PRINCIPAL TRENDS IN NOVEMBER
- Unwanted Android adware activity
- Detection of a new dangerous Trojan for iOS
December 9, 2015
Like other modifications of this malware, Adware.Mac.Tuguu.1 can covertly install various additional programs (usually useless, but sometimes even malicious) on a user's Mac. The cybercriminals' commercial interest is to get paid for every successful installation of such applications.
Adware.Mac.Tuguu.1 is distributed under the guise of free programs for OS X. Once launched, this dangerous application reads the ".payload" configuration file located in the same folder as the application's setup file. It then determines the address of the command and control (C&C) server and modifies it. Using an encrypted request, Adware.Mac.Tuguu.1 asks the C&C server for the list of additional programs that the user will be prompted to install. The server response is also encrypted and contains several fields that determine which applications should be installed on the user's Mac. Judging from the internal numbering used by the installer, there are 736 programs. Every program has its own conditional "rate" for Adware.Mac.Tuguu.1: because only a limited number of applications can be installed at a time, the installer uses a specific algorithm to assemble an optimal list of mutually compatible software with the highest "rate".
Before the installation, Adware.Mac.Tuguu.1 checks whether the offered programs are compatible with each other. For example, it will not install the MacKeeper application along with the MacKeeper Grouped application. What is more, Adware.Mac.Tuguu.1 tries to make sure that such software has not already been installed. Then, before finishing, it checks that the installation was completed successfully.
The Adware.Mac.Tuguu.1 dialog has a Custom Installation mode, which shows check boxes that allow the user to refuse all the additional software. That is why this program cannot be labeled a Trojan. However, Adware.Mac.Tuguu.1 is a typical adware that is quite able to "litter" the operating system with useless software by taking advantage of the user's carelessness. Dr.Web Anti-virus for OS X can detect and remove this program, so it does not pose any threat to Dr.Web users.
December 8, 2015
In particular, it resolves an issue involving a false license block notification being displayed.
The update will be downloaded and installed automatically.
December 7, 2015
The update will be downloaded and installed automatically.
December 7, 2015
In particular, it resolves an issue that might prevent Dr.Web Agent from being installed on a PC remotely.
The update will be downloaded and installed automatically.
December 3, 2015
It should be noted that the first modifications of Linux.Rekoobe.1 were intended to infect Linux devices with the SPARC architecture. However, virus makers have apparently decided to modify the Trojan to make it compatible with Intel-based computers: Doctor Web specialists have registered samples of Linux.Rekoobe.1 for both 32-bit and 64-bit Intel-compatible Linux systems.
Linux.Rekoobe.1 uses an encrypted configuration file. Once the file is read, the Trojan periodically contacts the C&C server to receive commands. Under specific circumstances, the connection to the server is established via a proxy server, with the authorization data extracted from the configuration file. All sent and received information is split into separate blocks; every block is encrypted and carries its own signature.
To verify encrypted data from the C&C server, Linux.Rekoobe.1 applies a rather complicated procedure. Nevertheless, Linux.Rekoobe.1 can execute only three commands: download or upload a file, pass a received command to the Linux command interpreter, and transmit the output to the remote server. This is enough for cybercriminals to interact with the compromised device remotely.
The signatures of all the known Linux.Rekoobe.1 samples have been added to Dr.Web virus databases. Therefore, users of Dr.Web for Linux are under reliable protection.
December 2, 2015
In particular, a LuaUpdater issue involving the appearance of an unnecessary system reboot prompt following the installation of additional components that use the Dr.Web Net-filtering Service has been resolved. Also eliminated was an updating defect involving a proxy server that used DIGEST authentication.
A configuration script problem that interfered with the installation of removable media drivers when first connecting them to a PC has also been eliminated.
The update will be downloaded and installed automatically.
December 2, 2015
The update delivers cutting-edge Dr.Web technologies to enhance system security, without requiring users to upgrade their anti-virus software manually.
The update will be automatically downloaded by the anti-viruses, but applying it will require a system reboot.
Enjoy your updated Dr.Web products!
December 1, 2015
Read the full review
December 1, 2015
October 2015 | November 2015 | Dynamics |
---|---|---|
15,135 | 16,070 | +6.18% |
In November, Doctor Web security researchers detected an unwanted Android application designed for mobile advertising, Adware.AnonyPlayer.1.origin. It was distributed by virus makers with the help of Android.Spy.510 and was disguised as a program that supposedly ensures the user's anonymity. Once installed, Adware.AnonyPlayer.1.origin prompts the victim to grant it access to the Accessibility Service. If it gets these privileges, it immediately starts monitoring all programs launched on the device. If a launched program is not on a special list, Adware.AnonyPlayer.1.origin shows an advertisement on top of it. It should be noted that the module starts its malicious activity not right after installation but some time later. As a result, the user may blame the launched application for the annoying notifications, while Adware.AnonyPlayer.1.origin remains clear of suspicion. You can find more information about this incident in the review published by Doctor Web.
The number of entries for unwanted adware in Dr.Web virus database
October 2015 | November 2015 | Dynamics |
---|---|---|
230 | 242 | +5.22% |
In November, security researchers detected a huge number of dangerous malicious programs for Android devices that lock the device and demand a ransom to unlock it.
The number of entries for Android ransomware in Dr.Web virus database
October 2015 | November 2015 | Dynamics |
---|---|---|
524 | 588 | +12.21% |
Last month, cybercriminals were still trying to steal money from mobile device users' bank accounts by employing various banking Trojans. In November, Doctor Web security researchers detected five new malicious programs of the Android.Banker family, as well as three new Android.Banker modifications.
The number of entries for banking Trojans of the Android.Banker family in Dr.Web virus database
October 2015 | November 2015 | Dynamics |
---|---|---|
301 | 305 | +1.33% |
The number of entries for banking Trojans of the Android.BankBot family in Dr.Web virus database
October 2015 | November 2015 | Dynamics |
---|---|---|
148 | 151 | +2% |
Among the detected malicious Android applications, a large number of SMS Trojans were found. Such Trojans are dangerous, because they covertly send text messages to short premium numbers and subscribe mobile operators’ clients to chargeable services.
The number of entries for SMS Trojans of the Android.SmsSend family in the Dr.Web virus database
October 2015 | November 2015 | Dynamics |
---|---|---|
6,185 | 6,884 | +11.3% |
In November, Doctor Web specialists detected one of IPhoneOS.Trojan.XcodeGhost modifications that was added to Dr.Web virus database as IPhoneOS.Trojan.XcodeGhost.8. This malware can gather confidential data about the compromised iOS device, display fake dialog windows in order to carry out phishing attacks, and automatically open links specified by virus makers.
November 30, 2015
November 2015 will be remembered for the spread of Linux.Encoder.1, encryption ransomware for Linux systems. This encoder is far from the first to pose a threat to Linux users: already in August 2014, Doctor Web reported Trojan.Encoder.737, which could encrypt files stored on Synology NAS servers. What is more, before the spread of Linux.Encoder.1, at least two modifications of this malware were found. Nevertheless, it was Linux.Encoder.1 whose malicious activity was the most widespread: according to Google data, this encoder has managed to infect more than 3,000 websites worldwide.
The main targets of the Linux.Encoder.1 distributors were the owners of websites built on the WordPress and Magento content management systems (CMS). During the attacks, virus makers exploited an unidentified vulnerability. Experts say that the encoder does not need root privileges: www-data privileges (that is, running under the same user as Apache itself) are quite enough. As of November 12, Linux.Encoder.1 had presumably infected more than 2,000 websites, judging from the search results returned when the name of the file with the cybercriminals' demands is entered into the Google search bar. By November 24 the number of compromised websites exceeded 3,000.
The encoder is run on the server hosting the attacked website by means of a shell script previously injected into the CMS. With the help of the same script, the attackers plant another file on the server, which is in fact a dropper for Linux.Encoder.1. It is assumed that, on a command from the cybercriminals, the dropper identifies the operating system architecture (32-bit or 64-bit), extracts the corresponding ransomware sample from its body, runs it, and then removes itself. Once launched on the attacked server, the Trojan encrypts all files in the directories for which it has write permission. After that, it saves a README_FOR_DECRYPT.txt file containing decryption instructions and the cybercriminals' demands to the server disk. If, by some chance, the Trojan acquires elevated privileges, its malicious activity is not limited to the web server directory.
A website can be infected for several reasons: incorrect settings made by the website administrators, late installation of CMS security updates, use of outdated CMS versions, use of hacked commercial WordPress and Magento components and modules, and so on.
Due to the fact that the code of Linux.Encoder.1 has a number of significant flaws, data encrypted by the Trojan can be decrypted. You can get more familiar with the features of this malware by referring to the review or detailed research of this Trojan published by Doctor Web.
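As an added triage helper (not code from Doctor Web's review), the POSIX shell functions below check a web root for the two traces described above: ransom notes named README_FOR_DECRYPT.txt, and directories the encoder could reach because it ran with the web server account's write permission. The web root path and the www-data account name are assumptions to adjust per host.

```shell
#!/bin/sh
# Added triage helper (not Doctor Web's code) for the Linux.Encoder.1 case:
# the encoder ran as the web server account (www-data), so it could only
# encrypt directories that account can write to, and it left a
# README_FOR_DECRYPT.txt note in each of them. The web root path and the
# account name used in the example invocation are assumptions.

# List every ransom note under the given web root, one path per line.
find_ransom_notes() {
    find "$1" -type f -name 'README_FOR_DECRYPT.txt' 2>/dev/null | sort
}

# List directories under the web root that any account can write to
# (other-write bit, octal 0002): exposed even if www-data is not the owner.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# List directories owned by the web server account and writable by their
# owner (owner-write bit, octal 0200): everything an encoder running as that
# account could encrypt. $2 must be an existing user name on this host.
find_account_writable_dirs() {
    find "$1" -type d -user "$2" -perm -0200 2>/dev/null | sort
}

# Print findings and return 1 if a ransom note or a world-writable directory
# exists under the web root, return 0 if the web root looks clean.
triage_webroot() {
    root=$1
    n_notes=$(find_ransom_notes "$root" | wc -l | tr -d ' ')
    n_exposed=$(find_world_writable_dirs "$root" | wc -l | tr -d ' ')
    find_ransom_notes "$root" | sed 's/^/ransom note: /'
    find_world_writable_dirs "$root" | sed 's/^/world-writable dir: /'
    if [ "$n_notes" -eq 0 ] && [ "$n_exposed" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Example invocation with assumed paths (uncomment to use on a real host):
# triage_webroot /var/www/html
# find_account_writable_dirs /var/www/html www-data
```

A non-zero exit from triage_webroot is suitable as a cron or monitoring alert; the account-writable listing is the set of directories to tighten before the shell script the text mentions is used again.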
Doctor Web security researchers continue to monitor a botnet created by cybercriminals using the Win32.Rmnet.12 file infector. The average daily activity of the botnet's two subnets in November is shown in the following graphs:
Rmnet is a family of viruses spread without any user intervention. They can embed content into loaded webpages (this theoretically allows cybercriminals to get access to the victim's bank account information), steal cookies and passwords stored by popular FTP clients, and execute other commands issued by cybercriminals.
The botnet created using the Win32.Sector file infector is still active. Its average daily activity can be seen in the following picture:
The malware can perform the following actions:
Last month, the number of DDoS attacks mounted using Linux.BackDoor.Gates.5 continued to decline. The number of attacked websites decreased by 27.9% to an estimated 3,641. China was ranked first by number of targets, while the United States took second place.
Doctor Web technical support receives decryption requests not only from Russian users but also from users abroad, and helps users from European countries decrypt their information. In November, Doctor Web technical support received a number of decryption requests from website owners who had encountered Linux.Encoder.1. It should be noted that none of the known utilities used to decrypt files compromised by Linux.Encoder.1 delete the shell script from the infected server, so cybercriminals can use it later to reinfect the system. That is why Doctor Web technical support specialists help all website owners remove the additional malicious programs from their systems and protect their machines from future attacks carried out using this script.
Linux.Encoder.1 is far from the only encoder that poses a threat to Linux users. Information security researchers detected at least two representatives of this malware family that came to light before Linux.Encoder.1. However, for a long time this particular modification escaped the scrutiny of security researchers.
In particular, the new Trojan, named Linux.Encoder.2, differs from its counterparts by employing a different pseudorandom number generator and by encrypting files with the OpenSSL library (rather than PolarSSL, as Linux.Encoder.1 does). Moreover, encryption is performed in AES-OFB-128 mode with the context reinitialized every 128 bytes, that is, every 8 AES blocks. Linux.Encoder.2 also differs from the other version of this encoder in a number of other significant ways. For more details about this malware, refer to the review.
Moreover, in November Doctor Web security researchers detected Linux.Sshcrack.1, which guesses login and password combinations using a special dictionary (a brute-force technique) to gain unauthorized access to various devices.
In mid-November Doctor Web specialists examined a whole pack of malicious programs distributed by cybercriminals. The pack disguised as an RTF document was named BackDoor.RatPack. Once the document was opened, a malicious file was decrypted and saved to the victim's computer. It should be noted that the file, which is, in fact, an installer, has a valid digital signature (like almost any other file from BackDoor.RatPack).
Once launched, the installer scans the system for virtual machines, monitoring programs, and debuggers. Then it searches for the online banking applications of several Russian financial organizations. The installer's payload is a modification of a shareware program called Remote Office Manager; Doctor Web security researchers have detected at least three versions of this program that differ in their configuration settings. By intercepting a number of system functions, the malicious program is able to conceal the tool's shortcuts in the Windows taskbar and notification area, preventing the user from noticing the program's presence. One can assume that cybercriminals employ BackDoor.RatPack to steal banking information and other confidential data by remotely controlling the compromised machine. For more information about this incident, refer to the review published by Doctor Web.
During November 2015, 670,545 URLs of non-recommended websites were added to Dr.Web database.
October 2015 | November 2015 | Dynamics |
---|---|---|
+264,970 | +670,545 | +153% |
November appeared to be rather calm for mobile devices users. Nevertheless, in November cybercriminals were still trying to infect tablets and smartphones. However, all the detected malicious and unwanted programs were immediately added to Dr.Web virus database. In particular, Doctor Web security researchers detected the Android adware that was installed by a Trojan and showed annoying notifications on top of applications launched by a user. Moreover, during the whole month, Android devices were attacked by ransomware programs, banking Trojans, SMS Trojans and other dangerous applications. Besides, in November security researchers detected yet another Trojan modification which infected iOS devices.
Among the most noticeable November events related to mobile malware we can mention
Find out more about malicious and unwanted programs for mobile devices in our special overview.