News of Doctor Web
February 27, 2015
Mac.BackDoor.OpinionSpy programs have been known to information security experts since 2010, but recently a new version of this malware got into Doctor Web's virus laboratory. This backdoor was named
When launched on the target Mac, PremierOpinion also connects to the command and control server and receives a link to download another .osa package, from which the complete application with the same name, PremierOpinion, is extracted and installed. This application contains several executable files: the PremierOpinion program, which does not have any malicious payload, and the PremierOpinionD backdoor, which implements features that are dangerous to the user of Mac OS X.
The Trojan obtains administrative rights during installation and operates in the system with administrator privileges. If the user initially chooses “I Disagree” in the Setup dialogue box, only the program that the user downloaded from the Internet is installed on the computer, without any additional spy components.
If the user chooses “I Agree”, PremierOpinion is installed on the computer in addition to the downloaded application. Its icon appears in the command bar and in the list of installed applications.
PremierOpinion's interface is quite concise.
By clicking the application icon in the command bar, the user runs the browser with a loaded page that contains a description of PremierOpinion presented as a marketing research tool. However, the developer's website does not report that it collects and transmits the information about the Apple computer running this application to the remote server.
The developers claim that PremierOpinion merely monitors the user's shopping history and from time to time offers to take part in marketing research, which requires answering a number of questions in a special form. In practice, the features of
While exchanging information with the command and control server, the Trojan encrypts some data and transmits other data in plain text. Among other issues,
The signature of this malware has been added to the Dr.Web virus database. We warn users of computers running Mac OS X to pay careful attention to the applications they download from the Internet.
February 27, 2015
According to news reports, on February 24, 2015, command and control servers of the Rmnet botnet were shut down through the combined efforts of several organizations. The operation involved Europol's European Cybercrime Centre, CERT-EU (Computer Emergency Response Team), Symantec, Microsoft, AnubisNetworks and other European organizations. In particular, Europol's web page reports that IT security specialists managed to intercept about 300 Internet domain addresses of command and control servers generated by the malicious program, and the Reuters news agency reports that 7 command and control servers were shut down during the operation. According to Symantec, the operation took down a botnet consisting of 350,000 compromised devices; according to Microsoft, their total number may reach 500,000.
Doctor Web's security researchers monitor several botnet subnets created by hackers using different versions of the Rmnet file infector. Thus, the modification called
A later modification of the virus,
Despite the numerous news reports on the successful operation to block the activity of the Rmnet botnet, Doctor Web's analysts have not registered any decrease in the activity of the botnets monitored by the anti-virus laboratory. So far, Doctor Web's security researchers know of at least 12 Rmnet subnets that use an algorithm for generating the control servers' domains and at least two Win32.Rmnet.12 subnets that do not use automatic domain generation (Symantec's specialists blocked only one subnet, with seed 79159c10, from the first category).
In particular, two
A similar situation exists when monitoring computers compromised with malicious modules, known as
These statistics show that the organizers of the operation aimed at destroying the Rmnet botnet have apparently failed to eliminate all of its command and control servers. No fewer than 500,000 computers compromised with various modifications of this virus still remain active and communicate with the surviving command and control servers. Doctor Web will continue to monitor the situation.
February 25, 2015
A problem with the Dr.Web Net filtering Service configuration scripts was eliminated in Dr.Web Security Space, Dr.Web Anti-virus, and Dr.Web Desktop Security Suite. The problem would occur when viewing the component's notifications in the Windows Event Log.
For all the products mentioned, except for Dr.Web Desktop Security Suite, a Dr.Web Security Space Anti-virus for Windows Setup defect was corrected. It involved removal of the anti-virus when the self-protection driver malfunctioned.
In Dr.Web for Desktop Security Suite, SpIDer Agent for Windows now allows users to enable and disable the proactive protection features. Also resolved was an issue involving the incorrect status being displayed in the ‘Mode’ tab if the connection to the Dr.Web Control Center was lost. A Dr.Web Enterprise Agent for Windows setup issue that involved switching from the standalone mode to the enterprise server mode has been eliminated.
The update will be performed automatically; however, a system reboot will be required.
February 24, 2015
- Assign permissions to toggle on/off proactive protection features on target hosts.
- Verify the SSL certificates of Global Updating System servers against a user-defined certificate.
- Take advantage of the expanded Office Control list to protect objects on Windows machines.
- The ‘Help’ section of the Dr.Web Security Control Center gives users access to a greater amount of documentation.
- The language files of the Security Control Center UI have also been updated.
- An issue that prevented virus statistics from being obtained via inter-server communication.
- An issue involving multiple entries for a single host being displayed on a group status page.
- An error that might prevent new hosts from being approved to connect to the Dr.Web Server.
- An issue involving incorrect server version information being displayed on the version list page.
- An issue related to the list of Windows updates installed on target machines.
- An extra field issue that occurred when adding a ‘Purge old records’ job to the server schedule.
- An issue that might result in server update errors.
- A defect involving scan error messages being received from Linux machines.
- Other minor fixes have been made.
The updated product is available through the Dr.Web Control Center web interface where it will appear as an update dated 06.02.2015. The updated distribution files can also be downloaded from Doctor Web's site.
February 24, 2015
The situation on the handheld malware front
The past year was rather eventful in terms of new malicious applications being used by criminals to attack smartphones and tablets running Android and iOS. At the same time, Android continued to maintain its leading position on the handheld market, so it's hardly surprising that cybercriminals have made this OS their primary target. By the end of 2014, the Dr.Web virus database had expanded by 2,867 new entries for various malicious, unwanted, and potentially dangerous applications and held a total of 5,681 definitions—showing 102% growth compared with the same period in 2013. And compared with 2010, when the first definitions for Android malware appeared in the Dr.Web virus database, the figure has increased 189 times, or 18,837%.
As the amount of malware and unwanted software for Android grew through 2014, so did the number of new Android malware families—it reached 367, which is 11% more than the 331 families known at the end of 2013.
As before, Trojans that steal confidential information or provide criminals with other ways of generating illicit income were some of the most abundant malware applications for Android in 2014. Ideas for new Trojan designs were often inspired by malicious programs for desktops and laptops.
Attackers keep profiting from premium SMS messages
Fraud schemes aimed at subscribing victims to chargeable services or covertly sending short messages to premium numbers remain the most common way for attackers of handheld devices to make money illegally. So it’s no wonder that
Malicious programs from other families facilitate the transmission of SMS messages to premium numbers too.
Yet, enterprising criminals didn't stop there; they expanded their premium SMS profit arsenal even further with Trojans of the new
Virus makers also obfuscate this malware’s code to make it more complicated for anti-virus companies to analyse it, and to make it less likely that security software will detect it—this is another distinguishing feature of these programs. In 2014, the Dr.Web virus database received 113 entries for
Mobile banking Trojans hunt for subscribers' money
Remote banking services, particularly mobile banking, are becoming more and more popular among users. Cybercriminals could not simply ignore this fact, so it's no wonder that their attacks on handhelds have intensified through the years. They employ a substantial variety of malicious programs to gain access to user bank accounts in many countries. On infected devices, these malicious programs can steal account access passwords, intercept SMS messages containing mTANs, transfer money to criminal accounts, steal other confidential information and covertly send short messages to specified numbers.
With its developed market of online banking services, South Korea has become one of the most attractive regions for money-hungry criminals. To spread malicious Android applications on devices in South Korea and to get to the customers of its financial institutions, enterprising virus writers made heavy use of unsolicited SMS messages containing Android Trojan download links. According to statistics gathered by Doctor Web, over the past 12 months, cybercriminals organised over 1,760 such spam campaigns involving about 80 different malicious programs for Android, as well as many modifications of them.
To get their targets interested in spam messages enough to open a download link, criminals supplement the link with a socially meaningful message. The most popular topics include postal delivery tracking, invitations to all sorts of events including weddings and meetings, as well as criminal offence reports and notifications about civil defence exercises. In addition, messages were sent on behalf of banks, telecom providers and popular online services. Criminals weren’t the slightest bit squeamish about using news about large scale technological and natural disasters and accidents as an irresistible lure.
Users who opened links in messages of this kind were typically redirected to a bogus site involved in hosting and spreading malware or ended up on a page of a file-sharing service employed by criminals for the same purpose. It is noteworthy that in most cases (66.78%), criminals preferred file-sharing services or other means freely available to the general public to spread their malicious applications. Unlike websites of their own making, those require neither effort nor money to design and maintain.
The magnitude of South Korean spam campaigns enabled criminals to impact from several hundred to tens of thousands of people. For example, in April, Doctor Web registered the mass distribution of the Trojan program
Screenshots showing examples of sites crafted by virus makers to spread malware in South Korea in 2014
Criminals using file-sharing services to host and spread Android malware in South Korea
Many Trojans employed by attackers in South Korea incorporated a rather extensive payload and sophisticated design. For example, in order to steal valuable information, many banking Trojans (including
South Korean virus makers applied various packers and code obfuscation techniques to make it harder for anti-viruses to detect the malware. Furthermore, cybercriminals very often hid malicious Android applications by employing all kinds of droppers belonging to the
It is also worth mentioning that in some cases, South Korean Trojans didn't just conceal themselves from users and popular anti-viruses but also attacked the latter rather aggressively and attempted to remove the anti-viruses whenever they discovered the Trojans in the system.
The twenty most common Android Trojans in South Korea in 2014 are presented in the figure below.
Russia also saw quite a few capable Android banking Trojans in 2014. Discovered in autumn by Doctor Web security researchers,
Bank customers in other countries didn't escape the attention of criminals either. For example, in November Brazilian users were threatened by two banking Trojan spies lodged in the Google Play catalogue:
Special attention needs to be paid to
Number of devices infected by Android.Wormle.1.origin in November 2014
Ransomware lockers and mining Trojans generate revenue
The emergence of several new types of malicious applications created by cybercriminals for illegal gain was one of the key trends of the past year. In particular, in May the first-ever Trojans capable of locking mobile devices and demanding a ransom from users were discovered. These applications provided criminals with easy money, so the subsequent rapid upsurge in their quantity was hardly surprising. Thus, while in May the Dr.Web virus database contained only two entries for Android ransomware, by the end of 2014 that figure had increased by 6,750% and reached 137.
Discovered in May, the dangerous locker program
It should be noted however, that for now criminals still prefer less vicious versions of the malware, and most known Android ransomware programs merely lock devices and accuse their owners of committing all kinds of crimes such as viewing and storing adult content illegally. This intimidation technique was used in attacks on devices in various countries, and false accusations were typically made on behalf of the police, investigators, and other law enforcement agencies of the country in which the malware operated. For example, discovered in June,
However, virus writers didn't stop at blocking mobile devices and displaying threats. For example, discovered in September, the extortionist
However, the new programs discovered in 2014 weren’t limited to ransomware. In 2013, various Trojans designed to exploit the resources of infected machines in order to mine cryptocurrencies were widespread on desktop PCs. Apparently, their success encouraged makers of malware for handhelds, and the first programs of this kind for Android appeared in early 2014. Of special note were the Android miners (included in the Dr.Web virus database as
April 2014 saw new versions of the Trojans designed to mine bitcoins being discovered on Google Play. These malicious applications were hidden in innocuous "live wallpaper" and would also begin their illegal activities after infected mobile devices lay dormant for a certain amount of time.
Unlike similar programs discovered in March, the new members of the
Confidential data still a target
Virus makers aren’t just out to get hold of users' money. They just as eagerly hunt for their confidential information which can yield just as much of a profit. In 2014, information security experts registered scores of such attacks, many involving highly sophisticated malicious applications.
For example, an entry for Android.Spy.67.origin, which spread in China in the guise of software updates, was added to the Dr.Web virus database in January. This malicious program was installed in the guise of popular applications and created several corresponding shortcuts on the home screens of the devices it compromised. When launched, Android.Spy.67.origin deleted the shortcuts and collected personal information, including SMS history, call log, and GPS coordinates. In addition, the malware could activate the camera and microphone of the mobile device; it could index images and create thumbnails of them. All the information acquired was uploaded to an intruder-controlled server. Android.Spy.67.origin had another peculiar feature: if the malware gained root access, it would disrupt the operation of popular Chinese anti-viruses, remove their virus databases, and install a malicious program that could, in turn, covertly install other applications.
In spring 2014, security researchers also found numerous remarkable spying Trojans attacking Android-powered devices. In early March, cybercriminals began commercially distributing another "mobile" spy. Dubbed
Also in March, Doctor Web discovered a rather unusual backdoor that was subsequently dubbed Android.Backdoor.53.origin. In order to spread this program, the criminals behind it modified Webkey, a legitimate application that lets users control their mobile devices remotely. Unlike the original version, the compromised application didn't have a GUI, and after installation it hid its presence in the system by removing its icon from the main screen. When launched, Android.Backdoor.53.origin sent the device's ID to a remote server, signalling that the infection had been initiated successfully. As a result, the intruders could get full control over the device and gain access to its personal data and hardware features.
In August 2014 information security specialists discovered another dangerous backdoor for Android. Under the Dr.Web classification system, it was given the name
Trojans pre-installed on mobile devices and the first-ever bootkit for Android
One way cybercriminals have found to spread malicious software programs for the Android OS is to either embed them in files (e.g., Android firmware) that are then posted on the Internet where they can be downloaded by users, or pre-install them on mobile devices. This method has several advantages for attackers. First, hidden this way, malware can remain "in the shadows" and operate successfully for a long time, without attracting attention. Second, even if the embedded Trojan is exposed, most users are unlikely to be able to do anything about it since removing the unwelcome intruder entails either obtaining root privileges or installing clean firmware which results in total data loss. In the worst case scenario, the victim will either have to just put up with the malicious software running on their phone or simply exchange it for another Android smartphone or tablet.
The last year witnessed several incidents involving malicious applications being hidden in Android OS firmware distributed online, as well as pre-installed malware being found on some mobile devices. One of the most notable cases involving similar Trojans occurred in January, when the malicious application
A little later, security researchers discovered an upgraded version of this Trojan. In this case, some of the installed malware components incorporated obfuscated code. They removed themselves after being launched and continued to operate only in the memory. This very same Trojan,
In February, Doctor Web discovered several applications, designed to covertly send short messages, embedded in Android firmware. One of them in particular, Android.SmsSend.1081.origin, worked as an audio player that sent out SMS messages containing IMSI identifiers to try to automatically subscribe users to a Chinese online music site. It is noteworthy that the Trojan did not control the number of SMS messages being sent. Every time it was launched, it dispatched messages, each time reducing the subscriber's balance by a small amount of money. Android.SmsSend.1067.origin featured a similar payload and was embedded into a system application. It also covertly sent messages of this kind but relayed the handheld’s IMEI instead of the SIM card ID.
Also hidden on a number of Android-powered devices was the Trojan program
Discovered in December, Android.Backdoor.126.origin was another malicious program that was deployed by criminals on a range of mobile devices. This malicious program could execute commands to generate short messages containing specific texts and add them into the message inbox which enabled enterprising criminals to use it in the most diverse fraud schemes. A definition for a similar malicious program was added into the Dr.Web virus database in November. However, that one—Android.Backdoor.130.origin—came with a more extensive array of features. Specifically, it could covertly send short messages; make calls; display ads; and download, install, and launch applications; as well as transmit all sorts of confidential information, including call and SMS history and location data, to a remote server. In addition, Android.Backdoor.130.origin could remove applications that had already been installed on infected devices, and execute a slew of other undesirable actions.
Attacks on Apple handhelds
Even though many cybercriminals view mobile devices running Android as their main target, they relentlessly pursue additional sources of extra income and turn to other popular mobile platforms. For example, in 2014 intruders orchestrated a series of attacks on devices manufactured by the Apple Corporation. Owners of unaltered iOS smartphones and tablets came under fire as did owners of jailbroken handhelds.
In March, IPhoneOS.Spad.1, which targeted jailbroken devices and modified the parameters of some advertising modules embedded in various applications for iOS, was discovered in China. The profit generated by the advertisement was subsequently channelled to an account belonging to enterprising hackers rather than to the authors of those programs. In April, another Trojan was found that also attacked jailbroken mobile devices in China. Classified by Dr.Web as IPhoneOS.PWS.Stealer.1, the malware stole Apple ID credentials on devices compromised by the Trojan. Compromised Apple IDs can affect the ability of users to access most Apple services, including App Store and iCloud. In May, Chinese jailbroken devices were assaulted by the Trojan IPhoneOS.PWS.Stealer.2. Similar to IPhoneOS.PWS.Stealer.1, the Trojan stole Apple ID logins and passwords, but could also download and install other applications, including those that it bought automatically in App Store at the expense of unsuspecting users.
Yet another malicious program designed to infect jailbroken iOS devices was discovered by security researchers in September. This program entered the Dr.Web virus database as IPhoneOS.Xsser.1 and proved to be rather dangerous. IPhoneOS.Xsser.1 could be commanded to steal such confidential information as the contents of the phone book, photos, passwords, SMS and call history and device location. In December, jailbroken devices were assailed by the spying Trojan IPhoneOS.Cloudatlas.1. This malware was designed to steal a wide range of sensitive data, including detailed information about the infected devices (starting with the version of the operating system and ending with the current time zone), as well as information on available user accounts, including AppleID and iTunes credentials.
All these incidents show exactly how dangerous it is to use iOS devices whose integrity-monitoring software has been compromised. But sometimes even complying with security basics doesn't guarantee full protection for ‘mobile assistants’ manufactured by the Cupertino-based corporation. An attack occurring in November 2014 that targeted jailbroken handhelds as well as devices with an intact iOS serves as clear evidence of this. The attack involved Mac.BackDoor.WireLurker.1—a malicious application that infected machines running Mac OS X. It was used to install IPhoneOS.BackDoor.WireLurker onto smartphones and tablets manufactured by Apple Inc.
Virus makers embedded Mac.BackDoor.WireLurker.1 into counterfeit copies of various legitimate applications (often expensive ones), making it very likely that the Trojan would be installed by careless users who were unwilling to pay for apps and games. Once the Trojan infected its next Mac, it would wait for a mobile device that would suit its purposes to connect to the Mac via USB, and as soon as the next smartphone or tablet was connected, the Trojan would use a special security certificate to immediately install IPhoneOS.BackDoor.WireLurker onto it. This backdoor could steal confidential information, including contact information and SMS messages, which was then relayed to an intruder-controlled server.
Unusual threats in 2014
Sometimes in their pursuit of profit, resourceful virus writers produce malicious applications whose payloads differ from the payloads of the majority of other Trojans. One such rarity was Android.Subscriber.2.origin which subscribed users to chargeable services. The main difference between this Trojan and similar ones that cybercriminals have produced is that Android.Subscriber.2.origin subscribes users to paid services by registering their phone number on a bogus website rather than by sending a short message. The Trojan registers a phone number on the portal and awaits an SMS message containing the operation confirmation code. The malware hides the SMS reply, reads its contents and automatically sends the acquired code to the same website, to complete the registration. However, this is not the only surprise Android.Subscriber.2.origin has for users. Once the supposedly requested premium messages begin to arrive on the device, the Trojan hides them in the inbox by marking them as ‘read’ and changing their date of receipt to 15 days prior.
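A defender-side check for the inbox-hiding trick described above, written here as an added example that is not part of Doctor Web's report: given an export of SMS records (a constructed sample, with a hypothetical `1234` short code as the premium sender), it flags messages whose stored receipt date lies well before the dates of messages stored earlier in the inbox, which is exactly what back-dating a freshly arrived message by 15 days produces.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Sms:
    row_id: int          # storage order in the inbox: a higher id was inserted later
    sender: str
    received: datetime   # receipt timestamp as stored in the inbox (can be tampered with)
    read: bool
    body: str


def find_backdated(inbox, min_gap=timedelta(days=7)):
    """Return messages whose stored date is at least min_gap older than the
    newest date seen among messages inserted before them.

    A message inserted later but carrying a much older date than its
    predecessors is the signature of an inbox entry whose date was rewritten
    after arrival; the 15-day shift described in the report clears the
    default 7-day gap with room to spare.
    """
    flagged = []
    latest_seen = None
    for msg in sorted(inbox, key=lambda m: m.row_id):
        if latest_seen is not None and latest_seen - msg.received >= min_gap:
            flagged.append(msg)
        if latest_seen is None or msg.received > latest_seen:
            latest_seen = msg.received
    return flagged


# Constructed sample inbox: rows 1-3 and 5 are ordinary traffic; rows 4 and 6
# are premium-service messages inserted later but stamped 15 days earlier and
# already marked read, as Android.Subscriber.2.origin does.
_BASE = datetime(2014, 9, 10, 9, 0)
SAMPLE_INBOX = [
    Sms(1, "+15550100", _BASE, True, "Lunch today?"),
    Sms(2, "Bank", _BASE + timedelta(hours=1), True, "Card ending 42 used for 12.50"),
    Sms(3, "+15550177", _BASE + timedelta(days=1), False, "Call me back"),
    Sms(4, "1234", _BASE + timedelta(days=2) - timedelta(days=15), True,
        "Your subscription is active. 5 USD per week."),
    Sms(5, "+15550100", _BASE + timedelta(days=2), False, "Running late"),
    Sms(6, "1234", _BASE + timedelta(days=3) - timedelta(days=15), True,
        "Weekly charge applied. Reply STOP to cancel."),
]


def report(inbox):
    """Human-readable summary of suspicious entries, with the read flag shown
    because the report notes that hidden messages are also marked as read."""
    lines = []
    for msg in find_backdated(inbox):
        lines.append(f"row {msg.row_id} from {msg.sender}: stored date "
                     f"{msg.received:%Y-%m-%d} is out of order, read={msg.read}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_INBOX):
        print(line)
```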
However, sometimes virus makers are driven by motives other than material gain. Discovered by security researchers in September, Android.Elite.1.origin is a vivid example of this. Once on a mobile device, this Trojan would format the available memory card and disrupt the normal operation of numerous online chat and SMS applications by blocking access to their windows with the message "OBEY or Be HACKED".
In addition, this malicious program would send mass short messages to all of the contacts found in the phone book, activity that could deplete the user's mobile account.
Prospects and likely trends
Numerous diverse attacks on handhelds in the past year indicate that in 2015 smartphone and tablet owners will have to take mobile device security even more seriously.
Keeping their bank accounts safe from cybercriminals will most likely become one of the most pressing issues for users. The rapid development of online banking makes it a tempting morsel for criminals, so attacks involving various banking Trojans will intensify. The threat from programs that send premium SMS messages will persist. Users should also be wary of attacks by new ransomware, programs that virus makers get particularly enthusiastic about. More sophisticated attacks with this sort of malware are likely to occur, and it is quite likely that new mobile mining Trojans will emerge.
In addition to keeping their finances safe, users would do well to take extra care to maintain the integrity of their personal information. This is a valuable asset which rivals money in terms of how popular it is with intruders.
The likelihood that new malware will emerge for Apple-manufactured devices is also rather high. Therefore, fans of Mac OS X and iOS should pay special attention to security basics: Refrain from visiting bogus sites, avoid opening links from unknown sources, and whenever possible abandon jail-breaking for the purpose of installing dubious software.
February 18, 2015
Thanks to Dr.Web Process Heuristic, which monitors a system for similar malware behaviour patterns, Dr.Web for Windows Servers can now detect new versions of Trojan horses such as programs from the Trojan.Encoder and Trojan.Inject families.
Furthermore, the data loss prevention feature in the new version lets administrators select the directories they need and create protected backups, so that later, if a malicious object has managed to ravage the system, information can be restored. The data protection technology lets users save changes that were made to their original files—through a defined time interval or manually, on command.
All the latest features of the updated Dr.Web Cloud, which are already available in Dr.Web Security Space, have been included in the new version of Dr.Web Anti-virus for Windows Servers.
You can block devices by a hardware bus or category to prevent unwanted devices from connecting to the server host. In addition, you can take advantage of the new blocking options: Use 'Restrict access to the removable media' to block access to flash drives; enable 'Block sending jobs to printers' to prevent printing; and toggle on the option 'Block data transfer over network (LAN and the Internet)' to block all the networking activities of the server machine. Moreover, you can now disable the option to change the system time or the time zone.
The new version also features a comprehensive analyser of packed threats which allows malignant processes whose signatures are already recognised by Dr.Web to be detected at the beginning of any malicious activity. This significantly improves the detection rate for supposedly "new" threats that may already be known to Dr.Web but have been packed in such a way that the anti-virus doesn’t recognise them.
The anti-rootkit module for 64-bit platforms has been added to the software so that threats targeting 64-bit operating systems can be more effectively neutralised.
Thanks to Dr.Web SpIDer Guard’s revamped routines, machines involved in processing large amounts of data experience improved performance. These are changes that will benefit all file servers.
During product setup, the installer will now only extract repository files for the corresponding platform (32- or 64-bit) which helps save disk space.
The self-protection module in Dr.Web 10.0 for Windows Servers can be disabled in the program's settings.
The new version also brings UI upgrades. The redesigned main menu keeps all the elements involved in daily routines at hand. Setting changes are now applied on the fly—just enter the required data, check a box, or move a slider. You no longer need to enter a CAPTCHA code to disable a protection component. Threat notifications and other messages are now more noticeable. To make it easier to configure them, all notifications are divided into four groups: minor, major, threats, and critical.
To upgrade the product to version 10.0, you must run the new installer on a computer that already has Dr.Web Anti-virus for Windows Servers installed on it.
February 17, 2015
With the revamped mini-agent, upgraded Data Loss Prevention configuration routines, Parental Control, and other anti-virus features, controlling Dr.Web has never been easier.
Please note that all your settings will be saved through the upgrade except the following parameters:
- Anti-virus network password (Dr.Web 10.0 will enable you to generate a password automatically);
- Your blocked devices;
- The Parental Control list of blocked files and directories.
Please note that the Dr.Web 10.0 interface has been redesigned, and the grey system tray icon now indicates that the anti-virus is working properly.
The update will be performed automatically; however, a system reboot will be required. Note that if the anti-virus is updated via the Global Updating System, Dr.Web Anti-virus 9.0 won't be upgraded. If an update mirror is used, this product will also get updated to version 10.0 (provided the mirror is created in Dr.Web Security Space).
Owners of Dr.Web Anti-virus licenses can take part in the Dr.Web Security Space free migration promo and upgrade from the basic security software to the product that provides comprehensive protection.
Blocking access to hardware
- Open the mini-agent, and click on the lock to toggle on the administrative mode.
- To open the configuration window, click on the gears button.
- In the configuration window, go to Main - Devices.
- Set the required restrictions on the use of devices or the transmission of data over the network.
Configuring Parental Control to block access to files and directories
- Open the mini-agent, and click on the lock to toggle on the administrative mode.
- Click on the gears button to open the settings.
- In the settings window, go to the Parental Control section.
- Select the Windows account on which you want to impose restrictions.
- In the Files and Folders section, press Change.
- Press the Objects button. The Files and Folders window will open.
- Press "+" to add paths to the files and/or folders to which you want to block access.
- Then in the Files and Folders window, press OK.
February 16, 2015
To participate in the promotion, you must have a valid Dr.Web Anti-virus license that expires in no less than three months. The license period will be rounded upward when upgrading to Dr.Web Security Space! The number of protected objects will be equal to the number specified in your Dr.Web Anti-virus license.
The new license doesn’t require manual activation; activation is automatic. You can upgrade on the promo page – here, you must enter your valid serial number, your registered e-mail address, and the e-mail address you want the new license registered under (this can be the same address). You will receive an e-mail containing a link. By following it, you’ll be able to complete the process of exchanging your license.
Enhancing your Dr.Web protection therefore takes only a few minutes and costs nothing at all!
Upgrade to Dr.Web Security Space free of charge
February 13, 2015
The new section provides information about the criteria used by Doctor Web to decide whether a site should be added to the non-recommended list, specifically what threats are posed by sites of this sort and how Dr.Web responds when an attempt is made to open a URL that is on the list. Here you can also learn how to configure the corresponding anti-virus component on your PC, Mac or handheld.
On the section page, we reiterate the fact that protecting users against visiting non-recommended sites is not the same as blocking access to those sites. Users can choose to ignore warnings issued by Dr.Web.
Doctor Web invites all users to get acquainted with the new site section and expand their knowledge of the dangers that can lurk behind seemingly ordinary links on the Internet. If you wish, you may also leave your comments and tell us whether you find this information useful.
Reading about non-recommended sites is much safer than visiting them!
Dr.Web non-recommended sites
February 11, 2015
Upgrades made to the anti-rootkit API, control service, and the self-protection module ensure that all the above listed anti-viruses can better detect Trojan.Encoder programs.
A number of adjustments have been made to the Dr.Web Enterprise Security Suite control service. In particular, the update resolves issues involving hosts being unable to reconnect to the new Control Center once the server address and agent password have been changed. A defect involving scheduled scans starting at the wrong time has also been corrected. The scanning feature that enables users to limit consumption of system resources now works properly. Also fixed was an issue involving multiple executions of a task scheduled to occur one time. Furthermore, now, if the network interface status changes, the agent will reconnect to the Control Center automatically.
If a database update revision has been changed, the Dr.Web Enterprise Security Suite updating module no longer fails to download files.
Numerous changes have also been made to Dr.Web Enterprise Agent for Windows. Now, if issues emerge while the self-protection driver is in operation, the agent will uninstall properly. The update corrects a defect occurring during the creation of a Dr.Web Scanner shortcut on the desktop, and in the Start menu during agent installation. Also eliminated was an issue involving the agent appearing on the list of installed programs after installation via command prompt.
The update will be performed automatically; however, a system reboot will be required.
February 10, 2015
According to statistics gathered during 2014 with Dr.Web CureIt!,
The 10 malicious programs most frequently detected by Dr.Web CureIt! on PCs in 2014 are listed in the table below:
The statistics clearly indicate that installers of unwanted applications, adware browser plugins, and Trojans that display annoying ads in browsers constitute the greater part of the malicious programs identified. The activity of criminals involved in referral programmes that distribute 'advertising junk' intensified significantly throughout the past year. Apparently, Trojans of this kind yield a substantial income for their makers, so the latter are unlikely to give up on a good thing any time soon. Therefore, the distribution of such programs is expected to persist in 2015.
The SpIDer Gate HTTP monitor incorporated into Dr.Web Security Space 10.0 provides reliable protection from threats of this sort. It blocks access to suspicious sites that are known to be involved in spreading malware.
According to data collected by Doctor Web's statistics servers,
Trojan.Redirect.197 ranks second. It was added to the virus database in July 2014 and was also spread on a large scale via email. When users opened a bogus message containing this small file, they were redirected to a malignant site from which other Trojans (including
Named “Smoke Loader” by its makers,
After it’s been launched,
Banking Trojan programs from the
Downloader Trojans distributed with emails can turn an unprotected machine into a cesspool containing all sorts of malicious programs. And, backdoors and Trojans (such as Trojan.PWS.Panda programs which frequently appear in the above rankings) steal confidential information from user-submitted forms and also steal money during attacks on remote banking systems.
Available in Dr.Web Security Space and Dr.Web Anti-virus 10.0, the SpIDer Mail monitor provides full protection against malware spread via email. The monitor promptly detects and removes dangerous programs attached to messages and also blocks emails containing suspicious links or dangerous scripts.
In 2014, malicious programs that encrypt data in compromised systems and demand a ransom for its decryption were one of the most common and severe threats. In the past 12 months, over 10,000 users whose data was compromised by ransomware contacted Doctor Web's technical support. Starting in July, the monthly number of such support requests increased gradually, and the August figure was twice as large as the number registered in January. The diagram below shows how the number of requests grew through 2014. The smallest number—507—was registered in April, while the largest figure—1,609—was registered in October:
The most common versions of encryption ransomware include Trojans of the BAT.Encoder family and a myriad of others:
It should be noted that 2014 brought considerable success with regards to the development of countermeasures against programs of this sort. Doctor Web was able to create routines for decrypting files affected by some members of this malware family. For example, in July users gained the opportunity to decrypt files compromised by
Later, in November 2014, Doctor Web researchers determined how to recover files compromised by
A research study conducted by Doctor Web to create an effective decryption routine resulted in the ability to restore corrupted data. These efforts paid off: by the time Doctor Web came up with its decryption routine, it was the only company whose experts were able to recover—with a 90% success rate—files encrypted by
The above information shows that encryption ransomware poses a severe threat to data, and the number of infections involving these malicious programs is on the rise. And this trend is expected to persist in 2015.
If your files have been compromised by this malware, follow these steps:
- Notify the police;
- Never attempt to solve the problem by reinstalling the operating system;
- Do not delete any files from the hard drives;
- Do not try to restore the encrypted data on your own;
- Contact Doctor Web technical support at https://support.drweb.com/new/free_unlocker/?keyno=&for_decode=1&lng=en (this service is available to users who purchased commercial licenses for Dr.Web software);
- Attach a .DOC file encrypted by the Trojan to the ticket;
- Wait for a response from a virus analyst. Due to the large volume of requests, it may take some time to receive a response.
By performing timely backups and placing reasonable restrictions on user privileges, and by using a state-of-the-art anti-virus equipped with routines that neutralise such threats, PC owners can protect their data from encryption ransomware. Dr.Web Security Space 10.0, which incorporates special proactive data-protection features, is up to the job. To keep your data safe, follow the recommendations below:
1. Make sure that preventive protection, which guards your PC against threats not yet known to Dr.Web, is toggled on in the anti-virus settings.
2. Go to the ‘Tools’ menu to turn on ‘Data loss prevention’ and configure the parameters of the backup storage containing your important files.
3. Create a custom schedule to back up your valuable data.
Over the course of the past year, Doctor Web security researchers carefully observed several botnets. In doing so, they noticed that the monthly activity of a zombie network comprised of two subnets, encompassing personal computers infected with the file infector
The activity of the
Another botnet closely monitored by Doctor Web since May 2014 was created with the polymorphic file infector
The botnet comprised of machines running Mac OS X and infected with
The past year proved to be rather fruitful in terms of new Linux malware programs. Chinese virus makers were especially active in this regard and crafted a significant amount of new Trojans for Linux that are designed to mount DDoS attacks.
Compared with previous months, in April and May 2014 Doctor Web security experts researched a record-high number of these Linux Trojans. They include
Malicious programs of another family known as
Another DDoS Trojan, which was given the name
In other words, during the year the Dr.Web virus database received a significant number of new entries for Linux Trojan families, and that number can justifiably be considered a record-high. They include families of Trojans designed to carry out DDoS attacks: Linux.DnsAmp, Linux.BackDoor.Gates, Linux.Mrblack (for ARM), Linux.Myk and
A significant increase in the quantity of malware for Linux was one of the most obvious and notable trends of 2014. The attackers' main objective is to orchestrate mass-scale DDoS attacks via infected devices. Dr.Web for Linux reliably protects machines from this kind of malware.
Threats to Mac OS X
In the past year, Mac OS X didn't escape the attention of virus-makers either. As early as February 2014, Doctor Web security researchers discovered the program
With the help of another malicious program,
On top of that, a number of new backdoors for Mac OS X were also discovered in 2014. They include Mac.BackDoor.WireLurker, Mac.BackDoor.XSLCmd, Mac.BackDoor.Ventir, BackDoor.LaoShu and
The number of malware samples for Mac OS X received by Doctor Web in 2014 is illustrated in the figure below:
Dr.Web Anti-virus for Mac OS X 10.0 protects Apple machines from all sorts of threats. The anti-virus now includes the HTTP monitor SpIDer Gate which scans HTTP traffic and controls Internet access. With the SpIDer Gate HTTP monitor, Dr.Web for Mac OS X scans all traffic on all ports in real time, intercepts all HTTP connections, and provides protection against phishing and dubious websites of all kinds. It also adds a layer of protection against malware being downloaded onto Macs. In addition, SpIDer Gate can restrict Internet access according to a blacklist of non-recommended sites.
In 2014, online scammers kept seeking new ways to take advantage of unsuspecting users. Dr.Web Security Space can address these threats with its SpIDer Gate and Parental Control whose databases receive an average of 2,000 to 6,000 new links to fraudulent, suspicious, or objectionable sites every day.
Criminals often prey on people looking for quick fixes for their financial issues; so-called “binary options” were particularly popular in the past year. Fraudsters advertise certain websites—mainly through spam mailings—that address the user ostensibly on behalf of a successful businessman who has earned millions on the Internet in a matter of days or on behalf of a blogger who has found a new way to make money.
These sites always tell you a story about a “unique” trading technique involving “binary options”. According to fraudsters, “binary options” pay out if the price of an asset (currency, precious metals, stocks, etc.) increases or goes down. If you correctly guess which way it will go, your initial amount will increase by a percentage; if not, you lose the bet.
To organise the trading process, fraudsters develop special sites where bots allegedly accept bets, but, in truth, no connection exists between these sites and international currency markets or stock exchanges. Instead, users are “playing” with a local bot running on a server. If a victim of such fraud attempts to withdraw their money, they will face overwhelming difficulties that ultimately make this task impossible.
Another popular scam, by no means a new one, gained popularity during the Sochi Olympics. Here criminals also attempted to cash in on a get-rich-quick mentality. Enterprising criminals designed sites specifically for this category of user to offer them reliable and credible information about negotiated contests whose outcomes are supposedly already known. Network swindlers claim that this information can be used to make bets that result in a multi-million-dollar payout within weeks!
These happiness merchants offer their victims the chance to purchase information about the outcome of a contest or to pay for a subscription to receive this type of data on a regular basis. The service fee seldom exceeds 150 dollars. To put users off guard, sites like these often display screenshots showing winning bets and glowing feedback from fortunate clients—all fake, of course.
In reality, in the best case scenario, a victim will get a professional sports analyst’s prediction that is already in the public domain. In other words, scammers sell predictions that are already established facts, and there is no guarantee that users will win. Sometimes, the swindlers offer a refund if their prediction proves to be false, but they still earn a profit because some users are provided with one outcome while others are given the exact opposite. Even if a user loses, they can have a hard time getting their money back: instead of money, the indignant customer is usually offered another prediction for free.
Fans of multiplayer games also often become fraud targets. Many modern games cast players into virtual worlds that are complete with their own traditions, history, and culture. They even have their own economic models that enable players to buy and sell objects and even characters that have been upgraded to a certain level.
When acquiring an account on a game server, a buyer wants to get not just the character with the maximum number of different "skills" and experience points, but also game items such as armour and mounts (sometimes quite rare ones), as well as the set of skills and professions that are available for this character. Here the risk for the buyer lies in the fact that the fraudsters who sold them the account can get that account back as soon as the buyer (the current owner) makes their first support request. If the administration overseeing the game discovers that the account had been sold in violation of the rules, it will be blocked.
So, a potential buyer has a good chance of ending up with a stolen account that was hijacked earlier from another user. Criminals can also use chat to distribute phishing URLs: for example, they can publish a fake announcement about a promo supposedly offered by a game developer that requires participants to sign in to a third-party website with their game login and password. Alternatively, the criminals can offer them malware in the guise of a program that will help them enhance their characters' attributes.
Parental Control, which is available in Dr.Web Security Space 10.0, can protect users from various Internet scams. The Parental Control component lets you limit Internet access to websites related to a certain topic, and filter suspicious content. And, using its database of non-recommended URLs, the component can shield users from fraudulent sites, potentially dangerous and shocking content, and from sites which are known to distribute malware.
Attacks on mobile devices
The past year will also be remembered for the number of attacks of every possible kind that were made on handhelds. As before, smartphones and tablets running Android were the primary targets. Throughout the year, the Dr.Web virus database received a large number of entries for all kinds of malicious and unwanted programs for Android, and by the end of 2014, it contained 5,681 entries (up 102% compared with 2013).
Once again, the virus writers behind the malicious software for Android devices were driven by their main goal of extracting maximum profits. To this end, they once again employed time-tested fraudulent schemes involving sending SMS messages to premium numbers and signing up users to chargeable content services.
However, old-school SMS malware is not the only tool at criminals' disposal. In 2014, the range of malicious applications that generate profit by sending SMS messages to premium numbers expanded considerably. For example, the number of
Apart from sending premium messages, cybercriminals have other sources of illicit gain—stealing confidential financial information and employing banking Trojans to covertly transfer data from bank accounts associated with infected devices. Once a smartphone or tablet gets infected, the malicious applications on them not only lure users into divulging bank account access credentials but also drain the users’ accounts when they use online banking. In 2014, the number of attacks involving banking Trojans increased notably, and the geography of the incidents involving malware of this sort expanded. For example, the programs
Criminals made heavy use of banking Trojans in South Korea. Many of the malicious programs infesting handhelds in this country in 2014 were spread via unwanted SMS messages containing Trojan download links. Over the past 12 months, Doctor Web recorded over 1,760 such spam campaigns, each of which could hit from several hundred devices to tens of thousands of them.
Many of the Trojans discovered in 2014 in South Korea have a rather extensive payload and incorporate state-of-the-art design. For example,
Here we must mention the Trojan
The past year also saw the emergence of brand new Trojans for Android that helped criminals take advantage of users. These programs included ransomware blockers—their desktop editions are still quite a nuisance. The emergence of the mobile versions was something to be expected. With the huge Android software and hardware market and the simplicity of ransomware design, what other encouragements did criminals need? The first programs of this sort were discovered in May 2014, and one of them proved to be rather dangerous. Dubbed
Luckily, other ransomware examples found in 2014 weren't so vicious and merely blocked the screen and demanded a ransom. However, in most cases, users were left with smartphones or tablets that were completely useless because
Some of these Trojan horses have even more dangerous features. For example,
Less than eight months after
Mining Trojans, which are designed to extract various electronic cryptocurrencies, were another type of malware crafted by criminals last year in order to take advantage of Android users. For example,
A bit later, virus makers released improved versions of the malware. Unlike the original malicious programs, the upgraded versions didn't exhaust all the hardware resources. Nonetheless, the compromised devices would still operate to the benefit of the intruders.
In summary, the past year showed that cybercriminals not only sustained their interest in getting money from Android users but also significantly intensified their attacks, hoping to swindle users out of even more money. In this regard, owners of Android smartphones and tablets should exercise caution when it comes to installing applications and, if in doubt, refrain from using suspicious programs. It is also recommended that all users without exception install anti-virus software and, if engaged in mobile banking, maintain constant control over all transactions involving their accounts and bank cards.
Stealing confidential information is another lucrative illicit business that once again became a pressing issue for Android users in 2014. Virus makers produced a myriad of diverse spying Trojans, and attacks involving programs of this type were registered all over the world. For example, Android.Spy.67.origin, which was discovered in January in China, collected confidential information including SMS messages, the call history, and GPS data and forwarded it to a remote server. In addition, the malware could activate mobile device cameras and microphones; it could also index images and create special thumbnails of them. Android.Spy.67.origin had another peculiar feature: If this malware gained root access, it would disrupt the operation of popular Chinese anti-viruses, remove their virus databases, and install a malicious program that could, in turn, covertly install other applications. In the spring,
However, the malware program
The rich diversity of spy Trojans for Android discovered in 2014 proves once again that Android-powered devices serve as an excellent source of valuable information for cybercriminals. Therefore, users should always factor in the risk that their confidential information can be stolen and never expect that some segment of their data won’t be of interest to cybercriminals. Even if you regard a piece of information as insignificant, that doesn't mean that criminals won't find a way to use it to their advantage.
Pre-installed malicious programs or those that have been embedded into firmware became another severe threat to Android users. Over the past 12 months, a large number of such incidents were registered, the most striking one involving the emergence of the first-ever Android bootkit. That bootkit, the Trojan
In February, Doctor Web security researchers discovered two malicious programs in Android firmware installed on inexpensive Chinese-made devices. The programs’ main purpose was to pay the usage fee on a Chinese music portal. Dubbed Android.SmsSend.1081.origin and Android.SmsSend.1067.origin, these programs covertly sent special short messages for which subscribers would be charged around 10 US cents. Also in November,
Similar programs were discovered in December too. One of them, Android.Backdoor.126.origin, enabled criminals to implement various kinds of fraud and could add short messages with arbitrary content into the SMS inbox. Dubbed Android.Backdoor.130.origin, another malicious program could—without the knowledge or consent of the device's owner—send text messages; make calls; display advertisements; download, install and run applications; and send various bits of confidential information, including the call history, SMS messages and data on the mobile device’s location, to a remote server.
Thus, it is completely clear that compliance with the basic security rules for Android devices, which includes installing software only from trusted sources and using anti-virus software, is no longer enough. Special attention also needs to be paid when choosing a device. Make sure especially that the device was produced by a reliable manufacturer and that the vendor selling the device is reputable. In addition, you should avoid using dubious Android builds and refrain from downloading firmware from untrusted sources.
Dr.Web for Android incorporates an arsenal of features to keep state-of-the-art smartphones, tablets, and other handhelds secure.
Although the majority of the attacks targeted Android device users, smartphones and tablets running iOS also came under fire. It is worth noting, though, that the majority of malware for iOS could only infect jailbroken devices; however, there was a Trojan horse that could infect handhelds running unaltered iOS.
IPhoneOS.Spad.1 was discovered in March and targeted devices in China. This malware would make specific modifications to advertising modules embedded in various iOS applications. As a result, the profit generated by the advertisement went to an account belonging to the enterprising hackers rather than the authors of those programs. Discovered in April, IPhoneOS.PWS.Stealer.1 stole Apple IDs. IPhoneOS.PWS.Stealer.2, discovered in May, stole Apple IDs, but it could also buy software in the App Store at the user's expense as well as download and install purchased programs. Detected in September, the Trojan program IPhoneOS.Xsser.1 posed a rather severe threat. It could obey commands to steal such confidential information as the contents of the phone book, photos, passwords, SMS messages, the call history, and the device location. And in December, the integrity of personal information on jailbroken devices was threatened by the dangerous Trojan IPhoneOS.Cloudatlas.1 which was designed to collect a wide range of sensitive data.
However, IPhoneOS.BackDoor.WireLurker was 2014’s most dangerous Trojan for iOS users. This program could be installed on jailbroken handhelds as well as on smartphones and tablets whose operating systems remained intact. To accomplish this, virus writers were aided by a desktop relative of the malware. Mac.BackDoor.WireLurker.1, in particular, was spread by hackers in pirated versions of legitimate programs and infected computers running Mac OS X. It monitored USB connections for target mobile devices and used a special "corporate" digital certificate to install IPhoneOS.BackDoor.WireLurker onto connected mobile devices.
Once IPhoneOS.BackDoor.WireLurker was successfully deployed on an iOS handheld, it could steal confidential information, including contact information and SMS messages, which was then relayed to a server controlled by the intruders.
Attacks on Apple smartphones and tablets in 2014 give users a clear signal that the danger is real, and crafty intruders will do their best to take advantage of iPhone and iPad users. Doctor Web recommends that Apple fans pay special attention to applications they install (including those installed onto Apple desktops and laptops), avoid dubious websites, and refrain from opening links found in suspicious short messages.
Prospects and likely trends
Based on an analysis of the situation in 2014, we can assume that encryption ransomware will persist, its diversity will increase, and the technologies and designs employed by criminals will be further perfected and upgraded.
We should also expect new malicious programs for Linux and Mac OS X. New banking Trojans as well as more sophisticated malware engaged in data theft in remote banking will also surely emerge. Some of them will interact with malicious programs on handhelds.
The further development and proliferation of all sorts of gadgets—including tablet PCs, smartphones and GPS navigation devices—will result in criminals becoming even more interested in mobile platforms. Banking technologies will also certainly continue to be their focus, and 2015 is likely to witness new banking Trojans for Android. Threats involving chargeable SMS messages will definitely still be relevant, and new ransomware lockers for Android will also appear in the wild. And, it is also safe to assume that personal information stored on mobile devices will be targeted just as much as it has been in the past.
Owners of Apple handhelds should also remain vigilant in 2015. The past year showed that criminals have become increasingly interested in this platform.
Learn more with Dr.Web
February 10, 2015
With the revamped mini-agent, upgraded Data Loss Prevention configuration routines, Parental Control, and other anti-virus features, controlling Dr.Web has never been easier.
Please note that after the upgrade, you will need to set a new anti-virus network password. You’ll also need to reconfigure the device’s blocking parameters as well as the Parental Control settings which are responsible for file and folder access control.
More details about the upgrade will be covered in a corresponding news publication.
February 5, 2015
To spread the new Linux backdoor, dubbed
The program uses the following routine to exchange data with the intruders' control server. To obtain its configuration, the backdoor searches its own body for a special string that marks the beginning of the encrypted configuration block, decrypts the block, and then sends queries to the control servers on the list one after another until it finds a responding server or the list is exhausted. Both the backdoor and the server use the zlib library to compress the packets they exchange.
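To make the configuration lookup and packet framing described above concrete, here is an added Python example written from the analyst's side (extracting the server list from a sample and triaging captured packets); it is not Doctor Web's code or the backdoor's own. The marker string, the length-prefixed layout, the single-byte XOR used as a stand-in cipher and the host:port list format are assumptions, since the write-up does not give them; only the marker search, the sequential walk through the server list and the zlib framing come from the text.

```python
"""Analyst-side model of a marker-located configuration block and zlib packet
framing. Constructed example: the marker, block layout, XOR stand-in cipher
and list format are placeholders, not the real sample's values."""
import struct
import zlib

MARKER = b"CFGSTART"   # placeholder for the "special string" the backdoor looks for
XOR_KEY = 0x5A         # placeholder single-byte key standing in for the real cipher


def extract_config(body):
    """Locate the marker in a sample body, decode the block that follows it
    (4-byte little-endian length, then XOR-obfuscated payload) and return the
    C&C server list as (host, port) tuples; these are the IoCs an analyst wants."""
    pos = body.find(MARKER)
    if pos < 0:
        raise ValueError("marker not found")
    start = pos + len(MARKER)
    (length,) = struct.unpack_from("<I", body, start)
    blob = body[start + 4 : start + 4 + length]
    if len(blob) != length:
        raise ValueError("truncated configuration block")
    plain = bytes(b ^ XOR_KEY for b in blob)
    servers = []
    for line in plain.decode("ascii").splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        servers.append((host, int(port)))
    return servers


def build_sample_body(servers):
    """Construct a synthetic sample body so the extractor can be exercised
    offline; the padding bytes simply stand in for surrounding code/data."""
    plain = "\n".join(f"{h}:{p}" for h, p in servers).encode("ascii")
    blob = bytes(b ^ XOR_KEY for b in plain)
    return (b"\x00" * 16 + b"junk" + MARKER
            + struct.pack("<I", len(blob)) + blob + b"\x00" * 8)


def first_responding(servers, probe):
    """Walk the list in order and return the first server for which probe()
    reports success, or None once the list is exhausted. probe is injected so
    that modelling this behaviour never touches the network."""
    for server in servers:
        if probe(server):
            return server
    return None


def frame_packet(payload):
    """zlib-compress a packet, as both sides of the exchange do."""
    return zlib.compress(payload)


def unframe_packet(packet):
    """Inverse of frame_packet; raises zlib.error for non-zlib data."""
    return zlib.decompress(packet)


def looks_zlib(packet):
    """Cheap triage check for a captured packet: a zlib stream starts with a
    CMF byte whose low nibble is 8 (deflate) and a FLG byte chosen so that
    CMF*256+FLG is a multiple of 31 (RFC 1950 header check)."""
    if len(packet) < 2 or (packet[0] & 0x0F) != 8:
        return False
    return (packet[0] * 256 + packet[1]) % 31 == 0


if __name__ == "__main__":
    sample = build_sample_body([("c2-a.example", 443), ("c2-b.example", 8080)])
    print(extract_config(sample))
    pkt = frame_packet(b"constructed test payload")
    print(looks_zlib(pkt), unframe_packet(pkt))
```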
Thus, when commanded to do so,
- List files and directories inside the specified directory.
- Send directory size data to the server.
- Create a file in which received data can be stored.
- Accept a file.
- Send a file to the command and control (C&C) server.
- Delete a file.
- Delete a directory.
- Signal the server that it is ready to accept a file.
- Create a directory.
- Rename a file.
- Run a file.
In addition, the backdoor can run a shell with the specified environment variables and grant the C&C server access to the shell, start a SOCKS proxy on an infected computer, or start its own implementation of the portmap server.
The signature of this malware has been added to the Dr.Web virus database, so systems protected by Dr.Web Anti-virus for Linux are safe from this backdoor.
February 3, 2015
January was marked by the massive distribution via email of the dangerous downloader program Trojan.DownLoad3.35539. This program downloads and launches Trojan.Encoder.686 encryption ransomware on infected PCs. This is probably why Trojan.Encoder.686 wound up being the most common encryption malware program of the past month. Botnets comprised of machines infected with the file infector Win32.Sector and the backdoor program for Mac OS X BackDoor.Flashback.39 are still operational.
Linux did not escape the attention of virus writers either: the file infector Linux.EbolaChan was the most notable malware program of the month. Furthermore, several banking Trojans for Android were added into the Dr.Web virus database in January.
Read about these events and other developments in IT security in the detailed virus activity review from Doctor Web.
February 3, 2015
PRINCIPAL TRENDS IN JANUARY
- Banking Trojans
- New spying Trojans
- Programs in the Google Play catalogue that feature aggressive advertising
- Further proliferation of malware embedded into Android firmware or deployed as pre-installed applications
New entries in the Dr.Web for Android virus database
Mobile threat of the month
- Can spread in firmware modified by intruders.
- A Linux executable that extracts several modules, some of which are encrypted. Once the components are decrypted and loaded into memory, the Trojan deletes the original files and commences its malicious activities.
- It covertly sends and intercepts short messages, loads webpages in the browser, transmits information about the infected device to a remote server, and downloads other applications.
Banking Trojans for Android
In the past month Doctor Web registered the emergence of a new group of banking Trojans for Android. These malicious applications were particularly active in South Korea, where they are spread via unsolicited SMS messages containing download links.
Over 40 spam campaigns involved in the spread of several malicious programs were registered
Malicious programs designed to distribute and install other Android Trojans on Android-powered devices. South Korean virus makers use these malicious applications to spread various banking Trojans.
The banking Trojan steals authentication information from customers of South Korean banks. Whenever a user runs a legitimate online banking application, the Trojan replaces its interface with a fake copy that prompts the user to enter all the sensitive information needed to access their bank account. The information entered by the user is transmitted to criminals. Under the pretext of subscribing the user to a banking service,
A banking Trojan that steals money from accounts associated with Android-powered devices.
Cyberespionage remains a pressing issue for users of mobile devices. In January the Dr.Web virus database was updated with a large number of definitions for a variety of commercial spyware that was designed to spy on the owners of the Android smartphones and tablets it was running on. Along with discovering new species in the known spyware families Program.MobileSpy, Program.Tracer, Program.Highster, Program.OwnSpy, Program.MSpy, and numerous others, Doctor Web security researchers examined new programs of this kind, including Program.ZealSpy.1.origin, Program.LetMeSpy.1.origin and Program.CellSpy.1.origin.
- Intercepts SMS text and email messages
- Acquires information about phone calls and contacts
- Keeps track of GPS coordinates
- Reads the correspondence maintained via popular messaging programs
This program monitors:
- SMS correspondence;
- Phone calls;
- GPS coordinates.
- Intercepts text messages and phone calls
- Acquires the device's GPS coordinates.
- Covertly records audio input from the device's microphone
- Views browser history
Threats in the Google Play catalogue
Applications available on Google Play frequently incorporate potentially dangerous and unwanted modules that display annoying ads. Another module of this sort, which was used by some developers of free software, was discovered in January. It entered the Dr.Web virus database as Adware.HideIcon.1.origin.
Advertising module that generates a profit in Android freeware. Incorporates several harmful features.
- Can simulate the download of important files to lure the user into going to a site its makers have been paid to promote.
- Regularly prompts users to install updates that conceal adware.
- Displays annoying ads whenever users run certain applications.
- Deletes the original shortcut icons of the applications it is contained in which makes it hard for inexperienced users to determine the source of the annoying advertisements. The original icons on the home screen are replaced with new ones that lead to various sites that distribute adware.
February 3, 2015
According to Doctor Web's security researchers, in the first month of 2015 cybercriminals organised mass mailings of malware designed to install other dangerous applications on infected computers. In January, many Windows users suffered from encryption ransomware. As before, the number of Trojans and other malware programs threatening users of Android-powered devices remained high.
PRINCIPAL TRENDS IN JANUARY
- Mass mailings of Trojans designed to install other malicious applications.
- The spread of encryption ransomware, posing a serious hazard to Windows users.
- New malicious applications for Android-powered devices.
Threat of the month
In mid-January, attackers carried out a mass mailing of
- It is distributed in email messages as an attached ZIP archive.
- The program's main objective is to download and launch Trojan.Encoder.686 (a.k.a. CTBLocker) on infected machines.
According to Doctor Web security researchers, messages of this kind come in many languages including English, German, and even Georgian.
Files compromised by this encryption Trojan can't be recovered.
However, this malware is successfully detected by Dr.Web Anti-virus and, thus, users are protected from this Trojan’s activities.
More information about this incident can be found in a news article published by Doctor Web.
The number of requests for decryption received by the technical support service
|December 2014||January 2015||Movement|
In January, the number of users compromised by
Virus writers give their victims only 96 hours to pay the ransom required to recover their files and threaten that a failure to comply with their demands will result in permanent data loss. To acquire information about the terms and the ransom amount, users are directed to a site residing in the Tor network.
Unfortunately, it is currently impossible to decrypt files affected by Trojan.Encoder.686. However, Dr.Web successfully detects this malicious program, and users of our products are protected from its actions.
The other most common encoders:
By performing timely backups and placing reasonable restrictions on user privileges, and by using a state-of-the-art anti-virus equipped with routines that neutralise such threats, PC owners can protect their data from encryption ransomware. Dr.Web Security Space 10.0 possesses effective tools for countering encoders; these include special preventative protection components that keep data safe from the activities of ransomware.
Use Data Loss Prevention to protect your files from encryption ransomware
|Only available in Dr.Web Security Space 9 and 10|
According to statistics gathered by Dr.Web CureIt!
Trojan.MulDrop5.10078: Installs various unwanted applications and adware on an infected computer.
Trojan.BPlug: Plugins for popular browsers that display annoying ads to users as they browse web pages.
Trojan.Zadved: Add-ins designed to spoof browser search results and to display fake pop-up messages in social networks. These Trojans can also replace advertisements displayed on various websites.
Trojan.LoadMoney: Downloader programs generated by servers belonging to the LoadMoney referral programme. They download and install various unwanted software on a victim's computer.
Trojan.Click: A family of malicious software that uses fraudulent techniques to drive visitors to various Internet resources, redirecting victims to certain sites by controlling browser behaviour.
Trojan.Yontoo: Plugins for popular browsers that display ads to users as they browse web pages.
According to Doctor Web's statistics servers
Trojan.InstallCore.16: A Trojan that installs adware and suspicious applications (a.k.a. Trojan.Packed.24524).
Trojan.DownLoad3.35539: A downloader Trojan that spreads via email as a ZIP archive containing an .SCR file. When the file is opened, the Trojan saves an RTF document to the infected computer's drive and displays it on the screen. At the same time it downloads its payload, Trojan.Encoder.686 (a.k.a. CTB-Locker), from the attackers' remote servers and runs it.
Trojan.LoadMoney.336: A representative of the family of downloader programs generated by servers belonging to the LoadMoney referral programme. These programs download and install a variety of unwanted software on their victims' computers.
BackDoor.IRC.NgrBot.42: A fairly common Trojan, known to information security researchers since 2011. Malicious programs of this family execute attacker-issued commands on infected machines; cybercriminals use the IRC (Internet Relay Chat) text-messaging protocol to control those PCs.
Trojan.OutBrowse.54: One of a family of adware Trojans spread via referral programmes that generate income from file downloads.
Statistics concerning malicious programs discovered in email traffic
BackDoor.Andromeda.404: A downloader Trojan designed to fetch other malware from remote, hacker-controlled servers and run it on infected machines.
Trojan.DownLoad3.35539: A downloader Trojan that spreads primarily via email as a ZIP archive containing an .SCR file. When the file is opened, the Trojan saves an RTF document to the infected computer's drive and displays it on the screen. At the same time it downloads its payload, Trojan.Encoder.686 (a.k.a. CTB-Locker), from the attackers' remote servers and runs it.
Trojan.Proxy.23968: A Trojan that routes the infected system's traffic through an attacker-controlled proxy in order to intercept confidential information when the victim uses the remote banking systems of several Russian banks. Once launched, it changes the network connection settings to point at an automatic proxy configuration script. User traffic is redirected through the hacker proxy, which can substitute a malicious page for the bank-client system's webpage. To intercept HTTPS connections, the Trojan installs a bogus digital certificate in the system.
Trojan.PWS.Stealer.13025: Malware designed to steal confidential information from an infected machine, including passwords stored by email programs, FTP clients, browsers and messengers.
W97M.DownLoader.185: A representative of a malware family that spreads primarily by email in Microsoft Word documents. It is designed to download other malicious applications onto the attacked computer.
Win32.Sector: A file infector whose key functions are to:
- download various executables via P2P networks and run them on infected machines;
- inject its code into running processes;
- terminate certain anti-viruses and block access to the sites of their respective developers;
- infect files on local disks and removable media (creating an autorun.inf file on the media in the process) as well as files stored in shared network folders.
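The autorun.inf planted on removable media is the part of this infection chain a responder can inspect directly. The following added example (not Doctor Web's code) parses such a file and reports every command it would cause Explorer to run, including the relabelled context-menu verb trick. SAMPLE_AUTORUN is a constructed sample, not a file recovered from an infected device; on a real host you would read autorun.inf from the root of each mounted volume instead.

```python
"""Added example, not Doctor Web's code: read an autorun.inf planted on
removable media and list every command it would cause Explorer to run.

SAMPLE_AUTORUN is constructed for the example; on a real host you would
read <drive>:\\autorun.inf from each mounted volume instead.
"""
import configparser

# Keys under [autorun] that directly name something to execute.
LAUNCH_KEYS = ("open", "shellexecute")

SAMPLE_AUTORUN = r"""[autorun]
; constructed sample in the style of a worm-planted autorun.inf
open=RECYCLER\S-1-5-21-99\update.exe
shell\x=Open
shell\x\command=RECYCLER\S-1-5-21-99\update.exe
shell=x
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a dict with lower-cased keys.

    interpolation=None keeps '%SystemRoot%' literal; strict=False tolerates
    the duplicate keys that hand-written autorun.inf files often contain.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp[section])
    return {}


def launch_targets(text: str) -> list[tuple[str, str]]:
    """(trigger, command) pairs: open/shellexecute fire on AutoPlay,
    shell\\<verb>\\command fires when the user picks that verb."""
    targets = []
    for key, value in parse_autorun(text).items():
        if not value:
            continue
        if key in LAUNCH_KEYS:
            targets.append((key, value.strip()))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            targets.append((f"shell verb '{verb}'", value.strip()))
    return targets


def assess(text: str) -> list[str]:
    """Human-readable findings for a triage report; an empty list means
    the file only sets an icon or label and launches nothing."""
    entries = parse_autorun(text)
    findings = [f"{trigger} launches: {cmd}"
                for trigger, cmd in launch_targets(text)]
    default_verb = (entries.get("shell") or "").strip()
    if default_verb:
        # 'shell=x' makes the rogue verb the double-click default action
        findings.append(f"default action redirected to verb '{default_verb}'")
    for key, value in entries.items():
        if key.startswith("shell\\") and not key.endswith("\\command") and value:
            verb = key.split("\\")[1]
            # e.g. shell\x=Open: the rogue verb is labelled like the normal one
            findings.append(
                f"context-menu verb '{verb}' relabelled as '{value.strip()}'")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_AUTORUN):
        print(line)
```

A launch target is not proof of infection on its own (legitimate installers ship autorun.inf too), so the output is meant for triage: a command pointing into a RECYCLER-style hidden path, or a verb relabelled as "Open", is what separates the worm-planted file from a vendor's.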
BackDoor.Flashback.39: A Trojan for Mac OS X that was distributed on a wide scale in April 2012. Infection was carried out via Java vulnerabilities. The Trojan downloads and runs a payload on the infected machine; the payload can be any executable file specified in the directive the Trojan receives from the hacker who controls it.
Threats to Linux
In January 2015 Doctor Web's security researchers discovered several new samples of malware for Linux, the most interesting of which is the file virus Linux.EbolaChan.
- The main purpose of Linux.EbolaChan is to schedule the launch of a special script that downloads other shell scripts from a criminal-controlled website and executes them on the infected machine.
Fraudulent and non-recommended sites
During January 2015, we added 10,431 Internet addresses to the Dr.Web database of non-recommended sites.
|December 2014||January 2015||Movement|
|10 462||10 431||-0.3%|
Parental Control, which is available in Dr.Web Security Space 10.0, can provide protection from various Internet scams. The Parental Control component lets you limit access to websites related to a certain topic and filter suspicious content. And, using its database of non-recommended URLs, the component can shield users from fraudulent sites, potentially dangerous and shocking content, and from sites which are known to distribute malware.
Malicious and unwanted software threatening Android
In January 2015 a large number of new malware programs as well as other dangerous Android programs were detected. The newest among them are the following:
- Trojans spreading inside hacker-modified Android firmware;
- Banking Trojans
These malicious applications were particularly active in South Korea where they are spread with unsolicited short messages containing their download links.
We detected over 40 such spam campaigns involving several malicious programs.
Commercial spyware: In January, the Doctor Web virus database expanded with the addition of a large number of records for various commercial spyware applications designed to be installed on Android-powered devices and track their owners.
Threats on Google Play: Aggressive and potentially dangerous advertising network modules for mobile devices remain an urgent problem. One such system has been implemented in a number of free programs hosted on Google Play.
Find out more about malicious programs for Android in our special overview.
January 29, 2015
- An issue involving the Devices section of the anti-virus settings being displayed in Dr.Web Security Space when Parental Control is absent.
- A defect causing the process outlook.exe not to terminate after the mail client is closed.
- A threat neutralisation report attachment problem that could occur if an infected object in a message has been removed.
- The option to add a spam prefix to the email subject field is now enabled by default.
- Issues that could cause the process outlook.exe to terminate abnormally when receiving email in Microsoft Outlook 2000 and XP and when launching the email client.
The update will be performed automatically; however, a system reboot will be required.
January 29, 2015
These include the ability to export data via the registry editor and the anti-virus shortcut on the desktop.
The program's usability has also been improved. Now, a battery status indicator is available if Dr.Web LiveDisk is launched on a laptop.
Also, the virus databases can be updated if the utility is launched from a flash drive—there is no need to write Dr.Web LiveDisk onto media to update it.
An issue with assessing free disk space that could arise when writing Dr.Web LiveDisk onto a flash drive has been eliminated.
January 29, 2015
An issue that might cause a system crash on machines running Windows 8.1 (32-bit) with the update KB3013769 installed has been resolved.
The update will be automatically downloaded by the Dr.Web Anti-virus service software and by Dr.Web Enterprise Security Suite, but a system restart will be necessary for the update to be applied.
January 27, 2015
The update speeds up database downloads for all the above-listed Dr.Web products and shortens both system startup and the launch time of the Dr.Web anti-virus.
The products will utilise the same scanning module (version 7).
Version 9 databases are already being used by Dr.Web Security Space, Dr.Web Anti-virus for Windows 10.0 and the curing utilities Dr.Web CureIt! and Dr.Web CureNet!.
The update, which is 140 MB in size, will be downloaded and installed automatically. Users of Dr.Web for Linux will need to restart the daemon drweb-configd.
January 26, 2015
The agent interface of Dr.Web Security Space and Dr.Web Anti-virus once again provides notifications whenever a license key file is blocked. In the Data Loss Prevention section, a problem resulting in items on the list of protected objects being sorted incorrectly has been eliminated. At the same time, changes have been introduced so that this option is disabled if no objects have been selected for backing up. The anti-virus network option is unavailable if a connection to a remote agent has been established. In addition, an animated progress bar for host searches has been implemented in the Anti-virus Network tools. In products for home customers, the range of information collected by Dr.Web SysInfo has been expanded, and log collection defects have been corrected.
Also eliminated was a Dr.Web Enterprise Security Suite issue involving the incorrect Control Center connection status being displayed in the notification area whenever the mouse pointer hovered over the agent icon in the system tray. Furthermore, the update corrects a defect involving incorrect information about the agent language settings being displayed if the system language option has been selected. Tool tips for the system tray agent icon have also been implemented.
The following changes affect all of the above listed products.
The Settings and Close buttons have been removed from notifications about Internet use time limits almost being reached. An issue that involved errors occurring when switching between different keyboard layouts in the administrative mode password dialogue box has been resolved.
A compatibility issue between the Dr.Web Net Filtering Service and Xerox 5740 software has been eliminated.
A self-protection module defect has also been corrected. The module now prevents executables from launching in folders on the Dr.Web Parental Control (Office Control in Dr.Web Enterprise Security Suite) block list.
An error that caused the firewall to terminate abnormally when displaying the list of running processes has been corrected.
A Dr.Web DeviceGuard issue involving multimedia key presses on some Microsoft keyboard models has been resolved. Also eliminated was an issue that could cause a system crash when the component blocked access to disks.
A Dr.Web Updater defect involving the installation and updating of Dr.Web under Windows XP with Czech localisation has also been corrected.
The Scanner SE feature for restricting access to various system functions has been redesigned.
A configuration script issue involving the repeat registration of the Outlook plugin after updating has been resolved.
The update will be performed automatically; however, a system reboot will be required.
January 21, 2015
The downloader Trojan entered the Dr.Web virus database as Trojan.DownLoad3.35539. Criminals spread it as an attached ZIP archive in mass spam messages. According to Doctor Web security researchers, messages of this kind come in many languages including English, German and even Georgian.
The archive contains an SCR file. By default Windows uses the .scr extension for screen savers, but such files are ordinary executables and run when opened. If the user launches the archived file, Trojan.DownLoad3.35539 extracts an RTF document from its body, saves it onto the hard drive and displays it on the screen, so the victim sees a seemingly harmless document.
At the same time, Trojan.DownLoad3.35539 establishes a connection with one of the attackers' remote servers, downloads an archive containing the encryption ransomware Trojan.Encoder.686 (a.k.a. CTB-Locker), and then decompresses and runs it. Following its successful initialisation on the victim machine, Trojan.Encoder.686 encrypts files and displays the following message:
It is worth mentioning that attackers give their victims only 96 hours to pay the ransom required to recover their files and threaten that a failure to comply with their demands will result in permanent data loss. To acquire information about the terms and the ransom amount, users are directed to a site residing in the Tor network.
Trojan.Encoder.686 is compiled with the Tor and OpenSSL libraries and relies heavily on their routines. While encrypting data, the ransomware uses CryptoAPI to generate random data and applies elliptic-curve cryptography, so affected files cannot currently be recovered without the attackers' private key.
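The delivery mechanism described in this article and in the monthly review above (a ZIP attachment whose only member is a .scr executable that carries an RTF decoy) is something a mail gateway can check for before the message reaches a user. The following added example is not Doctor Web's code: it inspects a ZIP attachment offline, flags executable members by extension, by a document-style double extension and by the PE "MZ" header regardless of name, and notes when an RTF document is embedded in the executable. The archive it scans is constructed in memory (a two-byte "MZ" stub with an RTF fragment, not real malware); a gateway would pass the raw attachment bytes instead.

```python
"""Added example, not Doctor Web's code: a mail-gateway style check for
ZIP attachments that hide an executable such as the .scr dropper above.

The archive is constructed in memory (a fake 'MZ' stub with an RTF blob,
no real malware) so the check runs offline; a gateway would pass the raw
attachment bytes instead.
"""
import io
import zipfile

# Extensions Windows executes on double-click. A .scr is a PE executable
# that differs from .exe only by its name.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                         ".vbs", ".js", ".jse", ".wsf", ".hta", ".cpl"}
# Document-looking extensions placed in front of the real one, e.g. .rtf.scr
DOCUMENT_EXTENSIONS = {"rtf", "doc", "docx", "pdf", "txt", "xls", "jpg"}
PE_MAGIC = b"MZ"
RTF_MAGIC = b"{\\rtf1"
MAX_SCAN_BYTES = 4 * 1024 * 1024  # cap decompression so a zip bomb cannot exhaust memory


def inspect_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per member that looks like an executable.

    Reasons recorded: executable extension, document extension in front of
    it, PE header regardless of name, and an RTF document embedded in the
    executable (the decoy Trojan.DownLoad3.35539 drops and displays).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
                if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
                    reasons.append("double extension hides the real type")
            with zf.open(info) as fh:
                head = fh.read(MAX_SCAN_BYTES)
            if head[:2] == PE_MAGIC:
                reasons.append("PE header (MZ) regardless of extension")
                if RTF_MAGIC in head:
                    reasons.append("RTF decoy document embedded in executable")
            if reasons:
                findings.append({"member": info.filename,
                                 "size": info.file_size, "reasons": reasons})
    return findings


def verdict(zip_bytes: bytes) -> str:
    """Gateway decision: quarantine anything with at least one finding."""
    return "quarantine" if inspect_zip(zip_bytes) else "deliver"


def build_sample_archive() -> bytes:
    """Constructed sample: a 2-byte 'MZ' stub with an RTF fragment inside,
    named like an invoice, plus a harmless text file."""
    fake_dropper = (PE_MAGIC + b"\x90" * 64
                    + b"{\\rtf1\\ansi Decoy invoice}" + b"\x00" * 16)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2015-01-15.rtf.scr", fake_dropper)
        zf.writestr("readme.txt", b"Nothing to see here.\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for finding in inspect_zip(sample):
        print(finding["member"], "->", "; ".join(finding["reasons"]))
    print("verdict:", verdict(sample))
```

The header check matters more than the extension list: renaming the dropper to .txt defeats an extension filter, but the file still begins with "MZ" and Windows still runs it if the user is talked into renaming it back. Reading at most MAX_SCAN_BYTES per member keeps the check safe against deliberately oversized or nested archives.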
Doctor Web urges users to exercise caution and to never launch files received with emails, as well as to refrain from opening attachments in messages from unverified senders and to back up valuable data regularly.
In addition, please note that Dr.Web Security Space 9 and 10 incorporate several components that will facilitate automatic timely backups for your most valuable information and protect your computer from encryption ransomware and other malicious programs.
To keep your data safe, follow the recommendations below:
- Make sure that in the Dr.Web Security Space (9 and 10) settings, you toggle on the preventive protection which will protect your PC against threats yet unknown to Dr.Web.
- Go to the ‘Tools’ menu to turn on ‘Data loss prevention’, and configure the parameters of the backup storage containing your important files.
- Create a custom schedule to back up your valuable data.
Supplemented by some caution when working with emails, these measures will keep your system safe from most modern threats including encryption ransomware.
January 19, 2015
The plugin can now be installed under Microsoft Windows Server 2012 and 2012 R2.
In addition, the update resolves the "No MIME data" issue that occurred on machines running both Domino X64 and Lotus/Notes 9 whenever a memo that had had a threat removed from it earlier was opened.
To install the new version of Dr.Web for IBM Lotus Domino, you need to uninstall the previous one. All the current settings and the quarantine database will be deleted. If necessary, back up the database found in the Dr.Web directory.
More information about the upgrade process, as well as the system requirements for Dr.Web 6.01 for IBM Lotus Domino, can be found in the release notes.
January 15, 2015
In particular it corrects the defect that might cause the Scanning Engine to freeze while checking an object in RAM.
Also, in series 10 products the issue related to curing objects in shared folders has been eliminated.
The update will be performed automatically; however, a system reboot will be required. To use the updated Dr.Web CureIt! you need to download the new version.
December 29, 2014
Although incorporating malicious code in Android firmware is nothing new, criminals do not use this technique often. Yet they have not discarded it altogether, and security researchers occasionally come across a new Trojan for Android embedded in firmware or pre-installed on some handset model. In December several such incidents occurred. As before, the malicious programs detected were used by cybercriminals to covertly perform various actions to their advantage. In particular, the backdoor that entered the Dr.Web virus database as Android.Backdoor.126.origin could be instructed by criminals to inject SMS messages with attacker-specified text among the messages arriving on the infected device. This feature gave criminals a wide range of scam opportunities. Another malicious program lurking in Android firmware gave its makers an even broader set of features for illicit activities. In particular, the program Android.Backdoor.130.origin (under the Dr.Web classification) could send short messages; make calls; display ads; download, install and launch applications without user consent; and transmit to its command and control (C&C) server all sorts of information, including call history, SMS correspondence and location data. Furthermore, Android.Backdoor.130.origin could delete applications installed on the infected device. Since this backdoor was actually a system application, it did not require user intervention to perform its tasks, which makes Android.Backdoor.130.origin particularly dangerous.
Android.SmsBot.213.origin, which can also perform unwanted actions on an infected device, is another noteworthy malicious program for Android that was detected in December. In particular, it could intercept and send SMS messages, and forward confidential information found on the device to its C&C server. Here, the main danger lies in the malware's ability to provide criminals with access to bank accounts involved in online banking. By sending and intercepting SMS messages used in remote banking, Android.SmsBot.213.origin could covertly transfer all the available funds to the attackers' account. Interestingly, criminals spread this program in the guise of a popular game which would eventually be installed onto the compromised device. In particular, once installed and launched by the user, Android.SmsBot.213.origin would begin installing the game that is incorporated into the malware, delete its shortcut and further operate as a system service. This trick helped criminals reduce the risk of users getting upset after failing to acquire an expected game and deleting the malware. It also improved the program's chances of successfully accomplishing its tasks.
Also in December, cybercriminals targeting devices in South Korea carried on with their attacks. As before, they spread Android Trojans with unwanted SMS containing the relevant download links. Doctor Web registered about 160 spam campaigns of this sort throughout the month. The most common malicious programs spread in this way included Android.MulDrop.48.origin (40,25%),