Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to the news list

June 2012 virus review: Trojan.Hottrend banking malware,a three million host Win32.Rmnet.12 botnet and labour market fraud

July 2, 2012

June 2012 turned out to be fairly quiet in terms of information security—no abnormal bursts of virus activity or epidemics were registered. However, criminals conducted several mass mailings to spread malicious software, and new Trojans for Android appeared. In general, we can say that the number of identified threats has decreased slightly, however, that is quite typical of summer—the time for holidays and vacations.

Viruses

According to statistics collected by Dr.Web CureIt!, in June, Trojan.Mayachok.1 was the malware most frequently detected on users' computers, the same as a month ago. The number of its detections has increased markedly: from 3.73% (45,327 cases) in May to 5.82% (56,767 cases) in June. Detections of Trojan downloader modifications have multiplied as well. Trojan.SMSSend variations were found on infected computers as frequently as before, while, in contrast, detections of various Trojan.Carberp versions fell by a few percentage points. The graph below shows in percentage terms the distribution of the most common threats detected by Dr.Web CureIt!.

Threats detected on computers in 2012

As for threats spread via e-mail, BackDoor.Andromeda.22, which downloads a host of other dangerous applications onto an infected computer, is the undisputed leader. Programs of this backdoor family can exchange encrypted data with a remote server, and upon command, can download various files onto an infected machine.

Second and third places are occupied by Trojan downloaders, while the fourth position is taken by Trojan.Inject1.4969 whose mass distribution was already reported on in a recent news post. Also frequently delivered via e-mail are Win32.HLLM.MyDoom worms and different versions of Windows blockers.

Botnets

Back in April, Doctor Web discovered the largest botnet in history, comprised of a huge number of Apple-compatible computers infected with BackDoor.Flashback.39. Surprisingly, the botnet is still operating properly, although the number of its bots is declining gradually. According to verified data, 364,741 infected Macs were connected to the network at the beginning of June, and the number dropped to 191,756 by month's end. The average daily increase in bot numbers is also very small: an average of 25 newly infected computers are connecting to the BackDoor.Flashback39 network every 24 hours. See how the total number of BackDoor.Flashback.39 bots changed through June 2012 on the graph below.

BackDoor.Flashback.39 network decline in June 2012

The graph indicates a strong tendency towards the number of active, Apple-compatible computers infected with BackDoor.Flashback.39 being reduced. You can get more information about this threat and check your computer for a possible infection online at drweb.com/flashback, which has been specially designed by Doctor Web to help users neutralize the threat.

But in the case of the Win32.Rmnet.12 file infector, the situation is rather different: as we've already reported, its botnet has broken the three million mark The virus’s geographical reach has not changed much: the countries most exposed to infection still include Indonesia, Bangladesh, Vietnam, India, and Egypt; a large number of infected PCs can be found in Russia. To learn more about the Win32.Rmnet.12 file infector, refer to our recent publication. On average, 9-150 thousand new bots are registered in Win32.Rmnet.12 networks on a daily basis, which significantly increases the total number of infected machines. Win32.Rmnet.12 botnet growth through June 2012 is illustrated in the graph below.

Win32.Rmnet.12 botnet growth in June 2012

At the same time, the Win32.Rmnet.16 botnet also continues to grow, though not as rapidly. If at the end of May, this malware modification that is widespread mainly in the UK and Australia, infected 84,491 computers, within exactly one month, the number increased to 104,874. You can use the graph below to trace how Win32.Rmnet.16 infections increased in number.

img

Scammers are on the alert

In June, Doctor Web warned users about another fraud technique that was gaining popularity among criminals, and that publication triggered a wide response. The technique in question targeted online job seekers.

People, who register on a job offer portal as individuals seeking employment, typically fill out a special form in which they provide their full name, contacts, information about their educational background and work experience, as well as other data that may be of interest to a potential employer. Representatives of companies registered on the site as employers can view such CVs. In pursuing their goals, attackers create an account for a non-existing company on such a resource or pose as a well-known firm. Then the scammers search for CVs published on the website and send job offers to applicants. To get a job, a user is invited to an online interview, during which they must answer several simple questions via a specified website. Designed by criminals specifically for this purpose, such sites look like they belong to respected companies, so the unsuspecting victim falls into a trap.

screen

An online interview usually consists of a short test involving several dozen simple questions, and the applicant is not asked for their name, contact information, or information about work experience or qualifications. But after they have passed the test, the victim is invited to send an SMS message containing their personal result code to a short number and enter into the appropriate field the verification code received in a reply message. By doing this, the user winds up agreeing to the terms of a pseudo subscription to an information-access service, and the service fee will be debited from their account on a monthly basis.

It should be noted that some large companies do conduct such online interviews in order to accelerate the recruitment process. The best way to avoid such traps is to search the Internet for information about the company offering the job—many publications are available about any large and respected business. You can also search for the company's contact information and call them to find out more about the proposed interview. A telephone conversation with a company representative will certainly dispel a job seeker’s arising doubts.

The threat of the month: Trojan.Hottrend

The smallest known banking Trojan, dubbed Tinba (short for “tiny banker”) by security experts, won the title for Threat of the Month. Written in Assembly, it occupies as little as 20 KB. In the Dr.Web virus database, this threat is listed under the name Trojan.Hottrend, and the first records concerning this Trojan family were added to the Dr.Web virus databases as early as late April 2012.

The main purpose of this malware is to monitor Internet traffic to intercept sensitive (including banking) information and send it to criminals. In June, Doctor Web's analysts also discovered several other species of small-sized banking Trojans, for example, Trojan.PWS.Banker.64540 which occupies about 80 KB on a disk. A detailed description of this can be found onthreatDoctor Web's site, and a separate review has been published concerning Trojan.Hottrend malignant payload.

Threats to Android

The rate at which new threats to Android are identified appears to be steady. During the month, more than 35 new Android.SmsSend modifications were added to the virus database as well as several other malicious programs that may harm mobile devices. In addition, in the second half of June, we reported on the distribution of Trojan Android.SpyEye.2.origin, which is capable of stealing short messages on an infected mobile phone.

At the end of the month, Android.SmsBot.1.origin, distributed with spam, was added into the Dr.Web virus database. This malicious program uses a fairly complex algorithm to generate a Twitter account name and acquires control server names via this account. Having established a connection to a command center, Android.SmsBot.1 can send information about an infected device to criminals, receive commands, and report back upon their execution. Covert SMS sending is one of its key functions. It may be a danger to users of mobile devices, though some anonymous users (perhaps, individuals related to the program’s creation) argue that this application is intended to automate telephone voting.

Top 20 malware detected in June in mail traffic

 01.06.2012 00:00 - 29.06.2012 16:00 
1BackDoor.Andromeda.222.14%
2Win32.HLLW.Siggen.29842.06%
3Trojan.DownLoader6.198101.53%
4Trojan.Inject1.49691.23%
5Trojan.DownLoader6.209431.18%
6Trojan.DownLoader6.180491.09%
7Win32.HLLM.MyDoom.338081.01%
8Win32.HLLM.MyDoom.544640.88%
9Trojan.Winlock.56000.83%
10Trojan.AVKill.190240.74%
11Trojan.AVKill.187630.66%
12Win32.HLLM.Beagle0.61%
13Trojan.AVKill.187550.53%
14Win32.HLLM.Netsky.353280.48%
15Trojan.DownLoader6.183730.48%
16SCRIPT.Virus0.44%
17Trojan.AVKill.187490.44%
18Trojan.MulDrop3.558450.39%
19Win32.HLLM.Netsky.based0.39%
20Trojan.PWS.Panda.7860.35%

Top 20 malware detected in June on user PCs

 01.06.2012 00:00 - 29.06.2012 16:00 
1Trojan.Fraudster.2560.50%
2SCRIPT.Virus0.44%
3Trojan.Fraudster.2920.42%
4Adware.Downware.1790.38%
5Tool.Unwanted.JS.SMSFraud.150.36%
6Trojan.Fraudster.2960.35%
7Trojan.SMSSend.29250.35%
8JS.IFrame.2330.34%
9Win32.HLLW.Shadow0.34%
10Trojan.Fraudster.2610.33%
11Trojan.Mayachok.10.33%
12Trojan.SMSSend.29050.33%
13Trojan.SMSSend.28840.33%
14Tool.Unwanted.JS.SMSFraud.100.32%
15Win32.HLLW.Autoruner.598340.32%
16Trojan.SMSSend.27260.28%
17Trojan.Fraudster.3080.26%
18Win32.HLLW.Shadow.based0.26%
19Adware.Downware.3160.25%
20Tool.InstallToolbar.550.24%

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments