Real-time threat news
September 12, 2017
The Trojan at issue is
Doctor Web virus analysts have discovered that cybercriminals are using
Subject: Kendra asked if you like hipster girls
A new girl is waiting to meet you. And she is a hottie! Go here to see if you want to date this hottie (Copy and paste the link to your browser) http://whi*******today.com/ check out sexy dating profiles There are a LOT of hotties waiting to meet you if we are being honest!
According to Doctor Web’s statistics, a device infected with
The number of unique IP addresses of infected devices is shown in the following diagram. It is worth mentioning that the figure shows only the number of bots monitored by Doctor Web analysts. The actual number of infected devices may be higher.
The below illustration shows the geographical locations from which
We can presume that the range of functions implemented by Linux Trojans will be expanded in the future. The Internet of things has long been a focal point for cybercriminals. The wide distribution of malicious Linux programs capable of infecting devices possessing various hardware architectures serves as proof of that.
August 24, 2017
Virus analysts have been familiar with Trojans of the
In addition to the loader for ARM devices, similar modules for devices with the MIPS and MIPSEL architectures have been distributed “in the wild” for over six months already. The first of them is
Statistics collected by Doctor Web specialists show that Mexico ranks first among the countries to which the IP addresses of the devices infected by
The following diagram shows the number of attacks carried out for the purpose of distributing
Doctor Web reminds users that one of the most reliable ways to prevent attacks on Linux devices is to promptly change the default login and password. It is also recommended that users restrict external connections to their devices via the Telnet and SSH protocols and update their firmware in a timely manner. Dr.Web for Linux detects and deletes all the aforementioned versions of
August 21, 2017
Miner Trojans appear regularly, and Doctor Web’s virus analysts have noted a curious trend: the creators of these programs are now targeting the Linux platform. Of late, smart devices running Linux have become very popular, and the owners of such devices are not changing the default settings, most notably the administrator login and password. This is why hacking into such devices is not a major problem for cybercriminals.
An analysis of the miner loader has revealed a peculiar feature of this app: in its source code, krebsonsecurity.com is mentioned several times. This website is owned by the well-known cybersecurity expert Brian Krebs. Apparently, the author of the Trojan is his secret admirer.
The Trojan is designed to mine Monero (XMR), a cryptocurrency created in 2014. Currently
August 17, 2017
The Domain Name System (DNS) allows information about domains to be obtained and provides for web addressing. Client software, browsers in particular, use DNS to determine the IP address of a web resource according to the input URL. Usually, domain owners themselves administer DNS servers.
Many web resources use several additional third-level and even fourth-level domains besides the main second-level domain. For example, the drweb.com domain uses the vms.drweb.ru subdomains. They contain a website that allows users to check a link or a file or to find a virus description. The domain free.drweb.ru is for the webpage of Dr.Web CureIt!; updates.drweb.com is for the Dr.Web update system page, etc. Various technical and support services are usually implemented with the use of such domains. Such services include a website administration and management system, online banking systems, mail server web interfaces and all kinds of internal websites for company staff. Subdomains can also be used to organize version control systems, bug trackers, various monitoring services, wiki resources and other needs.
When attacking websites for the purpose of compromising them, cybercriminals first collect information about the web resources they are targeting. In particular, they attempt to determine the type and version of the web server hosting a website. They also try to identify the content management system version, the engine’s programming language and other technical information, including the list of subdomains of the attacked website’s main domain. Using this list, cybercriminals can try to get into the web resource’s infrastructure through a “back door” by guessing account credentials and logging into one of the internal private services. Many system administrators do not pay due attention to the security of such resources. Meanwhile, such “internal” websites may use outdated software containing known vulnerabilities, expose debugging information, or allow open registration. All of this can significantly simplify the work of cybercriminals.
If the DNS servers serving a website are configured correctly, cybercriminals will not be able to obtain the domain zone information they request. However, if the DNS server settings are incorrect, a special AXFR request (a zone transfer) allows cybercriminals to obtain full data on the subdomains registered in the domain zone. Incorrect DNS server settings are not a vulnerability in themselves; however, they can be the indirect cause of a web resource becoming compromised.
Doctor Web security analysts conducted research on the DNS server configurations of numerous Russian banks and governmental organizations. They found that 89 of the roughly 1,000 Russian bank domains they checked gave out the domain zone in response to external AXFR requests. This information was sent to the Bank of Russia’s Financial Sector Computer Emergency Response Team (FinCERT). In addition, incorrect settings were detected on the websites of several governmental organizations. Doctor Web reminds website administrators that correct DNS configuration is one factor contributing to web resource security.
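Administrators can test their own authoritative servers for the misconfiguration described above. The following Python script is an added example (not Doctor Web’s tooling): it builds the AXFR question by hand with only the standard library, sends it over TCP, and reads the first response message, which is enough to distinguish a refused transfer from a leaked zone. The domain and nameserver address are caller-supplied arguments.

```python
import socket
import struct

QTYPE_AXFR = 252  # full zone transfer
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(domain: str) -> bytes:
    """Encode a domain name as DNS labels: length byte + label, terminated by 0x00."""
    labels = [l for l in domain.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(domain: str, txid: int = 0x1234) -> bytes:
    """Build a DNS message asking for a zone transfer (QTYPE AXFR) of `domain`."""
    # Header: ID, flags (plain query, nothing set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(domain) + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def classify_response(msg: bytes) -> tuple:
    """Return (rcode_name, answer_count) from the header of a DNS response.

    A server that refuses the transfer answers REFUSED (5) or NOTAUTH (9) with no
    answer records; a server that hands out the zone answers NOERROR with the SOA
    record as the first of one or more answers.
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}"), ancount


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the DNS message was complete")
        buf += chunk
    return buf


def zone_transfer_allowed(domain: str, nameserver: str, timeout: float = 5.0) -> tuple:
    """Ask `nameserver` (one of the domain's own authoritative servers) for an AXFR
    of `domain` over TCP. Returns (allowed, rcode_name, answer_count); only the first
    response message is read, which suffices to tell accepted from refused."""
    query = build_axfr_query(domain)
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        # DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)
        sock.sendall(struct.pack(">H", len(query)) + query)
        (length,) = struct.unpack(">H", _recv_exact(sock, 2))
        first_message = _recv_exact(sock, length)
    rcode, answers = classify_response(first_message)
    return rcode == "NOERROR" and answers > 0, rcode, answers


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: axfr_check.py <domain> <authoritative-nameserver-ip>")
    allowed, rcode, answers = zone_transfer_allowed(sys.argv[1], sys.argv[2])
    verdict = "zone handed out: restrict allow-transfer" if allowed else "transfer refused"
    print(f"{sys.argv[1]} @ {sys.argv[2]}: {rcode}, {answers} answer RR(s) -> {verdict}")
```

The same check from the command line is `dig axfr <domain> @<nameserver>`; on BIND the fix is an `allow-transfer` list naming only the zone’s secondary servers.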
August 2, 2017
Apparently, to distribute the scam mailing, cybercriminals are using the contact database of domain administrators registered with RU-CENTER. The cybercriminals refer to certain changes in the ICANN rules and ask the domain administrator to create a PHP file with specified contents in the website’s root directory. Creating this file is supposed to confirm the email recipient’s right to use the domain. The email itself carries the RU-CENTER logo and is sent supposedly on its behalf.
The file the recipient is asked to save in the root directory contains a command that executes arbitrary code passed in a variable. Cybercriminals can send this code to the script hosted on the server in a GET or POST request. Doctor Web specialists warn that complying with the cybercriminals’ demands will lead to the website being compromised. If you receive such an email, ignore it. If you believe that the email’s sender really is the domain name registrar, check this information with the registrar’s technical support service.
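Web administrators who want to check whether a file of the kind described has already been dropped into a document root can use a scanner like the added Python example below (constructed for this article, not a Doctor Web tool). It flags PHP files in which request parameters reach eval() or a command-execution function, either directly or through one intermediate variable; the sample files inside it are constructed, and the file names are placeholders.

```python
import os
import re
from typing import Dict, List

# Request superglobals under the sender's control, and PHP functions that turn a string
# into code or a shell command. Both lists are deliberately short; extend them as needed.
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
CODE_SINK = r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)\b"

# Sink fed straight from request input, optionally through base64_decode(): eval($_POST["x"])
DIRECT_RE = re.compile(CODE_SINK + r"\s*\(\s*(?:base64_decode\s*\(\s*)?" + REQUEST_INPUT, re.I)
# Request input copied into a variable first: $code = $_POST["x"];
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*(?:base64_decode\s*\(\s*)?" + REQUEST_INPUT, re.I)
# ... and that variable later handed to a sink: eval($code);
SINK_RE = re.compile(CODE_SINK + r"\s*\(\s*(\$\w+)", re.I)


def scan_php_source(path: str, source: str) -> List[Dict[str, object]]:
    """Return one finding per line where request input reaches a code/command sink."""
    findings: List[Dict[str, object]] = []
    tainted: Dict[str, int] = {}  # variable name -> line where it received request input
    for lineno, line in enumerate(source.splitlines(), 1):
        if DIRECT_RE.search(line):
            findings.append({"file": path, "line": lineno,
                             "reason": "request input passed directly into a code/command sink",
                             "code": line.strip()})
            continue
        for m in ASSIGN_RE.finditer(line):
            tainted[m.group(1)] = lineno
        for m in SINK_RE.finditer(line):
            var = m.group(1)
            if var in tainted:
                findings.append({"file": path, "line": lineno,
                                 "reason": f"{var} holds request input (line {tainted[var]}) "
                                           "and reaches a code/command sink",
                                 "code": line.strip()})
    return findings


def scan_webroot(root: str) -> List[Dict[str, object]]:
    """Walk a document root and scan every PHP file; unreadable files are skipped."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_php_source(full, fh.read()))
            except OSError:
                continue
    return findings


# Constructed samples (not the real attachment): the shape of the "verification" file the
# fraudulent mailing asks for, and a benign script that merely echoes a request parameter.
SUSPICIOUS_SAMPLE = """<?php
// "domain verification" file of the kind described in the fraudulent mailing
$token = $_POST['verification'];
eval($token);
"""

BENIGN_SAMPLE = """<?php
$q = $_GET['q'];
echo htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        results = scan_webroot(sys.argv[1])
    else:
        results = (scan_php_source("verify.php", SUSPICIOUS_SAMPLE)
                   + scan_php_source("search.php", BENIGN_SAMPLE))
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['reason']}\n    {f['code']}")
```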
July 27, 2017
Unlike other Trojans of this family that try to get root privileges to perform malicious actions,
After the initialization, the malicious program sets up some parameters, creates a working directory, and checks in what environment it is running. If the Trojan is in the Dalvik environment, it intercepts one of the system methods, which allows it to track the start of all applications and perform malicious activity immediately after they start.
The main function of
As a result,
July 24, 2017
Doctor Web first reported
Recent research results have shown that an ePrica component was downloading and launching the Trojan onto targeted systems. Drugstore managers use this software component to analyze drug prices and choose the best suppliers. This module downloaded the
A further analysis of the application showed that
The module runmod.exe launches these plugins: when the server commands it to, it decrypts them and loads them into memory. They then copy database information, which is sent to a remote server. This application component is signed with the certificate of “Protek”, a group of companies that includes “Spargo Tekhnologii”, ePrica’s developer.
It is important to note that even after ePrica is removed, the backdoor stays in the system and continues to spy on users. It is possible that
Its installer version 126.96.36.199, in which the Trojan modules were found, was released on November 18, 2013, while some of the backdoor’s files date back to 2010. Thus, the copying of drugstore and pharmaceutical company procurement information could have started at least a year before the backdoor was first detected.
More detailed information on the ePrica installer containing
July 18, 2017
Android.BankBot.211.origin is distributed under the guise of benign programs, for example, as Adobe Flash Player. Once a user installs and launches the Trojan, the banker tries to gain access to the Accessibility Service. For this purpose, Android.BankBot.211.origin displays a window with a request that reappears at every attempt to close it and doesn’t allow the device to be used.
The Accessibility Service makes it easier to work with Android smartphones and tablets and is used in a variety of ways, including to help people with disabilities. It allows programs to independently click on different interface elements, such as buttons in dialog boxes and system menus. The Trojan forces the user to grant it these rights and uses them to independently add itself to the device administrator list. Then Android.BankBot.211.origin establishes itself as the default message manager and gains access to the screen capture function. All these actions are accompanied by a display of system requests that can be overlooked entirely because the malicious program immediately confirms them. If, at a later stage, the device owner tries to disable any function obtained by Android.BankBot.211.origin, the banker forbids it and returns the user to previous system menus.
After a successful infection, the Trojan connects to its command and control service, registers the mobile device there, and awaits further commands. Android.BankBot.211.origin can execute the following actions:
- Send an SMS containing a specific text to the number specified in the command;
- Send to the server SMS data stored in the device memory;
- Forward to the server information about the installed applications, the contact list, and phone call data;
- Open the link specified in a command;
- Change the address of the command center.
In addition, the malicious program tracks all incoming SMS and sends them to cybercriminals.
Besides the standard commands, cybercriminals can send the Trojan special orders. They contain encrypted information about the applications the banker is supposed to attack. Once Android.BankBot.211.origin receives such commands, it can:
- Display fake input forms for login credentials on top of launched banking programs;
- Display a phishing dialog asking users to input their bank card details (for example, when making a purchase on Google Play);
- Block the operation of anti-viruses and other applications that could interfere with the Trojan’s work.
Android.BankBot.211.origin can attack users of any applications. Cybercriminals just have to update the configuration file with the list of targeted programs. The banker receives this list once connected to the command and control server. When the Trojan was first observed, cybercriminals were interested only in customers of Turkish banks. However, later on the list was expanded to include residents of other countries, including Germany, Australia, Poland, France, the United Kingdom, and the USA. At the moment this news article was posted, the list of programs attacked by the Trojan contained more than 50 applications designed to operate with payment systems, remote banking services (RBS), and other software.
Examples of the fraudulent windows Android.BankBot.211.origin can display:
The Trojan also collects information about all launched applications and the user’s actions within them. For example, it tracks the available text fields and menu elements, and logs keystrokes and other user interface components.
Moreover, Android.BankBot.211.origin is capable of stealing login credentials and other authentication information input by users in any programs on any websites during authorization. To steal passwords, the Trojan takes a screenshot of every key stroke; as a result, it obtains the required sequence of characters before they are hidden. After that, the information input into the displayed fields and all the saved screenshots are sent to the command and control server.
Because Android.BankBot.211.origin prevents its own removal, the following actions must be performed in order to combat it:
- Load an infected smartphone or tablet in safe mode;
- Log into the system settings and go to the list of device administrators;
- Find the Trojan in this list and revoke the corresponding rights (here the malicious program will try to frighten the device’s owner by warning them about the possible loss of all of their important data, but this is just a trick—the files are in no danger);
- Restart the device, perform a full anti-virus scan on it, and remove the Trojan after the scanning is complete.
All known versions of Android.BankBot.211.origin are successfully detected by Dr.Web Anti-virus; therefore, this banker does not pose any threat to our users.
July 13, 2017
When the website was first compromised, and what this attack vector was used for in the past, cannot currently be determined. At least 15 domain addresses have been registered by an unknown individual. The malicious code forces the browser of any visitor to the website to covertly connect to one of them. These domains can respond with any content of their own, from a fraudulent form for entering bank card details to code that tries to exploit vulnerabilities in order to gain access to a visitor’s computer.
While a website page requested by a user is being generated dynamically, an <iframe> container is added to the website code. It allows any external data to be downloaded or requested from the user’s browser. So far, the security researchers have detected at least 15 domains, among them m3oxem1nip48.ru, m81jmqmn.ru and other addresses with deliberately meaningless names. At least five of them belong to an address range of companies registered in the Netherlands. Over the past day, requests to these domains have either failed, because the security certificates of most of these websites have expired, or returned no malicious code. However, there is nothing to prevent the domain owners from renewing the certificates at any moment and publishing malicious code on these domains.
Currently, the website gosuslugi.ru is still compromised. Information has been sent to the website’s technical support service, but it has yet to confirm that it has launched an investigation and initiated measures to prevent such incidents in the future. Doctor Web recommends that users be careful when using the Government Services Portal of the Russian Federation until the situation is resolved. Doctor Web, Ltd., recommends that the administration of the website gosuslugi.ru and the relevant authorities perform a security check on the website.
Any user can check for the code’s presence themselves by using a search tool and making the following request:
UPDATE: The potentially malicious code was removed from gosuslugi.ru after approximately 3 hours from the publication.
July 5, 2017
The malicious application, dubbed
In contrast with the standard update procedure, when an old version of an application is entirely replaced with a new one, the SDK indicated above allows needed components to be loaded separately without reinstalling the entire software package. This allows developers to keep the version of software installed on mobile devices current even if users do not keep track of the release of new versions. However, Excelliance operates as a loader Trojan because it can download and run unchecked application components. This update method violates Google Play rules because it is dangerous.
The Trojan module tracks network activity and tries to connect to its command and control server. Depending on the server settings,
Besides the application’s additional resources and updates,
Meanwhile, while the downloaded APK files are being installed, the user sees a standard dialog box; however, if
Doctor Web specialists have informed Google about the dangerous behavior of the Trojan component in SDK, which is used in the game BlazBlue. However, at the moment this news article was posted, the game version containing
Applications containing this Trojan are successfully detected by Dr.Web for Android anti-virus products as
July 4, 2017
The reports state that
Doctor Web specialists noted this registry key because Trojan.Encoder.12703 uses the same path for its operation. An analysis of the Dr.Web Anti-virus log obtained from one of our customer’s computers showed that Trojan.Encoder.12703 was launched on the infected machine by the application ProgramData\Medoc\Medoc\ezvit.exe, which is a component of M.E.Doc:
id: 425036, timestamp: 15:41:42.606, type: PsCreate (16), flags: 1 (wait: 1), cid: 1184/5796:\Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe
source context: start addr: 0x7fef06cbeb4, image: 0x7fef05e0000:\Device\HarddiskVolume3\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
created process: \Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe:1184 --> \Device\HarddiskVolume3\Windows\System32\cmd.exe:6328
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0
curdir: C:\Users\user\Desktop\, cmd: "cmd.exe" /c %temp%\wc.exe -ed BgIAAACkAABSU0ExAAgAAAEAAQCr+LiQCtQgJttD2PcKVqWiavOlEAwD/cOOzvRhZi8mvPJFSgIcsEwH8Tm4UlpOeS18o EJeJ18jAcSujh5hH1YJwAcIBnGg7tVkw9P2CfiiEj68mS1XKpy0v0lgIkPDw7eah2xX2LMLk87P75rE6 UGTrbd7TFQRKcNkC2ltgpnOmKIRMmQjdB0whF2g9o+Tfg/3Y2IICNYDnJl7U4IdVwTMpDFVE+q1l+Ad9 2ldDiHvBoiz1an9FQJMRSVfaVOXJvImGddTMZUkMo535xFGEgkjSDKZGH44phsDClwbOuA/gVJVktXvD X0ZmyXvpdH2fliUn23hQ44tKSOgFAnqNAra
status: signed_microsoft, script_vm, spc / signed_microsoft / clean
id: 425036 ==> allowed , time: 0.285438 ms
2017-Jun-27 15:41:42.626500  [INF]  [arkdll]
id: 425037, timestamp: 15:41:42.626, type: PsCreate (16), flags: 1 (wait: 1), cid: 692/2996:\Device\HarddiskVolume3\Windows\System32\csrss.exe
source context: start addr: 0x7fefcfc4c7c, image: 0x7fefcfc0000:\Device\HarddiskVolume3\Windows\System32\csrsrv.dll
created process: \Device\HarddiskVolume3\Windows\System32\csrss.exe:692 --> \Device\HarddiskVolume3\Windows\System32\conhost.exe:7144
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 0, new: 0, dbg: 0, wsl: 0
curdir: C:\windows\system32\, cmd: \??\C:\windows\system32\conhost.exe "1955116396976855329-15661177171169773728-1552245407-149017856018122784351593218185"
status: signed_microsoft, spc / signed_microsoft / clean
id: 425037 ==> allowed , time: 0.270931 ms
2017-Jun-27 15:41:43.854500  [INF]  [arkdll]
id: 425045, timestamp: 15:41:43.782, type: PsCreate (16), flags: 1 (wait: 1), cid: 1340/1612:\Device\HarddiskVolume3\Windows\System32\cmd.exe
source context: start addr: 0x4a1f90b4, image: 0x4a1f0000:\Device\HarddiskVolume3\Windows\System32\cmd.exe
created process: \Device\HarddiskVolume3\Windows\System32\cmd.exe:1340 --> \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\wc.exe:3648
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0
curdir: C:\Users\user\Desktop\, cmd: C:\Users\user\AppData\Local\Temp\wc.exe -ed BgIAAACkAABSU0ExAAgAAAEAAQCr+LiQCtQgJttD2PcKVqWiavOlEAwD/cOOzvRhZi8mvPJFSgIcsEwH8Tm4UlpOeS18oE JeJ18jAcSujh5hH1YJwAcIBnGg7tVkw9P2CfiiEj68mS1XKpy0v0lgIkPDw7eah2xX2LMLk87P75rE6U GTrbd7TFQRKcNkC2ltgpnOmKIRMmQjdB0whF2g9o+Tfg/3Y2IICNYDnJl7U4IdVwTMpDFVE+q1l+Ad92 ldDiHvBoiz1an9FQJMRSVfaVOXJvImGddTMZUkMo535xFGEgkjSDKZGH44phsDClwbOuA/gVJVktXvDX 0ZmyXvpdH2fliUn23hQ44tKSOgFAnqNAra
fileinfo: size: 3880448, easize: 0, attr: 0x2020, buildtime: 01.01.2016 02:25:26.000, ctime: 27.06.2017 15:41:42.196, atime: 27.06.2017 15:41:42.196, mtime: 27.06.2017 15:41:42.196, descr: wc, ver: 188.8.131.52, company: , oname: wc.exe
hash: 7716a209006baa90227046e998b004468af2b1d6 status: unsigned, pe32, new_pe / unsigned / unknown
id: 425045 ==> undefined , time: 54.639770 ms
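As an added detection example (not part of the Dr.Web log or Doctor Web’s tooling), the following Python parses PsCreate records of the shape shown above and flags the chain the log documents: a business application (ezvit.exe) spawning cmd.exe, which in turn starts an unsigned executable from the user’s Temp folder. The sample log inside the script is constructed to mirror the records above with consistent pids; the original’s key blob and hash are replaced by placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample modelled on the arkdll PsCreate records quoted in the article: same
# paths and record layout, but made-up pids, hash and key blob so the chain is consistent.
SAMPLE_LOG = r"""
id: 1, timestamp: 15:41:42.606, type: PsCreate (16), flags: 1 (wait: 1), cid: 1184/5796:\Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe
created process: \Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe:1184 --> \Device\HarddiskVolume3\Windows\System32\cmd.exe:1340
curdir: C:\Users\user\Desktop\, cmd: "cmd.exe" /c %temp%\wc.exe -ed <BASE64_KEY_BLOB>
status: signed_microsoft, script_vm, spc / signed_microsoft / clean
id: 1 ==> allowed , time: 0.285438 ms
id: 2, timestamp: 15:41:42.626, type: PsCreate (16), flags: 1 (wait: 1), cid: 692/2996:\Device\HarddiskVolume3\Windows\System32\csrss.exe
created process: \Device\HarddiskVolume3\Windows\System32\csrss.exe:692 --> \Device\HarddiskVolume3\Windows\System32\conhost.exe:7144
curdir: C:\windows\system32\, cmd: \??\C:\windows\system32\conhost.exe "1955116396976855329"
status: signed_microsoft, spc / signed_microsoft / clean
id: 2 ==> allowed , time: 0.270931 ms
id: 3, timestamp: 15:41:43.782, type: PsCreate (16), flags: 1 (wait: 1), cid: 1340/1612:\Device\HarddiskVolume3\Windows\System32\cmd.exe
created process: \Device\HarddiskVolume3\Windows\System32\cmd.exe:1340 --> \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\wc.exe:3648
curdir: C:\Users\user\Desktop\, cmd: C:\Users\user\AppData\Local\Temp\wc.exe -ed <BASE64_KEY_BLOB>
hash: 0000000000000000000000000000000000000000 status: unsigned, pe32, new_pe / unsigned / unknown
id: 3 ==> undefined , time: 54.639770 ms
"""

CREATED_RE = re.compile(r"^created process: (?P<parent>.+?):(?P<ppid>\d+) --> (?P<child>.+?):(?P<cpid>\d+)$")
CMD_RE = re.compile(r"^curdir: .*?, cmd: (?P<cmd>.*)$")
STATUS_RE = re.compile(r"^(?:hash: (?P<sha1>[0-9a-fA-F]+) )?status: (?P<status>.+)$")
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\|%temp%", re.IGNORECASE)


@dataclass
class ProcCreate:
    parent: str
    ppid: int
    child: str
    cpid: int
    cmd: str = ""
    status: str = ""
    sha1: str = ""


def parse_events(log_text: str) -> List[ProcCreate]:
    """Group the multi-line PsCreate records into one event per 'created process' line."""
    events: List[ProcCreate] = []
    current = None
    for line in log_text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            current = ProcCreate(m["parent"], int(m["ppid"]), m["child"], int(m["cpid"]))
            events.append(current)
            continue
        if current is None:
            continue
        m = CMD_RE.match(line)
        if m:
            current.cmd = m["cmd"]
            continue
        m = STATUS_RE.match(line)
        if m:
            current.status = m["status"]
            current.sha1 = m["sha1"] or ""
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def under_windows_dir(path: str) -> bool:
    return "\\windows\\" in path.lower()


def find_suspicious_chains(events: List[ProcCreate]) -> List[Dict[str, str]]:
    """Flag unsigned executables started from a user Temp directory via cmd.exe whose
    recorded ancestry leads back to a non-Windows binary (here the M.E.Doc component)."""
    created_by: Dict[int, ProcCreate] = {ev.cpid: ev for ev in events}
    findings: List[Dict[str, str]] = []
    for ev in events:
        if "unsigned" not in ev.status.lower() or not USER_TEMP_RE.search(ev.child):
            continue
        chain = [f"{basename(ev.child)}:{ev.cpid}"]
        ancestors: List[str] = []
        cur, seen = ev, set()
        while cur is not None and cur.ppid not in seen:  # walk parent links present in the log
            seen.add(cur.ppid)
            ancestors.append(cur.parent)
            chain.append(f"{basename(cur.parent)}:{cur.ppid}")
            cur = created_by.get(cur.ppid)
        launched_by_shell = basename(ev.parent) == "cmd.exe"
        app_in_ancestry = any(not under_windows_dir(p) for p in ancestors)
        if launched_by_shell and app_in_ancestry:
            findings.append({"chain": " -> ".join(reversed(chain)), "cmd": ev.cmd,
                             "status": ev.status, "sha1": ev.sha1})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_chains(parse_events(SAMPLE_LOG)):
        print(f"SUSPICIOUS {hit['chain']}\n  cmd: {hit['cmd']}\n  status: {hit['status']}")
```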
The file ZvitPublishedObjects.dll, which was requested from the infected machine, had the same hash as a sample examined in the Doctor Web virus laboratory. Thus, our security researchers concluded that the M.E.Doc update module, which is implemented as the dynamic library ZvitPublishedObjects.dll, contains a backdoor. Further research showed that this backdoor can execute the following functions in the infected system:
- Collect data for accessing mail servers;
- Execute arbitrary commands in the infected system;
- Load arbitrary files to the infected computer;
- Load, save and start any executable files;
- Upload arbitrary files to a remote server.
The following code fragment of the M.E.Doc update module looks rather unique—it allows the payload to be launched using the tool rundll32.exe with the parameter #1:
This is exactly how the encryption Trojan, known as NePetya, Petya.A, ExPetya and WannaCry-2 (
Reuters published an interview with the developers of M.E.Doc who stated that their application contains no malicious functions. Because of that, and also taking into account the results of a static code analysis, Doctor Web security researchers concluded that some unidentified cybercriminals infected one of M.E.Doc’s components with the malicious program. This component was added to the Dr.Web virus databases under the name
June 29, 2017
The security researchers who examined
Back in 2012, Doctor Web security researchers detected a targeted attack on drugstores and pharmaceutical companies that involved the use of a malicious program called
Doctor Web specialists conducted an investigation lasting four years. One of the affected companies provided its hard drives which had been compromised by
The similarity of these two cases shows that the software development infrastructure requires a heightened level of awareness in terms of information security. Above all, the update process for any commercial software should be closely scrutinized by both users and the developers themselves. Some update tools of different programs have the right to install and launch executable files in an operating system. This can be an unexpected source of infection. In the case of M.E.Doc, the infection was caused by cybercriminals hacking into and compromising an update server. In the case of
June 28, 2017
At the moment, it is known that the Trojan has infected computers by exploiting the same vulnerabilities exploited by cybercriminals during the WannaCry attack. The spread of
In its body, the Trojan contains four compressed resources. Two of these resources are 32-bit and 64-bit versions of the Mimikatz tool, which is designed to intercept the passwords of open Windows sessions. Depending on the operating system’s bitness, the Trojan unpacks the appropriate version of Mimikatz, saves it to a temporary folder, and runs it. Using Mimikatz and some other methods,
The encoder checks whether it has already been launched by looking for a file it saves to the C:\Windows\ folder. The file name matches the Trojan’s own file name, without the extension. Since the worm sample currently spreading is named perfc.dat, the file that prevents its launch is C:\Windows\perfc. However, if cybercriminals change the Trojan’s original name, creating the file C:\Windows\perfc (as many anti-virus developers advise) will not save a computer from infection. In addition, the Trojan checks for the file’s existence only if it has enough privileges to do so.
Once launched, the Trojan adjusts its privileges, loads a copy of itself into memory, and transfers control to that copy. Then the encoder overwrites its own file with garbage data and deletes the file. First,
The Trojan encrypts files only on the fixed drives. The data on each drive is encrypted in a separate thread. The files are encrypted using the AES-128-CBC algorithm; a separate key is created for each drive (a characteristic feature of the Trojan that has not been noted by other specialists). This key is encrypted with the RSA-2048 algorithm (other researchers say that an 800-bit key is used) and is saved to the file named README.TXT to the root folder of the system drive. An additional extension is not added to the encrypted files.
After the computer is rebooted by the scheduled task, control is passed to the Trojan’s boot record. On the screen of the infected computer, it displays text resembling the output of the standard CHKDSK tool.
Power down your computer immediately if you see the CHKDSK text at system startup. In this case, the boot records will be damaged, but they can be repaired using the Windows recovery tool or the Recovery Console if you boot the computer from the distribution disk. Normally, recovery of the boot record is possible in Windows 7 and later if the hidden partition containing the backup copy of the critical data is present on the drive. You can also use Dr.Web LiveDisk: create a boot disk or a boot USB, start the operating system from this removable boot media, run the Dr.Web scanner, check the infected drive, and choose the Neutralize action for the detected threats.
According to some sources, the only email address used by the cybercriminals behind
To avoid infection by
June 27, 2017
According to our information security specialists, the Trojan spreads on its own, just like the infamous WannaCry, but there is as yet no precise information on whether it uses the same distribution mechanism. At present, our security researchers are examining the new Trojan; we will publish the details later. Some mass media sources draw parallels with the ransomware Petya (which Dr.Web detects as Trojan.Ransom.369) because of the outward appearance of the ransomware’s operation. However, the new threat’s distribution method differs from the usual Petya pattern.
Today, on June 27 at 4.30 p.m., this encryption ransomware has been added to Dr.Web virus databases as
Doctor Web advises all users to be vigilant and refrain from opening suspicious emails (this measure is required but is not fully sufficient). It is necessary to make backup copies of critically important data and to install all software security updates. Availability of an installed anti-virus is also crucial.
June 23, 2017
During May 2017, in Ukraine, access to the services of several Russian companies was restricted by Presidential Decree. Among those companies were the social networks “VK” and “Odnoklassniki”. This has led to the growth in popularity of methods that allow people to bypass blocking measures—for example, the Tor browser, VPN services, and anonymizers. In addition, new programs offering similar functionality have started cropping up. However, by no means are all these latest programs safe.
Doctor Web specialists have found several applications on Google Play that allow people to work with the blocked “VK” and “Odnoklassniki” websites. To access these social networks, owners of Android devices are asked to input their login credentials; after that the programs log into the user’s account, bypassing blocking measures. Doctor Web security researchers have detected eight such programs, which are being distributed by these developers: JDX Studio, Soukaina Bousfiha, Zikolabs, Boubakri yassir, affzakanab, and simon faiz.
All these applications look exceedingly similar. They are installed on mobile devices as programs with the names «ВК В Украина», «ВК Украина», «ВК Украина 2», «ОК Украина», «Украина ОК», «ВК VPN Украина.», «ВК Украiна» and «ВК Украина VPN» and have similar shortcuts. At least 122,000 users have downloaded these applications, and each of them risks having their personal data leaked.
The problem is that to circumvent the blocking measures put in place by social media websites, this software redirects traffic through an online anonymizer. Anonymizers are special servers that process network requests and also hide information about a computer or a mobile device in order to bypass restrictions that prevent the visitation of blocked Internet resources. Such services are in demand, for example, among users of corporate networks where system administrators have restricted access to social network domains at the gateway level.
The unencrypted login credentials input by users are sent to an anonymizing server so there is nothing to prevent the server’s owners from using the information it receives for illegal purposes. For example, these server owners can log into a social network as a user and send messages without that user’s knowledge; they can add friends, join groups, read correspondence, go through photos, etc. The user doesn’t know that they have logged into the social network via a third-party domain because the applications don’t display an address bar. Any subsequent activity conducted on the “VK” and “Odnoklassniki” websites via this software is also unencrypted, which allows all actions performed in these social networks to be monitored.
Even assuming that an anonymizing server’s owners have taken such an irresponsible approach to protecting confidential data through sheer error or elementary ignorance of information security basics, there is no guarantee that cybercriminals won’t intercept the unencrypted network traffic.
As usage of the programs indicated could lead to a leak of personal information, Dr.Web Anti-virus detects them as the potentially dangerous applications
To protect themselves, users of blocked online resources should avoid suspicious applications and services for bypassing access restrictions. There are safer solutions on the market that provide a sufficient level of safety, among them commercial and free VPN (Virtual Private Network) services and proxy servers.
All known versions of
June 20, 2017
Security specialists view this case as an ordinary ransomware attack: neglected software updates, configuration flaws, and so on. But this is the largest ransom ever paid to extortionists, and the most successful attack on Linux so far.
Who is to blame?
- The hosting provider didn't offer to create backups for its customers and didn't establish a system to switch to if the existing infrastructure failed.
- Their customers relied upon the hosting infrastructure and didn't back up their data.
Successful attacks have been mounted against cloud service providers before, but none have drawn so much attention.
Doctor Web expects a sharp increase in the number of similar incidents.
And that’s because success stories of this sort encourage numerous copycats to appear. Perhaps, later on, the wave of attacks on providers of all kinds will decrease—or, perhaps, it will become a new trend just like the attacks on Linux did. It is too early to make predictions.
- If you store your data in a cloud and don't make backups, start doing it now, and make sure that you store them on servers belonging to a different provider, at home or in a different location.
- If you rent a cloud-based server, site, or service, it doesn't mean that you don't have to protect your data. Security is your concern. In addition to making backups, you need at minimum an anti-virus. One on your PC and in the cloud.
Dr.Web Server Security Suite (protects servers against malware) and Dr.Web Gateway Security Suite (scans inbound traffic and blocks access to dubious sites on the Internet) can protect a service provider's infrastructure.
Dr.Web Enterprise Security Suite products provide protection for all corporate customers regardless of company size. Please pay special attention to the fact that anti-virus protection is necessary on the provider's end as well as on the customers' end (the corporate network and employee computers). This is the only way to protect against man-in-the-middle attacks.
June 19, 2017
The Trojan, named
Once launched, the Trojan offers to check how popular the mobile device owner is among other Telegram users. To do that, it asks the owner for their personal ID. After the victim inputs any information in the corresponding form,
After removing the shortcut,
Below are examples of files that have been transmitted by
Once the confidential information is stolen,
- call — make a phone call;
- sendmsg — send an SMS;
- getapps — forward information about the installed applications to the server;
- getfiles — forward information about all the available files to the server;
- getloc — forward device location information to the server;
- upload — upload to the server the file that is indicated in a command and stored on the device;
- removeA — delete from the device the file specified in a command;
- removeB — delete a file group;
- lstmsg — forward to the server the file containing information about all the sent and received SMS messages, including sender and recipient phone numbers and message contents.
When each command is executed, the malicious program reports this information back to the cybercriminals’ Telegram bot.
Besides collecting confidential data when commanded to do so by cybercriminals,
Doctor Web security researchers are warning users that cybercriminals often distribute malicious applications under the guise of benign programs. To protect their devices from Android Trojans, users should install software distributed only by reliable developers and download it from such dependable sources as Google Play. All known versions of
June 15, 2017
This malicious program, designed for mining the Monero (XMR) cryptocurrency, was dubbed
The main module designed for mining the Monero cryptocurrency is also implemented as a library, and the Trojan contains both 32- and 64-bit versions of the miner. Which implementation is used on the infected computer depends on the bitness of the operating system. This module’s configuration indicates how many of the processor’s cores and how much computing capacity will be used for cryptocurrency mining, the intervals at which the miner will automatically restart, and other parameters. The Trojan tracks running processes on the infected computer and shuts itself down when an attempt is made to launch the Task Manager.
Despite the fact that the first mining Trojans were detected over six years ago (the signature for
June 5, 2017
The first of the two was added to the Dr.Web virus databases under the name
The other Trojan was named
A significant portion of the attacked IP addresses is located in Russia. In second place is China, and in third place—Taiwan. The below illustration shows the geographical locations from which
The Trojan uses a range of methods to detect honeypots, the decoy servers that digital security specialists use to examine malicious software. Once launched, it connects to its command and control server and, after getting confirmation from it, runs a SOCKS proxy server on the infected device. Cybercriminals can use this Trojan to ensure that they remain anonymous online.
Both of these Trojans are successfully detected and removed by Dr.Web products for Linux, and, therefore, they pose no threat to our users.
May 25, 2017
Doctor Web security researchers registered the first attacks of this Trojan from the
All the scripts included in
One of the
The danger of
Doctor Web’s specialists have collected statistics on the unique IP addresses of devices infected with
Doctor Web security researchers are familiar with several modifications of
May 17, 2017
The malware, known as WannaCry, is a network worm that infects computers running Microsoft Windows without any user involvement. Dr.Web Anti-virus detects all the worm’s components as
Once launched, the worm attempts to send a request to the remote server whose domain is stored inside the Trojan. If a response to this request is received, the worm shuts itself down. Some media sources have reported that the WannaCry outbreak was stopped once this domain was registered: up to the moment the Trojan started being spread, the domain was available due to a mistake made by the cybercriminals. In reality, the analysis of the Trojan shows that it will operate and infect computers that are connected to a local network but have no Internet connection. Thus, it is too early to talk about the epidemic being over.
After being launched, the Trojan registers itself as a system service named mssecsvc2.0. In addition, the worm is sensitive to command line parameters: if an argument is indicated, it attempts to enable an automatic restart of the service in case an error occurs. Within 24 hours after it is launched as a system service, the worm automatically shuts itself down.
After successfully starting up on an infected machine, the worm starts checking for servers that it can access in the infected machine’s local network and for computers on the Internet that have random IP addresses. It tries to connect to port 445. If the connection is successfully established, the worm attempts to infect these computers using a vulnerability in the SMB protocol.
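The port 445 fan-out described above is the worm's most visible network footprint. The following detector is an added illustration, not code from Doctor Web's report: it reads firewall-style connection log lines (constructed sample data, in an assumed format) and flags any source that reaches many distinct hosts on TCP/445 within a short window, separately counting destinations outside an assumed local range of 10.0.0.0/8.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not real traffic), one connection per line:
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 -> 10.0.0.7:445 ALLOW
2017-05-12T10:00:02 10.0.0.5 -> 10.0.0.8:445 DENY
2017-05-12T10:00:02 10.0.0.5 -> 10.0.0.9:445 DENY
2017-05-12T10:00:03 10.0.0.5 -> 198.51.100.23:445 DENY
2017-05-12T10:00:04 10.0.0.5 -> 203.0.113.4:445 DENY
2017-05-12T10:00:05 10.0.0.5 -> 192.0.2.77:445 DENY
2017-05-12T10:00:05 10.0.0.9 -> 10.0.0.2:445 ALLOW
2017-05-12T10:00:06 10.0.0.9 -> 93.184.216.34:443 ALLOW
2017-05-12T10:03:00 10.0.0.5 -> 10.0.0.10:445 DENY
"""

# Assumed address space of the monitored LAN; anything else counts as Internet.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Split one log line into (timestamp, src, dst_ip, dst_port, action)."""
    ts, src, _, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action


def find_smb_scanners(log_text, min_targets=5, window_seconds=60):
    """Return {src: {"targets": n, "external": m}} for every source that
    contacts at least min_targets distinct hosts on TCP/445 inside any
    window_seconds-long window; "external" counts targets outside LOCAL_NETS."""
    hits = defaultdict(list)  # src -> [(timestamp, dst_ip), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst_ip, port, _ = parse_line(line)
            if port == 445:
                hits[src].append((ts, dst_ip))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        best = set()
        for i, (t0, _) in enumerate(events):
            # Distinct destinations inside the window that opens at t0.
            window = {d for t, d in events[i:]
                      if (t - t0).total_seconds() <= window_seconds}
            if len(window) > len(best):
                best = window
        if len(best) >= min_targets:
            external = sum(not any(ipaddress.ip_address(d) in n for n in LOCAL_NETS)
                           for d in best)
            flagged[src] = {"targets": len(best), "external": external}
    return flagged
```

A single file server client (10.0.0.9 in the sample) is not flagged; a host sweeping both neighbours and random Internet addresses is.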
A dropper is a component designed to install a malicious executable file into an operating system. WannaCry’s dropper contains a massive password-protected ZIP archive, which contains an encrypted file with a Trojan encoder, Windows Desktop wallpaper containing the cybercriminals’ demands, a file containing the addresses of onion servers and the name of a wallet for Bitcoin transactions, and also an archive containing programs for operating in the Tor network. The dropper is launched from the worm’s body, installs itself in the system, and then attempts to launch its copy as a randomly named system service. If this attempt is unsuccessful, it is executed as an ordinary program. The dropper’s main task is to save the contents of the archive on the disk and launch the encryptor.
A ransomware Trojan
The Trojan contains the author’s decoder, which deletes shadow copies on the infected computer and disables the system restore function. It changes the Windows Desktop wallpaper to a graphic file that reads as follows:
Then it unpacks the applications it uses to operate with the Tor network (or downloads them from the Web) and connects to onion servers, the addresses of which are indicated in the Trojan’s configuration. From there it receives the name of the wallet accepting Bitcoin electronic currency and writes it into the configuration. To exchange data with the onion servers,
The decoder permits the decryption of several test files, the list of which is stored in the file f.wnry. The private key needed to decrypt them is stored in one of the malicious program’s components. So it is possible to decrypt them even without using the Trojan. However, the test files and all the other files are decrypted with different keys. Therefore, there is no guarantee that the data corrupted by the encoder can be restored successfully, even if a ransom is paid.
Unfortunately, at present it is impossible to decrypt files encoded by
Signs of infection
The hallmark signs of a WannaCry infection are:
- The presence of the mssecsvc2.0 system service (visible name—“Microsoft Security Center (2.0) Service”);
- The presence of the Trojan encoder file C:\WINDOWS\tasksche.exe; the previous sample of the malicious program is stored in the file C:\WINDOWS\qeriuwjhrf.
What to do in case of infection
- To prevent the further spread of infection, isolate infected machines and PCs containing valuable data from computer networks;
- Save a backup copy of the information on separate storage media that must thereafter remain disconnected from any computers.
This link will take you to a description of the worm.
May 15, 2017
The very first modification of the Trojan known to Dr.Web (Wanna Decryptor 1.0) was analyzed in Doctor Web’s laboratory on March 27, 2017, at 07:20 a.m. and was added to virus databases at 11:51 a.m., later that same day.
Trojan.Encoder.11432, which is also known as WannaCry, started actively spreading on Friday evening, and by the weekend it had infected computers of large organizations all over the world.
Doctor Web obtained its sample on May 12 at 10:45 a.m. and added it to the Dr.Web virus databases.
Before it was added to the database, Dr.Web had detected the Trojan as BACKDOOR.Trojan.
The Trojan itself is a multi-component encoder named Trojan.Encoder.11432. It includes the following four components: a network worm, an encoder dropper, an encoder and the author’s encoder.
Trojan.Encoder.11432 encrypts files on an infected computer and demands a ransom for their decryption. The money must be transferred to the specified e-wallets in Bitcoin cryptocurrency.
The mass proliferation of the Trojan is being caused by a vulnerability in the SMB protocol. All Windows operating systems older than version 10 are subject to this vulnerability. Trojan.Encoder.11432 didn’t pose any threat to our users from the moment it started spreading.
To eliminate any chance of your computers getting infected with this Trojan, we recommend that you do the following:
- Install the MS17-010 update for your operating system, which is available at technet.microsoft.com/en-us/library/security/ms17-010.aspx, and all current security updates;
- Update the Anti-virus;
- Close the attacked network ports (139, 445) using a firewall;
- Disable the attacked and vulnerable service of the operating system;
- Forbid the installation and running of new software (executable files);
- Remove excessive user rights (rights for launching and installing new software);
- Delete unnecessary services in the system;
- Forbid access to the Tor network.
May 12, 2017
The Trojan backdoor has been added to the Dr.Web virus databases under the name
The Trojan stores encrypted information in its own file. This information determines whether
- Name and version of the operating system;
- User name;
- Availability of root privileges;
- MAC addresses of all available network interfaces;
- IP addresses of all available network interfaces;
- External IP address;
- CPU type;
- RAM amount;
- Data about the malware version and its configuration.
The Trojan has its own file manager, which allows cybercriminals to execute various actions with files and folders on the infected computer. The backdoor can execute the following commands:
- Receive a list of the contents of a specified directory;
- Read a file;
- Write to a file;
- Get the contents of a file;
- Delete a file or folder;
- Rename a file or folder;
- Change the privileges for a file or folder (chmod command);
- Change the owner of a file object (chown command);
- Create a folder;
- Execute a command in the bash shell;
- Update the Trojan;
- Reinstall the Trojan;
- Change the command and control server’s IP address;
- Install a plug-in.
May 4, 2017
Recently, in the official “Doctor Web” group on the “VK” social network, messages appeared from anonymous users offering the option to download free license keys for the Dr.Web Anti-virus. Usually such messages contain a short link to RGhost file hosting. If a potential victim follows it, they will be asked if they want to download a 26 KB RAR archive. Naturally, moderators of the Doctor Web group try to delete such messages as quickly as possible, but sometimes they are not quick enough to remove them right after they are published.
The archive contains a small executable file that has an icon of a simple text document. All the examined samples of this application reveal that it is the same backdoor, but the cybercriminals have repacked the malicious program each time before publishing it online in order to avoid signature detection. As a result, the Trojan, named
After launch, the backdoor connects to its command and control (C&C) server and sends information about the infected computer, the serial number of a hard drive, the version and bitness of the installed operating system, the name of the computer, the name of the manufacturer, the version of the anti-virus, if present, and the availability of a connected webcam. The Trojan can execute the following commands of cybercriminals:
- Replace the Windows Desktop wallpaper;
- Turn off or restart the computer;
- Output a system message with the specified text on the screen;
- Swap the functions of the mouse buttons;
- Play a specific phrase using a voice synthesizer and speakers;
- Hide and then restore the Windows taskbar;
- Open or close the optical disc drive;
- Turn a display on and off;
- Open the specified link in a browser;
- Read, set or remove the specified system registry value;
- Receive a screenshot and send it to the C&C server;
- Download and launch the specified executable file;
- Update or remove the Trojan’s executable file.
One of the most dangerous functions of the backdoor is an embedded keylogger that records pressed keys. Upon command, this data is uploaded to the cybercriminals’ server. In addition, the Trojan is able to unexpectedly display SWF videos containing frightening images on the infected computer.
Doctor Web’s specialists note that such malicious programs, whose main purpose is to frighten or confuse users, are quite rare these days. The majority of Trojans are aimed at making a profit, and secondary school age children are the ones most likely to distribute viruses in order to frighten users just for “fun”.
Conventional wisdom says that there is no such thing as a free lunch, so all the different kinds of offers users come across to download license keys for commercial software are fraud anyway. Doctor Web advises users to be vigilant and not fall for such provocations.
April 20, 2017
This vulnerability has been detected in Microsoft Word. Cybercriminals have developed an active exploit for this application, and it has been added to the Dr.Web virus database as
This exploit is implemented as a Microsoft Word document with the DOCX extension. Once this document is opened, another file called doc.doc is loaded. It contains an embedded HTA script, detected by Dr.Web as
Currently, cybercriminals use this mechanism to install
Dr.Web successfully detects and removes files containing