News of Doctor Web
22.05 New Dr.Web course on e-mail security: there’s no such thing as too much protection!
May 22, 2013
Corporate e-mail is an essential component of any organisation. Mail servers that have reliable anti-virus protection will secure confidential information and documents from unauthorised access and ensure the uninterrupted operation of an entire company. After all, email is one of the most popular channels through which viruses and spam are distributed.
In a compromised corporate network, email often becomes a source of malware that can use contact information and email databases to spread infections to the computers of your partners, colleagues and customers. The new course on the basics of email security will give Dr.Web users the information they need to establish reliable protection for their corporate email.
Upon completion of the course, all students can take an exam to test their knowledge and, if successful, become certified Dr.Web specialists in email security. You can apply to take the exam at any time convenient for you. To do this, you must register on the My Dr.Web Training Portal. If you have not previously registered, you must first fill out an application.
Doctor Web wishes you successful training!
22.05 New Trojan steals short messages
May 22, 2013
The Trojan, discovered by Doctor Web's analysts several days ago, is a second representative of the
To be loaded at startup, the Trojan will make sure that its process, CheckCommandServices, will be run as a background service.
If at some point Android.Pincer.2.origin is launched successfully at startup, it will connect to a remote server and send it information about the mobile device, including:
- Handset model
- Device's serial number
- IMEI
- Carrier
- Cell phone number
- Default system language
- Operating system
- Availability of the root account
After that, the program awaits instructions that contain commands in the following format: "command:[command]". The following directives can be sent to the malware by criminals:
- start_sms_forwarding [telephone number] — begin intercepting communications from a specified number
- stop_sms_forwarding — stop intercepting messages
- send_sms [phone number and text] — send a short message using the specified parameters
- simple_execute_ussd — send a USSD message
- stop_program — stop working
- show_message — display a message on the screen of the mobile device
- set_urls — change the address of the control server
- ping — send an SMS containing the text 'pong' to a previously specified number
- set_sms_number — change the number to which messages containing the text string 'pong' are sent.
The command start_sms_forwarding is of particular interest since it allows attackers to indicate the number from which the Trojan needs to intercept messages. This feature enables criminals to use the Trojan for targeted attacks and steal specific messages, for example, those received from banking services and containing mTAN codes or other messages containing sensitive information.
Dr.Web anti-viruses for Android successfully detect Android.Pincer.2.origin, so the Trojan poses no threat to devices protected by Doctor Web software.
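For incident responders, the directive list above can be turned into a triage step over captured control-server traffic. The following is an added example, not Doctor Web's code: it assumes one instruction per captured line, with the argument separated from the directive name by whitespace (the article only gives the "command:[command]" prefix), and the sample lines and phone numbers are constructed.

```python
import re

# Directive names exactly as listed in the article; severities are this example's own grading.
DIRECTIVES = {
    "start_sms_forwarding": "high",   # begins interception of SMS from one sender
    "stop_sms_forwarding": "info",
    "send_sms": "high",               # device sends an SMS chosen by the operator
    "simple_execute_ussd": "high",
    "stop_program": "info",
    "show_message": "medium",
    "set_urls": "medium",             # control server address changes
    "ping": "low",
    "set_sms_number": "medium",
}

# Assumption: "command:" is followed by the directive name, then optional whitespace-separated arguments.
INSTRUCTION = re.compile(r"command:\s*([a-z_]+)(?:\s+(.*))?$")


def parse_instruction(line):
    """Return (directive, argument, severity) for an instruction line, else None."""
    match = INSTRUCTION.search(line.strip())
    if not match:
        return None
    name = match.group(1)
    argument = (match.group(2) or "").strip()
    return name, argument, DIRECTIVES.get(name, "unknown")


def replay(lines):
    """Replay a captured session and report what the device was told to do."""
    state = {
        "intercepted_senders": [],   # senders whose SMS may have been exposed
        "forwarding_active": False,  # interception still on at end of capture?
        "outbound_sms": [],          # arguments of send_sms directives
        "unrecognised": [],          # directives not in the published list
    }
    for line in lines:
        parsed = parse_instruction(line)
        if parsed is None:
            continue
        name, argument, severity = parsed
        if severity == "unknown":
            state["unrecognised"].append(name)
        elif name == "start_sms_forwarding":
            state["forwarding_active"] = True
            if argument and argument not in state["intercepted_senders"]:
                state["intercepted_senders"].append(argument)
        elif name == "stop_sms_forwarding":
            state["forwarding_active"] = False
        elif name == "send_sms":
            state["outbound_sms"].append(argument)
    return state


# Constructed capture for illustration; timestamps, numbers and the unlisted directive are made up.
SAMPLE = [
    "10:00:01 command:start_sms_forwarding +15550100",
    "10:00:09 keepalive",
    "10:04:30 command:ping",
    "10:07:12 command:send_sms +15550111 test",
    "10:09:45 command:stop_sms_forwarding",
    "10:12:03 command:start_sms_forwarding +15550122",
    "10:15:00 command:example_unlisted",
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The `intercepted_senders` list tells the responder which senders (for example a bank's SMS service) need their messages treated as disclosed, and `forwarding_active` shows whether interception was still on when the capture ended.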
21.05 Dr.Web Enterprise Agent for Novell NetWare updated
May 21, 2013
In particular, it resolves an issue where the agent couldn't reconnect to the server after three unsuccessful attempts.
To install the update, stop the drwebnw module in the Dr.Web anti-virus console and run the “unload nwesag” command. Then replace the nwesag.nlm file found in the agent installation directory with the new one and use the load nwesag command to restart the agent.
20.05 Components in Dr.Web 8.0 products for Windows updated
May 20, 2013
Dr.Web Anti-rootkit Service’s caching routines have been optimised.
In the self-protection module, an issue causing the operating system to freeze or crash when eBoostr—a system optimization program—was in use has been resolved.
Also fixed was a Dr.Web Net Filtering Service bug that could cause continuous CPU loading.
The update also corrects installation module errors that occurred when removing Dr.Web or upon adding or removing its components and led to false requests to restart the operating system and restore the product’s integrity.
A firewall issue with Windows 8 has been resolved where the system was not able to obtain an IP address via DHCP.
Issues where the agent terminated abnormally upon changing the UI language have also been resolved.
The update will be performed automatically; however, a system reboot will be required.
20.05 Subscription Control Center 6.06 for Dr.Web AV-Desk released
May 20, 2013
Anti-virus software available with the subscription packages Dr.Web Classic, Dr.Web Standard and Dr.Web Premium (both home and business) can now be installed under Windows 8. Support of Windows 8 is also available for corresponding promotional packages.
Windows Server 2012 is now supported by all Dr.Web business subscription packages and the Dr.Web Premium Server package, which is intended only for individuals.
It is not necessary to uninstall the Dr.Web AV-Desk SCC to update from versions 5.x-6.x to version 6.0.6.
16.05 Dr.Web for Android 8.0: faster, friendlier and more reliable
May 16, 2013
Anti-virus scans on the latest Android smart phones are now significantly faster thanks to multi-thread scanning that divides tasks between the CPU cores.
The new version supports Android 4.2.
With Dr.Web for Android 8.0 you can use multiple trusted SIM cards with the Anti-theft enabled. Now, if you regularly switch between several SIM cards on one smartphone, you can add these SIM cards to your trusted list, so that the Anti-theft won't block access to the device when changing them. You can add SIM cards to your trusted list when you restart the device or when launching Dr.Web for Android.
Dr.Web also now lets you disable the detection of adware and riskware by the file monitor SpIDer Guard and the anti-virus scanner.
In addition, Dr.Web for Android can send statistics about its operation to Doctor Web with the user's consent. To use this feature, after installing version 8.0, you will need to accept the license agreement again.
In addition to the aforementioned innovations, several upgrades have also been made. Now, if SpIDer Guard and the anti-spam service are terminated, they will be restarted automatically.
Version 8.0 also includes Latvian and Estonian language support and tweaks that have been made to the custom scan interface.
Among other things, known defects have been corrected. In particular, the scanning process no longer slows down as soon as the device's screen turns off and scanning can no longer be interrupted by touching the screen. A widget display issue that could affect certain devices has also been fixed.
The new version of Dr.Web for Android is available on Google Play (Dr.Web Anti-virus, Dr.Web Anti-Virus Life license) and on Doctor Web's site (Dr.Web for Android).
Dr.Web for Android will be updated to version 8.0 automatically. If automatic updates are disabled on the device, go to Google Play, choose Dr.Web Anti-virus (paid) or Dr.Web Anti-Virus Life license on the application list, and click “Update”.
For updates via Doctor Web's site, download a new distribution file. If the option “New application version” is enabled, a new version notification will be displayed when updating the virus databases. You can start the download directly from this dialogue box.
13.05 April 2013 virus activity review from Doctor Web
May 13, 2013
Viruses
According to statistics collected by Dr.Web CureIt!, the number of machines infected with
| Trojan.Hosts modifications | % |
|---|---|
| | 1.84 |
| | 0.99 |
| | 0.42 |
| | 0.19 |
| | 0.18 |
| | 0.16 |
| | 0.15 |
| | 0.14 |
| | 0.14 |
| | 0.14 |
| | 0.13 |
| | 0.11 |
| | 0.10 |
| | 0.09 |
Doctor Web attributes such a large number of infections to multiple incidents of websites being compromised—the company published a report on this in March.
According to data gathered by Dr.Web CureIt!,
The table below lists the most common threats detected with Dr.Web CureIt! on home computers in April 2013.
| 1 | | 3.07 |
| 2 | | 1.84 |
| 3 | | 1.28 |
| 4 | | 0.99 |
| 5 | | 0.87 |
| 6 | | 0.76 |
| 7 | | 0.73 |
| 8 | | 0.72 |
| 9 | | 0.58 |
| 10 | | 0.56 |
| 11 | | 0.56 |
| 12 | | 0.56 |
| 13 | | 0.55 |
| 14 | | 0.54 |
| 15 | | 0.52 |
| 16 | | 0.47 |
| 17 | | 0.42 |
| 18 | | 0.37 |
| 19 | | 0.35 |
| 20 | | 0.33 |
Botnets
In early April, Doctor Web's analysts managed to gain control over a control server of a botnet comprised of computers infected with
This malware sends massive volumes of spam and can execute criminal commands including commands to perform updates, download new message templates or spam mailing lists, or stop sending spam. If the program terminates abnormally, it can notify the intruders
The growth rate of the botnet created with the file infector
Another botnet, formed by a related file infector
The threat of the month
A new representative of the well-known malicious family Trojan.Mayachok was one of the most peculiar threats analysed by Doctor Web in April. Despite the fact that analysts currently know about 1,500 species of the family,
The attackers’ main objective is to force the user to enter their mobile phone number into a specific field. After that they are subscribed to services promoted by http://vkmediaget.com for a fee of 0.60 USD per 24 hours.
Encoders on the offensive
Encoder Trojans are among the most dangerous threats in the modern IT world. Two such programs—
Spread with spam, these Trojans can do a lot of damage: several hundred systems have already been compromised by the encoders. More information on how to neutralize such threats can be found in news material published by Doctor Web.
Threats to Android
The second month of spring 2013 once again confirmed that Android is the main target for cybercriminals interested in mobile platforms. Throughout April, Doctor Web's analysts discovered new malicious Android applications whose definitions were promptly added to the Dr.Web virus databases.
The discovery on Google Play of programs containing the malicious adware module Android.Androways.1.origin became one of the most significant events related to Android security. Criminals distributed the module as part of their seemingly harmless ad network which enables developers to integrate the module into their software so that it generates revenue. Similarly to legal ad network modules, Android.Androways.1.origin can display push notifications in the status bar, however, these messages can be used to show fake prompts to update various programs. If the user agrees to an update, they risk downloading an
In addition, Android.Androways.1.origin can execute a number of commands from a remote server and upload such information as the device's phone number and IMEI, and the operator code to the server. More detailed information about this threat can be found in our news material.
Trojan horses primarily targeting devices used in China stand out from the multitude of malware designed to attack Android. Criminals usually embed them into legitimate applications. Various software catalogues and forums remain the most popular ways to distribute them. In April, Doctor Web's analysts discovered several such malicious programs. These include Android.Uapush.2.origin, Android.MMarketPay.3.origin, Android.DownLoader.17.origin, and several versions of
Android.Uapush.2.origin is a Trojan horse whose main purpose is to display advertising messages in the notification bar. However, it also has other functions. In particular, Android.Uapush.2.origin collects information about browser bookmarks, outbound calls, address book contact details and personal information stored by the IM client QQ. The Trojan uploads stolen information to a remote server.
Android.MMarketPay.3.origin is a malicious program discovered in early April. This Trojan is a modification of malware that Doctor Web reported on last year. Similarly to its predecessor, Android.MMarketPay.3.origin is designed to automatically buy applications on the Mobile Market portal maintained by the carrier China Mobile. This program can bypass the online store’s security restrictions and cause significant damage to Chinese users' finances by covertly purchasing applications.
As for Android.DownLoader.17.origin, it is a Trojan downloader that can download other applications from the Internet. Once the apk-package is downloaded, Android.DownLoader.17.origin attempts to install it. This Trojan was found in a large number of games and other applications available for downloading from several Chinese sites, so it can be assumed that the criminals who made it have ambitious plans with regard to the program. In particular, they can use it to increase the rating of applications or adjust the installations counter for programs distributed from partner sites. The illustration below provides information about some of the compromised applications that contain Android.DownLoader.17.origin.
Discovered in April, Android.Infostealer.4.origin, Android.Infostealer.5.origin and Android.Infostealer.6.origin are Trojans that steal such sensitive information as a device's IMEI, phone number and list of installed applications and send this data to a remote, criminal-controlled server.
In the past month, cybercriminals didn't spare other East Asian countries, namely South Korea and Japan. An entry concerning the program Android.SmsSpy.27.origin, which also steals information, was added to the Dr.Web virus database at the end of the past month. This malware, which steals incoming short messages and sends them to a remote server, is spread as a Japanese and Korean version of a UI theme for Vertu phones.
Malicious files detected in mail traffic in April
| 01.04.2013 00:00 - 30.04.2013 23:00 | ||
| 1 | Trojan.PWS.Panda.3734 | 1.30% |
| 2 | Trojan.Inject2.23 | 1.11% |
| 3 | JS.Redirector.155 | 0.95% |
| 4 | Trojan.Necurs.97 | 0.88% |
| 5 | Trojan.Packed.196 | 0.77% |
| 6 | Win32.HLLM.MyDoom.54464 | 0.72% |
| 7 | Trojan.PWS.Stealer.2877 | 0.65% |
| 8 | Win32.HLLM.MyDoom.33808 | 0.51% |
| 9 | Trojan.Packed | 0.51% |
| 10 | SCRIPT.Virus | 0.39% |
| 11 | Trojan.Oficla.zip | 0.37% |
| 12 | BackDoor.Comet.152 | 0.37% |
| 13 | Trojan.PWS.Stealer.2830 | 0.37% |
| 14 | Trojan.PWS.Panda.547 | 0.35% |
| 15 | Win32.HLLM.Beagle | 0.32% |
| 16 | Trojan.PWS.Panda.2401 | 0.30% |
| 17 | Trojan.MulDrop2.64582 | 0.26% |
| 18 | Trojan.PWS.Stealer.1932 | 0.25% |
| 19 | Trojan.PWS.Panda.655 | 0.25% |
| 20 | Trojan.Siggen5.13188 | 0.21% |
Malicious files detected on user computers in April
| 01.04.2013 00:00 - 30.04.2013 23:00 | ||
| 1 | SCRIPT.Virus | 0.68% |
| 2 | Adware.Downware.915 | 0.65% |
| 3 | Tool.Unwanted.JS.SMSFraud.26 | 0.55% |
| 4 | Adware.Downware.179 | 0.47% |
| 5 | Adware.InstallCore.99 | 0.39% |
| 6 | JS.Redirector.189 | 0.38% |
| 7 | JS.IFrame.387 | 0.37% |
| 8 | Trojan.Packed.24079 | 0.36% |
| 9 | Adware.InstallCore.101 | 0.36% |
| 10 | Trojan.Redirect.140 | 0.34% |
| 11 | Adware.Webalta.11 | 0.34% |
| 12 | Tool.Unwanted.JS.SMSFraud.10 | 0.33% |
| 13 | JS.Redirector.188 | 0.33% |
| 14 | JS.Redirector.175 | 0.31% |
| 15 | Trojan.Fraudster.394 | 0.31% |
| 16 | Win32.HLLW.Shadow | 0.30% |
| 17 | Win32.HLLW.Autoruner.59834 | 0.29% |
| 18 | Tool.Skymonk.11 | 0.29% |
| 19 | Adware.Downware.1109 | 0.28% |
| 20 | Trojan.Fraudster.407 | 0.27% |
07.05 Dangerous Trojan substitutes web pages
May 7, 2013
The Trojan has two components: the dropper and the dynamic link library which stores the payload. During installation, the dropper creates a copy of itself in one of the folders on the hard drive and launches itself. In Microsoft Windows Vista, the dropper can be launched as a Java update that requires user confirmation to bypass User Account Control.

Then the dropper saves on the hard drive the main library which injects its code into all running processes on the infected computer but operates only in the processes of the following browsers: Microsoft Internet Explorer, Mozilla Firefox, Opera, Safari, Google Chrome, Chromium, Mail.Ru Internet, Yandex.Browser, and Rambler Nichrome. The configuration file containing all the data needed to run
The architecture of
The signature of this threat has been added to the Dr.Web virus database, so
29.04 Scanning Engine service in Dr.Web 8.0 for Windows updated
April 29, 2013
The update resolves an issue where SpIDer Guard would stop scanning files if the option to check running programs and modules was disabled.
The update will be automatically downloaded by the anti-viruses, but applying it will require a system reboot.
25.04 Dr.Web for IBM Lotus Domino updated
April 25, 2013
The updated version of the module supports Red Hat Enterprise Linux (RHEL) 6 and Novell SuSE Linux Enterprise Server (SLES) 11 and incorporates updates of all plug-in components, including Dr.Web Virus Finding Engine, Dr.Web Daemon and Dr.Web Updater.
To install the new version of Dr.Web for IBM Lotus Domino you need to uninstall the previous one. All the current settings and the quarantine database will be deleted. If necessary, back up the database found in the Dr.Web directory.
24.04 Components in Dr.Web 8.0 products for Windows updated
April 24, 2013
The scanning service tweaks improve overall performance, accelerate the launch of processes and speed up file scanning. Also, the service no longer needs Windows API to detect system processes, so they can be removed from the list of scanned objects. This significantly increases system boot-up speed and accelerates the launch of trusted applications.
The updated Dr.Web SpIDer Guard can use some Dr.Web Anti-rootkit Service routines and, if necessary, utilize the service to neutralize threats.
The update also resolves known issues to improve the overall stability of Dr.Web Security Space and Dr.Web Anti-virus 8.0 for Windows.
- An error that could cause a system failure when the Dr.Web Anti-rootkit Service was running has been fixed.
- Also resolved was a problem involving system files being processed longer than they should have been while removable data storage devices were being initialized at the same time when incorrect settings were being used to establish an Internet connection.
- A defect keeping the size of the quarantine from resetting after being cleaned has been corrected.
- Previously, malignant files were being moved to the local disk quarantine from a removable media device even if the option to create the quarantine on a removable media had been enabled; that issue has been fixed.
- The error message “Access denied or incorrect program usage” was being displayed when Dr.Web was being removed, and that issue has also been rectified.
The update will be performed automatically; however, a system reboot will be required.
24.04 Windows versions of Dr.Web 6.0 products for Kerio mail servers and Internet gateways updated
April 24, 2013
Dr.Web for Kerio mail servers now supports Kerio Connect 8.0 and later, and Dr.Web for Internet gateways Kerio is now compatible with Kerio Control 7.0.0–7.4.2. The Dr.Web Virus Finding Engine has been updated in both products.
To update Dr.Web for Kerio mail servers or Dr.Web for Internet gateways Kerio, download the updated distribution and reinstall the application after removing the installed program.
23.04 Twenty eight apps on Google Play spread Trojans
April 23, 2013
Advertising in applications for Android has long been successfully used by various developers to generate income from their work: it is a legal and a very convenient way to get compensated for time and money spent creating software. It was in 2011 when crafty cybercriminals also decided to use mobile ad networks to spread Trojans. Android.SmsSend programs designed to send short messages to premium numbers and subscribe users to chargeable services are the most popular among them. Doctor Web recently reported an incident involving such a program. However, the list of malware being spread in such a way is expanding.
Despite the fact that ad networks like Google AdMob, Airpush, and Startapp meet criminals' demands, intruders decided to go even further and created an ad network of their own. At first sight, it appears quite similar to others: Android software developers are offered very favourable advertising API usage terms, and are promised a high and steady income and easy account management. So it's hardly surprising that some developers became very interested in the ad network.
The advertisement API provides push notification ads that deliver small alerts to an Android phone's notification bar. However, there are also some undocumented features.
Push ads sent via the ad network can prompt a user to install an important update for a certain application. If an unsuspecting user agrees to install this update, the advertising module downloads an apk package and places it into the download directory /mnt/sdcard/download on the memory card. The module can also create a shortcut linked to the downloaded package, so if the user taps on it, it will start the installation of the downloaded program.
An investigation conducted by Doctor Web's analysts revealed that such apk-files contain Android.SmsSend Trojans. Analysts also found that these malicious programs were being downloaded from various fake application catalogues. The ad module in three analysed applications would connect to a control server at 188.139.xxx.xx, while the module in the remaining 25 apps would try to connect to a server at 91.226.xxx.xx. These IP addresses were promptly added to the Dr.Web Parental Control database, so access to the respective sites is blocked.
Below you can find a full list of the commands sent by a controlling server to the malignant module:
- news – display a push-notification
- showpage – open a web page in a browser
- install – download and install an apk package
- showinstall – show a push-notification about the installation of an apk package
- iconpage – create a shortcut to a web page
- iconinstall – create a shortcut to the downloaded apk package
- newdomen – change the control server address
- seconddomen – an alternate server address
- stop – stop sending queries to the server
- testpost – re-send a request
- ok – do nothing
In addition to executing these commands, the fraudulent module is also able to collect and send the device's IMEI, operator code, and the phone number to the server.
The advertising API is particularly dangerous because applications that use it are found on Google Play, which de facto is the safest source of programs for Android. Many users have come to trust the security of Google Play, so the number of installations of the software that features the advertising module is very large. Since statistics about downloads of applications from Google Play are hard to get, Doctor Web can't say exactly how many devices have been compromised, but it can be assumed that the number exceeds 5.3 million handhelds. This is the largest and most massive case of infection on Google Play since Google Bouncer was introduced.
Considering the advertising API’s malignant features and the connection between the ad network and sites spreading malware for Android, Doctor Web has classified this module as belonging to adware designed to perform malicious tasks. The module has been added to the virus databases as Android.Androways.1.origin and poses no threat to devices running Dr.Web anti-virus for Android.
















