August 22, 2019

Russian anti-virus company Doctor Web has updated Dr.Web Scanner SE (12.0.6.08190) in its products Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0, and Dr.Web Anti-virus 12.0 for Windows Servers. The update delivers new features and resolves known issues.

Changes made to the scanner:

• An issue preventing the scanner from being launched in safe mode has been resolved.
• Now, if an administrator account is used to start the scanner, the UAC prompt to elevate privileges is not displayed.
• Furthermore, environmental variables can now be used to specify scanning exceptions.
• Minor scanner UI display issues have been resolved. UI elements now display properly on high-resolution screens.

The update will be downloaded and installed automatically.

August 19, 2019

Researchers at Doctor Web’s virus lab discovered a dangerous banking trojan, Win32.Bolik.2, being spread by hackers via fake websites of popular software. One of these resources is copied from a well-known VPN service, while others are disguised as corporate office software sites.

A copy of the NordVPN official website, which is a famous VPN service, was recently found by our researchers at nord-vpn[.]club. As with the original, it prompts users to download a program for using the VPN; but apart from the program itself, the fake authors distribute a dangerous banking trojan - Win32.Bolik.2.

It has the same design, a similar domain name, and a valid SSL certificate.

According to our data, the malware campaign that uses those fake websites is primarily targeted at English-speaking audiences and was launched on August 8, 2019. However, at the time this news was released, the malicious fake NordVPN website already had thousands of visits.

On top of that, at the end of June this year, the same hacker group copied websites of office programs: invoicesoftware360[.]xyz (the original is invoicesoftware360[.]com) and clipoffice[.]xyz (the original is crystaloffice[.]com), where the Win32.Bolik.2 trojan was distributed together with Trojan.PWS.Stealer.26645 malware.

The Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus. Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems.

Earlier this year, we reported another malware campaign from the same hacker group in which they distributed Win32.Bolik.2 through a hacked video editing software website.

Both of these trojans are successfully detected and removed by Dr. Web products and pose no threat to our users.

Indicators of compromise

#banker #banking_trojan #stealer

August 8, 2019

Clicker trojans are widespread malicious programs, designed to increase website visit rates and earn money on online traffic. They simulate user actions on web pages by clicking on links and other interactive elements. Doctor Web virus analysts have detected another such trojan on Google Play.

The trojan is a malicious module, which, according to Dr.Web classification, was dubbed Android.Click.312.origin. It is built into ordinary applications, such as dictionaries, online maps, audio players, barcode scanners, and other software. All these programs are operable and look harmless to Android users. Additionally, Android.Click.312.origin only starts its malicious activity after 8 hours after launch, so as not to raise suspicion.

Once launched, the trojan sends the following information about the infected device to the C&C server:

• manufacturer and model;
• operating system version;
• user’s country of residence and default system language;
• User-Agent ID;
• mobile carrier;
• internet connection type;
• display parameters;
• time zone;
• data on application containing trojan.

In response, the server sends the necessary settings. Some functions of the malware are using reflection, and the settings contain the names of methods and classes along with the parameters for them. They are used, for example, to register a broadcast receiver and a content observer, which Android.Click.312.origin uses to monitor the installation and updates of applications.

Upon installation of a new application or download of an apk file by the Play Market client, the trojan sends information about this software along with some technical data about the device to the command and control server. In response, Android.Click.312.origin receives website addresses to open in an invisible WebView, as well as links to load in a browser or on Google Play.

Thus, depending on the settings of the command and control server and the instructions it sends, the trojan can not only advertise applications on Google Play, but also covertly load any websites, including advertisements (even videos) or other dubious content. For example, after installing applications with the built-in trojan, users complained about being automatically subscribed to expensive content provider services.

Doctor Web specialists were unable to recreate the conditions for the trojan to open such websites. However, in the case of Android.Click.312.origin, this fraudulent scheme can potentially be implemented quite simply. Since the trojan informs the command and control server about the current Internet connection type, the server can send a command to open a website of a partner service that supports the WAP-Click technology if the device is connected to the Internet via a mobile carrier. This technology simplifies the subscription to various premium services, but it is often used illegally. Our company covered this problem in 2017 and 2018. In some cases, no confirmation from the user is required to subscribe to an unnecessary service: it can be done by a script on the same page, or even the trojan than can “click” the confirmation button. Since Android.Click.312.origin opens pages in an invisible WebView, the whole procedure can be done without the victim’s knowledge.

Doctor Web virus analysts have identified 34 applications with the embedded Android.Click.312.origin. They were installed by over 51.7 million users. Additionally, the trojan’s modification, dubbed Android.Click.313.origin, was downloaded by at least 50 million people. Thus, the total number of mobile device owners threatened by this trojan, exceeded 101.7 million. See below the list of programs, where this clicker was found:

Doctor Web informed Google about this trojan, and some applications we had detected were quickly removed from Google Play. Additionally, several applications have been updated, removing the malicious component. However, at the time of this publication, most applications still contained a malicious module and remained available for download.

Virus analysts recommend that developers responsibly choose modules to monetize their applications and not integrate dubious SDKs into their software. Dr.Web for Android successfully detects and removes applications that have the known modifications of Android.Click.312.origin embedded into them, so it poses no threat to our users.

Read more about Android.Click.312.origin

#Android, #Google_Play, #clicker

August 8, 2019

Russian anti-virus company Doctor Web has updated the Dr.Web Updater module (12.0.12.08020) in its products Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0, and Dr.Web 12.0 for Windows Servers.

The update optimizes routines incorporated into the module.

The update will be downloaded and installed automatically.

August 5, 2019

Doctor Web presents its July 2019 virus activity review. Over the last month, email traffic was dominated by threats that exploit Microsoft Office Documents vulnerabilities. The number of unique threats detected on users' devices has increased; and Doctor Web’s technical support has received less data decryption requests than in June. For more information about these and other events, have a look at our review.

Go to the review

August 5, 2019

In July Dr.Web’s statistics showed a 54.21% decrease in the number of detected threats compared to June. While the unique threats almost doubled. E-mail traffic was dominated by malware that uses Microsoft Office programs’ vulnerabilities. Adware and unwanted programs still occupy the top of all detected threats. The lead ransomware in July, Trojan.Encoder.858, accounted for 21.15% of all requests for data decryption received in support of Doctor Web.

Doctor Web’s researchers have prepared a study that describes trends in the most common threats for smart devices and the Internet of Things (IoT) as a whole. This review is based on statistical data that has been gathered from our honeypots since 2016 and intends to draw attention to the security problem in the field of IoT.

Read the research

According to Doctor Web’s statistics servers

Threats of the month:

Adware.Ubar.13

A torrent client designed to install unwanted programs on a user’s device.

Adware.Softobase.15

Installation adware that spreads outdated software and changes the browser’s settings.

Trojan.Packed.20771

This program installs malicious browser extensions that redirect search results to different websites.

Trojan.Winlock.14244

A ransomware trojan that blocks or limits a user’s access to the Windows operating system and its functionalities. In order to unlock the system, a user must transfer money to the cybercriminals.

Trojan.DownLoader29.14148

Downloads and runs malicious software without the user’s permission.

Statistics for malware discovered in email traffic

Exploit.Rtf.CVE2012-0158

A modified Microsoft Office document. It exploits the CVE2012-0158 vulnerability in order to run malicious code.

W97M.DownLoader.2938

A family of downloader trojans that exploit vulnerabilities in Microsoft Office applications. Designed to download other malware onto a compromised computer.

Exploit.ShellCode.69

Another malicious Microsoft Office Word document that uses the CVE-2017-11882 vulnerability.

JS.DownLoader.1225

A family of malicious JavaScripts. They download and install malicious software on a computer.

Encryption ransomware

In July, the most common cases involving the following ransomware were registered by Doctor Web’s technical support service:

• Trojan.Encoder.858 — 21.15%
• Trojan.Encoder.567 — 9.45%
• Trojan.Encoder.11464 — 8.01%
• Trojan.Encoder.25574 — 4.93%
• Trojan.Encoder.18000 — 3.90%
• Trojan.Encoder.11539 — 3.08%
• Trojan.Encoder.28004 — 1.85%

Dangerous websites

During July 2019, Doctor Web added 123,251 URLs to the Dr.Web database of non-recommended sites.

Malicious and unwanted programs for mobile devices

In mid-July, Doctor Web researchers detected a new dangerous trojan Android.Backdoor.736.origin on Google Play, through which attackers remotely controlled infected Android devices. This backdoor was able to install apps, steal sensitive data and perform other malicious actions at the developer’s command.

Among other detected threats were new trojans of the Android.HiddenAds family, which hid their icons from the main screen and displayed ads. Additionally, Doctor Web analysts discovered several programs with embedded the advertising module Adware.HiddenAds.9.origin. They displayed banners even while being closed.

New entries for detecting trojans of the Android.Spy family, which were used for cyber espionage, were added to the Dr.Web’s virus database.

Among the most notable July events related to mobile malware:

• detection of a dangerous backdoor that executes malicious commands;
• detection of new malicious programs on Google Play;
• the spread of trojans designed for cyber espionage.

Find out more about malicious and unwanted programs for mobile devices in our monthly review.

August 5, 2019

Doctor Web has updated its curing utility Dr.Web CureIt! to incorporate the latest versions of the anti-virus components.

It now features the most up-to-date version of Dr.Web Virus-Finding Engine (7.00.41.07240).

Download Dr.Web CureIt!

August 5, 2019

Doctor Web presents its July 2019 overview of malware for mobile devices. Last month, malware analysts discovered a dangerous backdoor that executed commands from cybercriminals. Cybercriminals also continue distributing adware trojans. We then identified other malicious and unwanted applications. Read more about these threats in our review.

Go to the review

August 5, 2019

Last month Doctor Web reported the dangerous Android.Backdoor.736.origin trojan that executed malicious commands, stole confidential data and displayed fraudulent windows and messages. In July, malware analysts discovered many new adware trojans of the Android.HiddenAds family on Google Play. The Dr.Web virus database has also been updated to detect the unwanted adware Adware.HiddenAds.9.origin, as well as the spyware trojans Android.Spy.567.origin and Android.Spy.568.origin.

Mobile threat of the month

In mid-July, Doctor Web virus analysts investigated the Android.Backdoor.736.origin trojan, spreading under the guise of OpenGL Plugin software. It allegedly checked the version of the OpenGL ES interface and installed its updates.

This backdoor spied on users, sending information about their contacts, phone calls, and their device location to the attackers. It also uploaded files from devices to a remote server, as well as download and installed software. Features of Android.Backdoor.736.origin:

• the main malicious component of the trojan was hiding in an auxiliary module, encrypted and stored in the application’s resource directory;
• with root privileges, it could automatically install software;
• could execute shell commands, received from the C&C server.

For more information regarding Android.Backdoor.736.origin, refer to the news article on our website.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.HiddenAds.1424

A trojan designed to display obnoxious ads. It is distributed under the guise of popular applications.

Android.RemoteCode.197.origin

Android.RemoteCode.5564

Android.RemoteCode.216.origin

Malicious applications designed to download and execute arbitrary code.

Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:

Adware.Zeus.1

Adware.Gexin.3.origin

Adware.Patacore.253

Adware.Altamob.1.origin

A riskware platform that allows applications to launch APK files without installing them:

Tool.VirtualApk.1.origin

Threats on Google Play

Since the beginning of July, Doctor Web malware analysts have detected many new adware trojans of the Android.HiddenAds family on Google Play, installed by over 8.2 million users. These malware spread under the guise of harmless games and useful applications, such as camera filters, system utilities, alarm clocks, etc. After launching, the trojans hid their icons from the software list on the main screen and started displaying banners that interfered with device operation.

In addition, a new unwanted advertising module named Adware.HiddenAds.9.origin was uncovered. It was embedded into the compass software and a collection of wallpapers for the desktop. It displayed ads even when these applications were closed.

Cyberespionage

Last month, the Dr.Web virus database was also updated to detect the spyware trojans Android.Spy.567.origin and Android.Spy.568.origin. The first one transferred the data from text messages, phone calls, calendar, and phone book entries to a remote server, as well as information about files stored on the device.

The second one displayed a fraudulent message, prompting a potential victim to update a Google Play component. If the user agreed, the trojan displayed a phishing window that simulated a Google account login page.

Virus writers made a spelling mistake in the phrase “Sign in”, which could indicate a fake. If the victim did not notice this and logged into the account, Android.Spy.568.origin stole the data of the current session, and the attackers gained access to confidential information, such as calendar entries, verification codes, phone numbers, and email addresses to restore access to the account.

To protect your Android device from malware and unwanted programs, we recommend you install Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

August 1, 2019

Russian anti-virus company Doctor Web has updated Dr.Web Virus-Finding Engine (7.00.41.07240) in several Dr.Web products. The update resolves known issues of the component.

Specifically, it eliminates an engine issue causing Dr.Web to terminate abnormally under Linux.

Dr.Web Virus-Finding Engine has been updated in the following products:

• Dr.Web 9.0/11.0/11.1 for macOS
• Dr.Web 6/11.0/11.1 for Unix Server
• Dr.Web 6/11.0/11.1 for Unix Mail Servers
• Dr.Web Anti-virus 6/11.0/11.1 for Internet gateways Unix
• Dr.Web Anti-virus 6/11.0/11.1 for Linux
• Dr.Web Security Space 7/8/9/10/11.0/11.5/12
• Dr.Web Anti-virus 7/8/9/10/11.0/11.5/12 for Windows
• Dr.Web 7/8/10/11.0/11.5/12 for Windows Servers
• Dr.Web 10/11/11.5/12 for MS Exchange
• Dr.Web 10/11.0/11.5/12 for M Lotus Domino (version for Windows)
• Dr.Web 6.0 for IBM Lotus Domino (Linux-version)
• Dr.Web AV-Desk 10.0/10.1
• Dr.Web ATM Shield 6
• Dr.Web Enterprise Security Suite 10.0.0/10.00.1/10.01.0/11.00 (Windows)
• Dr.Web for MIMEsweeper 6
• Dr.Web LiveCD 9
• Dr.Web 7.0 for Novell NetWare 7
• Dr.Web 6.0 for Qbik WinGate
• Dr.Web 6.0 for for Trafficinspector
• Dr.Web CureNet! 10/11
• Dr.Web 11.0 for Microsoft ISA Server and Forefront TMG
• Dr.Web 6.0 for Kerio mail servers (Windows)
• Dr.Web 11.1 for Kerio mail servers (Linux)
• Dr.Web 6.0 for Internet gateways Kerio (Windows)
• Dr.Web 11.0/11.1 for Internet gateways Kerio (Linux)

The update will be downloaded and installed automatically.

July 31, 2019

Russian anti-virus company Doctor Web has released Dr.Web Light 11.3.2 for Android. The new version incorporates fixes for known defects.

Fixes:

• An issue causing the application to terminate abnormally when working with some of its components;
• An issue involving increased memory usage by the application.

If you downloaded your Dr.Web application from Google Play, the update will be downloaded and installed automatically. If automatic updates are disabled on your device, you need to go to Google Play, choose Dr.Web Light on the application list, and tap "Update".

July 31, 2019

Russian anti-virus company Doctor Web has updated Dr.Web for Outlook Plugin (11.5.2.201907190), the Dr.Web Protection for Windows module (11.05.08.06260) as well as the Dr.Web Control Service (11.5.17.07023) in Dr.Web Enterprise Security Suite 11.0. The update resolves known issues and delivers minor upgrades.

