News of Doctor Web

22.05 New Dr.Web course on e-mail security: there’s no such thing as too much protection!

May 22, 2013

Russian anti-virus company Doctor Web has released a new course, General principles of email traffic protection. The course is designed for technicians who are responsible for corporate network security, which includes mail servers. This training will help them acquire the knowledge required to maintain email security, pass the examination and, if successful, acquire the status of certified Dr.Web technical specialist.

Corporate e-mail is an essential component of any organisation. Mail servers that have reliable anti-virus protection will secure confidential information and documents from unauthorised access and ensure the uninterrupted operation of an entire company. After all, email is one of the most popular channels through which viruses and spam are distributed.

In a compromised corporate network, email often becomes a source of malware that can use contact information and email databases to spread infections to the computers of your partners, colleagues and customers. The new course on the basics of email security will give Dr.Web users the information they need to establish reliable protection for their corporate email.

Upon completion of the course, all students can take an exam to test their knowledge and, if successful, become certified Dr.Web specialists in email security. You can apply to take the exam at any time convenient for you. To do this, you must register on the My Dr.Web Training Portal. If you have not previously registered, you must first fill out an application.

Doctor Web wishes you successful training!

22.05 New Trojan steals short messages

May 22, 2013

Russian anti-virus company Doctor Web is warning users about a new Trojan for Android that can intercept inbound short messages and forward them to criminals. Android.Pincer.2.origin poses a serious threat because stolen messages can contain sensitive information such as mTAN codes which are used to confirm online banking transactions.

The Trojan, discovered by Doctor Web's analysts several days ago, is a second representative of the Android.Pincer malware family. Like its predecessor, this malicious program is spread as a security certificate that supposedly must be installed onto an Android device. If a careless user does install the program and attempts to launch it, Android.Pincer.2.origin will display a fake notification about the certificate’s successful installation and will not perform any noticeable activities for a while.


To be loaded at startup, the Trojan makes sure that its process, CheckCommandServices, is run as a background service.


If at some point Android.Pincer.2.origin is launched successfully at startup, it will connect to a remote server and send it information about the mobile device, including:

  • Handset model
  • Device's serial number
  • IMEI
  • Carrier
  • Cell phone number
  • Default system language
  • Operating system
  • Availability of the root account

After that, the program awaits instructions that contain commands in the following format: "command:[command]". The following directives can be sent to the malware by criminals:

  • start_sms_forwarding [telephone number] - begin intercepting messages from the specified number
  • stop_sms_forwarding - stop intercepting messages
  • send_sms [phone number and text] - send a short message using the specified parameters
  • simple_execute_ussd - send a USSD message
  • stop_program - stop working
  • show_message - display a message on the screen of the mobile device
  • set_urls - change the address of the control server
  • ping - send an SMS containing the text 'pong' to a previously specified number
  • set_sms_number - change the number to which messages containing the text string 'pong' are sent

The command start_sms_forwarding is of particular interest since it allows attackers to indicate the number from which the Trojan needs to intercept messages. This feature enables criminals to use the Trojan for targeted attacks and steal specific messages, for example, those received from banking services and containing mTAN codes or other messages containing sensitive information.
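The command format and directive list above are enough to build a small triage helper for strings recovered from a sandbox or a network capture. The following is an added example, not Doctor Web's code: it parses "command:[command]" instructions, labels each directive with a category and severity (the labels, the whitespace-separated argument layout after the directive, and the sample capture are this example's own assumptions), and flags the targeted-interception case that the alert singles out.

```python
"""Triage helper for C2 instructions in the Android.Pincer.2.origin format.

Added example, not Doctor Web's code. Directive names come from the alert;
the argument layout (whitespace after the directive), the category/severity
labels and the sample capture are assumptions of this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Directive names are taken from the alert; category/severity labels are assumed.
DIRECTIVES: Dict[str, Tuple[str, str]] = {
    "start_sms_forwarding": ("sms-interception", "high"),
    "stop_sms_forwarding": ("sms-interception", "low"),
    "send_sms": ("outbound-sms", "high"),
    "simple_execute_ussd": ("ussd", "high"),
    "stop_program": ("control", "low"),
    "show_message": ("ui", "medium"),
    "set_urls": ("c2-config", "medium"),
    "ping": ("beacon", "low"),
    "set_sms_number": ("c2-config", "medium"),
}
SEVERITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3}

# "command:" prefix, a directive token, then optional whitespace-separated arguments.
_INSTRUCTION = re.compile(r"^command:(?P<directive>[A-Za-z_]+)(?:\s+(?P<args>.*))?$", re.S)
# Loose E.164-style check, used only to recognise a phone-number argument.
_PHONE = re.compile(r"^\+?\d{7,15}$")


@dataclass
class Instruction:
    raw: str
    directive: Optional[str]
    args: List[str] = field(default_factory=list)
    category: str = "unknown"
    severity: str = "unknown"
    notes: List[str] = field(default_factory=list)


def parse_instruction(raw: str) -> Instruction:
    """Parse one captured instruction string and annotate it for an analyst."""
    m = _INSTRUCTION.match(raw.strip())
    if not m:
        return Instruction(raw=raw, directive=None,
                           notes=["not in command:[command] format"])
    directive = m.group("directive")
    args = m.group("args").split() if m.group("args") else []
    inst = Instruction(raw=raw, directive=directive, args=args)
    if directive not in DIRECTIVES:
        inst.notes.append("directive not in the documented list; possible new capability")
        return inst
    inst.category, inst.severity = DIRECTIVES[directive]
    if directive == "start_sms_forwarding":
        # A number argument means a targeted attack on messages from one sender
        # (for example a bank's mTAN sender), which is what the alert warns about.
        if args and _PHONE.match(args[0]):
            inst.notes.append(f"targeted interception of messages from {args[0]}")
        else:
            inst.notes.append("no phone number parsed; interception scope unclear")
    elif directive == "send_sms":
        if args:
            inst.notes.append(f"outbound SMS to {args[0]}: {' '.join(args[1:])!r}")
        else:
            inst.notes.append("send_sms without parameters")
    elif directive in ("set_urls", "set_sms_number") and args:
        inst.notes.append("C2 configuration change: " + " ".join(args))
    return inst


def triage(capture: List[str]) -> List[Instruction]:
    """Parse every non-empty line of a capture."""
    return [parse_instruction(line) for line in capture if line.strip()]


def highest_severity(instructions: List[Instruction]) -> str:
    """Worst severity seen across a capture, for prioritising the incident."""
    return max((i.severity for i in instructions),
               key=SEVERITY_RANK.__getitem__, default="unknown")


# Constructed sample of strings as they might be recovered from a sandbox run;
# the phone number and URL are placeholders, not real indicators.
SAMPLE_CAPTURE = [
    "command:start_sms_forwarding +15550100123",
    "command:ping",
    "command:set_urls http://c2.example.invalid/gate",
    "command:show_message Certificate installed successfully",
    "command:self_update 2",
    "GET /status HTTP/1.1",
]

if __name__ == "__main__":
    results = triage(SAMPLE_CAPTURE)
    for inst in results:
        print(f"[{inst.severity:>7}] {inst.directive or '-':<22} "
              f"{inst.category:<16} {'; '.join(inst.notes)}")
    print("highest severity:", highest_severity(results))
```

Unknown directives are deliberately kept rather than dropped, since a command outside the documented list is the first sign of a new variant.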

Dr.Web anti-viruses for Android successfully detect Android.Pincer.2.origin, so it poses no threat to devices protected by Doctor Web software.

21.05 Dr.Web Enterprise Agent for Novell NetWare updated

May 21, 2013

Doctor Web has updated Dr.Web Enterprise Agent for Novell NetWare to deliver fixes for known defects.

In particular, it resolves an issue where the agent could not reconnect to the server after three unsuccessful attempts.

To install the update, stop the drwebnw module in the Dr.Web anti-virus console and run the "unload nwesag" command. Then replace the nwesag.nlm file found in the agent installation directory with the new one and use the "load nwesag" command to restart the agent.

20.05 Components in Dr.Web 8.0 products for Windows updated

May 20, 2013

Doctor Web has updated Dr.Web Anti-rootkit Service (8.3.0.201305150), Dr.Web SelfPROtect (8.01.00.01172), Dr.Web Net Filtering Service (8.0.5.04300), the installation (8.0.3.04300), firewall (8.0.1.04150) and agent (8.1.0.201305140) modules in Dr.Web Security Space, and Dr.Web Anti-virus 8.0 for Windows.

Dr.Web Anti-rootkit Service’s caching routines have been optimised.

In the self-protection module, an issue causing the operating system to freeze or crash when eBoostr—a system optimization program—was in use has been resolved.

Also fixed was a Dr.Web Net Filtering Service bug that could cause continuous CPU loading.

The update also corrects installation module errors that occurred when removing Dr.Web or upon adding or removing its components and led to false requests to restart the operating system and restore the product’s integrity.

A firewall issue with Windows 8 has been resolved where the system was not able to obtain an IP address via DHCP.

Issues that caused the agent to terminate abnormally when the UI language was changed have also been resolved.

The update will be performed automatically; however, a system reboot will be required.

20.05 Subscription Control Center 6.0.6 for Dr.Web AV-Desk released

May 20, 2013

Doctor Web has released Subscription Control Center (SCC) 6.0.6 for its Dr.Web AV-Desk Internet service. The list of supported versions of Windows, under which the anti-virus subscription software can be installed, has been expanded. Known defects have been corrected.

Anti-virus software available with the subscription packages Dr.Web Classic, Dr.Web Standard and Dr.Web Premium (both home and business) can now be installed under Windows 8. Support of Windows 8 is also available for corresponding promotional packages.

Windows Server 2012 is now supported by all Dr.Web business subscription packages and by the Dr.Web Premium Server package, which is intended only for individuals.

It is not necessary to uninstall the Dr.Web AV-Desk SCC to update from versions 5.x-6.x to version 6.0.6.

16.05 Dr.Web for Android 8.0: faster, friendlier and more reliable

May 16, 2013

Doctor Web has released the eighth version of Dr.Web for Android. Version 8.0’s major innovations include faster scanning on multi-core smart phones, Android 4.2 support, and Anti-theft Module recognition of multiple, trusted SIM cards.

Anti-virus scans on the latest Android smart phones are now significantly faster thanks to multi-thread scanning that divides tasks between the CPU cores.

The new version supports Android 4.2.

With Dr.Web for Android 8.0 you can use multiple trusted SIM cards with the Anti-theft enabled. Now, if you regularly switch between several SIM cards on one smartphone, you can add these SIM cards to your trusted list, so that the Anti-theft won't block access to the device when changing them. You can add SIM cards to your trusted list when you restart the device or when launching Dr.Web for Android.

Dr.Web also now lets you disable the detection of adware and riskware by the file monitor SpIDer Guard and the anti-virus scanner.

In addition, Dr.Web for Android can send statistics about its operation to Doctor Web with the user's consent. To use this feature, after installing version 8.0, you will need to accept the license agreement again.

In addition to the aforementioned innovations, several upgrades have also been made. Now, if SpIDer Guard and the anti-spam service are terminated, they will be restarted automatically.

Version 8.0 also includes Latvian and Estonian language support and tweaks that have been made to the custom scan interface.

Among other things, known defects have been corrected. In particular, the scanning process no longer decelerates as soon as the device's screen turns off and scanning can no longer be interrupted by touching the screen. A widget display issue that had the ability to impact certain devices has also been fixed.

The new version of Dr.Web for Android is available on Google Play (Dr.Web Anti-virus, Dr.Web Anti-Virus Life license) and on Doctor Web's site (Dr.Web for Android).

Dr.Web for Android will be updated to version 8.0 automatically. If automatic updates are disabled on the device, go to Google Play, choose Dr.Web Anti-virus (paid) or Dr.Web Anti-Virus Life license on the application list, and click "Update”.

For updates via Doctor Web's site, download a new distribution file. If the option “New application version” is enabled, a new version notification will be displayed when updating the virus databases. You can start the download directly from this dialogue box.

13.05 April 2013 virus activity review from Doctor Web

May 13, 2013

IT security experts will remember April 2013 for several remarkable events. At the beginning of the month, Doctor Web's analysts hijacked a rapidly growing botnet comprised of computers infected with BackDoor.Bulknet.739. The middle of April saw the discovery of a new Trojan of the most common family, Trojan.Mayachok, and an upsurge of spam exploiting the terrorist acts that occurred in Boston. It was a rough time for handhelds, too, with 28 infected applications spread via Google Play to as many as five million devices.

Viruses

According to statistics collected by Dr.Web CureIt!, the number of machines infected with Trojan.Hosts malware declined in the past month. The programs in question modify the hosts file which contains DNS server addresses. However, infections with Trojan.Hosts constituted more than 4.78% of the total infections which amounts to 40,000 detected malicious samples. The most common Trojan.Hosts modifications are listed in the table below.

Trojan.Hosts modification    %
Trojan.Hosts.6815            1.84
Trojan.Hosts.6838            0.99
Trojan.Hosts.6708            0.42
Trojan.Hosts.6814            0.19
Trojan.Hosts.6897            0.18
Trojan.Hosts.6613            0.16
Trojan.Hosts.6809            0.15
Trojan.Hosts.5587            0.14
Trojan.Hosts.5268            0.14
Trojan.Hosts.6722            0.14
Trojan.Hosts.7154            0.13
Trojan.Hosts.6466            0.11
Trojan.Hosts.6294            0.10
Trojan.Hosts.7703            0.09

Doctor Web attributes such a large number of infections to multiple incidents of websites being compromised—the company published a report on this in March.

According to data gathered by Dr.Web CureIt!, Trojan.Mods.1 (earlier known as Trojan.Redirect.140), became one of the most common Trojans in April 2013. This program redirects browsers to bogus web pages. BackDoor.IRC.NgrBot.42 and Trojan.Zekos were also found in large numbers. Available for 32- and 64-bit versions of Windows, the latter can intercept DNS queries of Internet Explorer, Mozilla Firefox, Google Chrome, Opera and Safari. Consequently, when attempting to go to an address, the user ends up on a web page crafted by criminals; meanwhile, the correct URL will be displayed in the address bar. Virus writers use this method to prompt the user, their potential victim, to submit a phone number into a field and reply to a short message; doing so signs the user up to a chargeable service.

The table below lists the most common threats detected with Dr.Web CureIt! on home computers in April 2013.

 #   Threat                          %
 1   Trojan.Mods.1                   3.07
 2   Trojan.Hosts.6815               1.84
 3   BackDoor.IRC.NgrBot.42          1.28
 4   Trojan.Hosts.6838               0.99
 5   Trojan.Zekos                    0.87
 6   Win32.HLLW.Phorpiex.54          0.76
 7   Trojan.SMSSend.2363             0.73
 8   Win32.HLLP.Neshta               0.72
 9   Trojan.Packed.23938             0.58
10   Trojan.Packed.142               0.56
11   BackDoor.Andromeda.22           0.56
12   Trojan.StartPage.48148          0.56
13   Trojan.Packed.23971             0.55
14   Trojan.MulDrop4.25343           0.54
15   BackDoor.Gurl.2                 0.52
16   Win32.Sector.22                 0.47
17   Trojan.Hosts.6708               0.42
18   Trojan.PWS.Panda.2401           0.37
19   Trojan.PWS.Stealer.1932         0.35
20   Exploit.CVE2012-1723.13         0.33

Botnets

In early April, Doctor Web's analysts managed to gain control over a control server of a botnet comprised of computers infected with BackDoor.Bulknet.739. This malware sends massive volumes of spam and can execute criminal commands, including commands to perform updates, download new message templates or spam mailing lists, or stop sending spam. If the program terminates abnormally, it can notify the intruders.

Computers infected with BackDoor.Bulknet.739 contacted the server controlled by Doctor Web's analysts. The statistics collected there helped greatly in analysing this malware; the details can be found in one of our previously published reviews.

The growth rate of the botnet created with the file infector Win32.Rmnet.12 remained unchanged: 569,274 infected computers joined the network in April, and the total number of infected machines has reached 9,232,024. The diagram below illustrates how the network expanded:

Another botnet, formed by the related file infector Win32.Rmnet.16, showed a significant drop in its growth rate compared with previous months: around 500 new hosts joined in April, bringing the total to 262,604 infected hosts (against 262,083 hosts at the end of March). This is the lowest rate of growth the Win32.Rmnet.16 botnet has shown over the last year. A similar tendency persists for the BackDoor.Finder botnet, which grew by only 114 nodes in April, with the daily number of new infections ranging between 1 and 3. If this trend continues, it will be possible to speak of a decline in the spread of these malicious programs and to state that the aforementioned botnets have almost stopped growing.

The threat of the month

A new representative of the well-known malicious family Trojan.Mayachok was one of the most peculiar threats analysed by Doctor Web in April. Although analysts currently know of about 1,500 variants of the family, Trojan.Mayachok.18607 is quite different from the rest: apparently, its developers decided to rewrite the program completely while keeping some of its basic features.

Trojan.Mayachok.18607 can infect both 32- and 64-bit versions of Windows. Trojan.Mayachok.18607’s main function is to implement web injects: as users load various web pages, the malware embeds third-party content into them. Google Chrome, Mozilla Firefox, Opera and several versions of Microsoft Internet Explorer, including the latest one, are at risk. When the user of an infected machine visits some popular sites, genuine web pages are displayed in the browser window; these pages contain content injected by the Trojan.

The attackers’ main objective is to force the user to enter their mobile phone number into a specific field. After that they are subscribed to services promoted by http://vkmediaget.com for a fee of 0.60 USD per 24 hours.

Encoders on the offensive

Encoder Trojans are among the most dangerous threats in the modern IT world. Two such programs, Trojan.Encoder.205 and Trojan.Encoder.215, were spread on a large scale in April. Trojan.Encoder programs seek out music, Microsoft Office, image and archive files on the hard drives of infected computers and then encrypt them. After that they display a demand requiring that the user pay as much as several thousand dollars to decrypt the data.

Spread with spam, these Trojans can do a lot of damage: several hundred systems have already been compromised by the encoders. More information on how to neutralize such threats can be found in news material published by Doctor Web.

Threats to Android

The second month of spring 2013 once again confirmed that Android is the main target for cybercriminals interested in mobile platforms. Throughout April, Doctor Web's analysts discovered new malicious Android applications whose definitions were promptly added to the Dr.Web virus databases.

The discovery on Google Play of programs containing the malicious adware module Android.Androways.1.origin became one of the most significant events related to Android security. Criminals distributed the module as part of their seemingly harmless ad network, which lets developers integrate the module into their software so that it generates revenue. Like legitimate ad network modules, Android.Androways.1.origin can display push notifications in the status bar; however, these messages can be used to show fake prompts to update various programs. If the user agrees to an update, they risk downloading an Android.SmsSend program to their device.

In addition, Android.Androways.1.origin can execute a number of commands from a remote server and upload such information as the device's phone number and IMEI, and the operator code to the server. More detailed information about this threat can be found in our news material.

Trojan horses primarily targeting devices used in China stand out from the multitude of malware designed to attack Android. Criminals usually embed them into legitimate applications. Various software catalogues and forums remain the most popular ways to distribute them. In April, Doctor Web's analysts discovered several such malicious programs. These include Android.Uapush.2.origin, Android.MMarketPay.3.origin, Android.DownLoader.17.origin, and several versions of Android.Infostealer spy programs and a number of SMS Trojans.

Android.Uapush.2.origin is a Trojan horse whose main purpose is to display advertising messages in the notification bar. However, it also has other functions. In particular, Android.Uapush.2.origin collects information about browser bookmarks, outbound calls, address book contact details and personal information stored by the IM client QQ. The Trojan uploads stolen information to a remote server.

Android.MMarketPay.3.origin is a malicious program discovered in early April. This Trojan is a modification of malware that Doctor Web reported on last year. Similarly to its predecessor, Android.MMarketPay.3.origin is designed to automatically buy applications on the Mobile Market portal maintained by the carrier China Mobile. This program can bypass the online store’s security restrictions and cause significant damage to Chinese users' finances by covertly purchasing applications.

As for Android.DownLoader.17.origin, it is a Trojan downloader that can download other applications from the Internet. Once the apk package is downloaded, Android.DownLoader.17.origin attempts to install it. This Trojan was found in a large number of games and other applications available for download from several Chinese sites, so it can be assumed that the criminals who made it have ambitious plans for the program. In particular, they can use it to inflate the rating of applications or adjust the installation counter for programs distributed from partner sites. The illustration below provides information about some of the compromised applications that contain Android.DownLoader.17.origin.

Discovered in April, Android.Infostealer.4.origin, Android.Infostealer.5.origin and Android.Infostealer.6.origin are Trojans that steal such sensitive information as a device's IMEI, phone number and list of installed applications and send this data to a remote, criminal-controlled server.

In the past month, cybercriminals didn't spare other East Asian countries, namely South Korea and Japan. An entry concerning the program Android.SmsSpy.27.origin, which also steals information, was added to the Dr.Web virus database at the end of the past month. This malware, which steals incoming short messages and sends them to a remote server, is spread as a Japanese and Korean version of a UI theme for Vertu phones.

Malicious files detected in mail traffic in April

01.04.2013 00:00 - 30.04.2013 23:00

 #   Threat                          %
 1   Trojan.PWS.Panda.3734           1.30%
 2   Trojan.Inject2.23               1.11%
 3   JS.Redirector.155               0.95%
 4   Trojan.Necurs.97                0.88%
 5   Trojan.Packed.196               0.77%
 6   Win32.HLLM.MyDoom.54464         0.72%
 7   Trojan.PWS.Stealer.2877         0.65%
 8   Win32.HLLM.MyDoom.33808         0.51%
 9   Trojan.Packed                   0.51%
10   SCRIPT.Virus                    0.39%
11   Trojan.Oficla.zip               0.37%
12   BackDoor.Comet.152              0.37%
13   Trojan.PWS.Stealer.2830         0.37%
14   Trojan.PWS.Panda.547            0.35%
15   Win32.HLLM.Beagle               0.32%
16   Trojan.PWS.Panda.2401           0.30%
17   Trojan.MulDrop2.64582           0.26%
18   Trojan.PWS.Stealer.1932         0.25%
19   Trojan.PWS.Panda.655            0.25%
20   Trojan.Siggen5.13188            0.21%

Malicious files detected on user computers in April

01.04.2013 00:00 - 30.04.2013 23:00

 #   Threat                          %
 1   SCRIPT.Virus                    0.68%
 2   Adware.Downware.915             0.65%
 3   Tool.Unwanted.JS.SMSFraud.26    0.55%
 4   Adware.Downware.179             0.47%
 5   Adware.InstallCore.99           0.39%
 6   JS.Redirector.189               0.38%
 7   JS.IFrame.387                   0.37%
 8   Trojan.Packed.24079             0.36%
 9   Adware.InstallCore.101          0.36%
10   Trojan.Redirect.140             0.34%
11   Adware.Webalta.11               0.34%
12   Tool.Unwanted.JS.SMSFraud.10    0.33%
13   JS.Redirector.188               0.33%
14   JS.Redirector.175               0.31%
15   Trojan.Fraudster.394            0.31%
16   Win32.HLLW.Shadow               0.30%
17   Win32.HLLW.Autoruner.59834      0.29%
18   Tool.Skymonk.11                 0.29%
19   Adware.Downware.1109            0.28%
20   Trojan.Fraudster.407            0.27%

07.05 Dangerous Trojan substitutes web pages

May 7, 2013

Specialists from the Russian anti-virus company Doctor Web have studied one of the most widespread threats in April 2013, the Trojan Trojan.Mods.1, formerly known as Trojan.Redirect.140. According to statistics compiled by the curing utility Dr.Web CureIt!, infections with this Trojan represent 3.07% of the total number of detected threats. A summary of the study can be found below.

The Trojan has two components: the dropper and the dynamic link library which holds the payload. During installation, the dropper creates a copy of itself in one of the folders on the hard drive and runs that copy. In Microsoft Windows Vista, the dropper can be launched under the guise of a Java update that requests user confirmation in order to bypass User Account Control.


Then the dropper saves the main library to the hard drive. The library injects its code into all running processes on the infected computer but operates only in the processes of the following browsers: Microsoft Internet Explorer, Mozilla Firefox, Opera, Safari, Google Chrome, Chromium, Mail.Ru Internet, Yandex.Browser, and Rambler Nichrome. The configuration file containing all the data needed to run Trojan.Mods.1 is encrypted and stored inside the dynamic link library.

Trojan.Mods.1 is chiefly designed to replace web pages visited by users with malicious web pages by intercepting the system functions responsible for translating DNS names to IP addresses. As a result, instead of the sites they have requested, users are redirected to fraudulent pages where they are asked to enter a mobile phone number and reply to an SMS sent from the short number 4012. If they comply, a certain amount will be debited from their account.


The architecture of Trojan.Mods.1 contains a special algorithm that allows redirection to a certain group of addresses to be disabled.

The signature of this threat has been added to the Dr.Web virus database, so Trojan.Mods.1 does not pose a serious threat to systems protected by Doctor Web products.

29.04 Scanning Engine service in Dr.Web 8.0 for Windows updated

April 29, 2013

Doctor Web has updated the Scanning Engine service (8.1.0.201304260) in Dr.Web Security Space and Dr.Web Anti-virus 8.0 for Windows.

The update resolves an issue where SpIDer Guard would stop scanning files if the option to check running programs and modules was disabled.

The update will be automatically downloaded by the anti-viruses, but applying it will require a system reboot.

25.04 Dr.Web for IBM Lotus Domino updated

April 25, 2013

Russian anti-virus company Doctor Web has updated the plugin Dr.Web for IBM Lotus Domino for Linux to version 6.0.2.1. The plugin is designed to protect IBM Lotus Domino servers from viruses and spam.

The updated version of the module supports Red Hat Enterprise Linux (RHEL) 6 and Novell SuSE Linux Enterprise Server (SLES) 11 and incorporates updates of all plug-in components, including Dr.Web Virus Finding Engine, Dr.Web Daemon and Dr.Web Updater.

To install the new version of Dr.Web for IBM Lotus Domino you need to uninstall the previous one. All current settings and the quarantine database will be deleted. If necessary, back up the database found in the Dr.Web directory beforehand.

24.04 Components in Dr.Web 8.0 products for Windows updated

April 24, 2013

Russian anti-virus company Doctor Web has released an update for the Dr.Web Anti-rootkit Service (8.3.0.201304151), the Scanning Engine (8.1.0.201303280) and the file monitor Dr.Web SpIDer Guard (8.00.03.01110) incorporated in Dr.Web Security Space and Dr.Web Anti-virus 8.0 for Windows.

The scanning service tweaks improve overall performance, accelerate the launch of processes and speed up file scanning. Also, the service no longer needs the Windows API to detect system processes, so they can be removed from the list of scanned objects. This significantly increases system boot-up speed and accelerates the launch of trusted applications.

The updated Dr.Web SpIDer Guard can use some Dr.Web Anti-rootkit Service routines and, if necessary, utilize the service to neutralize threats.

The update also resolves known issues to improve the overall stability of Dr.Web Security Space and Dr.Web Anti-virus 8.0 for Windows.

  • An error that could cause a system failure when the Dr.Web Anti-rootkit Service was running has been fixed.
  • Also resolved was a problem where system files took longer than they should to process while removable data storage devices were being initialized and incorrect settings were in use for the Internet connection.
  • A defect keeping the size of the quarantine from resetting after being cleaned has been corrected.
  • Previously, malignant files were being moved to the local disk quarantine from a removable media device even if the option to create the quarantine on a removable media had been enabled; that issue has been fixed.
  • The error message “Access denied or incorrect program usage” was being displayed when Dr.Web was being removed, and that issue has also been rectified.

The update will be performed automatically; however, a system reboot will be required.

24.04 Windows versions of Dr.Web 6.0 products for Kerio mail servers and Internet gateways updated

April 24, 2013

Doctor Web has updated the sixth version of its products Dr.Web for Kerio mail servers and Dr.Web for Internet gateways Kerio.

Dr.Web for Kerio mail servers now supports Kerio Connect 8.0 and later, and Dr.Web for Internet gateways Kerio is now compatible with Kerio Control 7.0.0–7.4.2. The Dr.Web Virus Finding Engine has been updated in both products.

To update Dr.Web for Kerio mail servers or Dr.Web for Internet gateways Kerio, download the updated distribution and reinstall the application after removing the installed program.

23.04 Twenty-eight apps on Google Play spread Trojans

April 23, 2013

Russian anti-virus company Doctor Web is warning users that twenty-eight applications incorporating a malicious adware module that can download Trojans to Android devices have been discovered on Google Play. The total number of installations of these programs has reached several million.

Advertising in Android applications has long been used by developers to generate income from their work: it is a legal and very convenient way to be compensated for the time and money spent creating software. In 2011, cybercriminals also began using mobile ad networks to spread Trojans. The most common payloads are Android.SmsSend programs, which send short messages to premium numbers and subscribe users to chargeable services; Doctor Web recently reported an incident involving such a program. The list of malware spread in this way keeps growing.

Although existing ad networks such as Google AdMob, Airpush, and Startapp already served the criminals' purposes, they went a step further and created an ad network of their own. At first sight it looks like any other: Android developers are offered very favourable terms for using the advertising API and are promised a high, steady income and easy account management. So it is hardly surprising that some developers took an interest in it.

The advertising API provides push-notification ads that deliver small alerts to the Android notification bar. It also has undocumented features.

A push ad sent via the network can prompt the user to install what is presented as an important update for some application. If an unsuspecting user agrees, the advertising module downloads an apk package and places it in the download directory /mnt/sdcard/download on the memory card. The module can also create a home-screen shortcut pointing at the downloaded package; tapping the shortcut starts installation of the downloaded program.

An investigation by Doctor Web's analysts revealed that these apk files contain Android.SmsSend Trojans, and that the files were being downloaded from various fake application catalogues. The ad module in three of the analysed applications connected to a control server at 188.139.xxx.xx, while the module in the remaining 25 apps connected to a server at 91.226.xxx.xx. Both IP addresses were promptly added to the Dr.Web Parental Control database, so access to the respective sites is blocked.

Below is the full list of commands the control server can send to the malicious module:

  • news – display a push-notification
  • showpage – open a web page in a browser
  • install – download and install an apk package
  • showinstall – show a push-notification about the installation of an apk package
  • iconpage – create a shortcut to a web page
  • iconinstall – create a shortcut to the downloaded apk package
  • newdomen – change the control server address
  • seconddomen – set an alternate control server address
  • stop – stop sending queries to the server
  • testpost – re-send the request
  • ok – do nothing

In addition to executing these commands, the module collects the device's IMEI, mobile operator code, and phone number and sends them to the server.
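The behaviour described above (an apk dropped under /mnt/sdcard/download, a shortcut created for it, the command vocabulary, and the IMEI/phone-number collection) can be turned into a static triage check over a decoded app. The script below is an added example written for this page, not Doctor Web's detection logic: it parses the <uses-permission> entries of a decoded AndroidManifest.xml and matches the command names and drop path against a string dump of the app's code. The mapping from each capability to a permission (READ_PHONE_STATE for the IMEI and number, WRITE_EXTERNAL_STORAGE for the drop path, INSTALL_SHORTCUT for the shortcut) is an assumption about what an app of that era needed, and both sample inputs are constructed here, not taken from any of the 28 apps.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Full command vocabulary reported for the module's control channel.
C2_COMMANDS = {"news", "showpage", "install", "showinstall", "iconpage",
               "iconinstall", "newdomen", "seconddomen", "stop", "testpost", "ok"}
# Subset unlikely to occur in a clean app; "ok", "stop", "news" and "install"
# are ordinary words and carry no weight on their own.
RARE_COMMANDS = {"showinstall", "iconpage", "iconinstall", "newdomen",
                 "seconddomen", "testpost"}

# Assumption: the standard permission an app of that era needed per capability.
CAPABILITY_PERMS = {
    "network": "android.permission.INTERNET",
    "read_phone_identity": "android.permission.READ_PHONE_STATE",
    "write_sdcard": "android.permission.WRITE_EXTERNAL_STORAGE",
    "install_shortcut": "com.android.launcher.permission.INSTALL_SHORTCUT",
}

DROP_PATH_RE = re.compile(r"/mnt/sdcard/download\b", re.IGNORECASE)


def manifest_permissions(manifest_xml):
    """Return the set of android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml, strings):
    """Score a decoded app against the Androways indicators; returns a dict."""
    perms = manifest_permissions(manifest_xml)
    caps = {cap for cap, perm in CAPABILITY_PERMS.items() if perm in perms}
    lowered = {s.strip().lower() for s in strings}
    commands = C2_COMMANDS & lowered
    rare = RARE_COMMANDS & lowered
    drop_path = any(DROP_PATH_RE.search(s) for s in strings)

    reasons = []
    if len(rare) >= 2:  # two rare command names is already a strong signal
        reasons.append("c2_vocabulary:" + ",".join(sorted(rare)))
    if drop_path:
        reasons.append("apk_drop_path")
    if {"network", "read_phone_identity"} <= caps:
        reasons.append("can_exfil_imei_and_number")
    if {"write_sdcard", "install_shortcut"} <= caps:
        reasons.append("can_drop_and_shortcut_apk")

    has_vocab = any(r.startswith("c2_vocabulary") for r in reasons)
    if has_vocab and len(reasons) >= 3:
        verdict = "likely_androways_module"
    elif len(reasons) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons,
            "commands": sorted(commands), "capabilities": sorted(caps)}


# Constructed sample: a wallpaper app bundling the malicious ad module.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <application android:label="Wallpapers"/>
</manifest>"""
SUSPECT_STRINGS = ["news", "showpage", "install", "showinstall", "iconpage",
                   "iconinstall", "newdomen", "seconddomen", "stop", "testpost",
                   "ok", "/mnt/sdcard/download/", "getDeviceId",
                   "getLine1Number", "getNetworkOperator"]

# Constructed sample: a clean app that only shows ordinary banner ads.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""
CLEAN_STRINGS = ["news", "ok", "stop", "Settings", "http://example.com/ads"]

if __name__ == "__main__":
    for name, m, s in (("suspect", SUSPECT_MANIFEST, SUSPECT_STRINGS),
                       ("clean", CLEAN_MANIFEST, CLEAN_STRINGS)):
        print(name, triage(m, s))
```

The verdict deliberately requires the rare command vocabulary plus at least two corroborating indicators before naming the module, since the permission set alone is shared by many legitimate apps and the common command words are noise; in practice the manifest would come from a decoder such as apktool and the string list from a dump of classes.dex.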

The advertising API is particularly dangerous because applications that use it are found on Google Play, which is de facto the safest source of Android programs. Many users trust Google Play, so the number of installations of software carrying the advertising module is very large. Since precise download statistics for Google Play are hard to obtain, Doctor Web cannot say exactly how many devices have been compromised, but the number is estimated to exceed 5.3 million handhelds. This is the largest infection on Google Play since Google Bouncer was introduced.

Given the advertising API's malicious features and the connection between the ad network and sites spreading Android malware, Doctor Web has classified the module as adware that performs malicious tasks. It has been added to the virus databases as Android.Androways.1.origin and poses no threat to devices running Dr.Web anti-virus for Android.

© Doctor Web
2003 — 2013