Subscribe: News of Doctor Web
http://news.drweb.com/rss/get/?c=5&lng=en
Doctor Web news - All the news

Doctor Web detected a Trojan that is incapable of decrypting files

Mon, 16 Apr 2018 00:00:00 GMT

April 16, 2018

Doctor Web specialists have analyzed a new encryption Trojan. In most cases, files corrupted by this encoder cannot be decrypted because of an error made by the cybercriminals. The Trojan was dubbed Trojan.Encoder.25129; the preventive protection of Dr.Web Anti-virus automatically detects it as DPH:Trojan.Encoder.9.

Once launched, the Trojan determines the user's location from the infected device's IP address. The cybercriminals designed the malicious program not to encrypt files if the device is located in Russia, Belarus or Kazakhstan, or if the Russian language and Russian regional settings are set in the system preferences. However, because of a code error, the encoder encrypts all files regardless of the IP address's geographical location.

Trojan.Encoder.25129 encrypts the contents of the current user's folders, the Windows Desktop, and the AppData and LocalAppData system folders. Files are encrypted with AES-256-CBC, and the extension “.tron” is appended to each encrypted file. Files larger than 30,000,000 bytes (about 28.6 MB) are not encrypted. When encryption is complete, the file %ProgramData%\trig is created and the value “123” is written into it (if this file already exists, encryption is not performed). The Trojan then sends a request to the iplogger website; the website address is hardcoded into the program's body.

The malicious program then displays a window with ransom demands. The ransom demanded by the cybercriminals ranges from 0.007305 to 0.04 BTC. Once the HOW TO BUY BITCOIN button is clicked, the Trojan displays a window with instructions on how to buy Bitcoin:

Despite the cybercriminals' claims that victims can restore their encrypted files, in most cases this is impossible because of the code error. The encoder poses no threat to Dr.Web users: the preventive protection of our anti-virus products successfully detects and removes the Trojan. At the same time, Doctor Web specialists encourage users to make timely backups of their most valuable data.

More about this Trojan

#Trojan.Encoder #malicious_software #ransom #Trojan[...]



Doctor Web: a Trojan on Google Play subscribes users to paid services

Mon, 16 Apr 2018 00:00:00 GMT

April 16, 2018

Doctor Web virus analysts have detected the Trojan Android.Click.245.origin on Google Play. On the cybercriminals' command, it loads websites where users are tricked into subscribing to paid content services. In some cases the subscription is activated automatically when the user clicks a fake “download program” button.

Cybercriminals distributed Android.Click.245.origin on behalf of the developer Roman Zencov and disguised the Trojan as popular applications: the Miraculous Ladybug & Cat Noir game, which has not yet been released on Android; the GetContact app for making calls and storing telephone numbers, which became famous in the early spring; and the virtual assistant Alice, which is embedded in Yandex applications and is not yet available as a separate app. One of the Trojan programs was in the top 30 new popular apps on Google Play. Doctor Web specialists have informed Google about Android.Click.245.origin, and it was removed from Google Play. Over 20,000 users downloaded the fake applications.

None of these programs had any useful functions; their only purpose was to load webpages on the command of cybercriminals. The pages of the malicious applications found on Google Play are shown below:

Once launched, Android.Click.245.origin connects to the command and control server and waits for a task. Depending on the IP address of the connected device, the Trojan receives a link to a particular website to load. The malicious program follows this link and displays the page in a WebView.

If the device is connected to the Internet via Wi-Fi, the user is invited to download an application by clicking the corresponding button. For example, if the victim runs the fake virtual assistant program Alice, a file called “Alice Yandex.apk” is offered for download. When attempting to download the file, the user is asked to enter a phone number for “authorization” or download confirmation. Upon entering the phone number, the user receives a confirmation code that must be entered on the website to complete the “download”. The victim is then subscribed to a paid service instead of receiving the intended program.

If the infected device is connected to the Internet via a mobile connection, the website loaded by the Trojan performs several redirections, and Android.Click.245.origin finally opens the website in Google Chrome. On this page, the user is invited to click “Continue” to download a file and is then redirected to another website where the download is supposed to start. Upon clicking “Start download”, the victim is automatically subscribed to one of the expensive services requiring daily payment, using the Wap-Click technology. Access to such services is granted without the user having to enter a phone number or receive a confirmation code via SMS.

