Real-time threat news
April 20, 2017
Most modern Trojans perform either a single function or several at once with one of them dominating; genuinely multi-purpose malicious programs are rare.
Once launched on an attacked computer,
A representative of a banking Trojan family designed to steal private information and money from users' bank accounts.
The Trojan connects with a command and control server to receive such commands as:
- Launch a file from the temporary folder on the disk of the infected computer;
- Inject itself into a running process;
- Delete the specified file;
- Launch the specified executable file;
- Save the SQLite database used by Google Chrome and send it to the cybercriminals;
- Change the command and control server to the one specified;
- Delete cookies;
- Restart the operating system;
- Turn off the computer.
The signature for
April 17, 2017
The traditional approach of cybercriminals trading in so-called fixed matches is simple: they set up a website selling “reliable and verified information on the results of sporting events”, which buyers are supposed to use to place sure-win bets with bookmakers. The creators of such websites present themselves as retired coaches and sports analysts. In fact, one segment of paying customers receives one forecast while another segment receives the exact opposite, so part of the audience is always right. If a victim complains, the criminals offer them the next forecast for free as compensation for the loss.
Recently the cybercriminals have modified this scheme. They still create websites and public pages on social networks to attract customers, but as proof of the quality of their service they now tell prospective customers to download a password-protected self-extracting RAR archive that supposedly contains text files with the results of an upcoming match. The password for the archive is sent only after the match is over, ostensibly so that the user can compare the predicted outcome with the real one.
Instead of a real archive, the victims receive the criminals' own program, which fully imitates the interface and behaviour of a self-extracting (SFX) archive created with WinRAR. This program has been added to the Dr.Web virus databases under the name
This fake “archive” contains a text-file template and an algorithm that fills in the match result as a function of the password the user enters. So once the match is over, all the criminals have to do is send the victim the password that corresponds to the real result, and a text file with the “correct” prediction is “extracted” from the “archive” (in reality, the Trojan generates it from the template).
There is also an alternative version of the scheme: the victim receives a password-protected Microsoft Excel file containing a macro that inserts the required result in the same way, depending on the password entered.
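To make the trick concrete, the following Python is an added illustration (it is not code from the original article and not the fraudsters' program) of what the two paragraphs above describe: the “archive” holds only a template, the displayed result is a function of the typed password, and after the match the criminal simply searches for a password that maps to the real outcome. The secret key, the outcome list and the sample match are constructed for the example; the RAR marker check at the end is an added heuristic a recipient can run before the match, since a genuine WinRAR SFX carries a real RAR archive (and therefore its marker block) while a program that only has a template usually does not.

```python
import hashlib
import hmac

# Constructed example data (hypothetical match; not taken from the article)
OUTCOMES = ("home win", "draw", "away win")
TEMPLATE = "Match: Team A vs Team B\nVerified result: {result}\n"
SECRET = b"constructed-demo-secret"      # assumed: the fraudster's fixed key
RAR_MARKER = b"Rar!\x1a\x07"             # marker block found in RAR4 and RAR5 archives


def select_outcome(password: str, secret: bytes = SECRET) -> str:
    """The 'special algorithm': a keyed hash of the typed password picks one of
    the prepared outcomes, so no result exists inside the file before a
    password is entered."""
    digest = hmac.new(secret, password.encode("utf-8"), hashlib.sha256).digest()
    return OUTCOMES[digest[0] % len(OUTCOMES)]


def fake_extract(password: str, secret: bytes = SECRET) -> str:
    """What the fake SFX (or the Excel macro variant) writes out as the
    'extracted' text file for a given password."""
    return TEMPLATE.format(result=select_outcome(password, secret))


def password_for(outcome: str, secret: bytes = SECRET, limit: int = 10_000) -> str:
    """After the final whistle the fraudster searches for a short password that
    'unlocks' the outcome that actually happened and sends that one."""
    for i in range(limit):
        candidate = f"key{i:04d}"
        if select_outcome(candidate, secret) == outcome:
            return candidate
    raise RuntimeError("no password found within limit")


def looks_like_real_sfx(blob: bytes) -> bool:
    """Crude pre-match check: a genuine WinRAR SFX embeds a RAR archive, so the
    RAR marker block must appear somewhere in the executable. A template-only
    impostor normally has no such payload. Heuristic, not proof."""
    return RAR_MARKER in blob


def demo() -> dict:
    """Show that every outcome has a password that 'proves' it."""
    return {outcome: (password_for(outcome), fake_extract(password_for(outcome)))
            for outcome in OUTCOMES}


if __name__ == "__main__":
    for outcome, (pw, text) in demo().items():
        print(f"send {pw!r} -> victim sees {text.strip()!r}")
```

The point for a potential victim: with a real encrypted archive, a wrong password fails and the right one always yields the same content; with this program, several different passwords all “work” and each yields a different result. Anyone invited to verify a prediction this way should ask for the password before the match or refuse the offer.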
Doctor Web reminds users that all these match-result predictions, whatever form they take, are a type of fraud that anyone can fall victim to. Do not trust websites offering you the chance to make a fortune by betting on insider information, even if the promises of the cybercriminals involved look very convincing.
April 13, 2017
Mass mailing of malicious attachments is one of the most popular methods of distributing Trojans. Cybercriminals compose the message so as to make the recipient open the attached file, which then infects their computer.
Over the past few days, emails with the subject header “Made the payment” have been distributed on behalf of a certain LLC Globalniye Sistemy (“Global Systems”). These letters contain the following text (the author’s syntax and spelling have been preserved):
We made the payment on April, 6, but for some reason we haven’t received an answer from you.
We hereby request to process the payment as soon as possible and provide the services because time is an issue for us.
The copy of the billing statement and other documents are in the attached archive.
Please, check the details of the billing statement. Perhaps there has been a mistake that caused the failure in delivery of our payment. It could be the reason for the delay.
LLC Globalniye Sistemy
The email carries an attached archive named “Billing from LLC Globalniye Sistemy April 6 2017.JPG.zip”, more than 4 MB in size. It contains an executable whose name ends in .JPG[several dozen spaces].exe, a padding trick that pushes the real extension out of view in file listings; the file was added to the Dr.Web virus database under the name
The application is a packed container created with the AutoIt language. On launch, the program checks that no other copy of it is already running, then drops to disk a library used to bypass User Account Control (UAC) on 32-bit and 64-bit versions of Windows, along with several other files. Then
One of the components launched by
Another component of the Trojan, xservice.bin, also an encrypted AutoIt container, drops two executables to disk: 32-bit and 64-bit builds of the Mimikatz tool, which extracts the credentials of logged-on Windows sessions from memory. xservice.bin can be launched with different command-line keys that determine what it does on the infected computer:
| Key | Action |
| -help | displays the list of available keys (the help text itself appears in an unknown encoding) |
| -screen | takes a screenshot, saves it as Screen(<HOURS>_<MINUTES>).jpg (<HOURS>_<MINUTES> is the current time) and sets the file's “hidden” and “system” attributes |
| -wallpaper <path> | changes the wallpaper to the image given in <path> |
| -opencd | opens the CD drive |
| -closecd | closes the CD drive |
| -offdesktop | prints “Not working =(” to the console |
| -ondesktop | prints “Not working =(” to the console |
| -rdp | launches RDP access (see below) |
| -getip | obtains the infected computer's external IP address by querying http://ident.me/ |
| -msg <type> <title> <msg> | shows a dialog of the given type (err, notice, qst, inf) with the specified title and text |
| -banurl <url> | appends the line “127.0.0.1 <url>” to the file %windir%\System32\drivers\etc\hosts, where <url> is the command argument |
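The -banurl command is a classic hosts-file sinkhole: whatever name it appends resolves to loopback, which is typically used to cut a machine off from update or vendor sites. As an added example (not part of the original article), the Python below parses a hosts file and flags entries of that shape, while ignoring the loopback names a stock hosts file legitimately contains. The sample hosts text is constructed; the blocked hostnames in it are invented placeholders, not names taken from this Trojan.

```python
import ipaddress

# Names that legitimately point at loopback in a stock hosts file
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}

# Constructed sample: a stock Windows hosts file with three appended lines
# of the kind the -banurl command writes (hostnames are placeholders).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below were appended by the -banurl command (constructed example)
127.0.0.1 update.example-av.test
127.0.0.1 http://www.example.test/
0.0.0.0 download.example-vendor.test
"""


def parse_hosts(text: str):
    """Yield (lineno, address, [names]) for each effective line; comments
    and blank lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield lineno, parts[0], parts[1:]


def audit_hosts(text: str) -> list:
    """Return (lineno, kind, value) findings for entries that sinkhole a name
    to loopback or the unspecified address, or that contain a pasted URL
    (a URL cannot resolve via hosts, but it is a clear sign of tampering)."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, "malformed", addr))
            continue
        for name in names:
            if "/" in name:
                findings.append((lineno, "url-in-hosts", name))
            elif (ip.is_loopback or ip.is_unspecified) and name.lower() not in BENIGN_LOOPBACK_NAMES:
                findings.append((lineno, "sinkholed", name))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind}: {value}")
```

To run it against a live system, read %windir%\System32\drivers\etc\hosts on Windows or /etc/hosts on Linux into `audit_hosts`; any hit for a vendor, update or security domain on a host that nobody administers by hand deserves a closer look.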
This application also starts a keylogger that records the keys pressed by the user to a file, and it takes a screenshot at the moment of launch.
The Trojan gives the criminals access to the infected machine over RDP (Remote Desktop Protocol). For this purpose it downloads the RDP Wrapper (rdpwrap) utility from GitHub and installs it with parameters that make it run hidden; Dr.Web Anti-virus detects it as Program.Rdpwrap. Then
The signature for
April 10, 2017
Services that organize access to paid content using WAP-click are provided by many network providers. They actively use numerous partner programs that allow website owners to monetize mobile traffic. For example, MegaFon announced a new WAP-click technology in 2012. The provider marketed it as a service “that allows MegaFon subscribers to purchase audio, video and graphic files under a simplified procedure on websites belonging to the company’s partners and to use services that do not require loading”.
The technology is simple: a mobile web user is redirected to a page stating that the requested content must be paid for. The page carries a button that, when tapped, subscribes the user to the paid service.
Soon this service became a matter of discussion both among users and in online media: WAP-click has been covered by VC.RU, Apple Insider and many others. One user even started a petition demanding that network providers require paid subscriptions to be confirmed via SMS.
Moreover, such subscriptions can be activated for any subscriber of the mobile provider's network. Owners of USB modems have also fallen victim to unauthorized subscriptions and look for solutions on their own; some of them are described in detail on websites such as http://vsyako.blogspot.ru/2014/06/podpiski.html and https://антиподписки.рф. For Windows users, one suggested countermeasure is to edit the hosts file. Initially the advice was to block access to wap.megafonpro.ru, the website through which subscriptions are processed. This may have worked for a while, but it was later discovered that MegaFon owns a number of other domains with the same functionality:
| IP address | Domain | Name server | Registrant (WHOIS) | Created |
| 188.8.131.52 | moy-m-portal.ru | ns1.misp.ru | North-West Branch of PJSC "MegaFon" | 2016-04-07T15:00:38Z |
| 184.108.40.206 | propodpiski.ru | ns1.misp.ru | North-West Branch of PJSC "MegaFon" | 2016-05-10T11:39:21Z |
| 220.127.116.11 | mfprovas.ru | ns1.misp.ru | North-West Branch of PJSC "MegaFon" | 2016-05-10T11:39:22Z |
| 18.104.22.168 | vasmfpro.ru | ns1.misp.ru | North-West Branch of PJSC "MegaFon" | 2016-05-10T11:39:22Z |
| 22.214.171.124 | propodpiskimf.ru | ns1.misp.ru | North-West Branch of PJSC "MegaFon" | 2016-05-10T11:39:23Z |
| 126.96.36.199 | promfvas.ru | ns1.misp.ru | North-West Branch of PJSC "MegaFon" | 2016-05-10T11:39:23Z |
| 188.8.131.52 | vasmpro.ru | ns1.misp.ru | North-West Branch of PJSC "MegaFon" | 2016-05-10T11:39:24Z |
Let’s review a real example of WAP-click technology at work. Doctor Web specialists ran an experiment on MegaFon’s mobile Internet. Suppose that on the eve of the growing season a user intends to plant onions in their vegetable garden and, naturally, looks for instructions via a Google search. The query “how and when to plant onions” returned a link that seemed to fit.
The HTML code of the page the link leads to embeds a script that identifies the user’s network provider. In our example, all the following actions are performed only for MegaFon subscribers.
When the user tries to open this web resource, a chain of automatic redirects is executed, consisting of at least 5 to 7 intermediate hops. The chain ends on an online subscription site that, according to WHOIS data, belongs to MegaFon.
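The carrier check plus the long redirect chain is what makes these pages hard to reproduce from a desktop. As an added example (not from the original article), the Python below walks Location headers hop by hop, resolves relative redirects, stops on loops or a hop limit, and reports whether the terminal host is one of the MegaFon subscription domains listed above. The chain and the carrier-dependent first response are constructed with a fake fetcher so the example runs offline; the intermediate hostnames are invented, and only the subscription domains come from the article.

```python
from urllib.parse import urljoin, urlsplit

# Domains from the WHOIS table above (plus wap.megafonpro.ru from the text)
SUBSCRIPTION_DOMAINS = {
    "wap.megafonpro.ru", "moy-m-portal.ru", "propodpiski.ru", "mfprovas.ru",
    "vasmfpro.ru", "propodpiskimf.ru", "promfvas.ru", "vasmpro.ru",
}

START = "http://garden-tips.example/onions"   # constructed landing page

# Constructed chain of responses: url -> (status, headers). The intermediate
# hosts are placeholders; one hop uses a relative Location on purpose.
CHAIN = {
    START: (302, {"Location": "http://t1.example/go?id=1"}),
    "http://t1.example/go?id=1": (302, {"Location": "http://t2.example/r"}),
    "http://t2.example/r": (302, {"Location": "/landing"}),
    "http://t2.example/landing": (302, {"Location": "http://t3.example/x"}),
    "http://t3.example/x": (302, {"Location": "http://propodpiski.ru/subscribe?offer=1"}),
    "http://propodpiski.ru/subscribe?offer=1": (200, {}),
}


def make_fetcher(carrier: str):
    """Model the embedded script: the page only redirects MegaFon subscribers;
    everyone else just gets the article (HTTP 200)."""
    def fetch(url):
        if url == START and carrier != "MegaFon":
            return 200, {}
        return CHAIN.get(url, (404, {}))
    return fetch


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def walk_redirects(start_url: str, fetch, max_hops: int = 15):
    """Follow redirects with fetch(url) -> (status, headers). Returns
    (hops, terminal_url); stops on a non-3xx answer, a missing Location,
    a loop, or max_hops so a redirect storm cannot run forever."""
    hops = [start_url]
    seen = {start_url}
    url = start_url
    while len(hops) <= max_hops:
        status, headers = fetch(url)
        location = headers.get("Location")
        if not (300 <= status < 400 and location):
            break
        nxt = urljoin(url, location)       # handles relative Location values
        if nxt in seen:
            break                          # redirect loop
        seen.add(nxt)
        hops.append(nxt)
        url = nxt
    return hops, url


def landed_on_subscription(hops) -> bool:
    return host_of(hops[-1]) in SUBSCRIPTION_DOMAINS


if __name__ == "__main__":
    for carrier in ("MegaFon", "OtherCarrier"):
        hops, final = walk_redirects(START, make_fetcher(carrier))
        print(f"{carrier}: {len(hops) - 1} redirects, ends at {host_of(final)},"
              f" subscription page: {landed_on_subscription(hops)}")
```

Against a live page, replace `make_fetcher` with a real HTTP client that does not follow redirects itself (so that every hop is recorded) and run it once from the carrier's network and once from elsewhere; a chain that only appears for one carrier is the signature described above.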
The subscription page does warn that access to the desired website costs 30 rubles per day; the fee is justified by the presence of “articles and news intended for personal use”. However, on devices with a high screen resolution (a tablet, or a computer with a USB modem) this important warning becomes much less noticeable, and the visitor can easily miss the small print.
Even if the user accepts the proposed terms, they still will not see any information on onions. After the subscription button is clicked, they are redirected, via another chain of redirects, to infonews24.ru, a web resource belonging to LLC Informpartnyor (http://informpartner.com). The user then receives an SMS saying that the paid subscription was activated successfully. Note that owners of USB modems that do not support SMS notifications receive no such message: they learn about the subscription only when the bill arrives from their network provider.
From the moment the subscription button is clicked, 30 rubles are charged to the user’s account daily, even if they never visit the paid website, use the Internet or even switch the phone on.
Unsubscribing from paid access to web resources is not easy either. For several days, our specialists sent USSD requests from the mobile device to check for active paid content services, yet the SMS replies from MegaFon stated that the subscriber number had no active subscriptions.
The same result was observed in the MegaFon user “Dashboard”, whether it was opened on the mobile device or on a desktop, and on the dedicated website http://podpiski.megafon.ru: no paid access to web resources was listed. In our case, the subscription appeared in the “Dashboard” only several days later, and the fee was charged daily in the meantime.
MegaFon itself offers its users a special content account designed specifically for the debiting of subscription payments. This account eliminates any chance of spending money from the user’s main account. To get this free service, users must contact the technical support service or visit the provider’s office.
There is also an alternative way of avoiding WAP-click subscriptions: MegaFon suggests sending the special request “УСТЗАПРЕТ1” (“USTZAPRET1”) to its service number. However, this ban on subscriptions is valid only for 90 days, after which a MegaFon user can once again accidentally subscribe to a paid service.
If you notice that funds are regularly being debited from your mobile account, you should absolutely check whether you are being charged for any paid subscriptions. It is also recommended that you connect a content account in order to keep the funds in your main account with the mobile network provider secure. Doctor Web advises you to be alert when using mobile Internet, and in case you discover you have accidentally subscribed to some paid services, it is recommended that you cancel them as soon as possible—on your own or by contacting your network provider’s support service.
March 17, 2017
Warning!!! All your files are encrypted with AES algorithm!
For decrypt use this instructions:
Download tor browser
Run tor and go to: http://vejtqvliimdv66dh.onion
Or you can use tor2web services http://vejtqvliimdv66dh.onion.to
in log panel enter your id (CRPTksrjghkrkwkrjthkewVM)
follow next instructions
if server is down, try connect later
locker version 3.0.0
The id parameter can assume various values on different infected computers.
If you have fallen victim to this malicious program, follow the recommendations below:
- do not remove any files from your computer or reinstall the operating system. It is also not recommended to use the infected computer until you get detailed instructions from Doctor Web’s technical support;
- if you have run an anti-virus scan, do not try to cure or remove the threats that were detected—our technical support specialists may need them during their search for a decryption key;
- try to remember as much about the circumstances of the infection as possible: this can involve receiving dubious email messages, downloading programs from the Web, or visiting websites;
- if you have the email message containing the attachment that infected your computer after you opened it, do not remove it—our specialists may need it to identify which version of the Trojan is involved.
To decrypt files corrupted by
Once again, we would like to point out that our free decryption service is only available to users who have purchased commercial licenses for Dr.Web products. Doctor Web cannot guarantee that all of your files will be decrypted successfully. However, our specialists will do their best to recover the encrypted data.
March 3, 2017
Doctor Web specialists examined an on-screen keyboard app called TouchPal. Mobile device owners can use it instead of the standard one. It does indeed work as stated but contains an unwanted advertising module. In keeping with the Dr.Web classification system, the module was named
This plug-in displays several types of ads. For example, on the home screen it creates widgets that can’t be deleted until the device owner clicks on them. When the widget is clicked on,
Despite the fact that TouchPal itself is not a malicious program, the unwanted module within it—
February 13, 2017
This malicious program, which is based on the source code of another banking Trojan—Zeus (
Worth highlighting is the unique way in which the Trojan automatically launches itself on an infected machine:
Dr.Web successfully detects and removes
February 6, 2017
The new malicious program was dubbed
If the Trojan successfully connects to the attacked node via any of the available protocols, it executes the indicated sequence of commands. The only exception is a connection via RDP protocol: in this case, none of the instructions are executed. Besides that, while connecting to the Linux device via Telnet protocol, it downloads a binary file on the compromised device, and this file subsequently downloads and launches
January 24, 2017
The Trojan, used by cybercriminals to infect numerous Linux network devices, has been named
A script is generated from this list and executed with the help of sshpass, which logs into the devices non-interactively; it infects the attacked system with
Besides that, the server belonging to the cybercriminals who distribute
To connect to a proxy server that is launched using
To protect devices from
January 13, 2017
The worm, named
After infecting a computer running Windows,
If access is obtained, the worm establishes a VNC connection and sends keystroke events through it, using them to open the CMD command interpreter and run code that fetches and launches a copy of the worm over FTP. This is how the worm replicates itself.
One more function of
In addition, the Trojan copies itself to the ICQ client folder together with folders of programs designed to establish P2P connections. Once
The existence of samples of a previous version of
December 16, 2016
If the Trojan does not find anything suspicious, it saves the file 1.zip on the disk.
The picture above shows a non-standard Microsoft Windows “save” dialog box: in the bottom-left corner, you can see the link “Additional settings”. When the link is clicked,
If the user clicks “Save”,
Among the applications
While TrayCalendar is being copied to the disk, the Trojan saves and installs an extension for Google Chrome. The most notable feature of
Dr.Web Anti-virus successfully detects and removes all the Trojans mentioned above. Therefore, they do not pose any threat to our users.
December 12, 2016
One of these Trojans, dubbed
- MegaFon Login 4 LTE
- Irbis TZ85
- Irbis TX97
- Irbis TZ43
- Bravis NB85
- Bravis NB105
- SUPRA M72KG
- SUPRA M729G
- SUPRA V2N10
- Pixus Touch 7.85 3G
- Itell K3300
- General Satellite GS700
- Digma Plane 9.7 3G
- Nomi C07000
- Prestigio MultiPad Wize 3021 3G
- Prestigio MultiPad PMT5001 3G
- Optima 10.1 3G TT1040MG
- Marshal ME-711
- 7 MID
- Explay Imperium 8
- Perfeo 9032_3G
- Ritmix RMD-1121
- Oysters T72HM 3G
- Irbis tz70
- Irbis tz56
- Jeka JK103
However, the actual number of infected Android devices may be even larger.
The Trojan can download not only benign applications but also malware and unwanted ones. For example,
On various forums, Android users note that even if they delete H5GameCenter, it is soon installed on the system once again. It happens because
Another Trojan found on the devices Lenovo A319 and Lenovo A6000 was named
The payload of
- Download an APK file and try to install it, prompting the user for confirmation.
- Run an installed application.
- Open the specified link in a browser.
- Make a phone call to a specified number using the standard system application.
- Open the standard system phone application with a specified number already dialed.
- Show advertisements on top of all applications.
- Display advertisements in the status bar.
- Create a shortcut on the home screen.
- Update the main malicious module.
It is known that cybercriminals generate their income by increasing application download statistics and by distributing advertising software. Therefore,
Doctor Web has already informed smartphone manufacturers about this incident. Users of the infected devices are recommended to contact technical support specialists to get the updated system software as soon as it is ready.
Dr.Web for Android detects
December 9, 2016
The Trojan, dubbed
First, other malicious programs download and run
Dr.Web for Android successfully detects all the known Trojans belonging to the
November 17, 2016
Now we will briefly focus on some technical features of
The Trojan’s resources contain the window “About the Bot project” which is not displayed while the backdoor is in operation—the virus makers probably forgot to remove it when they copied the code. The window has the string “Copyright © 2015”; however, the current version was compiled on April 21, 2016.
Once launched, the Trojan checks whether the configuration file is present; if not, it creates one.
- A received command can be executed using the command interpreter cmd;
- A file can be downloaded from a specified link and saved to a certain folder on a computer;
- A list of folder content can be generated and sent to the C&C server;
- A screenshot can be taken and sent to the C&C server;
- A file can be uploaded to a specified server over the FTP protocol;
- A file can be uploaded to a specified server over the HTTP protocol.
Doctor Web specialists have determined that some of
- Get a list of files and folders using the specified path;
- Delete particular files;
- Shut down certain processes;
- Copy the specified files;
- Send the C&C server a list of running processes and information on the operating system and disks of the infected computer;
- Terminate itself.
The second Trojan—
The signatures for these Trojans are already in the Dr.Web databases and do not pose any threat to our users.
November 14, 2016
The Trojan is being actively promoted on underground forums. Its creators claim that a botnet of 100 infected computers can generate 20,000 to 25,000 requests per second, with a peak of 30,000. As proof, they show a chart of a test attack on an NGINX HTTP server:
Currently, 314 active connections are registered on one of the IRC channels controlling the
The signature for
November 10, 2016
The Trojan has an unusual modular architecture: part of its functionality lives in two auxiliary modules, which are encrypted and hidden inside a PNG image in the resources directory of
One of these components not only performs benign functions but also contains several advertising plug-ins used by the Trojan’s authors to generate income. The malicious module
Apart from Google Play,
Dr.Web for Android successfully detects all the known versions of
October 20, 2016
The Trojan, dubbed
Once launched, the Trojan saves itself to the folder .gconf/apps/gnome-common/gnome-common, located in the user’s home directory. It then searches for a hidden file, whose name matches the file name of the Trojan, and replaces the executable file with it. For instance, if an ELF file of
Then the Trojan checks the name of the installed Linux distribution: if the name is something other than openSUSE,
- Send the C&C server the number of messages transferred during the session;
- Send a list of the contents of the specified folder;
- Send the C&C server the specified file or a folder with all its contents;
- Delete a directory;
- Delete a file;
- Rename a folder;
- Remove itself;
- Launch a new copy of a process;
- Close the current session;
- Establish backconnect and run sh;
- Terminate backconnect;
- Open the executable file of the process for writing;
- Close the process file;
- Create a file or folder;
- Write the transmitted values to a file;
- Obtain the names, permissions, sizes, and creation dates of files in the specified directory;
- Set 777 permissions (rwxrwxrwx) on the specified file;
- Terminate the backdoor’s operation.
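Two of the details above are cheap to check for on a suspect host: the drop directory .gconf/apps/gnome-common/gnome-common under the user's home, and files left with mode 777. The Python below is an added example, not code from the article; it scans a home directory for that path, for ELF executables hiding inside it (a GNOME configuration tree has no business containing binaries) and for world-writable files, which generalises the 777 command slightly. The demo tree it builds in a temporary directory is constructed, and the file name .cache-helper is an invented placeholder, not a name this Trojan is known to use.

```python
import stat
import tempfile
from pathlib import Path

# Drop path named in the article, relative to the user's home directory
DROP_DIR = Path(".gconf/apps/gnome-common/gnome-common")


def is_elf(path: Path) -> bool:
    """True if the file starts with the ELF magic bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == b"\x7fELF"
    except OSError:
        return False


def scan_home(home: Path) -> dict:
    """Walk one home directory and collect indicators described above."""
    findings = {
        "drop_dir_present": (home / DROP_DIR).is_dir(),
        "elf_in_drop_dir": [],     # executables hiding in the GNOME config tree
        "world_writable": [],      # mode 777 and similar (the backdoor's chmod command)
    }
    for path in home.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(home)
        perm = stat.S_IMODE(path.stat().st_mode)
        if perm & stat.S_IWOTH:
            findings["world_writable"].append(str(rel))
        if rel.parts[:len(DROP_DIR.parts)] == DROP_DIR.parts and is_elf(path):
            findings["elf_in_drop_dir"].append(str(rel))
    return findings


def build_demo_home(base: Path) -> Path:
    """Constructed scenario: a home dir with a normal dotfile and a hidden
    fake ELF (just the magic header, not a real binary) in the drop path."""
    home = base / "victim"
    drop = home / DROP_DIR
    drop.mkdir(parents=True)
    payload = drop / ".cache-helper"            # placeholder name
    payload.write_bytes(b"\x7fELF" + b"\x00" * 60)
    payload.chmod(0o777)                        # what 'set 777 privileges' leaves behind
    (home / ".bashrc").write_text("# ordinary dotfile\n")
    return home


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return scan_home(build_demo_home(Path(tmp)))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine, call `scan_home(Path.home())` or loop over /home/* as root; the presence of the drop directory alone is enough to pull the box for analysis, the other two lists are there to reduce noise when the directory has been renamed.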
October 17, 2016
Currently, the virus makers spreading Trojans for the IoT are mostly concerned with building botnets for DDoS attacks, although some Trojans turn an infected device into a proxy server. Since mid-September 2016, Doctor Web’s specialists have registered 11,636 attacks by Linux Trojans: 9,582 of them were performed over SSH and 2,054 over Telnet. Cybercriminals installed 15 different malware programs, the majority of which belong to the
Judging from these statistics,
Cybercriminals download all these Trojans to devices after they have guessed or brute-forced the login credentials and established a connection over Telnet or SSH. Attackers use the login “root” when connecting via Telnet and the login “admin” when using SSH:
The table below shows some standard combinations of the logins and passwords used by attackers to hack Linux devices.
| Login | Password | Device or software |
| informix | Informix | Informix relational database management system (RDBMS) family developed by IBM |
| root | Nagiosxi | Nagios server and network monitoring software |
| admin | Articon | ProxySG secure web gateway by Blue Coat Systems |
| root | Vizxv | Dahua surveillance cameras |
| root | Anko | Anko surveillance cameras |
| root | XA1bac0MX | CNB surveillance cameras |
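Credential guessing of this kind is loud in the device's own logs, which is the cheapest place to catch it. The Python below is an added example (not from the article) that runs simple detection logic over sshd log lines: it counts failed logins per source address, lists which accounts each source tried, notes whether those accounts are the default logins from the table above, and flags the worst case, a successful login from an address that had just been failing. The log lines are constructed for the example and use documentation address ranges; the threshold is an assumption to tune per environment.

```python
import re
from collections import Counter, defaultdict

# Logins from the default-credential table above
DEFAULT_LOGINS = {"root", "admin", "informix"}

# OpenSSH auth-log format: "Failed password for [invalid user] USER from IP port N ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log (documentation IP ranges, invented host name)
SAMPLE_LOG = """\
Oct 17 03:12:01 cam01 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 17 03:12:02 cam01 sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct 17 03:12:03 cam01 sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51251 ssh2
Oct 17 03:12:04 cam01 sshd[1207]: Failed password for invalid user admin from 203.0.113.5 port 51260 ssh2
Oct 17 03:12:05 cam01 sshd[1209]: Failed password for root from 203.0.113.5 port 51270 ssh2
Oct 17 03:12:06 cam01 sshd[1211]: Failed password for root from 203.0.113.5 port 51281 ssh2
Oct 17 03:12:07 cam01 sshd[1213]: Accepted password for root from 203.0.113.5 port 51290 ssh2
Oct 17 03:20:41 cam01 sshd[1300]: Failed password for root from 198.51.100.9 port 40001 ssh2
Oct 17 03:20:43 cam01 sshd[1302]: Failed password for root from 198.51.100.9 port 40002 ssh2
Oct 17 08:00:00 cam01 sshd[1400]: Accepted publickey for operator from 192.0.2.7 port 55000 ssh2
Oct 17 08:00:01 cam01 sshd[1400]: pam_unix(sshd:session): session opened for user operator by (uid=0)
""".splitlines()


def parse_auth_log(lines):
    """Yield (timestamp, result, user, ip) for lines that are login attempts."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("ip")


def analyse(lines, threshold: int = 5) -> dict:
    """Summarise brute-force sources and successes that follow failures.
    threshold = failed attempts per source before it is reported (assumed)."""
    failures = Counter()
    users_tried = defaultdict(set)
    success_after_failures = []
    for ts, result, user, ip in parse_auth_log(lines):
        if result == "Failed":
            failures[ip] += 1
            users_tried[ip].add(user)
        elif failures[ip]:
            success_after_failures.append((ts, ip, user))
    sources = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "brute_force_sources": sources,
        "targeted_users": {ip: sorted(users_tried[ip]) for ip in sources},
        "default_logins_tried": sorted(
            u for ip in sources for u in users_tried[ip] if u in DEFAULT_LOGINS),
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Telnet daemons on embedded devices rarely log this well, which is one more reason the Telnet share in the statistics above is hard to see from the device side; for those, the same counting logic is better applied to a network capture or a honeypot than to local logs.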
The average number of IP addresses from which cybercriminals attack Linux devices monitored by Doctor Web is 100:
The number of unique malicious files downloaded by cybercriminals to hacked devices varies from just a few to several dozen:
Also notable are the statistics on Linux.Mirai downloads to vulnerable devices: once the Trojan's source code was made public, its popularity with virus makers grew dramatically, as illustrated by the growing number of IP addresses from which the malware is downloaded onto devices:
In October, a Trojan belonging to the
Below you can see the geographical spread of the IP addresses from which malware programs were installed onto Linux devices:
Doctor Web’s specialists are keeping a close watch on the Linux malware landscape and will inform users about new threats in a timely manner.
October 11, 2016
New ransomware Trojans appear every month. What makes this one notable is that it is the first ransomware program written in Go, the language developed by Google; Doctor Web’s analysts had never before encountered an encoder built with this technology. Once launched,
- tmp
- winnt
- Application Data
- AppData
- Program Files (x86)
- Program Files
- temp
- thumbs.db
- Recycle.Bin
- System Volume Information
- Boot
- Windows
- .enc
- Instructions
- Windows_Security.exe
The Trojan encrypts 140 different types of files, identifying them according to their extensions.
Then, in a browser window, the Trojan opens the file Instructions.html, which demands that a ransom be paid in the Bitcoin cryptocurrency:
It should be noted that
Doctor Web’s security researchers have developed a new technique that can help decrypt files compromised by the malware. If you have fallen victim to
- Notify the police.
- Do not, under any circumstances, attempt to solve the problem by using some utility to reinstall, “optimize” or “clean” the operating system.
- Do not delete any files from your computer.
- Do not try to restore the encrypted data yourself.
- Contact Doctor Web’s technical support (its free decryption service is only available to users who have purchased commercial licenses for Dr.Web products).
- Attach a file encrypted by the Trojan to the request ticket.
- Wait for a response from technical support. Due to the large volume of requests, this may take some time.
Once again we would like to point out that the free decryption service is only available to users who have purchased commercial licenses for Dr.Web products. Doctor Web cannot guarantee that all of your files will be decrypted successfully. However, our specialists will do their best to recover the encrypted data.
September 27, 2016
This malicious program (dubbed
- UDP flood;
- UDP flood over GRE;
- DNS flood;
- TCP flood (several types);
- HTTP flood.
The maximum uptime of
August 2016 began with the discovery of a new version of this dangerous Trojan. The new version, dubbed
September began with the discovery of an updated version of the Trojan dubbed
Some researchers have reported that if
To learn more about this Trojan family, download a PDF file of a detailed technical review prepared by Doctor Web's specialists.
September 21, 2016
Anti-virus specialists have been acquainted with the
Once saved to smartphones and tablets,
One of these upgraded Trojans examined by Doctor Web security researchers was named
Next, using the igpi module (dubbed
Once the zygote process is infected,
The igpi.jar module’s main job is to download plug-ins specified by the cybercriminals and launch them in the infected environment. The module monitors the mobile device’s status and, when certain system events occur (e.g. home screen activity, a change of network connection, charger use, etc.), connects to the command and control server and sends it the following information about the infected device:
- MAC address of the network adapter;
- OS version;
- Mobile device model;
- Current system language;
- Application package name.
- If Android.Xiny.60 infects a Google Play process, it downloads the software-installation module into it.
- If Android.Xiny.60 infects a messenger, it becomes able to intercept and send messages.
- If Android.Xiny.60 infects a banking program’s process, it launches the required plug-in and is then able to steal confidential information, such as logins, passwords and credit card numbers, and even covertly transfer money to cybercriminal-owned bank accounts.
Doctor Web's security researchers continue to monitor Trojans belonging to the
September 14, 2016
Once launched, the
When launched successfully, the Trojan creates two child processes. The first exchanges data with the command and control server; the second checks in an infinite loop that the parent process is still running and relaunches it if it is not. The parent process does the same for the child, so the Trojan keeps running on the infected machine.
- Update the malicious program
- Download and run the file specified in the command
- Remove itself
- Launch a UDP flood attack on a specified port
- Launch a UDP flood attack on a random port
- Launch a Spoofed UDP flood attack
- Launch a TCP flood attack
- Launch a TCP flood attack (random data up to 4096 bytes long is appended to the packets)
- Launch an HTTP flood attack using GET requests
- Launch an HTTP flood attack using POST requests
- Launch an HTTP flood attack using HEAD requests
- Send HTTP requests with the parameters specified to 255 random IP addresses
- Terminate execution
- Send a PING command
When the Trojan receives the command to launch a DDoS attack or send random requests, it first shuts down all the child processes and then launches 25 new ones which subsequently carry out criminal-ordered attacks. The signature of
September 8, 2016
The Trojan can execute just four commands. It can connect to a specified chat channel; send cybercriminals information about an infected computer; send cybercriminals data about the applications running in a system; and delete itself from an infected machine.
Unlike the majority of its counterparts,
The signature for
August 29, 2016
The Trojan is notable for its ability to bypass Windows User Account Control (UAC). Information about this technique was first published in a blog post on August 15. Just three days later, the first sample of this Trojan, which was subsequently named
First, a dropper, which saves an installer to disk and runs it, and a BAT file, which is responsible for removing the dropper, are launched simultaneously. The installer then connects to the command and control server to receive a configuration file specifying the address from which the browser is downloaded.
The browser, named Outfire, is a custom build of Google Chrome. During installation it registers itself in the Windows registry, starts several system services and creates Task Scheduler tasks to download and install its updates. In addition, Outfire tampers with the installed Google Chrome browser by removing or creating shortcuts and copying the current Chrome user profile data into the new browser. Finally,
Once installation is complete, the fake browser displays a home page that cannot be changed in the browser’s settings. It also carries a fixed extension designed to replace advertisements in browsed web pages and uses its own search engine by default, though this one can be changed in the application’s settings.
Dr.Web successfully detects and removes
August 19, 2016
The new Trojan, named
Today’s botnets can be divided into two types: those whose bots receive instructions from command and control (C&C) servers, and peer-to-peer (P2P) botnets, in which infected machines pass information directly to one another.
The malware program receives directives over the HTTPS protocol and sends them to other botnet nodes, if necessary. When commanded by cybercriminals,
The Trojan exploits a known vulnerability to compromise websites built on Drupal: after performing a SQL injection, it logs into the site. If a site is hacked,