The page may not load correctly.
May 31, 2017
The most notable event of May 2017 was the mass distribution of the malicious program WannaCry, which is detected by Dr.Web Anti-virus as Trojan.Encoder.11432. This worm was distributed independently, infecting network nodes via an SMB protocol vulnerability. It then encrypted the files on the computers of its victims and demanded a ransom for their decryption. Moreover, in May, Doctor Web specialists examined a complicated multi-component Linux Trojan written in Lua. A new backdoor for macOS was also detected.
The malicious program widely known as WannaCry was covered by many media outlets. This dangerous application is a network worm that infects computers running Microsoft Windows. It started being spread around 10 a.m. on May 12, 2017. The worm contains an encryption Trojan as its payload. Dr.Web Anti-virus detects all the worm’s components as Trojan.Encoder.11432.
Once launched, the worm registers itself as a system service and starts querying network nodes in the local network and on the Internet that have random IP addresses. If a connection is successfully established, the worm attempts to infect these computers. If it manages to infect them, the worm launches an encryption Trojan, which uses a random key to encrypt the files on the computers. While in operation, Trojan.Encoder.11432 deletes shadow copies and disables the system restore function. The Trojan creates a separate list of files, which are encrypted with a different key: the malicious program can decrypt these files for its victim for free. As these test files and all the other files on the computer are encrypted with different keys, the computer’s owner has no guarantee that their files will be decrypted successfully even if they pay the ransom. Detailed information regarding this Trojan can be found in a review and in a detailed technical description of the worm.
In May, Doctor Web’s technical support was most often contacted by victims of the following modifications of encryption ransomware:
This feature is not available in Dr.Web Anti-virus for Windows.
|Data Loss Prevention|
During May 2017, Doctor Web added 1,129,277 URLs into the Dr.Web database of non-recommended sites.
|April 2017||May 2017||Dynamics|
|+ 568,903||+ 1,129,277||+ 98.5%|
At the beginning of May, Doctor Web detected a Trojan that was being distributed via links in comments left by cybercriminals on the official “Doctor Web” group page of the “VK” social network. In their messages, the crooks offered users the opportunity to download free license keys for the Dr.Web anti-virus; however, anyone who followed the link would actually end up downloading Trojan.MulDrop7.26387 onto their computer.
This malicious program can execute various commands issued by cybercriminals: for example, it can change the Windows Desktop wallpaper, open and close the optical disk drive, swap the functions of mouse keys, play a specific phrase using a voice synthesizer and speakers, and even display frightening videos. For more information, refer to this article published on our website.
In May, Doctor Web specialists examined a multi-component Linux Trojan written in Lua. This malicious program, which was dubbed Linux.LuaBot, consists of 31 Lua scripts and can infect not only computers but also other “smart” devices: network storages, routers, set-top boxes, IP cameras, etc. The Trojan generates a list of IP addresses to attack and then attempts to establish a connection with remote devices via this list and sign in by brute-force login using a special vocabulary. If successful, it downloads its own copy on the infected computer and launches it.
This Trojan is in fact a backdoor; in other words it executes commands issued by cybercriminals. In addition, this Trojan launches a web server on the infected device. This server allows cybercriminals to load different files. Doctor Web’s specialists have collected statistics on the unique IP addresses of devices infected with Linux. LuaBot—they are shown in the following diagram.
The last spring month of 2017 was marked by the distribution of a backdoor for macOS. The Trojan has been added to the Dr.Web virus databases under the name Mac.BackDoor.Systemd.1. The backdoor can execute the following commands:
More information about this malicious program can be found in an article published by Doctor Web.
In May, Android.RemoteCode.28 was detected on Google Play. It downloaded other programs and shared information with the command and control server. Applications that conceal Android.Spy.308.origin were also detected in the catalog. This Trojan downloaded and ran additional program modules and displayed ads. This past month, cybercriminals distributed Android.BankBot.186.origin as MMS messages. This banking Trojan stole money from user accounts.
Among the most notable May events related to mobile malware, we can mention the following:
Find out more about malicious and unwanted programs for mobile devices in our special overview.
© Doctor Web
2003 — 2022
Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies
Doctor Web in social networksLink accounts