News of Doctor Web

16.05 Dr.Web for Android 8.0: faster, friendlier and more reliable

May 16, 2013

Doctor Web has released the eighth version of Dr.Web for Android. Version 8.0’s major innovations include faster scanning on multi-core smart phones, Android 4.2 support, and Anti-theft Module recognition of multiple, trusted SIM cards.

Anti-virus scans on the latest Android smart phones are now significantly faster thanks to multi-thread scanning that divides tasks between the CPU cores.

The new version supports Android 4.2.

With Dr.Web for Android 8.0 you can use multiple trusted SIM cards with the Anti-theft enabled. Now, if you regularly switch between several SIM cards on one smartphone, you can add these SIM cards to your trusted list, so that the Anti-theft won't block access to the device when changing them. You can add SIM cards to your trusted list when you restart the device or when launching Dr.Web for Android.

Dr.Web also now lets you disable the detection of adware and riskware by the file monitor SpIDer Guard and the anti-virus scanner.

In addition, Dr.Web for Android can send statistics about its operation to Doctor Web with the user's consent. To use this feature, after installing version 8.0, you will need to accept the license agreement again.

In addition to the aforementioned innovations, several upgrades have also been made. Now, if SpIDer Guard and the anti-spam service are terminated, they will be restarted automatically.

Version 8.0 also includes Latvian and Estonian language support and tweaks that have been made to the custom scan interface.

Among other things, known defects have been corrected. In particular, the scanning process no longer decelerates as soon as the device's screen turns off and scanning can no longer be interrupted by touching the screen. A widget display issue that had the ability to impact certain devices has also been fixed.

The new version of Dr.Web for Android is available on Google Play (Dr.Web Anti-virus, Dr.Web Anti-Virus Life license) and on Doctor Web's site (Dr.Web for Android).

Dr.Web for Android will be updated to version 8.0 automatically. If automatic updates are disabled on the device, go to Google Play, choose Dr.Web Anti-virus (paid) or Dr.Web Anti-Virus Life license on the application list, and click "Update".

For updates via Doctor Web's site, download a new distribution file. If the option “New application version” is enabled, a new version notification will be displayed when updating the virus databases. You can start the download directly from this dialogue box.

13.05 April 2013 virus activity review from Doctor Web

May 13, 2013

IT security experts will remember April 2013 for several remarkable events. At the beginning of the month, Doctor Web's analysts hijacked a rapidly growing botnet comprised of computers infected with BackDoor.Bulknet.739. The middle of April saw the discovery of a new Trojan of the most common family, Trojan.Mayachok, and an upsurge of spam containing subject matter related to the terrorist acts that occurred in Boston. It was a rough time for handhelds, too, with 28 infected applications spread via Google Play to as many as five million devices.

Viruses

According to statistics collected by Dr.Web CureIt!, the number of machines infected with Trojan.Hosts malware declined in the past month. The programs in question modify the hosts file which contains DNS server addresses. However, infections with Trojan.Hosts constituted more than 4.78% of the total infections which amounts to 40,000 detected malicious samples. The most common Trojan.Hosts modifications are listed in the table below.

Trojan.Hosts modifications    %
Trojan.Hosts.6815             1.84
Trojan.Hosts.6838             0.99
Trojan.Hosts.6708             0.42
Trojan.Hosts.6814             0.19
Trojan.Hosts.6897             0.18
Trojan.Hosts.6613             0.16
Trojan.Hosts.6809             0.15
Trojan.Hosts.5587             0.14
Trojan.Hosts.5268             0.14
Trojan.Hosts.6722             0.14
Trojan.Hosts.7154             0.13
Trojan.Hosts.6466             0.11
Trojan.Hosts.6294             0.10
Trojan.Hosts.7703             0.09

Doctor Web attributes such a large number of infections to multiple incidents of websites being compromised—the company published a report on this in March.

According to data gathered by Dr.Web CureIt!, Trojan.Mods.1 (earlier known as Trojan.Redirect.140), became one of the most common Trojans in April 2013. This program redirects browsers to bogus web pages. BackDoor.IRC.NgrBot.42 and Trojan.Zekos were also found in large numbers. Available for 32- and 64-bit versions of Windows, the latter can intercept DNS queries of Internet Explorer, Mozilla Firefox, Google Chrome, Opera and Safari. Consequently, when attempting to go to an address, the user ends up on a web page crafted by criminals; meanwhile, the correct URL will be displayed in the address bar. Virus writers use this method to prompt the user, their potential victim, to submit a phone number into a field and reply to a short message; doing so signs the user up to a chargeable service.

The table below lists the most common threats detected with Dr.Web CureIt! on home computers in April 2013.

No.  Threat                      %
1    Trojan.Mods.1               3.07
2    Trojan.Hosts.6815           1.84
3    BackDoor.IRC.NgrBot.42      1.28
4    Trojan.Hosts.6838           0.99
5    Trojan.Zekos                0.87
6    Win32.HLLW.Phorpiex.54      0.76
7    Trojan.SMSSend.2363         0.73
8    Win32.HLLP.Neshta           0.72
9    Trojan.Packed.23938         0.58
10   Trojan.Packed.142           0.56
11   BackDoor.Andromeda.22       0.56
12   Trojan.StartPage.48148      0.56
13   Trojan.Packed.23971         0.55
14   Trojan.MulDrop4.25343       0.54
15   BackDoor.Gurl.2             0.52
16   Win32.Sector.22             0.47
17   Trojan.Hosts.6708           0.42
18   Trojan.PWS.Panda.2401       0.37
19   Trojan.PWS.Stealer.1932     0.35
20   Exploit.CVE2012-1723.13     0.33

Botnets

In early April, Doctor Web's analysts managed to gain control over a control server of a botnet comprised of computers infected with BackDoor.Bulknet.739. This malware sends massive volumes of spam and can execute criminal commands including commands to perform updates, download new message templates or spam mailing lists, or stop sending spam. If the program terminates abnormally, it can notify the intruders.

Computers infected with BackDoor.Bulknet.739 contacted the server controlled by Doctor Web's analysts. Statistics collected by the virus analysts helped greatly to analyse this malware, the details of which can be found in one of our previously published reviews.

The growth rate of the botnet created with the file infector Win32.Rmnet.12 remained unchanged: 569,274 infected computers joined the network in April, and the total number of infected machines has reached 9,232,024. The diagram below illustrates how the network expanded:

Another botnet, formed by a related file infector Win32.Rmnet.16, showed a significant drop in its growth rate compared with previous months, with around 500 new joiners in April, and reached a total of 262,604 infected hosts (against 262,083 hosts at the end of March). It should be noted that this is the lowest rate of growth demonstrated by the Win32.Rmnet.16 botnet over the last year. A similar tendency persists with regard to the BackDoor.Finder botnet which grew by only 114 nodes in April, and the daily number of corresponding infections ranged between 1 and 3. If this trend continues, it will be possible to speak about a decline in the spread of these malicious programs and state that the aforementioned botnets have almost stopped growing.

The threat of the month

A new representative of the well-known malicious family Trojan.Mayachok was one of the most peculiar threats analysed by Doctor Web in April. Despite the fact that analysts currently know about 1,500 species of the family, Trojan.Mayachok.18607 is quite different from the rest: apparently, its developers decided to completely rewrite the program while keeping some of its basic features.

Trojan.Mayachok.18607 can infect both 32- and 64-bit versions of Windows. Trojan.Mayachok.18607’s main function is to implement web injects: as users load various web pages, the malware embeds third-party content into them. Google Chrome, Mozilla Firefox, Opera and several versions of Microsoft Internet Explorer, including the latest one, are at risk. When the user of an infected machine visits some popular sites, genuine web pages are displayed in the browser window; these pages contain content injected by the Trojan.

The attackers’ main objective is to force the user to enter their mobile phone number into a specific field. After that they are subscribed to services promoted by http://vkmediaget.com for a fee of 0.60 USD per 24 hours.

Encoders on the offensive

Encoder Trojans are among the most dangerous threats in the modern IT world. Two such programs, Trojan.Encoder.205 and Trojan.Encoder.215, were spread on a large scale in April. Trojan.Encoder programs seek out music, Microsoft Office, image and archive files on the hard drives of infected computers and then encrypt them. After that they display a demand requiring that the user pay as much as several thousand dollars to decrypt the data.

Spread with spam, these Trojans can do a lot of damage: several hundred systems have already been compromised by the encoders. More information on how to neutralize such threats can be found in news material published by Doctor Web.

Threats to Android

The second month of spring 2013 once again confirmed that Android is the main target for cybercriminals interested in mobile platforms. Throughout April, Doctor Web's analysts discovered new malicious Android applications whose definitions were promptly added to the Dr.Web virus databases.

The discovery on Google Play of programs containing the malicious adware module Android.Androways.1.origin became one of the most significant events related to Android security. Criminals distributed the module as part of their seemingly harmless ad network which enables developers to integrate the module into their software so that it generates revenue. Similarly to legal ad network modules, Android.Androways.1.origin can display push notifications in the status bar; however, these messages can be used to show fake prompts to update various programs. If the user agrees to an update, they risk downloading an Android.SmsSend program to their device.

In addition, Android.Androways.1.origin can execute a number of commands from a remote server and upload such information as the device's phone number and IMEI, and the operator code to the server. More detailed information about this threat can be found in our news material.

Trojan horses primarily targeting devices used in China stand out from the multitude of malware designed to attack Android. Criminals usually embed them into legitimate applications. Various software catalogues and forums remain the most popular ways to distribute them. In April, Doctor Web's analysts discovered several such malicious programs. These include Android.Uapush.2.origin, Android.MMarketPay.3.origin, Android.DownLoader.17.origin, and several versions of Android.Infostealer spy programs and a number of SMS Trojans.

Android.Uapush.2.origin is a Trojan horse whose main purpose is to display advertising messages in the notification bar. However, it also has other functions. In particular, Android.Uapush.2.origin collects information about browser bookmarks, outbound calls, address book contact details and personal information stored by the IM client QQ. The Trojan uploads stolen information to a remote server.

Android.MMarketPay.3.origin is a malicious program discovered in early April. This Trojan is a modification of malware that Doctor Web reported on last year. Similarly to its predecessor, Android.MMarketPay.3.origin is designed to automatically buy applications on the Mobile Market portal maintained by the carrier China Mobile. This program can bypass the online store’s security restrictions and cause significant damage to Chinese users' finances by covertly purchasing applications.

As for Android.DownLoader.17.origin, it is a Trojan downloader that can download other applications from the Internet. Once the apk-package is downloaded, Android.DownLoader.17.origin attempts to install it. This Trojan was found in a large number of games and other applications available for downloading from several Chinese sites, so it can be assumed that the criminals who made it have ambitious plans with regard to the program. In particular, they can use it to increase the rating of applications or adjust the installations counter for programs distributed from partner sites. The illustration below provides information about some of the compromised applications that contain Android.DownLoader.17.origin.

Discovered in April, Android.Infostealer.4.origin, Android.Infostealer.5.origin and Android.Infostealer.6.origin are Trojans that steal such sensitive information as a device's IMEI, phone number and list of installed applications and send this data to a remote, criminal-controlled server.

In the past month, cybercriminals didn't spare other East Asian countries, namely South Korea and Japan. An entry concerning the program Android.SmsSpy.27.origin, which also steals information, was added to the Dr.Web virus database at the end of the past month. This malware, which steals incoming short messages and sends them to a remote server, is spread as a Japanese and Korean version of a UI theme for Vertu phones.

Malicious files detected in mail traffic in April

01.04.2013 00:00 - 30.04.2013 23:00

No.  Threat                      %
1    Trojan.PWS.Panda.3734       1.30%
2    Trojan.Inject2.23           1.11%
3    JS.Redirector.155           0.95%
4    Trojan.Necurs.97            0.88%
5    Trojan.Packed.196           0.77%
6    Win32.HLLM.MyDoom.54464     0.72%
7    Trojan.PWS.Stealer.2877     0.65%
8    Win32.HLLM.MyDoom.33808     0.51%
9    Trojan.Packed               0.51%
10   SCRIPT.Virus                0.39%
11   Trojan.Oficla.zip           0.37%
12   BackDoor.Comet.152          0.37%
13   Trojan.PWS.Stealer.2830     0.37%
14   Trojan.PWS.Panda.547        0.35%
15   Win32.HLLM.Beagle           0.32%
16   Trojan.PWS.Panda.2401       0.30%
17   Trojan.MulDrop2.64582       0.26%
18   Trojan.PWS.Stealer.1932     0.25%
19   Trojan.PWS.Panda.655        0.25%
20   Trojan.Siggen5.13188        0.21%

Malicious files detected on user computers in April

01.04.2013 00:00 - 30.04.2013 23:00

No.  Threat                          %
1    SCRIPT.Virus                    0.68%
2    Adware.Downware.915             0.65%
3    Tool.Unwanted.JS.SMSFraud.26    0.55%
4    Adware.Downware.179             0.47%
5    Adware.InstallCore.99           0.39%
6    JS.Redirector.189               0.38%
7    JS.IFrame.387                   0.37%
8    Trojan.Packed.24079             0.36%
9    Adware.InstallCore.101          0.36%
10   Trojan.Redirect.140             0.34%
11   Adware.Webalta.11               0.34%
12   Tool.Unwanted.JS.SMSFraud.10    0.33%
13   JS.Redirector.188               0.33%
14   JS.Redirector.175               0.31%
15   Trojan.Fraudster.394            0.31%
16   Win32.HLLW.Shadow               0.30%
17   Win32.HLLW.Autoruner.59834      0.29%
18   Tool.Skymonk.11                 0.29%
19   Adware.Downware.1109            0.28%
20   Trojan.Fraudster.407            0.27%

07.05 Dangerous Trojan substitutes web pages

May 7, 2013

Specialists from the Russian anti-virus company Doctor Web have studied one of the most widespread threats in April 2013, the Trojan Trojan.Mods.1, formerly known as Trojan.Redirect.140. According to statistics compiled by the curing utility Dr.Web CureIt!, the number of infections with this Trojan represents 3.07% of the total number of detected threats. A summary of the study can be found below.

The Trojan has two components: the dropper and the dynamic link library which stores the payload. During installation, the dropper creates a copy of itself in one of the folders on the hard drive and launches that copy. In Microsoft Windows Vista, the dropper can be launched as a Java update that requires user confirmation to bypass User Account Control.


The dropper then saves the main library to the hard drive. The library injects its code into all running processes on the infected computer but operates only in the processes of the following browsers: Microsoft Internet Explorer, Mozilla Firefox, Opera, Safari, Google Chrome, Chromium, Mail.Ru Internet, Yandex.Browser, and Rambler Nichrome. The configuration file containing all the data needed to run Trojan.Mods.1 is encrypted and stored in the dynamic link library.

Trojan.Mods.1 is chiefly designed to replace web pages visited by users with malicious web pages by intercepting the system functions responsible for translating DNS names to IP addresses. As a result, instead of the sites they have requested, users are redirected to fraudulent pages where they are asked to enter a mobile phone number and reply to an SMS sent from the short number 4012. If they comply, a certain amount will be debited from their account.


The architecture of Trojan.Mods.1 contains a special algorithm that allows redirection to a certain group of addresses to be disabled.

The signature of this threat has been added to the Dr.Web virus database, so Trojan.Mods.1 does not pose a serious threat to systems protected by Doctor Web products.

29.04 Scanning Engine service in Dr.Web 8.0 for Windows updated

April 29, 2013

Doctor Web has updated the Scanning Engine service (8.1.0.201304260) in Dr.Web Security Space and Dr.Web Anti-virus 8.0 for Windows.

The update resolves an issue in which SpIDer Guard would stop scanning files if the option to check running programs and modules was disabled.

The update will be automatically downloaded by the anti-viruses, but applying it will require a system reboot.

25.04 Dr.Web for IBM Lotus Domino updated

April 25, 2013

Russian anti-virus company Doctor Web has updated the plugin Dr.Web for IBM Lotus Domino for Linux to version 6.0.2.1. The plugin is designed to protect IBM Lotus Domino servers from viruses and spam.

The updated version of the module supports Red Hat Enterprise Linux (RHEL) 6 and Novell SuSE Linux Enterprise Server (SLES) 11 and incorporates updates of all plug-in components, including Dr.Web Virus Finding Engine, Dr.Web Daemon and Dr.Web Updater.

To install the new version of Dr.Web for IBM Lotus Domino you need to uninstall the previous one. All the current settings and the quarantine database will be deleted. If necessary, back up the database found in the Dr.Web directory.

24.04 Components in Dr.Web 8.0 products for Windows updated

April 24, 2013

Russian anti-virus company Doctor Web has released an update for the Dr.Web Anti-rootkit Service (8.3.0.201304151), the Scanning Engine (8.1.0.201303280) and the file monitor Dr.Web SpIDer Guard (8.00.03.01110) incorporated in Dr.Web Security Space and Dr.Web Anti-virus 8.0 for Windows.

The scanning service tweaks improve overall performance, accelerate the launch of processes and speed up file scanning. Also, the service no longer needs Windows API to detect system processes, so they can be removed from the list of scanned objects. This significantly increases system boot-up speed and accelerates the launch of trusted applications.

The updated Dr.Web SpIDer Guard can use some Dr.Web Anti-rootkit Service routines and, if necessary, utilize the service to neutralize threats.

The update also resolves known issues to improve the overall stability of Dr.Web Security Space and Dr.Web Anti-virus 8.0 for Windows.

  • An error that could cause a system failure when the Dr.Web Anti-rootkit Service was running has been fixed.
  • Also resolved was a problem involving system files being processed longer than they should have been while removable data storage devices were being initialized at the same time when incorrect settings were being used to establish an Internet connection.
  • A defect keeping the size of the quarantine from resetting after being cleaned has been corrected.
  • Previously, malignant files were being moved to the local disk quarantine from a removable media device even if the option to create the quarantine on a removable media had been enabled; that issue has been fixed.
  • The error message “Access denied or incorrect program usage” was being displayed when Dr.Web was being removed, and that issue has also been rectified.

The update will be performed automatically; however, a system reboot will be required.

24.04 Windows versions of Dr.Web 6.0 products for Kerio mail servers and Internet gateways updated

April 24, 2013

Doctor Web has updated the sixth version of its products Dr.Web for Kerio mail servers and Dr.Web for Internet gateways Kerio.

Dr.Web for Kerio mail servers now supports Kerio Connect 8.0 and later, and Dr.Web for Internet gateways Kerio is now compatible with Kerio Control 7.0.0–7.4.2. The Dr.Web Virus Finding Engine has been updated in both products.

To update Dr.Web for Kerio mail servers or Dr.Web for Internet gateways Kerio, download the updated distribution and reinstall the application after removing the installed program.

23.04 Twenty eight apps on Google Play spread Trojans

April 23, 2013

Russian anti-virus company Doctor Web is warning users that twenty-eight applications incorporating a malicious adware module that can download Trojans to Android devices have been discovered on Google Play. The total number of installations of these programs has reached several million.

Advertising in applications for Android has long been successfully used by various developers to generate income from their work: it is a legal and a very convenient way to get compensated for time and money spent creating software. It was in 2011 when crafty cybercriminals also decided to use mobile ad networks to spread Trojans. Android.SmsSend programs designed to send short messages to premium numbers and subscribe users to chargeable services are the most popular among them. Doctor Web recently reported an incident involving such a program. However, the list of malware being spread in such a way is expanding.

Despite the fact that ad networks like Google AdMob, Airpush, and Startapp meet criminals' demands, intruders decided to go even further and created an ad network of their own. At first sight, it appears quite similar to others: Android software developers are offered very favourable advertising API usage terms, and are promised a high and steady income and easy account management. So it's hardly surprising that some developers became very interested in the ad network.

The advertisement API provides push notification ads that deliver small alerts to an Android phone's notification bar. However, there are also some undocumented features.

Push ads sent via the ad network can prompt a user to install an important update for a certain application. If an unsuspecting user agrees to install this update, the advertising module downloads an apk package and places it into the download directory /mnt/sdcard/download on the memory card. The module can also create a shortcut linked to the downloaded package, so if the user taps on it, it will start the installation of the downloaded program.

An investigation conducted by Doctor Web's analysts revealed that such apk-files contain Android.SmsSend Trojans. Analysts also found that these malicious programs were being downloaded from various fake application catalogues. The ad module in three analysed applications would connect to a control server at 188.139.xxx.xx, while the module in the remaining 25 apps would try to connect to a server at 91.226.xxx.xx. These IP addresses were promptly added to the Dr.Web Parental Control database, so access to the respective sites is blocked.

Below you can find a full list of the commands sent by a controlling server to the malignant module:

  • news – display a push-notification
  • showpage – open a web page in a browser
  • install – download and install an apk package
  • showinstall – show a push-notification about the installation of an apk package
  • iconpage – create a shortcut to a web page
  • iconinstall – create a shortcut to the downloaded apk package
  • newdomen – change the control server address
  • seconddomen – an alternate server address
  • stop – stop sending queries to the server
  • testpost – re-send a request
  • ok – do nothing

In addition to executing these commands, the fraudulent module is also able to collect and send the device's IMEI, operator code, and the phone number to the server.
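An added example, not Doctor Web's detection logic or code from the article: a Python triage heuristic that checks string constants extracted from an Android app against the command names listed above, using the download directory from the article as supporting evidence. The sample string lists, the thresholds, the choice of which names count as distinctive and the TelephonyManager getter names are assumptions of this example.

```python
"""Triage string constants from an Android app against the ad-module
command vocabulary listed in the article (added example)."""

# Command names exactly as listed in the article.
COMMANDS = frozenset({
    "news", "showpage", "install", "showinstall", "iconpage", "iconinstall",
    "newdomen", "seconddomen", "stop", "testpost", "ok",
})
# Assumption of this example: "news", "install", "stop" and "ok" are too
# ordinary to count as evidence, so only the remaining names are scored.
DISTINCTIVE = COMMANDS - {"news", "install", "stop", "ok"}

# Download directory named in the article.
DOWNLOAD_DIR = "/mnt/sdcard/download"

# Assumption: standard TelephonyManager getters an app could use to read the
# IMEI, phone number and operator code; the article does not name the APIs.
TELEPHONY_GETTERS = frozenset({
    "getDeviceId", "getLine1Number", "getSimOperator", "getNetworkOperator",
})


def triage(strings, min_distinctive=4):
    """Score the string constants of one app.

    Commands and getters must match a whole constant, so "installer" or
    "showpages" do not count. The download directory may be a prefix of a
    longer path, so it is matched as a substring.
    """
    constants = {s.strip() for s in strings if s and s.strip()}
    commands = constants & COMMANDS
    distinctive = constants & DISTINCTIVE
    telephony = constants & TELEPHONY_GETTERS
    download_dir = any(DOWNLOAD_DIR in s for s in constants)

    if len(distinctive) >= min_distinctive and (download_dir or telephony):
        verdict = "flag"        # vocabulary plus supporting behaviour
    elif len(distinctive) >= 2:
        verdict = "review"      # partial vocabulary, needs a human look
    else:
        verdict = "no-match"
    return {
        "commands": sorted(commands),
        "distinctive": sorted(distinctive),
        "telephony": sorted(telephony),
        "download_dir": download_dir,
        "verdict": verdict,
    }


# Constructed sample: constants of an app embedding the full vocabulary.
SAMPLE_ADMODULE = [
    "news", "showpage", "install", "showinstall", "iconpage", "iconinstall",
    "newdomen", "seconddomen", "stop", "testpost", "ok",
    "/mnt/sdcard/download/", "getDeviceId", "getLine1Number",
    "http://adserver.example.invalid/api",
]
# Constructed sample: an ordinary app that shares only the common words.
SAMPLE_BENIGN = [
    "news", "install", "ok", "stop", "installer", "showpages",
    "getDeviceId", "/sdcard/Download/cache",
]

if __name__ == "__main__":
    for name, sample in (("admodule", SAMPLE_ADMODULE),
                         ("benign", SAMPLE_BENIGN)):
        result = triage(sample)
        print(name, result["verdict"], result["distinctive"])
```
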

The advertising API is particularly dangerous because applications that use it are found on Google Play, which de facto is the safest source of programs for Android. Many users have come to trust the security of Google Play, so the number of installations of the software that features the advertising module is very large. Since statistics about downloads of applications from Google Play are hard to get, Doctor Web can't say exactly how many devices have been compromised, but it can be assumed that the number exceeds 5.3 million handhelds. This is the largest and most massive case of infection on Google Play since Google Bouncer was introduced.

Considering the advertising API’s malignant features and the connection between the ad network and sites spreading malware for Android, Doctor Web has classified this module as belonging to adware designed to perform malicious tasks. The module has been added to the virus databases as Android.Androways.1.origin and poses no threat to devices running Dr.Web anti-virus for Android.

22.04 Components in Dr.Web 8.0 products for Windows updated

April 22, 2013

Russian anti-virus company Doctor Web has released an update for the following components of Dr.Web Security Space and Dr.Web Anti-virus 8.0 for Windows: Dr.Web Net Filtering Service (8.0.5.04180), Dr.Web Net Filter driver for Windows (7.0.4.03030), and Dr.Web Control Service (8.1.0.04190).

Now upon upgrading from version 7, Dr.Web Net Filtering Service will use the settings from the previous installation. HTTPS links on the blacklist are now blocked, even if the option to scan encrypted traffic is disabled. An issue involving traffic of applications featuring Metro UI not being scanned has been resolved. A compatibility issue between Dr.Web and the T-Mobile mail client has also been resolved.

An updating defect of the Dr.Web Control Service has been corrected.

The update will be performed automatically; however, a system reboot will be required.

18.04 Updates made in Dr.Web SelfPROtect and Dr.Web Updater in Dr.Web 8.0 for Windows

April 18, 2013

Russian anti-virus company Doctor Web has updated the Dr.Web SelfPROtect module (the new version is 8.01.00.01170) and Dr.Web Updater (8.0.4.04080) in Dr.Web Security Space and Dr.Web Anti-virus 8.0 for Windows. The update resolves known issues.

In particular, it corrects a defect that could cause the self-protection module to terminate abnormally when installing Dr.Web, when upgrading from version 6.0, or when compatibility issues existed between the module and the NVIDIA ForceWare Network Access Manager.

Also resolved was an issue involving Dr.Web SelfPROtect, whereby a system restore point could not be created under Windows 8.

The update will be performed automatically; however, a system reboot will be required. Please note that it may take longer than usual to boot up for the first time after updating.

17.04 Fake anti-virus for Android spreads via ads in other applications

April 17, 2013

Russian anti-virus company Doctor Web is warning users about a new fraud scheme. It involves various Android programs displaying advertisements that prompt users to scan their mobile devices for viruses and then lure them into downloading a fake anti-virus for Android. The bogus anti-virus is really a Trojan belonging to the Android.Fakealert family.

Ads displayed by Android applications have long been exploited by criminals to spread malware. Being an effective and relatively inexpensive means to reach a wide audience, advertisements are often used in schemes. Ads found by Doctor Web's analysts this time offer Android users virus scans. If users accept the offer, they are redirected to a website from which they can download an "anti-virus" which, in fact, is the malicious program Android.Fakealert.4.origin.

Analysts have been aware of Trojans of the family Android.Fakealert since October 2012. These programs pose as fully functional anti-viruses and pretend to detect threats. To get rid of malware that has supposedly been found, the user must pay a certain amount. Users of PCs know this scheme well.

Once Android.Fakealert.4.origin is installed and launched, it notifies the user that a threat has been detected, but, as is to be expected, the user has to buy a full version of the program to neutralize it.

In addition to displaying infection alerts in its main menu, Android.Fakealert.4.origin can also display corresponding messages in the notification panel.

Doctor Web urges Android users to be more sceptical about various ads displayed by applications and to use reliable anti-virus software, when necessary.

11.04 Components in Dr.Web 8.0 products for Windows updated

April 11, 2013

Doctor Web has updated SpIDer Agent and the Dr.Web Control Service in Dr.Web Security Space and Dr.Web Anti-virus 8.0 for Windows.

Changes have been made to SpIDer Agent (8.1.0.04080) so that users can now adjust the window size in the application settings. A UI display issue involving fonts, icons and other objects scaling improperly has been resolved. In addition, other tweaks have been made to the interface.

The update to Dr.Web Control Service (8.1.0.04090) has accelerated Dr.Web’s launch during system startup.

Also, the products now support the Greek and Hungarian languages.

The update will be performed automatically; however, a system reboot will be required.

10.04 Dr.Web for Android on Challenge Tablet in Japan

April 10, 2013

Russian anti-virus company Doctor Web is pleased to announce that starting April 1, 2013, Dr.Web for Android comes pre-installed on Challenge Tablet devices in Japan. The manufacturer of these devices, Benesse Corporation, has acquired a comprehensive OEM license for Dr.Web for Android.

Under their partnership programme, Doctor Web and Benesse Corporation agreed that Dr.Web for Android will be made available pre-installed on the sought-after Challenge Tablet devices.

Beginning this month, which coincided with the start of Japan’s new academic year, secondary school students have been using these tablets for a distance-learning programme run by Benesse Corporation.

Today, Dr.Web for Android is popular among users not only in Russia but also far beyond its borders – in the Ukraine, Kazakhstan, Taiwan, Saudi Arabia, Japan and the USA. In all these countries installations of Dr.Web for Android number in the hundreds of thousands. The total number of Dr.Web for Android users so far is around 20 million.

Dr.Web for Android is already pre-installed on some mobile devices in Russia. Doctor Web’s partnership programme with Seiko Instruments Inc., which got under way in February, marked the OEM product’s début on a major international market. Customers who purchase Dayfiler electronic dictionaries automatically have Dr.Web for Android Light at their disposal.

About Challenge Tablet

Challenge Tablet devices have been specifically designed by Benesse Corporation for secondary school students who use them for the company’s distance-learning courses. These tablets can be used along with conventional textbooks. Models differ in screen size, settings, and the availability of a folding stand. With Dr.Web for Android pre-installed on the tablets, students can safely use them. Content can be filtered and usage time can be restricted.

chu.benesse.co.jp/tablet

Benesse Corporation

The diversified company provides products and services that educate children, inform parents, and care for the elderly. The company's education division, which accounts for nearly 60% of sales, provides correspondence courses, exam prep services, and classroom education to Japanese children from infancy through high school. Through Benesse Style Care the company operates nursing homes throughout Japan, as well as senior day care and temporary health care staffing services. Benesse Corporation also publishes magazines aimed primarily at women. Its Berlitz International subsidiary provides language training throughout the world.

chu.benesse.co.jp

© Doctor Web
2003 — 2013
Doctor Web is the Russian developer of Dr.Web anti-virus software. We have been developing our products since 1992. The company is a key player on the Russian market for software that meets the fundamental need of any business — information security. Doctor Web is one of the few anti-virus vendors in the world to have its own technologies to detect and cure malware. Our anti-virus protection system allows the information systems of our customers to be protected from any threats, even those still unknown. Doctor Web was the first company to offer an anti-virus as a service and, to this day, is still the undisputed Russian market leader in Internet security services for service providers. Doctor Web has received state certificates and awards; our satisfied customers spanning the globe are clear evidence of the high quality of the products created by our talented Russian programmers.

