Перейти к содержимому


Фото
- - - - -

The endless story of Trojan.Encoder, fake anti-viruses on the offensive and other malicious trends of September 2009


  • Please log in to reply
Нет ответов в данной теме

#1 News Robot

News Robot

    Creator of the News

  • Dr.Web Staff
  • 7 933 Сообщений:

Отправлено 05 Октябрь 2009 - 03:00

October 5, 2009


September is the time when children get back to their computers to do their homework and adults return from holiday trips to their office desks. As the number of Internet users increases, so does the number of viral threats and victims of a cyber fraud or virus attack. Increased activity of Trojan.Encoder that encrypted data in compromised systems, fake anti-viruses and social networking account crack guides became the most notable events of the past month. Doctor Web presents its review of these events and other malicious trends of September.



Another Trojan.Encoder surge

In September Doctor Web registered an increased number of Russian users that fell victims of Trojan.Encoder that encrypted users’ documents and demanded a ransom for decryption. The demanded amount of money increased, however, transferring the money never guaranteed that a victim would receive a decryption tool or that such a tool would actually work. Every day dozens of users get help from Doctor Web to restore their encrypted files.


The last week saw three new modifications of the Trojan.Encoder featuring new encryption keys and different cyber criminal's contact information. Doctor Web promptly provided users with decryption utilities for each of them. . However, the most interesting modification of this piece of ransomware turned out to be the latest one. It added the drweb extension to encrypted files. Obviously successful neutralisation of the ransomware by Dr.Web anti-viruses drove its author towards playing a mean trick on Doctor Web by using its brand as a part of a filename.


Doctor Web analysts also got hold of a link to a malicious site maintained by the author of the late Trojan.Encoder modifications. It should be noted that the cyber-criminal adopted images of a spider and doctor to trick users into thinking that he was in some way related to Doctor Web which certainly is not true. Apparently such a design aims to confuse users and discredit Doctor Web.



The criminal does its best to present himself as a good doer that helps people to restore their data. His web-site provides users with a demonstration video showing how the utility a user is offered to pay for works.



Отправленное изображение


Based on available information we can suggest that there is only one man behind the extortion of money from users whose documents have been encrypted.




Some anti-viruses are good, others aren’t


Fake anti-viruses have been a cause of problems and worries to many users worldwide. Various techniques ranging from traditional spam mailings and up to special advertisement web-sites were adopted to trick users into downloading and installing such programs.



Trojan.Fakealert.5115 was one of fake anti-viruses found in large numbers on the Internet reaching its highest detection figure on September 27 when 800 000 detections of this malicious program were registered by Doctor Web statistics servers.



Отправленное изображение


As Trojan.Fakealert.5115 is launched, an infection alert appears in the notification area and a user is prompted to download special software to avoid possible data losses. A user has to click on the message to allow “Windows” to download required software automatically.



Отправленное изображение


After that other components of the Trojan.Fakealert.5115 detected by Dr.Web as Trojan.Fakealert.4709 and Trojan.Fakealert.5112 are downloaded from servers set up by cyber criminals. Another visual manifestation of Trojan.Fakealert.5115 is a window of a fake anti-virus product called Antivirus Pro 2010.




Отправленное изображениеОтправленное изображение

New modifications of this fake anti-virus – Trojan.Fakealert.5229 and Trojan.Fakealert.5238 – have been registered recently. Unlike other variations of the fake anti-virus, Trojan.Fakealert.5229 reboots a compromised system during its operation.


Trojan.Fakealert.5238 in its turn displays a modified Windows Security Centre window informing a user that his computer is supposedly protected by Antivirus Pro 2010 but the user needs to purchase a license.


Отправленное изображение

Pressing a purchase button directs a user to a fraudulent web-site where the victim can buy this rather costly software dummy. As usual the "fully-functional" anti-virus turns out to be a piece of code that does nothing.


Отправленное изображение

Fake anti-viruses have been bringing a significant profit to their authors but number of such programs increased notably in the last month.



Someone wants to crack a social networking web-site?

One of virus makers made an unusual proposition to potential victims. On his web-page he described a method that would enable users to gain access to registered user accounts of a Russian social networking web-site and at the same time protect their own accounts from unauthorized access.


Отправленное изображение

To achieve a desired result one had to modify his hosts file thus removing the necessity for malware to perform the operation.


Naturally, the method never brought would-be hackers a success. But in case of a failure the cyber-criminal also offered users to download a program that would perform all required actions automatically. Yet downloading and running the application would lead to disappointment once again. And it is hardly surprising since the program is a piece of malware detected by Dr.Web anti-viruses as Trojan.DownLoad.47503.


Statistics show that hundreds of users decided on joining the ranks of hackers. This malicious program can still be found in the wild with the highest number of detections registered on September 28.


Отправленное изображение


Trojan.Winlock once again. Now over ICQ together with the pinch

A new Trojan.Winlock modification – Trojan.Winlock.252 – and Trojan.PWS.LDPinch.1941 were spread using ICQ in the last September week.


An ICQ user received a message prompting him to follow a link to look at a photograph. Following the link resulted in downloading of the lock.ex file compressed with a viral packer. This file stored four other files in the compromised system: explorerr.ex, svcoost.ex, 43.jpg, а также 154.bat The bat file was used to remove the dropper. Explorer.ex is detected by Dr.Web anti-viruses as Trojan.PWS.LDPinch.4308 compressed with + FSG packer. When extracted, the object is detected as Trojan.PWS.LDPinch.1941 while the svcoost.ex file is defined as Trojan.Winlock.252. Spreading of a Trojan.Winlock program together with a “pinch” makes the threat even more dangerous because a compromised system will not simply be blocked but also all passwords found on the computer will be stolen.




Mail viruses persist

Currently Trojan.DownLoad.47256 is the most frequently detected malware in e-mail traffic. The peak of its outbreak has already passed however, Doctor Web’s statistics servers still register hundreds of thousands of Trojan.DownLoad.47256 detections.


Отправленное изображение

In terms of statistics Trojan.Packed.2915 is not very far behind Trojan.DownLoad.47256 . Trojan.Packed.2915 came as a replacement of Trojan.Botnetlog (see the August review from Doctor Web) spread with messages supposedly sent by DHL Express.


Отправленное изображение

As before every new mailing came with a new modification of the Trojan. A Trojan.Packed.2915 signature created by Doctor Web’s analysts enables Dr.Web anti-viruses to detect even new modifications of the Trojan that have not been studied in the virus laboratory.


The outbreak of Trojan.Packed.2915 reached its maximum on September 25. Now it is likely to decline but the number of detections is still measured in dozens of thousands per day.


Отправленное изображение

In the face of the wide spreading of ransomware Doctor Web doesn't recommend users to get in contact with cyber criminals, let alone transferring money to their accounts. Instead contact Doctor Web’s specialists. In most cases they will be able to help restore a system or encrypted data. E-mail remains one of the main malware distribution channels so Doctor Web once gain strongly advices against opening files attached to e-mails from unfamiliar senders. It is also not recommended to adopt hacking and cracking methods described on certain web-sites because such actions can compromise security of a system and endanger your information as well as violate a law.



Viruses detected in e-mail traffic in September




01.09.2009 00:00 - 01.10.2009 00:00


1
Trojan.DownLoad.47256
4208589 (61.34%)


2
Trojan.Fakealert.5115
927637 (13.52%)


3
Trojan.Packed.2915
514717 (7.50%)


4
Trojan.DownLoad.5637
181751 (2.65%)


5
Win32.HLLM.MyDoom.33808
170029 (2.48%)


6
Win32.HLLM.Beagle
146890 (2.14%)



7
Trojan.Packed.2788
113316 (1.65%)


8
Win32.HLLM.Netsky.35328
84013 (1.22%)


9
Win32.HLLM.Netsky.based
70553 (1.03%)


10
Trojan.Botnetlog.11
67909 (0.99%)


11
W97M.Godzilla
61111 (0.89%)



12
Win32.HLLM.MyDoom.54464
50964 (0.74%)


13
Trojan.MulDrop.19648
36837 (0.54%)


14
Win32.HLLM.Perf
32354 (0.47%)


15
Win32.Sector.28480
30066 (0.44%)


16
Win32.HLLM.MyDoom.based
24638 (0.36%)



17
Trojan.Fakealert.5229
15730 (0.23%)


18
Win32.HLLM.Netsky
12506 (0.18%)


19
BackDoor.Gladrac
10804 (0.16%)


20
Trojan.DownLoad.16849
9195 (0.13%)



Total scanned:12,475,886,574
Infected:6,861,469 (0.05%)


Viruses detected on user machines in September




01.09.2009 00:00 - 01.10.2009 00:00


1
Trojan.DownLoad.47256
7851901 (36.17%)


2
Trojan.Fakealert.5115
1709557 (7.87%)


3
Win32.HLLW.Gavir.ini
1091500 (5.03%)


4
Win32.HLLW.Shadow.based
552387 (2.54%)


5
Win32.Alman.1
453996 (2.09%)


6
Win32.HLLM.Beagle
399883 (1.84%)



7
JS.Nimda
381940 (1.76%)


8
Trojan.DownLoad.5637
366191 (1.69%)


9
DDoS.Kardraw
338885 (1.56%)


10
Trojan.Recycle
332882 (1.53%)


11
Win32.HLLM.Netsky.35328
306700 (1.41%)



12
VBS.Sifil
296165 (1.36%)


13
Win32.Sector.17
275083 (1.27%)


14
Win32.HLLW.Autoruner.5555
273128 (1.26%)


15
Trojan.AuxSpy.4
234102 (1.08%)


16
Trojan.MulDrop.16727
212213 (0.98%)



17
Win32.HLLW.Texmer.43
207238 (0.95%)


18
Trojan.Packed.2788
194328 (0.90%)


19
Win32.Virut.14
193677 (0.89%)


20
Win32.HLLM.Netsky.based
179267 (0.83%)



Total scanned:845,578,747,316
Infected:21,708,714 (0.00%)


View the article


Читают тему: 0

0 пользователей, 0 гостей, 0 скрытых