Russian anti-virus company Doctor Web has updated Dr.Web Firewall for Windows driver (12.05.00.10070), Dr.Web Scanning Engine (12.5.1.201910020), Dr.Web Anti-rootkit API (12.5.2.201910080), Dr.Web File System Monitor (12.05.01.09230), the Dr.Web Protection for Windows (12.05.01.09250) and Dr.Web SysInfo (12.5.0.201909270) modules, Dr.Web Thunderstorm Cloud Client SDK (12.0.7.09170) and Lua-script main (12.5.0.10040) in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0 and Dr.Web 12.0 for Windows Servers. Furthermore, Dr.Web Net Filtering Service (12.5.0.09270), Dr.Web Firewall for Windows (12.05.00.10110), Dr.Web for Outlook Plugin (12.0.7.201910040), and the Lua-script for net-filter (12.0.0.06170) configuration script have been updated in Dr.Web Security Space 12.0 and Dr.Web Anti-virus 12.0. The update resolves known issues and delivers feature upgrades.
Changes made to Dr.Web Firewall for Windows driver:
An issue causing user-defined application blocking rules to be ignored has been resolved.
Changes made to Dr.Web Scanning Engine:
A scanning service defect was eliminated. The issue in question, which occurred when the option to scan local networks was enabled, prevented files from being restored to their previous versions from their respective shadow copies on the server.
Changes made to Dr.Web Anti-rootkit API:
Enhanced threat detection and neutralisation routines.
Changes made to Dr.Web Protection for Windows:
A problem has been fixed that rendered the self-protection module non-operational if Dallas Lock software was being used alongside Dr.Web in a system.
Changes made to the Dr.Web Net Filtering Service:
Problems occurring when the Mikrotik router web interface was being accessed have been fixed;
An issue preventing the Your Phone application on Windows 10 PCs from establishing a connection to Android devices has been resolved;
Also resolved was a problem preventing other nodes from appearing in the network neighbourhood under Windows 10.
Changes made to Dr.Web for Outlook Plugin:
The routines that block outgoing malicious attachments have been upgraded;
Adjustments have been made to the routines that process emails with attachments to avoid SpIDer Guard file monitor issues.
The update will be performed automatically; however, a system reboot will be required.
Russian anti-virus company Doctor Web has updated its Dr.Web Light for macOS product to version 11.1.1. The update resolves a known software issue.
Specifically, it addresses an issue preventing the UI from displaying properly in Dark Mode under macOS 10.14 and later.
To update Dr.Web Light for macOS to version 11.0.1, go to the Mac App Store and in the Update section, click Update next to the product name. Dr.Web Light for macOS users can update the product free of charge.
Please note that Dr.Web Light for macOS has a limited set of features. To fully protect your Mac, use Dr.Web for macOS.
Doctor Web has detected a clicker trojan that can automatically subscribe users to paid services in the official Android app store.
Virus analysts have identified several modifications of this malicious code, dubbed Android.Click.322.origin, Android.Click.323.origin, and Android.Click.324.origin. To hide their true purpose, as well as make the trojans harder to detect, cybercriminals used several tricks. They integrated the clicker into harmless applications, such as camera apps and image collections, that did work as described. As a result, users and information security experts had no obvious reason to consider them as a threat.
Apart from that, all malware was protected by the commercial Jiagu packer, which makes it harder for antiviruses to detect them and hinders the code analysis. Thus, the trojan was more likely to avoid detection by the built-in security tools of Google Play.
Besides, virus writers tried to disguise the trojan as well-known advertising and analytics libraries. After being added to the host software, it embedded itself in the Facebook and Adjust SDKs, hiding among their components.
The clicker attacked users selectively; it did not perform any malicious actions if the potential victim was not residing in one of the attackers’ countries of interest.
See below examples of apps with this trojan:
Upon installation and launch, the clicker (hereinafter, we will take its modification Android.Click.322.origin as an example) prompts the user to give it access to notifications of the operating system:
If the user grants it the permissions, the trojan will be able to hide all notifications about incoming text messages and hook them.
Next, the clicker sends the technical data about the infected device to the command and control server and checks the serial number of the victim’s SIM card. If it corresponds to one of the target countries, Android.Click.322.origin sends information about the phone number to the server. The clicker also displays a phishing window to users of certain countries, where it offers them to enter the phone number or log in to their Google account:
If the victim’s SIM card is not registered in a country of interest, the trojan does not take any action and stops its malicious activity. The studied modifications attack residents of the following states:
Austria
Italy
France
Thailand
Malaysia
Germany
Qatar
Poland
Greece
Ireland
After transmitting the number, Android.Click.322.origin waits for a command from the command and control server, which sends tasks with websites to load and JavaScript code. This code controls the clicker via JavascriptInterface, displays pop-up notifications on the device, clicks on web pages, and performs other actions.
After receiving a website address, Android.Click.322.origin opens it in an invisible WebView, where it also loads the received JavaScript code with the parameters for clicking. After opening a website with a premium service, the trojan automatically clicks on the corresponding links and buttons. Then it hooks verification codes from text messages and independently confirms the subscription.
Even though the clicker is not designed to work with text messages and has no access to them, it bypasses the restriction as follows. The trojan service monitors notifications from the default application that works with text messages. When there is an incoming message, the service hides the system notification. Then it hooks the information about the received text from the notification and transmits it to the trojan broadcast receiver. As a result, the user does not see any notifications about incoming texts and does not know what is happening. They only know about the subscription when money withdraws from their account, or if they go to the message menu and see texts related to the premium service.
Doctor Web experts have contacted Google and the detected malicious applications were removed from Google Play. All known modifications of this clicker are successfully detected and removed by Dr.Web for Android and do not pose any threat to our users.
Russian anti-virus company Doctor Web will be participating in the international cybersecurity conference Avar 2019, which will be held in Osaka, Japan, on November 6-9, 2019. The company's security researchers will report on the infamous botnet Trojan.Belonard, which has targeted the computers of Counter Strike players. It is also worth mentioning that Dr.Web successfully detects all Belonard modules.
Doctor Web is participating in Avar 2019
Usually when it comes to threats related to video games, the first thing we talk about is stolen accounts. However, there exists another kind of danger, one many security researchers often overlook—an entire industry of underground services is at work promoting game servers. More often than not, illegal methods are involved, including infecting game clients. The Trojan.Belonard botnet was designed to promote servers running Counter Strike 1.6.
On November 8, at the Conference, Igor Zdobnov, Doctor Web’s chief malware researcher, and his colleague, Ivan Korolev, will talk at length about the Trojan.Belonard threat. Doctor Web has conducted thorough research on this threat. The company published published the results on its website in March 2019. By leveraging a Counter Strike client vulnerability, the botnet makers herded infected machines into their infrastructure in order to promote game servers for a fee. Thanks to the efforts of our security researchers, Dr.Web is now able to detect all the Trojan’s modules, rendering it incapable of posing a threat to users whose systems are protected by Dr.Web.
Doctor Web invites all Dr.Web users to participate in the new project in its “Configure Dr.Web” series in order to learn more about the features within Dr.Web Firewall’s settings.
Each survey participant who has a Doctor Web account will be awarded with 100 Dr.Weblings as a “thank you” for taking time out to answer the survey questions.
Doctor Web will award participants 100 Dr.Weblings for taking part in its “Configure Dr.Web” project about Dr.Web Firewall’s settings.
Many users, especially inexperienced ones, opt not to install the firewall when installing Dr.Web anti-virus products because this component periodically displays messages that require a response, thereby allegedly distracting users so frequently that they can’t work in peace on the Internet.
Dr.Web Firewall indeed operates according to the rules and settings users configure for it. Usually, the rules are established during the "dialogue" that takes place between the user and the application: the firewall issues requests for program network access, and its owner decides whether to allow the connection or not. That is why it is very important to be extremely meticulous when working with the firewall; programs used should only be given the network access permissions they need.
The new project in the “Configure Dr.Web” series is devoted to properly configuring Dr.Web Firewall, and all Dr.Web users are invited to participate. We invite IT professionals involved in administering Dr.Web products for business, as well as Dr.Web Security Space and Dr.Web Anti-virus users, to test how well they know how to configure this Dr.Web component. Answering the survey questions will help participants learn more about the firewall’s features and show them that it is an important tool for keeping them safe on the Internet. Doctor Web will award each participant with 100 Dr.Weblings as a “thank you” for spending time answering the survey questions.
Now the utility incorporates the latest versions of the anti-virus components and boasts enhancements that further improve malware detection.
The updated modules include Dr.Web Anti-rootkit API (12.5.2.201910080), Dr.Web Scanning Engine (12.5.1.201910020), and Dr.Web Protection for Windows (12.05.01.09250).
In addition, the anti-rootkit scan false positive REG:SUSPICIOUS.UserinitCorrupted has been eliminated.Furthermore, an anti-rootkit module issue that made it difficult to neutralise threats discovered in Task Scheduler has been resolved.
Both the paid and the free editions of the utility have been updated.
Russian anti-virus company Doctor Web has updated a number of modules in its Dr.Web products for Unix-like systems. The updated modules include drweb-maild (11.1.4-1910081539), drweb-antispam (11.1.4-1909241809), drweb-ctl (11.1.3-1909181025), drweb-update (11.1.2-1907241204), drweb-smbspider (11.1.2-1909131526, 11.1.2-1909131619), drweb-statd (11.1.2-1909261115), drweb-icapd (11.1.2-1908052330), drweb-common (11.1.2-1908131611), drweb-esagent (11.1.3-1909121441), drweb-configd (11.1.4-1909121647) and drweb-gated (11.1.1-1909042330). The update introduces new features, resolves known issues, and delivers minor upgrades.
Changes affecting Dr.Web Anti-virus 11.1 for Unix Mail Servers, Dr.Web Anti-virus 11.1 for Unix Server, and Dr.Web Anti-virus 11.1 for Internet gateways Unix and Dr.Web Anti-virus 11.1 for Linux.
drweb-maild, drweb-antispam:
A Milter protocol issue involving connections to unknown socket types has been resolved.
Memory usage during mail processing has been optimised.
drweb-smbspider (linux amd64 - drweb-smbspider):
Samba 4.10 has been rebuilt to avoid issues under FreeBSD.
drweb-icapd
Now Lua can be used to create rules.
Changes made to drweb-ctl and drweb-update in Dr.Web Anti-virus for Linux and Dr.Web Anti-virus 11.1 for UNIX Mail Servers:
Offline updating is now available.
Changes made to drweb-statd in Dr.Web Anti-virus 11.1 for Unix Server:
Database rotation is now applied to the event database.
The update is performed via the Dr.Web repository. If you encounter any problems when updating, please use the instructions from our previous news post to specify the additional repository for the Dr.Web software you use.
Russian anti-virus company Doctor Web has updated the Dr.Web Anti-rootkit API module (12.5.1.201910040) in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0 and Dr.Web 12.0 for Windows Servers. The update resolves known issues and delivers minor upgrades.
Specifically, it addresses an anti-rootkit module issue that made it difficult to neutralise threats discovered in Task Scheduler.
The update will be downloaded and installed automatically.
Doctor Web presents its September 2019 overview of malware activity. Last month, users mostly faced adware. Email traffic mostly showed threats exploiting Microsoft Word vulnerabilities. The number of requests to technical support for file decryption has increased, as well as the number of dangerous and non-recommended websites. Read about these and other events in our review.
In September, Dr.Web server statistics showed an increase in the total number of threats by 19.96%, as compared with the previous month. At the same time, the share of unique threats decreased by 50.45%. Users were mostly attacked by adware, as well as software downloaders and installers. In email traffic, again, prevailed the threats that exploit Microsoft Office vulnerabilities to infect devices.
The number of requests to decrypt files affected by trojan encoders has increased. Trojan.Encoder.858 was the most active encoder, accounting for 16.60% of all incidents. Besides, the database of non-recommended and malicious websites was updated with almost twice as many Internet addresses as in August.
Principal trends in September
Growing number of users targeted by encoders
Advertising trojans and adware remain amongst the most active threats
According to Doctor Web’s statistics servers
The most common threats in September:
Adware.SweetLabs.1
Adware.SweetLabs.2
Alternative app store and add-on for Windows GUI from the creators of Adware.Opencandy.
Adware.Elemental.14
Detects adware downloaded from file sharing services because of link spoofing. Instead of normal files, victims get applications that display advertising as well as install unwanted software.
Adware.Softobase.15
Installation adware that spreads outdated software and changes the browser’s settings.
Adware.Ubar.13
A torrent client designed to install unwanted programs on a user’s device.
Statistics for malware discovered in email traffic
Exploit.Rtf.CVE2012-0158
Modified Microsoft Office document. Exploits the CVE2012-0158 vulnerability in order to run malicious code.
Trojan.SpyBot.699
Trojan spyware that hooks characters entered using the keyboard (keylogger).
W97M.DownLoader.2938
A family of trojan downloaders that exploit vulnerabilities in Microsoft Office applications and can download other malware to a compromised device.
PDF.DownLoader.57 (new threat)
Represents a family of trojan downloaders that spread in specifically created PDF documents.
Exploit.ShellCode.69
Another malicious Microsoft Office Word document, which uses the CVE-2017-11882 vulnerability.
