May 2010 saw another outbreak of Windows blockers (Trojan.Winlock, Trojan.AdultBan) where many modifications of the Trojan didn’t demand from users to send short messages. New types of Trojan.Encoder programs in their turn brought “fun” to a number of careless users. New bootkits were discovered through the month and Doctor Web introduced a corresponding curing procedure in a timely manner. And fake anti-viruses (Trojan.Fakealert) went down in Doctor Web’s statistics.

New wave of blockers

Starting from May 14 Doctor Web’s statistics server registered a number of detections of Windows blockers per 24 hours that exceeded an average figure. In four subsequent days the number exceeded a 24 hour average of last months several times but on May 18 it reached 215000 (Trojan.Winlock and Trojan.AdultBan) while the average figure is 1500. The high detections figures persisted till the end of May.

Despite the fact that the surge in spreading of Trojan.Winlock programs occurred in the second half of the month, the total number of their detections in May reached 920000 thus beating the previous record set in January 2010. The detections graph below illustrates the trend in spreading of Windows blockers.

Blockers that do not require an SMS ransom

Since May 7 Doctor Web’s technical support service started receiving requests regarding blockers of Windows that instructed users to pay a ransom over payment terminals rather than by means of an SMS. In May criminals tried a variety of payment systems to get ransoms through including WebMoney, RBKMoney and Wallet One. Such blockers as well as their standard modifications are detected by Dr.Web anti-viruses as Trojan.Winlock programs.

However, in last days of the month users were typically offered to transfer money to the account of a mobile phone user. It is worth mentioning that criminals change accounts regularly making it harder for law enforcement agencies to find them.

Trojan.Winlock programs of the new type informed users that their unblocking code would be found on a bill printed by the terminal once the required amount was acquired. However, some terminals were unable to process such requests and print such information. Moreover, criminals may not bother themselves with implementing printing codes on bills and only want to get as much money as possible.

Such malicious programs added to the already existing variety of Windows blockers made their number even higher. As criminals switched to electronic payment systems from SMS to receive money from users, they no longer faced difficulties caused by joint efforts of mobile operators, aggregators and law enforcement agencies.

Doctor Web publishes unlock codes on its Dr.Web Unlocker site as new modifications of Windows blockers are discovered. On this web-site users may also find passwords for decryption of files compromised by some modifications of Trojan.Encoder.

Below you can find a gallery of screenshots that show what most notable Windows blockers found on user machines in May look like.

Trojan.Winlock gallery

New bootkits

In May Doctor Web’s developers also discovered such new bootkits (a type of rootkits capable of modifying a disks’ boot sector and therefore launch before an operating system) as Trojan.Alipop and Trojan.Hashish. The first one targeted mainly Chinese users and was used to generate fake website hits. The second boot-virus was designed to launch any components that a cyber-criminal considered necessary in the system. Currently Trojan.Hashish includes malicious objects belonging to the Win32.HLLC.Asdas family of programs that display banners in browser windows. The bootkit is also capable of infecting executable files.

Doctor Web’s virus analysts promptly implemented a curing algorithm for the new bootkits in the Dr.Web scanner for Windows. At present there are few anti-virus makers that create curing procedures against such malicious programs while addressing such issues in a timely manner is the quality possessed even by fewer. Many anti-viruses available at the market are unable to cure a bootkit that compromised the system where the anti-virus runs. Meanwhile, alternative system cleaning techniques can be hard to implement for an ordinary user.

Fake anti-viruses dwindle

Even though the number of detections of Trojan.Fakealert tended to go down through May, it only meant that criminals decided to reach a greater efficiency through quality rather than quantity. Guides for neutralization of fake-anti-viruses published on European anti-malware resources are getting more complex. But criminals also make use of such guides and subsequent versions of fake anti-viruses provide users with new challenges. This arms race is somewhat similar to activities related to spreading and neutralizing Windows blockers in the Russian segment of the Internet.

Below you can find another gallery of screenshots showing most common fake anti-viruses of the past month.

Trojan.Fakealert gallery

Encoders

Several new modifications of Trojan.Encoder programs that encrypt user data and their construction kits appeared in May. From May 15 till 17 a surge in spreading of encoders was detected. Such programs based on the same engine and offered victims to contact criminals over ICQ or send a paid SMS. Their average number of detections in 24 hours reached 1300 – 1900 during those days while normally the average figure doesn’t exceed 500.

Some Trojan.Encoder modifications were designed specifically to discredit Doctor Web. They set compromised systems to use Dr.Web icons to display encrypted files and Dr.Web was used by virus makers as a title of their programs in texts shown to victims.

«Doctor Web recommends users to stay vigilant and contact Doctor Web’s virus laboratory if they have any problems with enconder Trojans. Measures implemented by Doctor Web to aid users against such programs drove criminals to such attempts to damage reputation of Doctor Web.

The share of malicious programs among all programs scanned with Dr.Web software in May2010 went down significantly both in mail traffic and among files on user machines. The cause behind such a decline can be a lower number of fake anti-viruses (they left the malware TOP20 in mail traffic) as well as lower activity of largest botnets.

Malicious files detected in mail traffic in May

Malicious files detected on user machines in May