My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

October surge of fake anti-viruses and other malicious trends of the past month

November 2, 2009

As the IT industry has been gaining its momentum following the relative calmness of the summer, so the enthusiasm and creativeness of virus makers have increased. Luckily the last month neither brought devastating epidemics nor spawned an exceptionally vile piece of malware. However, certain observations made by virus analysts in October are still worth considering. In particular, the review provides a description of several fake anti-viruses, malicious attachments and bogus web-sites created in thousands on the daily basis.

Fake anti-viruses – absolute leaders

Take a look at the malware top twenty of October and you will see that variations of Trojan.Fakealert account for almost half of them apparently showing that virus makers consider such programs the most reliable tool for gaining profit.

In first two weeks of October the number of detections of fake anti-viruses registered by Doctor Web exceeded 2.5 million per 24 hours. Now it has dropped to 1 million but the figure is still quite impressive. Yet it should be noted that new modifications of Trojan.Fakealert have the same interface as their predecessors described in the September review from Doctor Web.

Why do users install such programs onto their machines? Tricks adopted by virus makers to encourage users to do so vary depending on the target group. In October fake anti-viruses most commonly spread as install.exe files placed in a ZIP-archive offered as an e-mail software update (a victim received a message from an administrator of the mail server) or as an update for Microsoft Outlook. Such files were also spread in supposed copyright violation warnings that informed a victim that content he or she downloaded from the Internet was protected by the copyright. An attached archive was said to contain a log of the user’s activities for the last six months. It was not the first time when cyber criminals assumed the role of copyright protectors. However, claiming that the file containing a modification of Trojan.Fakealert was a curing utility capable of neutralizing a Conficker (Win32.HLLW.Shadow.based as classified by Dr.Web) was something they had never done before.

Another technique for spreading fake alert malware took advantage of the wide popularity of the Outlook Web Access interface. People using the service received a link to a page with the look and feel very similar to those of OWA’s where they were prompted to download a file supposedly containing new settings for their e-mail account.

Password stealers try hard to keep up with fake anti-viruses

Malicious programs that steal account information have become one of the most severe threats to users in October.

Trojan.PWS.Panda.122 remains the most notable representative of this type of malware. This Trojan specializes in stealing passwords for various online services. The list of such services is retrieved by the program from malicious web-sites and items on the list can change from time to time.

Authors of numerous modifications of Trojan.PWS.Panda.122 took the most creative approaches to spread the Trojan on computers of victims. Here means of transport were not limited to spam messages with links to malicious web-sites. In first two weeks of October Trojan.PWS.Panda.122 was “offered” to users as an update for Microsoft Outlook. The design of spam messages and web-sites was identical to the design used to spread earlier modifications of the Trojan in June 2009.

After that cyber criminals switched to sending e-mails supposedly from the Internal Revenue Service of the United States. In many cases Yahoo! Geoicities was used to host malicious web-sites. Recipients of such messages were offered to look through their tax statements on the IRS web-site (a bogus web-resource) where a user downloaded the malicious program disguised as the tax information file.

Finally the last week of October saw a mailing supposedly from Federal Deposit Insurance Corporation yet also aiming to spread Trojan.PWS.Panda.122. A user was informed that his bank became bankrupt and he needed to download his personal FDIC insurance file to check his due compensation amount. The file was surely nothing more than another password stealer.

Trojan.PWS.LDPinch was another password stealer found in large numbers in the wild in October. However, download links for this piece of malware were spread mainly among Russian users of instant messaging services.

Have you entered the recipient address correctly?

Numerous modifications of Trojan.Botnetlog.11 and Trojan.BhoSpy.97 have been spreading over the Internet for several months using forged messages from such renown transportation services as DHL and UPS. Such e-mails came as notifications of delivery failures occurred due to a non-existent recipient address.

Trojan.Botnetlog.11 is capable of exploiting known system vulnerabilities. Once installed and launched it tries to connect to a malicious server to receive further instructions and download additional software components. A special algorithm is used by virus makers to encrypt the code of Trojan.Botnetlog.11 executed in a compromised system.

Trojan.BhoSpy.97 is installed in a system as Internet Explorer’s plugin. Apart from downloading (the main feature of the program) it can also detect system files after receiving a corresponding command from the server and therefore render the system non-operational.

In last days of October Trojan.Botnetlog.11 was spread using messages supposedly from the Facebook administration team. Such a message informed a user about the upcoming introduction of a new login system and offered updating his/her account. The account update link provided in the message directed the user to a bogus web-site where he/she downloaded the malicious program disguised as an updating utility.

Windows lockers become more user-friendly?

Malicious programs that make a system inaccessible for a user and demand a ransom to unlock it were also found in the wild in October. Under the Dr.Web classification the common name of such programs is Trojan.Winlock. However, many species of the malware discovered in the last month displayed a system locked message that occupied only a part of the screen leaving the remaining space to a victim to run and use other programs while earlier modifications of the Trojan made working in a compromised system impossible.

If the system isn't locked completely, the victim can take emergency measures, find files of the Trojan program and submit them for analysis to a virus laboratory.