Encoders
In September, Doctor Web’s technical support service registered 14.59% more requests to decode files encoded by trojan ransomware than in August.
The majority of cases involve the following encoders:
Trojan.Encoder.858 — 16.60%
Trojan.Encoder.11464 — 6.93%
Trojan.Encoder.11539 — 5.04%
Trojan.Encoder.25574 — 2.94%
Trojan.Encoder.10700 — 2.52%
Trojan.Encoder.567 — 1.89%
Trojan.Encoder.24383 — 1.47%
Dr.Web Security Space for Windows protects against encryption ransomware
Malicious and unwanted programs for mobile devices
In September, we detected a lot of malware on Google Play. Earlier this month, Doctor Web virus analysts detected the banking trojan Android.Banker.347.origin that attacked users from Brazil. It hooked text messages with confirmation codes and could load fraudulent websites at the command of attackers. Another banker, found at the end of the month, was dubbed Android.Banker.352.origin. It stole the credentials of users at the YoBit cryptocurrency exchange.
Among the threats spreading via Google Play were the trojan downloaders Android.DownLoader.920.origin and Android.DownLoader.921.origin that downloaded other malicious applications. Virus analysts have also detected the Android.HiddenAds adware trojans. Besides, our experts discovered several modifications of trojans of the Android.Joker family. They subscribed users to expensive services, could hook text messages, and transmitted the contact lists of infected devices to cybercriminals. These trojans could also download and then launch auxiliary modules and were able to execute arbitrary code.
Virus analysts have also identified new versions of riskware designed for cyber spying.
The following events are among the most notable regarding mobile security in September:
distribution of malware on Google Play;
detection of new spyware versions.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Doctor Web presents its September 2019 overview of malware for mobile devices. Last month, we detected a number of trojans on Google Play, disguised as harmless games and software. Apart from that, users were targeted by trojans and malware distributed outside the official Android app store.
In September, Android users were threatened by various malware, many of which was distributed via Google Play. Those were the Android.DownLoader downloaders, the Android.Banker and Android.HiddenAds banking and adware trojans, as well as other threats. Doctor Web experts have also discovered several new versions of potentially dangerous applications, designed to spy on users, including Program.Panspy.1.origin, Program.RealtimeSpy.1.origin, and Program.MonitorMinor.
PRINCIPAL TRENDS IN SEPTEMBER
Google Play remains the source of malicious and unwanted applications
Users are still threatened by spyware
Mobile threat of the month
One of the malware detected last month was the Android.Banker.352.origin banking trojan, spread under the guise of the YoBit crypto exchange official application.
When launched, Android.Banker.352.origin displayed a fake authentication window and stole the credentials entered by customers. Then, it displayed an error message claiming the service was unavailable.
The trojan hooked two-factor authentication codes from text messages, as well as access codes from emails. It also hooked and blocked notifications from instant messengers and email clients. Android.Banker.352.origin stored all the stolen data in the Firebase Database.
According to statistics collected by Dr.Web for Android
Android.RemoteCode.6122
Android.RemoteCode.5564
Malicious applications that download and execute arbitrary code.
Android.HiddenAds.455.origin
Android.HiddenAds.472.origin (new threat)
Trojans that display unwanted ads on mobile devices.
Android.Backdoor.682.origin
A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:
Adware.Patacore.253
Adware.Gexin.3.origin
Adware.Zeus.1
Adware.Altamob.1.origin
Riskware that silently launches applications without user intervention:
Tool.SilentInstaller.6.origin
Threats on Google Play
In addition to the Android.Banker.352.origin banking trojan, September saw Doctor Web specialists detect the Android.Banker.347.origin malware on Google Play. It targeted Brazilian customers of credit service organizations. It is a modification of Android.BankBot.495.origin, Android.Banker.346.origin, and other bankers, reported by our company in earlier publications.
Attackers distributed Android.Banker.347.origin via Google Play under the guise of software that helped locate family members.
The banker used the Android Accessibility Service to steal information from text messages, such as confirmation codes and other sensitive data. Similarly to its previous modifications, it could also open phishing pages at the command of cybercriminals.
Last month, virus analysts detected several new adware trojans of the Android.HiddenAds family on Google Play, such as Android.HiddenAds.444.origin. This malware was embedded in harmless software and games. When launched, it hid its icon and started to display obnoxious advertising banners. At the command of the command and control server, it could download and try to install APK files.
Among the detected malware were trojan downloaders, such as Android.DownLoader.920.origin and Android.DownLoader.921.origin. They were spreading under the guise of games. The trojans downloaded and tried to install various software, as well as other malicious programs, at the server’s command.
