April 2, 2013
According to statistics collected with Dr.Web CureIt!, Trojan.Hosts programs were the most common threats detected in March 2013. The hosts file containing DNS server IP addresses has been compromised 186,496 times which constitutes over 10% of the detected threat total.
More details about this threat can be found in a Doctor Web publication. One of the most common ways to spread these Trojans is through compromised sites: criminals use a special shell to modify the .htaccess file and then add a malicious script handler into the site's code. As a result, site visitors get a web page that contains links to a variety of malicious applications. Backdoors and downloader Trojans provide an alternative way to spread these programs. Trojan.Hosts.6815 is the most popular version in this malicious family.
In early 2013, Trojan.Hosts’ rate of spread reached epidemic proportions, with over 9,500 infections detected daily by Dr.Web. The outbreak remained at its peak from January till mid-February. A slight decline was observed in early March, but after two weeks the number of infections started to grow again. The infection’s growth rate is illustrated in the graph below.
The worm Win32.HLLW.Phorpiex.54 is another common threat worth mentioning. This malware spreads with spam or replicates itself to removable data storage devices and provides criminals with unauthorized access to a compromised system.
A fake installer detected by Dr.Web anti-virus software as Trojan.SMSSend.2363 ranks fourth in the statistics. It is followed by BackDoor.IRC.NgrBot.42 and Win32.HLLP.Neshta. March’s top 20 threats, according to statistics gathered by Dr.Web CureIt!, are listed in the table below:
At the end of 2012, Doctor Web's analysts speculated that the botnet consisting of machines infected with Win32.Rmnet.12 would get bigger. As of December 2012, the total number of infected machines was 6.5 million, and by March 27, 2013, it reached 8,593,330, an increase of two million over the first three months of 2013. Thus, in January, the average daily growth of the Win32.Rmnet.12 botnet was about 15-25 thousand infected computers, and in February and March it was roughly 20-22 thousand machines. The botnet’s growth rate is illustrated in the chart below.
The file infector Win32.Rmnet.12 can perform backdoor tasks upon a corresponding command from a remote server. In addition, it can steal passwords stored by popular FTP clients. The stolen information can be used to mount network attacks or infect sites. The virus can embed content into loaded web pages (i.e., make web injections), redirect a browser to a site specified by criminals, and send user information submitted via web forms to remote hosts. Like other file infectors, Win32.Rmnet.12 can self-replicate.
A botnet comprised of machines infected with Win32.Rmnet.16 — another file infector in the Win32.Rmnet — is growing too. In December, it included 259,458 infected hosts, and at the end of March, the number reached 262,083. In three months, it increased by only 2,625 nodes. The average daily growth totalled 20-30 infections. Follow the botnet’s growth rate in the chart below.
In January 2013, Doctor Web warned users about the malware BackDoor.Finder (mainly spread in the U.S.) which replaces search results in the following browsers: Microsoft Internet Explorer, Mozilla Firefox, Maxtron, Google Chrome, Safari, Opera, Netscape and Avant. To date, 5,422 bots have connected to control servers hijacked by Doctor Web. The botnet growth rate is as follows:
The threat of the month
March also saw a large number of encryption Trojans, particularly Trojan.ArchiveLock.20 which places files into password-protected WinRAR archives. Earlier the Trojan targeted only Russian users, but in March multiple incidents involving the program were registered in European countries such as France and Spain. In the short period from March 23 to 26, 150 Italian users whose systems were compromised by the malware contacted Doctor Web's technical support and that number is rising.
To spread the Trojan, attackers launch a brute force attack on a target machine via RDP. When launched in an infected system, it uses the console version of WinRAR to place files on the compiled list into password-protected, self-extracting archives and employs a special utility to delete original files, after which they simply can't be restored.
More information about this malware can be found in a review published at Doctor Web's site.
In some cases, Doctor Web's analysts can restore files compressed by Trojan.ArchiveLock.20. If your files have been compromised by the Trojan, submit a request for curing via Doctor Web's site.
Advertising Trojan for Mac OS X
Adware for Windows is a common phenomenon, but such applications have recently been appearing for other platforms, in particular, Mac OS X. Trojan.Yontoo.1 is one of them.
This program is spread under the guise of video codecs, media players, video quality enhancement programs or download accelerators. On an infected Mac, Trojan.Yontoo.1 installs browser plugins for Safari, Google Chrome and Mozilla Firefox.
The plugin downloads a special file to embed advertising content under third-party affiliate programs into web pages loaded by users and transmits information about sites visited to a remote server. You can learn more about this threat from an analytical review published at Doctor Web's site.
Threats to Android
March turned out to be rich in Android viral events. A primitively designed Trojan dubbed Android.Biggboss was added to the Dr.Web virus database in the beginning of the month. This malware is embedded into other applications by criminals and spreads from sites hosting Android software catalogues. This Trojan targets users in India. When installed on a mobile device, Android.Biggboss loads as a system service at startup and displays a dialogue box informing the user that they have received an important message from an HR department. If the user agrees to view the message, the Trojan uses a browser to load an image containing a fake message from an HR department within the company TATA India Limited, which has nothing to do with the real TATA corporation. The message includes a tempting job description and prompts the user to transfer a certain amount of money to the criminals' account to hold the job for them.
Trojan spyware programs designed to steal contact information on Android devices belonging to Japanese users were also found in large numbers in March. Dr.Web named them Android.EmailSpy.2.origin, Android.EmailSpy.3.origin and Android.EmailSpy.4.origin. As usual, they spread under the guise of various harmless applications such as media players, emulators and X-ray camera apps.
When launched, these programs imitate program initialization and then display an error message or notify the user that a requested operation can't be performed. At the same time, the Trojans collect information from the user's address book and covertly send this data to a remote server.
It should be noted, that some versions of these malicious programs can send short messages to numbers found in the address book. Such messages contain links to download the Trojans and thus accelerate their spread.
Also discovered in March were several new versions of Android.SmsSend as well as commercial spyware, Android.Recon.3.origin and Program.Childtrack.1.origin in particular.
Malicious files detected in mail traffic in March
|01.03.2013 00:00 - 31.03.2013 23:00|
Malicious files detected on user computers in March
|01.03.2013 00:00 - 31.03.2013 23:00|
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.