News of Doctor Web
January 21, 2015
The downloader Trojan entered the Dr.Web virus database as Trojan.DownLoad3.35539. Criminals spread it as an attached ZIP archive in mass spam messages. According to Doctor Web security researchers, messages of this kind come in many languages including English, German and even Georgian.
The archive contains an SCR file. By default, the .scr extension is used for Windows screen savers, but such files are ordinary Windows executables (PE files) and run when double-clicked. If the archived file is launched, Trojan.DownLoad3.35539 extracts an RTF document from its body, saves it onto the hard drive and displays it on the screen.
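As an added illustration (not part of the Doctor Web report), the following Python script shows the kind of check a mail gateway can apply to such attachments: it opens a ZIP archive, flags entries with executable extensions such as .scr, double extensions like invoice.pdf.scr, and content that starts with the PE "MZ" header whatever the file is called, descends into nested archives, and reports password-protected entries it cannot inspect. The sample archive it builds is constructed for the demonstration; the fake .scr inside is an MZ header plus padding, not a real program, and the file names are invented.

```python
import io
import zipfile

# File types Windows launches on double-click. A .scr file is just a renamed
# PE executable, which is what the campaign described above relies on.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
}
PE_MAGIC = b"MZ"            # DOS header every Windows PE file starts with
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a nested archive


def triage_zip_attachment(data: bytes, max_depth: int = 2, _prefix: str = "") -> list:
    """Return one finding per suspicious entry in a ZIP attachment.

    An entry is suspicious if its extension is executable, if it carries a
    double extension (invoice.pdf.scr), or if its content starts with the PE
    magic regardless of the name. Nested archives are inspected up to
    max_depth levels; encrypted entries are reported as unscannable.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = _prefix + info.filename
            reasons = []
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if len(parts) > 2:
                reasons.append("double extension")
            if info.flag_bits & 0x1:
                # Password-protected entry: content cannot be inspected, so
                # treat it as suspicious rather than silently passing it.
                reasons.append("encrypted entry, content not scannable")
                findings.append({"name": name, "reasons": reasons})
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            if head[:2] == PE_MAGIC:
                reasons.append("PE header (MZ) regardless of extension")
            if head == ZIP_MAGIC and max_depth > 0:
                nested = zf.read(info)
                findings.extend(triage_zip_attachment(nested, max_depth - 1, name + "!/"))
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def should_block(data: bytes) -> bool:
    """Gateway decision: block the message if anything in the archive is suspicious."""
    return bool(triage_zip_attachment(data))


def _zip_of(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the spam attachment: a decoy text file plus a
    nested archive holding a fake PE (MZ header and padding, not a real
    program) named like a document."""
    fake_pe = PE_MAGIC + b"\x90" * 62
    inner = _zip_of({"Invoice_2015-01.pdf.scr": fake_pe})
    return _zip_of({"readme.txt": b"Please see the attached invoice.", "invoice.zip": inner})


def build_benign_attachment() -> bytes:
    """Constructed archive with only documents in it."""
    return _zip_of({"notes.txt": b"meeting at 10", "report.rtf": b"{\\rtf1 hello}"})


if __name__ == "__main__":
    for finding in triage_zip_attachment(build_sample_attachment()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The extension list alone would miss a payload renamed to .rtf that the decoy viewer never opens; the MZ check catches that, and the nested-archive walk catches the common "zip inside a zip" layering. The RTF decoy itself is not flagged, which is the point: the check targets what Windows will execute, not what the user is meant to look at.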
At the same time, Trojan.DownLoad3.35539 establishes a connection with one of the attackers' remote servers, downloads an archive containing the encryption ransomware Trojan.Encoder.686 (a.k.a. CTB-Locker), and then decompresses and runs it. Following its successful initialisation on the victim machine, Trojan.Encoder.686 encrypts files and displays the following message:
It is worth mentioning that attackers give their victims only 96 hours to pay the ransom required to recover their files and threaten that a failure to comply with their demands will result in permanent data loss. To acquire information about the terms and the ransom amount, users are directed to a site residing in the TOR network.
Trojan.Encoder.686 has been compiled with the TOR and OpenSSL libraries and relies heavily on their routines. While encrypting data, the ransomware uses CryptoAPI to generate random data and elliptic curve cryptography to protect the encryption keys, which for now makes it impossible to recover the affected data without the attackers' private key.
Doctor Web urges users to exercise caution and to never launch files received with emails, as well as to refrain from opening attachments in messages from unverified senders and to back up valuable data regularly.
In addition, please note that Dr.Web Security Space 9 and 10 incorporate several components that will facilitate automatic timely backups for your most valuable information and protect your computer from encryption ransomware and other malicious programs.
To keep your data safe, follow the recommendations below:
- Make sure that in the Dr.Web Security Space (9 and 10) settings, you toggle on the preventive protection which will protect your PC against threats yet unknown to Dr.Web.
- Go to the ‘Tools’ menu to turn on ‘Data loss prevention’, and configure the parameters of the backup storage containing your important files.
- Create a custom schedule to back up your valuable data.
Supplemented by some caution when working with emails, these measures will keep your system safe from most modern threats including encryption ransomware.
January 19, 2015
The plugin can now be installed under Microsoft Windows Server 2012 and 2012 R2.
In addition, the update resolves the "No MIME data" issue that occurred on machines running both Domino X64 and Lotus/Notes 9 whenever a memo that had had a threat removed from it earlier was opened.
To install the new version of Dr.Web for IBM Lotus Domino, you need to uninstall the previous one. All the current settings and the quarantine database will be deleted. If necessary, back up the database found in the Dr.Web directory.
More information about the upgrade process, as well as the system requirements for Dr.Web 6.01 for IBM Lotus Domino, can be found in the release notes.
January 15, 2015
In particular it corrects the defect that might cause the Scanning Engine to freeze while checking an object in RAM.
Also, in series 10 products the issue related to curing objects in shared folders has been eliminated.
The update will be performed automatically; however, a system reboot will be required. To use the updated Dr.Web CureIt! you need to download the new version.
December 29, 2014
Although incorporating malicious code in Android firmware is nothing new, criminals do not use this technique often. Yet they have not discarded it altogether, and security researchers occasionally come across a new Android Trojan embedded in firmware or pre-installed on some handset model. In December several such incidents occurred. As before, the malicious programs detected were used by cybercriminals to covertly perform various actions to their advantage. In particular, the backdoor that entered the Dr.Web virus database as Android.Backdoor.126.origin could be instructed by criminals to insert SMS messages with attacker-supplied text among the messages arriving on the infected device, which opened up the most diverse scam opportunities.

Another malicious program lurking in Android firmware gave its makers an even more ample supply of features facilitating illicit activities. Android.Backdoor.130.origin (under the Dr.Web classification) could send short messages; make calls; display ads; download, install and launch applications without user consent; and transmit all sorts of information to its command and control (C&C) server, including call history, SMS correspondence and location data. Furthermore, it could delete applications installed on the infected device. Since this backdoor was actually a system application, it didn't require user intervention to perform its tasks, which makes Android.Backdoor.130.origin particularly dangerous.
Android.SmsBot.213.origin, which can also perform unwanted actions on an infected device, is another noteworthy malicious program for Android that was detected in December. In particular, it could intercept and send SMS messages, and forward confidential information found on the device to its C&C server. Here, the main danger lies in the malware's ability to provide criminals with access to bank accounts involved in online banking. By sending and intercepting SMS messages used in remote banking, Android.SmsBot.213.origin could covertly transfer all the available funds to the attackers' account. Interestingly, criminals spread this program in the guise of a popular game which would eventually be installed onto the compromised device. In particular, once installed and launched by the user, Android.SmsBot.213.origin would begin installing the game that is incorporated into the malware, delete its shortcut and further operate as a system service. This trick helped criminals reduce the risk of users getting upset after failing to acquire an expected game and deleting the malware. It also improved the program's chances of successfully accomplishing its tasks.
Also in December, cybercriminals targeting devices in South Korea carried on with their attacks. As before, they spread Android Trojans with unwanted SMS containing the relevant download links. Doctor Web registered about 160 spam campaigns of this sort throughout the month. The most common malicious programs spread in this way included Android.MulDrop.48.origin (40,25%),
December 26, 2014
Statistics collected by Dr.Web CureIt! demonstrate that the browser advertising plugins detected by Dr.Web as Trojan.BPlug.218 and Trojan.BPlug.341 are maintaining their leading position among the malicious programs detected on PCs in December. Trojan.Yontoo.115, another advertising Trojan program, ranks third in the December chart. Other malicious applications frequently identified during the past month by Dr.Web CureIt! include programs of the
According to the data gathered by Doctor Web statistics servers,
The botnets that are being closely monitored by Doctor Web security researchers continue to engage in malicious activity. In particular, the botnet comprised of machines compromised by the file infector
Backdoor for Linux
In December, Doctor Web virus analysts examined a multi-component malware program for Linux. Dubbed
This malicious program can operate using superuser privileges (root), as well as under an ordinary Linux account—in the latter case, the malware installs itself into a different directory and uses another name for its executable file.
Upon its initial launch,
The command and control (C&C) server address is hardcoded into the backdoor. The backdoor stores its encrypted configuration data and other information required for its operation in an SQLite3 database.
Malware for Android
In the last month of 2014, handheld users were in for a large number of pre-holiday malicious "gifts". Cybercriminals employed all kinds of Trojans to attack smartphones and tablets running Android. In particular, in December a number of malicious programs were found pre-installed on some low-cost Android-powered devices. One of these Trojans, which entered the virus database as Android.Backdoor.126.origin, could perform malicious tasks upon receiving the corresponding commands from the server; for example, it could plant a message composed by criminals among the incoming SMS on the device. Since criminals could put any content they wanted into such messages, users whose devices were compromised by Android.Backdoor.126.origin could be lured into all sorts of scams.

Android.Backdoor.130.origin was another malicious program lurking on some Android devices, but this one allowed its makers to accomplish a wider range of objectives. In particular, it could send short messages; make calls; display ads; download, install and launch applications without user consent; and transmit all kinds of information to its C&C server.
Also in December, a host of other Trojans that could be used to steal confidential information and money from bank accounts were discovered. For example, discovered in mid-month, Android.SmsBot.213.origin was distributed under the guise of a game and enabled attackers to intercept and send SMS messages. It could also upload confidential data found on infected mobile devices onto a server. Access to SMS capabilities allowed Android.SmsBot.213.origin to transmit a variety of sensitive data to cybercriminals, including information about credit and debit cards used in online banking. As a result, the guileful intruders gained control over user accounts and could carry out transactions as they saw fit.
Malicious programs spread in South Korea were again found among the banking Trojans discovered in December. As before, to infect devices, criminals dispatched mass short messages containing download links. Throughout the month, Doctor Web registered about 160 such spam campaigns, most of them aimed at spreading malicious applications such as Android.MulDrop.48.origin,
December 17, 2014
In particular, it resolves the issue that might cause a system crash on start-up once the update KB3013769 for Windows 8.1 (32-bit) has been installed.
The update for Dr.Web 9.1 and 10.0 will be performed automatically; however, a system reboot will be required.
December 10, 2014
In particular, the update provides support for iPhone 6 and iPhone 6+.
In addition, it resolves issues that involved switching between languages when sending messages or restarting remote hosts.
The update is available free of charge via the App Store.
December 10, 2014
In addition, the routine for detecting new modifications of previously discovered malicious programs has been upgraded for Dr.Web for Android Light.
The update will be downloaded and installed automatically. If automatic updates are disabled on the device, go to Google Play, choose Dr.Web Anti-virus, Dr.Web Anti-Virus Life license or Dr.Web Anti-virus Light in the application list, and tap "Update".
To update via the Doctor Web site, you need to download a new distribution file. If the option “New application version” is enabled, a new version notification will be displayed when updating the virus databases. You can start the download directly from this dialogue box.
December 9, 2014
The update enables the anti-viruses to connect to Dr.Web Enterprise Security Suite 10.0. Detailed instructions on how to connect the products to the suite can be found in the updated documentation.
To update Dr.Web for Unix installed from the repository, use your package manager. If you installed Dr.Web using a universal package, download the updated distribution and reinstall the application.
December 9, 2014
Now the product can be installed on computers running Windows Server 2012 and Windows Server 2012 R2.
To apply the update, you need to remove the current version manually and use the updated distribution to install the latest version.
December 8, 2014
Doctor Web invites all holders of Dr.Web Anti-virus licenses that expire in no less than 3 months to take advantage of an expanded list of protection components, while maintaining coverage for the same number of protected objects and for the same duration specified in their license. Moreover, those who upgrade to Dr.Web Security Space will have the remainder of their license rounded up in their favour!
To keep things simple, we’ve designed a special web page where customers need to enter their valid serial number for the Dr.Web Anti-virus, their registered email address and another email address that is to be associated with their new license (optional). The new Dr.Web Security Space license won't require activation—all you need to do is to install Dr.Web Security Space instead of Dr.Web Anti-virus and replace your old key with the file you receive upon upgrading.
December 8, 2014
A number of upgrades have been made to this Dr.Web product for all supported Android versions. In particular, the program's ability to neutralise screen lockers and malicious programs that have self-defence mechanisms has been enhanced. Another innovation enables Dr.Web to identify the FakeID vulnerability and to warn users about the presence of software on their device that exploits this vulnerability. Also, users can now search the Doctor Web virus library via the Statistics section. In addition, a number of improvements have been introduced to make working with licenses more convenient.
Fixes have been introduced that restore operation of the URL-filter Cloud Checker in Google browser and help prevent Dr.Web from terminating abnormally.
A number of additional changes were implemented in the anti-virus for Android 4.0 and later. Operational defects on Samsung Galaxy Note tablets have been corrected. The Blacklist has been upgraded for devices running Android 4.4. Also, the URL filter Cloud Checker now works properly in the HTC browser under Android 4.4. Furthermore, information about the traffic being used by installed applications is displayed in a floating window.
Firewall issues that involved transferring data to other devices have been resolved, and UI tweaks have been introduced.
The updated anti-viruses are available on Google Play (Dr.Web for Android. Comprehensive protection, Dr.Web for Android. Life License); and on Doctor Web's site you can download the application for Android 4.0 and later.
The update will be downloaded and installed automatically. If automatic updates are disabled on your device, go to Google Play, choose Dr.Web Anti-virus or Dr.Web Anti-Virus Life license in the application list, and tap "Update".
To update via the Doctor Web site, you need to download a new distribution file. If the option “New application version” is enabled, a new version notification will be displayed when the virus databases are being updated. You can start the download directly from this dialogue box.
December 8, 2014
If a Dr.Web 10.0 agent is installed on a machine, Dr.Web for MS Exchange 9.0.3 will use the centralised protection features of Dr.Web Enterprise Security Suite to filter emails.
In addition, the Administrative CMS console can now be used to adjust the scanner load timeout and select archive types that will be regarded as corrupt.
More information about the upgrade process, as well as the system requirements for Dr.Web 9.0.3 for MS Exchange, can be found in the release notes.
December 8, 2014
The redesigned main menu keeps all the elements involved in daily routines at hand. Settings changes are now applied on the fly—just enter the required data, check a box or move a slider.
Exceptions settings are now also placed in a separate section. You no longer need to define exceptions individually for each protection component. Exceptions can include:
- Websites you need to access;
- Files and folders;
- Applications and processes;
- Email addresses for the anti-spam filter.
The controls of the new device blocking system are found in the Devices tab.
The Office Control has been upgraded too. If you disable the component temporarily, the settings will be saved and applied automatically as soon as Office Control is toggled on again.
Notifications about threats detected or problems in the product's operation are now more noticeable.
The update will be performed automatically; however, a system reboot will be required.
December 4, 2014
To distribute the program, criminals incorporated Android.BankBot.35.origin into another malware program that is registered in the virus database as Android.MulDrop.46.origin. This Trojan performs dropper tasks and can be downloaded in the guise of various applications. Currently, Doctor Web security researchers know about incidents of Android.MulDrop.46.origin spreading as a popular browser; however, the choice of disguise depends entirely upon the imagination of the virus makers.
Once the dropper has been installed on an Android handheld, it can be launched by the user (when they tap on the corresponding icon) or automatically during the next screen unlock or device reboot. If a user launches Android.MulDrop.46.origin, the Trojan prompts them to grant it access to the administrative features of the mobile device, and then deletes its icon. From then on, the malware operates as a system service and becomes 'invisible' to the device's user.
Following its successful initialisation, the dropper extracts the dex executable of Android.BankBot.35.origin from its resources and loads it with DexClassLoader, an Android class loader that lets an application (in this case, Android.MulDrop.46.origin) bring in additional code modules at run time without installing them as separate packages or involving the user. After gaining control, Android.BankBot.35.origin goes into standby mode and periodically checks whether certain online banking applications belonging to several South Korean financial organisations are present on the infected device. If any of these programs is discovered, the malware downloads the corresponding fake application from a remote server and then attempts to replace the legitimate program with it. To accomplish this, Android.BankBot.35.origin prompts the user to install a supposedly new version of the banking program. If the user consents to installing the 'update', the malware initiates the removal of the legitimate application and, when that is done, installs the bogus one.
All the fake banking applications downloaded by Android.BankBot.35.origin are in fact various modifications of Android.Banker.46.origin. This malicious program gives criminals access to the bank accounts of South Korean users, which can result in unintended financial transactions and even wiped-out accounts. To steal all the sensitive information it needs, Android.Banker.46.origin mimics the interface of legitimate online banking applications and prompts users to enter data such as the login and password they use to access their accounts, their account number, their credit card number, and information about the digital certificate used to secure their transactions.
Along with replacing legitimate banking applications with bogus copies, Android.BankBot.35.origin can also perform other unwanted actions. In particular, when tasked by a command and control (C&C) server, the malware can:
- Send SMS with a specific text to a specified number.
- Enable or disable Wi-Fi.
- Upload data from the phone book (including phone numbers saved in the SIM card) to the server.
- Download a specified dex file from the remote host and run it.
To run the downloaded file, the Trojan uses the same dex-loading routine of Android.MulDrop.46.origin that was previously employed to initialise Android.BankBot.35.origin. Thus, this malicious program has a modular architecture and, depending on the needs of the virus makers, can significantly expand its payload.
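The dropper/payload arrangement described here, and at the first mention of DexClassLoader above, can be spotted during static triage. As an added example (not Doctor Web's code and not the Trojan's), the Python script below opens an APK as the ZIP it is, looks in classes.dex for the type descriptors of Android's dynamic class loaders, and lists entries elsewhere in the package whose bytes start with the dex or ZIP magic, i.e. shipped code that the app could load at run time without installing it. The sample APKs are constructed: their classes.dex is a dex magic string plus padding and the marker strings, not a compiled app, and the entry names are invented.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"        # first bytes of any Dalvik executable (dex\n035\0 etc.)
ZIP_MAGIC = b"PK\x03\x04"   # a .jar/.apk carried as a payload inside the app

# Type descriptors that appear in classes.dex when the app references
# Android's dynamic class loaders.
LOADER_MARKERS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
)


def _is_app_dex(name: str) -> bool:
    # classes.dex, classes2.dex, ... in the APK root are the app's own code
    return "/" not in name and name.startswith("classes") and name.endswith(".dex")


def _zip_has_dex(blob: bytes) -> bool:
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as inner:
            return any(n.endswith(".dex") for n in inner.namelist())
    except zipfile.BadZipFile:
        return False


def triage_apk(apk: bytes) -> dict:
    """Report dynamic-loader references in the app's own dex and any dex or
    dex-bearing archive stored elsewhere in the package."""
    report = {"loaders": [], "payloads": []}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            if _is_app_dex(info.filename):
                report["loaders"].extend(m.decode() for m in LOADER_MARKERS if m in blob)
            elif blob.startswith(DEX_MAGIC):
                report["payloads"].append((info.filename, "dex"))
            elif blob.startswith(ZIP_MAGIC) and _zip_has_dex(blob):
                report["payloads"].append((info.filename, "archive containing dex"))
    # A dynamic loader alone is common in legitimate apps (plugins, hot fixes);
    # together with a shipped-but-not-installed dex it matches the dropper pattern.
    report["dropper_pattern"] = bool(report["loaders"]) and bool(report["payloads"])
    return report


def _build_apk(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Constructed dropper-like APK: not a compiled app, only the bytes the checks look at."""
    fake_dex = (b"dex\n035\x00" + b"\x00" * 64
                + b"Ldalvik/system/DexClassLoader;\x00" + b"Ljava/lang/Object;\x00")
    payload = b"dex\n035\x00" + b"\x00" * 64 + b"Lcom/example/bank/Login;\x00"
    return _build_apk({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": fake_dex,
        "assets/update.dat": payload,          # second-stage dex hidden under an innocuous name
        "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n",
    })


def build_benign_apk() -> bytes:
    """Constructed ordinary app: no loader references, no embedded code."""
    return _build_apk({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"dex\n035\x00" + b"\x00" * 64 + b"Ljava/lang/Object;\x00",
        "assets/strings.json": b"{}",
    })


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

A payload stored encrypted in assets, as real droppers often do, would not be recognised by the magic check, and string obfuscation would hide the loader descriptor; in that case the loader reference (or a decryption routine feeding DexClassLoader) is what remains to look for.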
In addition to stealing contact information, the Trojan can also relay other sensitive information to the C&C server, such as the phone number, handheld model, OS version and type of mobile and Wi-Fi network used. In addition, Android.BankBot.35.origin can intercept and delete SMS messages from certain numbers on the Trojan's blacklist.
It is noteworthy that the malware also possesses an interesting self-defence mechanism. If the Trojan detects a popular South Korean anti-virus being launched on an infected device, Android.BankBot.35.origin disrupts its initialisation and returns the user to the home screen. Similarly, the Trojan blocks access to the application manager and to the screen used to assign device administrators, so users of compromised devices cannot manage their installed applications once the self-defence mechanism has been activated. However, this protective mechanism does not work while at least one of the original banking clients has not yet been replaced or while the Trojan has not been granted administrator permissions.
To avoid infection, owners of Android handhelds should refrain from installing applications that haven't been obtained from Google Play. Doctor Web also encourages users to install reliable anti-virus software on their devices. Dr.Web Anti-virus for Android and Dr.Web Anti-virus for Android Light detect and neutralise the Trojans above, so they pose no threat to devices protected with Dr.Web.
December 4, 2014
- Optimised interface for the web page showing repository update status, and the option to save update reports in PDF format.
- Schedule sending messages to protected hosts.
- An issue that could result in recurring server repository update errors;
- A defect involving the display of server notifications in the Dr.Web Mobile Control Center;
- Defects that could cause issues with license distribution between neighbouring Dr.Web servers;
- An issue that occasionally prevented agents on Android-powered handhelds from updating normally;
- A defect involving the processing of viewed Dr.Web news posts when receiving new revisions;
- A defect involving the compressed export of databases when updating server software under Windows;
- Defects causing LDAP authorisation to malfunction;
- An issue rendering it impossible to install Dr.Web Agent via Dr.Web Enterprise Proxy in low network bandwidth conditions.
The updated Dr.Web Enterprise Security Suite is available through the Dr.Web Control Center web interface, where it will appear as an update dated 11.21.2014.
The updated Dr.Web Enterprise Proxy can be downloaded from Doctor Web's site.
December 1, 2014
According to statistics collected with Dr.Web CureIt!, in November 2014 the advertising Trojans Trojan.BPlug.123, Trojan.BPlug.100, Trojan.Packed.24524 and Trojan.BPlug.48 were detected on PCs most frequently; together they make up 8.7% of the malware identified. Other dangerous applications are far behind in the detection rankings.
However, Doctor Web's statistics servers show a slightly different picture: Trojan.InstallCore.12, which installs various adware, toolbars and browser extensions that developers commonly use to generate profit from all sorts of dubious programs, ranks first. BackDoor.Andromeda.404, which downloads other malicious programs into an infected system when commanded to do so by intruders, ranks second. In November, cybercriminals distributed this malware in large quantities via email; in particular, they used emails with the subject line "my new photo", and the backdoor was concealed in the attached file my_photo.zip.
Trojan.InstallMonster.1017 ranks third among the Trojans identified in November—this malignant application is spread by criminals under various referral programmes. Also discovered in the last month of autumn were Trojans from the Trojan.Bayanker, Trojan.MulDrop, Trojan.LoadMoney and Trojan.Zadved families.
In November, BackDoor.Andromeda.404 was by far the Trojan most frequently discovered in email traffic; as previously mentioned, in mid-November criminals sent a mass spam email containing this backdoor. It accounted for 2.4% of the malware detected. Its close relative BackDoor.Andromeda.559 ranked second. The third and fourth positions were taken by Trojan.Download programs. The “Top 10” also includes applications that steal confidential information—Trojan.PWS.Panda and Trojan.PWS.Stealer programs.
The botnets monitored by Doctor Web security researchers didn't undergo any significant changes in the past month. The one created by hackers using the file infector Win32.Rmnet.12 (two of its subnets are controlled by Doctor Web's virus analysts) is still operational. In the first subnet, an average of 278,400 infected hosts contacted command and control (C&C) servers on a daily basis, while in the second one, around 394,000 infected machines were active. The botnet comprised of computers compromised by another file infector—Win32.Sector—shrank slightly in November. Roughly 50,300 nodes per day were active in it. The number of machines running Mac OS X and infected with BackDoor.Flashback.39 also declined slightly, reaching 13,250.
In June 2014, Doctor Web issued a report about Linux.BackDoor.Gates.5–a program designed to mount DDoS attacks on web servers and capable of infecting 32-bit versions of Linux. This malware was rather active in November. Within just that one month, security researchers registered 3,713 unique IP addresses as having been attacked by this backdoor. Their geographic distribution is illustrated in the figure below:
Other events in November
Definitions for several programs targeting Mac OS X were added to the Dr.Web virus database. In particular, in early November Doctor Web's researchers examined the program Mac.BackDoor.Ventir.2. This backdoor can execute commands from a remote server, log keystrokes and relay information to criminals. Another backdoor for Mac OS X, Mac.BackDoor.Tsunami, is a port of the Linux backdoor known as Linux.BackDoor.Tsunami; criminals control this program via the IRC (Internet Relay Chat) protocol. Yet another backdoor for Mac OS X (also exposed in November) was named Mac.BackDoor.WireLurker.1. Unlike many programs of its kind, this malware waits for the moment when an iOS device is connected to an infected Mac and uploads its files onto the device. There are two versions of these files: one is intended for jailbroken devices, the other for unaltered iOS devices. As soon as an iOS device connects to an infected Mac via USB, Mac.BackDoor.WireLurker.1 uses an Apple digital certificate to install a compromised application onto the target device. To accomplish this task, the backdoor takes advantage of the "enterprise provisioning" feature that lets companies bypass the App Store and install applications onto their employees' devices.
Neither did attackers disregard Linux: in November Doctor Web warned users about the dangerous backdoor Linux.BackDoor.Fgt.1, which targets all sorts of devices running various versions of this OS; there are builds tailored for particular Linux distributions. The backdoor was designed to mount DDoS attacks. To spread to other devices, Linux.BackDoor.Fgt.1 scans random IP addresses on the Internet and tries to log in to each host over Telnet by brute-forcing credentials. If a login succeeds, it instructs the compromised host to download a script, which in turn downloads and launches Linux.BackDoor.Fgt.1 on that machine. It is noteworthy that the C&C server stores a large number of Linux.BackDoor.Fgt.1 executables compiled for different Linux versions and distributions, including MIPS and SPARC ports. Thus, the backdoor can infect not only Internet-connected servers and PCs running Linux, but also other devices, such as routers. More information about this malicious program can be found in the corresponding review published by Doctor Web on its site.
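To illustrate the propagation pattern just described, here is an added Python example (not from Doctor Web's review) that runs a simple scan detector over connection-log lines: a source that opens connections to many distinct hosts on TCP/23 within a short window is flagged as a Telnet scanner, while a host that repeatedly logs in to the same switch is not. The log format (`src= dst= dport= proto=`), the addresses, the window and the threshold are assumptions for the demonstration; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed connection-log format, one new connection per line, e.g. from a
# firewall LOG target or a flow exporter. Constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_line(line: str):
    """Return (timestamp, src, dst, dport, proto) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["dst"], int(m["dport"]), m["proto"].lower()


def detect_scanners(lines, port: int = 23, window_seconds: int = 60, threshold: int = 10) -> dict:
    """Flag sources that contact at least `threshold` distinct hosts on TCP/`port`
    within any `window_seconds` window. Repeated logins to one device do not
    count: the spread over destinations is what marks a scanner."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst) inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto = rec
        if proto != "tcp" or dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:        # slide the window forward
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in flagged:
            flagged[src] = {"first_flagged": ts.isoformat(), "distinct_dst": len(distinct)}
    return flagged


def sample_log() -> list:
    """Constructed log: one host probing twelve Internet addresses on port 23
    within twelve seconds (scanner), an admin host logging in to the same switch
    five times (legitimate), and an unrelated SSH session."""
    lines = []
    for i in range(12):
        lines.append(f"2014-11-12T10:00:{i:02d}Z src=10.0.0.5 dst=198.51.100.{i + 1} dport=23 proto=tcp")
    for i in range(5):
        lines.append(f"2014-11-12T10:00:{i * 10:02d}Z src=192.0.2.10 dst=10.0.0.1 dport=23 proto=tcp")
    lines.append("2014-11-12T10:00:30Z src=192.0.2.10 dst=10.0.0.2 dport=22 proto=tcp")
    return lines


if __name__ == "__main__":
    for src, details in detect_scanners(sample_log()).items():
        print(f"telnet scanner {src}: {details}")
```

The same detector serves for the SSH brute-forcers that accompany this kind of bot by changing `port`; in either case the lasting fix on the device side is to disable Telnet and remove default credentials, since the backdoor only needs a successful login to deliver its download script.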
Windows machines were also in danger of getting infected with various malicious programs. In particular, many media outlets reported the discovery of a dangerous Trojan dubbed Trojan.Regin under the Dr.Web classification system. In the past month, security researchers discovered several modifications of this malware, and the corresponding entries were promptly added into the virus databases.
In November, Doctor Web researched another backdoor for Windows, Backdoor.OnionDuku.1. It is noteworthy that the attackers use this malware to infect executable files passing through a TOR network node under their control. Thus, users whose traffic is routed through the malicious node can get their systems infected simply by downloading executable files from various sources with the TOR browser.
However, there is good news for Windows users, too. In November, Doctor Web completed a research project that enabled its security researchers to decrypt files affected by the encryption ransomware Trojan.Encoder.398. This malicious program encrypts various types of files and usually offers the following email addresses for communicating with the intruders: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org.
Malicious programs for Android
In November, Doctor Web registered a large number of various malicious programs for Android, a large portion of which was comprised of banking Trojans that stole money from accounts associated with the compromised devices.
Android.BankBot.33.origin was one such program. This malware can covertly steal money from Russian customers of financial institutions who use mobile banking. Android.BankBot.33.origin uses SMS commands to covertly transfer money to the intruders’ account and hide SMS replies from the bank, so that the user won't notice unauthorised transactions. It can also load a bogus web page in the browser to lure users into submitting their online banking credentials.
Android.BankBot.34.origin bears a similar payload. In addition to the ability to steal money from bank accounts, the malware can also acquire logins and passwords stored by a number of popular applications, and gather information about the phone number and credit card associated with a compromised device. You can find more information about Android.BankBot.34.origin in a corresponding publication on Doctor Web's site.
Discovered in mid-November, Android.Wormle.1.origin turned out to be another malicious program that could steal money from bank accounts accessed from Android-powered devices. Android.Wormle.1.origin could not just steal money from its victims, but could also perform other unwanted actions as directed by the intruders. For example, it could steal confidential information, download various applications onto a compromised device and remove certain files from the SD card. More detailed information about this threat can be found in a review published by Doctor Web.
In November, handhelds in Brazil were attacked by banking malware. Android.Banker.127 and Android.Banker.128, which were spread via Google Play, were designed to steal login data from customers of Brazilian banks. To accomplish this, they displayed a fraudulent web page where victims were prompted to enter their bank account logins and passwords.
November didn't pass without incident in South Korea either. This past month, Doctor Web registered roughly 100 spam campaigns spreading malicious applications for Android. Most of the programs distributed were various versions of banking Trojans. Android.BankBot.29.origin, Android.MulDrop.36.origin, Android.SmsBot.190.origin and Android.SmsSpy.78.origin were the most common.
In addition to a large quantity of different banking Trojans, many other malicious applications for Android were discovered in November. One of them was the Trojan Android.Becu.1.origin. Discovered by Doctor Web's security researchers, this program is interesting in that it was incorporated into the Android firmware used on a large number of inexpensive Android handhelds. Android.Becu.1.origin can download, install, and remove programs without user consent and block inbound short messages from specified numbers. More information about this malicious program can be found in a related news publication.
Learn more with Dr.Web
December 1, 2014
In particular, it resolves an issue that could result in a system crash when launching the mini-agent component on machines running Windows XP SP2.
A Dr.Web Device Guard defect that could cause an error when plugging in different USB devices has been eliminated. To integrate the updated Dr.Web Device Guard into the anti-virus, corresponding adjustments have been made to the control service.
Also, Dr.Web Device Guard can now recover automatically from any disruption to its operation.
The update will be performed automatically; however, a system reboot will be required.
November 27, 2014
An issue that involved processing SpIDer Gate databases.
A defect in the operation of the anti-virus on machines running Mac OS X 10.7 (x86).
To update Dr.Web for Mac OS X to version 10.0.3, download the package from the website and install the application on top of the previously installed version or after its removal.
November 27, 2014
The new component—the HTTP monitor SpIDer Gate—significantly improves the security of machines protected with Dr.Web for Linux. The monitor scans inbound HTTP traffic and blocks the transfer of malicious code. Also, SpIDer Gate operates as an office control, blocking access to unwanted sites, which helps companies avoid exposure to Internet threats and contributes to higher employee productivity.
The SpIDer Guard file monitor boasts enhanced scanning of running processes for neutralising active threats such as Windows malware launched via Wine.
Now Dr.Web Anti-virus for Linux supports Red Hat Enterprise Linux 7, 6.5 and 5.10, as well as CentOS Linux 7, 6.5 and 5.10.
Furthermore, visual and audio event notifications are now available on a larger number of desktop environments, and support for Dr.Web Enterprise Security Suite 10.0 has been enhanced. Users can also now start several scanning sessions simultaneously.
Users of Dr.Web Anti-virus for Linux must use the updated distribution to install the program.
November 26, 2014
- Google Play;
- Google Play Music;
Eventually, the data submitted by the user is forwarded to a remote server.
The second attack scenario, on the contrary, does not rely upon user actions and is implemented solely in accordance with the instructions sent by the intruders via a remote host. In particular, a command and control (C&C) server can order
- Start or stop intercepting inbound and outbound SMS;
- Send a USSD query;
- Blacklist a specific number, so that all messages from that number are concealed from the user (by default, the list includes customer service numbers of certain carriers, a Russian online banking provider, and an e-commerce business);
- Clear the black list;
- Forward information about the applications installed on the device to the remote server;
- Send an SMS;
- Relay the malware’s ID to the server;
- Display a dialogue box or a message in accordance with parameters transmitted by the C&C server (e.g., a server instruction can specify the message text to be displayed on the screen, the number of input fields, etc.).
It is noteworthy that the address of the principal
Moreover, the malware’s ability to display on a mobile device any message or dialogue box of any form and content opens up almost unlimited opportunities for mounting the most diverse attacks. For example, criminals can steal the user's social networking credentials, change the password and instruct the malware to show messages like "Your account is locked; to have it unlocked, transfer funds to number 1234". The makers of
To avoid infection, Doctor Web recommends that users refrain from installing applications from dubious sources and disable the feature that lets them bypass Google Play to download software. In addition, when installing applications, pay attention to the list of features those applications will be accessing. If you have any doubts about a particular program, it is best not to install it.
An entry for detecting
November 24, 2014
A compatibility problem between the self-protection module and Secret Disk has been eliminated.
The cause of SpIDer Guard terminating abnormally when interacting with Microsoft Office Starter 2010 has been eliminated.
A scanning engine defect that could result in error 2147614719 when scanning is initiated has been eliminated.
A defect related to the compatibility between Dr.Web for Microsoft Outlook and 64-bit versions of MS Outlook software has been corrected.
A configuration script defect involving possible errors occurring when connecting removable hard drives to the computer has also been corrected. A problem with making Dr.Web services operational while restoring the integrity of the anti-virus has been resolved.
SpIDer Agent for Windows. A SpIDer Agent for Windows issue involving the lock icon disappearing in the “Password” tab has been eliminated. Device categories can no longer be whitelisted if the option to block access to devices has been enabled. The quarantine settings have been amended so that the table of logical drives now displays correctly. An issue related to accessing help information from modal windows has been resolved. Also, an individual icon is now displayed for a remote agent when the “Anti-virus network” feature is being used.
In addition, users can now change the firewall packet filter settings via the mini-agent and go to the “Support” page by clicking on the context menu title.
The update also fixes defects in the German and Polish language modules.
The update will be performed automatically; however, a system reboot will be required.
November 20, 2014
After its launch on an infected device, Linux.BackDoor.Fgt.1 sends a request to one of Google's servers to determine whether the device is connected to the Internet and, if the response is affirmative, determines the device's IP and MAC addresses. Then Linux.BackDoor.Fgt.1 attempts to communicate with the command and control (C&C) server whose address is hardcoded in the backdoor's body, by sending information about its version to the server. In response, Linux.BackDoor.Fgt.1 expects to receive a block of data containing the command that is to be executed on the infected device. If the C&C server sends the instruction PING, the backdoor sends back PONG and continues to operate on the infected device. If the command DUP is received, Linux.BackDoor.Fgt.1 shuts down.
The backdoor incorporates a special routine to scan 256 random IP addresses in one loop. The scan cycle is initiated by the attackers. While generating IP addresses, Linux.BackDoor.Fgt.1 checks whether they fall within the address ranges used for local networks; such addresses are ignored. If the connection fails, Linux.BackDoor.Fgt.1 sends information about the failure to the attackers' C&C server. If a connection is established, the malicious program tries to connect to a port on the remote host via Telnet and waits for a login prompt. After sending a login from its generated list to the remote host, Linux.BackDoor.Fgt.1 begins to analyse the remote machine’s responses. If any of them contains a password request, the backdoor tries to log in by providing passwords found on its list. If successful, Linux.BackDoor.Fgt.1 forwards to the C&C server the IP address, login and password it used for remote host authorisation, and the target node is instructed to download a special script. The script is used to download and launch Linux.BackDoor.Fgt.1 on the compromised machine. It is noteworthy that the C&C server stores a large number of Linux.BackDoor.Fgt.1 executable files compiled for different Linux versions and distributions, including MIPS and SPARC server ports. Thus, the backdoor can infect not only Internet-connected servers and PCs running Linux, but also other devices, such as routers.
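Seen from the network edge, the scan cycle described above shows up as one internal host opening Telnet connections to many distinct non-LAN addresses in a short time. The following detection logic is an added example, not Doctor Web's code; the flow-record format (`epoch src dst dport`) and the sample records are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges. The backdoor skips these when picking targets, so the
# addresses it probes from inside a network are all external ones.
LAN_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16")]

def is_lan(addr: str) -> bool:
    return any(ip_address(addr) in net for net in LAN_RANGES)

def parse_flow(line: str):
    """Parse a constructed 'epoch src dst dport' flow record."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)

def detect_telnet_fanout(lines, window=60, threshold=20):
    """Return {src: peak distinct external TCP/23 targets} for every source
    that reached `threshold` distinct targets within `window` seconds."""
    events = defaultdict(list)  # src -> [(ts, dst)] for external Telnet
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport == 23 and not is_lan(dst):
            events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= `window` s
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            if distinct >= threshold:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits

# Constructed sample: 192.168.1.50 sweeps 30 external addresses on TCP/23
# within 30 seconds; 192.168.1.51 shows ordinary, low-volume activity.
SAMPLE_FLOWS = [f"{1000 + i} 192.168.1.50 203.0.113.{i} 23" for i in range(30)]
SAMPLE_FLOWS += ["1005 192.168.1.51 198.51.100.7 443",
                 "1010 192.168.1.51 10.0.0.5 23",
                 "1020 192.168.1.51 198.51.100.8 23"]

if __name__ == "__main__":
    print(detect_telnet_fanout(SAMPLE_FLOWS))  # {'192.168.1.50': 30}
```

The threshold is deliberately below the 256 addresses per cycle so that a partially captured cycle still triggers; tune `window` and `threshold` to the normal Telnet usage of the monitored segment.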
Linux.BackDoor.Fgt.1 can execute a number of intruder-issued commands, including the following:
- Determine the infected device's IP address;
- Start/stop IP scanning;
- Mount a DNS amplification attack on a specified host;
- Mount a UDP Flood attack on a specified host;
- Mount a SYN Flood attack on a specified node;
- Cease DDoS attacks;
- Shut down the backdoor.
A definition for Linux.BackDoor.Fgt.1 that enables the anti-virus to detect and remove the program has been added to the Dr.Web virus database, so machines running Doctor Web anti-viruses for Linux are well protected from any danger.
November 20, 2014
Doctor Web never stops upgrading its products and working to make them even more accessible. If you can't find your license certificate containing the serial number for your Dr.Web anti-virus or have accidentally deleted the message from the eStore confirming your Dr.Web purchase, take advantage of the new service, and we will quickly return your lost information. You won't need to contact our support service!
Please note that only registered serial numbers can be restored. If a license hasn't yet been activated, you will need to contact the Doctor Web reseller through which you purchased the anti-virus in order to reacquire your license data.
Doctor Web wishes you to gain and never lose with Dr.Web!
November 19, 2014
In particular, it corrects the scanning engine defect that might cause error 2147614719 when one started scanning.
Dr.Web Security Space, Dr.Web Anti-virus, and Dr.Web Enterprise Security Suite will be updated automatically. However, a system restart will be required.
Dr.Web for MS Exchange will be updated automatically.