News of Doctor Web
March 5, 2014
Today, when a crisis caused by a computer threat strikes, many users do not know where to start repairing the damage. The legal section on Doctor Web's site will help you calmly assess the situation and make the decisions that bring you closer to having your stolen money returned or your compromised data recovered.
Here you will find out what actions you should take if your money has been stolen over the e-banking system, a Trojan has encrypted your files, or your access to Windows has been blocked.
Indeed, we wish all our users a life free from cybercrime! We are confident that our legal section will serve as a reminder of the necessity to take care of anti-virus security at home and at your workplace in advance.
If you have suffered from the actions of intruders, do not give up—seek justice! The legal section will help you with this.
March 3, 2014
Overall, from February 1-27, 2014, Dr.Web for Android registered 8,315,374 detections of unwanted and malicious programs. Detection activity peaked on February 7, when 374,194 malicious samples were identified, and was lowest on February 19, when only 283,159 threats were found.
The most frequently detected programs include
The prevalence of this threat became clearer once Doctor Web's security researchers obtained infection statistics, including the IMEIs of the affected devices, for the period from February 1-27, 2014. The botnet currently consists of 396,709 infected devices (by contrast, 2,325,326 unique IP addresses were registered from February 22-27; mobile devices change addresses frequently, so IP counts overstate a botnet's size). The majority of the devices (378,614) are in China; about 4,500 infections were recorded in European countries.
This malware mostly infects mobile phones manufactured in China. The handset models on which
The distribution of the infected devices by Android OS version is shown in the following diagram.
The majority of Dr.Web for Android users still prefer smartphones manufactured by Samsung. Among other manufacturers' devices, the LG Optimus L5 and L7 and the Sony Xperia J are the most popular. The most popular handset models are listed in the diagram below.
User preferences by Android OS version are illustrated below.
Doctor Web continues to monitor the mobile security situation.
February 28, 2014
According to statistics collected in February 2014 by Dr.Web CureIt!,
Doctor Web's analysts continue to monitor the growth of the botnet consisting of Windows PCs that have been compromised by the file infector
The number of machines on which Dr.Web software has been detecting the malignant module
The number of computers infected with the Trojan for MAC OS X, known as
The botnet comprised of devices infected with the first known Android bootkit, dubbed
Currently, the botnet consists of approximately 400,000 infected devices whose IMEIs were registered by security researchers from February 1-27. In the past, researchers assessed the number of bots by the number of IP addresses being used to connect to the command and control server. The botnet’s growth, assessed by taking into account the number of IP addresses involved between January 22 and February 27, 2014, is illustrated in the graph below.
In addition to the information about IP addresses, Doctor Web's analysts have now managed to collect statistics concerning the IMEIs of the infected devices.
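The gap between the two figures above, and between the device and IP counts in the March 3 item at the top of the page, comes down to how bots are deduplicated: a phone that reconnects from a new address looks like a new bot to an IP-based count, while its IMEI stays the same. The script below is an added example, not Doctor Web's code; it counts a constructed set of C&C check-in records both ways. The record layout (day, client IP, IMEI reported by the bot) is an assumption; the Luhn check digit on a 15-digit IMEI is standard.

```python
"""Size a botnet by device identifier (IMEI) rather than by source IP.

Added example, not Doctor Web's code. SAMPLE_CHECKINS is a constructed
stand-in for a C&C log: a real one carries the same fields but far more rows.
"""
import re
from collections import defaultdict

# Constructed sample: device A checks in from three different IPs on three
# days, device B reuses one IP, one record carries an IMEI with a bad check
# digit and one carries the all-zero placeholder some handsets report.
SAMPLE_CHECKINS = [
    ("2014-02-22", "203.0.113.10", "490154203237518"),
    ("2014-02-23", "203.0.113.77", "490154203237518"),
    ("2014-02-24", "198.51.100.5", "490154203237518"),
    ("2014-02-25", "198.51.100.9", "356938035643809"),
    ("2014-02-26", "198.51.100.9", "356938035643809"),
    ("2014-02-26", "192.0.2.44", "123456789012345"),   # fails Luhn
    ("2014-02-27", "192.0.2.45", "000000000000000"),   # placeholder IMEI
]

IMEI_RE = re.compile(r"^\d{15}$")


def imei_is_plausible(imei: str) -> bool:
    """15 digits, valid Luhn check digit, and not a single repeated digit.

    000000000000000 passes Luhn, so the repeated-digit test is what drops
    the placeholder values reported instead of a real IMEI.
    """
    if not IMEI_RE.match(imei) or len(set(imei)) == 1:
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        digit = int(ch)
        if pos % 2 == 1:  # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def count_bots(checkins):
    """Compare the naive IP-based bot count with the IMEI-based one."""
    ips = set()
    ips_by_imei = defaultdict(set)
    rejected = 0
    for _day, ip, imei in checkins:
        ips.add(ip)
        if imei_is_plausible(imei):
            ips_by_imei[imei].add(ip)
        else:
            rejected += 1
    return {
        "unique_ips": len(ips),
        "unique_devices": len(ips_by_imei),
        "rejected_imeis": rejected,
        "ips_per_device": {k: len(v) for k, v in ips_by_imei.items()},
    }


def growth_by_day(checkins):
    """Cumulative number of distinct plausible IMEIs seen up to each day,
    the series a growth graph would plot."""
    first_seen = {}
    for day, _ip, imei in sorted(checkins):
        if imei_is_plausible(imei) and imei not in first_seen:
            first_seen[imei] = day
    series, total = [], 0
    for day in sorted({d for d, _, _ in checkins}):
        total += sum(1 for d in first_seen.values() if d == day)
        series.append((day, total))
    return series


if __name__ == "__main__":
    print(count_bots(SAMPLE_CHECKINS))
    print(growth_by_day(SAMPLE_CHECKINS))
```

Even on seven records the IP count (6) is three times the device count (2). The plausibility filter matters in practice: cheap handsets with placeholder or cloned IMEIs will otherwise collapse many devices into one identifier, so an IMEI-based figure is a lower bound just as the IP-based figure is an upper bound.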
Adware Trojan invasion
February saw an extremely large number of malignant programs that are designed to replace advertisements on web pages and display annoying ads in browser windows. At the beginning of the month, Doctor Web's security researchers added the signature of the Trojan dubbed
Shortly thereafter, the security researchers discovered another similar program which was dubbed
Other February threats
Machines manufactured by Apple didn't escape the attention of cybercriminals either. In February, an entry for the program
Another threat, dubbed
Threats to Android
As far as information security is concerned, February turned out to be rather eventful. At the beginning of the month, Doctor Web discovered several dangerous applications embedded in Android firmware and designed to send SMS messages covertly. One of them worked as an audio player that sent out SMS messages containing the device's IMSI in an attempt to subscribe the user automatically to a Chinese online music site. This undocumented feature placed no limit on the number of messages sent: a message went out every time the player was launched, and the user was billed by the mobile operator for each one.
Another similarly functioning Trojan was embedded in a system utility and also covertly sent out short messages containing device IMEIs. Both threats were classified as SMS Trojans and entered the virus database as
The Flappy Bird incident didn't go unnoticed by criminals either: shortly after the game was removed from Google Play and the App Store, numerous imitations appeared on the Internet, along with malicious programs whose enterprising authors claimed that their creations were the original, now discontinued, game. In truth, users were offered
Meanwhile, the security situation for South Korean users improved somewhat: Doctor Web's security researchers registered 90 incidents involving malware being distributed via SMS spam, a 36.6% drop from the January figure. It should be noted that most of the Trojans were hosted by criminals on file hosting services such as Google Drive and Dropbox, a departure from earlier campaigns, in which criminals normally used their own sites.
South Korean users most frequently had to deal with
The definitions for several commercial spyware programs that apparently are still rather popular on the mobile market were also added to the Dr.Web virus databases during the last full month of winter.
Malicious files detected in mail traffic in February
|01.02.2014 00:00 - 28.02.2014 17:00|
Malicious files detected on user computers in February
|01.02.2014 00:00 - 28.02.2014 17:00|
February 18, 2014
Once the injector is launched, it decompresses the main Trojan modules and injects their code into all the running processes, excluding the few related to Windows’ operation.
The Trojan ensures the operation of several modules on an infected computer: one of them functions as a VNC server; another works like a SOCKS proxy server. Another module enables the program to make web injections. An additional module (the grabber) is designed to transmit to criminals the data entered by users in web forms in Microsoft Internet Explorer, Mozilla Firefox and Google Chrome, while the Stealer module acquires passwords stored by dozens of popular applications which include email and FTP clients. Finally, the module allows criminals to control an infected machine, even if it is hidden behind a gateway or firewall.
- Download, save, and launch the specified program;
- Update the malware;
- Send cookies from Microsoft Internet Explorer, Mozilla Firefox and Google Chrome to the remote server;
- Export digital certificates found on the infected PC and send them to the remote server;
- Transfer the list of running processes to the remote server;
- Delete cookies on the infected computer;
- Enable logging;
- Enable the proxy server;
- Enable the VNC server;
- Install the malware update with a digital signature;
- Launch a program;
- Write a value in the registry or get a value from the registry;
- Search files in the infected system.
This malignant program poses a severe threat because it has an arsenal of features for stealing sensitive information which can be used by criminals to gain unauthorised access to an infected computer, and compromise websites and online accounts. However
February 17, 2014
The malicious program that entered the Dr.Web virus database as
It bears mentioning that Trojans in OS firmware are not particularly widespread. However, they are as dangerous as other malignant applications distributed via software catalogues. In particular, one of the recent incidents involving such a Trojan was covered in Doctor Web's January review. During that month,
Regardless of the payload, the main danger of such malicious programs is that they cannot be removed by conventional means: the application resides on the system partition, so one must either gain privileged access to the operating system and its system files (root access) or reflash the device with firmware that doesn't include the program. All these measures entail risks, because modifying the file system may void the warranty, cause data loss or break the device.
To minimise the probable negative impact, owners of Android devices should avoid dubious firmware and refrain from purchasing handhelds of unknown origin. However, if you do encounter this issue, do the following:
- Check whether your firmware was provided by the device's manufacturer. To do this, contact the manufacturer's support service. If the firmware was provided by a third party, reflash the device with firmware from the device's manufacturer.
- If you have reflashed the device with third-party firmware on your own, and it contains a Trojan, switch back to the manufacturer’s firmware.
- If your device is using the manufacturer’s firmware but a Trojan is found in the system, contact the manufacturer to resolve the situation.
- If you have sufficient technical knowledge and skills, you can try to delete the malicious program by acquiring root access, but in this case you risk voiding the warranty or rendering your mobile device non-operational, so do this at your own risk.
- If the current firmware incorporates a malicious program, you can try to disable it: go into the application management menu and select "Disable" for the respective application.
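The check in the first step and the "Disable" step at the end can be scripted over adb. The triage below is an added example, not part of Doctor Web's recommendations or of the firmware Trojan write-ups on this page; it looks for the combination those Trojans need (the February review describes an audio player and a system utility that sent the IMSI/IMEI out by SMS): a package on the system partition holding both an SMS-sending permission and READ_PHONE_STATE. It assumes the handset is reachable over adb and that `pm disable-user` is available on it; SAMPLE_FINGERPRINT and SAMPLE_DUMPSYS are constructed stand-ins for the output of `adb shell getprop ro.build.fingerprint` and `adb shell dumpsys package`.

```python
"""Triage a handset's system partition for SMS-sending apps.

Added example, not Doctor Web's procedure. The two samples below stand in for
`adb shell getprop ro.build.fingerprint` and `adb shell dumpsys package`;
real dumpsys output is far longer, only the fields used here are shown.
"""
import re

SAMPLE_FINGERPRINT = "samsung/m0xx/m0:4.3/JSS15J/I9300XXUGMJ9:user/release-keys"

SAMPLE_DUMPSYS = """\
Package [com.android.music] (41f2c3a0):
  codePath=/system/app/Music.apk
  flags=[ SYSTEM HAS_CODE ]
  grantedPermissions:
    android.permission.WAKE_LOCK
    android.permission.READ_EXTERNAL_STORAGE
Package [com.example.player] (42a0b1c2):
  codePath=/system/app/Player.apk
  flags=[ SYSTEM HAS_CODE ]
  grantedPermissions:
    android.permission.SEND_SMS
    android.permission.READ_PHONE_STATE
    android.permission.INTERNET
Package [com.example.chat] (43d4e5f6):
  codePath=/data/app/com.example.chat-1.apk
  flags=[ HAS_CODE ]
  grantedPermissions:
    android.permission.SEND_SMS
    android.permission.READ_PHONE_STATE
"""

PKG_RE = re.compile(r"^Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)")
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.WRITE_SMS"}
IDENTITY_PERMS = {"android.permission.READ_PHONE_STATE"}  # IMEI/IMSI access


def fingerprint_is_release_build(fingerprint: str) -> bool:
    """True for 'user/release-keys' builds. A test-keys or userdebug tag means
    the image was signed with public AOSP keys, i.e. it is not vendor firmware.
    The converse does not hold: release-keys alone does not prove OEM origin."""
    parts = fingerprint.split(":")
    return len(parts) == 3 and parts[2] == "user/release-keys"


def parse_packages(dump: str) -> dict:
    """package name -> {'codePath': str, 'system': bool, 'perms': set}."""
    pkgs, cur = {}, None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            cur = {"codePath": "", "system": False, "perms": set()}
            pkgs[m.group(1)] = cur
            continue
        if cur is None:
            continue
        text = line.strip()
        if text.startswith("codePath="):
            cur["codePath"] = text[len("codePath="):]
        elif text.startswith("flags=["):
            cur["system"] = bool(re.search(r"\bSYSTEM\b", text))
        else:
            m = PERM_RE.match(line)   # also matches 'perm: granted=true' lines
            if m:
                cur["perms"].add(m.group(1))
    return pkgs


def suspicious_system_apps(pkgs: dict, allowlist=frozenset()) -> list:
    """System-partition packages that can send SMS and read the IMEI/IMSI."""
    hits = []
    for name, info in sorted(pkgs.items()):
        on_system = info["system"] or info["codePath"].startswith("/system/")
        if name in allowlist or not on_system:
            continue
        if info["perms"] & SMS_PERMS and info["perms"] & IDENTITY_PERMS:
            hits.append(name)
    return hits


def disable_commands(names) -> list:
    """Disable (not uninstall) a system package for the primary user; this is
    the adb equivalent of the Disable button in the application manager."""
    return [f"adb shell pm disable-user --user 0 {n}" for n in names]


if __name__ == "__main__":
    print("release build:", fingerprint_is_release_build(SAMPLE_FINGERPRINT))
    hits = suspicious_system_apps(parse_packages(SAMPLE_DUMPSYS))
    print("\n".join(disable_commands(hits)))
```

The hits are leads, not verdicts: the stock messaging app on any phone holds the same two permissions, which is what the allowlist is for. The user-installed chat app is skipped on purpose, since anything under /data can be uninstalled normally and is not the case the list above is about.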
February 13, 2014
Doctor Web's security researchers know of several
It consists of several components: the installer which is distributed in the guise of a legitimate application; the agent which performs a variety of tasks (for example, it processes intercepted data, checks which applications are installed in the system, and updates itself); as well as browser extensions for filtering traffic, performing the functions of the agent, and communicating with the intruder’s command and control (C&C) server. The malware’s main objective is to monitor traffic and private data transmitted by bitcoin mining applications. Also, if Bitcoin-Qt is installed on an infected computer,
February 12, 2014
Dr.Web 9.0 offers an entire array of revolutionary innovations that will enhance the security of your PC and make the anti-virus even more reliable. The new Dr.Web behavioural analyser promptly detects the latest modifications of Trojan.Encoder programs to protect user data from being encrypted by malware. It also detects known threats disguised with new packers. Please note that a Dr.Web license also includes protection for a mobile device, as a gift.
With the release of the new Dr.Web version, its developers are confident that users won't need any technical support whatsoever, so the promo licenses do not include it.
Use Dr.Web to protect your computers and you will always be a winner! It's just that simple!
|Buy Dr.Web at 50% off|
February 12, 2014
According to statistics compiled with Dr.Web CureIt! over the course of the year, Trojan.Hosts programs were the most common threats of 2013.
Twenty threats most often found on computers by the end of 2013 (according to statistics from Dr.Web CureIt!) are listed in the table below.
Throughout the year, Doctor Web's analysts monitored the activity of several botnets organized by cybercriminals with the aid of Trojans and file infectors. One of them virtually ceased to exist in the second half of 2013. At the same time, some botnets are still operating and growing in number.
Since September 2011, Doctor Web's analysts have been monitoring two botnets created by the multi-component file infector
By the end of April 2013, the total number of computers that had ever been infected with
Another large botnet consisting of computers infected with the file infector
In May 2013, Doctor Web's analysts found two more representatives of the Rmnet family — these malicious modules were distributed with the file infector Win32.Rmnet and were given the shared name
As of May 22, 2013,
A botnet also exists that consists of computers infected with
Finally, we should say a few words about the
More than 6,700 users whose data had been encrypted by encoder Trojans contacted Doctor Web in 2013. Russians constituted the overwhelming majority, but victims were also found in other countries, mainly Ukraine and other CIS countries, the U.S., Italy and Latin America. Statistics showing encoder Trojan-related support requests by country are presented in the diagram below.
On average, Doctor Web's analysts received 20-50 file decryption requests daily. Fluctuations in the number of requests for help with file decryption, received by Doctor Web between April and December 2013, are illustrated in the graph below.
Many requests were received from users whose systems were infected with
In 2013, blockers that lock Windows and demand money from their victims to unlock it gradually lost popularity among virus writers. They were superseded by encryption Trojans and more "advanced" malware, like representatives of the
As with encoder Trojans, most computers that have been compromised with Windows blockers reside in Russia. The Ukraine ranks second, followed by Belarus and Kazakhstan. Trojan blocker incidents on computers found in France and other EU countries were registered, too.
Remote banking software is the constant focus of intruders' attention. In addition to previously known banking Trojans found in the wild, new threats were identified in 2013. In particular, attacks on payment terminals persisted throughout the year. A new version of
In autumn 2013, Doctor Web's analysts discovered a modification of a Trojan.Ibank program that targets SAP (Systems, Applications and Products) enterprise software (accounting, trade, production, finance, personnel management, warehouse management, etc.). The Trojan runs on both 32-bit and 64-bit versions of Windows and uses different methods to compromise the two platforms. Security experts find virus writers' growing interest in SAP and ERP systems rather disturbing: such Trojans can be used to steal the business-critical information these systems process.
Also in November, Doctor Web reported incidents involving the banking Trojan
Advertising and mining Trojans as the trend of the season
During 2013, Trojans displaying annoying ads regularly appeared on the list of programs most frequently detected on desktops and laptops. Because many such threats spread using affiliate programs that allow attackers to capitalize on the quantity of adware installations, their number is steadily increasing.
Similar features were found in two other Trojans discovered in 2013 —
Mac OS X users didn’t go unnoticed by criminals either. For them, attackers developed Trojan.Yontoo.1 which downloads and installs extensions for Safari, Chrome and Firefox. These extensions are used to display ads while a user browses the web.
Virus-makers who chose to profit from Bitcoin and Litecoin mining sprang into action in the second half of 2013. Discovered by Doctor Web's analysts,
Threats to Linux
IT security experts will also remember 2013 for the increased number of threats to Linux.
Another malware program,
Another modification of this threat —
Apart from the above threats, also added to the Dr.Web virus database were entries for several modifications of Linux-Trojans designed for organized DDoS-attacks—these malicious programs were dubbed Linux.DDoS. Furthermore, threats to Linux discovered over the past 12 months include
Threats to Android
As in the past few years, 2013 was particularly threatening for devices running Android. During this period, the Dr.Web virus database received 1,547 new entries corresponding to malignant, unwanted and potentially dangerous programs, resulting in a total of 2,814 virus definitions. Thus, since the emergence in 2010 of the first malignant Android applications, which at that time numbered 30, their number has increased almost 94 times.
Traditionally, Trojans that send expensive SMS messages and sign up subscribers to chargeable services have posed the greatest threat to users. In particular, such threats include numerous
Malignant programs that steal confidential information were no less dangerous.
In this regard, the continuing growth in offers of illegal services, such as developing and selling malware for Android, is very telling: in addition to SMS Trojans, which were already popular on the black market, cybercriminals added spyware Trojans capable of causing many users serious trouble.
Compared with 2012, the number of
In addition, several Android vulnerabilities that could be exploited to spread various malignant applications were discovered. The Trojans that successfully exploited them included Android.Nimefas.1.origin and
More details about these and other threats can be found in corresponding mobile threat reviews posted on the Doctor Web site.
Scammers employing various techniques to obtain money from Internet users didn't idle away the year either. They often used social engineering and other psychological tricks to deceive those down on their luck (e.g., people looking for extra work). For example, in Russia criminals often registered at job search portals as prospective employers and promised high salaries to lure job seekers to a bogus site. There the victim had to enter a mobile phone number and send back the confirmation code they received in a short message. As a result, the victim ended up subscribed to a chargeable pseudo-service.
Also in 2013, Internet swindlers took to launching convincing, authentic-looking fraudulent portals promoting a wide range of services. Every time visitors refreshed a page on such a site, they saw an advertisement for a different pseudo-service: an audio course that cures varicose veins, meditation that whitens teeth, "proven" methods for getting rid of pimples, countless non-surgical techniques for lip and breast augmentation, a seduction course for teenage girls, and, of course, long-distance fertility treatment for women. It should be noted that while our analysts knew about most of the above "courses", the offer to become pregnant by listening to a CD appeared quite recently.
Another trend of 2013 was the appearance of a large number of sites offering to treat serious diseases like tuberculosis with dried mole crickets—insects of the order Orthoptera.
Other entirely traditional online swindles have become widespread. These involve magical rituals for which gullible users are encouraged to buy certificates; magic candles imbued with the energy of love, harmony and happiness; as well as Pharaoh cylinders, allegedly crafted by Russian scientists on the basis of ancient Egyptian manuscripts that have miraculously survived to this day. In addition, fraudsters designed several web pages where visitors were invited to "download" the emanations of different medicines from a special "information center", after which the trusting users were asked to wait while the healing light was being recorded on a CD.
Dating sites also saw their share of fraud. Scammers posing as foreigners offered women expensive gifts (tablets, smartphones or jewellery). However, because the gifts were of great value, they could only be sent via a private courier service, whose site had also been designed by the fraudsters. There the victims were informed that the sender had failed to cover the full shipment cost and were asked to pay the shipping charges themselves. Naturally, soon after payment was made, the courier service and the generous suitor vanished.
Doctor Web urges users to be careful and exercise caution when dealing with suspicious offers and casual acquaintances online. Do not submit your phone number on suspicious sites, and do not enter confirmation codes received in SMS messages. Network scammers can be very creative, so there’s no harm in being cautious and slightly suspicious.
Based on the current situation in the information security field, we can assume that threats to Android will continue to grow in number. In September 2013, Doctor Web's analysts discovered the largest known botnet comprised of mobile devices infected with several
The emergence in the public domain of malware construction kits, allowing even inexperienced programmers to create new versions of encoder Trojans, will probably entail a rise in the number of infections being caused by these malicious programs. The geographical spread of encoder Trojans is likely to expand, too.
As Bitcoin-like systems multiply, so will Trojans that utilise the hardware of compromised systems for mining. In all likelihood, the attackers will increasingly make use of the Tor network as well as P2P networks to facilitate communication between malicious programs and C&C servers. The number of advertising Trojans, including those disguised as browser extensions, will increase markedly, too.
February 6, 2014
In particular, it corrects the defect that could cause error 1722 when a scan was started.
In addition, it increases the utility's launch speed.
February 6, 2014
The component has been rolled back because of an issue that caused it to terminate abnormally while retrieving mail over IMAP from a server that uses the LITERAL+ extension. The error occurred only when mail was checked over an unencrypted connection.
The component will be rolled back to the previous version automatically.
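For readers unfamiliar with the extension named in the notice: with a plain RFC 3501 literal the client writes `{n}`, waits for the server's `+` continuation, and only then sends the n octets; with LITERAL+ (RFC 2088) it writes `{n+}` and sends the octets immediately. Anything that parses the mail stream in the path, such as a traffic-filtering component, has to read the literal body by octet count in both cases and must not wait for a continuation that will never come. The parser below is an added example, not Dr.Web's component; SAMPLE_STREAM is a constructed client-side byte stream with the server's replies omitted.

```python
"""Split a client-to-server IMAP byte stream into commands, honouring literals.

Added example, not Doctor Web's code. Handles both synchronising literals
({n}, RFC 3501) and non-synchronising LITERAL+ literals ({n+}, RFC 2088).
"""
import re

LITERAL_RE = re.compile(rb"\{(\d+)(\+?)\}$")  # literal marker ends the line

# Constructed client-side stream; server responses are not shown.
SAMPLE_STREAM = (
    b"A001 LOGIN alice secret\r\n"
    # LITERAL+: the 11 octets follow at once, no continuation round-trip.
    b"A002 APPEND INBOX {11+}\r\nHello world\r\n"
    # Synchronising literal; the server's '+' would sit between these lines.
    # The body contains braces and must be read by count, not tokenised.
    b"A003 SEARCH SUBJECT {7}\r\n{weird}\r\n"
    b"A004 LOGOUT\r\n"
)


def parse_client_stream(stream: bytes) -> list:
    """Return one dict per command: its text with literal bodies elided, the
    literal bodies, and how many server round-trips ('+') it requires."""
    commands, pos = [], 0
    while pos < len(stream):
        cmd = {"text": b"", "literals": [], "sync": 0, "nonsync": 0}
        while True:
            end = stream.find(b"\r\n", pos)
            if end < 0:
                raise ValueError("truncated command line at offset %d" % pos)
            line = stream[pos:end]
            pos = end + 2
            cmd["text"] += line
            m = LITERAL_RE.search(line)
            if not m:
                break                  # CRLF without a trailing literal ends the command
            size = int(m.group(1))
            if m.group(2):
                cmd["nonsync"] += 1    # {n+}: octets follow immediately
            else:
                cmd["sync"] += 1       # {n}: client waits for the server's '+'
            if pos + size > len(stream):
                raise ValueError("truncated literal at offset %d" % pos)
            cmd["literals"].append(stream[pos:pos + size])
            pos += size                # opaque octets: may contain CRLF or braces
        commands.append(cmd)
    return commands


if __name__ == "__main__":
    for c in parse_client_stream(SAMPLE_STREAM):
        print(c["text"], c["literals"], "round-trips:", c["sync"])
```

The two failure modes a filter must avoid are visible in the sample: treating `{11+}` like `{11}` and waiting for a `+` that never arrives stalls the session, and tokenising the `{weird}` body as if it were protocol syntax desynchronises the parser from the stream. Whatever the actual defect behind the rollback was, a filter only sees this traffic on unencrypted connections, which is consistent with the notice.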
February 4, 2014
According to statistics compiled in January with Dr.Web CureIt!,
The botnet created by hackers using the multi-component file infector
The number of computers on which Dr.Web software detected
The number of computers running Mac OS X, and infected with
New ad Trojan
In January, Doctor Web's analysts found in the wild a new advertising Trojan spread by means of Facebook spam:
The plug-ins impede web browsing, display ads and can also download other unwanted software onto the computer. When pages of popular social networking sites (Twitter, Facebook, Google, YouTube and VKontakte) are loaded in the browser, the plug-ins have been found to load additional dubious JavaScript into them. More information about this malware can be found in a review published on Doctor Web's site.
Threats to Android
Android users will above all remember January for the appearance of the first-ever bootkit for this OS. The malware, entered into the Dr.Web virus database as
According to Doctor Web's security researchers, in late January the number of mobile devices infected with
More information about this threat can be found in a corresponding publication on Doctor Web's site.
When launched, the Trojan would delete the shortcuts and collect personal information, including the SMS history, the call log and GPS coordinates. In addition, the malware could activate the mobile device’s camera and microphone; it would also index images and create thumbnails for them. All the acquired information was uploaded to an intruder-controlled server. On top of all that, if able to gain root access,
Also discovered in the past month was a malicious program on Google Play. In particular, the Trojan dubbed
Contrary to the expectations of users who wanted to install and play the game, the Trojan was installed under the guise of an application for accessing Google Play. In the background it covertly loaded web pages from a predefined list of addresses, helping enterprising criminals profit from the artificially inflated traffic to those sites and from taps on ads. The application was downloaded at least 10,000 times, so even if it was promptly removed by disappointed users,
In addition, in January criminals continued to spread malicious Android applications in South Korea. Over the month, Doctor Web's security researchers registered over 140 such incidents, slightly fewer than in December 2013. The most common Trojans in January included
Malicious files detected in mail traffic in January
|01.01.2014 00:00 - 31.01.2014 23:00|
Malicious files detected on user computers in January
|01.01.2014 00:00 - 31.01.2014 23:00|
February 4, 2014
From January 1-30, Dr.Web for Android registered 11,063,873 detections of malicious or unwanted programs, about 300,000 threats a day. Saturday, January 11, accounted for the highest number of detections (589,172), while the fewest (293,078) were registered on January 1.
In terms of the total number of threats to Android detected, Moscow is the most severely "infected" city in the world. Baghdad ranks second. Third and fourth places are taken by the Saudi cities of Riyadh and Jeddah. Cities ranked according to the number of threats identified in January 2014 are shown below.
It should be noted that 85.7% of malware programs are detected on smart phones; tablets account for only 14.3% of virus incidents.
Users will also remember January 2014 for the appearance of the first-ever Android bootkit which was added to the Dr.Web virus database as
As of January 30, 2014, the number of mobile devices infected with
Most Dr.Web users live in Russia. Dr.Web for Android also enjoys considerable popularity among residents of Saudi Arabia, Iraq, Kazakhstan, Turkey and Ukraine. The breakdown of users between Dr.Web for Android and Dr.Web for Android Light is shown below.
Just like last year, the vast majority of users who are installing Dr.Web for Android own Samsung-manufactured devices. Samsung GT-I9300 Galaxy S III (8.26%) was the most popular device in January 2014. Samsung GT-S7562 Galaxy S Duos (3.98%) ranked second, followed by Samsung GT-I9100 Galaxy S II (3.73%). The least common devices running Dr.Web for Android include Craig CMP741D, Hisense E920, Kyocera ISW11K, Motorola A1680 and NEC N-07D (only one device per model in the world).
Doctor Web's analysts will continue to monitor the statistics and inform users about the latest threats and the overall security situation.
February 4, 2014
In particular, it upgrades the anti-rootkit module to speed up the anti-virus's launch and, accordingly, reduce Windows boot time, and improves the Dr.Web Process Dumper routine. It also introduces additional tweaks to the Anti-rootkit API that enhance its stability.
The firewall issue involving its possible abnormal termination while interacting with Google Chrome has been resolved.
Also corrected is a self-defence module defect that prevented a Russian security product from starting on the system.
Adjustments to the traffic filtering service resolve errors that could occur during interaction with VMware vSphere, network printers and multifunction printers from certain manufacturers.
The update also incorporates help files in Spanish, Japanese and Polish and corresponding tweaks for the language modules.
The update will be performed automatically; however, a system reboot will be required.