Changes made to Dr.Web for Outlook Plugin:

• An issue causing anti-spam false positives has been eliminated.

Changes made to Dr.Web Control Service:

• An issue preventing devices with similar IDs from being blocked has been resolved.

The update will be performed automatically; however, a system reboot will be required.

July 31, 2019

Russian anti-virus company Doctor Web has updated Dr.Web for Outlook Plugin (12.0.5.201907190), Dr.Web Thunderstorm Cloud Client SDK (12.0.6.07180), and Dr.Web Security Space, Anti-virus for Windows setup (12.0.12.06280) in Dr.Web Security Space 12.0 and Dr.Web Anti-virus 12.0. Furthermore, the modules Dr.Web Thunderstorm Cloud Client SDK (12.0.6.07180) and Dr.Web Anti-virus for Windows servers setup (12.0.12.06280) have been updated in Dr.Web for Windows Servers. The update resolves known issues and delivers minor upgrades.

Changes made to Dr.Web for Outlook Plugin:

• An issue causing anti-spam false positives has been eliminated.

Changes made to Dr.Web Security Space, Anti-virus for Windows setup and Dr.Web Anti-virus for Windows servers setup:

• Minor UI tweaks.

The update will be performed automatically; however, a system reboot will be required.

July 30, 2019

Russian anti-virus company Doctor Web is pleased to announce the release of Dr.Web 12.4.2 for Android. The new version incorporates fixes for known defects.

Fixes:

• An issue causing the application to terminate abnormally when working with some of its components;
• An issue involving increased memory usage by the application.

If you downloaded your Dr.Web application from Google Play, the update will be downloaded and installed automatically. If you've disabled automatic updating on your device, go to Google Play, select the Dr.Web Security Space or Dr.Web Security Space Life icon in the application list, and tap "Update".

To update via the Doctor Web site, you need to download a new distribution file. If you've enabled the "New app version" option in the settings, a notification will be displayed whenever the virus databases are updated. You can start the download directly from this dialogue box.

July 26, 2019

Doctor Web is offering all Dr.Web Security Space for Android Life users who purchased their licenses on Google Play, and, due to recent changes in Google’s SMS and call permission policy, have been deprived of the ability to use the Call and SMS Filter and the Anti-theft included in the anti-virus, to exchange their license—for free—for a Dr.Web Security Space for Android subscription with no end date.

In connection with recent changes in Google’s policy regarding the use of permissions for SMS messages and calls, Dr.Web Security Space for Android Life was removed from the Google Play Store. The policy changes have affected the anti-virus products of all anti-virus manufacturers. Some vendors have removed the above-mentioned functionality, and others are offering SMS filters as a separate commercial application. Doctor Web strongly rejects taking such a course of action and believes that restricting mobile device users throughout the world from using important Dr.Web anti-virus features is a critical blow to their security, especially the most vulnerable of users—children and elderly people who can suffer from calls and SMS messages from unknown people and annoying fraudulent ads.

Since negotiations with Google were fruitless and Doctor Web cannot permit the security level of its users to be lowered, we are offering everyone who purchased Dr.Web Security Space for Android Life on Google Play to exchange their license—for free—for a Dr.Web Security Space for Android subscription with no end date—the Dr.Web Mobile Life tariff.

How to regain access to the full version of Dr.Web Security Space for Android

1. Sign in at https://drweb.com. If you don't yet have an account, you need to register.
2. In the form on the Dr.Web Mobile Life subscription page, enter the order number of your Dr.Web Security Space Life license on Google Play and the email address associated with this order.
3. After your order information is verified, if such an order is found, you will be redirected to the My subscriptions page of your personal area of the Dr.Web Anti-virus service.
4. In the Dr.Web Mobile Life subscription section, you can download an unending license to Dr.Web for Android. You will be able to access 5 links to use for 5 devices. A perpetual license gives you the right to use Dr.Web to protect from 1 to 5 devices.

Exchange for free or buy a subscription with no end date

If you experience difficulties online when exchanging your order for a subscription, please contact our support service.

July 26, 2019

Doctor Web is pleased to present Dr.Web Mobile Life — a new tariff for Dr.Web Anti-virus service subscribers. Now, up to five Android handhelds can be protected by a single subscription that will last for as long as the gadgets are in use.

66.99€

The creation of the new tariff is connected with recent changes in Google's permission policy. These changes make the SMS functionality of all anti-virus products for Android 8 and later versions inaccessible to users (this concerns our Call and SMS filter and Anti-theft). Use a Dr.Web Mobile Life subscription to simultaneously protect 5 Android smartphones or tablets with the complete set of Dr.Web Security Space for Android components.

Subscribe to the Dr.Web Anti-virus service, and may your mobile devices remain under the reliable protection of our Russian anti-virus for as long as you use them!

#service #Dr.Web #Android

July 18, 2019

Russian anti-virus company Doctor Web has updated its Dr.Web CureIt! utility: it now uses the latest versions of the software modules (including the anti-virus engine) that had already been incorporated into Dr.Web 12.0 software for Windows.

Specifically, the utility includes the updated versions of Dr.Web Anti-rootkit API (12.0.8.201906240) and Dr.Web Virus-Finding Engine (7.00.40.06260).

