The page may not load correctly.
January 29, 2016
The first month of 2016 saw the emergence of new various Trojans for Linux including yet another modification of a ransomware Trojan and a dangerous backdoor capable of screenshot taking, keylogging, and executing commands from cybercriminals. Besides, in January, security researchers detected a Trojan for Android pre-installed on the firmware of a smartphone produced by a well-known electronics manufacturer. Moreover, at the end of the month, Doctor Web security researchers detected various malware programs on Google Play.
At the end of January, Doctor Web specialists examined a multipurpose backdoor Trojan for Linux devices. It consists of a dropper and a payload that is responsible for executing main malicious functions. Once launched, the dropper displays the following dialog:
If the Trojan is successfully run, it extracts the backdoor—its main malicious component—from its body and saves it into some folder on the infected computer’s hard drive. In total, this module is capable to execute more than 40 commands. Among them are keylogging—recording of keystrokes on the infected device—and downloading and running of different software. Besides, it can also send file names in a specified directory and upload selected files to the server. In addition to this, the Trojan creates, removes, and renames files and folders, takes screenshots, executes the bash commands; and performs many other malicious functions. For more information about this dangerous Trojan, refer to the news article published by Doctor Web.
Doctor Web's security researchers continue to monitor the botnets created by criminals with the file infector Win32.Rmnet.12.
Rmnet is a family of viruses spread without any user intervention. They can embed content into loaded webpages (this theoretically allows cybercriminals to get access to the victim's bank account information), steal cookies and passwords stored by popular FTP clients, and execute other commands issued by cybercriminals.
The botnet consisting of computers infected with the Win32.Sector file virus is still active. This malicious program can perform the following actions:
Its average daily activity can be seen in the following picture:
This feature is not available in Dr.Web Anti-virus for Windows
|Data Loss Prevention
January 2016 turned out to be rather fruitful due to a record-breaking number of Trojans for Linux detected during this month. At the beginning of January, Doctor Web security researchers examined a new modification of Linux.Encoder.3. Virus makers have improved this version of the ransomware Trojan by fixing code mistakes that had been made previously. Nevertheless, some architectural features of Linux.Encoder.3 make it possible to decrypt corrupted files.
Linux.Encoder.3 does not require root privileges—web server privileges are enough for the Trojan to encrypt all files in the home directory of a website. A key feature of Linux.Encoder.3 lies in its capability to remember dates of files creation or modification that are then replaced with dates specified before the encryption. Moreover, cybercriminals have changed encryption algorithms used by the Trojan: every sample of this malicious program uses its unique encryption key created based on parameters of encrypted files and values generated randomly. For more information about this Trojan, refer to the review published by Doctor Web.
Shortly after that, Doctor Web specialists detected Linux.Ekoms.1, about which you can read in our news article. Every 30 seconds, Linux.Ekoms.1 takes a screenshot and saves it into a temporal folder in the JPEG format. The temporary folder is uploaded to the server in specified intervals. This malicious program can also send files from the infected machine to cybercriminals and download and save files received from them.
It should be noted that Trojan.Ekoms.1, a Windows version of Linux.Ekoms.1, was registered by Doctor Web in January. Once launched, it checks the %appdata% folder for specified executable files in order to prevent infections by other Trojans. Apart from screenshot taking, Trojan.Ekoms.1 creates a file with the .kkt extension that stores information on key strokes and a file that is appended with the .ddt extension and contains a list of files in folders. These two files are then sent to the server. It is noteworthy that these files are also mentioned in Linux.Ekoms.1, but the similar Trojan for Linux does not have a code responsible for their processing. Like the Trojan for Linux, Trojan.Ekoms.1 can record sound and save it in the WAV format. However, this function is not used in this modification as well. The Trojan has a valid digital signature registered to some company named “Issledovaniya i razrabotka”, and a root certificate is issued by Comodo.
At the end of January, several popular websites and blogs published information about an allegedly brand new Trojan for Linux—“TheMoon”. However, this Trojan dubbed Linux.Themoon.2 has been detected by Dr.Web for Linux since December 14, 2015. To learn more about technical details of this malicious program, refer to the review.
During January 2016, 625,588 URLs of non-recommended websites were added to Dr.Web database.
The previous month showed once again that cybercriminals do not intend to lose their interest in Android mobile devices. In particular, in mid-January, Doctor Web security researchers detected Android.Cooee.1, a dangerous Trojan designed to download and install various applications, on the Philips s307 firmware. At the end of the month, Doctor Web analysts found that more than 60 games on Google Play were affected by Android.Xiny.19.origin. This Trojan can covertly run apk files received from the server, download applications, and prompt a user to install various software. It also displays annoying advertisements.
Among the most noticeable January events related to mobile malware we can mention
Find out more about malicious and unwanted programs for mobile devices in our special overview.