May 2010 saw another outbreak of Windows blockers (Trojan.Winlock, Trojan.AdultBan), many modifications of which no longer demanded that users send paid text messages. New types of Trojan.Encoder programs, in their turn, brought "fun" to a number of careless users. New bootkits were discovered during the month, and Doctor Web introduced a corresponding curing procedure in a timely manner. Fake anti-viruses (Trojan.Fakealert), meanwhile, went down in Doctor Web's statistics.
New wave of blockers
Starting on May 14, Doctor Web's statistics server registered a daily number of Windows blocker detections that exceeded the usual average. Over the four following days the daily count was several times the average of recent months, and on May 18 it reached 215000 (Trojan.Winlock and Trojan.AdultBan) against an average figure of 1500. Detections stayed high until the end of May.

Although the surge in Trojan.Winlock spreading came only in the second half of the month, the total number of their detections in May reached 920000, beating the previous record set in January 2010. The detections graph below illustrates the trend in the spreading of Windows blockers.

Blockers that do not require an SMS ransom
Since May 7, Doctor Web's technical support service has been receiving requests about Windows blockers that instructed users to pay the ransom via payment terminals rather than by SMS. In May criminals tried a variety of payment systems to collect ransoms, including WebMoney, RBKMoney and Wallet One. Dr.Web anti-viruses detect such blockers, like their standard modifications, as Trojan.Winlock programs.
In the last days of the month, however, users were typically told to transfer money to a mobile phone account. It is worth mentioning that criminals change such accounts regularly, which makes it harder for law enforcement agencies to trace them.
Trojan.Winlock programs of the new type told users that the unlock code would be printed on the terminal's receipt once the required amount was paid. However, some terminals could not process such requests or print such information. Moreover, criminals may not bother to implement printing codes on receipts at all and only want to collect as much money as possible.
These programs added to the already wide variety of Windows blockers, making their number even higher. By switching from SMS to electronic payment systems to collect money from users, criminals no longer faced the obstacles created by the joint efforts of mobile operators, SMS aggregators and law enforcement agencies.
Doctor Web publishes unlock codes on its Dr.Web Unlocker site as new modifications of Windows blockers are discovered. On the same site users can also find passwords for decrypting files compromised by some modifications of Trojan.Encoder.
Below is a gallery of screenshots showing the most notable Windows blockers found on user machines in May.
Trojan.Winlock gallery
New bootkits
In May Doctor Web's developers also discovered new bootkits (a type of rootkit that modifies a disk's boot sector and therefore launches before the operating system): Trojan.Alipop and Trojan.Hashish. The first targeted mainly Chinese users and was used to generate fake website hits. The second boot virus was designed to launch whatever components a cyber-criminal considered necessary on the system. Currently Trojan.Hashish carries malicious objects of the Win32.HLLC.Asdas family, which display banners in browser windows. The bootkit is also capable of infecting executable files.
Doctor Web's virus analysts promptly implemented a curing algorithm for the new bootkits in the Dr.Web scanner for Windows. At present few anti-virus makers create curing procedures against such malicious programs, and even fewer do so in a timely manner. Many anti-viruses on the market are unable to cure a bootkit that has compromised the very system the anti-virus runs on, while alternative system cleaning techniques can be hard for an ordinary user to carry out.
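As an added example (not Doctor Web's code and unrelated to the Trojans named above), the following Python script shows the kind of baseline integrity check a defender can run against the sector a bootkit has to rewrite: it parses a disk's Master Boot Record, hashes the boot code region and compares it with a known-good hash, and sanity-checks the partition table. The sample sectors, the baseline hash and the device paths are constructed for the example. Because an active bootkit commonly filters reads of sector 0 on the running system, the check is most trustworthy when run from clean boot media, which matches the report's point that curing from inside the compromised system is hard.

```python
"""Added example (not Doctor Web's code): baseline integrity check of a
disk's Master Boot Record (MBR), the sector a bootkit rewrites to run
before the operating system. All sample sectors below are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the boot code a bootkit replaces
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:  # empty slot
            continue
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    # The boot code is hashed on its own, so a legitimate re-partitioning does not
    # mask (or fake) a boot code replacement.
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code hash differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("expected exactly one bootable partition, found %d" % len(bootable))
    for p in info["partitions"]:
        if p["lba_start"] == 0:
            findings.append("partition of type 0x%02x starts at LBA 0" % p["type"])
    return findings


def read_live_mbr(device: str) -> bytes:
    """Read sector 0 of a raw device, e.g. r'\\.\PhysicalDrive0' (Windows) or
    '/dev/sda' (Linux). Needs administrator/root rights; not called here."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(boot_code_byte: int) -> bytes:
    """Constructed sample MBR: filler boot code plus one bootable NTFS partition."""
    boot_code = bytes([boot_code_byte]) * BOOT_CODE_LEN
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"  # signature + reserved
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 409600)
    table = entry + b"\x00" * 48  # three empty slots
    return boot_code + disk_sig + table + BOOT_SIGNATURE


# Constructed data: a "known-good" sector recorded earlier, and the same disk
# after its boot code has been overwritten while the partition table is intact.
CLEAN_MBR = build_sample_mbr(0x90)
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_sample_mbr(0xEB)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

To use it on a real machine, record `parse_mbr(read_live_mbr(...))["boot_code_sha256"]` once on a disk known to be clean and store it off-box; a later mismatch means the boot code changed, whether by a bootkit, a legitimate boot-manager install or a repair, and is worth investigating either way.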
Fake anti-viruses dwindle
Even though the number of Trojan.Fakealert detections tended to go down through May, this only means that criminals decided to pursue efficiency through quality rather than quantity. Guides for neutralizing fake anti-viruses published on European anti-malware resources are getting more complex; criminals, however, also read such guides, and subsequent versions of fake anti-viruses present users with new challenges. This arms race resembles the spreading and neutralization of Windows blockers in the Russian segment of the Internet.
Below is another gallery of screenshots showing the most common fake anti-viruses of the past month.
Trojan.Fakealert gallery
Encoders
Several new modifications of Trojan.Encoder programs, which encrypt user data, and their construction kits appeared in May. From May 15 to 17 a surge in the spreading of encoders was detected. These programs were based on the same engine and offered victims the choice of contacting criminals over ICQ or sending a paid SMS. Their average number of detections per 24 hours reached 1300 – 1900 during those days, while normally the figure doesn't exceed 500.
Some Trojan.Encoder modifications were designed specifically to discredit Doctor Web. They set compromised systems to display encrypted files with Dr.Web icons, and virus makers used the Dr.Web name as the title of their programs in the texts shown to victims.
Doctor Web recommends that users stay vigilant and contact Doctor Web's virus laboratory if they have any problems with encoder Trojans. The measures Doctor Web has taken to help users against such programs drove criminals to these attempts to damage Doctor Web's reputation.


The share of malicious programs among all files scanned by Dr.Web software in May 2010 went down significantly, both in mail traffic and among files on user machines. The decline can be attributed to the lower number of fake anti-viruses (they dropped out of the mail-traffic malware TOP20) as well as to lower activity of the largest botnets.
Malicious files detected in mail traffic in May (01.05.2010 00:00 - 01.06.2010 00:00)
 1  Trojan.Botnetlog.zip          112576 (22.36%)
 2  Win32.HLLM.MyDoom.54464        95952 (19.05%)
 3  Trojan.Winlock.1651            49108 (9.75%)
 4  Win32.HLLW.Shadow.based        43598 (8.66%)
 5  Trojan.DownLoad.37236          19956 (3.96%)
 6  Win32.HLLW.Autoruner.4360      16815 (3.34%)
 7  BackDoor.Siggen.17777          14187 (2.82%)
 8  Trojan.Oficla.45               12008 (2.38%)
 9  Trojan.MulDrop.64815            8296 (1.65%)
10  JS.Click.136                    6842 (1.36%)
11  BAT.Lucky.2671                  6301 (1.25%)
12  Win32.HLLW.Kati                 6181 (1.23%)
13  Win32.HLLM.Netsky.18401         6056 (1.20%)
14  Trojan.MulDrop.55238            5556 (1.10%)
15  Win32.HLLM.Netsky.35328         5447 (1.08%)
16  Win32.HLLM.Netsky.based         5314 (1.06%)
17  Win32.HLLM.Netsky               4859 (0.96%)
18  Trojan.DownLoad1.55035          4034 (0.80%)
19  Exploit.PDF.820                 3936 (0.78%)
20  Trojan.DownLoad1.54042          3928 (0.78%)
Total scanned: 8,016,805,833
Infected: 503,569 (0.00628%)
Malicious files detected on user machines in May (01.05.2010 00:00 - 01.06.2010 00:00)
 1  Trojan.PWS.Webmonier.364     3224492 (13.66%)
 2  ACAD.Pasdoc                   741227 (3.14%)
 3  Win32.HLLW.Shadow             664019 (2.81%)
 4  Win32.HLLM.Dref               659756 (2.80%)
 5  VBS.Sifil                     507591 (2.15%)
 6  Win32.HLLP.Neshta             370930 (1.57%)
 7  Trojan.WinSpy.641             364950 (1.55%)
 8  Win32.HLLP.Jeefo.36352        323031 (1.37%)
 9  Win32.HLLW.Shadow.based       318348 (1.35%)
10  Trojan.Winlock.1678           306182 (1.30%)
11  Win32.HLLW.Autoruner.21042    243231 (1.03%)
12  Win32.HLLW.Gavir.ini          222372 (0.94%)
13  Trojan.Winlock.1686           191359 (0.81%)
14  Win32.HLLW.Autoruner.5555     170284 (0.72%)
15  Trojan.DownLoad.32973         165409 (0.70%)
16  Win32.HLLP.PissOff.36864      156540 (0.66%)
17  Trojan.Inject.8798            132271 (0.56%)
18  Trojan.Winlock.1793           122261 (0.52%)
19  Win32.Virut.5                 113156 (0.48%)
20  DDoS.Pamela                   110075 (0.47%)
Total scanned: 855,347,743,950
Infected: 23,604,815 (0.00276%)