The page may not load correctly.
October 30, 2015
October proved to be a quiet month in terms of information security events. However, over the course of the second autumn month, a number of popular Internet resources still fell victim to attacks of cybercriminals—the hacked websites were used to distribute a dangerous program disguised as an anti-virus utility created by a well-known developer. Moreover, October witnessed emergence of new Trojans for Android and iOS—in particular, Android.BankBot.80.origin that was spread as an official online banking application of a Russian financial organization and IPhoneOS.Trojan.YiSpecter.2 designed to display advertisements and stealthily download other programs to compromised devices.
In the middle of October, Doctor Web security researchers registered several cases of websites being hacked by cybercriminals. Among those resources was a webpage dedicated to one popular Russian TV series. If the user opened the link to the website from Google search results, and if certain conditions were met, a new tab with a webpage opened in the browser window. A special malicious script incorporated into that webpage by cybercriminals prevented the user from closing it. If the victim pressed any key or clicked anywhere in the window, an annoying dialog was displayed prompting the victim to install a browser extension supposedly created by an anti-virus developer.
The extension detected by Dr.Web as Trojan.BPLug.1041 serves the purpose of injecting arbitrary content into webpages browsed by the user. Moreover, on all websites, the malicious program blocks third-party advertisements from any domains, except for those listed in the configuration file. If the user logs in to the Odnoklassniki (“Одноклассники”) social networking website, Trojan.BPLug.1041 will try to provide a certain application with access to the API of this website on behalf of the user. As a result, the victim's data can be used to promote groups, send spam messages, and influence some poll results. For more information regarding this malicious program, refer to the news article published by Doctor Web.
Doctor Web security researchers continue to monitor botnets created by cybercriminals using the Win32.Rmnet.12 file infector. The average daily activity of these botnets is shown in the following graphs:
Rmnet is a family of viruses spread without any user intervention. They can embed content into loaded webpages (this theoretically allows cybercriminals to get access to the victim's bank account information), steal cookies and passwords stored by popular FTP clients, and execute other commands issued by cybercriminals.
The botnet consisting of computers infected with Win32.Sector is also still active. Its average daily activity can be seen in the following picture:
The malware can perform the following actions:
In October, cybercriminals controlling the Linux.BackDoor.Gates.5 botnet became considerably less active—in comparison with the previous month, the number of attacked IP addresses decreased by 33.29 per cent and was estimated 5,051. As before, most targets of the attacks were located in China, while the second and the third places were taken by France and the United States respectively.
The number of requests for decryption received by Doctor Web technical support service
The most common ransomware program in October 2015 was Trojan.Encoder.567.
This feature is not available in Dr.Web Anti-virus for Windows
|Data Loss Prevention
During October 2015, 264,970 URLs of non-recommended websites were added to Dr.Web database.
Online stores selling some strange items or goods of questionable quality can be usually found among Internet resources added by Doctor Web analysts to the database of non-recommended websites over the course of a month. From time to time such websites become main “heroes” of news articles issued by our company, as resourceful fraudsters never cease to amaze security researchers constantly coming up with various mind-blowing ideas for new products. Read about threads protecting from evil eye, lip enhancers, and other “magical” goods sold in online stores in the news article published by Doctor Web.
In October, cybercriminals continued to target mobile devices' users. In particular, at the beginning of the month, security researchers detected a new Trojan for iOS—at that, this malicious program could be installed on smartphones and tablets with or even without “jailbreak”. Moreover, yet another Trojan managed to bypass Google protection mechanisms and get into Google Play. In the middle of the month, Doctor Web specialists registered a new case of Android firmware being infected with a malicious application and, some time later, detected a new banking Trojan designed to steal money from owners of smartphones and tablets.
Among the most noticeable events related to mobile malware we can mention