Real-time threat news
June 20, 2017
Security specialists view this case as an ordinary ransomware attack. Neglected software updates, configuration flaws, etc. But this is the largest ransom amount that has ever been paid to extortionists. And the most successful attack on Linux.
Who is to blame?
- The hosting provider didn't offer to create backups for its customers and didn't establish a«system to switch to if the existing infrastructure failed.
- Their customers relied upon the hosting infrastructure and didn't back up their data.
Successful attacks have been mounted against cloud service providers before, but none have drawn so much attention.
Doctor Web expects a sharp increase in the number of similar incidents.
And that’s because success stories of this sort encourage numerous copycats to appear. Perhaps, later on, the wave of attacks on providers of all kinds will decrease—or, perhaps, it will become a new trend just like the attacks on Linux did. It is too early to make predictions.
- If you store your data in a cloud and don't make backups, start doing it now, and make sure that you store them on servers belonging to a different provider, at home or in a different location.
- If you rent a cloud-based server, site, or service, it doesn't mean that you don't have to protect your data. Security is your concern. In addition to making backups, you need at minimum an anti-virus. One on your PC and in the cloud.
Dr.Web Server Security Suite (protects servers against malware) and Dr.Web Gateway Security Suite (scans inbound traffic and blocks access to dubious sites on the Internet) can provide protection for a service providers' infrastructure.
Dr.Web Enterprise Security Suite products provide protection for all corporate customers regardless of company size. Please pay special attention to the fact that anti-virus protection is necessary on the provider's end as well as on the customers' end (the corporate network and employee computers). This is the only way to protect against man-in-the-middle attacks..
June 19, 2017
The Trojan, named
Once launched, the Trojan offers to check how popular the mobile device owner is among other Telegram users. To do that, it asks the owner for their personal ID. After the victim inputs any information in the corresponding form,
After removing the shortcut,
Below are examples of files that have been transmitted by
Once the confidential information is stolen,
- call — make a phone call;
- sendmsg — send an SMS;
- getapps — forward information about the installed applications to the server;
- getfiles — forward information about all the available files to the server;
- getloc — forward device location information to the server;
- upload — upload to the server the file that is indicated in a command and stored on the device;
- removeA — delete from the device the file specified in a command;
- removeB — delete a file group;
- lstmsg — forward to the server the file containing information about all the sent and received SMS, including sender and recipient phone numbers, and message contents.
When each command is executed, the malicious program reports this information back to the cybercriminals’ Telegram bot.
Besides collecting confidential data when commanded to do so by cybercriminals,
Doctor Web security researchers are warning users that cybercriminals often distribute malicious applications under the guise of benign programs. To protect their devices from Android Trojans, users should install software distributed only by reliable developers and download it from such dependable sources as Google Play. All known versions of
June 15, 2017
This malicious program, designed for mining the Monero (XMR) cryptocurrency, was dubbed
The main module designed for mining the Monero cryptocurrency is also implemented as a library, and the Trojan contains both 32- and 64-bit versions of the miner. The respective implementation of the Trojan used on the infected computer depends on the bitness of the operating system. This module’s configuration indicates how many of the processor’s kernels and computing resources will be used for cryptocurrency mining, the intervals with which the miner will automatically restart, and other parameters. The Trojan tracks running processes on the infected computer and shuts itself down when an attempt is made to launch the Task Manager.
Despite the fact that the first mining Trojans were detected over six years ago (the signature for
June 5, 2017
The first of the two was added to the Dr.Web virus databases under the name
The other Trojan was named
A significant portion of the attacked IP addresses is located in Russia. In second place is China, and in third place—Taiwan. The below illustration shows the geographical locations from which
The Trojan uses a special range of methods to detect honeypots—special decoy servers used by digital security specialists to examine malicious software. Once launched, it connects to its command and control server and, after getting confirmation from it, runs a SOCKS proxy server on the infected device. Cybercriminals can use this Trojan to ensure that they remain anonymous online.
Both of these Trojans are successfully detected and removed by Dr.Web products for Linux, and, therefore, they pose no threat to our users.
May 25, 2017
Doctor Web security researchers registered the first attacks of this Trojan from the
All the scripts included in
One of the
The danger of
Doctor Web’s specialists have collected statistics on the unique IP addresses of devices infected with
Doctor Web security researchers are familiar with several modifications of
May 17, 2017
The malware, known as WannaCry, is a network worm that infects computers running Microsoft Windows without any user involvement. Dr.Web Anti-virus detects all the worm’s components as
Once launched, the worm attempts to send a request to the remote server whose domain is stored inside the Trojan. If a response to this request is received, the worm shuts itself down. Some media sources have reported that the WannaCry outbreak was stopped once this domain was registered: up to the moment the Trojan started being spread, the domain was available due to a mistake made by the cybercriminals. In reality, the analysis of the Trojan shows that it will operate and infect computers that are connected to a local network but have no Internet connection. Thus, it is too early to talk about the epidemic being over.
After being launched, the Trojan registers itself as a system service named mssecsvc2.0. In addition, the worm is sensitive to command line parameters: if an argument is indicated, it attempts to enable an automatic restart of the service in case an error occurs. Within 24 hours after it is launched as a system service, the worm automatically shuts itself down.
After successfully starting up on an infected machine, the worm starts checking for servers that it can access in the infected machine’s local network and for computers on the Internet that have random IP addresses. It tries to connect to port 445. If the connection is successfully established, the worm attempts to infect these computers using a vulnerability in the SMB protocol.
A dropper is a component designed to install a malicious executable file into an operating system. WannaCry’s dropper contains a massive password-protected ZIP archive, which contains an encrypted file with a Trojan encoder, Windows Desktop wallpaper containing the cybercriminals’ demands, a file containing the addresses of onion servers and the name of a wallet for Bitcoin transactions, and also an archive containing programs for operating in the Tor network. The dropper is launched from the worm’s body, installs itself in the system, and then attempts to launch its copy as a randomly named system service. If this attempt is unsuccessful, it is executed as an ordinary program. The dropper’s main task is to save the contents of the archive on the disk and launch the encryptor.
A ransomware Trojan
The Trojan contains the author’s decoder, which deletes shadow copies on the infected computer and disables the system restore function. It changes the Windows Desktop wallpaper to a graphic file that reads as follows:
Then it unpacks the applications it uses to operate with the Tor network (or downloads them from the Web) and connects to onion servers, the addresses of which are indicated in the Trojan’s configuration. From there it receives the name of the wallet accepting Bitcoin electronic currency and writes it into the configuration. To exchange data with the onion servers,
The decoder permits the decryption of several test files, the list of which is stored in the file f.wnry. The private key needed to decrypt them is stored in one of the malicious program’s components. So it is possible to decrypt them even without using the Trojan. However, the test files and all the other files are decrypted with different keys. Therefore, there is no guarantee that the data corrupted by the encoder can be restored successfully, even if a ransom is paid.
Unfortunately, at present it is impossible to decrypt files encoded by
Signs of infection
The hallmark signs of a WannaCry infection are:
- The presence of the mssecsvc2.0 system service (visible name—”Microsoft Security Center (2.0) Service”);
- The presence of the Trojan encoder file C:\WINDOWS\tasksche.exe; the previous sample of the malicious program is stored in the file C:\WINDOWS\qeriuwjhrf.
What to do in case of infection
- To prevent the further spread of infection, isolate infected machines and PCs containing valuable data from computer networks;
- Save a backup copy of the information on separate storages that must thereafter remain disconnected from any computers.
This link will take you to a description of the worm.
May 15, 2017
The very first modification of the Trojan known to Dr.Web (Wanna Decryptor 1.0) was analyzed in Doctor Web’s laboratory on March 27, 2017, at 07:20 a.m. and was added to virus databases at 11:51 a.m., later that same day.
Trojan.Encoder.11432, which is also known as WannaCry, started actively spreading on Friday evening, and by the weekend it had infected computers of large organizations all over the world.
Doctor Web obtained its sample on May 12 at 10:45 a.m. and added it to the Dr.Web virus databases.
Before it was added to the database, Dr.Web had detected the Trojan as BACKDOOR.Trojan.
The Trojan itself is a multi-component encoder named Trojan.Encoder.11432. It includes the following four components: a network worm, an encoder dropper, an encoder and the author’s encoder.
Trojan.Encoder.11432 encrypts files on an infected computer and demands a ransom for their decryption. The money must be transferred to the specified e-wallets in Bitcoin cryptocurrency.
The mass proliferation of the Trojan is being caused by a vulnerability in the SMB protocol. All Windows operating systems older than version 10 are subject to this vulnerability. Trojan.Encoder.11432 didn’t pose any threat to our users from the moment it started spreading.
To eliminate any chance of your computers getting infected with this Trojan, we recommend that you do the following:
- Install the MS17-010 update for your operating system, which is available at technet.microsoft.com/en-us/library/security/ms17-010.aspx, and all current security updates;
- Update the Anti-virus;
- Close attacked network ports (139, 445), using the firewall;
- Disable the attacked and vulnerable service of the operating system;
- Forbid the installation and running of new software (executable files);
- Remove excessive user rights (rights for launching and installing new software);
- Delete unnecessary services in the system;
- Forbid access to the Tor network.
May 12, 2017
The Trojan backdoor has been added to the Dr.Web virus databases under the name
The Trojan stores encrypted information in its own file. This information determines whether
- Name and version of the operating system;
- User name;
- Availability of root privileges;
- MAC addresses of all available network interfaces;
- IP addresses of all available network interfaces;
- External IP address;
- CPU type;
- RAM amount;
- Data about the malware version and its configuration.
The Trojan has its own file manager, which allows cybercriminals to execute various actions with files and folders on the infected computer. The backdoor can execute the following commands:
- Receive a list of the contents of a specified directory;
- Read a file;
- Write to a file;
- Get the contents of a file;
- Delete a file or folder;
- Rename a file or folder;
- Change the privileges for a file or folder (chmod command);
- Change the owner of a file object (chown command);
- Create a folder;
- Execute a command in the bash shell;
- Update the Trojan;
- Reinstall the Trojan;
- Change the command and control server’s IP address;
- Install a plug-in.
May 4, 2017
Recently, in the official “Doctor Web” group on the “VK” social network, messages appeared from anonymous users offering the option to download free license keys for the Dr.Web Anti-virus. Usually such messages contain a short link to RGhost file hosting. If a potential victim follows it, they will be asked if they want to download a 26 KB RAR archive. Naturally, moderators of the Doctor Web group try to delete such messages as quickly as possible, but sometimes they are not quick enough to remove them right after they are published.
The archive contains a small executable file that has an icon of a simple text document. All the examined samples of this application reveal that it is the same backdoor, but the cybercriminals have repacked the malicious program each time before publishing it online in order to avoid signature detection. As a result, the Trojan, named
After launch, the backdoor connects to its command and control (C&C) server and sends information about the infected computer, the serial number of a hard drive, the version and bitness of the installed operating system, the name of the computer, the name of the manufacturer, the version of the anti-virus, if present, and the availability of a connected webcam. The Trojan can execute the following commands of cybercriminals:
- Replace the Windows Desktop wallpaper;
- Turn off or restart the computer;
- Output a system message with the specified text on the screen;
- Swap the functions of mouse keys;
- Play a specific phrase using a voice synthesizer and speakers;
- Hide and then restore the Windows taskbar;
- Open or close the optical disc drive;
- Turn a display on and off;
- Open the specified link in a browser;
- Read, install or remove the specified value of the system registry;
- Receive a screenshot and send it to the C&C server;
- Download and launch the specified executable file;
- Refresh or remove the Trojan’s executable file;
One of the most dangerous functions of the backdoor is an embedded keylogger that records pressed keys. Upon command, this data is downloaded on the cybercriminals’ server. In addition, the Trojan is able to unexpectedly display on the infected computer SWF videos containing frightening images.
Doctor Web’s specialists note that such malicious programs, whose main purpose is to frighten or confuse users, are quite rare these days. The majority of Trojans are aimed at making a profit, and secondary school age children are the ones most likely to distribute viruses in order to frighten users just for “fun”.
Conventional wisdom says that there is no such thing as a free lunch, so all the different kinds of offers users come across to download license keys for commercial software are fraud anyway. Doctor Web advises users to be vigilant and not fall for such provocations.
April 20, 2017
Most modern Trojans execute either only one function or several simultaneously with one function dominating. Multi-purpose malicious programs are quite rare.
Once launched on an attacked computer,
A representative of banking Trojan family designed to steal private information and money from user bank accounts.
The Trojan connects with a command and control server to receive such commands as:
- Launch a file from the temporary folder on the disk of the infected computer;
- Self inject in a running process;
- Delete the specified file;
- Launch the specified executable file;
- Save the SQLite database used by Google Chrome and send it to the cybercriminals;
- Change the command and control server to the one specified;
- Delete cookies;
- Restart the operating system;
- Turn off the computer.
The signature for
April 20, 2017
This vulnerability has been detected in Microsoft Word. Cybercriminals have developed an active exploit for this application, and it has been added to the Dr.Web virus database as
This exploit is implemented as a Microsoft Word document with the DOCX extension. Once this document is opened, another file called doc.doc is loaded. It contains an embedded HTA script, detected by Dr.Web as
Currently, cybercriminals use this mechanism to install
Dr.Web successfully detects and removes files containing
April 17, 2017
The traditional approach of cybercriminals engaged in so-called fixed matches is quite simple: they create a special website that offers for sale “reliable and verified information on the results of sporting events”. Later, buyers can use this information to make supposedly sure-win bets at bookmaker's offices. The creators of such websites represent themselves as retired coaches and sports analysts. In fact, while one segment of paying customers gets one forecast, another segment gets one that’s the exact opposite. If one of the victims complains, cybercriminals offer them their next forecast for free as compensation for their loss.
Recently cybercriminals have made some changes to this scheme. They are still creating websites to attract customers and public pages on social networks, but as a way of proving the quality of their services, they tell customers to download a password-protected, self-unpacking RAR archive that supposedly contains text files showing the match results of an event. Cybercriminals send the password for this archive after the match is finished. This is supposed to give users a chance to compare the predicted outcome with the real one.
Instead of the archive, cybercriminals send their victims their own program, one that fully imitates the interface and behaviour of an SFX archive created with WinRAR. This program has been added to the Dr.Web virus databases under the name
This fake “archive” contains the template of a text file that, with the help of a special algorithm, inserts the required match results which depend on what password is entered by the user. Thus, when the match is finished, the only thing that cybercriminals have to do is to send their victim the appropriate password, and the text file with the correct result will be “extracted” from the “archive” (in reality, the Trojan will generate it on the basis of the template).
There is also an alternative version of this fraudulent scheme—cybercriminals send their victims a password-protected Microsoft Excel file containing a special macro. This macro uses the same method to insert the required result, depending on what password is entered.
Doctor Web reminds users that all the various and sundry predictions criminals are making about match results is a type of fraud that any user can fall victim to. Do not trust websites offering you the chance to make a fortune using insider information to place bets, even if the promises of the cybercriminals involved look very convincing.
April 13, 2017
The mass mailing of malicious attachments is one of the most popular Trojan distribution methods. Cybercriminals try to compose a message in a manner that will make the recipient open the attached file which subsequently infects their computer.