Download Dr.Web CureIt!

July 22, 2019

Russian anti-virus company Doctor Web has updated Dr.Web Virus-Finding Engine (7.00.40.06260) in Dr.Web Security Space and Dr.Web Anti-virus as well as in Dr.Web Enterprise Security Suite, the Internet service Dr.Web AV-Desk, the Dr.Web CureIt! utility, Dr.Web for macOS and in the emergency system recovery solution Dr.Web LiveDisk. The update enhances heuristic malware detection routines.

Dr.Web Virus-Finding Engine has been updated in the following products:

• Dr.Web 9.0/11.0/11.1 for macOS
• Dr.Web 6/11.0/11.1 for 1 for Unix Server
• Dr.Web 6/11.0/11.1 for Unix Mail Servers
• Dr.Web Anti-virus 6/11.0/11.1 for Internet gateways Unix
• Dr.Web Anti-virus 6/11.0/11.1 for Linux
• Dr.Web Security Space 7/8/9/10/11.0/11.5/12
• Dr.Web Anti-virus 7/8/9/10/11.0/11.5/12 for Windows
• Dr.Web 7/8/10/11.0/11.5/12 for Windows Servers
• Dr.Web 10/11/11.5/12 for MS Exchange
• Dr.Web 10/11.0/11.5/12 for M Lotus Domino (version for Windows)
• Dr.Web 6.0 for IBM Lotus Domino (Linux-version)
• Dr.Web AV-Desk 10.00.1/10.01.0
• Dr.Web ATM Shield 6
• Dr.Web Enterprise Security Suite 10.00.0/10.00.1/10.01.0/11.00 (Windows)
• Dr.Web ??? MIMEsweeper 6
• Dr.Web LiveCD 9
• Dr.Web 7.0 for Novell NetWare
• Dr.Web 6.0 for Qbik Wingate
• Dr.Web 6.0 for TrafficInspector
• Dr.Web CureNet! 10/11
• Dr.Web 11.0 for Microsoft ISA Server and Forefront TMG
• Dr.Web 6.0 for Kerio mail servers (Windows)
• Dr.Web 11.1 for Kerio mail servers (Linux)
• Dr.Web 6.0 for Internet gateways Kerio (Windows)
• Dr.Web 11.0/11.1 for Internet gateways Kerio (Linux)

The update will be downloaded and installed automatically.

July 22, 2019

Russian anti-virus company Doctor Web has updated several modules in its Dr.Web 11.1 products for Unix-like systems. The updated modules include drweb-ctl (11.1.2-1907091642), drweb-statd (11.1.1.1907111244), drweb-se (11.1.1-1907082330), drweb-gui (11.1.3-1907081322), drweb-ctemplate (11.1.0-1906261742), drweb-maild (11.1.2-1907051644), drweb-firewall (11.1.1-1906282048) and drweb-filecheck (11.1.3-1907051721). The update introduces new features, resolves known issues, and delivers minor upgrades.

Changes affecting Dr.Web Anti-virus 11.1 for Unix mail servers, Dr.Web Anti-virus 11.1 for Linux, Dr.Web Anti-virus 11.1 for Unix servers and Dr.Web Anti-virus 11.1 for Unix Internet gateways

drweb-filecheck:

• An issue in the scanning process that could cause hang-ups has been eliminated.

drweb-se:

• If a file container has internal structure issues, the resulting scanning error is logged as a container processing error.

Changes affecting Dr.Web 11.1 for Unix mail servers and Dr.Web Anti-virus 11.1 for Linux

drweb-ctl ? drweb-statd:

• The ability to generate mail scanning statistics reports in HTML format was added.

drweb-maild:

• The ability to specify random archive names for messages being repacked was added;
• Scan error checking routines have been upgraded;
• The ability to use the component version information when working with custom message parsing scripts.

The update is performed via the Dr.Web repository. If you encounter any problems while updating, please use the instructions from our previous news post to specify an additional repository for the Dr.Web software you use.

August 7, 2019

Introduction

In addition to computers, smartphones, tablets, and routers, the World Wide Web now increasingly covers smart TVs, surveillance cameras, smart watches, refrigerators, cars, fitness trackers, video recorders, and even children's toys. The number of IoT devices already exceeds several billion, and this number is growing every year.

Many of them are badly or not at all protected from attacks. For example, they can be connected using simple or well-known credentials, set for hundreds of thousands of models by default. The owners either do not think about changing the factory settings, or are not able to do this due to restricted access. Cybercriminals can relatively easy access such devices by matching combinations from a dictionary (the so-called brute force method). They can also exploit the vulnerabilities of the operating systems.

Since 2016, Doctor Web have been closely following the threats of the Internet of Things. To do this, our experts have set up a network of baits, i.e. honeypots. They imitate various types of smart devices and record attempts to infect them. Honeypots cover several hardware platforms, including ARM, MIPS, MIPSEL, PowerPC, and Intel x86_64. They allow us to monitor attack vectors, detect and research new malware samples, improve the detection mechanisms, and deal with attacks more effectively.

This article dwells on the identified smart device-targeted attacks, as well as the most common IoT threats.

