Real-time threat news
November 13, 2017
Doctor Web specialists detected
- Sweet Bakery Match 3 – Swap and Connect 3 Cakes 3.0;
- Bible Trivia, version 1.8;
- Bible Trivia – FREE, version 2.4;
- Fast Cleaner light, version 1.0;
- Make Money 1.9;
- Band Game: Piano, Guitar, Drum, version 1.47;
- Cartoon Racoon Match 3 - Robbery Gem Puzzle 2017, version 1.0.2;
- Easy Backup & Restore, version 4.9.15;
- Learn to Sing, version 1.2.
Our analysts informed Google about the presence of
Before starting its malicious activity,
The Trojan downloads from its C&C server a list of modules it needs to run. One of them was added to the Dr.Web virus database as
The second Trojan module, dubbed
Thus, the main purpose of
Dr.Web for Android successfully detects all the applications containing
October 26, 2017
The Trojan gathers information on the infected computer and also checks whether the processes of two anti-virus programs are running: Dr.Web and McAfee (it is particularly interested in processes named dwengine.exe, dwwatcher.exe, dwarkdaemon.exe, dwservice.exe, McTray.exe, mfevtps.exe, and mcshield.exe). If BadRabbit detects such processes, it skips the first encryption stage in an apparent effort to avoid early detection. However, it attempts to run full disk encryption after the system is restarted. Because current Dr.Web Anti-virus versions do not allow the master boot record (MBR) to be modified, any attempt to encrypt disks will be unsuccessful. Thus, users of Dr.Web Anti-virus 9.1 and later and Dr.Web KATANA are completely protected from
The disk encoder then checks the arguments of its process, and if it is running without arguments, it operates as a decoder. Before starting its encrypting activities,
Then BadRabbit generates a 32-character password for disk encryption, records information about the computer in a special structure, encrypts it with a public key, and saves it in another structure, which is Base64-encoded and written to the MBR. The virus writers took the disk encryption algorithm and the bootloader from the open-source DiskCryptor project and made some minor changes. The Trojan searches for the first system disk and installs its loader there. The contents of this disk are then encrypted.
Part of BadRabbit’s code was adopted from
To launch these drivers, in the course of its operation, BadRabbit tries to register the system service “cscc” with the description “Windows Client Side Caching DDriver”. If the Trojan fails to register this service, it attempts to launch the DiskCryptor driver named “cdfs” by modifying the system registry.
After executing all of its preliminary operations, the Trojan creates a task called “drogon” to restart the computer. While finishing the session, BadRabbit clears the system logs and removes the task it created earlier. The encoder encrypts files with the following extensions: .3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip. As a result of the Trojan's operation, the infected computer displays a demand for a ransom in Bitcoin, and the cybercriminals' website on Tor states that the victim has 48 hours to pay. When the time expires, the ransom is increased.
Our investigation into
#virus #ransom #Trojan #Trojan.Encoder
October 26, 2017
The detected vulnerabilities, and the attack vector they share, have been named BlueBorne. Security researchers have found a problem in components of most modern operating systems, including Windows, iOS, Linux and the platforms based on the Linux kernel, e.g., Tizen and Android.
BlueBorne includes the following vulnerabilities:
- CVE-2017-0781, CVE-2017-0782 – Android vulnerabilities that allow applications to be launched with system privileges;
- CVE-2017-0785 – an Android vulnerability that can lead to the leak and theft of confidential information;
- CVE-2017-0783 – an Android vulnerability that facilitates Man-in-The-Middle attacks;
- CVE-2017-1000251 – a vulnerability in a Linux kernel component that facilitates the execution of arbitrary code;
- CVE-2017-1000250 – a vulnerability in a Linux kernel component that may lead to the theft of confidential information.
BlueBorne allows cybercriminals to execute malicious code remotely on Android devices that have Bluetooth enabled by sending specially crafted data packets. The attack runs with OS kernel privileges and does not require the devices to be paired or in discoverable mode. For a vulnerability to be exploited successfully, it is enough for a potential victim’s device to have its Bluetooth adapter enabled and for the attacker to be within range of it.
Because the processes that make Bluetooth work have elevated privileges in all operating systems, these vulnerabilities can be exploited to give criminals almost full control over an attacked object. BlueBorne vulnerabilities let cybercriminals control devices, spread malicious software among them, gain access to their data and the networks they are connected to, and perform Man-in-The-Middle attacks. These vulnerabilities pose a danger to all Android smartphones, tablets and other devices that have not had the security update dated September 9, 2017, applied to them and to devices that use Bluetooth in anything other than the Bluetooth Low Energy mode.
In addition to cybercriminals using BlueBorne to carry out attacks directly, malicious programs that exploit these vulnerabilities may appear. They will be able to independently spread across Bluetooth channels from one device to another, similar to network worms. The devices most at risk are those that have not obtained security updates from the firmware manufacturers and OS developers.
The Security Auditor bundled with Dr.Web Security Space detects the numerous vulnerabilities that can be present on Android smartphones and tablets, among them the widely known Extra Field, MasterKey, Heartbleed, and a host of others. By the time the updated version of the Auditor was released, the aforementioned BlueBorne vulnerabilities and SIM Toolkit (CVE-2015-3843) had already been added to it.
The SIM Toolkit error in Android lets cybercriminals intercept and fake commands sent by a SIM card to a mobile device and back. That’s why cybercriminals can execute phishing attacks using fraudulent windows and steal confidential information such as login credentials.
To detect BlueBorne on mobile devices, Dr.Web Security Auditor checks whether the Google update is present on devices and warns users of the potential threat if it doesn’t find it. When this and other vulnerabilities are detected, it is recommended that users install all available updates.
October 16, 2017
This malicious program has been added to the Dr.Web virus databases under the name
After the computer is rebooted, the Trojan tries to infect all of the device’s drives with letters from C to Z. For this purpose, it creates a hidden folder, saves a copy of its executable file there (also with the “hidden” attribute), and then creates a link in the root directory of the disk in the form <volume name>.lnk, which refers to the malicious executable file. All files other than .lnk files, VolumeInformation.exe and .vbs files are moved to the hidden folder created earlier.
Then the Trojan attempts to determine the IP address and an open port of the command and control server by sending a request to several Internet services, including pastebin.com, docs.google.com and notes.io. The received value looks as follows:
If the backdoor succeeds in obtaining the IP address and port, it sends a special request to the C&C server. If the Trojan receives a response, it downloads the Python scripts added to the Dr.Web virus databases as
- Steal information from such browsers as Chrome, Opera, Yandex, Amigo, Torch, and Spark;
- Perform the keylogger functions and make screenshots;
- Download additional modules written in Python and execute them;
- Download files and save them on the storage media of the infected device;
- Obtain contents of the specified folder;
- “Travel” across folders;
- Request system information.
Among other matters, structure of
October 12, 2017
As we all know, technology keeps forging ahead. Judging by the content of spam ads, evil-eye-thwarting red threads have gone out of style lately. Network fraudsters have replaced them with miraculous amulet coins that supposedly bring wealth and good luck.
Every aspect of this magical product is wondrous inside and out: beginning with the story invented by mysterious copywriters about the young Russian tsar who was given a miracle-working, enchanted amulet by the deacon of an orthodox monastery (such an amulet was a bulletproof sign of the most real kind of sorcery—sorcery that back in those days was rewarded with a ceremonial impaling before scores of onlookers), and ending with the amusing description of the amulet itself. We pass our mic to the network merchants: “According to ritual, the amulet is manufactured and tied to a specific person, to their Name. The ritual is based on the force of prayers and ancestors. A tsarist coin serves as the basis for the amulet’s creation and the ritual’s conduction. We use only authentic coins from Tsarist times!”. Judging by the Chinese characters on the head side of these “amulets”, these real tsarist coins from ancient times were bought small wholesale exclusively on AliExpress, from where they were delivered to the court. Fraudsters assure readers that the miraculous amulet “attracts positive cash flow” (and, most probably, defers negative cash flow straight into the pockets of network fraudsters). As a result, whoever owns this trinket will surely find a well-paid job, repay their debts, win the lottery, build a house, grow a new liver, and develop chakras on the back of their head. We have no doubt that purchasing the amulet coin will bring wealth. Exclusively to those who sell it for a price that is one and a half dozen times higher than on the Celestial Empire’s online shop.
As the character of a popular fiction series once said, winter is coming. And when it is cold, a beard keeps a guy warm. So second place in our current ratings of absurd online goods is taken by the most authentic “serum for beard growth”.
Sellers of this magical elixir claim that growing such a beautiful beard is really possible; as proof of their statement, they offer a lightly airbrushed stock photo of a man who looks half Santa, half mujahideen. “Olga Alekseeva, a top-class hairdresser”, completely agrees with that. Her enthusiastic review is posted on a website of network merchants—it looks like she has already grown a long and silky beard with the help of this magical “serum” and is now a circus star. Unfortunately, none of Doctor Web’s specialists have had a chance to try this magical “serum for beard growth”, but they will try it first chance they get on an employee who is specially prepared to take on this challenge.
Folk tales say that advertising is usually untruthful. We know at least one example of truthful advertising—the slogan “Everything will stick!”, used by the sellers of an instant adhesive. This superglue does bond absolutely everything together: fingers, hair, clothes—everything except what we’d planned on bonding initially. However, online merchants offer a unique and modern solution for this problem: wondrous instant superglue at the price of a welding machine!
The magical superglue, which is produced, as judged by its price, from an alloy of gold and platinum, has unique properties: it hardens in five seconds and works on various materials, such as plastic, wood, and glass. In other words, it can do exactly the same thing as ordinary 20-ruble glue, except it is 100 times more expensive. It is hard to say whether this unique offer is in demand, but it gave us a good laugh.
Among the other entertaining products advertised by spammers lately, a wonderful device with the mysterious name “multi slicer” is worth a mention. No, it is not a cross between a glass cutter and a multicooker. It is a multifunctional device that has a razor handle, a grater blade, and the price of an airplane.
“For an affordable price you will get a device to slice produce”,—the online merchants inform everybody who has never held a kitchen knife in their life. It is true that slicing produce is a hi-tech process that can only be managed by a specialist with a higher culinary education, and exclusively using this special, certified “device”. But the most important thing is that the “multi slicer” is so omnipurpose, it can even be washed (!) in a dishwasher. Just think of it! Can you imagine? True—today’s dishwasher manuals state that any kitchen utensil can be washed in the dishwasher. One of our employees once accidentally washed his iPhone, and nothing terrible ended up happening to the dishwasher. In contrast to the iPhone. So we are not planning on buying a “multi slicer” yet—we are going to wait until technology reaches the level where it can be washed with a sponge in an ordinary sink.
To conclude this article, we would like to remind our readers once again that questionable offers published on all kinds of trading platforms should be treated with skepticism and a healthy dose of humor. And we, in turn, will continue to add the website addresses of such network “miracle traders” to our database of non-recommended websites.
September 12, 2017
The Trojan at issue is
Doctor Web virus analysts have discovered that cybercriminals are using
Subject: Kendra asked if you like hipster girls
A new girl is waiting to meet you. And she is a hottie! Go here to see if you want to date this hottie (Copy and paste the link to your browser) http://whi*******today.com/ check out sexy dating profiles There are a LOT of hotties waiting to meet you if we are being honest!
According to Doctor Web’s statistics, a device infected with
The number of unique IP addresses of infected devices is shown in the following diagram. It is worth mentioning that the figure shows only the number of bots monitored by Doctor Web analysts. The actual number of infected devices may be higher.
The below illustration shows the geographical locations from which
We can presume that the range of functions implemented by Linux Trojans will be expanded in the future. The Internet of things has long been a focal point for cybercriminals. The wide distribution of malicious Linux programs capable of infecting devices possessing various hardware architectures serves as proof of that.
August 24, 2017
Virus analysts have been familiar with Trojans of the
In addition to the loader for ARM devices, similar modules for devices with the MIPS and MIPSEL architectures have been distributed “in the wild” for over six months already. The first of them is
Statistics collected by Doctor Web specialists show that Mexico ranks first among the countries to which the IP addresses of the devices infected by
The following diagram shows the number of attacks carried out for the purpose of distributing
Doctor Web reminds users that one of the most reliable ways to prevent attacks on Linux devices is to promptly change the default login and password. It is also recommended that users restrict external connections to their devices via the Telnet and SSH protocols and update their firmware promptly. Dr.Web for Linux detects and deletes all the aforementioned versions of
August 21, 2017
Mining Trojans appear regularly, and Doctor Web’s virus analysts have noted a curious trend: the creators of these programs are now targeting the Linux platform. Of late, smart devices running Linux have become very popular, and the owners of such devices do not change the default settings, most notably the administrator login and password. This is why hacking into such devices is not a major problem for cybercriminals.
An analysis of the miner loader has revealed a peculiar feature of this app: in its source code, krebsonsecurity.com is mentioned several times. This website is owned by the well-known cybersecurity expert Brian Krebs. Apparently, the author of the Trojan is his secret admirer.
The Trojan is designed to mine Monero (XMR), a cryptocurrency created in 2014. Currently
August 17, 2017
The Domain Name System (DNS) allows information about domains to be obtained and provides for web addressing. Client software, browsers in particular, use DNS to determine the IP address of a web resource according to the input URL. Usually, domain owners themselves administer DNS servers.
Many web resources use several additional third-level and even fourth-level domains besides the main second-level domain. For example, the drweb.com domain uses the vms.drweb.ru subdomains. They contain a website that allows users to check a link or a file or to find a virus description. The domain free.drweb.ru is for the webpage of Dr.Web CureIt!; updates.drweb.com is for the Dr.Web update system page, etc. Various technical and support services are usually implemented with the use of such domains. Such services include a website administration and management system, online banking systems, mail server web interfaces and all kinds of internal websites for company staff. Subdomains can also be used to organize version control systems, bug trackers, various monitoring services, wiki resources and other needs.
When attacking websites for the purpose of compromising them, cybercriminals first collect information about the web resources they are targeting. In particular, they attempt to determine the type and version of the web server hosting a website. They also try to identify the content management system version, the engine’s programming language and other technical information, including the list of subdomains of the attacked website’s main domain. Using this list, cybercriminals can try to get into the web resource’s infrastructure through a “back door” by guessing account credentials and logging into one of the internal private services. Many system administrators do not pay due attention to the security of such resources. Meanwhile, such “internal” websites may run outdated software containing known vulnerabilities, expose debugging information, or allow open registration. All of that can significantly simplify the work of cybercriminals.
If the DNS servers serving a website are configured correctly, cybercriminals will not be able to obtain the domain zone information they request. However, if the DNS server settings are incorrect, a zone transfer (AXFR) request allows cybercriminals to obtain the full list of subdomains registered in the domain zone. An incorrect DNS server configuration is not in itself a vulnerability; however, it can be the indirect cause of a web resource becoming compromised.
Doctor Web security analysts conducted research on the DNS server configurations of numerous Russian banks and governmental organizations. They found that 89 of the roughly 1,000 Russian bank domains they checked gave out the domain zone in response to external AXFR requests. This information was sent to the Bank of Russia’s Financial Sector Computer Emergency Response Team (FinCERT). In addition, incorrect settings were detected on the websites of several governmental organizations. Doctor Web reminds website administrators that correct DNS configuration is one factor contributing to web resource security.
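The check behind these findings can be reproduced against a nameserver you administer. The following script is an added example, not Doctor Web's tooling: it builds a raw AXFR question over TCP with the standard library only and classifies the first message the server returns, so that a REFUSED or NOTAUTH reply (the correct outcome) is distinguished from a reply that starts handing out records (the misconfiguration described above). The server and zone names are command-line arguments you supply; the transaction id and the sample replies in the test are constructed values.

```python
import socket
import struct

AXFR_QTYPE = 252  # RFC 1035 zone transfer query type
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(zone):
    """Encode 'example.com' as DNS wire-format labels."""
    out = b""
    for label in zone.strip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("invalid DNS label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """12-byte header (flags 0: plain query) plus one question, type AXFR, class IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", AXFR_QTYPE, 1)


def assess_first_message(msg, txid=0x1234):
    """Classify the first DNS message returned for the AXFR question.

    A server that honours the transfer answers with RCODE 0 and at least one
    record (the zone's SOA) in the first message; a correctly locked-down
    server answers REFUSED (5) or NOTAUTH (9) with no answer records.
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x0F
    return {"rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "answers": an,
            "transfer_allowed": rcode == 0 and an > 0}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def check_zone_transfer(server, zone, timeout=5.0):
    """Send one AXFR query over TCP (2-byte length prefix) and assess the reply."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", _recv_exact(s, 2))[0]
        return assess_first_message(_recv_exact(s, length))


if __name__ == "__main__":
    import sys
    # usage: python axfr_check.py <nameserver> <zone>
    print(check_zone_transfer(sys.argv[1], sys.argv[2]))
```

Only the first response message is read on purpose: that is enough to tell whether the server is willing to transfer, and it avoids pulling a whole zone. The same result can be obtained with `dig @<nameserver> <zone> AXFR`; the point of the script is to make the wire-level distinction between "refused" and "transferred" explicit. The fix on the server side is to restrict transfers to the secondary servers' addresses (or to disable them entirely).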
August 2, 2017
Apparently, to distribute these scam mailings, cybercriminals use the contact database of domain administrators registered with RU-CENTER. The cybercriminals refer to some changes in the ICANN rules and ask the domain administrator to create a PHP file with specified contents in the root directory of the website. Creating this file is supposed to confirm the email recipient’s right to use the domain. The email itself carries the RU-CENTER logo and is sent purportedly on its behalf.
The file the recipient is asked to save in the root directory contains a command that executes arbitrary code passed in a request variable. Cybercriminals can send this code to the script on the server in a GET or POST request. Doctor Web specialists warn that complying with the cybercriminals’ instructions will lead to the website being compromised. If you receive such an email, ignore it. If you believe the sender really is the domain name registrar, verify this with the registrar’s technical support service.
July 27, 2017
Unlike other Trojans of this family that try to get root privileges to perform malicious actions,
After the initialization, the malicious program sets up some parameters, creates a working directory, and checks in what environment it is running. If the Trojan is in the Dalvik environment, it intercepts one of the system methods, which allows it to track the start of all applications and perform malicious activity immediately after they start.
The main function of
As a result,
July 24, 2017
Doctor Web first reported
Recent research results have shown that an ePrica component was downloading and launching the Trojan onto targeted systems. Drugstore managers use this software component to analyze drug prices and choose the best suppliers. This module downloaded the
A further analysis of the application showed that
The module runmod.exe launches these plugins: when the server commands it to, it decrypts them and runs them in memory. After that they copy database information, which is then sent to a remote server. The indicated application component is signed with the certificate of “Protek”—a group of companies that includes “Spargo Tekhnologii”, ePrica’s developer.
It is important to note that even after ePrica is removed, the backdoor stays in the system and continues to spy on users. It is possible that
Its installer version 184.108.40.206, in which the Trojan modules were found, was released on November 18, 2013, while some of the backdoor’s files date back to 2010. Thus, the copying of drugstore and pharmaceutical company procurement information could have started at least a year before the backdoor was first detected.
More detailed information on the ePrica installer containing
July 18, 2017
Android.BankBot.211.origin is distributed under the guise of benign programs, for example, as Adobe Flash Player. Once a user installs and launches the Trojan, the banker tries to gain access to the Accessibility Service. For this purpose, Android.BankBot.211.origin displays a window with a request that reappears at every attempt to close it and doesn’t allow the device to be used.
The Accessibility Service makes it easier to work with Android smartphones and tablets and is used in a variety of ways, including to help people with disabilities. It allows programs to independently click on different interface elements, such as buttons in dialog boxes and system menus. The Trojan forces the user to grant it these rights and uses them to independently add itself to the device administrator list. Then Android.BankBot.211.origin establishes itself as the default message manager and gains access to the screen capture function. All these actions are accompanied by a display of system requests that can be overlooked entirely because the malicious program immediately confirms them. If, at a later stage, the device owner tries to disable any function obtained by Android.BankBot.211.origin, the banker forbids it and returns the user to previous system menus.
After a successful infection, the Trojan connects to its command and control service, registers the mobile device there, and awaits further commands. Android.BankBot.211.origin can execute the following actions:
- Send an SMS containing a specific text to the number specified in the command;
- Send to the server SMS data stored in the device memory;
- Forward to the server information about the installed applications, the contact list, and phone call data;
- Open the link specified in a command;
- Change the address of the command center.
In addition, the malicious program tracks all incoming SMS and sends them to cybercriminals.
Besides the standard commands, cybercriminals can send the Trojan special orders. They contain encrypted information about the applications the banker is supposed to attack. Once Android.BankBot.211.origin receives such commands, it can:
- Display fake input forms for login credentials on top of launched banking programs;
- Display a phishing dialog asking users to input their bank card details (for example, when making a purchase on Google Play);
- Block the operation of anti-viruses and other applications that could interfere with the Trojan’s work.
Android.BankBot.211.origin can attack users of any applications. Cybercriminals just have to update the configuration file with the list of targeted programs. The banker receives this list once connected to the command and control server. When the Trojan was first observed, cybercriminals were interested only in customers of Turkish banks. However, later on the list was expanded to include residents of other countries, including Germany, Australia, Poland, France, the United Kingdom, and the USA. At the moment this news article was posted, the list of programs attacked by the Trojan contained more than 50 applications designed to operate with payment systems, remote banking services (RBS), and other software.
Examples of the fraudulent windows Android.BankBot.211.origin can display:
The Trojan also collects information about all launched applications and user’s actions performed within them. For example, it tracks available text fields, such as menu elements, and logs key strokes and other components of the user interface.
Moreover, Android.BankBot.211.origin is capable of stealing login credentials and other authentication information entered by users in any program or on any website during authorization. To steal passwords, the Trojan takes a screenshot at every keystroke; as a result, it captures the required sequence of characters before they are masked. After that, the information entered into the displayed fields and all the saved screenshots are sent to the command and control server.
Due to the fact that Android.BankBot.211.origin prevents anyone from removing it, the following actions must be performed in order to combat it:
- Load an infected smartphone or tablet in safe mode;
- Log into the system settings and go to the list of device administrators;
- Find the Trojan in this list and recall the corresponding rights (here the malicious program will try to frighten the device’s owner by warning them about the possible loss of all of their important data, but this is just a trick—the files are in no danger);
- Restart the device, perform a full anti-virus scan on it, and remove the Trojan after the scanning is complete.
All known versions of Android.BankBot.211.origin are successfully detected by Dr.Web Anti-virus; therefore, this banker does not pose any threat to our users.
July 13, 2017
When the website was compromised and how this attack vector was used in the past cannot currently be determined. There are at least 15 domain addresses registered by an unknown individual. The malicious code forces the browser of any visitor to the website to covertly connect to one of them. These domains can reply with any document of their own, from a fraudulent input form for entering bank card details to exploit code aimed at gaining access to a visitor’s computer.
While a website page requested by a user is being generated dynamically, an <iframe> container is added to the website code. It allows any external data to be downloaded or requested from the user’s browser. Currently, the security researchers have detected at least 15 domains. Among them are m3oxem1nip48.ru, m81jmqmn.ru and other addresses with intentionally meaningless names. At least five of them belong to address ranges of companies registered in the Netherlands. Over the past day, requests to these domains have either failed, because the security certificates of most of these websites have expired, or have returned no malicious code. However, there is nothing to prevent the domain owners from renewing the certificates at any moment and publishing malicious code on these domains.
Currently, the website gosuslugi.ru is still compromised. Information has been sent to the website’s technical support service, but it has yet to confirm that it has launched an investigation and initiated measures to prevent such incidents in the future. Doctor Web recommends that users be careful when using the Government Services Portal of the Russian Federation until the situation is resolved. Doctor Web, Ltd., recommends that the administration of the website gosuslugi.ru and the relevant authorities perform a security check on the website.
Any user can check for the code’s presence themselves by using a search tool and making the following request:
UPDATE: The potentially malicious code was removed from gosuslugi.ru approximately 3 hours after this article was published.
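An injected container of the kind described above can be spotted in a saved copy of a page by listing every <iframe> whose source lies outside the site's own origin, and noting which of them are zero-sized or hidden, the usual shape of a covert loader. The script below is an added example and not Doctor Web's check (the article's own search request is not reproduced here); the sample page is constructed, the analytics host and the path on m3oxem1nip48.ru are placeholders, and only the Python standard library is used.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # HTMLParser lower-cases tag and attribute names; a bare
            # attribute (no value) arrives as None, normalised to "" here
            self.iframes.append({k: (v or "") for k, v in attrs})


def _looks_hidden(attrs):
    """Zero-size or display:none frames are the usual shape of injected loaders."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width", "").strip() in ("0", "0px")
            or attrs.get("height", "").strip() in ("0", "0px")
            or "display:none" in style
            or "visibility:hidden" in style)


def off_origin_iframes(html_text, page_host, allowed_hosts=()):
    """Return iframes whose src points outside page_host and its subdomains
    and outside an explicit allow-list of known third parties.

    Relative src values (no host) are same-origin and skipped; scheme-relative
    values ("//host/path") are resolved by urlparse and checked like the rest.
    """
    parser = IframeCollector()
    parser.feed(html_text)
    page_host = page_host.lower()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "").strip()
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue
        if host == page_host or host.endswith("." + page_host) or host in allowed_hosts:
            continue
        findings.append({"src": src, "host": host, "hidden": _looks_hidden(attrs)})
    return findings


# Constructed sample page: a legitimate same-origin frame, an allow-listed
# third-party frame, and an injected hidden frame pointing at one of the
# domains named in the article (the path is a made-up placeholder).
SAMPLE_HTML = """
<html><body>
<iframe src="/widgets/notifications.html" width="300" height="80"></iframe>
<iframe src="https://stats.example-analytics.test/c.html"></iframe>
<iframe src="https://m3oxem1nip48.ru/PLACEHOLDER_PATH" width="0" height="0"
        style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in off_origin_iframes(SAMPLE_HTML, "gosuslugi.ru",
                                      allowed_hosts={"stats.example-analytics.test"}):
        print(finding)
```

Because the container is added while the page is generated dynamically, the check has to run against the HTML the server actually returns (a fresh download or the browser's view-source), not against the site's source code in a repository. Maintaining the allow-list of legitimate third-party frames is what keeps the output short enough to read on every run.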
July 5, 2017
The malicious application, dubbed
In contrast with the standard update procedure, when an old version of an application is entirely replaced with a new one, the SDK indicated above allows needed components to be loaded separately without reinstalling the entire software package. This allows developers to keep the version of software installed on mobile devices current even if users do not keep track of the release of new versions. However, Excelliance operates as a loader Trojan because it can download and run unchecked application components. This update method violates Google Play rules because it is dangerous.
The Trojan module tracks network activity and tries to connect to its command and control server. Depending on the server settings,
Besides the application’s additional resources and updates,
Meanwhile, while the downloaded APK files are being installed, the user sees a standard dialog box; however, if
Doctor Web specialists have informed Google about the dangerous behavior of the Trojan component in SDK, which is used in the game BlazBlue. However, at the moment this news article was posted, the game version containing
Applications containing this Trojan are successfully detected by Dr.Web for Android anti-virus products as
July 4, 2017
The reports state that
Doctor Web specialists noted this registry key because Trojan.Encoder.12703 uses the same path for its operation. An analysis of the Dr.Web Anti-virus log obtained from one of our customer’s computers showed that Trojan.Encoder.12703 was launched on the infected machine by the application ProgramData\Medoc\Medoc\ezvit.exe, which is a component of M.E.Doc:
id: 425036, timestamp: 15:41:42.606, type: PsCreate (16), flags: 1 (wait: 1), cid: 1184/5796:\Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe
source context: start addr: 0x7fef06cbeb4, image: 0x7fef05e0000:\Device\HarddiskVolume3\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
created process: \Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe:1184 --> \Device\HarddiskVolume3\Windows\System32\cmd.exe:6328
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0
curdir: C:\Users\user\Desktop\, cmd: "cmd.exe" /c %temp%\wc.exe -ed BgIAAACkAABSU0ExAAgAAAEAAQCr+LiQCtQgJttD2PcKVqWiavOlEAwD/cOOzvRhZi8mvPJFSgIcsEwH8Tm4UlpOeS18o EJeJ18jAcSujh5hH1YJwAcIBnGg7tVkw9P2CfiiEj68mS1XKpy0v0lgIkPDw7eah2xX2LMLk87P75rE6 UGTrbd7TFQRKcNkC2ltgpnOmKIRMmQjdB0whF2g9o+Tfg/3Y2IICNYDnJl7U4IdVwTMpDFVE+q1l+Ad9 2ldDiHvBoiz1an9FQJMRSVfaVOXJvImGddTMZUkMo535xFGEgkjSDKZGH44phsDClwbOuA/gVJVktXvD X0ZmyXvpdH2fliUn23hQ44tKSOgFAnqNAra
status: signed_microsoft, script_vm, spc / signed_microsoft / clean
id: 425036 ==> allowed , time: 0.285438 ms
2017-Jun-27 15:41:42.626500  [INF]  [arkdll]
id: 425037, timestamp: 15:41:42.626, type: PsCreate (16), flags: 1 (wait: 1), cid: 692/2996:\Device\HarddiskVolume3\Windows\System32\csrss.exe
source context: start addr: 0x7fefcfc4c7c, image: 0x7fefcfc0000:\Device\HarddiskVolume3\Windows\System32\csrsrv.dll
created process: \Device\HarddiskVolume3\Windows\System32\csrss.exe:692 --> \Device\HarddiskVolume3\Windows\System32\conhost.exe:7144
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 0, new: 0, dbg: 0, wsl: 0
curdir: C:\windows\system32\, cmd: \??\C:\windows\system32\conhost.exe "1955116396976855329-15661177171169773728-1552245407-149017856018122784351593218185"
status: signed_microsoft, spc / signed_microsoft / clean
id: 425037 ==> allowed , time: 0.270931 ms
2017-Jun-27 15:41:43.854500  [INF]  [arkdll]
id: 425045, timestamp: 15:41:43.782, type: PsCreate (16), flags: 1 (wait: 1), cid: 1340/1612:\Device\HarddiskVolume3\Windows\System32\cmd.exe
source context: start addr: 0x4a1f90b4, image: 0x4a1f0000:\Device\HarddiskVolume3\Windows\System32\cmd.exe
created process: \Device\HarddiskVolume3\Windows\System32\cmd.exe:1340 --> \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\wc.exe:3648
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0
curdir: C:\Users\user\Desktop\, cmd: C:\Users\user\AppData\Local\Temp\wc.exe -ed BgIAAACkAABSU0ExAAgAAAEAAQCr+LiQCtQgJttD2PcKVqWiavOlEAwD/cOOzvRhZi8mvPJFSgIcsEwH8Tm4UlpOeS18oE JeJ18jAcSujh5hH1YJwAcIBnGg7tVkw9P2CfiiEj68mS1XKpy0v0lgIkPDw7eah2xX2LMLk87P75rE6U GTrbd7TFQRKcNkC2ltgpnOmKIRMmQjdB0whF2g9o+Tfg/3Y2IICNYDnJl7U4IdVwTMpDFVE+q1l+Ad92 ldDiHvBoiz1an9FQJMRSVfaVOXJvImGddTMZUkMo535xFGEgkjSDKZGH44phsDClwbOuA/gVJVktXvDX 0ZmyXvpdH2fliUn23hQ44tKSOgFAnqNAra
fileinfo: size: 3880448, easize: 0, attr: 0x2020, buildtime: 01.01.2016 02:25:26.000, ctime: 27.06.2017 15:41:42.196, atime: 27.06.2017 15:41:42.196, mtime: 27.06.2017 15:41:42.196, descr: wc, ver: 220.127.116.11, company: , oname: wc.exe
hash: 7716a209006baa90227046e998b004468af2b1d6 status: unsigned, pe32, new_pe / unsigned / unknown
id: 425045 ==> undefined , time: 54.639770 ms
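The parent-child chain recorded in this log (ezvit.exe launching cmd.exe, which in turn starts an unsigned wc.exe from the Temp folder) is exactly the kind of event a defender can flag automatically. The Python below is an added example, not Doctor Web's code: it parses constructed records modelled on the log above (the long base64 argument is replaced by a placeholder) and raises two alerts, one for a business application under ProgramData spawning a command shell and one for an unsigned, never-before-seen executable started from a Temp directory.

```python
import re

# Constructed sample, modelled on the Dr.Web arkdll PsCreate records quoted
# above; the long base64 argument passed to wc.exe is replaced by a placeholder.
SAMPLE_LOG = r"""
id: 425036, timestamp: 15:41:42.606, type: PsCreate (16), flags: 1 (wait: 1), cid: 1184/5796:\Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe
created process: \Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe:1184 --> \Device\HarddiskVolume3\Windows\System32\cmd.exe:6328
curdir: C:\Users\user\Desktop\, cmd: "cmd.exe" /c %temp%\wc.exe -ed <BASE64-PLACEHOLDER>
status: signed_microsoft, script_vm, spc / signed_microsoft / clean
id: 425036 ==> allowed , time: 0.285438 ms
id: 425037, timestamp: 15:41:42.626, type: PsCreate (16), flags: 1 (wait: 1), cid: 692/2996:\Device\HarddiskVolume3\Windows\System32\csrss.exe
created process: \Device\HarddiskVolume3\Windows\System32\csrss.exe:692 --> \Device\HarddiskVolume3\Windows\System32\conhost.exe:7144
status: signed_microsoft, spc / signed_microsoft / clean
id: 425037 ==> allowed , time: 0.270931 ms
id: 425045, timestamp: 15:41:43.782, type: PsCreate (16), flags: 1 (wait: 1), cid: 1340/1612:\Device\HarddiskVolume3\Windows\System32\cmd.exe
created process: \Device\HarddiskVolume3\Windows\System32\cmd.exe:1340 --> \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\wc.exe:3648
hash: 7716a209006baa90227046e998b004468af2b1d6 status: unsigned, pe32, new_pe / unsigned / unknown
id: 425045 ==> undefined , time: 54.639770 ms
"""

REC_START = re.compile(r"^id: (\d+), timestamp: (\S+), type: PsCreate")
CREATED = re.compile(r"^created process: (.+?):\d+ --> (.+?):\d+$")
FIELDS = {"status": re.compile(r"status: (.+)$"), "cmd": re.compile(r", cmd: (.+)$")}

def parse_records(text):
    """Group the log lines into one dict per PsCreate record."""
    records, cur = [], None
    for line in text.splitlines():
        if m := REC_START.match(line):
            cur = {"id": m.group(1), "time": m.group(2)}
            records.append(cur)
        elif cur is not None and (m := CREATED.match(line)):
            cur["parent"], cur["child"] = m.group(1), m.group(2)
        elif cur is not None:
            for key, rx in FIELDS.items():
                if m := rx.search(line):
                    cur[key] = m.group(1)
    return records

def analyze(text):
    """Two defender-side rules derived from the chain shown in the log above:
    a business application under ProgramData spawning cmd.exe, and an
    unsigned, never-seen PE being started from a Temp directory."""
    alerts = []
    for rec in parse_records(text):
        parent, child = rec.get("parent", "").lower(), rec.get("child", "").lower()
        status = rec.get("status", "").lower()
        if "\\programdata\\" in parent and child.endswith("\\cmd.exe"):
            alerts.append({"id": rec["id"], "rule": "app-spawns-shell",
                           "detail": rec.get("cmd", child)})
        if "\\temp\\" in child and "unsigned" in status:
            alerts.append({"id": rec["id"], "rule": "unsigned-temp-binary",
                           "detail": child})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["id"], alert["rule"], alert["detail"])
```

The benign csrss.exe to conhost.exe record passes both rules, so the output lists only the two records from the M.E.Doc chain.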
The file ZvitPublishedObjects.dll, which was requested from the infected machine, had the same hash as a sample examined in the Doctor Web virus laboratory. Thus, our security researchers concluded that the M.E.Doc update module, which is implemented as the dynamic library ZvitPublishedObjects.dll, contains a backdoor. Further research showed that this backdoor can execute the following functions in the infected system:
- Collect data for accessing mail servers;
- Execute arbitrary commands in the infected system;
- Load arbitrary files to the infected computer;
- Load, save and start any executable files;
- Upload arbitrary files to a remote server.
The following code fragment of the M.E.Doc update module is rather distinctive: it allows the payload to be launched using the tool rundll32.exe with the parameter #1:
This is exactly how the encryption Trojan, known as NePetya, Petya.A, ExPetya and WannaCry-2 (
Reuters published an interview with the developers of M.E.Doc who stated that their application contains no malicious functions. Because of that, and also taking into account the results of a static code analysis, Doctor Web security researchers concluded that some unidentified cybercriminals infected one of M.E.Doc’s components with the malicious program. This component was added to the Dr.Web virus databases under the name
June 29, 2017
The security researchers who examined
Back in 2012, Doctor Web security researchers detected a targeted attack on drugstores and pharmaceutical companies that involved the use of a malicious program called
Doctor Web specialists conducted an investigation lasting four years. One of the affected companies provided its hard drives which had been compromised by
The similarity of these two cases shows that software development infrastructure requires a heightened level of information security awareness. Above all, the update process of any commercial software should be closely scrutinized by both users and the developers themselves. The update tools of some programs have the right to install and launch executable files in the operating system, which can be an unexpected source of infection. In the case of M.E.Doc, the infection was caused by cybercriminals hacking into and compromising an update server. In the case of
June 28, 2017
At the moment, it is known that the Trojan has infected computers by exploiting the same vulnerabilities exploited by cybercriminals during the WannaCry attack. The spread of
In its body, the Trojan contains four compressed resources. Two of them are the 32-bit and 64-bit versions of the Mimikatz tool, which is designed to intercept the passwords of open Windows sessions. Depending on the bitness of the operating system, the Trojan unpacks the appropriate version of Mimikatz, saves it to a temporary folder and runs it. Using Mimikatz and some other methods,
The encoder checks whether it has already been launched by looking for a file it saves to the C:\Windows\ folder. The file name matches the Trojan's own file name without the extension. Since the worm sample currently spreading is named perfc.dat, the file that prevents its launch is C:\Windows\perfc. However, if the cybercriminals change the Trojan's file name, creating C:\Windows\perfc (as many anti-virus developers advise) will not save a computer from infection. In addition, the Trojan checks for the file only if it has sufficient privileges to do so.
Once launched, the Trojan adjusts its privileges, loads a copy of itself into memory and passes control to that copy. The encoder then overwrites its own file with junk data and deletes it. First,
The Trojan encrypts files only on fixed drives. The data on each drive is encrypted in a separate thread. Files are encrypted with the AES-128-CBC algorithm, and a separate key is generated for each drive (a characteristic feature of the Trojan that other specialists have not noted). This key is encrypted with the RSA-2048 algorithm (other researchers report that an 800-bit key is used) and saved to a file named README.TXT in the root folder of the system drive. No additional extension is appended to the encrypted files.
After the computer is rebooted by the scheduled task the Trojan created, control passes to the Trojan's boot record, which displays on screen a text imitating the output of the standard CHKDSK tool.
Power down your computer immediately if you see the CHKDSK text at system startup. In this case the boot records will be damaged, but they can be repaired with the Windows recovery tool or the Recovery Console if you boot the computer from the installation media. Normally, recovery of the boot record is possible in Windows 7 and later if the hidden partition containing the backup copy of the critical data is present on the drive. You can also use Dr.Web LiveDisk: create a boot CD or boot USB drive, start the operating system from this removable media, run the Dr.Web scanner, scan the infected drive and choose the Neutralize action for the detected threats.
According to some sources, the only email address used by the cybercriminals behind
To avoid infection by
June 27, 2017
According to our information security specialists, the Trojan spreads on its own, just like the infamous WannaCry, but there is no precise data yet on whether it uses the same distribution mechanism. Our security researchers are currently examining the new Trojan; details will follow. Some mass media sources draw parallels with the Petya ransomware (Dr.Web detects it as Trojan.Ransom.369) because the two look alike in operation. However, the new threat's distribution method differs from Petya's usual pattern.
Today, June 27, at 4:30 p.m., this encryption ransomware was added to the Dr.Web virus databases as
Doctor Web advises all users to be vigilant and refrain from opening suspicious emails (this measure is necessary but not sufficient on its own). It is essential to make backup copies of critically important data and to install all software security updates. Having an anti-virus installed is also crucial.
June 23, 2017
During May 2017, in Ukraine, access to the services of several Russian companies was restricted by Presidential Decree. Among those companies were the social networks “VK” and “Odnoklassniki”. This has led to the growth in popularity of methods that allow people to bypass blocking measures—for example, the Tor browser, VPN services, and anonymizers. In addition, new programs offering similar functionality have started cropping up. However, by no means are all these latest programs safe.
Doctor Web specialists have found several applications on Google Play that allow people to work with the blocked “VK” and “Odnoklassniki” websites. To access these social networks, owners of Android devices are asked to input their login credentials; after that the programs log into the user’s account, bypassing blocking measures. Doctor Web security researchers have detected eight such programs, which are being distributed by these developers: JDX Studio, Soukaina Bousfiha, Zikolabs, Boubakri yassir, affzakanab, and simon faiz.
All these applications look exceedingly similar. They are installed on mobile devices as programs with the names «ВК В Украина», «ВК Украина», «ВК Украина 2», «ОК Украина», «Украина ОК», «ВК VPN Украина.», «ВК Украiна» and «ВК Украина VPN» and have similar shortcuts. At least 122,000 users have downloaded these applications, and each of them risks having their personal data leaked.
The problem is that to circumvent the blocking measures put in place by social media websites, this software redirects traffic through an online anonymizer. Anonymizers are special servers that process network requests and also hide information about a computer or a mobile device in order to bypass restrictions that prevent the visitation of blocked Internet resources. Such services are in demand, for example, among users of corporate networks where system administrators have restricted access to social network domains at the gateway level.
The unencrypted login credentials input by users are sent to an anonymizing server so there is nothing to prevent the server’s owners from using the information it receives for illegal purposes. For example, these server owners can log into a social network as a user and send messages without that user’s knowledge; they can add friends, join groups, read correspondence, go through photos, etc. The user doesn’t know that they have logged into the social network via a third-party domain because the applications don’t display an address bar. Any subsequent activity conducted on the “VK” and “Odnoklassniki” websites via this software is also unencrypted, which allows all actions performed in these social networks to be monitored.
Even assuming that an anonymizing server’s owners have taken such an irresponsible approach to protecting confidential data through sheer error or elementary ignorance of information security basics, there is no guarantee that cybercriminals won’t intercept the unencrypted network traffic.
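The two weaknesses just described, credentials sent unencrypted and sent to a host other than the social network itself, can be checked against captured traffic. The Python below is an added example, not part of the original article; the first-party host names, the credential field names and the captured requests are all constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed first-party login hosts for the two social networks (assumption, not
# taken from the article) and form field names that usually carry credentials.
FIRST_PARTY_HOSTS = {"vk.com", "ok.ru"}
CREDENTIAL_FIELDS = {"email", "login", "username", "pass", "password"}

def is_first_party(host):
    """True for a first-party host or any of its subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY_HOSTS)

def assess_request(url, body):
    """Return the findings for one captured form submission: which credential
    fields it carries, whether it travels in cleartext, and whether it goes to a
    host other than the social network the app claims to log into."""
    parts = urlsplit(url)
    fields = {k.lower() for k, _ in parse_qsl(body)}
    creds = sorted(fields & CREDENTIAL_FIELDS)
    findings = []
    if creds and parts.scheme != "https":
        findings.append("credentials-in-cleartext")
    if creds and not is_first_party(parts.hostname or ""):
        findings.append("credentials-to-third-party")
    if not creds and parts.scheme != "https":
        # No password here, but the logged-in session itself is readable on the wire.
        findings.append("session-in-cleartext")
    return {"host": parts.hostname, "credential_fields": creds, "findings": findings}

# Constructed captures: what a reviewer would see on the wire for the kind of
# app described above, versus a direct HTTPS login to the site itself.
CAPTURES = [
    ("http://anonymizer.example/vk/login", "email=user%40example.com&pass=s3cret"),
    ("https://login.vk.com/?act=login", "email=user%40example.com&pass=s3cret"),
    ("http://anonymizer.example/vk/feed", "act=get_feed&offset=20"),
]

if __name__ == "__main__":
    for url, body in CAPTURES:
        print(url, assess_request(url, body)["findings"])
```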
As usage of the programs indicated could lead to a leak of personal information, Dr.Web Anti-virus detects them as the potentially dangerous applications
To protect themselves, users of blocked online resources should avoid suspicious applications and services for bypassing access restrictions. Safer alternatives are available on the market, among them commercial and free VPN (Virtual Private Network) services and proxy servers.
All known versions of
June 20, 2017
Security specialists view this case as an ordinary ransomware attack: neglected software updates, configuration flaws, and so on. But it involved the largest ransom ever paid to extortionists, and it is the most successful attack on Linux to date.
Who is to blame?
- The hosting provider didn't offer to create backups for its customers and didn't establish a system to switch to if the existing infrastructure failed.
- Their customers relied upon the hosting infrastructure and didn't back up their data.
Successful attacks have been mounted against cloud service providers before, but none have drawn so much attention.
Doctor Web expects a sharp increase in the number of similar incidents.
And that’s because success stories of this sort encourage numerous copycats to appear. Perhaps, later on, the wave of attacks on providers of all kinds will decrease—or, perhaps, it will become a new trend just like the attacks on Linux did. It is too early to make predictions.
- If you store your data in a cloud and don't make backups, start doing it now, and make sure that you store them on servers belonging to a different provider, at home or in a different location.
- If you rent a cloud-based server, site, or service, it doesn't mean that you don't have to protect your data. Security is your concern. In addition to making backups, you need at minimum an anti-virus. One on your PC and in the cloud.
Dr.Web Server Security Suite (protects servers against malware) and Dr.Web Gateway Security Suite (scans inbound traffic and blocks access to dubious sites on the Internet) can protect a service provider's infrastructure.
Dr.Web Enterprise Security Suite products provide protection for all corporate customers regardless of company size. Please pay special attention to the fact that anti-virus protection is necessary on the provider's end as well as on the customers' end (the corporate network and employee computers). This is the only way to protect against man-in-the-middle attacks.
June 19, 2017
The Trojan, named
Once launched, the Trojan offers to check how popular the mobile device owner is among other Telegram users. To do that, it asks the owner for their personal ID. After the victim inputs any information in the corresponding form,
After removing the shortcut,
Below are examples of files that have been transmitted by
Once the confidential information is stolen,
- call — make a phone call;
- sendmsg — send an SMS;
- getapps — forward information about the installed applications to the server;
- getfiles — forward information about all the available files to the server;
- getloc — forward device location information to the server;
- upload — upload to the server the file that is indicated in a command and stored on the device;
- removeA — delete from the device the file specified in a command;
- removeB — delete a file group;
- lstmsg — forward to the server the file containing information about all the sent and received SMS, including sender and recipient phone numbers, and message contents.
When each command is executed, the malicious program reports this information back to the cybercriminals’ Telegram bot.
Besides collecting confidential data when commanded to do so by cybercriminals,
Doctor Web security researchers are warning users that cybercriminals often distribute malicious applications under the guise of benign programs. To protect their devices from Android Trojans, users should install software distributed only by reliable developers and download it from such dependable sources as Google Play. All known versions of
June 15, 2017
This malicious program, designed for mining the Monero (XMR) cryptocurrency, was dubbed
The main module, which mines the Monero cryptocurrency, is also implemented as a library, and the Trojan contains both 32- and 64-bit versions of the miner; which one is used on the infected computer depends on the bitness of the operating system. The module's configuration specifies how many processor cores and how much computing power will be devoted to mining, the intervals at which the miner automatically restarts, and other parameters. The Trojan tracks the processes running on the infected computer and shuts itself down when an attempt is made to launch the Task Manager.
Despite the fact that the first mining Trojans were detected over six years ago (the signature for
June 5, 2017
The first of the two was added to the Dr.Web virus databases under the name
The other Trojan was named
A significant portion of the attacked IP addresses is located in Russia. In second place is China, and in third place—Taiwan. The below illustration shows the geographical locations from which
The Trojan uses a range of methods to detect honeypots, the decoy servers that security specialists use to study malicious software. Once launched, it connects to its command and control server and, after receiving confirmation from it, runs a SOCKS proxy server on the infected device. Cybercriminals can use this Trojan to remain anonymous online.
Both of these Trojans are successfully detected and removed by Dr.Web products for Linux, and, therefore, they pose no threat to our users.
May 25, 2017
Doctor Web security researchers registered the first attacks of this Trojan from the
All the scripts included in
One of the
The danger of
Doctor Web’s specialists have collected statistics on the unique IP addresses of devices infected with
Doctor Web security researchers are familiar with several modifications of