Your browser is obsolete!

The page may not load correctly.

Free trial
Dr.Web for Android

Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support

Send a message

Your tickets

Profile

Doctor Web’s December 2017 virus activity review

December 29, 2017

The last month of this year is marked by an emergence of a new backdoor for computers and devices running Microsoft Windows. In December, Doctor Web analysts also determined that cybercriminals started hacking websites using a Linux Trojan Linux.ProxyM. Over the course of the month Dr.Web virus databases were updated with the signatures of new malicious programs for Android.

Principal trends of December

  • A new Trojan for Linux
  • Website hacking using a Linux Trojan
  • Distribution of new malicious programs for Android

Threat of the month

In December, virus analysts examined another representative of the Anunak Trojan family capable of executing the commands of cybercriminals on an infected computer. A new backdoor has been developed to work on 64-bit Windows versions and was dubbed BackDoor.Anunak.142. The Trojan can perform the following actions on an infected computer:

More information about this malicious program can be found in the news article published on our website.

According to Dr.Web Anti-virus statistics

According to Dr.Web Anti-virus statistics

Trojan.Starter.7394
A Trojan whose main purpose is to launch in an infected system with an executable file possessing a specific set of malicious functions.
Trojan.Encoder.11432
An encryption worm known as WannaCry.
Trojan.Zadved
This Trojan displays fake search results in the browser window and imitates pop-up messages from social networking sites. In addition to this, the malware can replace advertisements displayed on different Internet resources.
JS.BtcMine.2
A JavaScript designed to stealthily mine cryptocurrencies (mining).
Trojan.BPlug
These plug-ins for popular browsers display annoying advertisements to users browsing webpages.

According to Doctor Web’s statistics servers

According to Doctor Web’s statistics servers

JS.BtcMine.2
A JavaScript designed to stealthily mine cryptocurrencies (mining).
JS.Inject
A family of malicious JavaScripts. They inject malicious script into the HTML code of webpages.
Trojan.Inject
A family of malicious programs that inject malicious code into the processes of other programs.
Trojan.Starter.7394
A Trojan whose main purpose is to launch in an infected system with an executable file possessing a specific set of malicious functions.
Trojan.PWS.Stealer
A family of Trojans designed to steal passwords and other confidential information stored on an infected computer.
Trojan.DownLoader
A family of malicious programs designed to download other malware to the compromised computer.

Statistics concerning malicious programs discovered in email traffic

Statistics concerning malicious programs discovered in email traffic

Trojan.DownLoader
A family of malicious programs designed to download other malware to the compromised computer.
JS.Inject
A family of malicious JavaScripts. They inject malicious script into the HTML code of webpages.
JS.DownLoader
A family of malicious JavaScripts. They download and install malicious software on a computer.
VBS.DownLoader
A family of malicious files written in VBScript scripts. They download and install malicious software on a computer.
JS.BtcMine.2
A JavaScript designed to stealthily mine cryptocurrencies (mining).

Encryption ransomware

Encryption ransomware

In December, cases involving the following ransomware modifications were registered by Doctor Web’s technical support service:

Dangerous websites

During December 2017, 241,274 URLs of non-recommended websites were added to Dr.Web database.

November 2017December 2017Dynamics
+331,895+241,274-27.3%

Linux malware

Linux.ProxyM has been known to virus analysts since May 2017. This is a quite simple malicious program that launches a SOCKS proxy server on an infected device. Cybercriminals use it to send up to 400 spam messages from each infected host, and quickly started distributing phishing email messages, in particular on behalf of DocuSign, which allowed them to work with electronic documents. Thus, cybercriminals collected the account data of its users.

screenshot Linux.ProxyM #drweb

In December, using a proxy server implemented in a Trojan, cybercriminals made numerous attempts at hacking websites. They used SQL injections (an injection of a malicious SQL code into a request to a website database), XSS (Cross-Site Scripting)—an attack method that involves adding a malicious script to a webpage, which is then executed on a computer when this page is opened, and Local File Inclusion (LFI)—an attack method that allows cybercriminals to remotely read files on an attacked server using specially generated commands. More information about this incident can be found in a review published by Doctor Web.

Malicious and unwanted programs for mobile devices

In December, Android.BankBot.243.origin and Android.BankBot.255.origin were detected on Google Play. They stole the login credentials of client accounts in credit organizations. A similar Trojan was also distributed outside the official Android software catalog. It was dubbed Android.Packed.15893. Also in December, the Dr.Web virus database was updated with Android.Spy.410.origin, which spied on Italian users.

Among the most noticeable December events related to mobile malware are the following:

Find out more about malicious and unwanted programs for mobile devices in our special overview.

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2018

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040