Statistics

When they only started the monitoring, our malware analysts recorded a relatively low activity of malware aimed at IoT devices. In the first four months of 2016, Doctor Web experts detected 729,590 attacks. However, the number grew 32-fold over a year, hitting 23,741,581. Twelve months later, the figure rose to 99,199,444. Now, the first half of the current year already saw 73,513,303 attacks, almost as many as the entire 2018.

The patterns of attack detection by honeypots is shown on the diagram:

In less than three years, the number of hacking attempts and infecting the IoT devices has increased by 13,497%.

Smart devices were targeted from IP addresses in more than 50 countries. Most attempts were made from the US, the Netherlands, Russia, Germany, Italy, the United Kingdom, France, Canada, Singapore, India, Spain, Romania, China, Poland, and Brazil.

The geographic spread of attack sources and the percentage is shown on this diagram:

After compromising the devices, cybercriminals downloaded one or several trojans onto them. The total number of unique malicious files detected by our traps during the observation period was 131,412. The detection patterns are shown below.

Smart devices run on different processor architectures, and malware often has versions for several hardware platforms at once. Among those mimicked by our honeypots, devices with ARM, MIPSEL, and MIPS processors are targeted more often than the others. This is clearly seen on the diagram:

According to statistics gathered by honeypots, the most active malware is the Linux.Mirai family, responsible for over 34% of attacks. They are followed by Linux.DownLoader (3% of attacks) and the Linux.ProxyM trojans (1.5% of attacks). The Linux.Hajime, Linux.BackDoor.Fgt, Linux.PNScan, Linux.BackDoor.Tsunami, and Linux.HideNSeek malware are also ranked among the top ten. This figure shows the percentage of the most active trojans:

Malicious code that targets smart devices falls under several basic categories according to the main features:

• DDoS trojans (such as Linux.Mirai);
• trojans that distribute, download, and install other malware and components (such as Linux.DownLoader, Linux.MulDrop);
• trojans that enable the remote control of the infected devices (such as Linux.BackDoor);
• trojans that turn devices into proxy servers (such as Linux.ProxyM, Linux.Ellipsis.1, Linux.LuaBot);
• trojans for cryptocurrency mining (such as Linux.BtcMine);
• others.

However, most malware pose multifunctional threats, since many of them can combine several functions at once.

Threat Trends for Smart Devices

• Due to the availability of trojan source codes, such as Linux.Mirai, Linux.BackDoor.Fgt, Linux.BackDoor.Tsunami, and others, the number of new malware is growing.
• A growing number of malicious applications in non-trivial programming languages, such as Go and Rust.
• Cybercriminals have access to information about many vulnerabilities that can be exploited to infect smart devices.
• The persisting popularity of cryptocurrency miners (mainly Monero) for IoT devices.

See the information below on the most common and notable IoT trojans.

More on IoT Threats

Linux.Mirai

Linux.Mirai is one of the most active trojans targeting IoT devices. The first version of this malware appeared in May 2016. Then, its source codes were published in open, quickly introducing a large number of modifications by various virus writers. Now Linux.Mirai is the most common trojan for Linux, which works on many processor architectures, such as x86, ARM, MIPS, SPARC, SH-4, M68K, etc.

After infecting the target device, Linux.Mirai connects to the command and control server and waits for further commands. Its main function is to perform DDoS attacks.

The following diagram shows the patterns of detecting active copies of this malware by honeypots:

Modifications of Linux.Mirai are the most active in China, Japan, USA, India, and Brazil. Below are the countries with the highest number of bots of this family detected during observation.

Linux.Hajime

Another dangerous malware for smart devices is Linux.Hajime. This trojan has been known to virus analysts since late 2016. It works on ARM, MIPS, and MIPSEL architectures and acts as a worm, using the Telnet protocol to spread. Infected devices become part of a decentralized P2P botnet and are used to infect other available online objects. The malware blocks the access to the compromised devices for other malicious software, closing ports 23, 7547, 5555, and 5358.

The peak of Linux.Hajime activity was in late 2016—early 2017, when the number of simultaneously active copies of trojans of this family exceeded 43,000. After that, the activity of this malware dropped and keeps gradually decreasing. Now, the number of active Linux.Hajime bots is no more than a few hundred.

These trojans are most common in Brazil, Turkey, Vietnam, Mexico, and South Korea. The map shows the countries with the largest number of active Linux.Hajime trojans, recorded during the entire observation period.

Linux.BackDoor.Fgt

The top five trojans designed for IoT devices include Linux.BackDoor.Fgt, which has been spreading since autumn 2015. Its different versions support MIPS, SPARC, and other architectures and run on Linux. Linux.BackDoor.Fgt source code is publicly available, which is why it is so popular among virus writers.

These backdoors are distributed via the Telnet and SSH protocols, brute-forcing credentials to access the objects. The main purpose of these trojans is to perform DDoS attacks and remotely monitor the infected devices.

Linux.ProxyM

Linux.ProxyM trojan is one of the malware that cybercriminals use to stay anonymous on the Internet. It runs a SOCKS proxy server on infected Linux devices, using it to transfer the network traffic of cybercriminals. Doctor Web specialists discovered the first versions of Linux.ProxyM in February 2017, and this trojan is still active.

