My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Doctor Web’s annual virus activity review for 2017

December 29, 2017

In the context of information security, the past year will be remembered for such notable events as global attacks of encryption worms WannaCry, NePetya and BadRabbit, and also for a large number of Linux Trojans for so-called “Internet of things”. This year is also marked by the spreading of malicious scripts over numerous websites. These scripts were designed to mine cryptocurrency.

In spring 2017, Doctor Web security analysts researched a new backdoor for macOS. It was one of the few malicious programs for the Apple OS added to virus databases this year. During the past 12 months, new banking Trojans also emerged. They were designed to steal money from the accounts of clients of financial organizations: one of such malicious programs, Trojan.PWS.Sphinx.2, Doctor Web security specialists examined in February, and another—Trojan.Gozi.64—in November 2017.

Fraudsters showed high activity over the past year: Doctor Web regularly reported on revealing new schemes aimed at tricking Internet users. This past March, network fraudsters tried defrauding money from owners and administrators of various Internet resources. They created approximately 500 fraudulent webpages for this purpose. In their spam emails, cybercriminals tried to pass as “Yandex” employees and “RU-Center”. They also came up with a fraudulent scheme that required a victim to input their personal pension account number (SNILS). Additionally, in July, the Government Services Portal of the Russian Federation ( was compromised. Unknown fraudsters injected potentially dangerous code into the Portal’s pages. This vulnerability was soon eliminated by the Portal’s administration.

2017 was also uneasy for owners of Android mobile devices. Over the summer, Doctor Web security analysts examined a multifunctional Android Trojan that gained control over a device and stole confidential information from customers of financial and credit organizations. A game with an embedded loader Trojan was quickly detected on Google Play. More than a million users had downloaded it. Over the course of the year, Doctor Web specialists detected Android Trojans pre-installed in factory firmware on mobile devices, as well as many other malicious programs and riskware for this platform.

Principal trends of the year

  • The emergence of dangerous encryption worms capable of distributing themselves without user intervention
  • A spike in the number of Linux Trojans for the “Internet of things”
  • The spreading of dangerous malicious programs for Android

Most notable events of 2017

Encoder Trojans, which encrypt files and demand a ransom for their restoration, were usually spread as one or another “useful” tools or via malicious mailings. In addition, most often cybercriminals did not attach to emails an encryption Trojan itself but rather a small loader Trojan, which downloaded and launched an encoder upon an attempt to open an attachment. At the same time, worms capable of independently spreading across the network were not previously used to encrypt files. They had quite different malicious functions. Early in the year, Doctor Web specialists examined one of the representatives of a class of these malicious programs. The first encoder, which combined the capabilities of an encryption and network worm, was Trojan.Encoder.11432. It became widely known as WannaCry.

Mass spreading of this malicious program started around 10 a.m. on May 12, 2017. In order to infect other computers, the worm used a vulnerability in the SMB protocol (MS17-10), and under its threat were both local network hosts and computers on the Internet with random IP addresses. The worm consisted of several components, and the encoder was just one of them.

screenshot Encoder11432 #drweb

Trojan.Encoder.11432 encrypted files using a random key. In addition, the Trojan contained a special decoding module that allowed users to decode several files for free in a demo mode. It is notable that randomly selected files were encrypted using an entirely different key, so their restoration did not guarantee the rest of the data would be successfully decoded. A detailed examination of this encoder was published on our website in May 2017.

Shortly thereafter another outbreak occurred of the encryption worm, dubbed NePetya, Petya.A, ExPetya and WannaCry-2 by various sources (it received these names due to its similarity to the Petya Trojan—Trojan.Ransom.369,— which was spread earlier). NePetya was added to the Dr.Web virus databases under the name Trojan.Encoder.12544.