If the Trojan does not receive a task, it downloads several pictures from the Internet and displays them on the screen.

Subscribing users to unwanted services is one of the most popular and well-known sources of illegal income for cybercriminals. Subscribing to such premium services via Wap-Click is especially dangerous because the user is not informed about new subscriptions in any way, and dishonest content providers often use this scheme to trick people into subscribing. To avoid losing money, smartphone and tablet owners should be careful when browsing websites and should not click any suspicious links or buttons. Users should also install only software distributed by known and reliable developers, and use an anti-virus. Dr.Web for Android successfully detects all known modifications of Android.Click.245.origin, so the Trojan poses no threat to our users.

More about this Trojan

#Android #Google_Play #mobile #paid_subscription #fraud [...]



Dr.Web Security Space for Android updated to version 12.2

Thu, 12 Apr 2018 00:00:00 GMT

April 12, 2018

Russian anti-virus company Doctor Web has updated Dr.Web Security Space for Android to version 12.2. The update makes the application compatible with Android 8.1 and below and delivers feature upgrades and fixes for known defects.

Dr.Web Security Space 12.1 for Android should be used on devices running Android 4.0-4.3; the features found in version 12.2 are only available under Android 4.4 and later.

Upgrades in version 12.2:

  • The Anti-theft locks the device if the SIM card is changed but the device is not rebooted.
  • Firewall exceptions for applications.
  • Faster scanning.
  • The Security Auditor can detect vulnerability CVE-2017-0752.

Fixes

  • An issue that could interfere with Dr.Web license activation.
  • Application UI tweaks (including the build for Android TV).
  • The cause behind the scanner terminating abnormally during 7z archive scanning.
  • Minor tweaks related to the application's operation in the centralised protection mode as part of Dr.Web Enterprise Security Suite.

The Dr.Web software will be updated automatically under Android 4.4 and later. If you disabled automatic updating on your device, go to Google Play, select the Dr.Web Security Space or Dr.Web Security Space Life icon in the application list, and tap “Update”.

To perform an update via Doctor Web's site, download the updated distribution. If you enable the settings option “New application version”, a new version notification will be displayed whenever the virus databases have been updated. You can start the download directly from this dialog box.

Dr.Web Security Space for Android is available free of charge to Dr.Web Security Space and Dr.Web Anti-virus license owners. The new version of Dr.Web for Android is also available as part of Dr.Web Mobile Security Suite (for business) and the Dr.Web Anti-virus service (for the Dr.Web Premium and Dr.Web Mobile subscription packages).




Dr.Web Light for macOS updated to version 11.1.0

Tue, 10 Apr 2018 00:00:00 GMT

April 10, 2018

Russian anti-virus company Doctor Web has updated its Dr.Web Light for macOS product to version 11.1.0. The update improves the application's compatibility with upcoming versions of macOS.

To update Dr.Web Light for macOS to version 11.1.0, go to the Mac App Store and in the Update section, click Update next to the product name. Dr.Web Light for macOS users can update the product free of charge.

Please note that Dr.Web Light for macOS has a limited set of features. To fully protect your Mac, use Dr.Web for macOS.

#update #Dr.Web #macOS




Doctor Web: more than 78,000,000 rubles of Sberbank’s clients are under threat

Thu, 05 Apr 2018 00:00:00 GMT

April 5, 2018

Doctor Web virus analysts have detected the spread of Android.BankBot.358.origin, which targets Sberbank's clients. This malicious program steals bank card information, empties accounts, blocks infected devices and demands a ransom. Android.BankBot.358.origin could cause a loss of over 78,000,000 rubles.

Dr.Web has known of Android.BankBot.358.origin since the end of 2015. Virus analysts have determined that new modifications of Android.BankBot.358.origin are designed to attack Russian Sberbank clients and have already infected more than 60,000 mobile devices. However, virus writers spread numerous different versions of this malicious application, so the number of victims may be significantly higher. In total, cybercriminals could steal more than 78,000,000 rubles from the bank accounts of infected devices' owners, and over 2,700,000 rubles more from their mobile phone accounts. The following figures show sections of the Android.BankBot.358.origin administration panel with information on infected devices and statistics for one of the detected botnets:

This banking Trojan is distributed via fraudulent SMS messages, which can be sent both by the cybercriminals and by the malicious program itself. The messages are mostly sent on behalf of Avito.ru users and invite the victim to follow a link, supposedly to read a reply to a posted ad. For example, the following text is popular: “Good day, are you interested in an exchange?”. Sometimes mobile device owners also receive fake notifications about loans, mobile transfers and funds credited to a bank account. Below are examples of phishing messages stored in the administration panel of the Trojan's server and sent on the cybercriminals' command:

When following the link from such a message, the victim sees the cybercriminals' website, from which the mobile device downloads a malicious APK file. To make it more convincing, cybercriminals use the real Avito branding in Android.BankBot.358.origin, increasing the likelihood of a successful Trojan installation after download. Some of the banker's modifications are distributed as other programs, for example, software for working with the Visa and Western Union payment systems.

On first launch, Android.BankBot.358.origin requests device administrator rights and keeps asking until the user gives up and grants it all the required privileges. After obtaining them, the Trojan displays a fake message about an installation error and removes its icon from the list of programs on the home screen. In other words, Android.BankBot.358.origin tries to hide itself on the smartphone or tablet. If the user later tries to remove the banker from the list of administrators, Android.BankBot.358.origin activates a self-protection function and closes the corresponding system settings window. Some Trojan versions also set their own lock screen PIN codes.

After infecting a device, Android.BankBot.358.origin connects to the command and control server, reports the successful infection and waits for further instructions. The Trojan's main goal is to steal money from Sberbank's Russian-speaking clients, and its main attack vector is phishing. The cybercriminals send the Trojan a command to block the infected device with a window containing a fraudulent message. It imitates the appearance of Sberbank Online, the remote banking and payment system, and is displayed to all users regardless of whether they are clients of Sberbank or of another financial organization. The message notifies the client of a received money transfer of 10,000 rubles. To receive the money, the smartphone or tablet owner is invited to provide full b[...]



March 2018 virus activity review from Doctor Web

Tue, 03 Apr 2018 00:00:00 GMT

April 3, 2018

In March, Doctor Web specialists detected and examined numerous new malicious programs. A mass phishing mailing sent on behalf of Mail.Ru was detected at the beginning of the month. Researchers also examined several new Trojans from the large Trojan.LoadMoney family of malicious programs. In mid-March, a dangerous Trojan called Trojan.PWS.Stealer.23012 was detected; it steals files and other confidential information from infected devices. Security researchers also detected a whole range of malicious programs for Google Android in March.

Principal trends in March

  • Mass mailing of phishing email messages
  • Distribution of new representatives of the Trojan.LoadMoney family
  • Emergence of a dangerous Trojan capable of stealing confidential information

Threat of the month

Distribution of Trojan.PWS.Stealer.23012 started on March 11, 2018. Cybercriminals posted links to the Trojan in the comments section of YouTube videos. Many of these videos demonstrate fraudulent game tutorial methods (so-called “cheats”) that involve special applications; cybercriminals try to pass the Trojan off as such applications and other useful tools. The Trojan collects cookie files and login credentials from several popular browsers on the infected computer, takes a screenshot and copies files from the Windows Desktop. The stolen information is then sent to the cybercriminals' server along with data on the location of the infected device. For more information on the operation of Trojan.PWS.Stealer.23012, refer to the article published on our website.

According to Dr.Web Anti-virus statistics

  • Trojan.Starter.7394: A Trojan whose main purpose is to launch, in an infected system, an executable file possessing a specific set of malicious functions.
  • Trojan.Inject: A family of malicious programs that inject malicious code into the processes of other programs.
  • Trojan.Zadved: This Trojan displays fake search results in the browser window and imitates pop-up messages from social networking sites. It can also replace advertisements displayed on various Internet resources.
  • Trojan.Moneyinst.520: A malicious program that installs various software, including other Trojans, on a victim's computer.
  • Trojan.Encoder.11432: A network worm that launches a dangerous ransomware Trojan on a victim's computer. It is also known as WannaCry.