Over the past few days, emails with the subject header “Made the payment” have been distributed on behalf of a certain LLC Globalniye Sistemy (“Global Systems”). These letters contain the following text (the author’s syntax and spelling have been preserved):
We made the payment on April, 6, but for some reason we haven’t received an answer from you.
We hereby request to process the payment as soon as possible and provide the services because time is an issue for us.
The copy of the billing statement and other documents are in the attached archive.
Please, check the details of the billing statement. Perhaps there has been a mistake that caused the failure in delivery of our payment. It could be the reason for the delay.
LLC Globalniye Sistemy
The email has an attached archive called “Billing from LLC Globalniye Sistemy April 6 2017.JPG.zip” that is more than 4 MB in size. It contains an executable file with the extension .JPG[several dozen spaces].exe which was added to the Dr.Web virus database under the name
The application is a packed container that was created using the capabilities of the Autoit language. On launch the program checks whether it is running as the sole copy, and then saves a library to a disk in order to bypass User Accounts Control (UAC) on 32-bit and 64-bit versions of Windows and some other files. Then
One of the components launched by
Another component of the Trojan, xservice.bin, which is also an encrypted Autoit container, extracts two executable files on a disk. These programs are 32-bit and 64-bit versions of the Mimikatz tool, which is designed to intercept passwords of open Windows sessions. xservice.bin can be launched with different keys. They influence the actions this file performs on infected computers.
|-help||display possible keys (support information is displayed in unknown encoding)|
|-screen||makes a screenshot, saves it as a file called Screen(<HOURS>_<MINUTES>).jpg (<HOURS>_<MINUTES> stands for the current time) and sets file attributes to “hidden” and “system”|
|-wallpaper <path>||changes wallpaper to the one indicated in the parameter <path>|
|-opencd||opens CD drive|
|-closecd||closes CD drive|
|-offdesktop||prints to the console the following text: “Not working =(”|
|-ondesktop||prints to the console the following text: “Not working =(”|
|-rdp||RDP launch (look below)|
|-getip||receives IP address of the infected computer using the following website: http://ident.me/|
|-msg <type> <title> <msg>||creates a dialog of the given type (err, notice, qst, inf) with a specified header and text|
|-banurl <url>||adds to the file %windir%\System32\drivers\etc\hosts the following string: “127.0.0.1 <url>”, where <url> is a command argument|
This application also activates a keylogger that records to the file any information about the keys pressed by a user. It also takes a screenshot at the moment of launch.
The Trojan gives criminals access to the infected device via RDP (Remote Desktop Protocol). For this purpose, it downloads a program called Rdpwrap from the Github server and installs it with parameters that allow it to run in the hidden mode. Dr.Web Anti-virus detects it as Program.Rdpwrap. Then
The signature for
April 10, 2017
Services that organize access to paid content using WAP-click are provided by many network providers. They actively use numerous partner programs that allow website owners to monetize mobile traffic. For example, MegaFon announced a new WAP-click technology in 2012. The provider marketed it as a service “that allows MegaFon subscribers to purchase audio, video and graphic files under a simplified procedure on websites belonging to the company’s partners and to use services that do not require loading”.
This technology is simple: a mobile web user is redirected to a webpage containing a message advising them that they must pay to access the requested content. The webpage is equipped with a button that subscribes the user to the paid service when they click on it.
Soon this service became a matter of discussion both among users and on the pages of online media: in particular, WAP-click has been mentioned by VC.RU, Apple Insider and many others. One of the users even prepared a petition, demanding that network providers ensure that paid subscriptions are confirmed via SMS.
