My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

May 2013 virus activity review from Doctor Web

June 3, 2013

In early May, a dangerous Trojan was discovered that can replace pages loaded in the browser. Another malicious program, also added to the virus database in May, attacked users on Facebook, Google Plus and Twitter. At the end of the month, Doctor Web analysts hijacked another command-and-control (C&C) server of the botnet Rmnet and discovered that two mew malicious components of the file infector were being distributed in the zombie network. Also found were new malicious objects (mainly spyware) targeting Android.


According to statistics collected by Dr.Web CureIt!, Trojan.Hosts.6815 was the undisputed leader in terms of number of infections (2.53% of the total). It was followed by Trojan.Mods.1 which replaces the content of web pages loaded in the browser—a detailed review of this threat can be found on Doctor Web's site. In the past month, Dr.Web CureIt! found 15,830 copies of the Trojan, which is 1.95% of the total number of identified threats. Trojan.Mayachok programs were often detected in RAM, and BackDoor.IRC.NgrBot.42 and Trojan.Redirect malware were also discovered frequently on infected PCs. The twenty most common threats in May, according to information collected by Dr.Web CureIt!, are listed in the table below.



Currently, Doctor Web's analysts control two subnets of the botnet which was created with the file infector Win32.Rmnet.12. Each subnet has its own C&C server. In May, the number of active bots in one of the Win32.Rmnet.12 subnets reached 619,346, while another grew as large as 459,524 infected hosts, with 116,617 bots joining the first one and 143,554 zombies connecting to the second one in the last ten days. The average daily number of bots connecting to each of the networks is 14,000 and 11,000 infected hosts, respectively. This is how the botnets grew from May 19 till May 29:

Yet the botnet Win32.Rmnet.16 is growing at a very slow rate: as few as 181 infected hosts joined it in the period between May 19 and May 29, and the total number of nodes in the network was 5,220. Thus, we can conclude that today the file infector Win32.Rmnet.16 does not pose a serious epidemiological threat.

In early April 2013, Doctor Web reported athat it had managed to hijack a C&C server belonging to the botnet created with the malicious program BackDoor.Bulknet.739. Designed to send bulks of spam, this program is mostly spread on machines located in Italy, France, Turkey, the USA, Mexico and Thailand. If, at the beginning of April, only about 7,000 infected computers connected to this C&C server, by the end of May, the number of active bots grew to 17,242. Botnet growth from May 19 to May 29 can be traced in the chart below.

At the end of May, Doctor Web's analysts gained control over another Rmnet C&C server. They discovered that two new malware modules, both dubbed Trojan.Rmnet.19, were spread between nodes connected to the subnet. One of them is designed to detect virtual machine software on an infected computer, and the other one allows criminals to disable the following anti-viruses in a compromised system: Microsoft Security Essential, Norton Antivisus, Eset NOD32, Avast, Bitdefender, and AVG. To end anti-virus processes, the component emulates user actions, namely clicking on the appropriate icons. As of May 29, 20,235 active bots were connected to the C&C server, and from May 19 to May 29, 8,447 newly infected machines registered on the server controlled by Doctor Web's analysts. The process is illustrated in the diagram below.

More detailed information about this threat can be found in the news story published by Doctor Web.

Despite the fact that the botnet BackDoor.Flashback.39, comprised of Macs, was discovered more than a year ago, this botnet continues to operate today. Currently it consists of 65,987 infected machines.

In February 2013, Doctor Web reported the discovery of the Linux.Sshdkit which targets Linux servers. The malware is a library file available for 32- and 64-bit versions of Linux distributions. After successful installation, the Trojan injects its code into the process sshd and uses this process’s authorization routines. Once a user enters their login and password, the Trojan sends this information to a remote server.

Doctor Web's analysts used a sinkhole to hijack one Linux.Sshdkit control server and thus confirmed that the Trojan transmits stolen logins and passwords to remote hosts. In May 2013, the Trojan sent access data for 562 infected Linux servers to criminals. Some of these servers belong to major hosting providers.

Threat of the month: Trojan.Facebook.311

Users of social networking sites have repeatedly been targeted by cybercriminals and malware distributors. For example, in mid-May virus analysts registered the mass distribution of Trojan.Facebook.311 malware, implemented as a JavaScript plugin for Google Chrome and Mozilla Firefox. To spread the malignant plugin, the criminals created a web page on which users were prompted to download the application installer under the guise of a video security update.

Once the installation is completed and a browser is launched, Trojan.Facebook.311 tries to download a configuration file that contains the set of commands the hackers need. Then the malicious browser plug-ins wait for the user to authenticate on a social networking site, and start performing a variety of actions on their behalf. These actions include updating the user’s status, marking a post with "like", posting messages on the wall, sending private messages, etc. This malware works not only on Facebook but also interacts with Twitter and Google Plus—in particular, it can send spam. A more detailed review of this threat can be found on Doctor Web's site.

Skype attack

On May 23, numerous online media outlets reported the massive distribution of spam via Skype, predominantly targeting Russian users. Criminals lured users into downloading a malicious program that could send messages via various IM messengers.

The signature of Trojan.SkypeSpam.11 was added to the Dr.Web virus databases on May 22.

Threats to Android

Android saw another rough period in May. Doctor Web's analysts recorded the emergence of several malicious spy programs that steal confidential information on compromised devices.

In particular, Android.Pincer.2.origin, found in the middle of the month, turned out to be a rather dangerous Trojan. It’s designed to intercept incoming short messages and forward them to a remote server. Makers of Android.Pincer.2.origin also implemented the feature that enables the malware to track messages sent from a specific number. To use it, they send it the appropriate command in a short message. Distributed as a security-certificate installer, the malware poses a severe threat to Android devices because it can intercept messages containing sensitive information such as mTAN codes. More information about this threat can be found in the relevant publication on Doctor Web's site.

Also found in May was a Trojan stealing confidential information from Japanese Android users. Similar to its predecessors, the program dubbed Android.AccSteal.1.origin spread as an application from the Adult category. When launched, it sent the following information to a remote server: the Google Mail account name, the device's IMEI and model as well as the subscriber's mobile phone number.

It's worth mentioning that unlike other similar programs, the Trojan does perform the tasks expected of the application: it displays adult videos but only if the device is connected to the Internet, and notifies users to that effect. Given that Android.AccSteal.1.origin is spread from a site that imitates the now outdated look and feel of Google Play, the criminals must be trying to do their best not to raise users' suspicions while maintaining relatively high efficiency in collecting their personal data.

Criminals didn't pass by Chinese users either. Android.Roids.1.origin was a spy program distributed via Chinese forums as a system utility. It can transmit to the remote server a substantial volume of personal information, including the list of installed applications, information on SMS correspondence and calls, address book contacts, and еру list of files stored on the memory card. The Trojan can also record phone calls and acquire a device's GPS coordinates.

Malicious files detected in mail traffic in May

 01.05.2013 00:00 - 30.05.2013 18:00 

Malicious files detected on user computers in May

 01.05.2013 00:00 - 30.05.2013 18:00 

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments