The page may not load correctly.
April 3, 2017
The beginning of spring was marked by intense activity on the part of cybercriminals involved in Internet scams and the distribution of malicious software. Moreover, in March a Trojan for Linux, designed to mount DDoS attacks, was detected. On Google Play, Doctor Web security researchers detected a program with an embedded module that displayed annoying ads on screens of Android devices. At least 50 million users have already installed this application. In addition, during the first month of spring, numerous potentially dangerous Internet resources were added to the database of non-recommended websites.
Linux malware usually downloads other Trojans onto an infected device, sets up a proxy server, or mounts DDoS attacks. A Trojan detected by Doctor Web security researchers in March that was subsequently named Linux.DDoS.117 executes that last task.
This malicious program has versions for the following architectures: Intel x86, M68K, MIPS, MIPSEL, SPARC, SH4, Power PC, and ARM. Once launched, Linux.DDoS.117 waits for an Internet connection, and when one appears, it sends the attackers information about the infected device. The Trojan can receive commands and execute them using the command interpreter SH. With the help of a special command, cybercriminals send the name of the attacked host and the duration data of the DDoS attack to the Trojan. More detailed information about Linux.DDoS.117 can be found in the technical description of this malicious program.
In March, Doctor Web’s technical support was most often contacted by victims of the following modifications of encryption ransomware:
At the beginning of March, a user of the bleepingcomputer.com forum published a link to the list of private keys used by the Dharma ransomware Trojan. According to Doctor Web classification, this is Trojan.Encoder.3953. This is already the second case of the private keys for this encoder being leaked. Once encrypted by this Trojan, files are appended with a suffix containing an email address of the cybercriminals and the following extensions: .xtbl, .CrySiS, .crypted, .crypt or .lock. Thanks to the fact that the keys were leaked, Doctor Web security researchers—as early as March 2—were able to develop a decryption method for files encrypted by Trojan.Encoder.3953.
Also in March, Doctor Web’s specialists created a decryption algorithm for data encrypted by Trojan.Encoder.10465. The malicious program is written in Delphi and appends the extension .crptxxx to infected files. For more information about this encoder and recommendations as to what its victims can do, please refer to this article.
This feature is not available in Dr.Web Anti-virus for Windows.
|Data Loss Prevention|
|February 2017||March 2017||Dynamics|
|+ 134,063||+ 223,173||+ 66.46%|
In March, Doctor Web security researchers detected more than 500 fraudulent websites aimed at owners and administrators of Internet resources. Many of them received an email claiming to be from Yandex with an offer to improve their website rankings in Internet search results. It contained a link to a page containing a payment form for the offered service.
This offer was common fraud: after paying, victims did not get what was promised. Cybercriminals created more than 500 such pages and distributed them over several leased online media sites.
In March, Doctor Web specialists found a new advertising module on Google Play that was dubbed Adware.Cootek.1.origin. It was embedded in a program called TouchPal, which operates as an on-screen keyboard. After this application was installed, Adware.Cootek.1.origin displayed several types of annoying advertisements; for example, it created unremovable widgets and embedded banners in the lock screen. In addition, it displayed ads on mobile devices right after they were unlocked.
The most noticeable March event related to mobile malware:
Find out more about malicious and unwanted programs for mobile devices in our special overview.