As its predecessor WannaCry, the encryption worm Trojan.Encoder.12544 was used for distributing the vulnerability in the SMB protocol. However, in this case it did not take long to determine the distribution source of the worm. It was an updated module of the program M.E.Doc designed for inputting of tax reports in Ukraine. That is why Ukrainian users and organization were the first victims of Trojan.Encoder.12544. Doctor Web specialists examined in detail the program M.E.Doc and decided one of its components contained a full-featured backdoor, which was capable of collecting authorization credentials to access mail servers, loading and launching any applications on a computer, and executing arbitrary commands in a system, and also sending files from a computer to a remote server. NePetya used this backdoor, just as at least one encryption Trojan did before.

screenshot petya #drweb

Research of Trojan.Encoder.12544 showed that this encoder was not intended for decrypting corrupted files. Additionally, it had a rather wide variety of malicious functions. To intercept account data of Windows users, it used Mimikatz tools. It utilized this information (and also several other methods) to spread across a local network. To infect accessed computers, Trojan.Encoder.12544 used a program for remote control called PsExec or a standard console tool Wmic.exe for calling objects. In any case, the encoder damaged a boot record of the disk С: (Volume Boot Record, VBR) and replaced an original Windows boot record (MBR) with its own, while encrypting the original MBR and moving to another sector of the disk.

screenshot nepetya #drweb

In June, Doctor Web published a detailed research report on the encryption worm Trojan.Encoder.12544.

In October, one more encoder worm was detected. It was dubbed Trojan.BadRabbit. Known samples of the Trojan were spread as a program with an installer icon for Adobe Flash. Architecturally, BadRabbit was similar to its two predecessors. It also consisted of several components: a dropper, an encoder, and a network worm. It also contained a built-in decryptor. Moreover, a portion of its code was clearly adopted from Trojan.Encoder.12544. However, this encoder had one distinguishing trait: once launched, it checked an attacked computer for two anti-viruses—Dr.Web and McAfee—and, in case of their detection, it skipped the first encryption stage. Apparently, it attempted to avoid early detection.

screenshot badrabbit #drweb

For more information about this malicious program, refer to the news article published by Doctor Web.

Virus situation

According to data obtained using the Doctor Web statistics servers, in 2017 users’ computers were most often infected with scripts and malicious programs designed to download other Trojans from the Internet and also to install dangerous and unwanted applications. Compared to the previous year, adware has almost disappeared from these statistics.

According to Doctor Web’s statistics servers

A family of malicious JavaScripts. They inject a malicious script into the HTML code of web pages.
A family of malicious JavaScripts. They download and install malicious software on a computer.
A family of installers of unwanted and malicious applications.
A family of malicious programs designed to download other malware to the compromised computer.
A family of malicious programs that inject malicious code into the processes of other programs.
A family of malicious programs designed to download other malware to the compromised computer.

There is a similar situation with analysis of email traffic. However, besides loaders, there are also Trojans designed to steal passwords and other confidential information.

Statistics concerning malicious programs discovered in email traffic

A family of malicious JavaScripts. They download and install malicious software on a computer.
A family of malicious JavaScripts. They inject malicious script into the HTML code of webpages.
A family of installers of unwanted and malicious applications.
A family of Trojans designed to steal passwords and other confidential information stored on an infected computer.
A family of malicious programs designed to download other malware to the compromised computer.
A family of downloader Trojans that exploit vulnerabilities in office applications. Designed for downloading other malware to a compromised computer.
A family of malicious files written in PowerShell scripts. They download and install malicious software on a computer.
A family of malicious programs that inject malicious code into the processes of other programs.

Encryption ransomware

It is safe to say that 2017 was the year of encoding worms. It was exactly in 2017 when encryption ransomware learned how to massively spread across a network without any actions from users. This resulted in several outbreaks. In the past 12 months, Doctor Web technical support received around 18,500 requests from users who suffered from acts of encryption ransomware. Starting in May, the amount of requests began gradually reducing. In comparison with the start of the year, by the end of 2017 the amount had been reduced by half.

Encryption ransomware

According to statistics, the Trojan that most often penetrated computers was Trojan.Encoder.858, the second place went to Trojan.Encoder.3953, and the third most “popular” encoder was Trojan.Encoder.567.

The most common ransomware programs in 2017:

© Doctor Web
2003 — 2022

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies