Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to the news list

Russian Windows blockers, European “bankers”, and other threats of June 2010

July 2, 2010

Windows blockers remain a major virus threat in Russia. In June, malicious programs demanding that users refill cell phone account balances belonging to criminals constituted 30 percent of Windows blockers incidences. Regular visitors to social networking web sites were also targeted. Visitors who attempted to log on to favourite sites received messages informing them that their accounts had been suspended, and that to unfreeze them, they needed to send paid text messages. Meanwhile, banking Trojans attacked European bank customers, forcing them to surrender their TAN codes to cyber criminals. Such codes are used by some banks for one-time transaction authorizations. However, sometimes even such extreme precautions on the part of banks can’t prevent cyber criminals from inflicting damage.

Windows blockers countermeasures

While Windows blockers continued to terrorize users, Doctor Web did its best to help those whose systems were compromised by malicious programs of this type.

In January 2010, Doctor Web launched its Dr.Web Unlocker web site. The site includes web forms offering unblocking codes for certain phone numbers and text messages displayed by Trojans. Later an unlock code generator was also introduced. The site is updated on a regular basis to address the latest trends in the development of system blocking malware.

In addition, since June 23, 2010, Doctor Web has made its support service available free of charge to every user (regardless of the anti-virus involved) whose system has been blocked by a Windows blocker program and who can’t get help at the unlocker site. To further fight the outbreak, Doctor Web cooperates with law enforcement agencies and provides up-to-date information to the widest audience possible about the current status of the epidemic, including prevention and curing techniques.

During June, Doctor Web’s statistics server registered over 420,000 instances of detection of Windows blockers, down from the previous month’s figure of 940,000+. Most of these programs were detected by Dr.Web anti-viruses as Trojan.Winlock, Trojan.Adultban, and Trojan.Packed.20343.

By the end of June, Trojans demanding cell phone balance refills as ransom amounted to 30 percent of all blockers. Doctor Web's analysts studied numerous cases of systems being infected by such programs and concluded that, in most cases, users wouldn’t receive unlock codes even if they paid the ransom. Once again the facts confirm this rule: no matter how desperate you are, never give money to criminals!.

Below is a gallery of screenshots showing June’s most common Windows blockers.

Social networking web sites – an attraction for criminals

Many users contacting Doctor Web’s technical support service in June were unable to visit social networking and free e-mail service web sites. When trying to load web pages, users got messages informing them that their accounts had been suspended for spamming, and that to continue they would have to send paid text messages. Dr.Web software detected the malicious programs responsible for such messages as Trojan.Hosts.

Reports received at the end of June indicated new modifications to Trojan.Hosts’ demand to refill cell phone balances, demands similar to those made by Windows blockers.

Because Trojan.Hosts and Trojan.Winlock are parts of schemes with similar mechanisms for converting acquired funds into actual money, Doctor Web also helps those whose support requests concern such viruses.

Internet banking users in danger

European bank customers who make wide use of Internet banking, particularly those of Volksbank Austria and German Postbank, became the primary targets of malware in Europe. Banks use TAN codes to achieve better security for online transactions. Each transaction has its own unique TAN code which allows customers to carry out transactions without disclosing their individual PIN codes. But cyber criminals have found a loophole: Users whose computers were infected by malicious programs like Trojan.PWS.Banker or Trojan.PWS.Bancos are prompted to enter TAN codes whenever they try to use an Internet banking system. Codes submitted by users get into the hands of criminals.

The Trojans were able to detect a browser used to access an Internet-banking web site and sprang into action only if the browser was Internet Explorer, demonstrating once again that users of other browsers are better protected from threats lurking on the Internet.

ПGeneral trends of June include the still active Oficla botnet, with four modifications of Trojan.Oficla found among the top 20 malware threats most frequently detected in e-mail. Intruders also often resorted to malicious scripts detected by Dr.Web anti-viruses as JS.Redirector.based.3. Embedded in HTML documents attached to spam messages, they redirect users to web sites that spread malware or to advertisements that typically promote pharmaceutical products.

Malicious files detected in mail traffic in June

01.06.2010 00:00 - 01.07.2010 00:00

1

Trojan.DownLoad1.58681

94881 (10.75%)

2

Trojan.Oficla.38

90647 (10.27%)

3

Trojan.Winlock.1651

73241 (8.30%)

4

Trojan.Oficla.zip

53192 (6.03%)

5

JS.Redirector.based.3

49394 (5.60%)

6

Trojan.Oficla.45

36125 (4.09%)

7

Trojan.Inject.8798

32974 (3.74%)

8

Win32.HLLW.Shadow.based

31944 (3.62%)

9

Trojan.Botnetlog.zip

28964 (3.28%)

10

Trojan.Packed.20425

22365 (2.53%)

11

Trojan.DownLoad1.62000

22311 (2.53%)

12

Trojan.Click1.10425

22229 (2.52%)

13

Win32.HLLW.Kati

16839 (1.91%)

14

Trojan.Inject.8874

12293 (1.39%)

15

Trojan.DownLoader.origin

10000 (1.13%)

16

Trojan.Siggen1.41503

9198 (1.04%)

17

Trojan.Oficla.33

7436 (0.84%)

18

Trojan.Packed.436

6902 (0.78%)

19

Win32.HLLW.Shadow.6

6765 (0.77%)

20

Win32.HLLW.Autoruner.4360

5299 (0.60%)

Total scanned:13,188,581,400
Infected:847,004 (0.0642%)

Malicious files detected on user machines in June

01.06.2010 00:00 - 01.07.2010 00:00

1

Trojan.Inject.8798

1265565 (13.62%)

2

Trojan.Siggen1.37243

678958 (7.31%)

3

ACAD.Pasdoc

672529 (7.24%)

4

Trojan.Packed.20343

301736 (3.25%)

5

Trojan.Siggen1.51699

280021 (3.01%)

6

Win32.HLLW.Gavir.ini

279207 (3.01%)

7

Win32.HLLW.Shadow

263432 (2.84%)

8

Win32.HLLW.Shadow.based

263423 (2.84%)

9

Trojan.Siggen1.40023

227444 (2.45%)

10

Trojan.AuxSpy.229

217638 (2.34%)

11

Win32.HLLP.Jeefo.36352

214459 (2.31%)

12

Win32.HLLP.Neshta

214243 (2.31%)

13

VBS.Sifil

207502 (2.23%)

14

Trojan.DownLoad.32973

205901 (2.22%)

15

Trojan.WinSpy.641

198304 (2.13%)

16

Win32.HLLW.Autoruner.5555

125789 (1.35%)

17

Adware.OSSProxy

96510 (1.04%)

18

Win32.HLLM.Generic.440

84592 (0.91%)

19

BackDoor.IRC.Sdbot.4590

72811 (0.78%)

20

VBS.Autoruner.8

63321 (0.68%)

Total scanned:64,422,986,656
Infected:9,288,857 (0.0144%)

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments