News of Doctor Web
September 29, 2014
Now administrators can control network end-point security from an iPad as well as from an iPhone.
The Pull To Refresh feature was added to the main application window, allowing information on the screen of the device to be updated quickly. The object action menu has also been updated. The dialogue box displaying repository update progress has been redesigned. Now messages sent to protected hosts can include links.
In addition, the following defects in the have been corrected: the fault causing the application to terminate abnormally when a host was being selected on the search page, and the error that occurred when lists were being displayed in the stations, groups, notifications and quarantine sections under iOS 8.
The updated is available free of charge via the App Store.
September 26, 2014
Today Dr.Web for Android Light is trusted by users in many countries around the world. And that is for a reason: this anti-virus application not only scans file systems and detects threats that have not yet been registered in the Dr.Web virus database, but also has a minimal impact on OS performance, battery life, and the amount of traffic used. The anti-virus is constantly being upgraded and enhanced with new features and is becoming even more user-friendly. For example, Dr.Web for Android Light has recently been equipped with a feature that enables users to unlock devices compromised by locker ransomware. Now users can get rid of this threat even if the screen is completely locked! Currently unavailable in any other anti-virus, this feature has naturally boosted the number of Google Play downloads which now number over 50 million.
Doctor Web says 50,000,000 thank yous to the users who have chosen Dr.Web for Android Light! Your trust is the best proof that our product is moving in the right direction and will provide protection for an even greater number of handhelds in the future. Download Dr.Web for Android Light — one small step for man, one giant leap for Android users!
Doctor Web also wishes to remind everyone that an anti-virus alone is not enough to provide maximum protection for an Android-powered device: components such as anti-spam, anti-theft, firewall, Security Auditor and Cloud Checker are absent in the Light version and are only available in the enhanced version of the product, namely, Dr.Web for Android. You can try it free for 14 days!
September 25, 2014
In particular, additional cache and server-agent connection parameters can now be specified during installation.
Also, the update resolves an issue involving mobile devices and Novell Netware clients being unable to connect to the Dr.Web server via the proxy-server.
In addition, an extra Dr.Web Server distribution, which incorporates installers for all corporate Dr.Web solutions under all supported operating systems, is now available. The extra package is installed as an addition to the already deployed Dr.Web server.
The updated Dr.Web Enterprise Proxy can be downloaded from Doctor Web's site.
September 24, 2014
Discovered in May, the extortionist Android.Locker.2.origin poses extreme danger to user data. On an infected mobile device, the extortionist searches the available memory cards for files with the following extensions: .jpeg, .jpg, .png, .bmp, .gif, .pdf, .doc, .docx, .txt, .avi, .mkv, and .3gp. It encrypts the files and adds the extension .enc to the filenames. Then the mobile device's screen is locked, and a message is displayed that accuses the user of distributing adult content and demands a ransom to unlock the device. To enhance the effect, the extortionist can also add a photo of the user, made with the handheld's front camera, to the ransom demand message.
After thoroughly examining the ransomware, Doctor Web designed a special utility that will most likely decrypt files corrupted by the malicious application, making it unnecessary for users to pay a ransom.
The utility scans the available SD card for encrypted files and attempts to restore one of them as a test. If successful, the program starts restoring all the corrupted files it has found. Backups of all the corrupted files are placed in the directory DrWebTemp before the utility attempts to decrypt them. All the recovered files are restored to their original location and the extension .enc is removed from their filenames. To avoid permanent data loss after the utility finishes its work, the directory DrWebTemp, which contains copies of the encrypted files, is not removed.
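The recovery procedure described above (trial-decrypt one file, keep untouched copies in DrWebTemp, restore to the original location and strip the .enc extension), as an added Python example that is not Doctor Web's utility and not code from the original page. The page does not describe the ransomware's cipher, so a repeating-key XOR stands in for it here (an assumption, marked in the code); the sample files, the magic-number table used to judge whether a trial decryption succeeded, and the DrWebTemp layout that mirrors the original relative paths are all constructed for this example.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# Well-known signature bytes for the file types the locker targets (constructed
# table). A trial decryption counts as successful only if its output carries
# the signature expected for the original extension.
MAGIC: Dict[str, List[bytes]] = {
    ".jpeg": [b"\xff\xd8\xff"], ".jpg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"], ".bmp": [b"BM"],
    ".gif": [b"GIF87a", b"GIF89a"], ".pdf": [b"%PDF"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"], ".docx": [b"PK\x03\x04"],
    ".avi": [b"RIFF"], ".mkv": [b"\x1a\x45\xdf\xa3"],
}

def looks_valid(ext: str, data: bytes) -> bool:
    """Plausibility check on decrypted content, keyed by the original extension."""
    ext = ext.lower()
    if ext == ".txt":                      # no magic number; accept well-formed UTF-8
        try:
            data.decode("utf-8")
            return True
        except UnicodeDecodeError:
            return False
    if ext == ".3gp":                      # ISO base media: 'ftyp' box type at offset 4
        return data[4:8] == b"ftyp"
    return any(data.startswith(sig) for sig in MAGIC.get(ext, []))

def xor_cipher(key: bytes) -> Callable[[bytes], bytes]:
    """ASSUMPTION: stand-in for the ransomware's undocumented cipher. Repeating-key
    XOR is symmetric, so one callable both encrypts and decrypts."""
    return lambda data: bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def restore_one(root: Path, enc_path: Path, decrypt: Callable[[bytes], bytes],
                backup_dir: Path) -> bool:
    """Back up the .enc file first, decrypt, validate, and only then write the
    original name and drop the .enc copy. Returns False, touching nothing else,
    when the decrypted bytes do not look like the expected file type."""
    backup = backup_dir / enc_path.relative_to(root)   # keep the relative layout
    backup.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(enc_path, backup)
    plain = decrypt(enc_path.read_bytes())
    original = enc_path.with_suffix("")    # strip only the trailing .enc
    if not looks_valid(original.suffix, plain):
        return False
    original.write_bytes(plain)
    enc_path.unlink()
    return True

def restore_all(root: str, decrypt: Callable[[bytes], bytes],
                backup_dir_name: str = "DrWebTemp") -> Dict[str, int]:
    """Trial-restore a single file; if that fails, stop before touching the rest."""
    root_path = Path(root)
    backup_dir = root_path / backup_dir_name
    targets = sorted(p for p in root_path.rglob("*.enc") if backup_dir not in p.parents)
    summary = {"found": len(targets), "restored": 0, "failed": 0}
    if not targets:
        return summary
    if not restore_one(root_path, targets[0], decrypt, backup_dir):
        summary["failed"] = 1
        return summary
    summary["restored"] = 1
    for enc in targets[1:]:
        summary["restored" if restore_one(root_path, enc, decrypt, backup_dir) else "failed"] += 1
    return summary

# Constructed sample files standing in for a victim's SD card contents.
SAMPLE_FILES = {
    "doc.pdf": b"%PDF-1.4\n1 0 obj << >> endobj\n",
    "note.txt": b"shopping list: milk, bread\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(range(64)),
    "sub/clip.3gp": b"\x00\x00\x00\x18ftyp3gp4\x00\x00\x00\x00" + bytes(32),
}

def build_sample(root: str, encrypt: Callable[[bytes], bytes]) -> None:
    """Lay files out the way the locker leaves them: encrypted, with .enc appended."""
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / (rel + ".enc")
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(encrypt(content))

def run_demo() -> Dict[str, object]:
    """Run the workflow once with the right key and once with a wrong key."""
    key = b"constructed-demo-key"
    good_root = tempfile.mkdtemp()
    build_sample(good_root, xor_cipher(key))
    good = restore_all(good_root, xor_cipher(key))
    contents_match = all((Path(good_root) / rel).read_bytes() == data
                         for rel, data in SAMPLE_FILES.items())
    backups_kept = sum(1 for _ in (Path(good_root) / "DrWebTemp").rglob("*.enc"))
    bad_root = tempfile.mkdtemp()
    build_sample(bad_root, xor_cipher(key))
    bad = restore_all(bad_root, xor_cipher(b"wrong-key"))   # trial fails on the first file
    enc_left = sum(1 for _ in Path(bad_root).rglob("*.enc"))
    return {"good": good, "contents_match": contents_match, "backups_kept": backups_kept,
            "bad": bad, "enc_left_after_failed_trial": enc_left}

if __name__ == "__main__":
    print(run_demo())
```

The point of the trial run is the failure mode: when the wrong key (or a different ransomware variant) is in play, the first file fails validation and the loop never starts, so every .enc file is left intact and the one attempted file still has its untouched copy under DrWebTemp.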
If your handheld has been compromised by Android.Locker.2.origin, follow these steps:
- Do not try to restore the encrypted data on your own;
- Contact Doctor Web's technical support. When filing a request, select ‘Cure request’ (this service is available free of charge);
- Attach a file encrypted by the ransomware to your request;
- Wait for a response from a virus analyst.
Please note that the decryption service is only available to users who have purchased commercial licenses for Doctor Web anti-viruses. To get the utility, you have to be an owner of a commercial Dr.Web for Android, Dr.Web Security Space or Dr.Web Anti-virus license which includes technical support.
To ensure that your mobile device is continually protected from Android.Locker.2.origin and other Android threats, purchase Dr.Web for Android with advanced security features.
September 22, 2014
- An issue involving the delegation of permissions to access the hidden shared directory containing the agent installer and public encryption key.
- A configuration file conversion issue which occurred whenever the Dr.Web Enterprise Security Suite server version 6 was being updated.
- An agent connection issue that arose if the option “Replace IP-addresses” was enabled on the server.
- Server multi-cast initialisation defects that could prevent agents from connecting to the server.
- An issue causing the incorrect group to be displayed in the Dr.Web Mobile Control Center.
- A defect occurring whenever the list of languages available in the agent for Windows was changed in the general repository configuration.
The update also provides error-free interaction between the Dr.Web server and proxy server via HTTPS.
In addition, issues preventing users from accessing documentation via the Dr.Web Control Center and a number of minor defects have been resolved.
The update can be downloaded using the Dr.Web Control Center. The updated Dr.Web Enterprise Security Suite server is also available for download from Doctor Web's site.
September 16, 2014
SpIDer Agent for Windows now notifies users when the virus databases on computers running Windows Vista and later are out of date. Previously, the virus database status was only displayed in the Windows support centre. The update also resolves an issue that could result in false alerts being issued about the failure to launch certain Dr.Web components after Windows startup.
A Dr.Web updater defect that could interfere with the removal of Dr.Web has also been corrected.
The launching of SpIDer Agent for Windows during installation has been disabled to avoid an early system restart prompt.
The update also delivers monitor tweaks to Help in French and German.
The update will be performed automatically; however, a system reboot will be required.
September 11, 2014
Owned and maintained by Valve, Steam enables users to download and update their games via the Internet and keep up with news from the video gaming world. In addition to games developed by Valve, Steam also distributes applications produced by other companies. Many games available on Steam allow players to use various virtual items that change the appearance of their characters or provide them with certain advantages. Some of these items can be sold and purchased for real money via a specific Steam-powered service.
At the end of August 2014, messages from Steam users about missing valuable game assets began to emerge on various gaming forums. The Trojan that appears in the Dr.Web database under the name Trojan.SteamBurglar.1 is the culprit behind this virtual theft. Criminals spread the malware via the Steam chat and forums where they prompt users to view screenshots of weapons or other items supposedly available for purchase. Here is an example of such a message: "Hello. I like your weapon. Can you swap for my knife + weapon? (Look screenshot my knife + weapon)". The promised images were indeed displayed to the user of the targeted computer. Meanwhile, Trojan.SteamBurglar.1 searched the machine's memory for the process steam.exe to extract information about game items. The malware used such key words as ‘rare’, ‘immortal’ and ‘legendary’ to determine which items were the most valuable and stole them so that they could be resold. The stolen artifacts were transferred to a Steam account used by the criminals:
Trojan.SteamBurglar.1 signatures have been added to the virus database, so the Trojan poses no threat to Steam users whose computers are protected by Doctor Web anti-viruses. However, players wishing to sell or buy any game object are recommended to exercise caution when receiving transaction offers from unknown senders — even if it is only about buying an enchanted sword for a few real dollars.
September 11, 2014
When reinstalling the anti-virus, users can now clearly define the security settings and retain the previous configuration, if desired.
Furthermore, when being installed on a machine running CAS MS Exchange 2013 SP1, Dr.Web will notify the user that only the anti-spam agent will be installed.
In addition, Dr.Web can no longer be installed on machines running Windows Server 2003 (x64) as it is no longer supported.
The update also delivers French language support for the web-console and help.
The following issues have been resolved:
- Transport agent installation issues related to particular MS Exchange server roles (Edge Transport Server MS Exchange 2013 SP1, Client Access Server MS Exchange 2013 SP1, and the Edge Transport Server MS Exchange 2010);
- A defect involving the reinstallation of Dr.Web when saved settings and a new administrator login and password are used;
- A defect causing the incorrect plugin size to be displayed on the “Add and remove program” list.
To use the updated version of Dr.Web for MS Exchange, users will need to install the updated version over the existing installation. After reinstalling the product, a server reboot will also be necessary.
More update information can be found in the Release notes.
September 10, 2014
When registering a Dr.Web license, it is very important for customers to provide a personal email address to which only they have access. The email containing the key file, as well as service messages regarding the status of the license, are sent to this address.
If your license is still valid, but for some reason you can no longer use the email address you specified during registration, use the new Doctor Web service to link your license to another email address.
To change your registration email, you must verify that you are the license’s lawful owner and provide your previously registered email address and the Dr.Web serial number for which you want to change the address. A link to confirm the change of registered address will be sent to the new email address. A message about the change of email request will also be sent to the previously registered address.
After linking, you will be able to receive service messages using the new address; however, to access site sections and services that are only for the rightful owners of Dr.Web licenses, you will still have to specify the previous registration email.
September 10, 2014
Dubbed by Dr.Web as Android.Locker.38.origin, the new malicious locker represents a growing family of ransomware that locks handhelds and demands a ransom to unlock them. This Android extortionist is spread in the guise of a system update. When launched, it requests access to the device's administrative features. After that the Trojan mimics update installation, removes its icon from the home screen, reports back to a remote server that the infection has been successful and awaits further instructions.
The command to lock the targeted device can be given via a JSON request from a web server as well as via an SMS message containing the directive set_lock. Similarly to other ransomware of the Android.Locker family, Android.Locker.38.origin locks the device's screen and shows a ransom demand that can't be closed.
However, if the affected user still tries to delete the extortionist by depriving it of administrator privileges, Android.Locker.38.origin engages an additional lock. This ability distinguishes it from other similar threats for Android.
First, the Trojan switches an infected device into standby mode by using the standard phone feature to lock the screen. Once the lock screen is turned off, the malicious program displays a fake warning that all the data stored in the device's memory has been removed.
Once a selected action is confirmed, the ransomware brings up the lock screen again and activates a feature that requires the user to enter a password to toggle off the standby mode. Even if the feature hasn’t been used before, the malicious locker sets its own password: "12345". Thus, the infected smart phone or tablet is locked until the criminals involved get their ransom (the lock can be removed with the set_unlock command) or the user resets all the device's settings to default.
In addition to locking handhelds, Android.Locker.38.origin can also act as an SMS bot and send various messages when commanded to do so by criminals. This can result in additional financial losses for the user.
Devices running Dr.Web Anti-virus for Android are well protected from this malicious program.
September 4, 2014
Other product innovations:
- Automatic detection of incompatible software;
- Optimized consumption of system resources when scanning objects;
- The addition of Korean, Turkish, Czech and Portuguese to the product's list of supported languages.
Protecting Macs remains an urgent task. Threats for Mac OS X are no longer a myth, and they are hitting Apple computer users often and painfully. In 2012, Backdoor.Flashback.39 was used by intruders to create the largest botnet in history; at that time it included more than 800,000 infected Macs. This botnet is still operating today: currently, it is comprised of 13,000 hosts. Backdoor.Flashback.39 can download from the Internet and run any other executable file on an infected machine. In February 2014, an entry for the program Trojan.CoinThief was added to the Dr.Web virus databases. This malware is designed to steal Bitcoin and Litecoin electronic currency on machines running Mac OS X. Users also complain about the annoying ads they periodically observe on web pages loaded in popular browsers.
To upgrade to version 10.0, users will need to download a new distribution.
Please remember that users who purchase the product can enjoy free use of Dr.Web for Android, Symbian OS, and Windows Mobile.
September 2, 2014
The unlock algorithm has been changed: the user should start charging the device, and then after five seconds, unplug the power cord and shake the device vigorously.
In addition, known defects have been corrected.
The update will be downloaded and installed automatically. If automatic updates are disabled on the device, go to Google Play; choose Dr.Web Anti-virus, Dr.Web Anti-Virus Life license or Dr.Web for Android Light on the application list; and click "Update".
To perform an update via Doctor Web's site, download the updated distribution. If the option “New application version” is enabled, a new version notification will be displayed when the virus databases are being updated. You can start the download directly from this dialogue box.
September 1, 2014
Statistics collected by Dr.Web CureIt! indicate that browser adware still leads in the rankings of the most frequently detected programs. As before, Trojan.BPlug.123, Trojan.BPlug.100, Trojan.BPlug.48, and the adware installer Trojan.Packed.24524 took the top spots.
The August list of detected threats, which was generated using information from the Dr.Web statistics server, differs little from the July list. As before, Trojan.Packed.24524, which installs unwanted programs in infected systems, ranked first. It accounted for almost 0.59% of all detections, against 0.56% in July. Trojan.InstallMonster programs, which install unwanted applications under the InstallMonster referral programme, and various Trojan.MulDrop Trojans are also among the leaders.
As in July, Trojan.Redirect.197, which redirects users to malicious sites, was most frequently detected in email traffic. The malicious downloader BackDoor.Tishop.122, which is distributed with spam messages, has moved into second position. It accounted for 1.6% of all incidents, compared with 1.15% in July. Various versions of Trojan.DownLoad programs and the dangerous banking malware Trojan.PWS.Panda were also actively distributed via email.
The size and behaviour of the botnets monitored by Doctor Web's security researchers also remained largely unchanged in August. On average, one of the two active Win.Rmnet.12 subnets made roughly 270,000 requests a day to its control server, which is slightly higher than the July figure. The botnet created using the file infector Win32.Sector was still connecting 65,000-67,000 active bots every day. In contrast, the size of the botnet consisting of machines running Mac OS X and infected with BackDoor.Flashback.39 is gradually decreasing: in late August, it included about 13,000 infected machines, which is 1,000 fewer than the July figure.
Trojans showing annoying ads in pop-up windows or embedded in loaded web pages have recently been found in extremely large numbers. In terms of their prevalence, they are on par with encoders, which encrypt user data stored in compromised systems. For several months running, advertising Trojans have been the absolute leaders in the statistics on threats detected by Dr.Web.
Trojans of this kind are usually spread by means of referral programmes which focus on generating income from file downloads. Advertising Trojans can be secretly installed along with other software. They often look like useful applications, but their developers add a malicious payload to the original legitimate features. Neither are criminals averse to using cyber fraud to spread this malware. For example, they create bogus file-sharing and torrent sites and lure their victims to those sites from fake forums and Q&A sites that have been optimised for specific search terms.
These malicious programs can be divided into two groups. The first includes representatives of the Trojan.BPlug family and also Trojan.Admess, Trojan.Triosir and Trojan.Zadved which are implemented as extensions to popular browsers and replace website advertisements or display pop-up banners. In such cases, users often do not even know that their machines have been infected.
This malware doesn’t just target Windows. Even Mac OS X machines have been impacted by specially designed and distributed Trojans from the
In addition to displaying annoying ads, the program can modify social networking profile pages by publishing obscene photos and text and prompt the user to sign up for a paid subscription whenever they try to change their profile information. Trojan.Mayachok.18831 also has a range of other dangerous features which are described in detail in the corresponding Doctor Web review.
To avoid becoming an accidental victim of advertising Trojans, observe basic safety rules: do not download or install software from suspicious sources; do not run executable files distributed as email attachments; and, of course, always use up-to-date anti-virus software.
Threats of August
August witnessed numerous information security events involving the distribution of malware. For example, at the beginning of the month several users requested assistance from Doctor Web's support engineers to cope with another encryption Trojan. This incident would not have been out of the ordinary except for the fact that in all the cases, the encrypted files resided on Synology NAS devices. Trojan.Encoder.737 was the culprit behind the incident. It exploited a firmware vulnerability affecting DSM (DSM 4.3-3810 and earlier). More information about this event can be found in informational material published on Doctor Web's site.
Also in early August, security researchers discovered a clicker program designed to generate website traffic and fake banner clicks. The Trojan has been spreading under the Installmonster referral programme which specialises in distributing malware through gullible users. A description of this threat can be found in a Doctor Web review.
Chinese virus makers weren’t idle either; they made their mark in early summer by releasing an enormous quantity of Linux malware programs designed to mount DDoS attacks. By summer's end, these virus makers came up with ports of their malicious creations so that they could run them under Windows. Read more about this incident on Doctor Web's site.
The events of August
Many U.S. handhelds were compromised by Android.Locker.29.origin, a program that can lock devices and demand ransom to unlock them. According to information in the public domain, around 900,000 Android-powered devices were infected with this malware in August. The Trojan masquerades as anti-virus software and other legitimate applications. Originally Android.Locker.29.origin infected devices in Europe. However, recently virus makers designed a U.S. version. This is probably what caused the sharp increase in the number of infected smartphones.
In addition, a surge in infections of Android devices is expected because the source code for Android.Dendroid.1.origin, a Trojan that steals confidential information and can make calls and open web pages without user knowledge or consent, was made available to the public in mid-August.
A spam mailing exploiting public interest in the Eastern Ukraine conflict was launched at the end of August. The spam contains download links for a program that is supposedly designed to mount DDoS attacks on Ukrainian government sites. In reality, the recipients of this spam download the malicious application BackDoor.Slym.3781 which then connects their infected computers to the Kelihos botnet and can control traffic and steal confidential information. The C&C servers communicating with the infected machines are located in Ukraine, Poland and the Republic of Moldova.
Threats to Android
As in previous months, in August cybercriminals again tried to infect mobile devices with various malicious applications, and the Dr.Web virus database expanded to include entries for a number of new Android Trojan horses.
For example, Chinese users had to deal with Android.SmsSend.1404.origin, which was designed to steal confidential information and install other malware onto mobile devices. This Trojan can also send short messages containing its download links. The malicious program it installs onto infected devices, which was added to the database under the name Android.SmsBot.146.origin, can execute commands issued by criminals and send and intercept SMS messages.
August also had its share of ransomware that locks Android devices. Android.Locker.27.origin was one such program, but unlike many other species of this kind, it enabled users to unlock their devices completely for free. All they had to do was enter a 14-digit payment code that did not contain certain combinations of digits. If the requirements were met, the Trojan would unlock the device and remove itself. You can learn more about this Trojan in the relevant review on Doctor Web's site.
South Korean users also came under fire again. In August Doctor Web's security researchers registered over 100 spam campaigns aimed at spreading Android malware by means of SMS. Handhelds in South Korea were most endangered by Android.Banker.28.origin, Android.SmsBot.121.origin, Android.SmsSpy.78.origin and Android.MulDrop.14.origin.
Apart from actively using SMS, cybercriminals are also using other means to mass distribute malware. In the past month, information security experts learnt about a massive spam mailing containing a download link for the dangerous mobile backdoor Android.Backdoor.96.origin, which is distributed under the guise of anti-virus software and capable of performing a variety of malicious tasks on infected devices. In particular, it could steal confidential information including SMS messages, call and browser history, contact information and GPS data. It could also display various messages, send USSD queries, activate device microphones, and record phone calls into audio files for subsequent uploading, along with other acquired information, to a remote server.