Linux.Ellipsis.1

Linux.Ellipsis.1 is another trojan designed to transform IoT devices and Linux computers into proxy servers. It was detected by Doctor Web analysts in 2015. Once launched, it deletes the log files and prevents the device from creating new ones, deletes some system utilities, and also blocks access to certain IP addresses. If the trojan detects suspicious traffic from one of the IP addresses, it also blacklists the IP. Linux.Ellipsis.1 can also terminate applications connecting to the forbidden addresses at the command of the C&C server.

Linux.LuaBot

Doctor Web has discovered the first versions of the Linux.LuaBot family of trojans in 2016. These malware are written in the Lua scripting language and support devices with the Intel x86_64, MIPS, MIPSEL, Power PC, ARM, SPARC, SH4 and M68k architectures. They consist of several dozen modules, each for a specific task. The trojans can receive updates for these modules from the C&C server, as well as download new ones. Linux.LuaBot are multifunctional. Depending on the modification and the set of scripts, cybercriminals can use them to remotely control the infected devices, as well as create proxy servers to anonymize themselves on the Internet.

Linux.BtcMine.174

Cryptocurrency mining is one of the main reasons for infecting IoT devices for cybercriminals. The Linux.BtcMine family of trojans and other malware help them with this. One of them, Linux.BtcMine.174, was detected by Doctor Web experts in late 2018. It mines Monero (XMR). Linux.BtcMine.174 is a shell script. If it was not launched with root privileges, the trojan attempts to elevate its privileges using several exploits.

Linux.BtcMine.174 searches for anti-malware processes and attempts to terminate them, as well as remove their files from the device. Then it downloads and launches several additional components, including a backdoor and a rootkit module, then launches a miner on the system.

The trojan adds itself to autorun, so that rebooting of the infected device does not help. It also keeps checking whether the mining software process is active. If necessary, the trojan initiates it again, ensuring that cryptocurrency is mined at all times.

Linux.MulDrop.14

The Linux.MulDrop trojan family is used to distribute and install other malware. They work on many hardware architectures and device types. In 2017, Dr.Web virus analysts discovered the Linux.MulDrop.14 trojan that purposefully attacked Raspberry Pi computers. This dropper is a script with an encrypted cryptocurrency miner embedded in its body. Once launched, the trojan unpacks and launches the miner, and then attempts to infect other devices available in the local area network. In order to prevent “competitors” from accessing the resources of an infected device, Linux.MulDrop.14 closes network port 22.

Linux.HideNSeek

The Linux.HideNSeek malware infects smart devices, computers, and servers running Linux, integrating them into a decentralized botnet. To spread itself, the trojan generates IP addresses and attempts to connect to them using a brute-force attack, as well as a list of known combinations of authentication data. It can also exploit various hardware vulnerabilities. Linux.HideNSeek can be used to remotely control the infected devices, i.e. execute commands from cybercriminals, copy files, etc.

Linux.BrickBot

Unlike most other malware, the Linux.BrickBot trojans are not intended to bring any profit. They are vandals, designed to disable computers and smart devices. They have been known since 2017.

Linux.BrickBot trojans are trying to infect devices via the Telnet protocol, brute-forcing the credentials. Then they try to erase the data from the permanent storage modules, reset the network settings, block all connections, and perform a reboot. As a result, to restore the objects, the user would need to reflash them or even replace the components. Those trojans are rare, but extremely dangerous.

In late June 2019, the Linux.BrickBot.37 trojan, also known as Silex, became popular. It acted in a similar way as other members of the Linux.BirckBot family, i.e. erasing data from device drives, deleting the network settings, and performing a reboot, after which they could no longer correctly switch on and operate. Our traps detected over 2,600 attacks using this trojan.

Conclusion

Millions of high-tech devices, increasingly used in everyday life, are actually small computers with the corresponding flaws. They are targeted by similar attacks and have the similar vulnerabilities, but due to the nature and limitations of their form, they are far more difficult or even impossible to protect. Additionally, many users are not fully aware of the potential risks and still perceive smart devices as safe and convenient toys.

The IoT market is actively developing and largely repeating the start of the mass distribution of personal computers, when the mechanisms against threats were only being developed. While manufacturers and owners of smart devices are adapting to new realities, cybercriminals have huge opportunities to attack them. Thus, we should expect new malware for the Internet of Things in the near future.

Doctor Web continues to monitor the spread of trojans and other threats aimed at smart devices and will inform our users about all noteworthy events in this area. Dr.Web anti-virus products successfully detect and remove the malware mentioned in this review.

July 17, 2019

Russian anti-virus company Doctor Web has updated the Control Service (11.0.40.07101) in Dr.Web Enterprise Security Suite 10.1 and in the Internet-service Dr.Web AV-Desk 10.1. The update fixes a recently identified problem.

Specifically, it eliminates an issue that could potentially prevent Windows XP from restarting properly after installing a Dr.Web Agent.

The update is downloaded and installed automatically.

July 12, 2019

Doctor Web has identified a new backdoor trojan on Google Play that executes cybercriminal commands, allowing the criminals to remotely control the infected Android devices and spy on users.

The malware was dubbed Android.Backdoor.736.origin. It is distributed under the guise of the OpenGL Plugin application that is supposed to check the existing version of the OpenGL ES interface and download its updates.

When launched, Android.Backdoor.736.origin requests several important system permissions that allow it to collect confidential information and work with the file system. It also tries to get permission to overlay its windows over the interfaces of other programs.

Its window contains a button to “check” for updates to the OpenGL ES interface. When a user taps the window, the trojan simulates a search for new versions of OpenGL ES, but does not actually perform any checks.

When the victim closes the application window, Android.Backdoor.736.origin removes its icon from the list on the main screen and creates a shortcut instead. This makes it harder for the user to remove the trojan, since deleting the shortcut will not effect the malware itself.

Android.Backdoor.736.origin is continuously active in the background and can be launched not only via its icon or a shortcut, but also automatically at startup and at the cybercriminals’ command via Firebase Cloud Messaging. The trojan’s basic malicious functionality is contained in an encrypted auxiliary file, stored in the directory containing the program resources. It is decrypted and loaded into memory upon each launch of Android.Backdoor.736.origin.

The backdoor communicates with several command and control servers to receive commands from the attackers and send the collected data. The cybercriminals can also control the trojan via the Firebase Cloud Messaging service. Android.Backdoor.736.origin is capable of:

• sending information on contacts from the contact list to the server;
• sending information on text messages to the server (the investigated version of the trojan did not have the permissions for this);
• sending the phone call history to the server;
• sending the device location to the server;
• downloading and launching an APK or a DEX file using the DexClassLoader class;
• sending the information on the installed software to the server;
• downloading and launching a specified executable file;
• downloading a file from the server;
• uploading a specified file to the server;
• transmitting information on files in the specified directory or a memory card to the server;
• executing a shell command;
• launching the activity specified in a command;
• downloading and installing an Android application;
• displaying a notification specified in a command;
• requesting permission specified in a command;
• sending the list of permissions granted to the trojan to the server;
• not letting the device go into sleep mode for a specified time period.

The trojan AES encrypts all data transmitted to the server. Each request is protected with a unique generated key based on the current time. The same key encrypts the server response.

Android.Backdoor.736.origin can install applications using several methods:

• automatically, if the system has root access (using a shell command);
• using a system package manager (system software only);
• displaying a standard system installation dialog where the user needs to confirm the installation.

As you can see, this backdoor is a serious threat. Not only does it act as spyware, but it can also be used for phishing because it can display windows and notifications with any content. It can also download and install any other malicious application, as well as execute arbitrary code. For example, at the command of attackers, Android.Backdoor.736.origin can download and launch an exploit to obtain root privileges. It will then no longer need the user's permission to install other programs.

Doctor Web has notified Google about the trojan; it was already removed from Google Play at the time of publication.

Android.Backdoor.736.origin and its components are successfully detected and removed by Dr.Web for Android, so they do not pose any threat to our users.

Read more about Android.Backdoor.736.origin

#Android, #backdoor, #Google_Play, #spyware

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

July 9, 2019

Russian anti-virus company Doctor Web has announced the release of Dr.Web Security Space 12.4.1 for Android and Dr.Web Light 11.3.1 for Android. The products incorporate new features and fixes for known issues and boast enhanced anti-virus security.

Changes affecting Dr.Web Security Space for Android:

• An issue causing the SpIDer Guard icon to disappear from the status bar under Android 7.0 and 7.1 has been resolved.
• Routines that track changes in the system memory have been readjusted.
• Also resolved was a problem causing the URL filter to shut down when in centralised protection mode.
• The update also addresses an issue causing the application to terminate abnormally on some Samsung devices if the option to track changes in the system memory was turned on.

Changes affecting Dr.Web Light for Android:

• An issue causing the application to terminate abnormally has been resolved.
• Routines that track changes in the system memory have been readjusted.
• The update also addresses an issue causing the application to terminate abnormally on some Samsung devices if the option to track changes in the system memory was turned on.
• An issue causing the SpIDer Guard icon to disappear from the status bar under Android 7.0 and 7.1 has been eliminated.

If you downloaded your Dr.Web application from Google Play, the update will be downloaded and installed automatically. If you’ve disabled automatic updating on your device, go to Google Play, select Dr.Web Security Space, Dr.Web Security Space Life or Dr.Web Anti-virus Light on the application list, and click "Update”.

To update via the Doctor Web site, you need to download a new distribution file. If you’ve enabled the “New app version” option in the settings, a notification will be displayed whenever the virus databases are updated. You can start the download directly from this dialogue box.

July 4, 2019

Russian anti-virus company Doctor Web has updated the Dr.Web Anti-rootkit API (12.0.8.201906240) module in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0 and Dr.Web 12.0 for Windows servers.

The update eliminates increased CPU and memory usage originating from the dwservice.exe process. The issue typically occurred under 64-bit editions of Windows 10.

Also resolved were the false positives generated by the "Preventive Protection" during installation of Google Backup and Sync.

The update will be downloaded and installed automatically.

July 4, 2019

Russian anti-virus company Doctor Web has updated the Dr.Web File System Monitor in its products Dr.Web Security Space 7.0, Dr.Web Anti-virus 7.0, and Dr.Web 7.0 for Windows Servers.

The Dr.Web File System Monitor (9.01.03.09260 ) has been updated to address the printing delay issue involving terminal servers.

A system restart is required to apply the update.