April 30, 2015
At the beginning of April, Doctor Web security researchers finished their examination of the dangerous multicomponent banking Trojan Trojan.Dridex.49. The malware consists of a loader component that generates the configuration the Trojan needs and launches it, the core engine, and additional modules. Its distinguishing feature is the use of a P2P protocol to reach its command and control server.
Depending on its configuration, Trojan.Dridex.49 injects itself into Explorer (explorer.exe) or into web browser processes (chrome.exe, firefox.exe, iexplore.exe). All traffic between the server and the Trojan is encrypted. An infected computer takes one of the following roles in the botnet:
In other words, messages in the Trojan.Dridex.49 botnet travel along the chain bot → node → admin node → other admin nodes → command and control server. To protect this traffic, the bots perform a key exchange with each other. The full interaction pattern of the botnet is as follows:
The main purpose of Trojan.Dridex.49 is web injection, that is, inserting arbitrary content into web pages viewed by customers of financial organizations.
The Trojan can harvest confidential data entered into web forms, which gives the criminals access to victims' bank accounts and lets them steal money. Doctor Web's security researchers have identified more than 80 bank websites and other Internet resources at which the Trojan can steal confidential data; among them are well-known financial organizations such as Royal Bank of Scotland, TCB, Santander, Bank of Montreal, Bank of America, HSBC, Lloyds Bank and Barclays. The signature of Trojan.Dridex.49 has been added to the virus databases, so Dr.Web users are protected from this malware.
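To make the web-injection mechanism concrete, here is an added example (not Doctor Web's code and not a Dridex artefact) of how an inject rule rewrites a bank's login page inside the browser, together with a check that exposes the extra fields it adds. The bank URL, the form and the injected fields are constructed for illustration; the rule format is a simplified one and not the Trojan's own configuration syntax.

```python
"""Web injection as a banking Trojan performs it, and a check for it.

Added example, not Doctor Web's code or a Dridex artefact. A web-inject rule
names a URL pattern, a marker string in the genuine page and the HTML to splice
in after that marker; the Trojan applies it to the response inside the browser.
The bank name, URL and injected fields below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass
class InjectRule:
    url_pattern: str   # regex matched against the page URL
    data_before: str   # marker in the genuine HTML after which to inject
    data_inject: str   # attacker-controlled HTML spliced into the page


def apply_injects(url: str, html: str, rules) -> str:
    """Rewrite html the way an injecting Trojan would, applying every rule whose
    url_pattern matches url and whose marker is present. Pages that match no
    rule are returned untouched, which is why the bank's own server never sees
    the modification."""
    for rule in rules:
        if not re.search(rule.url_pattern, url):
            continue
        pos = html.find(rule.data_before)
        if pos < 0:
            continue
        pos += len(rule.data_before)
        html = html[:pos] + rule.data_inject + html[pos:]
    return html


class _InputCollector(HTMLParser):
    """Collects the name attribute of every <input> in document order."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.names.append(dict(attrs).get("name"))


def input_names(html: str):
    parser = _InputCollector()
    parser.feed(html)
    return parser.names


def unexpected_fields(rendered_html: str, genuine_names):
    """Input fields present in the page as rendered but absent from the form
    the bank actually serves: the footprint of a web inject that adds fields
    such as a card PIN or secret-question answers."""
    genuine = set(genuine_names)
    return [n for n in input_names(rendered_html) if n not in genuine]


# Constructed sample: a minimal login form and one inject rule targeting it.
BANK_LOGIN_URL = "https://online.example-bank.test/login"
GENUINE_LOGIN = (
    '<form action="/login" method="post">'
    '<input name="user"><input name="pass" type="password">'
    '<button>Log in</button></form>'
)
SAMPLE_RULE = InjectRule(
    url_pattern=r"^https://online\.example-bank\.test/login",
    data_before='<input name="pass" type="password">',
    data_inject='<input name="pin" placeholder="Card PIN">'
                '<input name="mothers_maiden_name" placeholder="Mother\'s maiden name">',
)

if __name__ == "__main__":
    page = apply_injects(BANK_LOGIN_URL, GENUINE_LOGIN, [SAMPLE_RULE])
    print(page)
    print("injected fields:", unexpected_fields(page, ["user", "pass"]))
```

The point the example makes is that the rewrite happens after TLS has been stripped inside the browser process, so the bank's server and its certificate offer no protection against it; the comparison in `unexpected_fields` only helps when it runs in a context the Trojan has not already tampered with (for example, a bank comparing a customer's submitted field names against the form it actually served).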
In April, 73,149,430 malicious programs and riskware were detected.
Doctor Web's security researchers continue to monitor the botnet created by criminals with the file infector Win32.Rmnet.12.
Rmnet is a family of viruses that spread without any user intervention. They can embed content into loaded web pages (which in principle gives cybercriminals access to the victim's online banking details), steal cookies and passwords stored by popular FTP clients, and execute other commands issued by cybercriminals.
The botnet consisting of computers infected with the Win32.Sector file virus is still active. This malware can perform the following actions:
The number of Apple computers infected with the BackDoor.Flashback.39 Trojan remains almost unchanged at about 25,000:
In April, cybercriminals intensified their attacks on Internet resources using Linux.BackDoor.Gates.5. Compared with the previous month, the number of attacked IP addresses grew by more than 48 per cent, to an estimated 3,320. Curiously, most targets were located in the USA, whereas previously China had led in the number of compromised resources. The image below shows the geographic distribution of the attacks.
Number of requests for decryption received by the Doctor Web technical support service (chart; figure shown: 42.4 %)
In April, Doctor Web security researchers examined a new Trojan that infects computers running Linux: Linux.BackDoor.Sessox.1. Cybercriminals control the backdoor over IRC (Internet Relay Chat): the bot joins a chat on the criminals' server and reads its commands from there. To spread, the Trojan scans remote hosts for a vulnerability that lets it run a third-party script on an unprotected server; that script then installs a copy of the Trojan on the compromised system.
The Trojan can also launch an attack by sending repeated HTTP GET requests to a website specified by the cybercriminals.
Learn more about Linux.BackDoor.Sessox.1.
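The GET flood described above leaves a characteristic trace in the target's access log: one source issuing far more requests per second than a browser would, usually for the same few URLs. The following added example (not Doctor Web's code and not derived from Linux.BackDoor.Sessox.1 itself) parses combined-format access log lines and flags such sources. The log lines, the bot and browser addresses and the thresholds are constructed assumptions for illustration.

```python
"""Detecting an HTTP GET flood in web-server access logs.

Added example, not Doctor Web's code. Groups GET requests per source IP into
fixed time windows and flags windows with an implausible request count spent
on only a handful of paths. All addresses, timestamps and thresholds below are
constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format, e.g.
# 203.0.113.7 - - [15/Apr/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def find_get_floods(lines, window_seconds=10, max_requests=50, max_distinct_paths=3):
    """Return {ip: peak GET count in one window} for sources that exceed
    max_requests GETs within a window while touching at most
    max_distinct_paths distinct URLs (a flooding bot hammers the same page;
    a browser spreads its requests over many assets)."""
    buckets = defaultdict(list)            # (ip, window index) -> paths requested
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        key = (rec["ip"], int(rec["ts"].timestamp()) // window_seconds)
        buckets[key].append(rec["path"])
    flagged = {}
    for (ip, _), paths in buckets.items():
        if len(paths) > max_requests and len(set(paths)) <= max_distinct_paths:
            flagged[ip] = max(flagged.get(ip, 0), len(paths))
    return flagged


def _fmt(ip, t, method, path, status):
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{method} {path} HTTP/1.1" {status} 512'


def sample_log():
    """Constructed sample: one flooding bot and one ordinary browser session."""
    base = datetime(2015, 4, 15, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(120):                                 # bot: 120 GETs for "/" in 6 s
        lines.append(_fmt("203.0.113.7", base + timedelta(milliseconds=50 * i), "GET", "/", 200))
    pages = ["/", "/css/site.css", "/js/app.js", "/login", "/account", "/logout", "/", "/help"]
    for i, path in enumerate(pages):                     # browser: 8 GETs over 14 s
        lines.append(_fmt("198.51.100.20", base + timedelta(seconds=2 * i), "GET", path, 200))
    return lines


if __name__ == "__main__":
    print(find_get_floods(sample_log()))
```

Two caveats a practitioner would add: a NAT gateway or proxy can legitimately put hundreds of users behind one address, so the threshold should be tuned per site and combined with other signals (User-Agent, absence of asset requests, referer); and a bot that rotates paths will evade the distinct-path test, so the window count alone should still raise a lower-severity alert.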
At the beginning of the month, Doctor Web security researchers detected a targeted mass mailing sent to the work and personal email addresses of employees of Russian defense enterprises. The mailing distributed a dangerous Trojan.
On command from the cybercriminals, this malicious program, named BackDoor.Hser.1, can send the remote server a list of processes running on the infected computer, download and launch another malicious program, and open a command console with its input and output redirected to the cybercriminals' server, which gives them interactive control over the infected computer. Find out more about the incident in this news item.
Another malicious program, named VBS.BackDoor.DuCk.1, was also examined in April. This malware executes cybercriminals' commands and sends screenshots of the infected computer to the remote server. The backdoor can also check whether it is running in a virtual machine and whether anti-virus software is present. A news item about this dangerous Trojan was published on Doctor Web's site.
During April 2015, 129,199 URLs of non-recommended sites were added to Dr.Web database.
In April, cybercriminals continued their attacks on users of Android devices, and the month was rich in virus events. Among the most notable events related to malicious and unwanted programs for Android we can mention
Find out more about malicious and unwanted programs for Android in our special overview.