News of Doctor Web

RSS: Dr Web CureIt

http://news.drweb.com/rss/get/?c=5&lng=en

Publisher: Doctor Web

Malware installs unwanted applications on OS X
Wed, 09 Dec 2015 10:26:50 -0500

December 9, 2015

Virus makers are becoming increasingly interested in Apple users, as the frequent detection of new malware for OS X shows. Most such programs are designed to display advertisements or to covertly install various applications and utilities. One more malicious program of this kind, examined by Doctor Web security researchers, has been named Adware.Mac.Tuguu.1.

Like other modifications of this malware, Adware.Mac.Tuguu.1 can covertly install various additional programs (usually useless, but sometimes even malicious) on the user's Mac. The cybercriminals' commercial interest is to be paid for every successful installation of such an application.


Adware.Mac.Tuguu.1 is distributed under the guise of free programs for OS X. Once launched, it reads the ".payload" configuration file located in the same folder as the application's setup file, obtains the address of the command and control (C&C) server from it and modifies that address. Adware.Mac.Tuguu.1 then sends an encrypted request to the C&C server for the list of additional programs the user will be prompted to install. The server's response is also encrypted and contains several fields that determine which applications are to be installed on the user's Mac. Judging by the internal numbering used by the installer, there are 736 such programs, each with its own conditional "rate". Because only a limited number of applications can be installed at a time, the installer uses a specific algorithm to build an optimal list of mutually compatible programs with the highest "rate".

Before installation, Adware.Mac.Tuguu.1 checks whether the offered programs are compatible with each other; for example, it will not install the MacKeeper application together with the MacKeeper Grouped application. It also checks that the software has not been installed earlier. Finally, before it finishes, it verifies that the installation completed successfully.

The Adware.Mac.Tuguu.1 dialog has a Custom Installation mode with check boxes that let the user decline all of the additional software; for that reason the program cannot be classed as a Trojan. It is, however, a typical adware that is quite capable of "littering" the operating system with useless software by taking advantage of the user's carelessness. Dr.Web Anti-virus for OS X detects and removes this program, so it poses no threat to Dr.Web users.

More about this threat

Control Service updated in Dr.Web 11.0
Tue, 08 Dec 2015 11:58:56 -0500

December 8, 2015

Russian anti-virus company Doctor Web has updated the Dr.Web Control Service (11.0.2.12031) in Dr.Web Security Space and Dr.Web Anti-virus 11.0 for Windows. The update fixes an identified defect.

In particular, it resolves an issue involving a false license block notification being displayed.

The update will be downloaded and installed automatically.

Dr.Web Virus-Finding Engine updated
Sun, 06 Dec 2015 20:00:00 -0500

December 7, 2015

Russian anti-virus company Doctor Web has updated the Dr.Web Virus-Finding Engine (7.00.17.11230) in the following products: Dr.Web Security Space and Dr.Web Anti-virus versions 6-11, Dr.Web Desktop Security Suite, Dr.Web Server Security Suite, Dr.Web Mail Security Suite, Dr.Web Gateway Security Suite, the Internet service Dr.Web AV-Desk, the curing utilities Dr.Web CureIt! and Dr.Web CureNet! and the system recovery tool Dr.Web LiveDisk. The update delivers new features and resolves known issues.

New features:

  • Upgraded heuristic analysis routines for RTF files;
  • Improved MIME analyser performance;
  • RAR 5.0 and ACE 2.0 support;
  • Enhanced malware detection.

Fixes:

  • Issues involving the following unpackers: DMG, HFS, DBX, MSI, NSIS, TCompress, CHM, .NET and UPX/ELF.
  • PDF, RTF and FLY-CODE analysis issues.

The update will be downloaded and installed automatically.

Dr.Web Enterprise Agent for Windows setup in Dr.Web Enterprise Security Suite 10.0 updated
Sun, 06 Dec 2015 19:00:00 -0500

December 7, 2015

Russian anti-virus company Doctor Web has updated the Dr.Web Enterprise Agent for Windows setup module (10.0.12.12020) in Dr.Web Enterprise Security Suite 10.0. The update fixes an identified defect.

In particular, it resolves an issue that might prevent Dr.Web Agent from being installed on a PC remotely.

The update will be downloaded and installed automatically.

Rekoobe Trojan threatens Linux users
Thu, 03 Dec 2015 10:48:52 -0500

December 3, 2015

Both the number and the capabilities of malicious programs for Linux grow every day. Linux.Rekoobe.1, a Trojan examined by Doctor Web security researchers, can download files from the command and control (C&C) server and upload files to it on command from cybercriminals. The Trojan can also interact with the Linux command interpreter on the compromised device.

It should be noted that the first modifications of Linux.Rekoobe.1 were intended to infect Linux devices with the SPARC architecture. However, virus makers have apparently decided to modify the Trojan to make it compatible with Intel-based computers: Doctor Web specialists have registered Linux.Rekoobe.1 samples for both 32-bit and 64-bit Intel-compatible Linux systems.

Linux.Rekoobe.1 uses an encrypted configuration file. Once the file has been read, the Trojan periodically contacts the C&C server to receive commands. Under certain circumstances the connection to the server is established via a proxy server, with the authorization data taken from the configuration file. All sent and received information is split into separate blocks; every block is encrypted and carries its own signature.

To verify encrypted data received from the C&C server, Linux.Rekoobe.1 applies a rather complicated procedure. Nevertheless, it supports only three commands: download or upload a file, pass the received command to the Linux interpreter, and send the resulting output to the remote server. This is enough for cybercriminals to interact with the compromised device remotely.

The signatures of all the known Linux.Rekoobe.1 samples have been added to Dr.Web virus databases. Therefore, users of Dr.Web for Linux are under reliable protection.

More about this Trojan

Components updated in Dr.Web 11.0
Tue, 01 Dec 2015 19:00:00 -0500

December 2, 2015

Russian anti-virus company Doctor Web has updated the LuaUpdater component (11.0.1.11240) and configuration scripts (11.0.0.11240) in Dr.Web Security Space and Dr.Web Anti-virus 11.0. The update resolves known software issues.

In particular, a LuaUpdater issue involving the appearance of an unnecessary system reboot prompt following the installation of additional components that use the Dr.Web Net-filtering Service has been resolved. Also eliminated was an updating defect involving a proxy server that used DIGEST authentication.

A configuration script problem that interfered with the installation of removable media drivers when first connecting them to a PC has also been eliminated.

The update will be downloaded and installed automatically.

Dr.Web Security Space, Dr.Web Anti-virus, and components in Dr.Web for MS Exchange and Dr.Web for IBM Lotus Domino 10.0 will be updated to version 11.0 automatically
Tue, 01 Dec 2015 19:00:00 -0500

December 2, 2015

As previously announced by Doctor Web, Dr.Web Security Space and Dr.Web Anti-virus 10.0, as well as certain components in Dr.Web 10.0 for MS Exchange and Dr.Web 10.0 for IBM Lotus Domino, are updated automatically to version 11.0.

The update delivers cutting-edge Dr.Web technologies to enhance system security, without requiring users to upgrade their anti-virus software manually.

The update will be automatically downloaded by the anti-viruses, but applying it will require a system reboot.

Enjoy your updated Dr.Web products!

Android adware, Trojan for iOS, and other mobile security events of November 2015
Tue, 01 Dec 2015 05:15:37 -0500

December 1, 2015

Doctor Web presents its November 2015 overview of malware for mobile devices. Over the past month, cybercriminals continued to target mobile device users. Our security researchers detected an Android application that displayed advertisements on top of most programs launched by the user. In addition, the Dr.Web virus database was updated with new entries for other malicious Android applications, and yet another modification of a Trojan for iOS was detected in November.

Read the full review

November 2015 mobile malware review from Doctor Web
Tue, 01 Dec 2015 05:24:31 -0500

December 1, 2015

PRINCIPAL TRENDS IN NOVEMBER

  • Unwanted Android adware activity
  • Detection of a new dangerous Trojan for iOS

Number of entries for malicious and unwanted software targeting Android OS in Dr.Web virus database

October 2015    November 2015    Dynamics
15,135          16,070           +6.18%

Mobile threat of the month

In November, Doctor Web security researchers detected an unwanted Android application designed for mobile advertising, Adware.AnonyPlayer.1.origin. It was distributed by virus makers with the help of Android.Spy.510 and was disguised as a program that supposedly ensures the user's anonymity. Once installed, Adware.AnonyPlayer.1.origin prompts the victim to grant it the use of the Accessibility Service. If it receives these privileges, it immediately starts monitoring all programs launched on the device, and if a launched program is not on a special list, Adware.AnonyPlayer.1.origin displays an advertisement on top of it. It should be noted that the module starts its malicious activity not right after installation but some time later. As a result, the user may assume that the launched application is responsible for the annoying notifications, while Adware.AnonyPlayer.1.origin remains clear of suspicion. You can find more information about this incident in the review published by Doctor Web.


The number of entries for unwanted adware in Dr.Web virus database

October 2015    November 2015    Dynamics
230             242              +5.22%

Android ransomware

In November, security researchers detected a large number of dangerous malicious programs for Android that block the device and demand a ransom to unlock it.

The number of entries for Android ransomware in Dr.Web virus database

October 2015    November 2015    Dynamics
524             588              +12.21%

Banking Trojans for Android

Last month, cybercriminals were still trying to steal money from mobile device users' bank accounts using various banking Trojans. In November, Doctor Web security researchers detected five new malicious programs of the Android.Banker family, as well as three new Android.Banker modifications.

The number of entries for banking Trojans of the Android.Banker family in Dr.Web virus database

October 2015    November 2015    Dynamics
301             305              +1.33%

The number of entries for banking Trojans of the Android.BankBot family in Dr.Web virus database

October 2015    November 2015    Dynamics
148             151              +2%

SMS Trojans

A large number of SMS Trojans were found among the detected malicious Android applications. Such Trojans are dangerous because they covertly send text messages to premium short numbers and subscribe mobile operators' customers to paid services.

The number of entries for SMS Trojans of the Android.SmsSend family in the Dr.Web virus database

October 2015    November 2015    Dynamics
6,185           6,884            +11.3%


Trojans for iOS

In November, Doctor Web specialists detected a modification of IPhoneOS.Trojan.XcodeGhost, which was added to the Dr.Web virus database as IPhoneOS.Trojan.XcodeGhost.8. This malware can gather confidential data about the compromised iOS device, display fake dialog windows to carry out phishing attacks, and automatically open links specified by virus makers.

November 2015 virus activity review from Doctor Web
Mon, 30 Nov 2015 10:25:58 -0500

November 30, 2015

November 2015 will be remembered for the spread of Linux.Encoder.1, an encryption ransomware for Linux systems. This encoder is far from the first to threaten Linux users: back in August 2014, Doctor Web reported Trojan.Encoder.737, which could encrypt files stored on Synology NAS servers, and at least two modifications of this malware were found before Linux.Encoder.1 spread. Nevertheless, it was Linux.Encoder.1 whose malicious activity was the most widespread. According to Google data, this encoder has managed to infect more than 3,000 websites worldwide.

PRINCIPAL TRENDS IN NOVEMBER

  • More than 3,000 computers infected by the hazardous Linux.Encoder.1
  • Spread of malware that gets unauthorized access to a compromised computer
  • New malware for Microsoft Windows and Android

Threat of the month

The main targets of the Linux.Encoder.1 distributors were the owners of websites built with the WordPress and Magento content management systems (CMS). During the attacks, virus makers exploited an unidentified vulnerability. Experts say that the encoder does not need root privileges; www-data privileges (those of the user account Apache itself runs under) are quite enough. As of November 12, Linux.Encoder.1 had presumably infected more than 2,000 websites, judging by the search results returned when the name of the file with the cybercriminals' demands is entered into the Google search bar. By November 24, the number of compromised websites exceeded 3,000.


The encoder is launched on the server hosting the attacked website by means of a shell script previously injected into the CMS. Using the same script, the hackers place another file on the server, which is in fact a dropper for Linux.Encoder.1. It is assumed that, on command from the cybercriminals, the dropper identifies the operating system architecture (32-bit or 64-bit), extracts the corresponding encryption ransomware sample from its body, runs it, and then removes itself. Once launched on the attacked server, the Trojan encrypts all files in directories to which it has write access. It then saves the README_FOR_DECRYPT.txt file, containing decryption instructions and the cybercriminals' demands, on the server disk. If, by some chance, the Trojan acquires higher privileges, its malicious activity will not be limited to the web server directory.
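As an added example (not Doctor Web's code), a defensive audit of the attack surface this paragraph describes: it walks a web root, lists the directories the web server account could write to (and therefore encrypt), and reports any README_FOR_DECRYPT.txt notes already present. The www-data uid/gid of 33 and the WordPress-style directory layout are assumptions.

```python
import os
import stat
import tempfile

# Hypothetical uid/gid for the web server account; Debian-style www-data is
# commonly 33:33, but check /etc/passwd on the host you audit.
WWW_DATA_UID = 33
WWW_DATA_GID = 33

# Name of the note Linux.Encoder.1 drops next to encrypted files.
RANSOM_NOTE = "README_FOR_DECRYPT.txt"


def writable_by(st, uid, gid):
    """Classic mode-bit check: may a user with uid/gid write to this inode?
    Ignores POSIX ACLs and the fact that root can write anywhere."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_webroot(root, uid=WWW_DATA_UID, gid=WWW_DATA_GID):
    """Walk a web root and return two sorted lists of paths relative to it:
    directories the web server user could encrypt (it can write there), and
    ransom notes that indicate the encoder has already run."""
    writable_dirs, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if writable_by(os.lstat(dirpath), uid, gid):
            writable_dirs.append(rel)
        if RANSOM_NOTE in filenames:
            notes.append(os.path.join(rel, RANSOM_NOTE))
    return sorted(writable_dirs), sorted(notes)


def build_sample_tree(base):
    """Constructed WordPress-style layout: a world-writable uploads directory
    (a common misconfiguration) that already holds a ransom note, next to a
    properly restricted wp-includes directory."""
    uploads = os.path.join(base, "wp-content", "uploads")
    includes = os.path.join(base, "wp-includes")
    os.makedirs(uploads)
    os.makedirs(includes)
    for d in (base, os.path.join(base, "wp-content"), includes):
        os.chmod(d, 0o755)
    os.chmod(uploads, 0o777)
    with open(os.path.join(uploads, RANSOM_NOTE), "w") as f:
        f.write("constructed sample ransom note\n")


def demo():
    """Run the audit over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_webroot(tmp)


if __name__ == "__main__":
    dirs, found = demo()
    print("directories writable by www-data:", dirs)
    print("ransom notes found:", found)
```

On a real server, run it against the document root of each site and treat every listed directory as one the encoder could have reached with www-data privileges alone.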


A website can be infected for several reasons: incorrect settings by the website administrators, late installation of CMS security updates, use of outdated CMS versions, use of hacked commercial WordPress and Magento components and modules, and so on.

Because the code of Linux.Encoder.1 contains a number of significant flaws, data encrypted by the Trojan can be decrypted. You can learn more about the features of this malware from the review or the detailed research of this Trojan published by Doctor Web.

According to the statistics gathered by Dr.Web CureIt!


  • Trojan.Crossrider1.42770, Trojan.Crossrider1.50845

    Trojans designed to display various advertisements.
  • Trojan.DownLoad3.35967

    A Trojan that can download other malicious programs from the Internet and install them on the infected computer.
  • Trojan.LoadMoney

    A family of downloader programs generated by servers belonging to the LoadMoney affiliate program. These applications download and install unwanted software on the victim's computer.
  • Trojan.Siggen6.33552

    This malicious program is designed for installation of other malware.

According to Doctor Web statistics servers


  • Trojan.InstallCube

    A family of downloader programs designed to install unwanted and useless applications on the user’s computer.
  • Trojan.Installmonster

    A family of malicious programs created using the Installmonster affiliate program. These programs install various unwanted software on the victim's computer.
  • Trojan.Siggen6.33552

    A malicious program designed to install other dangerous software on the infected computer.
  • Trojan.DownLoad3.35967

    A Trojan that can download other malicious programs from the Internet and install them on the infected computer.
  • Trojan.Zadved

    This Trojan displays fake search results in the browser window and imitates pop-up messages from social networking sites.

Statistics concerning malicious programs discovered in email traffic


  • Trojan.InstallCube

    A family of downloader programs designed to install unwanted and useless applications on the user’s computer.
  • Trojan.Encoder.567

    A malicious program belonging to the family of encryption ransomware Trojans that encrypt files and demand a ransom to decrypt the compromised data. This program can encrypt important user files, for example of the following types: .jpg, .jpeg, .doc, .docx, .xls, .xlsx, .dbf, .1cd, .psd, .dwg, .xml, .zip, .rar, .db3, .pdf, .rtf, .7z, .kwm, .arj, .xlsm, .key, .cer, .accdb, .odt, .ppt, .mdb, .dt, .gsf, .ppsx, .pptx.
  • Trojan.PWS.Stealer

    A family of Trojans designed to steal passwords and other confidential information stored on the infected computer.
  • W97M.DownLoader.726

    A downloader Trojan that exploits vulnerabilities in office applications and can download other malicious programs to the compromised computer.

Botnets

Doctor Web security researchers continue to monitor the botnet created by cybercriminals using the Win32.Rmnet.12 file infector. The average daily activity of the botnet's two subnets in November is shown in the following graphs:


Rmnet is a family of viruses that spread without any user intervention. They can embed content into loaded web pages (which theoretically allows cybercriminals to access the victim's bank account information), steal cookies and passwords stored by popular FTP clients, and execute other commands issued by cybercriminals.

The botnet created using the Win32.Sector file infector is still active. Its average daily activity can be seen in the following picture:


The malware can perform the following actions:

  • Download various executable files via P2P networks and run them on infected machines.
  • Inject its code into running processes.
  • Prevent some anti-viruses from operating and block access to the websites of their respective developers.
  • Infect files on local disks, removable media (where the malware creates the autorun.inf file during the infection process), and in shared folders.

In November, the number of DDoS attacks mounted using Linux.BackDoor.Gates.5 continued to decline. The number of websites attacked fell by 27.9%, to an estimated 3,641. China again ranked first by number of targets, with the United States in second place.


Encryption ransomware


The most common ransomware programs in November 2015

Doctor Web technical support receives decryption requests not only from Russian users but also from foreign ones, and helps users from European countries recover their data. In November, Doctor Web technical support received a number of decryption requests from website owners who had encountered Linux.Encoder.1. It should be noted that none of the known utilities for decrypting files compromised by Linux.Encoder.1 removes the shell script from the infected server, so cybercriminals can use it later to reinfect the system. That is why Doctor Web technical support specialists help all website owners remove the additional malicious programs from their systems and protect their machines against future attacks carried out through this script.


Linux

Linux.Encoder.1 is far from the only encoder that poses a threat to Linux users. Information security researchers have identified at least two members of this malware family that appeared before Linux.Encoder.1, although for a long time this particular modification escaped the scrutiny of security researchers.

In particular, the new Trojan named Linux.Encoder.2 differs from its counterparts in using a different pseudorandom number generator and in encrypting files with the OpenSSL library rather than PolarSSL, which Linux.Encoder.1 uses. Encryption is performed in AES-OFB-128 mode, with the cipher context reinitialized every 128 bytes, that is, every 8 AES blocks. Linux.Encoder.2 also has a number of other significant differences from the other variant of this encoder. For more details about this malware, refer to the review.

Also in November, Doctor Web security researchers detected Linux.Sshcrack.1, which brute-forces login and password combinations using a special dictionary in order to gain unauthorized access to various devices.

Other malicious applications

In mid-November, Doctor Web specialists examined a whole pack of malicious programs distributed by cybercriminals. The pack, disguised as an RTF document, was named BackDoor.RatPack. When the document was opened, a malicious file was decrypted and saved to the victim's computer. It should be noted that this file, which is in fact an installer, carries a valid digital signature (like almost every other file in BackDoor.RatPack).


Once launched, the installer scans the system for virtual machines, monitoring programs, and debuggers. It then searches for the online banking applications of several Russian financial organizations. The installer's payload is a modification of a shareware program called Remote Office Manager; Doctor Web security researchers have detected at least three versions of this program that differ only in their configuration settings. By intercepting a number of system functions, the malicious program conceals the tool's shortcuts in the Windows taskbar and notification area, preventing the user from noticing its presence. One can assume that cybercriminals employ BackDoor.RatPack to steal banking information and other confidential data by remotely controlling the compromised machine. For more information about this incident, refer to the review published by Doctor Web.

Dangerous websites

During November 2015, 670,545 URLs of non-recommended websites were added to the Dr.Web database.

October 2015    November 2015    Dynamics
+ 264,970       + 670,545        + 153 %

Malicious and unwanted programs for Android

November turned out to be rather calm for mobile device users, although cybercriminals were still trying to infect tablets and smartphones. All the detected malicious and unwanted programs were promptly added to the Dr.Web virus database. In particular, Doctor Web security researchers detected Android adware that was installed by a Trojan and showed annoying notifications on top of applications launched by the user. Throughout the month, Android devices were also attacked by ransomware, banking Trojans, SMS Trojans and other dangerous applications, and in November security researchers detected yet another Trojan modification that infected iOS devices.

Among the most noticeable November events related to mobile malware we can mention:

  • Detection of an unwanted Android application which displayed advertisements on top of applications launched by a user
  • Detection of new Trojans for iOS systems

Find out more about malicious and unwanted programs for mobile devices in our special overview.
