Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Doctor Web’s September 2016 virus activity review

September 30, 2016

In September 2016, Doctor Web’s analysts examined several malicious programs for Linux. The month began with the discovery of a Trojan written in the Rust language, and then a Trojan designed to carry out DDoS attacks was found. Some time later, the whole family of DDoS Trojans for Linux was investigated by security researchers, together with a malware program for Android capable of performing injections into system processes.

PRINCIPAL TRENDS IN SEPTEMBER

  • The emergence of a Linux Trojan written in Rust
  • Distribution of new Linux Trojans designed to carry out DDoS attacks
  • The emergence of a Trojan for Android capable to perform injections into system processes

Threat of the month

Trojans designed to carry out DDoS attacks is nothing new. Some of them can infect computers running not only Microsoft Windows but also Linux. Linux.Mirai is one of them.

The first version of Linux.Mirai appeared in May 2016 and was added to the Doctor Web virus database under the name Linux.DDoS.87. This Trojan, designed to carry out DDoS attacks, can work with the SPARC, ARM, MIPS, SH-4, M68K architectures and Intel x86 computers. It also shares a few features with the Linux.BackDoor.Fgt family, one of whose representatives we described in 2014. Once launched on an infected computer, Linux.DDoS.87 searches the memory for the processes of other Trojans and terminates them. Linux.DDoS.87 can launch the following DDoS attacks:

August 2016 began with the discovery of a new version of this dangerous Trojan, which was dubbed Linux.DDoS.89. It shares many of its predecessor’s features, although there are some notable differences from Linux.DDoS.87. For example, the newer version has another procedure for launching the Trojan and the mechanism for protecting itself from being self-removed. Moreover, HTTP flood attacks are no longer carried out. Finally, Linux.DDoS.89 includes a new component—the telnet scanner that is designed to search for vulnerable computers on the Internet and connect to them using the telnet protocol.

In the end of September, one more representative—Linux.Mirai—was discovered by Doctor Web’s specialists. The Trojan has learned how to turn off the watchdog timer (which protects against system hangs and reboots), and once again it is carrying out HTTP flood attacks. For more information about this family of Linux Trojans, refer to the review.

According to statistics collected by Dr.Web CureIt!

According to statistics collected by Dr.Web CureIt! 09.2016 #drweb

According to Doctor Web’s statistics servers

According to Doctor Web’s statistics servers 09.2016 #drweb

Statistics concerning malicious programs discovered in email traffic

Statistics concerning malicious programs discovered in email traffic 09.2016 #drweb

According to statistics collected by Dr.Web Bot for Telegram

According to statistics collected by Dr.Web Bot for Telegram 09.2016 #drweb

Encryption ransomware

Encryption ransomware 09.2016 #drweb

In September, cases involving the following ransomware modifications were registered by Doctor Web’s technical support service:

Dr.Web Security Space 11.0 for Windows
protects against encryption ransomware

This feature is not available in Dr.Web Anti-virus for Windows.

Data Loss Prevention
Preventive ProtectionData Loss Prevention

Dangerous websites

During September 2016, 298,985 URLs of non-recommended websites were added to Dr.Web database.

August 2016September 2016Dynamics
+245,394+298,985+21.8%

Non-recommended websites

Linux

Doctor Web’s specialists have discovered a new Linux Trojan written in the Rust programming language. The Trojan has been named Linux.BackDoor.Irc.16. It is a typical backdoor program that executes commands issued by cybercriminals via the IRC (Internet Relay Chat) protocol. For more information about this Trojan, refer to the news article.

Some time later, yet another Linux Trojan was detected—Linux.DDoS.93. The Linux.DDoS.93 is designed to carry out DDoS attacks and can execute the following commands:

You can learn more about Linux.DDoS.93 in the news article published by Doctor Web.

Malicious and unwanted programs for mobile devices

In September, Doctor Web analysts have detected, within the Android.Xiny family, new species of Trojans designed to download and install various programs without user knowledge. These Trojans can now infect the processes of system applications and run malicious plugins.

Among the most notable September events related to mobile malware:

Find out more about malicious and unwanted programs for mobile devices in our special overview.

Learn more with Dr.Web

Virus statistics Virus descriptions Virus monthly reviews

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2019

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040