Real-time threat news
September 14, 2016
Once launched, the
When launched successfully, the Trojan creates two child processes. The first one exchanges data with a command and control server. The second one checks in an infinite loop that the parent process is running (and relaunches it if not). The parent process does the same for the child process—thus, the Trojan operates continuously on the infected machine.
- Update the malicious program
- Download and run the file specified in the command
- Remove itself
- Launch a UDP flood attack on a specified port
- Launch a UDP flood attack on a random port
- Launch a Spoofed UDP flood attack
- Launch a TCP flood attack
- Launch a TCP flood attack (random data up to 4096 bytes long is appended to the packets)
- Launch an HTTP flood attack using GET requests
- Launch an HTTP flood attack using POST requests
- Launch an HTTP flood attack using HEAD requests
- Send HTTP requests with the parameters specified to 255 random IP addresses
- Terminate execution
- Send a PING command
When the Trojan receives the command to launch a DDoS attack or send random requests, it first shuts down all the child processes and then launches 25 new ones, which subsequently carry out the attacks ordered by the criminals. The signature of
September 8, 2016
The Trojan can execute just four commands. It can connect to a specified chat channel; send cybercriminals information about an infected computer; send cybercriminals data about the applications running in a system; and delete itself from an infected machine.
Unlike the majority of its counterparts,
The signature for
August 29, 2016
The Trojan is notable for its ability to bypass the Windows protection mechanism User Account Control (UAC). Information about this technique was first posted in an Internet blog on August 15. Just three days later, the first sample of this Trojan, which was subsequently named
First, a dropper, which saves an installer to the disk and runs it, and a BAT file, which is responsible for the dropper’s removal, are simultaneously launched. Then the installer connects to the command and control server to receive a configuration file which specifies an address for downloading the browser.
The browser, named Outfire, is a special build of Google Chrome. During installation, it registers itself in the Windows system registry, launches several system services, and creates tasks in the Windows Task Manager in order to load and install its updates. In addition, Outfire modifies the installed Google Chrome browser by removing or creating new shortcuts and copying current Chrome user account information into the new browser. Finally,
Once the installation is complete, the fake browser displays a home page which cannot be changed in the browser’s settings. In addition, it has a fixed extension designed to replace advertisements in browsed webpages and uses its own search engine, set by default—however, it can be changed in the application’s settings.
Dr.Web successfully detects and removes
August 19, 2016
The new Trojan, named
Today’s botnets can be divided into two types. Botnets of the first type use command and control (C&C) servers to receive instructions; and botnets of the second type transmit information from one infected machine directly to another and are called peer-to-peer (P2P) botnets.
The malware program receives directives over the HTTPS protocol and sends them to other botnet nodes, if necessary. When commanded by cybercriminals,
The Trojan uses a known vulnerability to hack websites built using Drupal. After performing a SQL injection, it logs itself into the system. If a site is hacked,
August 15, 2016
The Trojan, named
Like its counterpart
The Trojan’s main payload is placed into the avicap32.dll library, and its operation parameters are stored in an encrypted configuration block.
If a Windows program needs a dynamic library to be loaded in order to operate, the system first searches for a file with that name in the folder from which the program was run, and only then in the Windows system directory. Virus makers decided to take advantage of this Windows behaviour: TeamViewer needs the standard avicap32.dll library, which is stored in one of the default system directories. However, the Trojan places a malicious library with that same name right in the folder with the original TeamViewer executable file, and, as a result, Windows loads the malicious library, rather than the legitimate one, into memory.
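The DLL search-order abuse described above can be checked for on a defender's side by comparing DLLs that sit beside an application executable against the copies in the system directory. This is an added example, not Doctor Web's code; the directory layout and file contents are a constructed fixture, and the name avicap32.dll is the only one taken from the text.

```python
"""Added example (not Doctor Web's code): flag DLLs planted in an application
folder that shadow a same-named DLL in the system directory, the search-order
trick the text describes for avicap32.dll next to TeamViewer."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_shadowed_dlls(app_dir, system_dir):
    """Return one finding per DLL in app_dir whose name also exists in
    system_dir. Windows resolves an unqualified library name against the
    application directory before the system directory, so such a file wins
    the lookup; a byte-identical copy is a benign duplicate, anything else
    deserves a look."""
    app_dir, system_dir = Path(app_dir), Path(system_dir)
    # Windows file names are case-insensitive; normalise before matching.
    system_dlls = {p.name.lower(): p for p in system_dir.iterdir()
                   if p.is_file() and p.suffix.lower() == ".dll"}
    findings = []
    for planted in sorted(app_dir.iterdir()):
        if not planted.is_file() or planted.suffix.lower() != ".dll":
            continue
        legit = system_dlls.get(planted.name.lower())
        if legit is None:
            continue  # the application's own DLL; nothing in the system dir to shadow
        same = sha256_of(planted) == sha256_of(legit)
        findings.append({
            "dll": planted.name,
            "path": str(planted),
            "matches_system_copy": same,
            "verdict": "benign duplicate" if same else "possible search-order hijack",
        })
    return findings


def build_demo_tree():
    """Constructed fixture: a fake application folder and a fake System32.
    The byte strings are placeholders, not real DLL contents."""
    root = Path(tempfile.mkdtemp(prefix="dllscan_"))
    app, system = root / "TeamViewer", root / "System32"
    app.mkdir()
    system.mkdir()
    (system / "avicap32.dll").write_bytes(b"LEGIT-AVICAP32")
    (system / "version.dll").write_bytes(b"LEGIT-VERSION")
    (app / "TeamViewer.exe").write_bytes(b"MZ-placeholder")
    (app / "avicap32.dll").write_bytes(b"EVIL-AVICAP32")   # planted copy
    (app / "version.dll").write_bytes(b"LEGIT-VERSION")    # identical copy
    (app / "tvhelper.dll").write_bytes(b"APP-OWN-DLL")     # application's own DLL
    return app, system


if __name__ == "__main__":
    app_dir, system_dir = build_demo_tree()
    for f in find_shadowed_dlls(app_dir, system_dir):
        print(f"{f['dll']:14} {f['verdict']}  ({f['path']})")
```

On a real host the same function would be pointed at the application's install folder and at %SystemRoot%\System32.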
- Restart the computer
- Turn off the computer
- Remove TeamViewer
- Relaunch TeamViewer
- Start listening through the microphone
- Stop listening through the microphone
- Identify the web camera
- Start viewing via the web camera
- Stop viewing via the web camera
- Download a file; then save it to a temporary folder and run it
- Update a configuration file and the backdoor’s executable file
- Connect to the specified remote server, then run cmd.exe with its input and output redirected to that server
Once executed, these commands give cybercriminals extensive capabilities to spy on users and steal their personal information. In particular, we know that virus makers have used this Trojan to install malware programs belonging to the Trojan.Keylogger and Trojan.PWS.Stealer families. In the course of their investigation, Doctor Web’s security researchers found that the backdoor targets residents of particular countries and regions at different times. For example, in July,
Nevertheless, a large number of cases involving this Trojan were also registered in Russia:
Doctor Web specialists are keeping a close watch on this Trojan and recommend that users be more careful and update their virus databases in a timely manner. Dr.Web Anti-virus successfully detects and removes
August 8, 2016
A Trojan, named
Dr.Web for Linux successfully detects and removes
August 4, 2016
This Trojan, named
Although the Trojan may appear to be a benign application, it performs typical adware functions. Therefore, once
- Add a shortcut to the home screen
- Display an advertisement
- Open advertising webpages in the browser or in a Google Play application
To do this,
Nevertheless, the Trojan’s abilities to covertly buy and install apps are limited. First,
Dr.Web for Android products successfully detect and remove
August 2, 2016
The Trojan, named
The Trojan first checks whether its copy and any virtual machines, emulators, and debuggers are present in the infected system. If
The wmic.exe utility then runs the executable file of
Dr.Web Anti-virus successfully detects and removes this Trojan, and, therefore, this malicious program poses no threat to Dr.Web users.
July 28, 2016
This Trojan, named
Among these malicious applications are live wallpapers, image catalogs, utilities, photo editors, radio applications, and so on. Thus far Doctor Web’s security researchers have registered 155 dangerous applications, which have already been downloaded over 2.8 million times. Although the company informed Google as to which applications contain Android.Spy.305.origin, many of them are still available for download.
Once one of these applications is launched,
The Trojan then sends the following data to the C&C server:
- Email address connected to the Google user account
- List of installed applications
- Current system language
- Name of the device manufacturer
- Mobile device model
- IMEI identifier
- OS version
- Screen resolution
- Mobile network operator
- Name of the application containing the Trojan
- Developer’s ID
- SDK platform’s version
Despite the fact that Google Play is an official and reliable source of software for Android, various Trojans can still periodically be found in Google Play applications. Thus, Doctor Web’s specialists recommend that users pay attention to negative feedback posted by other users and download software created by reliable developers. Dr.Web for Android products successfully detect and remove
June 27, 2016
All information sent by
- 1C version 8
- 1C version 7 and 7.7
- Microsoft Word
- Microsoft Excel
- Microsoft Outlook
- Microsoft Outlook Express and Windows Mail
- Mozilla Thunderbird
In addition, the Trojan collects information about connected smart card devices. Separate components of
Dr.Web Anti-virus detects and removes all the above-mentioned malware programs. Therefore, they do not pose any threat to our users. Doctor Web specialists would like to thank Yandex for providing the Trojan’s sample for research.
June 23, 2016
- Battery Booster;
- Power Booster;
- Blue Color Puzzle;
- Blue And White;
- Battery Checker;
- Hard Jump - Reborn 3D.
These programs, which are games and service tools, have been downloaded by more than 15,500 users. In addition, Doctor Web security researchers registered over 55,000 downloads of these applications after they gained access to the Trojan’s C&C server. Our specialists have already informed Google about this incident. So far, applications containing
Once one of these applications is launched,
The Trojan can also perform another function—download software, including malicious programs. For instance, Doctor Web specialists detected the
If you do not want to fall victim to these fraudulent schemes, we recommend paying careful attention to all pop-up messages and notifications, and we warn you against entering your phone number into suspicious input forms.
Most of the applications compromised with
June 22, 2016
It is no doubt that
The Trojan is distributed as an attachment to the following email message titled “Our BIC code has been changed”:
Greetings! Our BIC code has been changed. Please update your bank classifier. The classifier can be updated automatically in 1C Enterprise 8. File – Open classifier update processor from the attachment. Click YES to update the classifier automatically. Within 1-2 minutes if there is Internet connection.
The email message contains an external data processor for “1C: Enterprise” named ПроверкаАктуальностиКлассификатораБанков.epf. The body of this module is password-protected—thus, standard methods cannot be used to view its source code. If the user runs this file in the 1C:Enterprise mode, the following window is displayed:
Clicking on any button of this window will launch
Meanwhile, the Trojan starts its malicious activity on the computer. First, it searches the 1C database for contractors with known email addresses and then sends the above-mentioned text message with its own copy attached. The Trojan uses the email address specified in the victim’s 1C user account as the sender’s address. If the user has not specified their email, the Trojan substitutes it with email@example.com and attaches the ОбновитьБИКБанка.epf external data processor that contains the Trojan’s copy. If the file is run in the 1C software, the ransomware Trojan will affect the computer as well; yet, this copy of
- Trade Management 11.1
- Trade Management (basic) 11.1
- Trade Management 11.2
- Trade Management (basic) 11.2
- Accounting 3.0
- Accounting (basic) 3.0
- 1C:Comprehensive Automation 2.0
June 15, 2016
The Trojan is implemented as a fully-featured VK audio player. To listen to music, the user has to log in to their profile by entering their login and password. In fact, all this private information is immediately sent to the C&C server, which means that attackers get full control over the user’s VK profile.
Doctor Web specialists registered the attempts of virus makers to sell user profiles hacked with
Attackers have already tried to distribute
The Trojan’s authors have created their own VK community, which has more than 44,600 subscribers. All members are invited to download
In addition, attackers published one more application named “Music and video for VK” («Музыка и видео для ВК») and developed by Gomunkul. At present, this player does not contain the payload.
Despite its apparent harmlessness, this player may become a full-blown Trojan once attackers decide to modify one of its parameters (or add any functions including malicious ones) and update the malicious program. If this happens, the Trojan will continuously prompt the user to install a plug-in necessary for its operation. It should be noted that the plug-in and
More than 1,000,000 users have currently downloaded the player and can fall victim to the Trojan at any time. Because of the danger that this player represents for Android devices, it was added to our virus database under the name of
Doctor Web strongly advises users to install only official applications and protect their devices with anti-virus software.
June 14, 2016
If you have fallen victim to this malicious program, and files on your computer were encrypted before June 2016, it is possible to restore the compromised data. However, it depends on several conditions and especially on the user’s actions.
To decrypt files compromised with CryptXXX, go to the Doctor Web decryption service page. Free decryption services are only available to users who have valid commercial Dr.Web licenses and whose systems—at the moment of infection—were protected by Dr.Web Security Space (Windows), by Dr.Web Anti-virus for OS X or Linux (version 10 or later), or by Dr.Web Enterprise Security Suite (6+). Other users can purchase Dr.Web Rescue Pack by sending the standard request form: the service is charged only if the analysis shows that your files can be recovered. In addition, clients who have used this service can get a free two-year Dr.Web Security Space license for one computer. To find more information about ransomware Trojans, follow this link.
June 10, 2016
As we have mentioned before, some samples of
It turns out that
Despite the fact that
June 3, 2016
Due to its ability to spread without any user intervention and to infect executable files, the malicious application, or
The most dangerous features of this banking Trojan are its ability to spread itself and to infect programs. The self-spreading function is activated by cybercriminals. Then
Dr.Web Anti-virus detects programs infected by this virus as
As Carberp’s successor,
The main purpose of
Functions and architecture of
May 26, 2016
This time, attackers focused their attention on those who prefer to play hacked games, which make gameplay easier and faster. To distribute the Trojan, virus makers monitor whether a potential victim is searching the Web for cheat codes that simplify a game’s walkthrough (for example, infinite gold, crystals, and so on) or wants to download a hacked version of a favorite game. As a result, among the search results, the user sees links that lead to various fraudulent websites specially designed to trick naive gamers.
These websites can inform users about more than 1,000 different mobile games—thus, the search engine displays fraudulent links on top of the search results. It is noteworthy that all these resources have valid digital signatures, which makes them seem quite legitimate.
When the user tries to download a game from this site, they are redirected to another scam webpage that is used to spread
After that, the Trojan determines whether an online banking application is installed on the device and how much money is available in the user’s bank accounts. To do that,
Moreover, attackers control the Trojan from the remote server. Thus, this malware can enable forwarding to the specified number, hide and intercept SMS messages, send text messages and USSD requests, and perform other malicious actions.
Doctor Web specialists strongly recommend avoiding such dubious resources and not downloading hacked mobile games and applications if you do not want to lose all the money from your bank accounts. Dr.Web for Android successfully detects all the known modifications of this Trojan, and, therefore, this malicious program poses no threat to our users.
May 25, 2016
As a rule, Trojans use TeamViewer to get access to the user’s computer. Yet, in this case, TeamViewer plays another role:
Once TeamViewer is launched,
What is more, there is another encrypted library that is hard-coded in the Trojan's body and is responsible for performing malicious activity of
The malicious program can execute several commands. Yet, its main functions are to establish a connection to the server (including authorization to it) and to redirect traffic from the server to a specified remote server via the infected computer. Thus, cybercriminals can remain anonymous on the Web while connecting to remote servers, using the infected computer as a proxy server.
Dr.Web Anti-virus detects and removes
Doctor Web specialists would like to thank Yandex for providing the Trojan’s sample for research.
May 12, 2016
Early versions of
It is noteworthy that all the first versions of the Trojan attacked users only in Russia and CIS countries. At that time, it was spread via spam SMS messages that invited the victim to follow a link and read a reply to an announcement posted on the Web. In fact, all those links redirected the user to scam websites that distributed the malicious application under the guise of a benign program.
Later, the number of attacks considerably reduced. Yet, at the end of 2015, Doctor Web security researchers registered the emergence of new and more sophisticated versions of Android.SmsSpy.88.origin designed to infect Android devices all over the world.
This Trojan still masquerades as benign programs—for example, Adobe Flash Player. Once launched,
The Trojan establishes an Internet connection and keeps it active over Wi-Fi or the mobile network operator’s data channel. This keeps the Trojan continuously connected to the C&C server and prevents possible malfunctions. The malware then generates a unique identifier for the infected device. The identifier and other technical details are sent to the server, where the infected device is registered.
The main purpose of
Once one of the specified applications is launched,
One of the malware’s key features lies in the fact that it can attack clients of almost any bank in the world. Thus, cybercriminals create a new template of a fraudulent authentication form and command the Trojan to update its configuration file. Once updated, the file will contain the name of the necessary banking application.
Apart from stealing logins and passwords for user accounts, the Trojan also tries to obtain the user’s bank card details.
However, the Trojan is able to perform other malicious functions: intercept and send SMS and MMS messages, send USSD requests, send SMS messages to all contacts in the contact list, transmit all saved messages to the server, set a lock-screen password, and lock the home screen with a specially formed dialog. When commanded to lock the home screen, the Trojan displays a fake dialog template informing the user that they illegally store and distribute pornography and must pay with an iTunes Gift Card to unlock the device.
At the beginning of 2016, Doctor Web security researchers gained access to more than 50 botnets that consisted of mobile devices infected with different versions of
Users in the following countries suffered most of all: Turkey (18.29%), India (8.81%), Spain (6.90%), Australia (6.87%), Germany (5.77%), France (3.34%), the USA (2.95%), the Philippines (2.70%), Indonesia (2.22%), Italy (1.99%), South Africa (1.59%), Great Britain (1.53%), Pakistan (1.51%), Poland (1.1%), Iran (0.98%), Saudi Arabia (0.96%), China (0.92%), and Bangladesh (0.85%).
Moreover, the majority of infected mobile devices were running Android 4.4 (35.71%), 5.1 (14.46%), 5.0 (14.10%), 4.2 (13.00%), and 4.1 (9.88%).
The reason why
To protect your smartphone or tablet from such banking Trojans, Doctor Web recommends following the guidance below:
- Use another mobile device for making online bank transactions if possible.
- Set a limit on cash withdrawal from your bank account via online banking services.
- Do not follow links received in dubious SMS messages.
- Do not download applications from unreliable resources.
- Protect your device with anti-virus software.
Dr.Web for Android successfully detects all the known applications containing
May 6, 2016
The Trojan is distributed via a dropper in the form of a Microsoft Excel file with a special macro. This macro assembles a self-extracting archive byte by byte and runs it. The archive consists of an executable file, which has a valid digital signature registered to Symantec, and a dynamic library, in which all the main functions of the Trojan are implemented.
After being launched,
Before connecting to the server, the backdoor collects the following data on the infected computer: its name, the version of the operating system, and information about the processor, RAM, and drives. This information is then transmitted to the server. After that, the Trojan gathers more detailed data on the computer’s drives, which is sent to cybercriminals together with the keylogger file.
To receive instructions, the Trojan sends a special request to the server. Upon a command, the malware can send a particular file or information about a specified folder, delete or rename a file, create a new folder, and take a screenshot and send it to the attackers.
Dr.Web successfully detects and removes BackDoor.Apper.1, and, therefore, this malicious program poses no threat to our users.
April 29, 2016
All applications containing
To solve a sudden problem that the user had no clue about, the victim, of course, has to install a fraudulent application. And to ensure that the offered application is downloaded,
If the user decides to download the malicious application, they are redirected to the Google Play store, straight to the section in which this app is located. For each download, fraudsters receive a payment under the terms of affiliate advertising agreements. This explains why
Doctor Web strongly advises Android users to be very careful and not to install dubious applications even if these applications are distributed via Google Play. Dr.Web for Android successfully detects and removes
April 29, 2016
The malicious plug-in for Google Chrome is detected as
If the user follows the specified link, they are redirected to a webpage whose appearance is identical to the Facebook web design. Yet, if the link is followed from another website, the user is redirected to a blank webpage.
The webpage is named “Hello please watch my video” and contains an allegedly standard video player. If the victim uses Chrome, they are prompted to download and install a browser plug-in that is, in fact, another copy of
Doctor Web security researchers registered more than 12,000 cases involving the
April 22, 2016
At present, the number of online shopping scams continues to grow. To make a profit out of gullible Internet users, attackers implement diverse fraud schemes. In this paper, we are going to focus on one of them that is quite popular on the Russian Internet, judging from the number of people affected by it.
As a rule, this scheme starts with the emergence of an online store, which offers its customers expensive electronic goods, photography equipment, garden or construction tools, jewelry, and many other products at a very attractive price. Such stores have a large number of positive recommendations published by allegedly happy customers, and their URLs closely resemble those of other popular online stores. In addition, these fraudulent websites contain such standard information as an office address, a contact number (answered by a dispatcher), and a founding company’s name. Yet, it is noteworthy that all of them are created using one and the same website template.
Scammers promise fast delivery of goods to any Russian region and offer payment via QIWI Wallet, a bank card, POS terminals, or other payment services. The only important condition is that a potential victim has to make a full prepayment.
Having made the prepayment, the victim waits for a purchase confirmation. However, after some time, the website and the phone number become unavailable, and all messages sent by the scammed user to the contact email address are returned. Within a few days, the same shop with a similar range of goods but with a different name and URL emerges on the Internet.
It is usually rather difficult to track down these scammers because they use voice-over-IP (VoIP) services to organize their underground activity, and fly-by-night companies, stolen documents, and front men to withdraw money from the account.
Unfortunately, the growing number of such scams can be explained by the fact that victims
- Are often tricked by an unbelievably low price of a product or by attractive benefits that advertised goods or services might have, which sounds too good to be true.
- Neglect to check, using any WHOIS service, when the online store’s domain was registered.
- Do not search for or pay attention to feedback about the chosen online store.
- Do not use any online map service to look up the location of the online store’s office or warehouse and make sure that the address is not a wasteland or an abandoned factory.
Therefore, Doctor Web strongly recommends being careful when shopping online and making purchases only from reliable online stores.
April 13, 2016
The infection begins with the ELF file, which is detected by Dr.Web as
In the second thread,
Security researchers registered that
April 8, 2016
This malware, which runs on 32- and 64-bit Windows, is able to carry out a wide range of malicious activities. Thus, it can steal information entered by the user into web data forms and perform web injections and keylogging functions. In addition, the Trojan is also designed to get remote access to the user’s machine by means of Virtual Network Computing (VNC). Moreover, upon a command, the Trojan can run the SOCKS proxy server and download and install various plug-ins.
Like many other modern malware programs,
All the above-mentioned functions, especially the Trojan’s ability to perform web injections, are used to steal various confidential data from the user’s computer, including login credentials for online banking systems. Dr.Web successfully detects and removes