials stored in browsers and other programs, and much more, he said.

Kaspersky researchers have detected around 50 incidents so far that involved DaVinci being used against computer users from various countries including Italy, Mexico, Kazakhstan, Saudi Arabia, Turkey, Argentina, Algeria, Mali, Iran, India and Ethiopia.

The most recent attacks that were exploiting the CVE-2013-0633 vulnerability targeted activists from a country in the Middle East, Raiu said. However, he declined to name the country in order to avoid exposing information that could lead to the victims being identified.

It's not clear if the zero-day exploit for CVE-2013-0633 was sold by HackingTeam together with the surveillance malware or if whoever purchased the program obtained the exploit from a different source, Raiu said.

HackingTeam did not immediately respond to a request for comment.

In previous attacks detected by Kaspersky Lab, DaVinci was distributed via exploits for Flash Player vulnerabilities that were discovered by French vulnerability research firm Vupen, Raiu said.

Vupen openly admits to selling zero-day exploits, but claims that its customers are government and law enforcement agencies from countries that are members or partners of the NATO, ANZUS or ASEAN geopolitical organizations.

The DaVinci installer dropped on computers by the CVE-2013-0633 exploit in the first stage of the attack was signed with a valid digital certificate issued by GlobalSign to an individual named Kamel Abed, Raiu said.

GlobalSign did not immediately respond to a request for more information about this certificate and its current status.

This is consistent with past DaVinci attacks in which the dropper was also digitally signed, Raiu said. Previous certificates used to sign DaVinci droppers were registered to one Salvetore Macchiarella and a company called OPM Security registered in Panama, he said.

According to its website, OPM Security sells a product called Power Spy for A!200 (US$267) under the headline "spying on your husband, wife, children or employees." Power Spy's feature list is very similar to the feature list of DaVinci, which means that OPM might be a reseller of HackingTeam's surveillance program, Raiu said.

This is not the first case when lawful surveillance malware has been used against activists and dissidents in countries where free speech is limited.

There are previous reports of FinFisher, a computer surveillance toolkit developed by U.K.-based company Gamma Group International, being used against political activists in Bahrain.

Researchers from the Citizen Lab at the University of Toronto's Munk School of Global Affairs also reported back in October that HackingTeam's RCS (DaVinci) program was used against a human rights activist from the United Arab Emirates.

This type of program is a ticking time bomb because of the lack of regulation and uncontrolled selling, Raiu said. Some countries have restrictions on the export of cryptographic systems, which would theoretically cover such programs, but these restrictions can be easily bypassed by selling the software through offshore resellers, he said.

The big problem is that these programs can be used not only by governments to spy on their own citizens, but can also be used by governments to spy on other governments or can be used for industrial and corporate espionage, Raiu said.

When such programs are used to attack large companies or are used by cyberterrorists, who will be responsible for the software falling into the wrong hands, Raiu asked.

From Kaspersky Lab's perspective, there's no question about it: These programs will be detected as malware regardless of their intended purpose, he said.

Senior Advisor

Re: 14 antivirus apps found to have security problems.

Ben, F-Secure Security team....



Please take note of the news on Davinci Malware virus... which was reported by Kaspersky Labs.


I think you guys need to help her.


She is innocent...


And her Macbook Pro got infected somehow.


It can infect both Windows and Mac OS X.



Senior Advisor

Re: 14 antivirus apps found to have security problems.

Hi Ben,


I PM you, please check...


Please send the debugging techniques to the respective person whom i ask to send it to.

(Including Mikko Hypponen and Sean Sullivan)


Hope this debugging techniques on Crisis/DAVINCI virus help you guys in solving the issues.



Senior Advisor

Re: 14 antivirus apps found to have security problems.

You guys got kungfu chops in debugging!