January 31, 2017
In the first month of 2017, Doctor Web security researchers detected a worm that infects archives and deletes other malicious applications. They also detected several thousand Linux devices infected with a new Trojan. Also in January, a significant number of new malicious programs for Android were added to the Dr.Web virus databases. One such Trojan infiltrated the Play Store process with a module that downloaded various applications from Google Play. Another belongs to the banking Trojan family: cybercriminals made its source code public, so Doctor Web security researchers anticipate a major, imminent distribution of bankers created on the basis of this threat.
Typically, Trojans are called worms when they can distribute themselves on their own, without user intervention, but are not capable of infecting executable files. In January, Doctor Web security researchers detected a new worm, BackDoor.Ragebot.45. It receives commands via the IRC (Internet Relay Chat) text-messaging protocol, and once it has infected a computer, it runs an FTP server. The Trojan uses this server to deliver its copy to the next attacked computer.
The worm connects to other computers on the network through Virtual Network Computing (VNC) remote access by guessing passwords from a dictionary. If the attack succeeds, the Trojan establishes a VNC connection with the remote computer. It then sends keystroke signals that open the command interpreter (CMD) and execute the code needed to download its copy via FTP. In this way the worm distributes itself automatically.
In addition, BackDoor.Ragebot.45 can search for and infect RAR archives on removable devices and copy itself to the folders of numerous programs. However, its main feature is its capability to search for other Trojans in the system when commanded by cybercriminals, shut down their processes, and delete their executable files. More information on this Trojan and how it works can be found in a review published by Doctor Web.
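As an added illustration of the propagation pattern described above (this is not code from Doctor Web's review), the following Python routine reads VNC authentication log lines and flags sources whose successful login follows a burst of failures, which is how a dictionary attack like BackDoor.Ragebot.45's appears from the defender's side. The log format, addresses and thresholds are constructed assumptions, not those of any real VNC server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines modelled on a hypothetical VNC server's
# authentication log (not a real product's format and not the worm's output).
SAMPLE_LOG = """\
2017-01-12 03:14:01 vncserver: auth failed for 10.0.0.7
2017-01-12 03:14:02 vncserver: auth failed for 10.0.0.7
2017-01-12 03:14:02 vncserver: auth failed for 10.0.0.7
2017-01-12 03:14:03 vncserver: auth failed for 10.0.0.7
2017-01-12 03:14:04 vncserver: auth failed for 10.0.0.7
2017-01-12 03:14:05 vncserver: auth succeeded for 10.0.0.7
2017-01-12 08:00:00 vncserver: auth failed for 192.168.1.20
2017-01-12 08:05:00 vncserver: auth succeeded for 192.168.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) vncserver: "
    r"auth (?P<result>failed|succeeded) for (?P<src>[\d.]+)$"
)


def find_dictionary_logins(log_text, min_failures=5, window=timedelta(minutes=2)):
    """Return {src: success_timestamp} for sources whose successful VNC login
    was preceded by at least `min_failures` failures inside `window`.
    A single mistyped password (192.168.1.20 above) must not be flagged."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # ignore lines that are not auth events
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src = m["src"]
        # keep only failures that are still inside the sliding window
        failures[src] = [t for t in failures[src] if ts - t <= window]
        if m["result"] == "failed":
            failures[src].append(ts)
        elif len(failures[src]) >= min_failures:
            hits[src] = ts
            failures[src].clear()
    return hits


if __name__ == "__main__":
    for src, when in find_dictionary_logins(SAMPLE_LOG).items():
        print(f"dictionary-style VNC login from {src} at {when}")
```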
In January, Doctor Web’s technical support was most often contacted by victims of the following modifications of encryption ransomware:
This feature is not available in Dr.Web Anti-virus for Windows.
Data Loss Prevention

| December 2016 | January 2017 | Dynamics |
|---|---|---|
| + 226,744 | + 223,127 | -1.59% |
Large-scale spread of Linux malware does not happen often; however, Doctor Web security researchers observed just such a case in January 2017. The Trojan in question was Linux.Proxy.10, whose purpose is to run a SOCKS5 proxy server on an infected device; cybercriminals use such infected devices to stay anonymous online. According to Doctor Web security researchers, as of January 24, 2017, the number of infected Linux devices ran into the several thousands.
Linux.Proxy.10 is distributed by logging into vulnerable devices with a predetermined login and password combination; accounts with these credentials are usually created by other Linux Trojans (or are present on the device by default). That means Linux.Proxy.10 mainly attacks devices that are already infected with other malicious software. Detailed information regarding this malware can be found in a review published by Doctor Web.
Moreover, yet another Linux.Lady variant was detected: Linux.Lady.4. In this version of the Trojan, cybercriminals removed the function for downloading and running the cryptocurrency mining application and added the capability to attack Redis network-attached storage. The Trojan also carries an additional module that can use RPC (Remote Procedure Call) to communicate with remote servers, send them information about the infected system, and execute shell commands.
In the first month of 2017, Doctor Web security researchers detected the Trojan Android.Skyfin.1.origin, which infiltrated the running Play Store process and stealthily downloaded Google Play applications, artificially increasing their popularity. Later, security researchers detected Android.BankBot.149.origin, an Android banker whose source code was published online by cybercriminals. Another Android banker detected in January was dubbed Android.BankBot.140.origin. It was distributed as the game Super Mario Run, which was not yet available for Android devices. Also in the last month, a new ransomware Trojan was detected in Google Play; dubbed Android.Locker.387.origin, it blocked smartphones and tablets.
The most notable January events related to mobile malware include:
Find out more about malicious and unwanted programs for mobile devices in our special overview.