Doctor Web news - Virus alerts
http://news.drweb.com/rss/get/?c=9&lng=en

Doctor Web detected a Trojan that is incapable of decrypting files

Mon, 16 Apr 2018 00:00:00 GMT

April 16, 2018

Doctor Web specialists analyzed a new encryption Trojan. In most cases, decrypting the files corrupted by this encoder is impossible because of an error the cybercriminals made in its code. The new encryption Trojan was dubbed Trojan.Encoder.25129; the preventive protection of Dr.Web Anti-virus automatically detects it as DPH:Trojan.Encoder.9.

Once launched, the Trojan checks the user’s location based on the infected device’s IP address. The cybercriminals designed the malicious program so that it does not encrypt files if the device is located in Russia, Belarus or Kazakhstan, or if the Russian language and Russian regional settings are configured in the system preferences. However, because of the code error, the encoder encrypts all files regardless of the IP address’s geographical location.

Trojan.Encoder.25129 encrypts the content of the current user’s folders, the Windows Desktop, and the AppData and LocalAppData system folders. Files are encrypted with AES-256-CBC, and the encrypted files are given the “.tron” extension. Files larger than 30,000,000 bytes (about 28.6 MB) are not encrypted. Once encryption is over, the %ProgramData%\trig file is created and the value “123” is written into it (if this file already exists, encryption is not performed). The Trojan then sends a request to the iplogger website; the website address is hardcoded into the program’s body.

The malicious program then displays a window with ransom demands. The ransom the cybercriminals demand ranges from 0.007305 to 0.04 BTC. Once the HOW TO BUY BITCOIN button is clicked, the Trojan displays a window with instructions on how to buy the Bitcoin cryptocurrency:

In spite of the cybercriminals’ claims that victims can restore the encrypted files, in most cases this is impossible because of the code error. The encoder does not pose any threat to Dr.Web users: the preventive protection of our anti-virus products successfully detects and removes the Trojan. At the same time, Doctor Web specialists encourage users to make timely backups of their most valuable data.

More about this Trojan

#Trojan.Encoder #malicious_software #ransom #Trojan[...]



Doctor Web: a Trojan on Google Play subscribes users to paid services

Mon, 16 Apr 2018 00:00:00 GMT

April 16, 2018

Doctor Web virus analysts have detected the Trojan Android.Click.245.origin on Google Play. On the cybercriminals’ command, it loads websites where users are tricked into subscribing to paid content services. In some cases the subscription is activated automatically when users click a fake “download program” button.

Cybercriminals distributed Android.Click.245.origin on behalf of the developer Roman Zencov and disguised the Trojan as popular applications. Among them were the Miraculous Ladybug & Cat Noir game, which has not been released on Android yet; the GetContact app for making calls and storing telephone numbers, which became famous in the early spring; and the virtual assistant Alice, embedded in Yandex applications, which is not yet available as a separate app. One of the Trojan programs was in the top 30 new popular apps on Google Play. Doctor Web specialists informed Google about Android.Click.245.origin, and it was deleted from Google Play. Over 20,000 users downloaded the fake applications.

None of these programs had useful functions. Their only goal was to load webpages on the command of cybercriminals. The pages of the malicious applications found on Google Play are displayed below:

Once launched, Android.Click.245.origin establishes a connection with the command and control server and waits for a task. Depending on the IP address of the connected device, the Trojan receives a link to a particular website that must be loaded. The malicious program follows this link and displays the page using WebView.

If the device is connected to the Internet via Wi-Fi, the user is invited to download an application by clicking the corresponding button. For example, if a victim runs the fake virtual assistant program Alice, a file called “Alice Yandex.apk” is offered for download. When attempting to download the file, the user is asked to enter a phone number for some kind of authorization or download confirmation. Upon entering the phone number, the user receives a confirmation code that must be entered on the website to complete the “download”. The victim is then subscribed to a paid service rather than getting the intended program.

If the infected device is connected to the Internet via a mobile connection, the website loaded by the Trojan performs several redirections, and Android.Click.245.origin finally opens the website in Google Chrome. On this page, the user is invited to click “Continue” to download a file and is then redirected to another website where the download is supposed to start. Upon clicking “Start download”, the victim is automatically subscribed to one of the expensive services requiring daily payment, using the Wap-Click technology. Access to services like that is granted without entering a phone number or receiving a confirmation code via SMS.

If the Trojan does not receive a task, it downloads several pictures from the Internet and displays them on the screen.

Subscription to unwanted services is one of the most popular and well-known sources of illegal income for cybercriminals. However, subscribing to such premium services via Wap-Click is especially dangerous because the user is not informed about new subscriptions in any way. Dishonest content providers often use this scheme to trick people into subscribing. To save money, smartphone and tablet owners should be careful when browsing websites and not click any suspicious links or buttons. Users should also install only software distributed by known and reliable developers, and use an anti-virus.

Dr.Web for Android successfully detects all known modifications of Android.Click.245.origin, so the Trojan does not pose any threat to our users.

More about this Trojan

#Android, #Google_Play, #mobile, #paid_subscription, #fraud [...]



Doctor Web: more than 78,000,000 rubles of Sberbank’s clients are under threat

Thu, 05 Apr 2018 00:00:00 GMT

April 5, 2018

Doctor Web virus analysts have detected the spread of Android.BankBot.358.origin, which is aimed at Sberbank’s clients. This malicious program steals bank card information, empties accounts, blocks infected devices and demands a ransom. Android.BankBot.358.origin could cause a loss of over 78,000,000 rubles.

Doctor Web has known of Android.BankBot.358.origin since the end of 2015. Virus analysts have determined that new modifications of Android.BankBot.358.origin are designed to attack Russian Sberbank clients and have already infected more than 60,000 mobile devices. However, virus writers spread numerous different versions of this malicious application, so the number of victims can be significantly higher. In total, cybercriminals could steal more than 78,000,000 rubles from the bank accounts of the owners of infected devices. They could also steal over 2,700,000 rubles from mobile phone accounts. The following figures show sections of the Android.BankBot.358.origin administration panel with information on infected devices and statistics on one of the detected botnets:

This banking Trojan is distributed by fraudulent SMS messages, which can be sent both by the cybercriminals and by the malicious program itself. The messages are mostly sent on behalf of Avito.ru users and invite the victim to follow a link, supposedly to read a reply to a posted ad. For example, the following text is popular: “Good day, are you interested in an exchange?”. In addition, mobile device owners sometimes receive fake notifications about loans, mobile transfers and funds credited to a bank account. Below are examples of the phishing messages stored in the administration panel of the Trojan’s server and sent on the cybercriminals’ command:

When following the link from such a message, the victim lands on the cybercriminals’ website, from which the mobile device downloads a malicious APK file. To make it more convincing, the cybercriminals use the real Avito logo in Android.BankBot.358.origin, increasing the likelihood that the Trojan will be installed after download. Some of the banker’s modifications are distributed as other programs, for example software for working with the Visa and Western Union payment systems.

Upon first launch, Android.BankBot.358.origin requests device administrator rights and persists until the user gives up and grants it all the required privileges. After obtaining the necessary privileges, the Trojan displays a fake message about an installation error and removes its icon from the list of programs on the home screen. In effect, Android.BankBot.358.origin tries to hide itself on the smartphone or tablet. If the user later tries to remove the banker from the list of device administrators, Android.BankBot.358.origin activates a self-protection function and closes the corresponding system settings window. In addition, some Trojan versions also set their own lock screen PIN codes.

After infecting a device, Android.BankBot.358.origin establishes a connection with the command and control server, reports the successful infection and waits for further instructions. The Trojan’s main goal is to steal money from Sberbank’s Russian-speaking clients, and the main attack vector is phishing. The cybercriminals send the Trojan a command to block the infected device with a window containing a fraudulent message. It imitates the appearance of Sberbank Online, the remote banking and payment system, and is displayed to all users regardless of whether they are clients of Sberbank or of another financial organization. The message notifies the client of a received money transfer in the amount of 10,000 rubles. To receive the money, the smartphone or tablet owner is invited to provide full bank card information: its number, holder’s name, expi[...]



Doctor Web: new Trojan distributed via YouTube

Fri, 23 Mar 2018 00:00:00 GMT

March 23, 2018

Doctor Web is warning users about the spread of a dangerous Trojan designed to steal files and other confidential information from infected devices. Using such leaked data, cybercriminals can gain access to user accounts on social networks and other online services.

The malicious program, dubbed Trojan.PWS.Stealer.23012, is written in Python and infects computers running Microsoft Windows. Distribution of the Trojan started on March 23, 2018 and continues to this day. Cybercriminals publish links to the malicious program in the comments section of videos on YouTube, a popular web resource. Many of these videos are about cheating in games (so-called “cheats”) using special applications, and the cybercriminals pass the Trojan off as such programs and useful utilities. The links lead to Yandex.Disk servers. To persuade users to click the link, the videos carry comments clearly written from fake accounts. When clicking the link, victims download a self-extracting RAR archive containing the Trojan onto their computers.

An example of the link to a malicious file published in the comments section of the video.

Once launched on an infected computer, the Trojan collects the following information:

  • cookies stored by the Vivaldi, Chrome, YandexBrowser, Opera, Kometa, Orbitum, Dragon, Amigo, and Torch browsers;
  • saved logins/passwords from the same browsers;
  • screenshot.

It also copies files with “.txt”, “.pdf”, “.jpg”, “.png”, “.xls”, “.doc”, “.docx”, “.sqlite”, “.db”, “.sqlite3”, “.bak”, “.sql”, “.xml” extensions from Windows Desktop.

Trojan.PWS.Stealer.23012 saves all gathered information in the C:/PG148892HQ8 folder. It then packs all the data into the archive spam.zip, which is sent to the cybercriminals’ server along with data on the infected device’s location.

Doctor Web virus analysts found several modifications of the Trojan. Some of them are detected as Trojan.PWS.Stealer.23198. Dr.Web anti-virus products successfully detect all known modifications of this malicious program, so they do not pose any threat to our users.

More about this Trojan

#cookies #malware #screenshot #Trojan



Doctor Web: banking Trojan Android.BankBot.149.origin has become a rampant tool of cybercriminals

Tue, 20 Mar 2018 01:00:00 GMT

March 20, 2018

Doctor Web discovered the Trojan Android.BankBot.149.origin back in January 2016. After the attackers published the source code of this banking Trojan, virus writers created a number of new modifications on its basis, which are still being actively developed. Some of them have turned into multifunctional malicious programs capable of stealing usernames and passwords for applications used to work with cryptocurrencies, as well as spying on users.

When it appeared, Android.BankBot.149.origin was a banking Trojan with a typical set of functions. It showed phishing windows used to steal the usernames and passwords of online banking accounts at various credit organizations, stole bank card information, and was able to intercept incoming SMS messages to obtain one-time passwords confirming money transfers. When the source code of this malware became publicly available, virus writers began creating a number of similar Trojans on its basis, and criminals actively distributed them through Google Play. Among these banking Trojans were Android.BankBot.179.origin, Android.BankBot.160.origin, Android.BankBot.163.origin, Android.BankBot.193.origin and Android.Banker.202.origin, which the virus writers disguised as innocuous and useful applications.

Another Trojan built by cybercriminals on this code was added to the Dr.Web virus database as Android.BankBot.250.origin. The Trojan is also known as Anubis. Doctor Web virus analysts found the first versions of this malicious program in November 2017. These modifications copied the capabilities of Android.BankBot.149.origin almost completely. The banking Trojan was able to perform the following actions:

  • sending SMS messages with the given text to the number specified in the command;
  • executing USSD requests;
  • sending copies of SMS messages stored on the device to the command and control server;
  • collecting information about installed applications;
  • showing dialog boxes with the text specified in the command;
  • requesting additional permissions;
  • showing push notifications whose contents are specified in the command;
  • showing push notifications whose contents are set in the Trojan’s code;
  • blocking the device screen with a WebView window showing a web page received from the server;
  • sending all the numbers from the contact list to the server;
  • sending SMS messages to all numbers from the contact list;
  • accessing information about the device and its location;
  • requesting access to accessibility features (Accessibility Service);
  • obtaining the IP address of the infected smartphone or tablet;
  • deleting its configuration file and terminating.

The pictures below show an example of the Android.BankBot.250.origin Trojan’s control panel:

However, with each Android.BankBot.250.origin update, its functionality gradually expanded. One of the Trojan’s new versions, named Android.BankBot.325.origin, provides remote access to infected devices. As a result, the banking Trojan could work as a remote administration utility, or RAT (Remote Administration Tool). One of its new features was the ability to list the files stored in the memory of an infected smartphone or tablet, upload any of them to the command and control server, and delete them. In addition, the Trojan was able to monitor everything happening on the screen, taking screenshots and sending them to the criminals. On the virus writers’ command, Android.BankBot.325.origin was also able to listen to its surroundings using the built-in microphone, so the Trojan could be used for cyber espionage. The following images show the section of the administration panel of the Trojan’s management server where the criminals were able to issue the corresponding command:

At[...]



Doctor Web: cybercriminals use fake popular Android applications for phishing

Tue, 13 Mar 2018 15:21:19 GMT

March 13, 2018

Doctor Web specialists have found new Android Trojans on Google Play, distributed under the guise of popular apps. These fake apps can load and display any web pages on the cybercriminals’ command, a feature that can be used for phishing attacks.

The detected programs have the same names and similar icons as popular applications. Doctor Web security researchers have found fakes of the QIWI app (a Russian payment service provider), Sberbank Online, Odnoklassniki and VK (popular social networks), and NTV (a Russian television channel). Below, you can see how the cybercriminals trick potential victims. The left illustration shows the fake application’s page, which can easily be found on Google Play; the right illustration shows the genuine software’s page.

Every time the fake applications are launched, they connect to the command and control server. The server responds either with the parameter “none” or with a web link specified by the cybercriminals. When the “none” parameter is received, the malicious programs extract several images from their resources and show them to the user. If they receive a web link from the C&C server, they load the web page and display it. The page is opened via WebView directly in the application, so users do not see the target Internet address. The contents of the displayed web pages can vary: for example, smartphone users can be shown fake login forms of online banking systems or social networks. This puts owners of Android smartphones and tablets at risk of phishing attacks. Because this feature poses a serious threat, this software has been added to the Dr.Web virus database as Android.Click.415.

Apart from the Trojans mentioned, Doctor Web security researchers detected more than 70 similar programs, which over 270,000 users have downloaded. Fake games, recipe collections, and knitting manuals can be found among these applications. Some of them really do perform the functions they advertise. However, like the Android.Click.415 Trojan, they can also receive links to arbitrary web pages from the C&C server and then load and show these pages to the user. These programs have also been added to the Dr.Web virus database and are detected as Android.Click.416 and Android.Click.417. Moreover, while running, various modifications of the malicious applications constantly show advertisements on the mobile device screen. At least four software developers distributed the Trojans: Tezov apps, Aydarapps, Chmstudio, and SVNGames.

Doctor Web security analysts have notified Google about all the detected malicious applications. However, at the time of publication of this news, the applications were still available for download. Doctor Web reminds users that it is necessary to pay attention to the software developer’s name even when installing an application from a source as dependable as Google Play. Cybercriminals can copy an app’s appearance and use a similar name to make users install fake apps, which can easily be found in software distribution services.

Dr.Web anti-virus products for Android detect and delete all known modifications of Android.Click.415, Android.Click.416, and Android.Click.417, so these Trojans do not pose any threat to our users.

More about the Android.Click.415 Trojan
More about the Android.Click.416 Trojan
More about the Android.Click.417 Trojan [...]



Doctor Web: new downloader Trojans operate on the sly

Tue, 06 Mar 2018 18:11:20 GMT

March 6, 2018

Doctor Web virus analysts have examined some Trojans belonging to a known Trojan.LoadMoney malware family. These Trojans can download other dangerous applications on infected computers.

The Trojan.LoadMoney malware family has been well known since 2013, and new representatives of this family appear regularly. One of these Trojans is Trojan.LoadMoney.3209. It contains two Internet addresses, which are used to download and launch other malware. At the time of the research, the Trojan downloaded an identically encrypted file from both addresses and saved it in a temporary folder under a random name. This file was then loaded into memory, deleted, and saved again in a temporary folder, also under a random name. Finally, this executable file was read into memory and launched, and the original file was deleted.

One of the files that Trojan.LoadMoney.3209 downloads is detected as Trojan.LoadMoney.3558. This malicious program is more complicated. Trojan.LoadMoney.3558 acts as the main system infector and uses the freely distributed cURL utility to download files. This utility allows it to interact simultaneously with multiple Internet servers over several different protocols. The Trojan decrypts the downloaded files and saves them to disk. To run cURL downloads on the infected computer, Trojan.LoadMoney.3558 uses the Windows Task Scheduler. The Trojan contains four encrypted addresses of Internet resources: one of them is used together with the cURL utility, and the others are used to download an executable file, detected as Trojan.LoadMoney.3263, which is launched covertly. Upon launch, the original Trojan.LoadMoney.3263 file is deleted.

After downloading, the Trojan extracts the executable file, restores its header, saves it to a temporary folder, and then launches it. This file is detected by Dr.Web as Trojan.Siggen7.35395. Because the malicious code produces no visible effects, none of the Trojans mentioned manifest themselves in the infected system, so detecting their malicious activity is not easy.

Doctor Web virus analysts continue to examine this family of malicious programs and dangerous files. As we receive more news about this family, we will continue to inform our readers. Dr.Web anti-virus products securely protect against all known representatives of the Trojan.LoadMoney family, so they do not pose a threat to our users.

More about this Trojan

#mining #Trojan



Doctor Web detects an Android Trojan on Google Play designed to attack Russian banks’ clients

Mon, 05 Mar 2018 13:36:08 GMT

March 2, 2018

Doctor Web virus analysts found a Trojan on Google Play distributed under the guise of a banking application that supposedly provides access to the online banking services of various credit organizations. This malicious application is designed to steal login credentials and other confidential information from Russian users.

The Trojan, dubbed Android.BankBot.344.origin, was hidden in an application called “VSEBANKI – Vse banki v odnom meste” (ALLBANKS – all banks in one place). Cybercriminals uploaded it to Google Play on February 25, and fewer than 500 mobile users downloaded the app. The authors also took the trouble to add fake reviews on behalf of “lucky” users. Doctor Web specialists informed Google about the Trojan, and it was quickly deleted from Google Play.

The design of the Trojan distributed on Google Play under the guise of a banking application.

Android.BankBot.344.origin is a modification of Android.BankBot.336.origin, a malicious program that was detected in February and was also distributed via Google Play. Unlike the previous version, which attacked Ukrainian users, the updated Trojan targets Russian banks’ clients. As with the previous modification, cybercriminals pass Android.BankBot.344.origin off as an application that supposedly provides online access to the financial services of various credit organizations. In fact, the claimed functionality does not exist.

The list of Russian banks whose online accounts the user can supposedly access via the application.

The Trojan invited users to sign into an existing mobile banking account with their logins and passwords, or to input bank card information. Once victims entered confidential data, the program sent it to the cybercriminals, who could then steal the users’ money. Like the previous version of the Trojan, Android.BankBot.344.origin was able to intercept incoming SMS messages.

An example of a phishing input form. Login credentials are requested to access the online banking of one of the credit organizations.

An example of a phishing input form. The user is invited to sign in and input their bank card information.

Doctor Web highly recommends that users install only the official applications of credit organizations when using online banking systems. Dr.Web for Android successfully detects all known modifications of Android.BankBot.344.origin, so they do not pose any threat to our users.

More about this Trojan

#Android, #Google_Play, #banking_Trojan [...]



Doctor Web: over 40 models of Android devices delivered already infected from the manufacturers

Thu, 01 Mar 2018 07:00:00 GMT

March 1, 2018

In the middle of 2017, Doctor Web analysts discovered a new Trojan, Android.Triada.231, in the firmware of some cheap Android device models. Since then, the list of infected devices has been constantly growing, and at the moment it contains over 40 models. Doctor Web specialists have monitored the Trojan’s activity and can now publish the results of this investigation.

Android.Triada.231 is one of the dangerous Android.Triada Trojans. These Trojans infect the process of an important Android system component, Zygote, which is used to launch all applications. Once the Trojans inject themselves into this module, they penetrate other running applications and thereby gain the ability to carry out various malicious activities without the user’s intervention, such as covertly downloading and launching software. The key feature of Android.Triada.231 is that cybercriminals inject this Trojan into the libandroid_runtime.so system library rather than distributing it as a separate program. As a result, the malicious application gets into the device firmware during manufacture, and users receive their devices already infected out of the box.

Last summer, following the detection of Android.Triada.231, Doctor Web security researchers notified the manufacturers of infected devices. However, new smartphone models continue to ship infected with this malware. For example, it was detected on the Leagoo M9 smartphone, which was announced in December 2017. Additionally, our analysts’ research showed that the Trojan got into the firmware at the request of a Leagoo partner, a software developer from Shanghai. This company provided Leagoo with one of its applications to be included in the mobile operating system image, along with an instruction to add third-party code to the system libraries before they were compiled. Unfortunately, this controversial request did not raise any suspicion at the manufacturer, and Android.Triada.231 got onto the smartphones without any obstacles.

Analysis of this application showed that it is signed with the same certificate as Android.MulDrop.924, a Trojan Doctor Web wrote about in 2016. We can presume that the developer that requested adding the additional program to the mobile operating system image is connected, directly or indirectly, with the distribution of Android.Triada.231.

At the moment, security researchers have detected Android.Triada.231 in the firmware of over 40 Android device models:

  • Leagoo M5
  • Leagoo M5 Plus
  • Leagoo M5 Edge
  • Leagoo M8
  • Leagoo M8 Pro
  • Leagoo Z5C
  • Leagoo T1 Plus
  • Leagoo Z3C
  • Leagoo Z1C
  • Leagoo M9
  • ARK Benefit M8
  • Zopo Speed 7 Plus
  • UHANS A101
  • Doogee X5 Max
  • Doogee X5 Max Pro
  • Doogee Shoot 1
  • Doogee Shoot 2
  • Tecno W2
  • Homtom HT16
  • Umi London
  • Kiano Elegance 5.1
  • iLife Fivo Lite
  • Mito A39
  • Vertex Impress InTouch 4G
  • Vertex Impress Genius
  • myPhone Hammer Energy
  • Advan S5E NXT
  • Advan S4Z
  • Advan i5E
  • STF AERIAL PLUS
  • STF JOY PRO
  • Tesla SP6.2
  • Cubot Rainbow
  • EXTREME 7
  • Haier T51
  • Cherry Mobile Flare S5
  • Cherry Mobile Flare J2S
  • Cherry Mobile Flare P1
  • NOA H6
  • Pelitt T1 PLUS
  • Prestigio Grace M5 LTE
  • BQ-5510 Strike Power Max 4G (Russia)

This is not a comprehensive list; the number of infected smartphone models could be much bigger. Such widespread distribution of Android.Triada.231 shows that many Android device manufacturers pay little attention to security, and that the penetration of Trojan code into system components, whether by error or malicious intent, is likely common practice.

Dr.Web for Android detects all possible modifications of Android.Triada.231. To find out whether your mobile device is infected, run a full scan. With root privileges, Dr.Web Security Space for Android can neutralize Android.Triada.231 by curing the infected system component. If[...]



February 2018 mobile malware review from Doctor Web

Wed, 28 Feb 2018 03:00:00 GMT

February 28, 2018

In February, Doctor Web security researchers detected a miner Trojan that infects various Android devices with debugging mode enabled. Additionally, in the past month the Trojan Android.BankBot.336.origin posed a threat to users; this Trojan steals confidential information and money from bank accounts.

PRINCIPAL TRENDS IN FEBRUARY

  • Distribution of a miner Trojan that infects some Android devices
  • Distribution of a new banking Trojan

Mobile threat of the month

In February, the Trojan Android.CoinMine.15 became widespread. Cybercriminals used the Trojan to mine the Monero cryptocurrency. This malware is designed as a worm and can infect Android smartphones, tablets, TVs, routers, and media players connected to the network. Infection is possible only when the Android Debug Bridge (ADB) debugging mode is enabled on the device. After a successful infection, one of the Trojan’s components tries to find the next device and install a copy of the Trojan on it.

According to statistics collected by Dr.Web for Android

  • Android.RemoteCode.121.origin, Android.RemoteCode.117.origin: Trojans that download and launch various program modules, including malicious ones.
  • Android.HiddenAds.253, Android.HiddenAds.222.origin: adware Trojans spread under the guise of benign software by other malicious programs that, in some instances, covertly install the Trojans in the system directory.
  • Android.Mobifun.4: a Trojan that downloads other malicious applications.
  • Adware.Adpush.601, Adware.Jiubang.2, Adware.Jiubang.1, Adware.Leadbolt.12.origin: unwanted program modules incorporated into Android applications and designed to display obnoxious ads on mobile devices.
  • Tool.SilentInstaller.1.origin: riskware designed to silently launch applications without the user’s intervention.

Banking Trojan

Over the past month, the Trojan Android.BankBot.336.origin was detected on Google Play. Cybercriminals distributed it as a universal application designed to work with various Internet banking systems. This malicious program steals logins and passwords for user accounts, as well as bank card information. The Trojan then covertly transfers funds from the users’ bank accounts to the cybercriminals.

Virus makers continue to refine their malicious programs for Android and distribute them via both known and novel methods. That said, various Trojans can still be found on Google Play. To protect smartphones, tablets, and other devices from such threats, we recommend installing Dr.Web anti-virus products for Android. [...]



About 8% of Android smart TVs and devices are vulnerable to a new miner. Doctor Web describes how you can protect yourself.

Thu, 08 Feb 2018 02:00:00 GMT

February 8, 2018

A few days ago, the blog of a Chinese information security company published information on the spread of the Trojan Android.CoinMine.15, also known as ADB.miner. According to the Chinese researchers, the Trojan spread very fast at the peak of its activity: the number of infected devices doubled every day. Doctor Web specialists believe the majority of infected devices are smart TVs, because they are usually connected to the Internet permanently and often have ADB enabled.

This Android Trojan, designed to mine the Monero (XMR) cryptocurrency, can infect other devices without any user involvement. Android.CoinMine.15 infects Android devices on which TCP port 5555, used by the Android Debug Bridge (ADB) interface, is open to the network. Not only smart TVs but also smartphones, tablets, set-top boxes, routers, media players and receivers can be infected, i.e. every device on which network debugging is enabled. The single-board computer Raspberry Pi 3 running Android is another vulnerable device.

The Trojan is distributed as follows. The application droidbot.apk, together with the files nohup, sss and bot.dat, is installed on the compromised host from another infected device. The sss file is then run with the nohup utility and acts as a daemon. It extracts the other Trojan components from bot.dat, including a JSON configuration file, miner applications for 32-bit and 64-bit OS versions, and a copy of the droidbot Trojan program. Once launched, droidbot generates random IP addresses and tries to connect to port 5555 on each of them in an infinite loop. If a connection succeeds, the Trojan attempts to infect the detected device through the ADB interface. In a separate thread, Android.CoinMine.15 launches a miner application that mines Monero (XMR). Infection by such malicious programs may lead to a significant drop in device performance, overheating and rapid battery draining.

The ADB debugger is disabled by default in Android. However, some vendors ship devices with it enabled, and users can enable it deliberately; developers often use the debugging mode. Note that on a phone, enabling USB debugging alone does not open port 5555: adbd only listens on the network when its TCP mode is enabled (for example with adb tcpip 5555, or through the service.adb.tcp.port property that some TV and set-top box firmware sets at the factory). According to statistics collected by Dr.Web for Android, the Android Debug Bridge is enabled on 8% of the devices protected by our anti-virus. Because this setting poses a potential threat, Security Auditor, a special Dr.Web component, warns users that the debugger is enabled and offers to disable it.

Dr.Web specialists recommend that all users of Android devices scan their operating systems for riskware. To do so, you can purchase Dr.Web Security Space for Android with Security Auditor on our website or on Google Play. If USB debugging is not used on your device, it is better to disable it. Dr.Web for Android products successfully detect and remove Android.CoinMine.15; therefore, this malicious program poses no threat to Dr.Web users.

More about this Trojan

[...]



Doctor Web warns of a new encryption ransomware

Mon, 05 Feb 2018 16:51:58 GMT

February 5, 2018

Encryption ransomware that encrypts files on an infected device and demands a ransom for their decryption still poses a serious threat. Doctor Web is warning users about the spreading of yet another such encryption ransomware.

The Trojan, which its creators dubbed “GandCrab!”, has been added to the Dr.Web virus databases as Trojan.Encoder.24384. It appends the extension .GDCB to encrypted files. Two versions of this encoder are currently known.

Once launched on a device running Microsoft Windows, Trojan.Encoder.24384 collects information about running anti-virus processes. It then checks that no other copy is already running and terminates processes from a list supplied by the cybercriminals. The encoder installs a copy of itself on disk and adds a Windows registry entry so that it launches automatically.

The Trojan encrypts the contents of fixed, removable and network disks, excluding a number of folders, including service and system ones. Each disk is encrypted in a separate thread. When encryption is complete, the Trojan sends the number of encrypted files and the encryption time to the server.

The Trojan's command and control server has a domain name that cannot be resolved through the standard Windows resolver. To obtain the server's IP address, the encoder runs the nslookup command and extracts the answer from its output.

Currently, files encrypted with Trojan.Encoder.24384 cannot be decrypted. Doctor Web again reminds users that the most reliable way to protect their files is to back up all important data regularly, preferably on external storage media.
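The nslookup behaviour described above is something a process-creation log can catch: nslookup.exe is a legitimate tool, but it is rarely spawned by a binary that lives in a user-writable directory or that is not an interactive shell. The following is an added example, not Doctor Web's code or a Dr.Web detection. The page does not say which domain or DNS server the sample queries, so the rule keys on the parent process only. The events are constructed Sysmon-style process-creation records (Event ID 1 field names) in JSON lines, not real telemetry; the field names and the list of benign parents are assumptions you would tune to your own environment.

```python
"""Flag nslookup.exe launched by an unusual parent process.

Added example, not Doctor Web's code. Trojan.Encoder.24384 resolves its C&C
address by running nslookup and parsing the output; nslookup.exe spawned by a
binary outside the usual interactive shells, or by a binary in a user-writable
directory, is therefore worth an alert. Input: Sysmon-style process-creation
events as JSON lines (constructed sample below).
"""
import json
import re

# Parents from which an operator or an admin script normally runs nslookup (assumed list).
BENIGN_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}

# Locations ransomware droppers usually run from; a parent here is suspicious even if it is a shell.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|tmp|programdata|users\\public|downloads)\\", re.IGNORECASE
)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when the event is nslookup.exe started by an unexpected or oddly located parent."""
    if basename(event.get("Image", "")) != "nslookup.exe":
        return False
    parent = event.get("ParentImage", "")
    if USER_WRITABLE.search(parent):
        return True
    return basename(parent) not in BENIGN_PARENTS


def scan(lines):
    """Return [(RecordId, ParentImage, CommandLine)] for every suspicious event in JSON-lines input."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if is_suspicious(ev):
            hits.append((ev.get("RecordId"), ev.get("ParentImage"), ev.get("CommandLine")))
    return hits


# Constructed sample events: 102 and 103 should fire, the rest should not.
SAMPLE_EVENTS = r"""
{"RecordId": 101, "Image": "C:\\Windows\\System32\\nslookup.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "nslookup www.example.com"}
{"RecordId": 102, "Image": "C:\\Windows\\System32\\nslookup.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe", "CommandLine": "nslookup example.invalid 203.0.113.7"}
{"RecordId": 103, "Image": "C:\\Windows\\System32\\nslookup.exe", "ParentImage": "C:\\Users\\alice\\Downloads\\invoice.exe", "CommandLine": "nslookup example.invalid"}
{"RecordId": 104, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe", "CommandLine": "notepad.exe"}
{"RecordId": 105, "Image": "C:\\Windows\\System32\\nslookup.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "nslookup -type=mx example.com"}
""".strip().splitlines()


if __name__ == "__main__":
    for record_id, parent, cmdline in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: nslookup spawned by {parent}: {cmdline}")
```

The same rule transfers directly to a SIEM query (Image ends with nslookup.exe, ParentImage not in the allowlist or matching the user-writable paths); the value of running it over recorded events first is seeing how many legitimate scheduled tasks and monitoring agents in your estate also call nslookup, so the allowlist can be extended before the rule goes live.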


More about this Trojan




January 2018 virus activity review from Doctor Web

Wed, 31 Jan 2018 14:17:30 GMT

January 31, 2018

The beginning of 2018 was marked by the detection on Google Play of several Android games containing an embedded Trojan that downloaded and launched malicious modules on infected devices. Virus analysts also examined several miner Trojans that infect Windows servers; all of them exploit a vulnerability in the Cleverence Mobile SMARTS Server software.

Principal trends in January

  • The detection of a dangerous Android Trojan on Google Play
  • Distribution of new versions of miner Trojans that infect Windows servers

Threat of the month

Cleverence Mobile SMARTS Server is a suite of applications for automating shops, warehouses and various other facilities and production sites. Doctor Web analysts detected a 0-day vulnerability in these programs back in July 2017 and informed the software developers, who soon released a security update. However, by no means all administrators installed the update, which left cybercriminals free to keep compromising vulnerable servers.

To do so, the attackers send a specially crafted request to a vulnerable server, which results in the execution of the command contained in the request. They use it to create a new user with administrator privileges and then log in to the server over RDP with that account. In some cases the attackers use the Process Hacker tool to terminate the anti-virus processes running on the server. Once they have access, they install the miner Trojan.

The miner is updated constantly. Initially the attackers used several modifications added to the Dr.Web virus database as Trojan.BtcMine.1324, Trojan.BtcMine.1369 and Trojan.BtcMine.1404. Later the list grew to include Trojan.BtcMine.2024, Trojan.BtcMine.2025 and Trojan.BtcMine.2033; the most recent version is Trojan.BtcMine.1978. The Trojan runs as a critical system process: if the process is terminated, Windows performs an emergency shutdown and displays the “blue screen of death” (BSOD). Once launched, the miner attempts to terminate the processes and delete the services of several anti-viruses. Cybercriminals use Trojan.BtcMine.1978 to mine the cryptocurrencies Monero (XMR) and Aeon.

Dr.Web specialists recommend installing all security updates for Cleverence Mobile SMARTS Server released by its developers. For more information about this incident, refer to the review published on our website.

According to Dr.Web Anti-virus statistics

  • Trojan.Moneyinst.520: a malicious program that installs various software, including other Trojans, on a victim's computer.
  • Trojan.Starter.7394: a Trojan whose main purpose is to launch, in an infected system, an executable file with a specific set of malicious functions.
  • Trojan.BPlug: plug-ins for popular browsers that display annoying advertisements to users browsing webpages.
  • Trojan.DownLoad: a family of malicious programs designed to download other malware to the compromised computer.
  • Trojan.Zadved: a Trojan that displays fake search results in the browser window and imitates pop-up messages from social networking sites. It can also replace advertisements displayed on various Internet resources.

According to Doctor Web's statistics servers

  • JS.BtcMine.7, JS.BtcMine.2: JavaScript designed to mine cryptocurrencies covertly.
  • JS.Inject: a family of malicious JavaScripts that inject a malicious script into the HTML code of web pages.
  • JS.DownLoader: a family of malicious JavaScripts that download and install malicious software on a computer.
  • Trojan.PWS.Stealer: a family of Trojans designed to steal passwords and other co[...]



January 2018 mobile malware review from Doctor Web

Wed, 31 Jan 2018 01:00:00 GMT

January 31, 2018

In January 2018, Doctor Web virus analysts found approximately three dozen games on Google Play containing a Trojan that covertly downloaded and launched malicious modules performing various malicious actions. In addition, over the past month owners of smartphones and tablets were threatened by yet another Android banker designed to steal confidential information and money. Also in January, the Dr.Web virus database was updated with entries for detecting several spyware programs. Among the malicious programs being distributed was a new miner Trojan that used the computing power of infected mobile devices to mine the Monero cryptocurrency.

PRINCIPAL TRENDS IN JANUARY

  • The detection of numerous games with an embedded Trojan on Google Play
  • The spreading of malicious programs that spied on mobile device owners
  • The detection of a new Android banker that stole money from users
  • The spreading of a new mining Trojan

Mobile threat of the month

In January, Doctor Web specialists detected almost 30 games on Google Play with the embedded Android.RemoteCode.127.origin. It is part of a framework for extending an application's functionality. Android.RemoteCode.127.origin covertly downloaded and launched additional modules that performed various actions; for example, they loaded websites and clicked on their links and ads, simulating user actions. For more information regarding this Trojan, refer to this news article.

According to statistics collected by Dr.Web for Android

  • Android.DownLoader.573.origin: a malicious program that downloads other Trojans and unwanted software.
  • Android.HiddenAds.171.origin, Android.HiddenAds.253, Android.HiddenAds.222.origin: Trojans designed to display unwanted ads on mobile devices. They are distributed under the guise of popular apps by other malicious programs, which sometimes covertly install them in the system directory.
  • Android.RemoteCode.117.origin: a Trojan that downloads and launches various program modules, including malicious ones.
  • Adware.Jiubang.2, Adware.Jiubang.1, Adware.Allinone.1.origin, Adware.Adviator.6.origin, Adware.Leadbolt.12.origin: unwanted program modules incorporated into Android applications and designed to display obnoxious ads on mobile devices.

Banking Trojan

Over the past month, cybercriminals spread the banking Trojan Android.BankBot.250.origin, which displayed phishing input windows for login credentials and sent the entered confidential information to them. It could intercept SMS messages with verification codes, covertly confirm money transfers to the cybercriminals' accounts and perform other operations in online banking systems.

Spyware

In January, the Dr.Web virus database was updated with new entries for detecting several spyware programs. One of them was Android.Spy.422.origin, also known as Dark Caracal, which cybercriminals used for cyber espionage. Android.Spy.422.origin stole SMS messages, tracked phone calls, stole photos, web browser history and saved bookmarks, recorded the surroundings with the infected device's built-in microphone and performed a range of other actions. Others were new modifications of the malicious program Android.Spy.410.origin, known to Doctor Web specialists since December 2017. It tracks correspondence in popular messengers such as Telegram, WhatsApp and Skype, intercepts SMS messages and phone calls, and steals photos.

Android miner

Among the malicious programs for Android detected in January was a mining Trojan dubbed Android.CoinMine.8. Cybercriminals spread it as games and programs available for free download from a website. In fact, all these applications were the Trojan, which used infected devic[...]



A vulnerability in Cleverence Mobile SMARTS Server is used to mine cryptocurrencies

Wed, 24 Jan 2018 02:00:00 GMT

January 24, 2018

In July 2017, Doctor Web specialists detected a 0-day vulnerability in the Cleverence Mobile SMARTS Server server applications. The developers released an update that fixes it; nevertheless, cybercriminals still exploit it to mine cryptocurrencies.

Applications of the Cleverence Mobile SMARTS Server family are designed for automating shops, warehouses and various other facilities and production sites, and run on PCs with Microsoft Windows. In July 2017, Dr.Web specialists detected a critical vulnerability in one of the Cleverence Mobile SMARTS Server components. Cybercriminals were using it to gain unauthorized access to servers and install Trojans of the Trojan.BtcMine family, designed to mine cryptocurrencies. We immediately informed the software developers of the vulnerability. At first, the attackers used several versions of the miner detected by Dr.Web as Trojan.BtcMine.1324, Trojan.BtcMine.1369 and Trojan.BtcMine.1404.

The attackers send a specially crafted request to the server running Cleverence Mobile SMARTS Server, which results in the execution of the command contained in the request. They use the command to create a new user with administrator privileges and then log in to the server over RDP with that account. In some cases they use the Process Hacker tool to terminate the anti-virus processes running on the server. Once they have access, they install the miner Trojan.

The Trojan is a dynamic library. The attackers save it to a temporary folder and run it. The malicious program picks one of the legitimate Windows system services as its “victim” according to a number of criteria, replaces it and deletes the original service file. The malicious service then acquires a number of system privileges and sets the critical flag on its process. After that the Trojan saves the files required for its operation to disk and starts mining cryptocurrencies with the hardware of the infected server.

Although the developers of Cleverence Mobile SMARTS Server promptly released an update that closes the vulnerability, many server administrators have been slow to install it, and cybercriminals take advantage of them. The virus writers keep installing miner Trojans, which are constantly modified, on hacked servers. Since late November 2017 they have been using a new Trojan, which is still being modified. It was dubbed Trojan.BtcMine.1978 and mines the cryptocurrencies Monero (XMR) and Aeon.

The miner runs as a critical process with the display name “Plug-and-Play Service”. If one tries to terminate the process, Windows performs an emergency shutdown and displays the “blue screen of death” (BSOD). This is the same process flag that protects core system processes such as csrss.exe; a privileged process can clear it before termination, and the server can in any case be cleaned from an offline or recovery boot without triggering the bugcheck.

Once launched, Trojan.BtcMine.1978 tries to delete the services of Dr.Web anti-viruses, Windows Live OneCare, Kaspersky Anti-Virus, ESET NOD32, Emsisoft Anti-Malware, Avira, 360 Total Security and Windows Defender. The miner then searches the attacked computer for running anti-virus processes. If it finds any, it decrypts, saves to disk and runs a driver used to attempt to close those processes. Dr.Web successfully detects and blocks the Process Hacker driver used by Trojan.BtcMine.1978; it was added to the Dr.Web virus databases as a hacktool.

After obtaining a list of ports from its own configuration, Trojan.BtcMine.1978 searches the network for a router. Then, using the UPnP protocol, it forwards a TCP port of the router to ports from the obtained list and waits on them for incoming connections over the HTTP pro[...]
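The UPnP port forwarding described above leaves a record on the router itself: an Internet Gateway Device exposes its whole mapping table through the standard WANIPConnection action GetGenericPortMappingEntry, and walking that table is how an administrator finds out whether a LAN host has been made reachable from the Internet. The following is an added example, not Doctor Web's code and not a Dr.Web component. It assumes you already have the service's control URL (taken from the router's device description XML, whose location an SSDP M-SEARCH returns; the miniupnpc tool upnpc -l performs the same enumeration off the shelf). The response and fault documents in the test are constructed, and the addresses, ports and description are sample values.

```python
"""Enumerate port mappings on a UPnP IGD router and flag those pointing at a host.

Added example, not Doctor Web's code. Trojan.BtcMine.1978 uses UPnP to forward a
router port to the infected server; the same router answers the standard
WANIPConnection action GetGenericPortMappingEntry with its mapping table, one
entry per index, and a SOAP fault (UPnP error 713) once the index runs past the
end. Network I/O is isolated in probe(); parsing is exercised offline.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"


def build_request(index: int) -> bytes:
    """SOAP envelope asking the gateway for mapping number `index`."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        "<s:Body>"
        f'<u:{ACTION} xmlns:u="{SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        f"</u:{ACTION}>"
        "</s:Body></s:Envelope>"
    ).encode()


def parse_response(body: bytes):
    """Return the mapping as a dict, or None for a SOAP fault (end of table) or a foreign reply."""
    root = ET.fromstring(body)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    resp = root.find(f".//{{{SERVICE}}}{ACTION}Response")
    if resp is None:
        return None
    fields = {child.tag: (child.text or "").strip() for child in resp}
    return {
        "remote_host": fields.get("NewRemoteHost", ""),
        "external_port": int(fields.get("NewExternalPort", "0")),
        "protocol": fields.get("NewProtocol", ""),
        "internal_port": int(fields.get("NewInternalPort", "0")),
        "internal_client": fields.get("NewInternalClient", ""),
        "enabled": fields.get("NewEnabled", "0") == "1",
        "description": fields.get("NewPortMappingDescription", ""),
    }


def suspicious(mappings, watch_host: str):
    """Active mappings that expose watch_host to the Internet: candidates for the Trojan's listener."""
    return [m for m in mappings if m["enabled"] and m["internal_client"] == watch_host]


def probe(control_url: str, limit: int = 256):
    """Walk the mapping table on a live router. Not run by the offline test."""
    mappings = []
    for index in range(limit):
        req = urllib.request.Request(
            control_url, data=build_request(index),
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{SERVICE}#{ACTION}"'},
        )
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                body = resp.read()
        except urllib.error.HTTPError as err:   # IGDs return the SOAP fault with HTTP 500
            body = err.read()
        entry = parse_response(body)
        if entry is None:
            break
        mappings.append(entry)
    return mappings


# Constructed sample documents (not captured from a real router).
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>48888</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>48888</NewInternalPort><NewInternalClient>192.0.2.25</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>sample</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE_FAULT = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>
<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>
<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>
<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail>
</s:Fault></s:Body></s:Envelope>"""
```

Any mapping that points at a server which has no business being reachable from the Internet deserves the same treatment as an unexpected firewall rule: delete it (DeletePortMapping) and, since the Trojan can simply recreate it, disable UPnP on the gateway or block the SSDP/SOAP ports from the server segment.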



Doctor Web detects infected games on Google Play with more than 4,500,000 downloads

Tue, 16 Jan 2018 02:00:00 GMT

January 16, 2018

Doctor Web virus analysts have found several games on Google Play that contain Android.RemoteCode.127.origin. It covertly downloads and launches additional modules that perform various malicious actions; for example, they simulate user actions by covertly opening websites and clicking on their elements.

Android.RemoteCode.127.origin is part of a framework (SDK, Software Development Kit) called 呀呀云 (Ya Ya Yun). Developers use it to extend the functionality of their applications; in particular, it lets gamers communicate with each other. However, besides the advertised features, the platform performs the Trojan's functions: it covertly downloads malicious modules from a remote server.

Once a program with the embedded SDK is launched, Android.RemoteCode.127.origin makes a request to the command and control (C&C) server. In response, it can receive a command to download and launch malicious modules capable of many actions. Doctor Web specialists intercepted and inspected one such module and dubbed it Android.RemoteCode.126.origin. Once launched, it connects to its C&C server and receives a link to download an allegedly benign image. In fact, this graphic file conceals another Trojan module, an updated version of Android.RemoteCode.126.origin. Virus analysts have encountered this method of hiding malicious objects in images (steganography) before; for example, it was used by the Trojan detected in 2016 and dubbed Android.Xiny.19.origin.

Once decrypted and launched, the new version of the Trojan module (detected by Dr.Web as Android.RemoteCode.125.origin) runs alongside the old one, duplicating its functions. This module then downloads another image with a hidden malicious component, named Android.Click.221.origin. Its main purpose is to covertly open websites and click on their elements, such as links and banners. To do that, Android.Click.221.origin downloads a script from an address supplied by the C&C server. The Trojan gives the script the ability to perform various actions on a webpage, including simulating clicks on specified elements. So, when the Trojan's task involves following links and advertisements, cybercriminals profit from inflated website traffic statistics and banner clicks. This is not the only capability of Android.RemoteCode.127.origin, however, because the virus writers can create additional Trojan modules that perform other malicious actions, for example displaying phishing windows to steal login credentials, showing advertisements, or covertly downloading and installing applications.

Doctor Web specialists found 27 games on Google Play that used the Trojan SDK. More than 4,500,000 mobile device owners downloaded them. The applications with embedded Android.RemoteCode.127.origin are listed in the table below:

Program name | Application package name | Version
Hero Mission | com.dodjoy.yxsm.global | 1.8
Era of Arcania | com.games37.eoa | 2.2.5
Clash of Civilizations | com.tapenjoy.warx | 0.11.1
Sword and Magic | com.UE.JYMF&hl | 1.0.0
خاتم التنين - Dragon Ring (For Egypt) | com.reedgame.ljeg | 1.0.0
perang pahlawan | com.baiduyn.indonesiamyth | 1.1400.2.0
樂舞 - 超人氣3D戀愛跳舞手遊 | com.baplay.love | 1.0.2
Fleet Glory | com.entertainment.mfgen.android | 1.5.1
Kıyamet Kombat Arena | com.esportshooting.fps.thekillbox.tr | 1.1.4
Love Dance | com.fitfun.cubizone.love | 1.1.2
Never Find Me - 8v8 real-time casual game | com.gemstone.neverfindme | 1.0.12
惡靈退散-JK女生の穿越冒險 | com.ghosttuisan.android | 0.1.7
King of Warship: National Hero | com.herogames.gplay.kowglo | 1.5.0
King of Warship:Sail and Shoot | com.herogames.gplay.ko[...]
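The article says the modules arrive inside files that look like images but does not say how they are embedded. One embedding that is common in Android malware, and the first thing an analyst checks, is data simply appended after the image's end marker (the IEND chunk of a PNG, the FFD9 marker of a JPEG), which every image decoder ignores. The following is an added example, not Doctor Web's code, that measures such a trailer and reports whether it looks like a ZIP/APK, a DEX file, an ELF binary or encrypted (high-entropy) data; whether the RemoteCode samples use exactly this layout is an assumption, not something the page states. The test images are constructed in the block (a 1x1 PNG and a minimal JPEG skeleton), not real samples.

```python
"""Look for a payload appended after the end of a PNG or JPEG image.

Added example, not Doctor Web's code. Walks the PNG chunk list to the IEND
chunk (or the JPEG segment list to the EOI marker), then classifies whatever
follows. An image that decodes fine but carries kilobytes of high-entropy
trailer is the signature of a "steganographic" module download.
"""
import math
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def png_end(data: bytes):
    """Offset just past the IEND chunk; None if the data is not a well-formed PNG."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4            # header + data + CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end(data: bytes):
    """Offset just past the EOI marker (FF D9); None if the data is not a JPEG."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                # EOI with no scan at all
            return pos + 2
        if marker == 0xDA:                # SOS: entropy-coded data runs until EOI, and
            eoi = data.find(b"\xff\xd9", pos)   # FF D9 cannot occur inside it (FF is stuffed)
            return None if eoi < 0 else eoi + 2
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
    return None


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = uniform, typical of encrypted data)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_trailer(trailer: bytes) -> str:
    if trailer.startswith(b"PK\x03\x04"):
        return "zip/apk"
    if trailer.startswith(b"dex\n"):
        return "dex"
    if trailer.startswith(b"\x7fELF"):
        return "elf"
    return "high-entropy" if entropy(trailer) > 7.0 else "low-entropy"


def inspect_image(data: bytes):
    """Return (image_type, trailer_length, trailer_class); trailer_length 0 means nothing appended."""
    end, kind = png_end(data), "png"
    if end is None:
        end, kind = jpeg_end(data), "jpeg"
    if end is None:
        return ("unknown", 0, "n/a")
    trailer = data[end:]
    if not trailer:
        return (kind, 0, "none")
    return (kind, len(trailer), classify_trailer(trailer))


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed test images: a valid 1x1 grey PNG and a JPEG skeleton (SOI, APP0, SOS, 3 scan bytes, EOI).
CLEAN_PNG = (PNG_MAGIC
             + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _chunk(b"IEND", b""))
TINY_JPEG = (b"\xff\xd8"
             + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
             + b"\x12\x34\x56"
             + b"\xff\xd9")
```

A trailer classified as "high-entropy" does not identify the module by itself (the page says the payload is decrypted before launch), but a download of an "image" with a large one, followed by a DEX load from the app's private storage, is the behaviour to alert on in dynamic analysis; the checker is also a cheap filter over an APK's assets or a proxy capture.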



Doctor Web’s annual virus activity review for 2017

Fri, 29 Dec 2017 07:00:00 GMT

December 29, 2017

In the context of information security, the past year will be remembered for such notable events as the global attacks of the encryption worms WannaCry, NePetya and BadRabbit, and for a large number of Linux Trojans for the so-called “Internet of things”. The year was also marked by the spread, across numerous websites, of malicious scripts designed to mine cryptocurrency.

In spring 2017, Doctor Web security analysts researched a new backdoor for macOS, one of the few malicious programs for the Apple OS added to the virus databases this year. Over the past 12 months, new banking Trojans designed to steal money from the accounts of clients of financial organizations also emerged: Doctor Web security specialists examined one of them, Trojan.PWS.Sphinx.2, in February, and another, Trojan.Gozi.64, in November 2017.

Fraudsters were highly active over the past year: Doctor Web regularly reported new schemes aimed at tricking Internet users. In March, network fraudsters tried to extract money from owners and administrators of various Internet resources, creating approximately 500 fraudulent webpages for this purpose. In their spam emails, the cybercriminals posed as employees of “Yandex” and “RU-Center”. They also devised a fraudulent scheme that required a victim to enter their personal pension account number (SNILS). Additionally, in July, the Government Services Portal of the Russian Federation (gosuslugi.ru) was compromised: unknown fraudsters injected potentially dangerous code into the Portal's pages. The vulnerability was soon eliminated by the Portal's administration.

2017 was also a difficult year for owners of Android mobile devices. Over the summer, Doctor Web security analysts examined a multifunctional Android Trojan that gained control over a device and stole confidential information from customers of financial and credit organizations. A game with an embedded loader Trojan was quickly detected on Google Play; more than a million users had downloaded it. Over the course of the year, Doctor Web specialists detected Android Trojans pre-installed in the factory firmware of mobile devices, as well as many other malicious programs and riskware for this platform.

Principal trends of the year

  • The emergence of dangerous encryption worms capable of spreading without user intervention
  • A spike in the number of Linux Trojans for the “Internet of things”
  • The spread of dangerous malicious programs for Android

Most notable events of 2017

Encoder Trojans, which encrypt files and demand a ransom for their restoration, were usually spread as some “useful” tool or via malicious mailings. Most often, cybercriminals attached to emails not the encryption Trojan itself but a small loader Trojan, which downloaded and launched the encoder when the victim tried to open the attachment. Worms capable of spreading across the network on their own had not previously been used to encrypt files; they had quite different malicious functions. Early in the year, Doctor Web specialists examined one representative of this class of malicious programs. The first encoder combining the capabilities of an encryptor and a network worm was Trojan.Encoder.11432, which became widely known as WannaCry. Mass spreading of this malicious program started around 10 a.m. on May 12, 2017. To infect other computers, the worm used a vulnerability in the SMB protocol (MS17-010), threatening both local network hosts and computers on th[...]



Doctor Web’s December 2017 virus activity review

Fri, 29 Dec 2017 13:04:35 GMT

December 29, 2017

The last month of the year was marked by the emergence of a new backdoor for computers and devices running Microsoft Windows. In December, Doctor Web analysts also determined that cybercriminals had started hacking websites using the Linux Trojan Linux.ProxyM. Over the course of the month, the Dr.Web virus databases were updated with signatures of new malicious programs for Android.

Principal trends of December

  • A new Trojan for Linux
  • Website hacking using a Linux Trojan
  • Distribution of new malicious programs for Android

Threat of the month

In December, virus analysts examined another representative of the Anunak Trojan family, which can execute cybercriminals' commands on an infected computer. The new backdoor was developed for 64-bit Windows versions and was dubbed BackDoor.Anunak.142. The Trojan can perform the following actions on an infected computer:

  • Download files from a specific remote server;
  • Upload files to a remote server;
  • Launch a file on an infected device;
  • Execute commands in the cmd.exe console;
  • Redirect traffic between ports;
  • Download and install its own modules.

More information about this malicious program can be found in the news article published on our website.

According to Dr.Web Anti-virus statistics

  • Trojan.Starter.7394: a Trojan whose main purpose is to launch, in an infected system, an executable file with a specific set of malicious functions.
  • Trojan.Encoder.11432: an encryption worm known as WannaCry.
  • Trojan.Zadved: a Trojan that displays fake search results in the browser window and imitates pop-up messages from social networking sites. It can also replace advertisements displayed on various Internet resources.
  • JS.BtcMine.2: JavaScript designed to mine cryptocurrencies covertly.
  • Trojan.BPlug: plug-ins for popular browsers that display annoying advertisements to users browsing webpages.

According to Doctor Web's statistics servers

  • JS.BtcMine.2: JavaScript designed to mine cryptocurrencies covertly.
  • JS.Inject: a family of malicious JavaScripts that inject malicious script into the HTML code of webpages.
  • Trojan.Inject: a family of malicious programs that inject malicious code into the processes of other programs.
  • Trojan.Starter.7394: a Trojan whose main purpose is to launch, in an infected system, an executable file with a specific set of malicious functions.
  • Trojan.PWS.Stealer: a family of Trojans designed to steal passwords and other confidential information stored on an infected computer.
  • Trojan.DownLoader: a family of malicious programs designed to download other malware to the compromised computer.

Statistics concerning malicious programs discovered in email traffic

  • Trojan.DownLoader: a family of malicious programs designed to download other malware to the compromised computer.
  • JS.Inject: a family of malicious JavaScripts that inject malicious script into the HTML code of webpages.
  • JS.DownLoader: a family of malicious JavaScripts that download and install malicious software on a computer.
  • VBS.DownLoader: a family of malicious VBScript files that download and install malicious software on a computer.
  • JS.BtcMine.2: JavaScript designed to mine cryptocurrencies covertly.

Encryption ransomware

In December, cases involving the following ransomware modifications were registered by Doctor Web's technical support service:

  • Trojan.Encoder.858: 27.29% of requests;
  • Trojan.Encoder.11539: 12.55% of requests;
  • Trojan.Encoder.3953: 4.09% of requests;
  • Trojan.Encoder.11464: 3.41% of requests[...]



Doctor Web examines new backdoor for Windows

Fri, 22 Dec 2017 15:59:42 GMT

December 22, 2017

The Anunak backdoor family is a whole range of malicious programs capable of executing cybercriminals’ commands on an infected device. Doctor Web security specialists examined a new family representative. It infects 64-bit versions of Microsoft Windows and encrypts all data exchanged with the command and control server (C&C server).

The Trojan dubbed BackDoor.Anunak.142 exchanges information with its C&C server in encrypted packets; in addition, the header of each packet and each block of sent data are encrypted separately. This new backdoor infects devices running 64-bit Windows versions. There is also a 32-bit modification of the Trojan, which carries the family index 124.

BackDoor.Anunak.142 can perform the following actions on an infected device:

  • Download files from a specific remote server;
  • Upload files to a remote server;
  • Launch a file on an infected device;
  • Execute commands in the cmd.exe console;
  • Redirect traffic between ports;
  • Download and install its own modules.

A BackDoor.Anunak.142 signature is already in the Dr.Web virus databases; therefore, this malicious program poses no threat to our users.

More about the Trojan



Doctor Web warns of website hacking using the “Internet of things”

Thu, 07 Dec 2017 17:00:44 GMT

December 7, 2017

Doctor Web has already published an article on the Trojan Linux.ProxyM, which is capable of infecting “smart” Linux devices. In September, cybercriminals used it to send spam; lately they have been using it to hack websites.

Linux.ProxyM is a malicious program for Linux that launches a SOCKS proxy server on an infected device. Cybercriminals can use it to carry out destructive actions anonymously. Known builds of this Trojan exist for devices with the following architectures: x86, MIPS, MIPSEL, PowerPC, ARM, SuperH, Motorola 68000 and SPARC. That means Linux.ProxyM can infect almost any Linux device, including routers, set-top boxes and similar equipment.

In September, Doctor Web security researchers learned that cybercriminals were using Linux.ProxyM to send over 400 spam messages per day from each infected device. The emails advertised adult content resources and questionable financial services. Soon the cybercriminals began using the “Internet of things” to distribute phishing messages. The emails were supposedly sent on behalf of DocuSign, a service that allows users to download, view, sign and track the status of electronic documents. If a user followed the link in an email, they landed on a fake DocuSign website with an authorization form. After the password was entered, the victim was redirected to the real DocuSign authorization page, while the contents of the phishing form were sent to the cybercriminals.

In December, cybercriminals found another use for devices infected with Linux.ProxyM: they used the Trojan's proxy server to preserve anonymity and made numerous attempts at hacking websites. The attackers use various methods: SQL injection (injecting malicious SQL code into a request to the website's database); XSS (Cross-Site Scripting), an attack that adds a malicious script to a webpage so that it executes in the browser of anyone who opens the page; and Local File Inclusion (LFI), which lets attackers read files on the attacked server by sending specially crafted requests that make the web application include local files. Among the attacked websites were game servers, forums and resources on other topics, including Russian websites.

Doctor Web security analysts continue to monitor the activity of the Linux.ProxyM botnet. The chart with the number of registered Trojan attacks is presented below.

Although Linux.ProxyM has only one function, a proxy server, cybercriminals continue to find new ways to use it for illegal actions and show increasing interest in the “Internet of things”.

More about the Trojan [...]
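Because the attacks come through a proxy botnet, what a site operator sees is the same SQLi, XSS and LFI probes arriving from many unrelated addresses. The following is an added example, not Doctor Web's code, of the triage a web administrator would run over an access log: URL-decode each requested path (repeatedly, since probes are often double-encoded), match a small signature set for each of the three classes named above, and tally hits per client address so the proxy nodes stand out. The log lines are constructed in Common Log Format with documentation addresses, not real traffic, and the signature set is a deliberately short assumption, not a complete ruleset.

```python
"""Spot SQLi, XSS and LFI probes in web access logs and count them per source address.

Added example, not Doctor Web's code. Normalises the request path (repeated
percent-decoding, NUL stripping, lower-casing), matches one signature set per
attack class, and aggregates by client IP. Constructed sample log below.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Common Log Format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Deliberately short signatures; matched against the already lower-cased, decoded path.
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s+\S+\s*=|union\s+(all\s+)?select|sleep\s*\(|;\s*drop\s+table"),
    "xss": re.compile(r"<\s*script|javascript:|on(error|load|mouseover)\s*=|<\s*img[^>]+src"),
    "lfi": re.compile(r"(\.\./|\.\.\\){2,}|/etc/(passwd|shadow)|php://(filter|input)|proc/self/environ"),
}


def normalize(path: str) -> str:
    """Percent-decode until the string stops changing (bounded), drop NULs, lower-case."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\x00", "").lower()


def classify_request(path: str):
    """Attack classes whose signatures match the normalised path (empty list if none)."""
    text = normalize(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan(lines):
    """Return {client_ip: Counter({class: hits})} for every matching request."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for cls in classify_request(m.group("path")):
            per_ip[m.group("ip")][cls] += 1
    return per_ip


# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.4 - - [07/Dec/2017:10:01:02 +0000] "GET /forum/index.php?id=1 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [07/Dec/2017:10:01:03 +0000] "GET /forum/index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 5120',
    '203.0.113.9 - - [07/Dec/2017:10:02:17 +0000] "GET /download.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432',
    '203.0.113.9 - - [07/Dec/2017:10:02:18 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 800',
    '192.0.2.77 - - [07/Dec/2017:10:03:00 +0000] "GET /page.php?p=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 210',
    '198.51.100.4 - - [07/Dec/2017:10:04:00 +0000] "POST /login HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    for ip, counts in sorted(scan(SAMPLE_LOG).items()):
        print(ip, dict(counts))
```

The double-encoded line (192.0.2.77) is the reason for the bounded decode loop: a single unquote leaves it as "%2e%2e%2f", which no traversal signature matches. A 200 status next to an LFI hit, as on the /download.php line, is the one to investigate first, since the server may actually have returned the file.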