News of Doctor Web

16.05 Single-user Dr.Web 7.0 Products for Windows Updated

May 16, 2012

Doctor Web has released an update for the Scanning Engine service implemented in single-user products Dr.Web Anti-virus and Dr.Web Security Space 7.0.

This update resolves a Scanning Engine error which may occur in Windows versions for East Asian countries.

The update will be downloaded automatically by the anti-virus products, but applying it requires a system reboot.

16.05 Centrally managed Dr.Web software boasts higher speed and unique detection technologies

May 16, 2012

Doctor Web has updated the Dr.Web Virus Finding Engine to version 7.0 for Dr.Web Enterprise Security Suite, supporting centralized management. The update will be downloaded and installed automatically by solutions with server versions 6.0.3 and 6.0.2. Dr.Web Virus Finding Engine won't be updated if the server version is earlier than 6.0.2.

Increased scanning speed

A significant boost in scanning speed is one of the key new engine advantages that will be appreciated by users. Dr.Web Virus Finding Engine showed a several-fold increase in speed compared with the previous engine when tested on a 3 terabyte test file collection in Doctor Web's anti-virus lab. A four-fold speed boost was demonstrated on test systems similar to present-day desktop computers. The new virus database format and improved object scanning algorithm allowed the engine to achieve such an impressive result.

Performance

Another key advantage of the new engine is its dynamic memory allocation that takes into account the overall system performance and current load. The memory is allocated in real time, so scanning and unpacking large files does not slow down other applications. The new engine has also been optimized for multi-core systems.

ScriptHeuristic and other detection technologies

With the new ScriptHeuristic technology, Dr.Web Virus Finding Engine can quickly identify malicious objects in HTML and PDF documents, the most common sources of virus threats. Routines for extracting and analysing hidden IFRAMEs have also been introduced. The signature-based scan takes JavaScript syntax into account.

The structure entropy technology implemented in the new anti-virus engine is truly unique and serves as an alternative to the signature-based search. It significantly improves malware detection.

The optimization of the universal extraction technology FLY-CODE, already used in other Dr.Web products, reduces scanning time by nearly one-third. New heuristic analysis algorithms ensure a nearly 100% probability of detecting well-disguised Trojan horses. An enhancement to Origins Tracing™ allows it to be used to scan DEX files (Android).

The update will be downloaded and installed automatically.

15.05 New worm infects RAR archives

May 15, 2012

The Russian IT security company Doctor Web is informing users about the worm Win32.HLLW.Autoruner.64548, which can infect RAR archives. It can download executable files from a remote server to perform malicious tasks on the compromised system.

Win32.HLLW.Autoruner.64548 spreads as many other worms do: it copies itself to a disk and places an autorun.inf file in the root directory so that the worm is launched as soon as the device is connected to a computer. When launched on the infected computer, Win32.HLLW.Autoruner.64548 searches the disks for RAR archives and places itself into them under one of the following names: secret.exe, AVIRA_License.exe, Warcraft_money.exe, CS16.exe, Update.exe, private.exe, Autoruns.exe, Tutorial.exe, Autorun.exe, Readme.exe, Real.exe, readme.exe, Keygen.exe, or Avast_keygen.exe. In some cases, such a modification damages the archive.

In addition, the worm has a payload module. Its body also contains an executable file that Win32.HLLW.Autoruner.64548 saves into the Windows folder as mssys.dll. The malicious program registers the library file in the registry. The worm injects the payload code into a copy of its own process. Then the malware connects to a remote server and waits for malicious commands to download and run executable files.

Win32.HLLW.Autoruner.64548 represents a rare category of malicious programs that can infect RAR archives. When unpacking RAR archives, pay attention if suspicious executable files appear in the archive: their accidental launch may harm your computer. The worm's signature has been added to the Dr.Web virus databases.

14.05 Dr.Web CureIt! 7.0 beta testing launched

May 14, 2012

Doctor Web has released a public beta version of its utility Dr.Web CureIt! 7.0. Dr.Web CureIt! is a popular malware removal and system curing tool that combines the advantages of the comparable commercial products offered by other vendors. The enhanced mode, designed to counter Windows locker programs, and compatibility with other anti-viruses are the key features of this application. The utility incorporates the latest IT security technologies, which enable it to neutralize even the most dangerous threats.

Dr.Web CureIt! 7.0 is not just another update of the popular product but a brand-new generation of a renowned anti-virus security tool. The seventh version features multi-thread scanning and takes full advantage of multi-core systems. The utility is optimized for use with the latest operating systems, which not only allows the scan speed to be increased, but also makes the user experience more comfortable. The stability has also improved significantly. Now it is virtually impossible for the utility to cause a system failure and bring up a BSOD (Blue Screen of Death).


The seventh version of the curing utility also features a revamped user interface. The program also incorporates an anti-rootkit component that has already been used in versions 7.0 of Dr.Web Anti-virus and Dr.Web Security Space. It offers new custom scan options to users: now one can individually perform a memory test, scan boot sectors and start-up objects, etc. The seventh version can block a network connection while scanning and shut down the system upon completion.


The application is also able to scan PCs for BIOS kits. Doctor Web recommends that users scan their computers with the seventh version of the curing utility to make sure no new types of malware hide in their system. If you wish to participate in the beta testing, you can download Dr.Web CureIt! 7.0 beta from the site.

14.05 Dr.Web Virus Finding Engine Updated

May 14, 2012

Doctor Web has updated Dr.Web Virus Finding Engine to version 7.0.2 in the following products: Dr.Web Anti-virus and Dr.Web Security Space 6.0 and 7.0, Dr.Web Desktop Security Suite, Dr.Web Server Security Suite (except Dr.Web for Novell Netware file servers), Dr.Web Mail Security Suite, Dr.Web Gateway Security Suite without the Control Center, the Dr.Web AV-Desk Internet service, Dr.Web CureIt! and Dr.Web CureNet!, as well as the Dr.Web LiveCD/LiveUSB system recovery tools.

The updated engine now includes a heuristic analysis routine for disk boot sectors. Memory leaks, as well as problems that occurred when scanning apk (dex) and bzip2 files, have been fixed.

The update will be downloaded and installed automatically.

14.05 Dr.Web for Qbik WinGate updated

May 14, 2012

Doctor Web has released Dr.Web for Qbik WinGate 6.00.1. The updated build incorporates the Dr.Web Virus Finding Engine and virus database version 7.0, the latest version of the Scanning Engine service and other improvements.

Dr.Web Virus Finding Engine 7.0 features new malware detection technologies, such as file structure entropy analysis and ScriptHeuristic which enables the anti-virus to detect and neutralize threats embedded in HTML and PDF documents. Other key advantages of the new engine are a manifold increase in scanning speed and dynamic memory allocation that takes into account system performance and current load. The signature-based scan takes into account JavaScript syntax.

In addition, the anti-spam component now adds a Dr.Web-SpamREason header field containing the e-mail's spam score to unsolicited messages. A minor issue that caused errors when checking traffic has been resolved. An issue where the wrong path to the updated virus databases was written into the Dr.Web ini file has also been resolved.

To install Dr.Web 6.00.1 for Qbik WinGate, you need to remove the current version manually and use the updated distribution to install the latest version.

14.05 Win32.Rmnet.16 attacks UK and Australia

May 14, 2012

In April 2012 the Russian IT security company Doctor Web reported that a botnet built by hackers using the Win32.Rmnet.12 virus exceeded one million infected hosts. Doctor Web's virus analysts have recently noted the spread of a new modification of the virus, dubbed Win32.Rmnet.16. Its main difference from the previous version is a digital signature used to sign the control server IP address. The virus makers also updated the virus's functional modules. The vast majority of infection incidents involving Win32.Rmnet.16 occurred in the UK and Australia.

Win32.Rmnet.16 is written in C and Assembly and consists of several functional modules. The injector that deploys the virus in the system works in exactly the same way as that of Win32.Rmnet.12: it injects its code into browser processes, saves its driver into a temporary folder and runs it as a Microsoft Windows service, then copies the virus body into a temporary directory and the startup folder. The body file has a random name and the .exe extension.

The backdoor payload is also similar to that of Win32.Rmnet.12. This component can execute commands received from a remote server, in particular, download and run arbitrary files, update itself, take screenshots and send them to the criminals, and even render the operating system non-operational. However, there are important differences: Win32.Rmnet.16 uses a digital signature to sign control server IP addresses, which are no longer embedded in the malicious application's resources but generated by a special routine. In addition, the module can terminate the processes of most popular anti-virus programs, which makes the malware even more dangerous. Malicious components and configuration files downloaded by the backdoor are stored in an encrypted file with the .log extension, whose file name is generated from information about the compromised system. This file is located in the %APPDATA% folder. The module implemented in the modules.dll file loads data from the .log file and performs all manipulations with the loaded code in memory, so the components' code is never decrypted onto the hard drive.

Like its predecessor, Win32.Rmnet.16 can modify the MBR and encrypt and save its files at the end of the disk. After a reboot, control is transferred to the malicious code in the infected boot record, which reads and decrypts the modules into memory and then runs them. This component of the malicious program is dubbed MBR.Rmnet.1. It should be noted that Dr.Web anti-virus software can restore a boot record modified by Win32.Rmnet.

Modules downloaded by Win32.Rmnet.16 from remote command centers also include Ftp Grabber v2.0, designed to steal passwords stored by popular FTP-clients, its own FTP-server and a spy module.

The infection module incorporated into the new version is polymorphic. It is downloaded from a remote site maintained by the intruders. The virus infects all exe and dll files found on the disks, including system ones, but, unlike Win32.Rmnet.12, cannot copy itself to removable flash drives.

Doctor Web virus analysts closely monitor the operation of one of the Win32.Rmnet.16 botnets. As of May 11, 2012, this botnet included 55,310 infected hosts, and 55.9% of the compromised machines are located in the UK. Australia comes second with 40%; the United States and France share third place (1.3%); less than 1% of infected computers are located in Austria, Iran, India and Germany. London accounts for the greatest number of Win32.Rmnet.16 infection incidents (5,747 infected PCs, or 10.4%), Sydney ranks second (3,120 computers, or 5.6%), followed by Melbourne (2,670 cases of infection, or 4.8%), Brisbane (2,323 PCs, or 4.2%), Perth (1,481 PCs, or 2.7%) and Adelaide (1,176 PCs, or 2.1%). Around 1.5% of infected hosts are found in Birmingham and Manchester in Britain. The figure below shows the distribution of hosts infected by Win32.Rmnet.16 across the world.

The spread of the botnet Win32.Rmnet.16 by country

In Russia the cases of infection by Win32.Rmnet.16 still are rare, but over time this may change. Doctor Web continues to closely monitor activity of the botnet.

05.05 A New Facebook Scam to Threaten Users

May 5, 2012

Doctor Web, a Russian IT security vendor, warns about a new scam scheme that has emerged on Facebook, the world's most popular social network. Attackers have adopted a scheme well known to Russian users of the Vkontakte and Odnoklassniki social networks and created a special Facebook application called Profile Visitor, which requests access to a user's wall and promises to show the list of those who visited his page. In fact, the application instead posts a picture containing a link to a fraudulent website. The victim's Facebook friends are then notified that they have supposedly been tagged in this picture, which extends the spread of the malicious link.

When visiting his Facebook page, a user may find in the news feed a link to Profile Visitor, which is allegedly capable of recording and showing visitors to his profile on a special web page. As a rule, the link is published on behalf of one of the user's friends and leads to an embedded Facebook application page. To activate the application, the user must allow it to publish content on behalf of his account. As soon as an unsuspecting victim clicks Allow, a link to the application posted on his behalf appears on the wall of his profile and in the news feeds of all of his friends. However, even if the user does not allow Profile Visitor to publish anything on his behalf, everyone in his friends list is automatically tagged in a "picture" that is actually a Profile Visitor banner link, and a notification of the event is sent out to his Facebook contact list.


After that, the victim's browser automatically opens a malicious web page that contains a dynamically changing array of links. Clicking on any of them redirects the user to a variety of fraudulent websites whose content depends on the visitor's IP address. For example, some of them require credit card details to grant access to the information, while others ask the user to enter his phone number into a special form and then type a code received in a reply SMS into the corresponding field. This method is mostly used against Russian-speaking visitors: this is how scammers subscribe a victim to a kind of paid "information service", for which a certain amount is debited from the victim's account every month.


Clicking on the fraudulent links can lead to resources offering fake prize draws, online casinos, psychological tests, individual diet selection services, etc. All of these sites are automatically blocked by the Dr.Web SpIDer Gate filter embedded in Dr.Web products.


Previously, such scams were repeatedly used against Russian users of the Vkontakte and Odnoklassniki social networks, but now the network crooks have apparently decided to turn their attention to residents of other countries. Doctor Web strongly recommends that Facebook users do not install Profile Visitor, do not click on links to this application published in their news feeds, and always remain cautious and circumspect.

02.05 April 2012 Virus Survey: the first ever large-scale botnet for the Mac OS X, the millionth botnet for Windows and the invasion of Trojan coders in Europe

May 2, 2012

Users will remember April 2012 as the most intense month in terms of information security events. Early in the month, Doctor Web experts discovered the first ever large-scale botnet consisting of computers running Mac OS X. A little later, Doctor Web announced that it had taken control of the Win32.Rmnet.12 botnet, which incorporated more than one million infected computers. In the second half of April, an invasion of Trojan encoders began that first affected Western Europe and later users around the world. These and other significant April events are reviewed in this survey.

Macs under attack globally

The first botnet in history built by hackers using the BackDoor.Flashback.39 malware literally struck more than 800,000 computers running Mac OS X, and figuratively struck numerous information web portals and a large number of mass media outlets. The news quickly spread all over the world, becoming a sensation.

Back in late March, the Doctor Web virus laboratory received the first reports that attackers were actively using known Java vulnerabilities to spread malware for Mac OS X. Since this information arrived with some regularity and from various sources, it was suggested that the BackDoor.Flashback.39 Trojan, which exploits Java vulnerabilities, could form a botnet on Apple-compatible computers. Like many similar programs, this malware has a built-in algorithm for generating the domain names the Trojan then uses as control servers. Such an approach, firstly, significantly increases the network's "survivability" and, secondly, lets the operators redistribute the load between command centers in a timely manner if the traffic generated by the bots exceeds some critical value. On the other hand, it gives information security professionals an opportunity to "reveal" the method the Trojan uses to choose control centers, and to create a "fake" command server to gather the necessary statistics or even seize control over the network. This approach is called a "sinkhole" and is widely used in anti-virus practice. To test the hypothesis that a botnet running on the Mac OS X platform existed, on April 3, 2012, Doctor Web experts registered a number of BackDoor.Flashback.39 control server domains. Nobody at that time expected to detect the biggest ever botnet for Mac OS X, given the high reliability and architectural features of this operating system that ensure relative safety for users. However, reality surpassed all expectations: during the very first hours, the Doctor Web-controlled servers recorded activity from more than 130,000 bots; by the morning their number had reached 550,000, and the control centers simply ceased to cope with the load. On April 4, 2012, Doctor Web published a press release announcing the discovery of the BackDoor.Flashback.39 botnet. This was a real bombshell announcement, quoted by many authoritative world news agencies and other media within just 24 hours.

Two simple conditions must be met for a system to get infected with BackDoor.Flashback.39: a Java Virtual Machine must be installed in the system, and the user must load a compromised web page in the browser. These are either specially crafted malicious web pages or compromised resources to which the virus writers have access. Malicious code on such a web page loads a Java applet. The applet exploits a Java vulnerability and saves to the Apple computer's hard drive an executable and a .plist file responsible for launching it. After that, the applet passes the saved configuration file to the launchd service, which runs the Trojan without user intervention. In fact, users notice nothing at all: they are viewing web pages in their browsers while their Macs are already infected with malware.

Initially, Doctor Web had information only about the part of the botnet that used the modified BackDoor.Flashback Trojan, but on April 16 additional domains, whose names are generated from the date, were registered. Since those domains are used by all BackDoor.Flashback.39 subversions, registering the additional control server domains made it possible to estimate the size of the malicious network more accurately. Most infected computers reside in the United States (56.6% of infected hosts), Canada comes second (19.8%), the United Kingdom is third (12.8%), and Australia with 6.1% is fourth.

On April 4, 2012, Apple released a Java update that fixed the vulnerability used by the BackDoor.Flashback Trojan. However, if a computer was already infected, the update does not protect the user from the malware. Shortly afterwards, the number of infected Macs exceeded 800,000. In spite of this, just a few days later, numerous computer security experts reported a significant reduction in the number of BackDoor.Flashback.39 hosts. The joy turned out to be premature: Doctor Web conducted an investigation and found that there had been an unfortunate error in the experts' calculations.

BackDoor.Flashback.39 uses a sophisticated routine to generate control server names: most of the domain names are generated from parameters embedded in the malware's resources, while others are created from the current date. The Trojan sends consecutive queries to the generated addresses according to its pre-defined priorities. The main domains for BackDoor.Flashback.39 command servers were registered by Doctor Web at the beginning of April, and bots send their first requests to these names. However, after communicating with the servers controlled by Doctor Web, the Trojans send requests to the server at 74.207.249.7, controlled by an unidentified third party. This server communicates with the bots but does not close the TCP connection. As a result, the bots switch to standby mode waiting for the server's reply and, consequently, do not communicate with other command centers, many of which had been specially registered by information security experts. That is why different anti-virus companies delivered contradictory statistics: on the one hand, Symantec and Kaspersky Lab claimed a significant reduction in the number of bots, while on the other hand, data provided by Doctor Web consistently pointed to a significantly larger number of infected computers with only a slight downward trend. The real BackDoor.Flashback.39 growth is presented on the chart below:

As of April 28, 2012, the BackDoor.Flashback.39 network had a total of 824,739 bots registered, 334,592 of which were active.

The file that the BackDoor.Flashback.39 Trojan downloads onto infected computers is of particular interest. This malicious application can run with administrator privileges or as an ordinary user (when the payload is applied, the Trojan displays a dialog box on the Mac's screen asking for the administrator password) and uses two types of control servers. Servers of the first group intercept web search traffic and redirect the user to malicious sites controlled by the criminals. The second group issues commands to the bots to perform backdoor tasks in the compromised system. Doctor Web analysts managed to take over control server domain names known to the BackDoor.Flashback payload and analyse the requests sent by bots to the servers.

The first group of control domains is generated from the list found in the configuration data; in addition, another list of domain names is generated whose names are determined by the current date. The second-level domain name is the same, while the top-level domain can be .org, .com, .co.uk, .cn or .in. The Trojan sends consecutive requests to the control servers according to the generated list. An /owncheck/ or /scheck/ GET request sent to a server contains the infected Mac's UUID in the User-Agent field. If the reply contains the SHA1 hash of the domain name, that domain is considered trusted and from that moment on is used as the command server name. Doctor Web has been taking over the first domains in this category since April 12, 2012.

Once the malicious program has determined a domain of the first category, it begins to search for a domain of the second type. The bot uses the list found in its configuration data to send an /auupdate/ GET request to a number of control servers. The User-Agent field in these requests contains detailed information about the infected system. If the control server does not return a correct reply, the Trojan uses the current date to generate a string that serves as a hashtag in a search at the address http://mobile.twitter.com/searches?q=#<string>. If the Trojan finds a Twitter message containing the bumpbegin and endbump tags enclosing a control server address, that address is used as the domain name. Doctor Web began to take over domains of this category on April 13, but on the following day, Saturday, April 14, the Twitter account registered by Doctor Web analysts for this purpose was blocked.

As of April 13, 2012, 30,549 requests containing a UUID were sent within 24 hours to control servers of the first domain name category, and 28,284 requests containing a UUID were transmitted to control servers of the second category in the same period. In total, 95,563 requests containing a UUID were sent to servers meant to control the BackDoor.Flashback payload from April 12 to 26, 2012. Below are graphs showing statistics gathered by Doctor Web experts. The data are based on the analysis of daily hits by the BackDoor.Flashback botnet payload to the control server on April 13, 2012.
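The check-in traffic described above (the /owncheck/ and /scheck/ requests carrying the Mac's UUID in the User-Agent field, the /auupdate/ request, and the SHA1-of-domain reply that marks a trusted control server) can be flagged from HTTP proxy logs. The following is an added example, not Doctor Web's code; it assumes a constructed one-request-per-line log format, hostnames in the reserved .invalid TLD, and that the SHA1 in a reply appears as a hex digest.

```python
"""Flag BackDoor.Flashback.39 payload check-ins in HTTP proxy logs.

Added example, not Doctor Web code. The log format is a constructed one:
  <timestamp> <client-ip> <method> <host> <path> "<user-agent>"
"""
import hashlib
import re
from collections import defaultdict

# Request paths the bot uses for its two control-server categories.
CHECKIN_PATHS = {
    "/owncheck/": "category 1 (search-traffic hijack)",
    "/scheck/": "category 1 (search-traffic hijack)",
    "/auupdate/": "category 2 (backdoor commands)",
}

# The bot places the infected Mac's UUID in the User-Agent field.
UUID_RE = re.compile(r"\b[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\b")

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
    r'(?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return an alert dict for a Flashback-style check-in, else None.

    A check-in path together with a UUID in the User-Agent is rated
    'high'; the path on its own is rated 'low', because a path such as
    /scheck/ can also occur on benign sites.
    """
    if entry is None or entry["method"] != "GET":
        return None
    category = CHECKIN_PATHS.get(entry["path"])
    if category is None:
        return None
    uuid = UUID_RE.search(entry["ua"])
    return {
        "ts": entry["ts"],
        "client": entry["client"],
        "host": entry["host"],
        "path": entry["path"],
        "category": category,
        "uuid": uuid.group(0).upper() if uuid else None,
        "confidence": "high" if uuid else "low",
    }


def scan_log(lines):
    """Run classify() over every line and collect the alerts."""
    return [a for a in (classify(parse_line(line)) for line in lines) if a]


def hosts_by_client(alerts):
    """Map each internal client to the control hosts it checked in with."""
    out = defaultdict(set)
    for a in alerts:
        if a["confidence"] == "high":
            out[a["client"]].add(a["host"])
    return {k: sorted(v) for k, v in out.items()}


def domain_digest(domain):
    """Hex SHA1 of a domain name (the value the bot looks for in a reply)."""
    return hashlib.sha1(domain.lower().encode("ascii")).hexdigest()


def reply_marks_trusted_c2(domain, body):
    """True if a server reply carries the SHA1 of its own domain name.

    The bot treats a category-1 server as trusted when the reply contains
    the SHA1 hash of the domain; a hex digest in the body is assumed here,
    so a match identifies a live control server rather than a sinkhole.
    """
    return domain_digest(domain) in body.lower()


# Constructed sample lines; control hosts use the reserved .invalid TLD.
SAMPLE_LOG = [
    '2012-04-13T10:01:22Z 10.0.0.7 GET c2-a.invalid /owncheck/ '
    '"Mozilla/5.0 (Macintosh) 9d2f3a1c-4b5e-4f60-8a7b-1c2d3e4f5a6b"',
    '2012-04-13T10:01:23Z 10.0.0.7 GET c2-b.invalid /auupdate/ '
    '"Mozilla/5.0 (Macintosh; 10.7.3) 9D2F3A1C-4B5E-4F60-8A7B-1C2D3E4F5A6B"',
    '2012-04-13T10:02:05Z 10.0.0.9 GET www.example.com /index.html '
    '"Mozilla/5.0 (Macintosh) Safari/534.57.2"',
    '2012-04-13T10:03:11Z 10.0.0.9 GET shop.example.com /scheck/ '
    '"Mozilla/5.0 (Macintosh) Safari/534.57.2"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(hosts_by_client(found))
```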


Shortly after BackDoor.Flashback was detected, Doctor Web created a special information website dedicated to this threat. On this online resource, owners of Apple-compatible computers can scan their Macs for infection. The same resource offers additional materials and a video presentation on the BackDoor.Flashback Trojan, as well as links to a free scanner for Mac OS X that scans the operating system and deletes the Trojan if it is detected. Doctor Web is keeping a close eye on any further developments.

Meet Rmnet — another botnet

According to statistics available to Doctor Web, one of the leading places among threats that infect Microsoft Windows workstations is now occupied by the Win32.Rmnet.12 file virus. The virus spreads in various ways, in particular by exploiting browser vulnerabilities that enable intruders to save and launch executables when a web page is loaded. The virus searches for all HTML files stored on the disks and embeds VBScript code into them. Besides, Win32.Rmnet.12 infects all executable files with the .exe extension found on the disks and is able to replicate itself to removable flash drives. It saves an autorun file and a shortcut to a malicious application into the root folder; this application, in its turn, launches the virus.

Win32.Rmnet.12 is a complex multicomponent virus consisting of several modules and capable of self-replication. One of the virus components is a backdoor. Once launched, it tries to determine the Internet connection speed by sending requests to google.com, bing.com and yahoo.com every 70 seconds and analysing responses. Then Win32.Rmnet.12 launches an FTP server on the infected machine, connects to a command center and transmits information about an infected computer. The backdoor can execute commands received from the remote server, in particular, to download and run arbitrary files, update itself, to take screenshots and send them to criminals, and even render the operating system non-operational.

Another virus component steals passwords stored by the most popular FTP clients, such as Ghisler, WS FTP, CuteFTP, FlashFXP, FileZilla, Bullet Proof FTP and others. This information can later be used to carry out network attacks or to place malicious objects on remote servers. Win32.Rmnet.12 also searches through the user's cookies, so that attackers can gain access to the user's accounts on websites that require authentication. In addition, the module can block access to individual sites and redirect the user to a site controlled by the virus writers. One of the Win32.Rmnet.12 modifications is also able to perform web injections to steal bank account information.

The botnet comprising hosts infected with Win32.Rmnet.12 was discovered by Doctor Web back in September 2011; soon afterwards, the control server names stored in the Win32.Rmnet.12 resources were decrypted. After a while, experts analysed the protocol used for communication between bots and control servers, which enabled them to determine the number of bots in the network and to control them. On February 14, 2012, Doctor Web's virus analysts successfully applied the sinkhole technique that was subsequently used to study the BackDoor.Flashback.39 botnet: they registered the domain names of several servers controlling one of the Win32.Rmnet.12 networks and gained full control over that botnet. In late February, another Win32.Rmnet.12 subnet was hijacked the same way. The quantitative dynamics of the botnet controlled by Doctor Web specialists are shown in the chart below.

The greatest number of infected PCs is located in Indonesia, with 320,014 infected machines, or 27.12%. Bangladesh rates second with 166,172 infected hosts, which constitute 14.08% of the botnet. Third place is taken by Vietnam (154,415 bots, or 13.08%), followed by India (83,254 bots, or 7.05%), Pakistan (46,802 bots, or 3.9%), Russia (43,153 infected machines, or 3.6%), Egypt (33,261 hosts, or 2.8%), Nigeria (27,877 bots, or 2.3%), Nepal (27,705 bots, or 2.3%) and Iran (23,742 bots, or 2.0%). A fairly large number of compromised hosts is found in Kazakhstan (19,773 cases of infection, or 1.67%) and the Republic of Belarus (14,196 bots, or 1.2%). 12,481 compromised hosts, or 1.05% of the total number of Win32.Rmnet.12 bots, are located in Ukraine. A relatively small number of infected computers reside in the U.S.: 4,327 machines, or 0.36%. The smallest numbers of compromised hosts are found in Canada (250 computers, or 0.02% of the network) and Australia (only 46 computers). One infected computer has been found in each of Albania, Denmark and Tajikistan. Win32.Rmnet.12 botnet geography is shown below.

Encryptors to conquer Europe

In April, Europeans also had to face troubles: around the middle of the month, the Doctor Web anti-virus lab began to receive reports from foreign users who had suffered from encoder Trojans, first of all the Trojan.Encoder.94 malware. Like other encoders of this family, Trojan.Encoder.94 searches the disks available in the infected system for user files, in particular Microsoft Office documents, music, photos, images and archives, and encrypts them. Once the user's files are encrypted, the Trojan displays a demand to pay 50 euros or pounds to the criminals via Ukash or Paysafecard.


The Trojan features the English interface, but infections have been registered in Germany, Italy, Spain, England, Poland, Austria, Norway, Bulgaria and other countries. Soon afterwards, alarm reports from residents of Brazil, Argentina and other countries in Latin America started to arrive. The Trojan spread through Europe, including such countries as Croatia, Switzerland, Netherlands, Slovenia and Belgium, France, Hungary and Romania. Doctor Web's engineers managed to decrypt data for virtually all users' requests which indicates the high efficiency of technologies employed for this purpose.

In late April, a spike in the distribution of e-mail messages bearing the subject "Ute Lautensack Vertrag Nr 46972057" with an attached zip archive named Abrechnung or Rechnung was recorded. The archives contain the Trojan.Matsnu.1 Trojan. Attempting to run it leads to the encryption of all files on the victim's computer disks. Doctor Web experts analysed Trojan.Matsnu.1 in the shortest possible time and developed a special utility that allows user data to be decoded. The utility can be downloaded free of charge from ftp://ftp.drweb.com/pub/drweb/tools/matsnu1decrypt.exe. Remember that if you have fallen victim to an encoder Trojan, you should follow these simple guidelines:

  • Never attempt to solve the problem by reinstalling the operating system.
  • Do not delete any files from the hard drives.
  • Do not try to restore the encrypted data on your own.
  • Contact Doctor Web's anti-virus laboratory and submit a ticket in the Request for curing section. This service is provided free of charge.
  • Attach a file encrypted by the Trojan to the ticket.
  • Wait for a response from a virus analyst. Due to the large number of requests it may take some time.

To minimize the damage from an infection by Trojan.Encoder.94 or Trojan.Matsnu.1, Doctor Web recommends that users regularly back up all the files they need for their work.

Other "April highlights" and virus threats

Compared to what has been described above, all the other information security threats identified and neutralized by Doctor Web experts in April 2012 do not look as sensational and are significantly less dangerous to users. For example, the Trojan.Spambot.11349 description has been added to the virus databases. This malware is designed to steal e-mail client accounts (in particular, from Microsoft Outlook and The Bat!) and to transfer data used by the Autocomplete forms feature in web browsers to attackers. The Trojan spreads over well-known Backdoor.Andromeda botnets.


Trojan.Spambot.11349 consists of two components: a Delphi-based loader and a DLL that contains the payload. The loader's functions are typical for this kind of malware: it bypasses the firewall and installs the malicious library into the system. Once the library is loaded into the infected computer's memory, it takes control of the PC.

Having taken control of the PC, the library checks for its own copy on the disk and writes a value of nine random digits, which serves as the bot's unique identifier, to the system registry. Then Trojan.Spambot.11349 saves to the disk a library for working with SSL and a zlib library, which the Trojan uses to compress its request lines. A characteristic feature of Trojan.Spambot.11349 is that the HOST field of the requests sent by the bot contains a foreign IP address. Using a separate dynamic link library for zlib and SSL is also uncommon in malware architectures.

One of the distinguishing features of Trojan.Spambot.11349 is that it sends a sequence of requests to random IP addresses selected by a special algorithm from a list of subnets stored in the Trojan's resources. After that, Trojan.Spambot.11349 establishes a connection to one of three control servers, whose addresses are stored encrypted in the library body, and waits to receive a configuration file from the server. If this succeeds, the Trojan creates a request line containing stolen credentials for the Microsoft Outlook and The Bat! e-mail clients, packs it with the zlib library and transfers it to a remote server belonging to the attackers. After infecting the system, Trojan.Spambot.11349 checks whether spam can be sent from the infected computer by sending an e-mail message that contains a random set of characters. If the check is successful, the Trojan retrieves data from a remote server for subsequent spamming. As of April 24, Trojan.Spambot.11349 bots were sending out e-mails advertising Viagra.

New threats to the Android mobile operating system also appeared in the past month. In early April, the Android.Gongfu malware family gained a new member. The updated Android.Gongfu modification was found simultaneously in multiple applications distributed via unofficial software resources. In particular, this Trojan was discovered in a modified Angry Birds Space distribution.


Unlike early Android.Gongfu implementations, the new versions do not use the Android vulnerability that would allow them to obtain root privileges in the system without user intervention. Instead, the infected application comes with a step-by-step manual describing how to run the OS with administrator privileges. The manual claims that this is necessary for the program to operate and update normally. When launched with administrator privileges, Android.Gongfu is able to inject its code into Android system processes, including those critical to the stable operation of the OS. The Trojan is able not only to convey information about the infected device to criminals and run commands from a remote server, but also to covertly download and install other applications.

In addition, virus writers specializing in mobile platforms began to use a new psychological ploy to spread malicious software, namely users' concerns about security. With the help of various advertising systems, attackers display a message urging the user to scan the mobile device for viruses immediately. By clicking on the advertisement, the user lands on a site that allegedly scans the mobile device. The site imitates one of the Dr.Web Security Space 7.0 icons and the program's appearance. However, in simulating the user interface the attackers made a mistake in the details: the fake "anti-virus" finds non-existent threats on the mobile device, such as Trojan.Carberp.60, which belongs to the category of banking Trojans for Windows and currently has no mobile version. If the user agrees to "neutralize" the threat, a Trojan of the Android.SmsSend family is downloaded to their device.


All these threats can be successfully detected and neutralized by the Dr.Web anti-virus software, but users are still advised to be careful and not to run programs obtained from unreliable sources.

Malicious files detected in mail traffic in April

01.04.2012 00:00 - 30.04.2012 23:00

 1  Trojan.Fraudster.261           1.30%
 2  SCRIPT.Virus                   1.11%
 3  Trojan.Fraudster.256           0.92%
 4  Trojan.Carberp.30              0.76%
 5  Trojan.Fraudster.252           0.70%
 6  Trojan.Mayachok.1              0.67%
 7  Win32.HLLW.Shadow              0.67%
 8  Win32.HLLW.Shadow.based        0.65%
 9  JS.IFrame.233                  0.61%
10  Tool.InstallToolbar.74         0.61%
11  Trojan.SMSSend.2726            0.59%
12  JS.Siggen.192                  0.59%
13  Trojan.Fraudster.292           0.54%
14  Adware.Predictad.1             0.53%
15  Win32.HLLW.Autoruner.59834     0.53%
16  Trojan.SMSSend.2669            0.49%
17  BackDoor.Ddoser.131            0.49%
18  Trojan.Carberp.29              0.48%
19  Adware.Downware.179            0.47%
20  Win32.HLLW.Autoruner.5555      0.47%

Malicious files detected on users' computers in April

01.04.2012 00:00 - 30.04.2012 23:00

 1  SCRIPT.Virus                   0.97%
 2  Trojan.Fraudster.261           0.97%
 3  Trojan.Fraudster.256           0.75%
 4  Trojan.SMSSend.2726            0.67%
 5  JS.Siggen.192                  0.65%
 6  Trojan.Fraudster.292           0.63%
 7  Trojan.Mayachok.1              0.61%
 8  Trojan.Carberp.30              0.59%
 9  Win32.HLLW.Shadow.based        0.55%
10  Trojan.SMSSend.2704            0.55%
11  Trojan.Fraudster.252           0.53%
12  Win32.HLLW.Shadow              0.53%
13  Tool.InstallToolbar.74         0.51%
14  Adware.Predictad.1             0.49%
15  Win32.HLLW.Autoruner.59834     0.49%
16  Tool.Unwanted.JS.SMSFraud.10   0.47%
17  Trojan.SMSSend.2669            0.47%
18  JS.IFrame.233                  0.47%
19  Adware.Downware.179            0.45%
20  BackDoor.Ddoser.131            0.45%

27.04 About anti-virus engine update in Dr.Web products with centralized management

April 27, 2012

Doctor Web is pleased to announce an updated anti-virus engine for Dr.Web Desktop Security Suite and Dr.Web Server Security Suite with the centralized management option, which will be released on May 15, 2012. Server versions 6.0.2 and 6.0.3 will be updated automatically. The Dr.Web Virus Finding Engine for versions prior to 6.0.2 will not be updated, so Doctor Web strongly recommends that all users install the mandatory server software update.

Dr.Web Virus Finding Engine 7.0 significantly increases scanning speed. It also features dynamic memory allocation that adapts to system performance and to the applications running on Windows. The heuristic analyzer incorporated in the new engine includes the ScriptHeuristic technology, which enables the search for and analysis of threats in HTML and PDF documents. This technology makes it possible to extract and process hidden IFRAME elements, while scanning against the virus databases now takes JavaScript syntax into account.

The Dr.Web Virus Finding Engine update will be released on May 15, 2012, and will be downloaded and installed automatically. Users of earlier versions of Dr.Web Enterprise Security Suite servers should upgrade to version 6.0.3. Users of Dr.Web Enterprise Agent for Novell NetWare, Dr.Web Anti-virus for Linux, Dr.Web for UNIX file servers, Dr.Web for UNIX mail servers, Dr.Web for UNIX Internet gateways, Dr.Web for Novell Storage Services, Dr.Web for Mac OS X Server file servers, and Dr.Web Anti-virus for Mac OS X should also upgrade to the latest versions of the corresponding software products if they work in a centralized management mode, so as to avoid potential incompatibility problems.

27.04 Dr.Web for Mac OS X and Dr.Web for Mac OS X Server updated

April 27, 2012

Doctor Web has updated Dr.Web for Mac OS X and Dr.Web for Mac OS X Server to version 6.0.3. The updated builds incorporate the Dr.Web Virus Finding Engine and virus databases 7.0. The 6.0.3 products support multi-thread scanning and boast improved stability and reliability, and other enhancements.

Dr.Web Virus Finding Engine 7.0 features new malware detection technologies, such as file structure entropy analysis and ScriptHeuristic which enables the anti-virus to detect and neutralize threats embedded in HTML and PDF documents. Another key advantage of the new engine is a manifold increase in scanning speed. The signature-based scan takes into account JavaScript syntax.

Version 6.0.3 applications support multi-thread scanning, which also greatly boosts scanning speed. The introduced curing routine for neutralizing active threats stops malicious processes and removes files required for their automatic launching. In addition, the anti-virus is able to neutralize malware, bypassing system file access restrictions. Deleting, moving, and restoring files in the Quarantine is faster now. E-mail files can now be excluded from the list of objects to be scanned. Fixes of known errors have contributed to the installer's greater stability. Dr.Web SpIDer Guard File Monitor uses fewer system resources. In addition, the program notifies the user about the availability of a new version. The optimization of the applications' architecture has improved their stability.

To update Dr.Web for Mac OS X and Dr.Web for Mac OS X Server to version 6.0.3, download the appropriate distribution from www.drweb.com and install the program over an existing installation or first remove the previous version.

27.04 Doctor Web analyzes objects downloaded by BackDoor.Flashback onto infected Macs

April 27, 2012

Doctor Web virus analysts continue to study the first-ever large-scale botnet created by means of BackDoor.Flashback and comprised of computers running Mac OS X. Files downloaded by the Trojan horse from servers controlled by criminals have become one of the main subjects for analysis.

BackDoor.Flashback.39 exploits a Java vulnerability to save an executable, and a configuration file responsible for its automatic launching by launchd, onto the hard drive of the compromised Mac. Then BackDoor.Flashback.39 connects to a control server, downloads an executable onto the infected machine and installs it in the system. At this point the Trojan brings up a dialogue window prompting the user to enter an administrator password. If the user enters the password, the malicious program runs with elevated privileges; but even if they do not, the Trojan is saved in the user's home directory and launched with the current user's permissions, which is enough for it to perform its malicious tasks.

The downloaded malignant application interacts with two types of control servers. Servers belonging to the first category intercept web search traffic and redirect the user to malicious sites controlled by criminals. The second group issues commands to bots to perform backdoor tasks in the compromised system. Doctor Web analysts managed to take over control server domain names known to BackDoor.Flashback payload malware and analysed requests sent by bots to servers.

Control server names of the first group are generated using the list found in the Trojan's configuration data; in addition, another domain name list is created in which the resulting names are determined by the current date. The second-level domain name is the same, while the top-level domain can be .org, .com, .co.uk, .cn or .in. The Trojan horse sends consecutive requests to control servers according to the generated list. An /owncheck/ or /scheck/ GET request sent to a server contains the infected Mac's UUID in the useragent field. If the reply contains the SHA1 hash value of the domain name, this domain becomes trusted and from that moment on is considered a command server name. The first domains in this category have been taken over by Doctor Web since April 12, 2012.

Once the malicious program has determined a domain of the first category, it begins to search for a domain of the second type. The bot uses the list found in its configuration data to send the /auupdate/ GET request to a number of control servers. The useragent field in these requests contains detailed information about the infected system. An example request is shown below:

20|i386|9.8.0|4DE360BE-E79E-5AD6-91CF-D943761B3785|6bbbbfb49b1659ebaaadffa20215bfc787577bd8|001|007|0

Where:

  1. bot version
  2. hw.machine
  3. kern.osrelease
  4. Hardware UUID
  5. payload file SHA1 value
  6. third-party browser availability bitmask
  7. constant
  8. value indicating bot privileges (0 = ordinary user, 1 = privileged user)
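The eight-field useragent layout described above can be parsed from proxy or web-server logs to spot /auupdate/ check-ins and record the infected host's UUID and payload hash. The following is an added example, not Doctor Web's code; the log line format and the client IP addresses are constructed, and the first useragent value is the one quoted above.

```python
"""Parse and validate BackDoor.Flashback /auupdate/ beacon strings (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hardware UUID as in the quoted request; SHA1 is 40 hex digits.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
SHA1_RE = re.compile(r"^[0-9a-f]{40}$", re.I)


@dataclass
class FlashbackBeacon:
    bot_version: str        # field 1
    hw_machine: str         # field 2 (sysctl hw.machine)
    kern_osrelease: str     # field 3 (sysctl kern.osrelease)
    hardware_uuid: str      # field 4
    payload_sha1: str       # field 5
    browser_bitmask: int    # field 6
    constant: str           # field 7
    privileged: bool        # field 8: "1" = privileged user


def parse_beacon(useragent: str) -> Optional[FlashbackBeacon]:
    """Return a FlashbackBeacon if the string matches the 8-field layout, else None."""
    fields = useragent.strip().split("|")
    if len(fields) != 8:
        return None
    version, machine, osrelease, uuid, sha1, bitmask, const, priv = fields
    if not (bitmask.isdigit() and const.isdigit()):
        return None
    if not UUID_RE.match(uuid) or not SHA1_RE.match(sha1):
        return None
    if priv not in ("0", "1"):
        return None
    return FlashbackBeacon(version, machine, osrelease, uuid, sha1,
                           int(bitmask), const, priv == "1")


# Constructed sample log lines (hypothetical format "<client> <method> <path> <useragent>").
# Line 1 carries the beacon quoted on the page; line 3 has malformed UUID/SHA1 fields.
SAMPLE_LOG = """\
10.0.0.12 GET /auupdate/ 20|i386|9.8.0|4DE360BE-E79E-5AD6-91CF-D943761B3785|6bbbbfb49b1659ebaaadffa20215bfc787577bd8|001|007|0
10.0.0.13 GET /index.html Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) Safari/534.57.2
10.0.0.14 GET /auupdate/ 20|x86_64|10.8.0|0123456789ABCDEF|deadbeef|001|007|1
"""


def find_beacons(log_text: str) -> List[Tuple[str, FlashbackBeacon]]:
    """Return (client_ip, beacon) for lines whose path is /auupdate/ and whose UA parses."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[2] != "/auupdate/":
            continue
        beacon = parse_beacon(parts[3])
        if beacon is not None:
            hits.append((parts[0], beacon))
    return hits


if __name__ == "__main__":
    for ip, b in find_beacons(SAMPLE_LOG):
        print(ip, b.hardware_uuid, b.payload_sha1, "privileged" if b.privileged else "user")
```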

If the control server does not return a correct reply, the Trojan uses the current date to generate a string that serves as a hashtag in a search using http://mobile.twitter.com/searches?q=<string>. For example, some Trojan versions generate the string "rgdgkpshxeoa" for the date 04.13.2012 (other bot versions can generate a different string). If the Trojan manages to find a Twitter message containing a control server address enclosed in bumpbegin and endbump tags, that address is used as the domain name. Doctor Web began to take over domains of this category on April 13, but on the following day, Saturday, April 14, the Twitter account registered by Doctor Web analysts for this purpose was blocked.

As of April 13, 2012, 30,549 requests containing a UUID were sent to control servers of the first domain name category in 24 hours, and 28,284 requests containing a UUID were transmitted to control servers of the second domain name category in the same period. In total, 95,563 requests containing a UUID were sent to servers meant to control the BackDoor.Flashback payload from April 12 to 26, 2012. Other statistical data obtained during the 24-hour analysis of requests sent by the BackDoor.Flashback payload to control servers on April 13, 2012, is presented on the graph below.


26.04 Beware of dangerous Trojan in spam

April 26, 2012

The Russian anti-virus vendor Doctor Web warns Western-European users of a spam mailing that spreads Trojan.Encoder ransomware...

The number of requests to Doctor Web's technical support service from Western European users who received an e-mail with the subject "Ute Lautensack Vertrag Nr 46972057" has increased in the last 24 hours. The e-mail contains the following text:

Dear Ute Lautensack,
You have signed up for our Mail Upgrade and we are pleased to welcome you as our new subscriber. You can now send up to 500 messages per month free of charge, and your storage space is increased by 5 GB.

433.29 euros for registration will be debited from your bank account every 12 months in advance. Please find the invoice details in the attachment, where you will also find the explanation of your 2-week cancellation period.

With kind regards
Your customer service

An archive file named Abrechnung or Rechnung is attached to the message. If the application inside it is launched, the Trojan encrypts files found on the hard disks.

A warning from Doctor Web: do not open attachments in these e-mails! If the Trojan has encrypted files on your computer, follow the guidance below to avoid loss of valuable information:

  • Notify the police.
  • Never attempt to solve the problem by reinstalling the operating system.
  • Do not delete any files from the hard drives.
  • Do not try to restore the encrypted data on your own.
  • Contact Doctor Web's virus laboratory. When filing a request, select Request for curing. This service is provided free of charge.
  • Attach a file encrypted by the Trojan to the ticket.
  • Wait for a response from a virus analyst. Due to the large number of requests it may take some time.