And, the subscription is available for all of the users in the mobile provider’s network. Owners of USB modems have also fallen victim to unauthorized subscriptions and search for solutions to this problem on their own: some of the solutions are described in detail on such websites as http://vsyako.blogspot.ru/2014/06/podpiski.html and https://антиподписки.рф. For Windows users, one of the suggested methods of combating paid subscriptions is by making the corresponding changes in the hosts file. Initially the recommendations suggested limiting access to wap.megafonpro.ru, the website through which subscriptions are processed. Perhaps, this method was effective for a while, but later it was discovered that MegaFon owns a number of other domains with the same functionality:
|126.96.36.199||moy-m-portal.ru||ns1.misp.ru||North-West Branch of PJSC "MegaFon"||2016-04-07T15:00:38Z|
|188.8.131.52||propodpiski.ru||ns1.misp.ru||North-West Branch of PJSC "MegaFon"||2016-05-10T11:39:21Z|
|184.108.40.206||mfprovas.ru||ns1.misp.ru||North-West Branch of PJSC "MegaFon"||2016-05-10T11:39:22Z|
|220.127.116.11||vasmfpro.ru||ns1.misp.ru||North-West Branch of PJSC "MegaFon"||2016-05-10T11:39:22Z|
|18.104.22.168||propodpiskimf.ru||ns1.misp.ru||North-West Branch of PJSC "MegaFon"||2016-05-10T11:39:23Z|
|22.214.171.124||promfvas.ru||ns1.misp.ru||North-West Branch of PJSC "MegaFon"||2016-05-10T11:39:23Z|
|126.96.36.199||vasmpro.ru||ns1.misp.ru||North-West Branch of PJSC "MegaFon"||2016-05-10T11:39:24Z|
Let’s review a real example of WAP-click technology at work. Doctor Web specialists conducted an experiment that reflects their experience using MegaFon’s mobile Internet. Let’s assume that on the eve of the summer growing season a user intends to plant onions in their vegetable garden. Naturally, the best way to do this is according to the instructions our gardener found via a Google search. The search request “how and when to plant onions” pulled up a link that seemed to meet the user’s needs.
A special script is embedded in the HTML code of the website the link leads to. This script identifies the user’s network provider. In our example, all the following actions are performed only for MegaFon subscribers.
When attempting to go to this web resource, a chain of automatic redirections is executed. It consists of at least 5-7 intermediates. This chain ends on an online subscription site belonging to MegaFon, according to data provided by WHOIS.
Information on the subscription service page clearly warns that the user must pay 30 rubles per day to access the website they need. The payment to view the web resource is explained by the presence of “articles and news intended for personal use”. However, in some cases, for example, on devices with high-screen resolution (a tablet or computer with a connected USB modem), this important warning becomes less noticeable. The visitor may simply miss this text in small print.
Even if the user agrees to the proposed terms and conditions, they will not see information on onions anyway. After clicking the subscription button, they will be redirected to infonews24.ru via another chain of redirections. This web resource belongs to LLC Informpartnyor (http://informpartner.com). The user will then receive an SMS notifying them that they subscribed to the paid service successfully. It’s worth noting as an aside that owners of USB modems that don’t support SMS notifications will not get a message telling them they have successfully signed up for a service—they will only find out about it when they get the bill from their network provider.
From the moment the subscription button is clicked, the user’s account is charged 30 rubles daily, even if they have not visited the paid website, used the Internet or even turned on the phone.
It is not that easy to unsubscribe from paid access to web resources. For several days, our specialists sent USSD requests from a mobile device in order to determine the presence of paid content services. However, the SMS replies from MegaFon stated that the given subscriber number had no active subscriptions.
We have observed the exact same result in the “Dashboard” of a MegaFon user, regardless of whether we logged in with a mobile device or via a desktop, and on the special website http://podpiski.megafon.ru: no mention was made about paid access to web resources. In our case, subscription information appeared in the “Dashboard” only several days later. In the interim period, the subscription fee was charged daily.
MegaFon itself offers its users a special content account designed specifically for the debiting of subscription payments. This account eliminates any chance of spending money from the user’s main account. To get this free service, users must contact the technical support service or visit the provider’s office.
There is also an alternative method of avoiding WAP-click subscriptions—MegaFon suggests sending the special request “УСТЗАПРЕТ1” (“USTZAPRET1”) to its service number. However, it should be noted that this ban on subscriptions is valid only for 90 days, after which a MegaFon user can once again accidentally subscribe to some paid service.
If you notice that funds are regularly being debited from your mobile account, you should absolutely check whether you are being charged for any paid subscriptions. It is also recommended that you connect a content account in order to keep the funds in your main account with the mobile network provider secure. Doctor Web advises you to be alert when using mobile Internet, and in case you discover you have accidentally subscribed to some paid services, it is recommended that you cancel them as soon as possible—on your own or by contacting your network provider’s support service.
March 17, 2017
Warning!!! All your files are encrypted with AESalgorithm! For decrypt use this instructions: Download tor browser Run tor and go to: http://vejtqvliimdv66dh.onion Or you can use tor2web services http://vejtqvliimdv66dh.onion.to in log panel enter your id (CRPTksrjghkrkwkrjthkewVM) follow next instructions if server is down, try connect later locker version 3.0.0
The id parameter can assume various values on different infected computers.
If you have fallen victim to this malicious program, follow the recommendations below:
- do not remove any files from your computer or reinstall the operating system. It is also not recommended to use the infected computer until you get detailed instructions from Doctor Web’s technical support;
- if you have run an anti-virus scan, do not try to cure or remove the threats that were detected—our technical support specialists may need them during their search for a decryption key;
- try to remember as much about the circumstances of the infection as possible: this can involve receiving dubious email messages, downloading programs from the Web, or visiting websites;
- if you have the email message containing the attachment that infected your computer after you opened it, do not remove it—our specialists may need it to identify which version of the Trojan is involved.
To decrypt files corrupted by
Once again, we would like to point out that our free decryption service is only available to users who have purchased commercial licenses for Dr.Web products. Doctor Web cannot guarantee that all of your files will be decrypted successfully. However, our specialists will do their best to recover the encrypted data.
March 3, 2017
Doctor Web specialists examined an on-screen keyboard app called TouchPal. Mobile device owners can use it instead of the standard one. It does indeed work as stated but contains an unwanted advertising module. In keeping with the Dr.Web classification system, the module was named
This plug-in displays several types of ads. For example, on the home screen it creates widgets that can’t be deleted until the device owner clicks on them. When the widget is clicked on,
Despite the fact that TouchPal itself is not a malicious program, the unwanted module within it—
February 13, 2017
This malicious program, which is based on the source code of another banking Trojan—Zeus (
Worth highlighting is the unique way in which the Trojan automatically launches itself on an infected machine:
Dr.Web successfully detects and removes
February 6, 2017
The new malicious program was dubbed
If the Trojan successfully connects to the attacked node via any of the available protocols, it executes the indicated sequence of commands. The only exception is a connection via RDP protocol: in this case, none of the instructions are executed. Besides that, while connecting to the Linux device via Telnet protocol, it downloads a binary file on the compromised device, and this file subsequently downloads and launches
January 24, 2017
The Trojan, used by cybercriminals to infect numerous Linux network devices, has been named
A script is generated with the help of this list, and it runs on the infected devices using sshpass. It infects the attacked system with
Besides that, the server belonging to the cybercriminals who distribute
To connect to a proxy server that is launched using
To protect devices from
January 13, 2017
The worm, named
After infecting a computer running Windows,
If access is obtained, the worm establishes the VNC connection and sends keystroke signals, using them to run the CMD command interpreter and execute the code for launching its copy over the FTP protocol. This is how the worm replicates itself.
One more function of
In addition, the Trojan copies itself to the ICQ client folder together with folders of programs designed to establish P2P connections. Once
The existence of samples of a previous version of
December 16, 2016
If the Trojan does not find anything suspicious, it saves the file 1.zip on the disk.
