In April 2010 cyber-criminals focused on new SMS fraud schemes. This time they targeted users of torrent trackers and file sharing resources, whom they tried to lure to fake web-sites supposedly providing such services. April also saw the discovery of new malicious programs targeting smart phones, while fake anti-viruses maintained their lead among malware found in e-mail traffic.
Fake torrent-trackers and file sharing sites
Doctor Web’s virus analysts uncovered an entire network of fake torrent-trackers and file sharing resources located in different parts of the globe and yet targeting Russian-speaking users. Criminals exploited the wide popularity of such resources and the carelessness of many people who look for content through search engines, and posted links to music, books, movies and other content on such web-sites.
Fake torrent-trackers and file sharing resources appeared at the top of the results lists returned to users by search engines. Apparently the criminals performed search engine optimization and other preliminary activities to improve the efficiency of their schemes.
A user obtaining a download link on such a web-site downloaded a 16 megabyte executable file instead of a supposed archive with desired content. Dr.Web detects such files as Tool.SMSSend.2.
Launching the file brings up a window prompting the user to send several paid short messages in order to gain access to the downloaded archive. In truth, such malicious files do not contain any useful data. Similar schemes are known to target users in other countries, where instead of sending an SMS would-be victims are asked to pay for their downloads by credit card before they actually download anything.
Currently Doctor Web’s statistics server registers around 6 000 instances of detection of Tool.SMSSend.2 per 24 hours.
Copyright protection virus
Apart from the techniques listed above, criminals also attempted to intimidate torrent users. Trojan.Fakealert.14886 (as classified by Doctor Web) spread in quite large numbers over the Internet in April. In an infected system the Trojan displayed a message warning the victim that illegally obtained copyrighted content had been detected on the computer, which would result in prosecution.
Trojan.Fakealert.14886 spreads as a software installer. If a user doesn’t remove the program using standard Windows tools for adding and removing software and simply reboots the system, the Trojan will block access to the system similarly to Trojan.Winlock malware. The highest number of detections of this program was registered in Europe.
A new modification of Trojan.Winlock that warned the user of a violation of copyright law also emerged in April. It prompted users to send a paid SMS message in order to continue downloading files via torrent through a backup communication channel.
Fake anti-viruses
Fake anti-viruses with a new or updated look and feel continued their broad-scale offensive in English-speaking countries. Their spreading techniques didn’t change, while the number of detections registered by Doctor Web’s statistics server declined to 750 000 against approximately 1 000 000 in March.
Windows blockers
The rate of spreading of Trojan.Winlock in Russia also went down in April and reached 720 instances of detection per 24 hours compared with 1 300 registered in March. However, the number of new modifications of Trojan.Winlock increased. Doctor Web’s technical support received requests related to such Trojans on a daily basis.
Dialler for smart phones
Virus analysts registered the spread of the WinCE.Dialer.1 malicious program, which targeted pocket PCs running Windows Mobile. Once installed, it started making calls to paid phone numbers registered in different countries.
The program springs into action 48 hours after a successful infection of the system. WinCE.Dialer.1 spreads as a supposed game for pocket PCs.
The share of malicious programs in e-mail traffic scanned by Dr.Web software in April 2010 increased by 28 %. The share of malicious files among all files scanned on user machines increased by 2.12. The figures show that in April criminals mainly focused on spreading malware over infected web-sites, using PDF, Flash and browser exploits and other techniques rather than e-mail.
Malware detected in mail traffic in April
01.03.2010 00:00 - 01.04.2010 00:00
 1  Trojan.DownLoad.41551     11193316 (13.64%)
 2  Trojan.DownLoad.37236      9927963 (12.10%)
 3  Trojan.DownLoad.47256      7320678 (8.92%)
 4  Trojan.Botnetlog.zip       5865274 (7.15%)
 5  Trojan.MulDrop.40896       5147022 (6.27%)
 6  Trojan.Fakealert.5115      5100040 (6.22%)
 7  Trojan.Packed.683          4148051 (5.06%)
 8  Trojan.Fakealert.5238      3808296 (4.64%)
 9  Trojan.DownLoad.50246      2921645 (3.56%)
10  Trojan.Fakealert.5825      2484216 (3.03%)
11  Trojan.Fakealert.5437      1834890 (2.24%)
12  Trojan.Fakealert.5356      1659867 (2.02%)
13  Trojan.Fakealert.5784      1445121 (1.76%)
14  Trojan.Fakealert.5229      1338146 (1.63%)
15  Trojan.PWS.Panda.122       1332036 (1.62%)
16  Trojan.Fakealert.11956     1267041 (1.54%)
17  Trojan.Fakealert.5457      1162458 (1.42%)
18  Trojan.Siggen.18256        1106066 (1.35%)
19  Trojan.Packed.19694        1099122 (1.34%)
20  Trojan.MulDrop.46275       1058813 (1.29%)
Total scanned: 17,689,058,602
Infected: 82,042,532 (0.464%)
Malicious files detected on user machines in April
01.04.2010 00:00 - 01.05.2010 00:00
 1  Win32.HLLW.Shadow            834227 (2.84%)
 2  Trojan.AuxSpy.187            829685 (2.82%)
 3  VBS.Sifil                    525939 (1.79%)
 4  Trojan.Starter.516           438173 (1.49%)
 5  ACAD.Pasdoc                  419684 (1.43%)
 6  Win32.HLLW.Gavir.ini         364819 (1.24%)
 7  Win32.HLLW.Shadow.based      339566 (1.16%)
 8  Trojan.DownLoad.32973        330055 (1.12%)
 9  Trojan.AuxSpy.111            283554 (0.97%)
10  Trojan.AntiAV.6              231204 (0.79%)
11  Win32.HLLW.Autoruner.9410    170593 (0.58%)
12  Win32.Dref                   162827 (0.55%)
13  IRC.Apulia.1215              155887 (0.53%)
14  BackDoor.Tdss.2459           153602 (0.52%)
15  Trojan.PWS.GoldSpy.3382      148201 (0.50%)
16  Win32.HLLW.Autoruner.5555    143042 (0.49%)
17  HTTP.Content.Malformed       132141 (0.45%)
18  Win32.Alman.1                119085 (0.41%)
19  Win32.HLLW.Share             102652 (0.35%)
20  Trojan.PWS.Siggen.2674        85937 (0.29%)
Total scanned: 77,991,983,505
Infected: 22,880,659 (0.0293%)