February 28, 2017
The last month of winter was marked by the emergence of a new banking Trojan that inherited fragments of the source code of another widespread banker family—Zeus (Trojan.PWS.Panda). This malware injects arbitrary content into user-loaded web pages and runs a VNC server on the infected computer. Also in February, Doctor Web security researchers detected a new Trojan for Linux. New entries were also added to the Dr.Web virus databases for Android.
Banking Trojans are considered one of the most dangerous types of malware programs since they are capable of stealing money directly from the bank accounts of their victims. The new banking Trojan examined by Doctor Web security researchers was dubbed Trojan.PWS.Sphinx.2. It performs web injections, i.e., it injects arbitrary content into user-loaded web pages. It can, for example, present the user with fake login forms created by the Trojan and send the online banking credentials entered into them to the cybercriminals. Below is an example of the code that Trojan.PWS.Sphinx.2 embeds in the pages of the bankofamerica.com website:
Furthermore, Trojan.PWS.Sphinx.2 can run a VNC server on an infected computer, and cybercriminals can use it to connect to the infected device and install digital certificates in the system for organizing attacks based on MITM (Man-in-the-middle) technology. The Trojan has a grabber—a module that intercepts and sends data entered by the user into various forms to a remote server. It is notable that the automatic launch of Trojan.PWS.Sphinx.2 is executed via a special PHP script. More information about this malicious program can be found in the corresponding review published by Doctor Web.
In February, Doctor Web’s technical support was most often contacted by victims of the following modifications of encryption ransomware:
During February 2017, 134,063 URLs of non-recommended websites were added to the Dr.Web database.
| January 2017 | February 2017 | Dynamics |
|---|---|---|
| + 223,127 | + 134,063 | -39.9% |
Trojans that infect Linux devices are no longer considered rare. However, in February Doctor Web security researchers detected an unusual malicious program. Once launched on a Microsoft Windows computer, it attempts to find and infect various Linux devices.
This Trojan was dubbed Trojan.Mirai.1. After downloading a list of IP addresses from its command and control server, it launches a scanner on the infected machine. The scanner checks these addresses and attempts to log in to them using the login and password combinations indicated in the configuration file. Once it connects to a Linux device over the Telnet protocol, the Trojan downloads a binary file onto the compromised device, and this file in turn downloads and launches Linux.Mirai. In addition, Trojan.Mirai.1 can execute cybercriminals’ commands and perform other malicious functions. For more information, refer to this news article.
Also in February, Doctor Web security researchers examined the Trojan Linux.Aliande.4. Written in Go, it is designed to gain access to remote network servers by running dictionary (brute-force) attacks against their login systems. For its operation, Linux.Aliande.4 uses a list of IP addresses obtained from the command and control server and connects to the remote devices over the SSH protocol. The Trojan sends the list of login and password combinations that succeeded to the cybercriminals.
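Both Trojan.Mirai.1 and Linux.Aliande.4 work through a list of targets trying credential combinations until one is accepted, which is exactly the pattern a server's authentication log exposes: a burst of failed logins from one source, often against several user names, sometimes followed by an accepted login. The script below is an added example, not code from the report or from Doctor Web; it runs a sliding-window check over constructed sshd log lines and flags sources whose failure rate crosses a threshold, noting whether a successful login followed the burst (the sign that a weak credential was actually found). The threshold, window and log format are assumptions; the same logic applies to any authentication-failure feed, including one exported from a device that is reached over Telnet.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd auth messages (not taken from the report).
# 198.51.100.7 runs a short dictionary attack that ends with an accepted
# password; 203.0.113.9 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
Feb 12 03:14:01 host1 sshd[2210]: Failed password for root from 198.51.100.7 port 51234 ssh2
Feb 12 03:14:02 host1 sshd[2212]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Feb 12 03:14:03 host1 sshd[2214]: Failed password for root from 198.51.100.7 port 51250 ssh2
Feb 12 03:14:04 host1 sshd[2216]: Failed password for invalid user pi from 198.51.100.7 port 51261 ssh2
Feb 12 03:14:05 host1 sshd[2218]: Failed password for root from 198.51.100.7 port 51270 ssh2
Feb 12 03:14:06 host1 sshd[2220]: Accepted password for root from 198.51.100.7 port 51280 ssh2
Feb 12 03:20:11 host1 sshd[2300]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Feb 12 03:25:40 host1 sshd[2310]: Accepted publickey for alice from 203.0.113.9 port 40010 ssh2
"""

# Assumed syslog-style sshd line format; "invalid user" is optional.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(log_text, year=2017):
    """Return (timestamp, result, user, ip) tuples for each auth result line.

    syslog timestamps carry no year, so one is supplied (assumed 2017 here).
    """
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an authentication result; ignore
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside one window.

    For each flagged IP the result records how many failures it produced,
    which user names it tried, and whether an accepted login followed the
    burst (the case a responder should treat as a likely compromise).
    """
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[3]].append(ev)

    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[1] == "Failed"]
        burst_end = None
        # Slide over failures: the i-th and (i+threshold-1)-th failure must
        # fall within one window for the source to count as a burst.
        for i in range(len(failures)):
            j = i + threshold - 1
            if j < len(failures) and failures[j][0] - failures[i][0] <= window:
                burst_end = failures[j][0]
                break
        if burst_end is None:
            continue
        success_after = any(e[1] == "Accepted" and e[0] >= burst_end for e in evs)
        findings[ip] = {
            "failures": len(failures),
            "distinct_users": sorted({e[2] for e in failures}),
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        state = "SUCCEEDED" if info["success_after_burst"] else "failed so far"
        print(f"{ip}: {info['failures']} failures against {info['distinct_users']}, "
              f"attack {state}")
```

Running it over the sample flags only 198.51.100.7, reporting five failures against three user names with a subsequent accepted login; the single mistyped password from 203.0.113.9 stays below the threshold. In practice the threshold and window are tuned to the host's normal login rate, and a flagged source with `success_after_burst` set is the one to act on first.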
In February, Android.Click.132.origin was detected. It was spread via Google Play. This malicious program covertly opened websites and could independently tap on advertisements. Cybercriminals were remunerated for that activity.
The most noticeable February event related to mobile malware:
Find out more about malicious and unwanted programs for mobile devices in our special overview.