The picture above shows a non-standard Microsoft Windows “save” dialog box: in the bottom-left corner, you can see the link “Additional settings”. When the link is clicked,
If the user clicks “Save”,
Among the applications
While TrayCalendar is being copied to the disk, the Trojan saves and installs an extension for Google Chrome. The most notable feature of
Dr.Web Anti-virus successfully detects and removes all the Trojans mentioned above. Therefore, they do not pose any threat to our users.
December 12, 2016
One of these Trojans, dubbed
- MegaFon Login 4 LTE
- Irbis TZ85
- Irbis TX97
- Irbis TZ43
- Bravis NB85
- Bravis NB105
- SUPRA M72KG
- SUPRA M729G
- SUPRA V2N10
- Pixus Touch 7.85 3G
- Itell K3300
- General Satellite GS700
- Digma Plane 9.7 3G
- Nomi C07000
- Prestigio MultiPad Wize 3021 3G
- Prestigio MultiPad PMT5001 3G
- Optima 10.1 3G TT1040MG
- Marshal ME-711
- 7 MID
- Explay Imperium 8
- Perfeo 9032_3G
- Ritmix RMD-1121
- Oysters T72HM 3G
- Irbis tz70
- Irbis tz56
- Jeka JK103
However, the number of infected Android devices can be, in fact, even bigger.
The Trojan can download not only benign applications but also malware and unwanted ones. For example,
On various forums, Android users note that even if they delete H5GameCenter, it is soon installed on the system once again. It happens because
Another Trojan found on the devices Lenovo A319 and Lenovo A6000 was named
The payload of
- Download an APK file and try to install it by obtaining the confirmation from a user.
- Run an installed application.
- Open the specified link in a browser.
- Make a phone call on a certain number by using a standard system application.
- Run a standard system phone application in which a specified number is already dialed.
- Show advertisement on top of all applications.
- Display advertisements in the status bar.
- Create a shortcut on the home screen.
- Update a main malicious module.
It is known that cybercriminals generate their income by increasing application download statistics and by distributing advertising software. Therefore,
Doctor Web has already informed smartphone manufacturers about this incident. Users of the infected devices are recommended to contact technical support specialists to get the updated system software as soon as it is ready.
Dr.Web for Android detects
December 9, 2016
The Trojan, dubbed
First, other malicious programs download and run
Dr.Web for Android successfully detects all the known Trojans belonging to the
November 17, 2016
Now we will briefly focus on some technical features of
The Trojan’s resources contain the window “About the Bot project” which is not displayed while the backdoor is in operation—the virus makers probably forgot to remove it when they copied the code. The window has the string “Copyright © 2015”; however, the current version was compiled on April 21, 2016.
Once launched, the Trojan checks whether the configuration file is present; if not, it creates one.
- A received command can be executed using the command interpreter cmd;
- A file can be downloaded from a specified link and saved to a certain folder on a computer;
- A list of folder content can be generated and sent to the C&C server;
- A screenshot can be taken and sent to the C&C server;
- A file can be loaded to a specified server over the FTP protocol;
- A file can be loaded to a specified server over the HTTP protocol.
Doctor Web specialists have determined that some of
- Get a list of files and folders using the specified path;
- Delete particular files;
- Shut down certain processes;
- Copy the specified files;
- Send a list of running processes and information on the current operating system and disks of the infected computer the C&C server;
- Terminate itself.
The second Trojan—
The signatures for these Trojans are already in the Dr.Web databases and do not pose any threat to our users.
November 14, 2016
The Trojan is being actively promoted on underground forums. Its creators claim that a botnet consisting of 100 infected computers is capable of generating up to 20,000-25,000 requests per second with a peak value of 30,000. As proof, they show a diagram of a test attack on the NGNIX http server:
Currently, 314 active connections are registered on one of the IRC channels controlling the
The signature for