According to Doctor Web's statistics servers

  • BackDoor.Meterpreter.56: A representative of a malware family that allows cybercriminals to remotely control an infected computer and send it various commands.
  • JS.Inject: A family of malicious JavaScripts that inject malicious script into the HTML code of webpages.
  • BackDoor.IRC.Bot.4771: A representative of a malware family that allows cybercriminals to remotely control an infected computer and send it various commands. The Trojan is controlled via the IRC (Internet Relay Chat) text-messaging protocol.
  • Trojan.Encoder.11432: A network worm that launches a dangerous ransomware Trojan on a victim's computer. It is also known as WannaCry.
  • JS.DownLoader: A family of malicious JavaScripts that download and install malicious software on a computer.

Statistics concerning malicious programs discovered in email traffic

  • JS.Inject: A family of malicious JavaScripts that inject malicious script into the HTML code of webpages.
  • Trojan.Encoder.24788: A malicious program belonging to the family of encryption ransomware Trojans that encrypt files and demand a ransom to decrypt compromised data.
  • Java.Jrat.58: Malware that controls computers remotely (a Remote Access Tool, RAT). This malicious program is written in Java.
  • Trojan.PWS.Stealer: A family of Trojans designed to steal passwords and other confidential information stored on an infected computer.

Encryption ransomware

In March, Doctor Web's technical support was most often contacted by victims of the following modifications to encryption ransomwa[...]



A phishing mailing, dangerous spyware and other events of March 2018

Tue, 03 Apr 2018 00:00:00 GMT

April 3, 2018

Doctor Web presents its March 2018 virus activity review. At the beginning of the month, cybercriminals were busy sending spam email messages with a link to a fake Mail.Ru website, trying to steal user accounts. Virus analysts also examined new representatives of the Trojan.LoadMoney family that downloaded other malicious programs on computers. At the end of the month, a dangerous Trojan was detected. It stole files and other confidential information from infected Windows devices. For more information about these and other events, go to our review.

Go to the review



March 2018 mobile malware review from Doctor Web

Tue, 03 Apr 2018 00:00:00 GMT

April 3, 2018

In March, Doctor Web published the examination results for Android.Triada.231, which cybercriminals injected into the firmware of dozens of Android smartphone models. Virus analysts also detected numerous malicious programs on Google Play, among them Android.BankBot.344.origin, an Android banker designed to steal money from Russian users, and Trojans of the Android.Click family, which can load and display any webpage. Also in March, Doctor Web specialists found new banking Trojans created on the basis of the source code of Android.BankBot.149.origin.

Principal trends in March

  • Detection of a dangerous Trojan in the firmware of dozens of models of Android mobile devices
  • Detection of malicious programs on Google Play
  • The emergence of new banking Trojans

Mobile threat of the month

Over the past month, Doctor Web reported the detection of Android.Triada.231 in the firmware of more than 40 models of Android devices. This malicious program, known since 2017, infects the processes of all running applications and can covertly perform various actions on a cybercriminal's command, for instance, installing and removing software. After Doctor Web specialists informed the developers of the mobile devices infected by the Trojan, some of the companies quickly released firmware updates that removed Android.Triada.231.

According to statistics collected by Dr.Web for Android

  • Android.HiddenAds.253, Android.HiddenAds.246.origin: Trojans designed to display unwanted ads on mobile devices. They are distributed under the guise of popular apps by other malicious programs, which sometimes covertly install them in the system directory.
  • Android.Mobifun.4: A Trojan designed to download other Android applications.
  • Android.RemoteCode.117.origin: A Trojan that downloads and launches various program modules, including malicious ones.
  • Android.Packed.15893: Detection for Android Trojans protected by a program packer.
  • Adware.Adtiming.1.origin, Adware.Adpush.601, Adware.Jiubang.2: Unwanted program modules incorporated into Android applications and designed to display obnoxious ads on mobile devices.
  • Tool.SilentInstaller.1.origin, Tool.SilentInstaller.6.origin: Riskware designed to silently launch applications without the user's involvement.

