
January 2017 virus activity review from Doctor Web

January 31, 2017

In the first month of 2017, Doctor Web security researchers detected a worm that infects archives and deletes other malicious applications. They also detected several thousand Linux devices infected with a new Trojan. Also in January, a significant number of new malicious programs for Android were added to the Dr.Web virus databases. One such Trojan infiltrated the Play Store process with a module that downloaded various applications from Google Play. Another belongs to the banking Trojan family; because cybercriminals made its source code public, Doctor Web security researchers anticipate a major, imminent wave of bankers built on this threat.

Principal trends in January

Threat of the month

Typically, Trojans are called worms when they can distribute themselves without user intervention but are not capable of infecting executable files. In January, Doctor Web security researchers detected a new worm, BackDoor.Ragebot.45. It receives commands via the IRC (Internet Relay Chat) text-messaging protocol, and once it has infected a computer, it runs an FTP server. The Trojan uses this server to deliver its copy to the next attacked computer.

[Screenshot: BackDoor.Ragebot.45]

The worm connects to other network computers via the Virtual Network Computing (VNC) remote access system by trying passwords from a dictionary. If the guess is successful, the Trojan establishes a VNC connection with the remote computer. It then sends keystroke signals that open a CMD window and run the commands needed to download its copy via the FTP protocol. In this way the worm spreads automatically.

In addition, BackDoor.Ragebot.45 can search for and infect RAR archives on removable devices and copy itself to the folders of numerous programs. However, its main feature is its capability to search for other Trojans in the system when commanded by cybercriminals, shut down their processes, and delete their executable files. More information on this Trojan and how it works can be found in a review published by Doctor Web.
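
The behaviour described above leaves a recognisable trace on the VNC server side: a burst of failed password checks from one source, sometimes followed by a successful login. The following detector is an added example written for this review, not code from Doctor Web or from the worm; the log format it parses is constructed for the example and is not the output of any particular VNC server, so the parser would need adapting to a real product's log lines.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines. The format is an assumption made for this
# example; it is not the output of any particular VNC server.
SAMPLE_LOG = """\
2017-01-12 10:00:01 vnc auth failed from 192.0.2.15
2017-01-12 10:00:03 vnc auth failed from 192.0.2.15
2017-01-12 10:00:04 vnc auth failed from 198.51.100.7
2017-01-12 10:00:06 vnc auth failed from 192.0.2.15
2017-01-12 10:00:08 vnc auth failed from 192.0.2.15
2017-01-12 10:00:09 vnc auth failed from 192.0.2.15
2017-01-12 10:00:11 vnc auth ok from 192.0.2.15
2017-01-12 10:30:00 vnc auth failed from 198.51.100.7
"""


def parse_line(line):
    """Return (timestamp, outcome, source_ip) for a VNC auth line, else None."""
    parts = line.split()
    if len(parts) != 7 or parts[2:4] != ["vnc", "auth"] or parts[5] != "from":
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    return ts, parts[4], parts[6]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed VNC logins inside a sliding
    window, and record whether a successful login followed (the pattern a
    dictionary attack leaves behind when one of its guesses is right)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    alerts = {}                  # ip -> alert dict, created once per ip
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, outcome, ip = parsed
        fails = recent[ip]
        if outcome == "failed":
            fails.append(ts)
            while fails and ts - fails[0] > window:
                fails.popleft()
            if len(fails) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "failures": len(fails),
                              "first_failure": fails[0], "success_after": False}
        elif outcome == "ok":
            if ip in alerts:
                alerts[ip]["success_after"] = True  # a guess succeeded
            fails.clear()  # a login resets the failure streak for that source
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The sliding window matters more than the raw count: a host that fails once an hour is a user with a stale password, while five failures in under a minute from one address is automation. An alert whose `success_after` flag is set is the one to act on first, since it indicates the dictionary contained a valid password.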

According to statistics collected by Dr.Web CureIt!

[Chart: statistics collected by Dr.Web CureIt!, January 2017]

According to Doctor Web statistics servers

[Chart: Doctor Web statistics servers, January 2017]

Statistics concerning malicious programs discovered in email traffic

[Chart: malicious programs discovered in email traffic, January 2017]

According to Dr.Web Bot for Telegram data

[Chart: Dr.Web Bot for Telegram data, January 2017]

Encryption ransomware

[Chart: encryption ransomware, January 2017]

In January, Doctor Web’s technical support was most often contacted by victims of the following modifications of encryption ransomware:

During January 2017, 223,127 URLs of non-recommended websites were added to the Dr.Web database.

December 2016    January 2017    Dynamics
+ 226,744        + 223,127       -1.59%

Non-recommended websites

Linux malware

Large-scale spread of Linux malware is not a frequent event, but Doctor Web security researchers observed one in January 2017. The Trojan in question was Linux.Proxy.10, whose purpose is to run a SOCKS5 proxy server on an infected device. Cybercriminals use such infected devices to preserve their online anonymity. According to Doctor Web security researchers, as of January 24, 2017, the number of infected Linux devices ran into the thousands.

Linux.Proxy.10 is distributed by logging into vulnerable devices with a predetermined login and password combination: accounts with these credentials are usually created by other Linux Trojans (or are present on the device by default). This means that Linux.Proxy.10 mainly attacks devices that are already infected with other malicious software. Detailed information regarding this malware can be found in a review published by Doctor Web.
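
Because the Trojan relies on an account that is already present, with a known password, the defensive check is an account audit rather than a signature. The script below is an added example, not Doctor Web's code: it parses /etc/passwd and /etc/shadow and flags the three conditions such a pre-planted or default account would typically show. The file contents and the expected-account baseline are constructed for the example; a real audit would take the baseline from configuration management or a golden image.

```python
# Constructed /etc/passwd and /etc/shadow contents for the example; they are
# not from any real or infected system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
support:x:0:0::/:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
guest:x:1001:1001::/home/guest:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$constructed$notarealhash:17167:0:99999:7:::
daemon:*:17167:0:99999:7:::
admin:$6$constructed$notarealhash:17167:0:99999:7:::
support:$6$constructed$notarealhash:17167:0:99999:7:::
backup:*:17167:0:99999:7:::
guest::17167:0:99999:7:::
"""

# Accounts the administrator expects to be able to log in interactively
# (an assumption for this example).
EXPECTED_LOGIN_ACCOUNTS = {"root", "admin"}
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh"}


def parse_passwd(text):
    """Map user name -> (uid, login shell)."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        users[fields[0]] = (int(fields[2]), fields[6])
    return users


def parse_shadow(text):
    """Map user name -> password field ('' means no password is required)."""
    return {line.split(":")[0]: line.split(":")[1]
            for line in text.splitlines() if line.strip()}


def audit_accounts(passwd_text, shadow_text, expected=EXPECTED_LOGIN_ACCOUNTS):
    """Return sorted (user, finding) pairs for accounts that could serve as
    the predetermined credentials described in the text."""
    findings = []
    users = parse_passwd(passwd_text)
    passwords = parse_shadow(shadow_text)
    for name, (uid, shell) in users.items():
        if uid == 0 and name != "root":
            findings.append((name, "uid-0-account"))  # a second root account
        if shell in INTERACTIVE_SHELLS:
            if name not in expected:
                findings.append((name, "unexpected-login-account"))
            if passwords.get(name) == "":
                findings.append((name, "empty-password"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```

Accounts with a non-login shell such as /usr/sbin/nologin are deliberately ignored even when they are not in the baseline, since they cannot be used for the kind of login the Trojan performs; the interesting findings are an extra UID 0 account, an unexpected account with a shell, and a shell account whose shadow entry has no password at all.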

Moreover, yet another version of Linux.Lady was detected, Linux.Lady.4. In this version of the Trojan, cybercriminals removed the function for downloading and running the cryptocurrency mining application and added the capability to attack Redis servers. In addition, the Trojan has an extra module that can use RPC (Remote Procedure Call) to communicate with remote servers, send them information about the infected system, and execute shell commands.
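
Redis instances become a target for this kind of Trojan when they are reachable from the network without authentication. The checker below is an added example, not Doctor Web's code or part of Redis: it reads a redis.conf fragment and reports the three settings that together decide whether an unauthenticated remote client can connect. The directive names bind, protected-mode and requirepass are real Redis directives; the two configuration fragments are constructed, one weak and one corrected.

```python
# Constructed redis.conf fragments for the example. The directive names are
# real Redis directives; the values are illustrative only.
WEAK_CONF = """\
# listens on every interface, accepts any client, requires no password
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
"""

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_conf(text):
    """Map directive -> list of values in file order (Redis applies the last)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key.lower(), []).append(value.strip())
    return directives


def check_redis_conf(text):
    """Return a list of finding codes; an empty list means all three
    exposure checks passed."""
    conf = parse_conf(text)
    findings = []

    binds = conf.get("bind")
    if binds is None:
        # With no bind directive Redis listens on all interfaces.
        findings.append("bind-all")
    elif any(addr in WILDCARD_BINDS for addr in binds[-1].split()):
        findings.append("bind-all")

    # protected-mode defaults to yes since Redis 3.2, so only an explicit
    # 'no' is flagged (assumption: the server is 3.2 or newer).
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode-off")

    if "requirepass" not in conf:
        findings.append("no-requirepass")

    return findings


if __name__ == "__main__":
    print("weak:    ", check_redis_conf(WEAK_CONF))
    print("hardened:", check_redis_conf(HARDENED_CONF))
```

The bind check looks at the last bind line only, because that is the value Redis actually uses when the directive is repeated. An instance that must be reachable over the network should still set requirepass and restrict bind to the specific interface the clients use, rather than relying on protected-mode alone, which only refuses remote clients when no bind and no password are configured.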

Malicious and unwanted programs for mobile devices

In the first month of 2017, Doctor Web security researchers detected the Trojan Android.Skyfin.1.origin, which infiltrated the running Play Store process and stealthily downloaded Google Play applications, artificially inflating their popularity. Later, security researchers detected Android.BankBot.149.origin, an Android banker whose source code was published online by cybercriminals. Another Android banker detected in January was dubbed Android.BankBot.140.origin. It was distributed as the game Super Mario Run, which is not yet available for Android devices. Also last month, a new ransomware Trojan was detected in Google Play; dubbed Android.Locker.387.origin, it blocked smartphones and tablets.

The most notable January events related to mobile malware include:

Find out more about malicious and unwanted programs for mobile devices in our special overview.
