News of Doctor Web
October 29, 2014
The Dr.Web for Mac OS X 10.0.2 update resolves the following:
- Issues that might arise when activating a trial license;
- A defect resulting in slow data exchange with the Time Capsule;
- An error whereby files restored from the quarantine were instantly detected again.
Also, running processes are now scanned as soon as the SpIDer Guard file monitor is toggled on.
The Dr.Web icon on the status bar is now displayed correctly regardless of the background.
To update Dr.Web for Mac OS X to version 10.0.2, download the package from the website and install the application on top of the previously installed version or after its removal.
October 28, 2014
We invite you to visit our special webpage where we not only discuss Dr.Web 10.0 for Windows but also show you exactly what it looks like.
October 28, 2014
It can steal game assets from Dota 2, Counter-Strike: Global Offensive, and Team Fortress 2 gamers. Also, it logs key strokes and transmits the information to criminals. It can be assumed that, like its predecessor, Trojan.SteamLogger.1 is spread via forums or Steam live chat in offers to sell, buy or exchange game items.
The malicious program consists of three modules, the first of which is a dropper that decrypts and extracts from its body the main and service modules. The service module is stored in a temporary folder as Update.exe and launched, and the main module is loaded into the infected system's memory by means of a system routine. Then the service module downloads an image from the attackers' site, saves it into the temporary folder and immediately displays it on the screen.
The service module checks whether the subdirectory Common Files\Steam\ is located in Program Files, and if it is not present, the module creates it. After that, the module copies itself to the folder under the name SteamService.exe, sets the attributes for the executable as “system” and “hidden”, and then adds a registry entry so that SteamService.exe will be launched automatically, and starts the file. Then the service module sends a query to the attackers' site, and if the instruction “OK” is not returned, it attempts to establish a connection to the command and control server via any of the proxy servers on its hardcoded list. Trojan.SteamLogger.1 transmits information about the infected computer to the remote server. The data includes the operating system version and platform, as well as the machine's unique identifier, generated using the serial number of the hard disk that contains the C partition. In addition, Trojan.SteamLogger.1 can receive an instruction to update its service module.
Once the main Trojan.SteamLogger.1 module is started and initialised, it searches the infected system's memory for a Steam process and verifies whether the user has logged in on the Steam server under their account. If not, the malicious program waits for the server to authorise a player and then extracts information about their Steam account (the availability of SteamGuard, steam-id, security token). The program then transmits the data to the criminals. In response, Trojan.SteamLogger.1 gets a list of accounts to which game items from the compromised account can be transferred. All the collected data is sent to the criminals' server, after which the Trojan checks whether automatic authorisation is enabled in the Steam settings. If the feature is disabled, the malware creates a separate thread to run the keylogger. Information about logged key strokes is sent to the attackers at 15-second intervals.
To search for the inventory and valuable in-game items, Trojan.SteamLogger.1 uses such keywords as Mythical, Legendary, Arcana, Immortal, DOTA_WearableType_Treasure_Key, Container, and Supply Crate. That is, the Trojan attempts to steal the most valuable in-game items, chests and chest keys. Trojan.SteamLogger.1 also monitors whether players attempt to sell any of the virtual items themselves, and if they do, it automatically removes the items from the sale dialogue box.
Trojan.SteamLogger.1 primarily targets Dota 2, Counter-Strike: Global Offensive, and Team Fortress 2. However, it can easily be tweaked to steal assets of other games. All the stolen virtual items are transferred to cybercriminals' accounts—as instructed by the command and control server. Then criminals use their specially designed e-store to sell the cheapest portion of their stolen loot, namely Dota 2 chest keys. It is not quite clear how the criminals convert other items into money.
The Trojan.SteamLogger.1 signature has been added to the Dr.Web virus databases, so machines running anti-virus software from Doctor Web, Ltd., are well protected from this threat.
October 27, 2014
The malware for Android that entered the Dr.Web virus database as Android.Dialer.7.origin is a conventional malicious dialler, making calls to premium numbers. Spread in the guise of an application for adults, it places its shortcut, without an icon or any captions, on the home screen, which can make users believe that the installation has failed. In some cases after its launch, Android.Dialer.7.origin can display an error message about the unavailability of the requested service, after which it hides its tracks in the infected system by deleting the shortcut and operates in the guise of a system service. The service can be launched using the shortcut, but alternatively the dialler can activate it automatically after a system restart, so it does not require user intervention to start its malicious activities.
The service started by Android.Dialer.7.origin periodically calls the number 803402470 which is stored in the dialler’s settings. However, if necessary, intruders can change the target phone number by issuing a corresponding command from the command and control server. This makes Android.Dialer.7.origin more flexible and enables criminals to profit from several chargeable services simultaneously.
To reduce the likelihood that users will detect its unwanted activities, the dialler disables the earpiece of the mobile device during unsolicited phone calls and removes all traces of its activities. It also clears the system log and call list of all incriminating information.
However, the main distinguishing feature of this dialler is its ability to resist user attempts to remove it from an infected mobile device: whenever victims attempt to open the system settings section responsible for managing applications, Android.Dialer.7.origin redirects them to the home screen. In effect, manual removal of the malware becomes impossible.
Dr.Web anti-viruses detect and remove the dialler from protected mobile devices, so handhelds running Dr.Web for Android and Dr.Web for Android Light are well protected against this threat. If you are having trouble deleting Android.Dialer.7.origin, use the built-in emergency unlock feature and then repeat the scan and cure steps.
October 22, 2014
The update resolves an issue involving validation of digital signatures for OS processes. The issue emerged after recent Windows 7 updates.
The update will be performed automatically; however, a system reboot will be required.
October 15, 2014
Flaws resulting in the possible abnormal termination of both products have been corrected.
To decrease false positives, Dr.Web for Android Light has had its unlocking routine for ransomware-compromised phones redesigned. Now to unlock a device, connect and immediately disconnect it from the plugged-in charger; then connect and instantly disconnect the headphones; and then shake the device vigorously.
The update also provides Persian language support for Dr.Web for Android Light.
The update will be downloaded and installed automatically. If automatic updates are disabled on the device, go to Google Play; choose Dr.Web Anti-virus, Dr.Web Anti-Virus Life license or Dr.Web for Android Light on the application list; and click “Update”.
To perform an update via Doctor Web's site, download the updated distribution. If the option “New application version” is enabled, a new version notification will be displayed whenever the virus databases have been updated. You can start the download directly from this dialogue box.
October 14, 2014
In addition, the update resolves an issue involving the HTTP monitor SpIDer Gate™ option to block threats by type.
To update Dr.Web for Mac OS X to version 10.0.1, download the package from the website and install the application on top of the previously installed version or after its removal.
October 8, 2014
The update resolves the following issues:
- Dr.Web Updater’s possible abnormal termination when processing license key files.
- A Dr.Web for Windows and Dr.Web Enterprise Security Suite agent issue that could prevent users from renewing expired licenses.
- A Dr.Web Enterprise Suite Hardware Browser Helper issue involving the collection of system hardware information.
Dr.Web Security Space, Dr.Web Anti-virus, and Dr.Web Desktop Security Suite will be updated automatically. However, a system restart will be required.
Dr.Web for MS Exchange will be updated automatically.
October 7, 2014
- An issue that could occur when Dr.Web server logs were being viewed in a browser.
- An error that led to the forced installation of the SpIDer Guard file monitor on server OS editions during remote installation.
- Errors occurring while the Licence Manager was processing key files for distribution among other Dr.Web servers.
- An error involving uninstalled agents being restored simultaneously on multiple PCs.
- Information on the page Anti-virus network→Statistics→Start/Stop is now filtered by component stop and start date.
- An operation logic error affecting permissions that allow the system administrator to edit licensing policy has also been resolved.
A defect has been corrected that involved an incorrect error message being displayed when a remote agent installation was being initiated on a machine on which an installation was already in progress.
Also fixed was an error that occurred when host status information was being retrieved and an Oracle DBMS was being used to manage data storage.
Now email notification headers can be customised.
Station group filtering has been redesigned for better readability.
The updated product is available through the where it will appear as an update dated 09.25.2014.
October 6, 2014
Modern multiplayer games cast players into virtual worlds that are complete with their own traditions, history, and culture. They even have their own economic models that enable players to buy and sell objects and even characters that have been upgraded to a certain level. Developed and maintained by Blizzard Entertainment, World of Warcraft is among the most popular games of this kind. It should be noted that the sale of characters is expressly prohibited by the rules of most multiplayer games, whose administration makes considerable efforts to stop it. So, in an effort to put an end to account trading, upon releasing a World of Warcraft update, the game’s creators offered players the option to pay to boost their characters to level 90, but this security measure did not yield the expected result. When acquiring an account on the game server, a buyer wants to get not just the character with the maximum number of different "skills" and experience points, but also game items such as armour and mounts (sometimes quite rare ones), as well as the set of skills and professions that are available for this character. The more assets are available, the greater the account price will be. In some cases, it can exceed USD 500.
The main element of risk one encounters when purchasing a character lies in the fact that most game servers (including those supported by Blizzard) associate user accounts with an email address and, sometimes, phone numbers. If an account gets blocked, the server administration may ask the user to provide their ID. That's why an account offered for sale by fraudsters can be returned to them as soon as the first support request is made. If the administration discovers that the account has been sold in violation of the rules, it will be blocked. In any case, the money will remain with the intruders, and the problems will be left to their victims.
Among other things, a potential buyer has a good chance of ending up with a stolen account that was hijacked earlier from another user. Criminals seldom steal accounts for the purpose of playing a game. More often than not, they do it for profit. Simply selling the stolen account is the most primitive way to make money. However, the shadow business involving virtual universes provides other quite real opportunities: for example, scammers can transfer all their “loot” to another account (for the purpose of engaging in further selling). The new owners of a stolen account can exploit the trust of their gaming guild compatriots by borrowing some virtual coins or robbing the guild bank. Also, criminals can use chat to distribute phishing URLs, e.g., they can publish a fake announcement about a promo on offer from the game developer that requires participants to sign in with their game login and password on a third-party website or offer them malware in the guise of a program that will help them to enhance their characters' attributes.
That's why experienced gamers recommend that new joiners take some precautions when purchasing an account. For example, in addition to requesting from the seller the password and the answer to the security question, they should also request full access to the mailbox associated with the account as well as scanned copies of the current owner's ID and the photo of the owner holding the ID in their hand—so that these can be presented to support specialists for verification. However, in reality even these steps may not help. To validate the account owner's identity, the technical support personnel can request that the photo include a recent issue of a newspaper or a magazine to prove that it was taken recently. As a result, account access will be granted to the person who will be able to provide such a photo; or if it is proven that a sale has taken place, the account will end up being blocked for good. Gamers should also remember that an agreement, whose terms they accept in order to use most game servers, usually includes the administration's disclaimer and a clause that entitles it to block any account without explanation—this often comes as a surprise to many players who get into trouble but have never actually read the License Agreement. That's why users playing popular online games should exercise caution whenever they get involved in online transactions and should try to follow the rules set by the administration, particularly the rule that prohibits the selling of accounts.
October 3, 2014
This new Android threat is being distributed among Hong Kong protesters demanding more democratic elections. The malware has gotten onto the protesters' devices in the guise of a program that coordinates their protest activities, so most of them wouldn't suspect it to be malware.
After its launch, Android.SpyHK.1.origin establishes a connection with a command and control server, to which it uploads a large amount of information about the infected device (for example, the operating system version, phone number, the IMEI, and hardware specifications) and stands by for further instructions from the intruders. The Trojan is heavily loaded with various features and, depending on which directive it receives, it can perform the following tasks:
- Read the contents of a specified directory (names, size, and last modified dates for files and folders in the directory).
- Acquire the device's GPS coordinates.
- Add an entry to the log file.
- Output a message with a specified text on the screen.
- Call a specified number.
- Gather information about the device.
- Execute a specified shell-script.
- Get an extended contact list (including names, phone numbers and email addresses).
- Gain access to the SMS correspondence.
- Get the call history.
- Add specific phone numbers to the list of individuals being eavesdropped on.
- Obtain the current list of individuals being eavesdropped on.
- Download a file from a designated web address.
- Delete a specified file from the device.
- Upload a specified file to the command and control server.
- Activate the voice recorder after a specified time interval.
- Activate voice recording and simultaneously stream the recording onto the server's socket.
- Stop voice recording.
- Upload the mail database of the default mail client onto the server.
- Acquire browsing history.
- Send information about files and directories found on the SD card to the command and control server.
- Execute multiple commands to gather sensitive information and send it to the server.
Android.SpyHK.1.origin has certain features that distinguish it from other Trojan spies. In particular, to determine the GPS location of an infected Android handheld, the Trojan exploits a known vulnerability of the power control widget and, thus, can bypass the global system settings and activate certain features of the mobile device. Despite the fact that this vulnerability was fixed in 2011, some users have reported on its re-emergence in recent versions of the operating system. Thus, in some cases, Android.SpyHK.1.origin theoretically can activate the GPS receiver of an infected smart phone or tablet, even if the owner has disabled this feature in the settings.
In addition, the capability to stream voice recordings to the server's socket enables the intruders to listen in on phone calls in real time. This feature serves as an alternative to covert phone calls. While the transfer of data over a cellular network can be blocked by law enforcement agencies, Wi-Fi hotspots can still be nearby, so criminals have a chance to acquire the information they need. Moreover, a large portion of the information collected is transmitted directly to the socket on the remote server, and—provided that the latter is powerful enough—the intruders can obtain current information about the situation at the location of the infected Android devices in real time by turning the compromised smart phones and tablets into a powerful surveillance network.
This indicates that the intruders are carrying out a well-planned, targeted attack aimed at acquiring information about the protesters in Hong Kong and about their future actions. Similar programs can be put to use anywhere in the world, so owners of mobile devices should exercise caution and refrain from installing suspicious applications onto their handhelds.
The Trojan's definition has been added to the virus databases, so Android.SpyHK.1.origin poses no threat to devices running Dr.Web for Android and Dr.Web for Android Light.
October 2, 2014
The number of new malicious programs for Android and the rate at which they emerge never cease to amaze information security experts. To a large extent, criminals are interested in these devices because they are extremely popular worldwide, and they offer cybercriminals lucrative opportunities. In particular, criminals are getting increasingly interested in mobile remote banking which must look particularly appetising to them. In September, Doctor Web's security researchers registered the emergence of new banking Trojans designed to gain unauthorised access to user accounts.
Many of the discovered threats targeted smart phones and tablet PCs in South Korea. Traditionally, most Android Trojans in this country are spread with unwanted SMS containing malware download links. In September, Doctor Web registered more than 100 of these spam campaigns. The most common malicious applications distributed by means of short messages included Android.Banker.28.origin (22.64%), Android.BankBot.27.origin (21.70%), Android.SmsSpy.78.origin (14.15%), Android.SmsBot.121.origin (11.32%), Android.MulDrop.21.origin (9.43%) and Android.Banker.32.origin (7.55%).
Users from China came under attack as well. Threats to Android examined by virus analysts in September include a spy Trojan that steals confidential information from devices found in China. Classified by Doctor Web as Android.Spy.130.origin, this program is particularly dangerous because it provides attackers with information about SMS correspondence, the call history and current GPS coordinates, and can also discreetly call a specified number, effectively turning an infected smart phone or tablet into an eavesdropping device.
Ransomware programs that lock Android handhelds and demand a ransom to unlock them are still quite popular, and their number is still growing. Android.Locker.38.origin somewhat stands out from the others, because—in addition to locking the screen and displaying a ransom demand—it is equipped with an extra extortion tool. Similarly to other programs of this kind, it gets onto a device in the guise of a harmless application (e.g., a system update) and, when launched, requests access to the handheld’s administrative features. Next, Android.Locker.38.origin locks it and demands a ransom.
When the user attempts to revoke the permissions granted to the Trojan horse, the malware uses the standard system feature to lock the screen, and once it is unlocked it threatens the owner of the infected Android smartphone or tablet with wiping all the data stored on the device. If the user ignores the threat and revokes the privileges, Android.Locker.38.origin will set a password for switching the mobile device from the standby mode. Consequently, one may have to resort to a factory reset to regain control over the device. For more information about this Android threat, please refer to the corresponding publication.
Android.Elite.1.origin, on the other hand, wasn't designed for profit. However, it posed a severe threat to Android-based devices. Once launched on an infected smart phone or tablet, Android.Elite.1.origin wiped all the data from the memory card and also blocked a number of applications for online chat and SMS correspondence. Furthermore, this malicious program dispatched a large number of short messages to all the contacts found in the phone book, which could serve to rapidly empty the affected user's mobile account. Learn more about Android.Elite.1.origin in our review.
Neither did criminals allow devices running iOS to go unnoticed. In September, the definition for a component of the malicious program IPhoneOS.PWS.Stealer.2, which targets jailbroken iOS devices, was added to the Dr.Web virus database. Discovered in spring 2014, the program steals authentication information including the App Store login and password, allowing criminals to purchase contents at their victims' expense.
October 2, 2014
Statistics collected by means of Dr.Web CureIt! in September indicate that browser plugins that display annoying ads during web-surfing, namely Trojan.BPlug.123 and Trojan.BPlug.100, were the most frequently detected on PCs. Scanning disks with this curing utility also often exposed the presence of the adware installer Trojan.Packed.24524. This data has remained largely unchanged from the previous month.
According to Doctor Web's statistics server, September resembled August in that the adware installer Trojan.Packed.24524 was among the malicious programs most frequently detected. It accounted for 0.66% of the incidents detected on infected PCs. Note that in July, Trojan.Packed.24524 was involved in 0.56% of the incidents, and in August that figure increased to 0.59%. BackDoor.IRC.NgrBot.42, whose first versions were discovered as early as 2011, ranked second in the detection statistics. Advertising Trojans, including Trojan.InstallMonster.953, Trojan.Zadved.4 and the like, also had high detection scores.
As far as mail traffic is concerned, the malicious downloader BackDoor.Tishop.122 has regained its previously lost leading position—the portion of detection incidents connected with this backdoor has increased from 1.15% to 1.54% in the last thirty days. One of its modifications, BackDoor.Tishop.152, ranked second with a share of 1.03%. The third and fourth positions are occupied by Trojans that are designed to steal passwords and other confidential information—namely, Trojan.PWS.Stealer.4118 and Trojan.PWS.Turist.144. Other members of the BackDoor.Tishop family—BackDoor.Tishop.148 and BackDoor.Tishop.144—were also rather frequently spread as email attachments.
No noticeable changes were registered with regard to the activities of the botnets monitored by Doctor Web's security researchers. A subnet of a zombie computer network comprised of machines infected with Win32.Rmnet.12 was still experiencing around 265,000 requests daily to its command and control (C&C) servers, which is almost equal to the August figure. At the same time, the number of bots in the botnet deployed by means of Win32.Sector declined slightly over the past month: an average of 56,000-58,000 active nodes were being registered every 24 hours at the end of September against the average of 65,000 active nodes witnessed in August. Yet there’s been no thinning of the ranks when it comes to the number of Macs compromised by BackDoor.Flashback.39: on average, the number of bots in this botnet stayed at around 14,000 infected hosts. In addition, in September 2014 Doctor Web discovered a new Mac-based botnet created using Mac.BackDoor.iWorm.
Threats to Mac OS X
Although over two years have already passed since Doctor Web security specialists discovered the largest-ever botnet consisting of Macs infected by BackDoor.Flashback.39, the number of malware programs for machines manufactured by Apple has not declined. Moreover, there are indications that such threats are becoming more complex—their payload is increasing, and their makers are adopting state-of-the-art technologies. Apparently, the growing popularity of Mac OS X among users also makes it more popular among intruders. Thus, in the first autumn month of 2014, virus analysts simultaneously added into the Dr.Web virus database multiple entries related to malicious programs targeting machines designed by Apple. These entries included Mac.BackDoor.Ventir.1 and the spy Mac.BackDoor.XSLCmd, which has been ported to Mac OS from Windows. They target machines running versions of Mac OS X released before 2013 (i.e., 10.8 and older). Criminals have posted on Google Analytics links for downloading malicious Java scripts that load Mac.BackDoor.XSLCmd onto targeted machines. In addition to performing common spyware functions, Mac.BackDoor.XSLCmd could log keystrokes on infected Macs, take screenshots and forward them to criminals.
However, Mac.BackDoor.iWorm malware, used by attackers to deploy an active botnet, was of particular interest to security researchers. This backdoor can execute various commands which include detecting the infected Mac's OS version, getting the bot UID, sending a GET-query, downloading a file, opening a socket for an inbound connection, executing instructions received, and executing nested Lua scripts. It is noteworthy that this very sophisticated backdoor uses encryption extensively and acquires a list of control server addresses via the reddit.com search service by specifying the hexadecimal values of the first 8 bytes of the current date MD5 hash value as the search string. The reddit.com search returns a web page containing the list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd.
The bot picks a random server from the first 29 addresses on the list and sends queries to each of them. Search requests to acquire the list are sent to reddit.com in five-minute intervals. More details about this malicious program and its operation can be found in a news post and detailed threat overview.
An analysis of the statistics collected by the Doctor Web security researchers monitoring the botnet indicates that, as of September 30, only 19,888 unique IP addresses associated with infected Macs appeared on the network. The USA accounts for 5,130 of them (25.8%); Britain ranks second with 1,417 (7.1%) addresses; and Canada ranks third with 1,354 IPs (6.8%). The late September 2014 geographical distribution of the botnet created with Mac.BackDoor.iWorm is shown in the following illustration:
Trojan for gamers
In early September, Doctor Web added into its virus databases the definition of the malicious program Trojan.SteamBurglar.1, which is designed to steal game items from Steam users. Owned and maintained by Valve, Steam enables users to download and update their games via the Internet and keep up with news from the video gaming world. Criminals spread Trojan.SteamBurglar.1 via the Steam chat and forums, where they prompt users to view screenshots of weapons or other items supposedly available for purchase. While images of various game items were being displayed on the screen, the Trojan would search the machine's memory for the process steam.exe to extract information about game items. The malware used such keywords as ‘rare’, ‘immortal’ and ‘legendary’ to determine which items were the most valuable and stole them for later resale. The stolen game assets were transferred to a Steam account used by the criminals.
In particular, Trojan.SteamBurglar.1 stole items from a number of Dota 2 fans. Get more details about this threat from the review published by Doctor Web. As of this moment, several dozen representatives of this malware family have already been discovered.
Other security events in September
The overall security situation in September showed that virus makers didn't lose their enthusiasm for creating malware: attacks on PCs and handhelds involved brand-new programs as well as upgraded versions of known malicious applications and commercial applications injected with malignant payloads.
The new piece of encryption ransomware dubbed Trojan.Encoder.761 has been infecting PCs in Australia and Great Britain for two months. The ransom charged to decrypt compromised data is 350 pounds. Another 'cutting-edge' malicious program—Trojan.Encoder.759—is somewhat more moderate in its appetite and demands only around 100 dollars; however, delaying a payment incurs a fee for every 24 hours overdue. Both programs ask their victims to pay the ransom with bitcoins.
Online banking is also a primary target for intruders. Most often they orchestrate attacks on the client host which is a less secure element in customer-bank communications. To conceal the presence of malware on an infected PC, virus makers use modified versions of legitimate applications that incorporate a malicious payload. One such attack involved a modified version of a legitimate program called Program.RemoteAdmin. Attackers used the software to upload a banking Trojan and a key logger onto the target machine after which they were able to draw up and send a payment order instructing the bank to transfer funds from the victim's account to theirs.
In September, attackers used a new version of the Trojan BlackEnergy to collect data from hard drives belonging mostly to public and private companies in Poland and Ukraine. The Trojan's first modification was analysed in 2007 and was designed to launch relatively simple DDoS attacks. This simple DDoS Trojan horse has now evolved into a sophisticated piece of malicious software with a modular architecture which enables attackers to alter the program's functions depending on their objectives. New BlackEnergy modifications are detected by Dr.Web as Trojan.Siggen6.19887 and BackDoor.BlackEnergy.73.
In September, an entry for another modification of IPhoneOS.PWS.Stealer.2 was added to the virus database. This program targets jailbroken iOS handhelds. Initial samples were discovered in May 2014. The Trojan harvests the logins and passwords required to buy software in the App Store. It is believed that IPhoneOS.PWS.Stealer.2 gets onto devices when users download a Cydia Substrate tweak or a program used for jailbreaking. IPhoneOS.PWS.Stealer.2 downloads and installs on the infected device a fake utility that allows an attacker to access the App Store and buy applications without the user's knowledge or consent.
At the end of September, backdoors targeting Linux—Linux.BackDoor.Shellshock.1 and Linux.BackDoor.Shellshock.2—were discovered. Attackers have developed their programs to exploit the ShellShock vulnerability (CVE-2014-7169), which allows intruders to execute arbitrary commands on affected machines whose operating systems are based on the Linux kernel and feature the Bash shell (such as CentOS, Debian, Red Hat, and Ubuntu). Affected devices include servers, modems, routers, cameras, and many other pieces of Internet-connected hardware with embedded operating systems, and the software for many of them never gets updated. The ShellShock vulnerability was assigned the highest level of risk.
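The backdoors above depend on a bash that still imports shell functions from environment variables in the pre-patch way. As an added check, not code from Doctor Web's report, the POSIX shell script below probes the local bash for that behaviour from a defender's side: it passes a harmless, empty function definition through an ordinary environment variable and asks the child bash whether it imported it, and separately whether a command appended after the function body gets executed during import. The variable name probe_fn and the string SHELLSHOCK_MARKER are constructed for this check; a bash carrying the hardening patches only imports functions from BASH_FUNC_<name>%% variables, so both probes stay silent on a patched host.

```shell
#!/bin/sh
# Added example, not Doctor Web's code: probes the local bash for the
# ShellShock import behaviours (CVE-2014-6271 / CVE-2014-7169 family).
# probe_fn and SHELLSHOCK_MARKER are constructed names for this check.

# Probe 1: hand a function definition to a child bash through a plainly
# named environment variable, then ask whether a function of that name
# exists. A hardened bash ignores the variable, so `type` prints nothing.
probe_function_import() {
    probe_fn='() { :; }' bash -c 'type probe_fn 2>/dev/null' 2>/dev/null || true
}

# Probe 2: append a command after the function body. The original
# ShellShock bash executed such trailing text while importing; here it
# only echoes a marker, so the probe is harmless on every bash version.
probe_trailing_code() {
    probe_fn='() { :; }; echo SHELLSHOCK_MARKER' bash -c ':' 2>/dev/null || true
}

# Returns 0 when the output shows bash imported the function.
classify_probe_output() {
    case "$1" in
        *"is a function"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the marker appeared, i.e. trailing code was executed.
classify_trailing_output() {
    case "$1" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one word: vulnerable, patched, or unknown (no bash on this host).
bash_shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    if classify_trailing_output "$(probe_trailing_code)"; then
        echo vulnerable   # trailing code executed: CVE-2014-6271 behaviour
    elif classify_probe_output "$(probe_function_import)"; then
        echo vulnerable   # functions still imported from any variable: hardening patch missing
    else
        echo patched
    fi
}

echo "bash ShellShock status: $(bash_shellshock_status)"
```

Run it on each host you administer, including embedded devices that expose a shell; a "vulnerable" result means the bash package needs the vendor's updated build, and until then any service that passes untrusted input through the environment (CGI handlers, DHCP clients, SSH ForceCommand setups) should be treated as exposed.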
Threats to Android
This past September, Doctor Web added to its virus database many new definitions for a variety of malicious software programs for Android mobile devices. Among them is yet another locker ransomware which has been dubbed Android.Locker.38.origin. Like most programs of its kind, the extortionist locks the infected mobile device's screen and demands a ransom to unlock it. But, in addition, the malware can lock an Android smart phone or tablet with a password, which complicates its neutralisation significantly. You can find more information about Android.Locker.38.origin in the corresponding publication on Doctor Web's site.
Banking Trojans constituted a significant portion of the malware for Android discovered in September. Many of them were used along with SMS spam for the now regular attacks against users in South Korea. All in all, Doctor Web's security researchers discovered over 100 spam campaigns aimed at distributing Android malware in South Korea. The most common malicious programs included Android.Banker.28.origin, Android.BankBot.27.origin, Android.SmsBot.121.origin, Android.SmsSpy.78.origin, Android.Banker.32.origin and Android.MulDrop.21.origin.
Chinese users had their share of cyber attacks too. In September, Doctor Web's security researchers discovered a spying Trojan that was added to the virus database as Android.Spy.130.origin. This malicious application steals various types of sensitive information such as SMS messages, the call history, and GPS coordinates. Also, it can covertly call specified numbers which effectively turns compromised smart phones or tablets into eavesdropping devices.
Discovered at the end of last month, Android.Elite.1.origin turned out to be the exact opposite of most threats to Android. In contrast to them, Android.Elite.1.origin is not designed for illicit profit or for stealing valuable information, but it still represents a grave danger. Once on a mobile device, this Trojan would format the memory card and interfere with the normal operation of a variety of applications. In addition, this malicious program would dispatch a large number of short messages, which could deplete the user's mobile account. More information about this threat can be found in the relevant publication on Doctor Web's site.