Notable spam messages of October

Several spam mailings of the last month stood out of the endless stream of spam. In a mailing spreading Trojan.PWS.Panda.122 the malicious program was attached as an executable. It is hard to guess what virus makers wanted to achieve by attaching the Trojan undisguised. However, such messages also reached their recipients without any problems. At the same time Trojan.Packed.683 was attached to messages as a password-protected archive, something virus analysts haven’t seen for quite a while. However, this mailing didn’t last long and the same archive file was attached to all messages.

Virus-free cyber-fraud

There have been a growing number of cases of cyber-fraud that doesn’t involve malware lately. Even though such schemes don’t cause any damage to your information, it still may be a good idea to learn about them to ensure that you won't fall a victim of such a trick that may have dismal consequences.

There are several tricks to lure a user into sending his money to a cyber-criminal.

The most common means of the virus-free fraud is s web-site that offers a user to obtain information about short messages, incoming and outgoing calls of another user of a mobile phone. The only information one has to submit is the target phone number. To gain the victim’s confidence, the person is shown information about the region and the service provider of the target service subscriber. This information can be easily deduced using the phone number but it adds to the credibility of the web-site in the eyes of a gullible user, Transferring money for the promised service will never provide a victim with the information he or she seeks to obtain. Moreover, such a possibility if existed would most probably violate laws of your country.

Another virus-free technique exploits interest of users in sound drugs. For a moderate fee a user downloads audio files that when played are supposed to cause effects similar to those of real drugs. As a rule the victim doesn’t receive any files at all or gets a headache instead of a kick.

Sound drug web-sites are advertised using legal and well-known services such as Google AdWord as well as by illegal means. Last days saw massive advertisement of sound drugs through compromised accounts of social networking web-sites.

So in October e-mail, bogus web-sites, instant messaging and social networking services remained the main malware spreading channels and the key tools in implementation of cyber-fraud schemes. Cyber-criminals are combining different fraud techniques to achieve their goals and deceive their victims by means of confidence tricks or exploiting their lack of competence. Once again Doctor Web reminds users that the best way to stay protected from such threats is installing a reliable anti-virus and keeping it up to date. At the same time in the face of spam mailings a good anti-spam solution will save your money and time by filtering out dangerous messages before you open them. Yet you also need to remain vigilant, follow basic security rules and never hesitate to consult professionals in cause you have any doubts.

Viruses detected in e-mail traffic in October

 01.10.2009 00:00 - 01.11.2009 00:00 
1Trojan.DownLoad.4725610750198 (21.85%)
2Trojan.Fakealert.51157452584 (15.15%)
3Trojan.Fakealert.52385346181 (10.87%)
4Trojan.Packed.29152474234 (5.03%)
5Win32.HLLM.Netsky.353282248095 (4.57%)
6Trojan.DownLoad.372362078358 (4.22%)
7Trojan.Fakealert.52291961846 (3.99%)
8Trojan.Fakealert.53561821482 (3.70%)
9Trojan.DownLoad.502461724409 (3.51%)
10Trojan.Fakealert.54371570923 (3.19%)
11Trojan.Packed.6831347946 (2.74%)
12Trojan.Fakealert.58251164324 (2.37%)
13Win32.HLLM.MyDoom.338081137315 (2.31%)
14Win32.HLLM.Beagle1109455 (2.26%)
15Trojan.DownLoad.5637895101 (1.82%)
16Trojan.Fakealert.5457868063 (1.76%)
17Trojan.Fakealert.5784650010 (1.32%)
18Win32.HLLM.Netsky.based593596 (1.21%)
19Trojan.Fakealert.5311593453 (1.21%)
20W97M.Godzilla499719 (1.02%)

Total scanned:80,506,872,758
Infected:49,195,078 (0.06%)

Viruses detected on user machines in October

 01.10.2009 00:00 - 01.11.2009 00:00 
1Trojan.DownLoad.472566767108 (17.74%)
2Trojan.Fakealert.52385646226 (14.80%)
3Trojan.Fakealert.51155035344 (13.20%)
4Trojan.Fakealert.52292455376 (6.44%)
5VBS.Sifil1169118 (3.07%)
6Win32.HLLM.Netsky.35328709710 (1.86%)
7Win32.HLLW.Shadow.based680072 (1.78%)
8Win32.HLLM.Beagle673072 (1.76%)
9JS.Nimda657868 (1.72%)
10BackDoor.IRC.Sdbot.5190608800 (1.60%)
11Trojan.DownLoad.5637590821 (1.55%)
12Win32.HLLW.Gavir.ini579411 (1.52%)
13Trojan.MulDrop.16727562342 (1.47%)
14Win32.HLLM.Netsky.based550754 (1.44%)
15Win32.Alman.1542423 (1.42%)
16Win32.HLLM.MyDoom.49416950 (1.09%)
17Win32.Sector.17370738 (0.97%)
18Win32.Virut.14345415 (0.91%)
19W97M.Thus339490 (0.89%)
20Trojan.Recycle328507 (0.86%)

Total scanned:208,184,957,146
Infected:38,139,894 (0.02%)

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments