November 1, 2012
Various Trojan.Mayachok modifications lead among the threats detected by Dr.Web CureIt!, while BackDoor.IRC.NgrBot.42 files downloaded by the program are the most frequently found malignant files on disks. Java Runtime Environment Exploit.CVE2012-1723.13 ranks second, and Trojan.Mayachok.17994 is in third place, yet the absolute leader of the summer’s rankings, Trojan.Mayachok.1, has shifted to fourth position. Also detected in relatively large numbers were Trojan.SMSSend, Win32.HLLP.Neshta (a file infector in existence since 2005), Trojan.Mayachok.17986, the polymorphic file infector Win32.Sector.22, BackDoor.IRC.NgrBot.146, and BackDoor.Butirat.201. The top ten programs most frequently detected by Dr.Web CureIt! are listed in the table below.
October threats are shown by class in the following diagram:
Doctor Web continues to monitor changes in the number of bots in the most active botnets. The notorious Backdoor.Flashback.39 botnet, comprised of infected computers running Mac OS X, shrank very little to 105,730 hosts on October 30, compared with 109,372 bots known to be operational on September 30. While the Backdoor.Flashback.39 botnet ceased to grow, owners of Apple-compatible computers are apparently in no hurry to check their computers with an anti-virus to finally get rid of the Trojan.
As expected, in early October the Win32.Rmnet.12 botnet exceeded the five million mark, and by the end of the month, it reached five and a half million infected hosts, thus beating its own September growth-rate record. The botnet’s growth is illustrated on the graph below:
It's already been mentioned that the file infector Win32.Rmnet.12 is mostly spreading on machines in Southeast Asia, but an infected 132,445 machines, which constitute 2.39% of the botnet’s size, reside in Russia.
The Win32.Rmnet.12 botnet also continues to grow slowly—its progression is illustrated in the diagram below. On October 30, 2012, its total number of bots reached 254,838, which is 16,373 bots more than at the beginning of the month.
Early October was marked by a mass distribution via Skype of messages containing the link to a malignant file, created with the Google URL shortener. Users who clicked on the link were prompted to download a zip archive containing BackDoor.IRC.NgrBot.146. The malicious program that sent such messages via Skype was added to the Dr.Web database as Trojan.Spamlink.1.
Threats to Android
In terms of threats to Android, October 2012 was relatively calm. Several entries for Android.SmsSend programs were added to the Dr.Web virus databases during the month. Note that these Trojans send highly chargeable SMS messages and subscribe device owners to various services whose fees are credited from their account.
An entry for Trojan Android.FakeLookout.1.origin, which is spread via Google Play as a software update, was also added to the virus databases. This malware gained access to SMS messages and various files stored on a memory card and sent the data to a remote server. Despite the potential risk for personal information, the Trojan is not a serious threat to Android users, because at the time of its removal from Google Play, the number of its installations had not exceeded 50.
The threat of the month: Trojan.GBPBoot.1
Trojan.GBPBoot.1 turned out to be one of the most unusual malware found in October by Doctor Web's virus analysts.
As far as its malicious payload is considered, Trojan.GBPBoot.1 doesn't stand out among malicious programs. It downloads and launches various executable files in an infected system. Otherwise, the Trojan has no other harmful capabilities. However, this Trojan is unusual primarily because it strongly resists attempts to remove it.
When the Trojan infects a system, its first module modifies the master boot record on the hard disk and then writes—at the end of an appropriate partition (outside the file system)—the malicious installer code, its automatic restore module, an archive containing the explorer.exe file, and configuration data. The Trojan main file is implemented as a library registered on an infected computer as a system service.
If for any reason the malicious service file is deleted (for example, by anti-virus software), the self-restore routine springs into action. The malicious MBR code written by the Trojan checks whether the malignant service file is present on the hard drive. Both NTFS and FAT32 are supported. If the file is not found, Trojan.GBPBoot.1 replaces the file explorer.exe with its file that incorporates the self-restoring mechanism. The file is run at Windows’ startup. When launched, the malicious explorer.exe again initiates an infection, and then restores and launches the original explorer.exe. Thus, a simple scan of the system by various anti-virus programs may not lead to the expected result, since the Trojan is able to repair itself in the protected system.
Other threats in October
In early October, Doctor Web's analysts registered the spread of Trojan.Proxy.23012 which is designed to send spam. Detailed information about this threat can be found in a review published on news.drweb.com.
Another review was devoted to a Trojan-Downloader that spread intensively in October via the peer-to-peer network created with Trojan.PWS.Panda.2395. This malicious program employs a peculiar infection mechanism, described in detail at www.drweb.com.
Malicious files detected in mail traffic in Oktober
|01.10.2012 00:00 - 31.10.2012 23:00|
Malicious files detected on user computers in Oktober
|01.10.2012 00:00 - 31.10.2012 23:00|
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.