In September, several modifications of the Android.Joker trojan family were found on Google Play. These malicious applications were embedded in seemingly harmless software, such as plug-ins for cameras, photo editors, image collections, various system utilities, and other software.
Trojans are able to load and run auxiliary DEX files, as well as execute arbitrary code. They can also automatically subscribe users to expensive services by loading websites with premium content and clicking the appropriate links without user’s knowledge. To confirm the subscription, they hook verification codes from text messages. The Android.Joker malware also transfers the data from victims’ contact lists to the command and control server.
Other trojans that subscribed users to expensive services were dubbed Android.Click.781 and Android.Click.325.origin. They also loaded websites to subscribe the victims to premium services. Besides, they could hook notifications of the operating system and other software at the server’s command. The cybercriminals were spreading these trojans under the guise of camera applications.
Spyware
In September, Doctor Web experts discovered several new versions of riskware, designed to spy on Android device users. The list included Program.Panspy.1.origin, Program.RealtimeSpy.1.origin, and Program.MonitorMinor. This spyware enables control of texting and phone calls, instant messaging, tracking the location of devices, and receiving other confidential information.
To protect your Android device from malware and unwanted programs, we recommend that you install Dr.Web for Android.
Your Android needs protection.
Use Dr.Web
The first Russian anti-virus for Android
Over 140 million downloads—just from Google Play
Available free of charge for users of Dr.Web home products
Russian anti-virus company Doctor Web has updated Dr.Web Anti-rootkit API (11.1.23.201901160) in FSB-certified editions of its Dr.Web Enterprise Security Suite 10.1, Dr.Web Desktop Security Suite 11.0 and Dr.Web Server Security Suite 11.0.The products were certified by the FSB on July 16, 2018.
The update addresses an Anti-rootkit API issue resulting in increased CPU and memory usage by the applications.
The update will be downloaded and installed automatically.
Doctor Web virus lab specialists have detected a malicious copy of the website of Russian Federal Bailiffs Service (FSSP). Cybercriminals use this fake website to infect users with Trojan.DownLoader28.58809.
Our experts discovered the copy of Russia’s FSSP website at 199.247.**.***. The fake looks almost no different from the original, but some elements are displayed incorrectly, unlike the official website.
If a user tries to click some of the links, they will be redirected to a page prompting to update Adobe Flash Player. At the same time, an .EXE file will be downloaded to the user's device. If the user launches it, Trojan.DownLoader28.58809 will be installed.
This trojan adds itself to the autorun list in the user's system, connects to the command and control server, and downloads another malicious module, Trojan.Siggen8.50183. In addition, a file with a valid Microsoft digital signature is downloaded to the user's device to run the main malicious library. Then Trojan.Siggen8.50183 collects information about the user's system and sends it to the command and control server. After installation, the trojan will always be active on the user's device and will be able to perform various actions upon a command from the server.
When launched on a victim’s device, the trojan can do the following:
obtain information about disks;
obtain information about any file;
obtain information about any folder (i.e. the number of files, subfolders, and their size);
obtain the list of files in a specified folder;
delete a file;
create a folder;
move a file;
run a process;
stop a process;
obtain the list of processes.
According to our data, cybercriminals have not yet launched any large-scale virus campaigns using the fake website, but it could be used in attacks aimed at individual users or organizations.
Both of these trojans are successfully detected and removed by Dr.Web products and pose no threat to our users.
Russian anti-virus company Doctor Web presents version 1.4.0 of its intelligent, interactive threat analyser Dr.Web vxCube. The new version incorporates an API that allows it to be integrated with other services and a smarter behaviour analyser. It also boasts enhanced malware-detection capabilities (specifically, when dealing with banking Trojans). Furthermore, Dr.Web vxCube 1.4.0 features UI upgrades and offers enhanced analysis capabilities with regard to mobile threats. Known issues have been resolved.
New integration options
Now users can take advantage of the open vxCube API. It can be installed with the following command:
$ pip install -U vxcube-api
The Dr.Web vxCube API code, as well as the command list and usage examples, can be found on Doctor Web's page on Github.
Furthermore, analysis results can now be saved in the MAEC and STIX formats, which are supported by other developers� solutions and services. This makes it easy to integrate Dr.Web vxCube with popular SIEM solutions.
More options for reports
Dr.Web vxCube reports can now also be saved in PDF format. Users can also select which report sections will be included in the generated report.
Additional network settings
Network settings can now be customised to redirect TCP/UDP traffic to a proxy server so that the sample being analysed doesn't notice what is happening:
VPN
TOR
SOCKS4
SOCKS5
SHADOWSOCKS
Android 7.1 support
Files in apk format can now be examined using Android 7.1. Furthermore, we�ve enhanced all apk analysis routines so that they are better protected from VM awareness. We�ve also added the ability to examine system apps and have improved overall performance.
UI upgrades
When VNC is used to analyse files, a progress bar showing the estimated analysis time and the progress taking place is displayed.
Malicious modules are now marked with a special icon in the process graph. This lets users see when malicious code has been injected into trusted processes.
Enhanced behaviour analyser
Now, if users opt to examine files via VNC, they can make use of all the vxCube features, instead of just running a simplified analysis, and they can monitor all running processes.
The new version of the service is already available to everyone who has a Dr.Web vxCube license. If you don't have a license yet, you can purchase one in Doctor Web's eStore. You can also opt to use a trial license to evaluate the service before making your purchase.
Russian anti-virus company Doctor Web has updated the Dr.Web Protection for Windows module (11.05.09.09250), the Dr.Web Enterprise Agent for Windows setup module (11.5.10.09260), and Dr.Web Scanning Engine (11.5.8.201910020) in Dr.Web Enterprise Security Suite 11. The update resolves known issues and delivers minor upgrades.
Specifically, it addresses a problem that rendered the self-protection module non-operational if Dallas Lock software was being used alongside Dr.Web in a system.
It also eliminates a scanning service issue that occurred when the option to scan local networks was enabled and prevented files from being restored to their previous versions from their respective shadow copies on the server.
The update will be performed automatically; however, a system reboot will be required.
Russian anti-virus company Doctor Web has updated a variety of software components in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0 and Dr.Web 12.0 for Windows Servers. The updated components include SpIDer Agent for Windows (12.0.7.09111), Dr.Web Updater (12.0.14.08220), Dr.Web Firewall for Windows (12.00.01.01170), Dr.Web Firewall for Windows driver (12.00.04.08120), Dr.Web Anti-rootkit API (12.5.0.201908280), Dr.Web Scanning Engine (12.5.0.201908140), Dr.Web Protection for Windows (12.05.00.08270), Dr.Web File System Monitor (12.05.00.06270), Dr.Web Control Service (12.5.0.09130), Dr.Web SysInfo (12.5.0.201909090), Dr.Web Security Space, Anti-virus for Windows, Anti-virus for Windows servers setup (12.5.0.08151), Thunderstorm Cloud Client SDK (12.0.7.09061) and the configuration scripts Lua-script for av-service, main (12.5.0.06170), and Lua-script for dwl (12.5.0.09060). Furthermore, Outlook Plugin (12.0.6.201909100) and Lua-script for antispam (12.0.0.08131) were updated in the anti-virus products for PCs. The update brings back Windows XP support and delivers upgrades and error fixes.
Changes made to Dr.Web Firewall for Windows driver:
An issue that could prevent users from signing in to their accounts on a Russian ISP's website has been resolved.
Changes made to Dr.Web Anti-rootkit API:
A false positive involving Cisco VPN has been eliminated;
Threat detection and neutralisation routines have been enhanced.
Changes made to Dr.Web Scanning Engine:
An issue preventing information about threats discovered on FAT32 partitions from displaying correctly in the quarantine manager has been resolved;
A scanning problem involving password-protected RAR archives has been fixed;
A threat neutralisation mechanism that deals with malware in the memory when SpIDer Guard is being launched has been upgraded.
Changes made to Dr.Web Protection for Windows:
Adjustments have been made to avoid compatibility issues with ViPNet software.
Changes made to Dr.Web File System Monitor:
A threat neutralisation mechanism that deals with malware in the memory when SpIDer Guard is being launched has been upgraded.
Changes made to Dr.Web Security Space, Anti-virus for Windows, Anti-virus for Windows servers setup:
The products now can be installed on machines running Windows XP/Windows Server 2003;
Improved detection of incompatible Avast software by Dr.Web during its initial setup.
Changes made to Lua-script for antispam:
An issue causing the anti-virus setup to freeze while updating has been eliminated.
The documentation has been updated with the resumption of support for Windows XP and Windows Server 2003.
The update will be performed automatically; however, a system reboot will be required.
Russian anti-virus company Doctor Web has updated Dr.Web CureIt! to version 12.5. The utility now incorporates up-to-date software component versions and a fix for an identified issue.
