April 2, 2014
According to data collected in March 2014 with Dr.Web CureIt!, Trojan.Packed.24524, which installs adware and riskware in compromised systems, was the most frequent "guest" on user PCs. The advertising Trojans— Trojan.InstallMonster.51 and Trojan.LoadMoney.15 — ranked second and third respectively, with another advertising piece of malware — Trojan.LoadMoney.1 — following close behind. Also detected in March were several Trojan.BPlugprograms. These are implemented as browser plug-ins that display ads in loaded webpages or promote various bogus sites. The twenty Trojans most frequently detected in March by Dr.Web CureIt! are listed in the table below:
The botnet comprised of Windows machines compromised by the file infector Win32.Rmnet.12 has been growing steadily. In March, the average number of bots in its first subnet, which is being monitored by Doctor Web's security researchers, reached 244,430. The second subnet grew somewhat more slowly in March: its average number of bots was 157,343. The number of machines on which Dr.Web software detected Trojan.Rmnet.19 also declined slightly. At the end of March, it reached 2,066—457 fewer PCs than in the previous month.
Meanwhile, the number of Macs infected with the Trojan BackDoor.Flashback.39 fluctuating: in March, the average number of machines in that botnet was 25,912. It should be noted that all the computers that contacted the command and control server in the past month had already been infected earlier.
Other threats in March
In early March, Doctor Web's security researchers reported the discovery of Trojan.Skimer.19, a threat that compromises ATMs.
Once an ATM's OS is infected, Trojan.Skimer.19 monitors EPP (Encrypted Pin Pad) keystrokes for a specific input combination that will help it become activated and then execute whatever command an intruder enters via the EPP. The commands include the following:
- Save the log files onto the card's chip; decrypt PIN codes.
- Remove the Trojan library and log files; "cure" the host file; reboot the system (criminals issue commands twice to infected ATMs; both are issued within a ten-second interval).
- Display statistical information including the number of transactions, banking cards, intercepted encryption keys, etc.
- Delete all the log files.
- Reboot the system.
- Read the executable from the card's chip to update the Trojan.
Also in March, Doctor Web's virus analysts examined the program Trojan.Rbrute, which is designed to crack Wi-Fi-router access passwords through brute force attacks and to switch out the DNS server addresses in the settings of these compromised devices. The Trojan can also execute two commands: 1) perform a network scan according to a specified range of IP addresses and 2) mount a dictionary attack. These commands are unrelated and can be performed by the Trojan separately.
Attackers have been using this malware to spread the file infector Win32.Sector. To learn more about how this malicious program operates and spreads, please refer to the corresponding informational material that has been published on our site.
The first month of spring was stressful for Android. In early March cybercriminals launched the commercial distribution of a new Trojan, dubbed Android.Dendroid.1.origin. This malware, which can be embedded into any harmless Android app, enables attackers to carry out a number of illegal actions on an infected mobile device: intercept calls and SMS messages, get information about the current location of the device, gain access to the phone book and browsing history, activate the device's camera and microphone and send short messages. Android.Dendroid.1.origin is sold on underground hacker forums, which once again indicates that the market for illegal services for the Android is growing.
Android.Backdoor.53.origin was discovered by Doctor Web's security researchers in mid-March. It should be noted that in order to spread this program, the criminals behind it modified Webkey, a legitimate application that lets users control their mobile devices remotely. Unlike the original version, the compromised application doesn't have a GUI and after installation hides its presence in the system by removing its icon from the main screen. When launched, Android.Backdoor.53.origin sends the device's ID to a remote server, signalling that the infection was initiated successfully. Consequently, the intruders can get full control over the device and gain access to the personal data and hardware features.
At month’s end, Doctor Web's analysts discovered an entire group of Android.DownLoader programs primarily targeting devices in China. On compromised mobile devices, these Trojans can download and install other malicious programs, as well as a number of legitimate applications, to generate a profit from the programs’ illegal promotion. These Trojans can be particularly dangerous, because if root access is available in a system, the downloaded programs can be installed without user consent. The malware can also generate a lot of traffic which can result in financial losses for subscribers whose service packages do not include unlimited Internet connectivity. More information about this incident can be found in a related news publication.
Also in March, the definitions for several Trojans that covertly mine some cryptocurrencies were added to the Dr.Web virus database. These malicious programs were distributed by criminals in modified versions of popular applications and sprang into action whenever the infected mobile device was in standby mode. Ultimately, these Trojans can not only significantly shorten battery life, but can also make users uncomfortable due to the increased heat generated by the device's constantly engaged components, activity that may, in turn, adversely affect their lifespan. Furthermore, because these Trojans actively use Internet connections, many subscribers may experience financial losses. Dr.Web for Android detects these threats as members of the Android.CoinMine family.
Compared with the previous month, in March, the number of unwanted SMS messages spreading malicious programs for Android in South Korea increased by 113.3%. In total, Doctor Web's specialists registered 192 incidents involving SMS spam spreading such Trojans. Android.Spy.64.origin (86 incidents), Android.SmsSpy.53.origin (26 incidents), Android.SmsSpy.78.origin (18 incidents), Android.Spy.40.origin (13 incidents) as well as Android.MulDrop.14.origin (12 incidents) and Android.SmsSpy.65.origin (10 incidents).
Malicious files detected in mail traffic in March
|01.03.2014 00:00 - 31.03.2014 23:00|
Malicious files detected on user computers in March
|01.03.2014 00:00 - 31.03.2014 23:00|
Learn more with Dr.Web
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.