Banking Trojans

At the beginning of March, Doctor Web virus analysts detected Android.BankBot.344.origin on Google Play. It was distributed as a universal application for working with the online banking systems of several Russian financial organizations. The malicious program invited the potential victim to log into their account by entering login credentials, or to register by entering bank card details. All entered information was then sent to the cybercriminals, who could then steal money from the users' accounts. More information about this malware can be found in the corresponding review published by Doctor Web.

In mid-March, Doctor Web specialists reported on new Android bankers created using the source code of Android.BankBot.149.origin. One of them was dubbed Android.BankBot.325.origin. This Trojan tracks the launch of banking programs and software for working with social networks and cryptocurrencies, and displays fraudulent authorization forms on top of their windows. After users enter logins, passwords and other confidential information, Android.BankBot.325.origin sends it to the cybercriminals. In addition, virus writers used the Trojan for cyber espionage and remote access to infected devices.

Trojans on Google Play

In March, Doctor Web specialists detected more than 70 programs on Google Play containing Trojans of the Android.Click family. The malicious applications, named Android.Click.415, Android.Click.416 and Android.Click.417, were spread disguised as popular software, inside fake games, in various recipe collections and in knitting guidebooks. Upon the c[...]



A Trojan in Android smartphone firmware, malicious programs on Google Play and other events in our March 2018 mobile virus activity review

Tue, 03 Apr 2018 00:00:00 GMT

April 3, 2018

Doctor Web presents its March 2018 overview of malware for mobile devices. Over the past month, Doctor Web specialists have reported on a dangerous Trojan injected into the firmware of more than 40 smartphone models. Additionally, more malicious applications were detected in March on Google Play. Banking Trojans were also spread during the past month.

Go to the review



Dr.Web for macOS updated to version 11.0.4

Tue, 03 Apr 2018 00:00:00 GMT

April 3, 2018

Doctor Web has updated its Dr.Web for macOS to version 11.0.4. The update delivers a fix for an identified problem.

Specifically, it eliminates an issue that prevented exclusion path information from being transmitted if a scan was being initiated remotely in Dr.Web Enterprise Security Suite 10.1.

To update the anti-virus to version 11.0.4, users need to download the new distribution at https://download.drweb.com/?lng=en.

#Dr.Web #macOS #update




Components updated in Dr.Web 11.0 for Unix Mail Servers and in Dr.Web Anti-virus 11.0 for Linux

Thu, 29 Mar 2018 10:10:43 GMT

March 29, 2018

Russian anti-virus company Doctor Web has updated the drweb-maild module (11.0.5-1803212111) in Dr.Web 11.0 for Unix Mail Servers and in Dr.Web Anti-virus 11.0 for Linux. The update delivers a feature upgrade for the module.

Specifically, drweb-maild’s routines related to logging information about threats in emails have been upgraded.

The component is updated via the Dr.Web repository.

#update #Dr.Web #UNIX #Linux




Components updated in Dr.Web 11.0 for Windows, Dr.Web KATANA 1.0, Dr.Web Enterprise Security Suite 10.0 and 10.1, Dr.Web AV-Desk 10.0 and 10.1, Dr.Web 11.0 for MS Exchange, Dr.Web 11.0 for Microsoft ISA Server and Forefront TMG, and Dr.Web 11.0 for IBM Lotus Domino

Wed, 28 Mar 2018 00:00:00 GMT

March 28, 2018

Russian anti-virus company Doctor Web has updated the anti-exploit module Dr.Web Shellguard (11.01.13.03260), Dr.Web Anti-rootkit API (11.1.21.201803260), and the self-defence module Dr.Web Protection for Windows (11.01.18.03230) in a number of Dr.Web products. The update resolves known issues and delivers minor upgrades.

Changes made to the anti-exploit module in Dr.Web 11.0 for Windows, Dr.Web KATANA 1.0, Dr.Web Enterprise Security Suite 10.0 and 10.1, and Dr.Web AV-Desk 10.0 and 10.1:

  • An issue causing false positives to occur when TrustView-protected office applications were being launched has been eliminated.

Changes made to the anti-rootkit module in Dr.Web 11.0 for Windows, Dr.Web Enterprise Security Suite 10.0 and 10.1, and Dr.Web AV-Desk 10.0 and 10.1:

  • A problem that could cause a system crash (BSOD) while disk boot sectors were being checked during a custom scan has been corrected.

The update will be performed automatically; however, a system reboot will be required.




Doctor Web: new Trojan distributed via YouTube

Fri, 23 Mar 2018 00:00:00 GMT

March 23, 2018

Doctor Web is warning users about the spread of a dangerous Trojan designed to steal files and other confidential information from infected devices. Using such leaked data, cybercriminals can gain access to user accounts on social network sites and other online services.

The malicious program, dubbed Trojan.PWS.Stealer.23012, is written in Python and infects computers running Microsoft Windows. Distribution of the Trojan started on March 23, 2018 and continues to this day. Cybercriminals publish links to the malicious program in the comments section of videos on YouTube, a popular web resource. Many of these videos focus on cheating methods in games (so-called “cheats”) that use special applications, and cybercriminals try to pass the Trojan off as such programs and useful utilities. The links lead to Yandex.Disk servers. To persuade users to click the link, the videos contain comments clearly posted from fake accounts. When clicking the link, victims download a self-extracting RAR archive containing the Trojan onto their computers.

(image)

An example of the link to a malicious file published in the comments section of the video.

Once launched on an infected computer, the Trojan collects the following information:

  • cookies stored by the Vivaldi, Chrome, YandexBrowser, Opera, Kometa, Orbitum, Dragon, Amigo, and Torch browsers;
  • saved logins/passwords from the same browsers;
  • screenshot.

It also copies files with “.txt”, “.pdf”, “.jpg”, “.png”, “.xls”, “.doc”, “.docx”, “.sqlite”, “.db”, “.sqlite3”, “.bak”, “.sql”, “.xml” extensions from Windows Desktop.

Trojan.PWS.Stealer.23012 saves all gathered information in the C:/PG148892HQ8 folder. It then packs all the data into the spam.zip archive, which is sent to the cybercriminals' server along with data on the infected device's location.

Doctor Web virus analysts have found several modifications of the Trojan. Some of them are detected as Trojan.PWS.Stealer.23198. Dr.Web anti-virus products successfully detect all known modifications of this malicious program, so they pose no threat to our users.

More about this Trojan

#cookies #malware #screenshot #Trojan



Components updated in Dr.Web KATANA 1.0

Thu, 22 Mar 2018 09:48:58 GMT

March 22, 2018

Russian anti-virus company Doctor Web has updated the following in Dr.Web KATANA 1.0: Dr.Web Anti-rootkit API (11.1.20.201803140), the self-protection module Dr.Web Protection for Windows (11.01.17.03020), the Dr.Web Sysinfo (11.1.8.201802260) module, the Dr.Web Thunderstorm Cloud Client SDK (11.0.5.01150) module, Lua-script for dwprot (KATANA) (1.0.1.03131), and the katana-service module (11.1.8.03130). The components have been updated to the current versions being used in Dr.Web 11.0 applications for Windows. The update also makes the application compatible with Windows 10 Redstone 4.

The heuristic protection and detection routines have been upgraded for the anti-rootkit module.

The update also delivers minor tweaks for the other components.

The update will be performed automatically; however, a system reboot will be required.




Doctor Web: banking Trojan Android.BankBot.149.origin has become a rampant tool of cybercriminals

Tue, 20 Mar 2018 01:00:00 GMT

March 20, 2018

Doctor Web discovered the Trojan Android.BankBot.149.origin back in January 2016. After the attackers published the source code of this banking Trojan, virus writers created a number of new modifications on its basis, which are still being actively developed to this day. Some of them have turned into multifunctional malicious programs capable of stealing usernames and passwords for applications used for working with cryptocurrencies, as well as spying on users.

When it appeared, Android.BankBot.149.origin was a banking Trojan with a typical set of functions. It displayed phishing windows used to steal usernames and passwords for the online banking systems of various credit organizations, stole bank card information, and could intercept incoming SMS messages to obtain one-time passwords used to confirm money transfers.

When the source code of this malware became available to everyone, virus writers began creating similar Trojans on its basis, and criminals actively distributed them through Google Play. Among these banking Trojans were Android.BankBot.179.origin, Android.BankBot.160.origin, Android.BankBot.163.origin, Android.BankBot.193.origin and Android.Banker.202.origin, which the virus writers disguised as innocuous and useful applications.

Another Trojan based on this code was added to the Dr.Web virus database as Android.BankBot.250.origin; it is also known as Anubis. Doctor Web virus analysts found the first versions of this malicious program in November 2017. These modifications of the Trojan copied the capabilities of Android.BankBot.149.origin almost completely. The banking Trojan was able to perform the following actions:

  • sending SMS messages with the given text to the number specified in the command;
  • executing USSD requests;
  • sending copies of SMS messages stored on the device to the control server;
  • receiving information about installed applications;
  • showing dialog boxes with the text specified in the command;
  • requesting additional permissions needed for its operation;
  • showing push notifications whose contents are specified in the command;
  • showing push notifications whose contents are set in the Trojan's code;
  • blocking the device's screen with a WebView window that displays a web page received from the server;
  • sending all the numbers from the contact list to the server;
  • sending SMS messages to all numbers from the contact list;
  • accessing information about the device and its location;
  • requesting access to accessibility features (Accessibility Service);
  • learning the IP address of the infected smartphone or tablet;
  • clearing its configuration file and stopping its own operation.

The pictures below show an example of the Android.BankBot.250.origin Trojan's control panel:

However, as Android.BankBot.250.origin updates appeared, its functionality gradually expanded. One of the Trojan's new versions, named Android.BankBot.325.origin, provides remote access to infected devices. As a result, the banking Trojan can work as a remote administration utility, or RAT (Remote Administration Tool). Among its new features is the ability to view the list of files stored in the memory of an infected smartphone or tablet, upload any of them to the control server, and delete them. In addition, the Trojan can monitor everything happening on the screen, taking screenshots and sending them to the criminals. On the virus writers' command, Android.BankBot.325.origin was also able to listen to its surroundi[...]



Components updated in Dr.Web 11.0 products for UNIX

Mon, 19 Mar 2018 09:46:30 GMT

March 19, 2018

Russian anti-virus company Doctor Web has updated drweb-esagent (11.0.5-1803141314), drweb-configd (11.0.6-1803051755) and drweb-libzypp (11.0.5-1712081357) in Dr.Web Anti-virus 11.0 for Unix Mail Servers, Dr.Web 11.0 for Unix Server, Dr.Web Anti-virus 11.0 for Internet Gateways Unix and Dr.Web Anti-virus 11.0 for Linux. The update resolves known software issues.

Specifically, it eliminates a drweb-esagent issue that prevented exclusion path information from being transmitted if a scan was being initiated remotely in Dr.Web Enterprise Security Suite 10.1.

Furthermore, it resolves a drweb-configd problem that could occur if certain settings were being changed via the console utility drweb-ctl cfset.

The drweb-libzypp module has received an optimised component updating routine for run packages. The routine is utilised in systems where the zypper package manager is used.

The component is updated via the Dr.Web repository.

#update #Dr.Web #UNIX #Linux



Anti-rootkit module updated in numerous Dr.Web products

Wed, 14 Mar 2018 00:00:00 GMT

March 14, 2018

Russian anti-virus company Doctor Web has updated Dr.Web Anti-rootkit API (11.1.20.201803140) in Dr.Web 11.0 for Windows, Dr.Web Enterprise Security Suite 10.0 and 10.1, Dr.Web AV-Desk 10.0 and 10.1, Dr.Web 11.0 for MS Exchange, Dr.Web 11.0 for Microsoft ISA Server and Forefront TMG, and Dr.Web 11.0 for IBM Lotus Domino. The update makes the solutions compatible with KB4088875 and KB4088876 updates from Microsoft and resolves known issues.

Changes made to Dr.Web Anti-rootkit API:

  • A Dr.Web license validation issue has been eliminated. The problem had emerged on computers running Windows 7 (x86) and Windows 8.1 (x86) after updates KB4088875 and KB4088876 had been installed on the machines.
  • Also resolved was an issue causing preventive protection false positives to occur if Dr.Web was being used alongside Lenovo Vantage.
  • A defect involving the Preventive Protection's svchost.exe-related false positives has been corrected.

The update will be downloaded and installed automatically.




Dr.Web 11.0.3 for macOS released

Tue, 13 Mar 2018 10:13:02 GMT

March 13, 2018

Russian anti-virus company Doctor Web has released Dr.Web 11.0.3 for macOS. The update improves the application's compatibility with macOS High Sierra (10.13).

Specifically, it makes sure that the anti-virus works properly if any SKEL-related issues arise under macOS 10.13. SKEL, short for Secure Kernel Extension Loading, is a security feature.

To update the anti-virus to version 11.0.3, you need to download the new distribution.

#Dr.Web #macOS #update



Doctor Web: cybercriminals use fake popular Android applications for phishing

Tue, 13 Mar 2018 15:21:19 GMT

March 13, 2018

Doctor Web specialists found new Android Trojans on Google Play. The Trojans were distributed under the guise of popular apps. These fake apps can load and display any web page at the cybercriminals' command, a feature that can be used to perform phishing attacks.

The detected programs have the same names and similar icons as popular applications. Doctor Web security researchers have found fake versions of the QIWI app (a Russian payment service provider), Sberbank Online, Odnoklassniki and VK (popular social networks), and NTV (a Russian television channel). The illustrations below show how cybercriminals trick potential victims: the left illustration shows the fake application page, which can easily be found on Google Play, and the right illustration shows the genuine software page.

Every time the fake applications are launched, they connect to the command and control server. The server responds either with the "none" parameter or with a web link specified by the cybercriminals. When the "none" parameter is received, the malicious programs extract several images from their resources and show them to users. If the malicious programs receive a web link from the C&C server, they load the web page and display it. The page is opened via WebView directly inside the application, so users do not see the link to the target Internet address. The contents of the displayed web pages can vary; for example, smartphone users can be shown fake login forms of online banking systems or social networks. This puts owners of Android smartphones and tablets at risk of phishing attacks. Because this feature poses a serious threat, this software has been added to the Dr.Web virus database as Android.Click.415.

Apart from the mentioned Trojans, Doctor Web security researchers detected more than 70 similar programs. Over 270,000 users have downloaded them. Fake games, recipe collections, and knitting manuals can be found among these applications. Some of them really do perform the advertised functions. However, like the Android.Click.415 Trojan, they can also receive links to arbitrary web pages from the C&C server and then load and show these web pages to users. These programs have also been added to the Dr.Web virus database; they are detected as Android.Click.416 and Android.Click.417. Moreover, while running, various modifications of these malicious applications constantly show advertisements on the mobile device screen.

At least four software developers distributed the Trojans: Tezov apps, Aydarapps, Chmstudio, and SVNGames. Doctor Web security analysts have notified Google about all detected malicious applications. However, at the time of publication of this news, the applications were still available for download.

Doctor Web reminds users that it is necessary to pay attention to the software developer's name even when installing an application from such dependable sources as Google Play. Cybercriminals can copy the apps' appearance and use similar names to make users install fake apps that can easily be found in software distribution services. Dr.Web anti-virus products for Android detect and delete all known modifications of Android.Click.415, Android.Click.416, and Android.Click.417, so these Trojans do not pose any threat to our users.



Anti-rootkit module updated in Dr.Web products

Tue, 06 Mar 2018 00:00:00 GMT

March 6, 2018

Russian anti-virus company Doctor Web has updated the Dr.Web Anti-rootkit API module (11.1.19.201803051) in Dr.Web 11.0 for Windows, Dr.Web Enterprise Security Suite 10.0 and 10.1, Dr.Web AV-Desk 10.0 and 10.1, Dr.Web 11.0 for MS Exchange and Dr.Web 11.0 for IBM Lotus Domino. The update delivers a fix for an identified problem.

Specifically, it eliminates an issue causing the Dr.Web Control Service to terminate abnormally during scans of running scripts when a pre-defined scan exception is in use.

The update will be downloaded and installed automatically.