The updated modules include Dr.Web Anti-rootkit API (12.5.0.201908280), Dr.Web Scanning Engine (12.5.0.201908140), and Dr.Web Protection for Windows (12.05.00.08270).
In addition, the anti-rootkit scan false positive REG:SUSPICIOUS.UserinitCorrupted has been eliminated.
Both the paid and the free editions of the utility have been updated.
Russian anti-virus company Doctor Web has updated the ES Service module (11.5.19.09110) in the Dr.Web Enterprise Security Suite 11.0 agent software. The update delivers a fix for an identified problem.
Specifically, when the preventative protection was triggered, the path to the protected object was not sent to the Server. This error has been fixed.
The update will be downloaded and installed automatically.
Russian anti-virus company Doctor Web has updated a number of modules in its Dr.Web 11.1 products for Unix-like systems. The updated modules include drweb-esagent (11.1.2-1909031741), drweb-mimetic (11.1.2-1907301551), drweb-maild (11.1.3-1908220946), drweb-netcheck (11.1.1-1908271619), drweb-rpm (11.1.2-1907191359), drweb-libzypp (11.1.2-1907191422), drweb-uninst (11.1.1-1908092037), drweb-httpd (11.1.2-1908211705) and drweb-gui (11.1.4-1908211700). The update resolves known issues and delivers minor upgrades.
Changes affecting drweb-esagent in Dr.Web Anti-virus 11.1 for Unix Mail Servers, Dr.Web Anti-virus 11.1 for Unix File Servers, Dr.Web Anti-virus 11.1 for Internet gateways Unix, and Dr.Web Anti-virus 11.1 for Linux:
an issue preventing users from changing the settings of some components when there was no connection with the ES server has been resolved;
an error concerning the implementation of task processing for weekly scanning has been fixed;
an error that occurred while the checkbox "Run the task according to UTC" (scheduler) was being processed has been resolved;
Also fixed was a defect that prevented the sending of statistics to the ES server from being blocked.
Changes affecting drweb-mimetic and drweb-maild in Dr.Web Anti-virus 11.1 for Unix Mail Servers:
a new option to scan by categories was added to the Url table.
The update is performed via the Dr.Web repository. If you encounter any problems during updating, please use the instructions from our previous news post to specify an additional repository for the Dr.Web software you are using.
Russian anti-virus company Doctor Web has released version 12.0.5 of Dr.Web for Microsoft Exchange Server. The update delivers a fix for an identified problem.
An issue involving the scanner's abnormal termination when processing large volumes of messages has been resolved.
More information about the update process, as well as about the system requirements for Dr.Web 12.0.5 for Microsoft Exchange Server, can be found in the product documentation (https://download.drweb.com/doc/).
Russian anti-virus company Doctor Web has released a new distribution of Dr.Web for macOS version 11.1.4. The distribution’s release delivers a fix for an identified problem.
The distribution resolves an issue that could result in the abnormal termination of Dr.Web's graphical interface on workstations running macOS 10.14.5 and later versions.
Please note that this version and newer versions of the distribution will not work for macOS 10.7—a separate distribution will be available for this OS.
In the last month of summer, Doctor Web virus analysts detected the clicker trojan Android.Click.312.origin on Google Play built into harmless applications. We also detected additional malicious software, including the Android.DownLoader.915.origin downloader trojan and trojan adware of the Android.HiddenAds family, distributed under the guise of useful software, as well as the Android.Banker.346.origin banker.
PRINCIPAL TRENDS IN AUGUST
Detection of new malware on Google Play
Emergence of new adware modules
Mobile threat of the month
In early August, Doctor Web reported the Android.Click.312.origin trojan detected in 34 applications on Google Play. It was a malicious module that developers built into their software. A total of 101.7 million users downloaded the software with this trojan.
Android.Click.312.origin opened links via invisible WebView at the direction of the command and control server. It could also load websites in a browser and advertise applications on Google Play. Features of the trojan are as follows:
it began operating 8 hours after startup;
some features were implemented using reflection;
it could subscribe users to premium mobile services using WAP-Click.
For more information on Android.Click.312.origin, refer to the news article on our website.
According to statistics collected by Dr.Web for Android
Android.HiddenAds.455.origin
A trojan designed to display unwanted ads on mobile devices.
Android.Backdoor.682.origin
A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
Android.Triada.467.origin
A multi-functional trojan that performs various malicious actions.
Android.RemoteCode.197.origin
Android.RemoteCode.5564
Malicious applications designed to download and execute arbitrary code.
Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:
Adware.Gexin.3.origin
Adware.Patacore.253
Adware.Zeus.1
Adware.Altamob.1.origin
Adware.Myteam.2.origin (a new threat)
Threats on Google Play
Along with the Android.Click.312.origin clicker, we detected the downloader trojan Android.DownLoader.915.origin among the malware on Google Play. It spread as a VPN client. It downloaded and attempted to install applications, as well as opened Instagram, Telegram, and Google Play web pages and other services specified by attackers.
Virus analysts also identified new trojan adware of the Android.HiddenAds family; for example, Android.HiddenAds.1598 and Android.HiddenAds.467.origin. Like other malicious programs of this family, they hid the software icons where they were embedded and displayed obnoxious ads.
At the end of August, Doctor Web experts discovered another banking trojan that attacked Brazilian Android users. This malware was dubbed Android.Banker.346.origin. Like similar trojans reported by our company earlier (for example, at the end of 2018), Android.Banker.346.origin uses the Android Accessibility Service to steal information from text messages, which could contain transaction confirmation codes and other confidential data. The banker also opens phishing pages at the command of cybercriminals.
To protect your Android device from malware and unwanted programs, we recommend that you install Dr.Web for Android.
Your Android needs protection.
Use Dr.Web
The first Russian Anti-virus for Android
More than 140 million downloads on Google Play alone
Doctor Web presents its August 2019 overview of malware for mobile devices. This month, users were still targeted by malware on Google Play, including a clicker trojan, trojan adware and other threats. Read more about these events in our review.
In August, Dr.Web server statistics detected a 21.28% decrease in the total number of threats compared to July. The number of unique threats dropped only slightly by 2.82%. The most common threat in email traffic is malware that exploits vulnerabilities in Microsoft Office documents, as well as trojan downloaders. Similarly to the previous month, the majority of detected malware and unwanted software is adware.
Principal trends in August
A decline in malware spreading activity
A growing number of non-recommended and malicious websites
An upturn of encoder activity
Threat of the month
In August, researchers at Doctor Web’s virus lab discovered a dangerous banking trojan spread by cybercriminals via fake websites of popular software. One of these resources is copied from a well-known VPN service, while others are disguised as corporate office software websites.
Installation adware that spreads outdated software and changes the browser’s settings.
Adware.Ubar.13
A torrent client designed to install unwanted programs on a user’s device.
Trojan.Winlock.14244
A ransomware trojan that blocks or limits a user’s access to the Windows operating system and its functionalities. In order to unlock the system, a user must transfer money to the cybercriminals.
Trojan.InstallCore.3553
Another well-known adware installer. It displays ads and installs new software without a user’s permission.
Statistics for malware discovered in email traffic
Exploit.Rtf.CVE2012-0158
Modified Microsoft Office document. Exploits the CVE2012-0158 vulnerability in order to run malicious code.
W97M.DownLoader.2938
A family of trojan downloaders that exploit vulnerabilities in Microsoft Office applications and can download other malware to a compromised device.
Exploit.ShellCode.69
Another malicious Microsoft Office Word document, which uses the CVE-2017-11882 vulnerability.
Trojan.PWS.Stealer.19347
A family of trojans designed to steal passwords and other confidential information stored on an infected computer.
Encoders
In August, cases involving the following ransomware were most often registered by Doctor Web’s technical support service:
Trojan.Encoder.858—17.73%
Trojan.Encoder.11464—7.09%
Trojan.Encoder.18000—4.96%
Trojan.Encoder.28004—4.26%
Trojan.Encoder.11539—2.60%
Trojan.Encoder.25574—1.18%
Trojan.Encoder.567—1.65%
Dr.Web Security Space for Windows protects against encryption ransomware
Malicious and unwanted programs for mobile devices
In August, Doctor Web experts discovered several new malware on Google Play. In early August, the Dr.Web virus database was updated to detect the Android.Click.312.origin trojan, which could open links and various websites following the command of the server. Virus analysts also detected new adware Android.HiddenAds, as well as the Android.DownLoader.915.origin downloader that was able to download other malicious applications.
At the end of the month, Doctor Web experts discovered another banking trojan that attacked users from Brazil. The malware, dubbed Android.Banker.346.origin, exploited the Android OS Accessibility Service and could hook text messages.
The following events are among the most notable regarding mobile security in August:
Distribution of malware on Google Play;
New unwanted adware modules.
Learn more about malicious and unwanted programs for mobile devices in our August overview.
By continuing to use this website, you are consenting to Doctor Web’s use of cookies and other technologies related to the collection of visitor statistics. Learn more
