February 1, 2012

The first month of this leap year did not offer any major surprises in terms of information security. However, Doctor Web's anti-virus laboratory received samples of several new banking Trojan horses that turned out to be rather unusual. In addition, a new technique for distributing malicious links was discovered.

Virus threats in January

The file infector Win32.Expiro.23 (19.23% of all detections) was the leader among malicious programs found on users' computers by Dr.Web CureIt! in January When launched, it attempts to elevate its privileges in the system, searches for running services and infects the corresponding executables.

Win32.Rmnet.8 (8.86% of infections) was not far behind. This virus gets onto computers from infected flash drives or when an infected executable file is run, and it can replicate itself. The program infects .exe, .dll, .scr, .html, .htm and, in some cases, .doc and .xls files, and can create autorun.inf files on removable storage devices. Immediately after its launch, Win32.Rmnet modifies the master boot record, registers Microsoft Windows Service (it can work as a rootkit in the system), attempts to remove RapportMgmtService and adds several malicious modules into the system that appear in the Windows Task Manager as four entries named iexplore.exe. Win32.Rmnet steals passwords from popular ftp-clients, such as Ghisler, WS FTP, CuteFTP, FlashFXP, FileZilla, Bullet Proof FTP. This information can later be exploited to carry out network attacks or to place various malicious objects on remote servers. Trojan.WMALoader and Trojan.Inor are also often found on infected computers of Russian users.

Financial affairs

A Trojan.PWS.Ibank sample fell into Doctor Web virus analysts' hands in early January. It is equipped to keep up with the latest online banking trends. This malicious program allows attackers to get user authentication data, keys and information about the configuration of many different banking applications. The distinguishing feature of this Trojan horse modification is its VNC-server functions. The server code provides support for the protocol used to communicate with a Zeus dedicated-server (Trojan.PWS.Panda) which, in fact, is used to control the malware remotely. This Trojan horse contains another important feature: a module that is designed to monitor and intercept information processed by specialized software used in one of Russia’s state-owned financial institutions.. Its architecture is rather complex. It can send intercepted information to criminals as well as execute various commands from a remote server in the infected system— including commands that may render the system non-operational. A detailed technical description of this program was promptly handed to law enforcement agencies by Doctor Web.

Around the same time, another malware was discovered—hackers intended to use this one for a phishing attack on Russian bank customers. Once the program has gotten into a system, Trojan.Hosts.5590 creates a new explorer.exe process containing its code and then places its file as Eldesoft.exe into the autorun folder.

If the user accesses the bank's site via Microsoft Internet Explorer, the Trojan horse utilizes crypt32.dll to install a fake certificate. When a certificate is added to the store, the operating system usually shows a warning. The Trojan horse intercepts and closes the warning window.

If the bank site is accessed with a different browser, the standard library nss3.dll is used to install the certificate. Trojan.Hosts.5590 connects to a remote server and retrieves a configuration file that contains the IP address of the phishing server and domain names to be replaced. Later, whenever the user attempts to connect to the banking system via HTTPS, they will be displayed a fake web-page, and the account information they submit will be sent to criminals. Prompt and competent measures taken by the bank’s security service and efforts made by Doctor Web's specialists have ensured that the Trojan horse no longer poses a serious threat to users.

Windows lockers in decline

January 2012 saw a 25% decline in the number of support requests from users whose systems were affected by Windows blockers.

This welcome trend emerged due not only to the decrease in extortion malware but also to the recently launched https://www.drweb.com/xperf/unlockerportal that enables users to search for codes to unlock computers infected by Trojan.Winlock. Currently 13-15 thousand users visit the portal daily.

However, there are examples of extortionist programs that have no unlock code at all. These include, in particular, Trojan.Winlock.5490 which targets French users. Trojan.Winlock.5490, written in C, will only run in a system with French set as the default language. The Trojan horse incorporates anti-debugging features: when loaded, it checks whether its process has been launched in a VirtualBox, QEmu or VMWare environment. If so, the Trojan horse process is ended.

Once Trojan.Winlock.5490 is in the system, it starts an svchost.exe process with its injected code, orders Windows to hide the Task bar and stops all explorer.exe and taskmgr.exe process threads. Then the Trojan horse adds its registry entry to be launched automatically and displays a window containing a demand to pay 100 euros with a Paysafecard or Ukash card. The message language is French. Then the card number entered by the victim is sent to the remote command server and the user is informed that the payment will be processed in 24 hours.

Search results bring up malicious links

Techniques employed by criminals to spread links to malicious files and fraudulent sites are perfected on a monthly basis. These include all sorts of text disguise tricks and social engineering methods. In January, network con artists turned their attention to search engine result pages.

While searching the web, people often send several search requests in different tabs or browser windows. It is these pages that criminals fake, hoping that in the confusion a user won't notice an extra search result page. People also tend to trust search results more than ordinary link lists. In some cases, fraudsters even set up fake search engines, as did the founders of the search service LiveTool, whose interface is almost identical to the Yandex design, and the About Us link leads to a fraudulent site that mimics a VK page.

A fake search engine page may open automatically when clicking on a link found on a genuine search results page. In addition, a malicious SERP typically contains links relevant to the search initiated by the user and at first glance does not cause any suspicion. In turn, following links from this page may lead to a fraudulent site or resource, spreading malicious software. Currently, such links point to sites faking social networking resources or sites offering questionable services on a subscription basis as well as sites spreading Trojan.SmsSend malware.

In the recent past, criminals created a large number of fake social networking sites, but fake SERP or search engines are surely a new phenomenon.

Top 20 malware detected in January in mail traffic

Total scanned: 1,149,052,932
Infected: 3,399,130 (0.30%)

Top 20 malware detected in January on user PCs

Total scanned: 114,007,715,914
Infected: 79,017,655 (0.07%)