
Account drainers and other virus threats of February 2011

March 2, 2011

The main malicious trends of the previous months persisted in February. Windows blockers and banking password stealers, where the latter ones worked together with fake anti-viruses, constituted a large portion of malicious traffic.

Windows blockers

The idea of extortionist Trojan horses blocking access to Windows has turned out to be a long-lasting one. During its evolution virus makers tried several money transfer options and technological solutions, some rather unexpected, including blocking the loading of Windows from the Master Boot Record.
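One way a defender detects the MBR-level variant described above is to record a baseline of the disk's first sector while the machine is known clean and re-check it later. The script below is an added example, not code from the review or from Doctor Web: it parses a 512-byte MBR (bootstrap code, disk signature, four partition entries, 0x55AA boot signature), hashes the bootstrap area, and reports any drift from the recorded hash. The sector images, partition layout and byte patterns it works on are constructed here for illustration; on a real host the 512 bytes would come from a raw read of the boot disk, which is outside the scope of this snippet.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 440            # bootstrap code occupies bytes 0-439
DISK_SIGNATURE_OFFSET = 440     # 4-byte disk signature at bytes 440-443
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap hash, the disk signature,
    the non-empty partition entries and a boot-signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sector_count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)[0],
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active (bootable) partition")
    return findings


def build_mbr(bootstrap: bytes, partitions, disk_signature=0x1A2B3C4D) -> bytes:
    """Assemble a synthetic MBR for testing (constructed data, not a real disk image)."""
    if len(bootstrap) > BOOTSTRAP_SIZE:
        raise ValueError("bootstrap code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", sector, DISK_SIGNATURE_OFFSET, disk_signature)
    for i, (bootable, ptype, lba_start, sector_count) in enumerate(partitions):
        off = PARTITION_TABLE_OFFSET + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, sector_count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed layout: one NTFS partition (type 0x07) starting at LBA 2048, marked active.
PARTITIONS = [(True, 0x07, 2048, 204800)]
# Constructed stand-in for the original loader (opening bytes resemble a typical prologue).
KNOWN_GOOD_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb".ljust(BOOTSTRAP_SIZE, b"\x00")
# Constructed stand-in for a replaced loader: different code in the same slot.
FOREIGN_BOOTSTRAP = b"\xeb\x3c\x90\x00\x11\x22\x33".ljust(BOOTSTRAP_SIZE, b"\x00")

CLEAN_MBR = build_mbr(KNOWN_GOOD_BOOTSTRAP, PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]  # recorded while the host is known clean
TAMPERED_MBR = build_mbr(FOREIGN_BOOTSTRAP, PARTITIONS)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, BASELINE) or "OK")
```

The partition table is parsed separately from the bootstrap hash on purpose: legitimate tools (partitioning, OS installers) change the table without touching the loader, so hashing all 512 bytes would produce false alarms, while a loader swap with an untouched table is exactly the case worth flagging.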

Several Trojan.Winlock programs featuring different block screen designs were discovered in February 2011. Apart from their new appearance, the blockers employed new tricks that make their analysis more difficult, and used more complex encryptors to disguise their executables. One such encryptor, popular with Trojan.Winlock writers, adds a specific icon to the executable, which makes its output easier to recognise visually.

Since the scheme's implementation is so simple and efficient, blockers are unlikely to dwindle away. On the contrary, more sophisticated variations of this ransomware are likely to be discovered in the near future.

Encoders

Encoders were another type of ransomware that came into the spotlight in February. The author of Trojan.Encoder changed the encryption algorithm several times, but the number of corresponding Trojan horse modifications found in the wild didn't change. Doctor Web develops and maintains decoding utilities, enabling users to regain access to files compromised by Trojan.Encoder.

Bank account theft

A handful of account money stealers similar to the notorious Trojan.PWS.Panda, a.k.a. Zeus, entered February 2011's malicious "top 10". All these programs are modifications of the same viral prototype. The Trojan horse carries a comprehensive list of online banking system addresses, including Russian, Italian, American, and German systems:

  • libertyreserve.com
  • perfectmoney.com
  • laiki.com
  • bankofcyprus.com
  • commbank.com.au
  • suncorpbank.com.au
  • stgeorge.com.au
  • online.westpac.com.au
  • anz.com
  • sparkasse.de
  • commerzbanking.de
  • finanzportal.fiducia.de
  • deutsche-bank.de
  • targobank.de
  • postbank.de
  • csebo.it
  • poste.it
  • gruppocarige.it
  • cedacri.it
  • payment.ru
  • ibank.alfabank.ru
  • chase.com
  • capitalone.com

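When a target list like the one above is recovered from a sample's configuration, its practical use for a defender is scoping: which of the sites the Trojan intercepts were actually visited from a machine under investigation, and therefore which credentials may need resetting. The script below is an added example, not code from the review or from Doctor Web. It loads the published list as a watchlist and matches proxy-log hostnames against it on label boundaries, so that "secure.chase.com" counts as chase.com but "banz.com" does not count as anz.com and "fiducia.de" does not count as finanzportal.fiducia.de. The log format and the log lines are constructed for illustration.

```python
from urllib.parse import urlparse

# Target list as published in the February 2011 review (the bulleted list above).
TARGET_DOMAINS = [
    "libertyreserve.com", "perfectmoney.com", "laiki.com", "bankofcyprus.com",
    "commbank.com.au", "suncorpbank.com.au", "stgeorge.com.au", "online.westpac.com.au",
    "anz.com", "sparkasse.de", "commerzbanking.de", "finanzportal.fiducia.de",
    "deutsche-bank.de", "targobank.de", "postbank.de", "csebo.it", "poste.it",
    "gruppocarige.it", "cedacri.it", "payment.ru", "ibank.alfabank.ru",
    "chase.com", "capitalone.com",
]


def normalize_host(host: str) -> str:
    """Lower-case and strip a trailing dot so 'Chase.COM.' compares equal to 'chase.com'."""
    return host.lower().rstrip(".")


def matching_target(host: str, targets=TARGET_DOMAINS):
    """Return the most specific watchlist entry covering `host`, or None.

    An entry covers a host when it equals the host or is a parent domain of it
    on a label boundary ('.' + entry), which rules out substring false positives.
    """
    host = normalize_host(host)
    best = None
    for entry in targets:
        entry = normalize_host(entry)
        if host == entry or host.endswith("." + entry):
            if best is None or len(entry) > len(best):
                best = entry
    return best


def scan_proxy_log(lines):
    """Return (timestamp, client_ip, host, watchlist_entry) for each covered request.

    Constructed log format: '<timestamp> <client ip> <url>' per line.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts, client, url = parts[0], parts[1], parts[2]
        host = urlparse(url).hostname  # strips scheme, port and path; lower-cases
        if not host:
            continue
        entry = matching_target(host)
        if entry:
            hits.append((ts, client, host, entry))
    return hits


# Constructed sample log: three covered requests, one benign site, one near-miss domain.
CONSTRUCTED_LOG = [
    "2011-02-14T09:12:03Z 10.0.0.5 https://online.westpac.com.au/esis/Login",
    "2011-02-14T09:13:10Z 10.0.0.5 http://www.example.com/",
    "2011-02-14T09:14:44Z 10.0.0.7 https://banz.com/login",
    "2011-02-14T09:15:01Z 10.0.0.7 https://secure.chase.com/web/auth",
    "2011-02-14T09:16:20Z 10.0.0.9 https://IBANK.ALFABANK.RU:443/",
]

if __name__ == "__main__":
    for ts, client, host, entry in scan_proxy_log(CONSTRUCTED_LOG):
        print(f"{ts} {client} visited {host} (watchlist: {entry})")
```

A hit here means only that a user of that machine reached a site the Trojan is built to intercept, not that the Trojan was present; the value is in combining the list with the machine's detection status to decide which accounts to treat as exposed.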
Some Trojan horses of this family are detected by Dr.Web as Trojan.DownLoader2. Their additional payload includes downloading fake anti-viruses (Trojan.FakeAlert) and backdoors.

Mobile platforms

February saw a significant increase from January in the number of Trojan horses for Android. Android.SmsSend programs are written in Java, and their only function is sending premium-rate short messages to short codes such as 6008.

Only one sample of the Trojan horse was detected in January, but in February this figure rose to six, which suggests that it is only a matter of time before more dangerous and complex Trojan horses for this platform emerge.

Other threats

Other notable threats include new modifications of Win32.Virut and variations of mail worms Win32.HLLM.NetSky and Win32.HLLM.MyDoom, traditionally found in large numbers in mail traffic.

Developers of the Trojan.WinSpy botnet updated components of their bot software twice in February. Changes delivered with the updates mainly concerned encryption routines for the sfcfiles.dll file.

The virus analysts also noted reduced activity of worms spread over removable data storage devices (Win32.HLLW.Autorunner).

Viruses detected in February in mail traffic

Period: 31.01.2011 00:00 - 28.02.2011 17:00

Rank  Name                          Detections   Share
1     Trojan.DownLoad2.20306         1,059,280   9.63%
2     Trojan.DownLoader2.265         1,016,989   9.24%
3     Win32.HLLM.MyDoom.33808          953,395   8.66%
4     Win32.HLLM.Netsky.18401          678,289   6.16%
5     Trojan.DownLoader2.1901          644,263   5.85%
6     Trojan.DownLoader2.2035          573,250   5.21%
7     Trojan.DownLoad1.58681           525,054   4.77%
8     Trojan.DownLoader2.2977          494,250   4.49%
9     Trojan.Packed.20878              378,395   3.44%
10    Win32.HLLW.Texmer.51             362,861   3.30%
11    Trojan.MulDrop.64589             339,687   3.09%
12    Trojan.DownLoad.41551            314,629   2.86%
13    Win32.HLLM.Netsky.35328          298,101   2.71%
14    Trojan.Oficla.zip                278,088   2.53%
15    Trojan.DownLoader2.10188         232,049   2.11%
16    Trojan.Packed.20312              231,918   2.11%
17    Trojan.DownLoader2.4077          159,628   1.45%
18    Trojan.PWS.Siggen.12160          146,696   1.33%
19    Trojan.Oficla.38                 131,266   1.19%
20    Win32.HLLM.Beagle                127,493   1.16%

Total scanned: 59,150,116,249
Infected: 11,084,834 (0.02%)

Viruses detected in February on users' computers

Period: 31.01.2011 00:00 - 28.02.2011 17:00

Rank  Name                          Detections   Share
1     Win32.HLLP.Whboy.45           12,975,162  27.37%
2     Win32.HLLP.Neshta             10,063,066  21.23%
3     Win32.HLLP.Novosel             6,035,651  12.73%
4     Trojan.Click.64310             5,389,563  11.37%
5     Win32.Siggen.8                 1,751,123   3.69%
6     HTTP.Content.Malformed         1,123,179   2.37%
7     Win32.HLLP.Rox                 1,084,446   2.29%
8     Win32.HLLP.Liagand.1             722,176   1.52%
9     Win32.HLLP.Whboy                 608,324   1.28%
10    Win32.Sector.22                  584,357   1.23%
11    Win32.Virut                      574,516   1.21%
12    Trojan.MulDrop1.48542            533,769   1.13%
13    Win32.Sector.20480               380,038   0.80%
14    Win32.HLLW.Shadow.based          261,680   0.55%
15    Win32.Antidot.1                  246,844   0.52%
16    Exploit.Cpllnk                   233,278   0.49%
17    Win32.Virut.56                   214,383   0.45%
18    Win32.HLLW.Autoruner.18959       151,085   0.32%
19    Trojan.DownLoad.32973            144,293   0.30%
20    Win32.HLLW.Autoruner.11962       132,218   0.28%

Total scanned: 128,616,744,271
Infected: 47,509,667 (0.04%)
