OREANDA-NEWS. December 13, 2010. In November cyber-criminals demonstrated even greater creativity than before. As a result, anti-virus vendors and users were confronted with new fraud techniques involving bootkit technologies. New modifications of encoder Trojans targeted European users. Criminals seeking the biggest gains attacked online banking systems.

Windows boot blocker

As soon as Trojan.MBRlock.1 appeared in the wild in November, it was employed by cyber-fraudsters. This malicious program is unlike any other malware used to implement fraud schemes.

It bypasses the UAC protection mechanism, so its installation goes unnoticed by users. Once installed, the Trojan writes its code into the MBR and into other nearby disk sectors.

The code, written to the MBR, loads information from the neighbouring disk sectors. The result is a message to users demanding that they pay USD 100 to unlock their systems.

The message also informs a user that all of the files located on all of the computer's disks are encrypted. This is not true.

In any event curing the Trojan-compromised system can't be done from inside the system since it wouldn't boot.

Entering a correct password restores the MBR after which the installed operating system boots normally.

Currently several modifications of Trojan.MBRlock.1 are known, but Dr.Web detects them as the same piece of malware.

To cure the system, enter an ekol or jail unlock code. If neither works, contact the free Doctor Web technical support service for victims of cyber-fraud.

Certain modifications of Trojan.MBRlock.1 had been detected by the Dr.Web heuristic analyzer as MULDROP.Trojan before a corresponding entry was added to the Dr.Web virus database. Dr.Web users were protected from the Trojan even when no virus definitions for this malicious program were available.

New Trojan encoder

Encoder Trojans drew the public's attention once again in November. This time criminals targeted European users.

Trojan.Encoder.88 uses the AES-256 encryption algorithm to encrypt documents in many popular formats which complicates decryption. The resulting number exceeds the number that ends in 77 zeros.

A unique encryption key is generated for each compromised machine. It is encrypted using the RSA algorithm and saved to a disk as a text file.

Origins Tracing technology enabled Dr.Web to detect Trojan.Encoder.88 as Trojan.Encoder.origin even before an entry for this program was added to the database.

Fraud in November: winlocks returned

In November the free technical support service received around 4,700 requests from cyber-fraud victims which constituted 42% of all requests. The daily average of requests amounted to 146 which exceeded the October figure by one third.

Trojan.Winlock became the most widely spread malicious program used for fraud (73% of all requests). A significant number of fraud incidents were related to Trojan.Hosts that blocked access to popular web resources.

Criminals also changed routines for converting their profit into actual money. Malicious programs demanding that users send paid short messages were less popular in November, and the number of requests related to such programs reached only 31% of the total. Meanwhile the option that involves paying criminals via terminals became more appealing to fraudsters (60% of all requests).

Banking Trojans on the offensive

November saw the emergence of new Trojans targeting users of online banking systems, both individuals and businesses.

In particular, several modifications of Trojan.PWS.Ibank.213 were added to the Dr.Web virus database.

Variations of the Trojan serve as containers of malicious payloads. Their most harmful feature is their ability to disable security software components. The Trojan can detect whether it is being launched in a virtual environment where it can be safely analyzed. Disabling the system restore service is also among its malicious capabilities.

To collect the information required to access bank accounts online, the Trojan intercepts certain system routines as well as functions of online banking systems, and stores information entered by a user with a keyboard. The fact that Trojan.PWS.Ibank.213 can communicate with a remote server, and download and launch executable files, shows that systems compromised by this program become nodes of a botnet.

November 2010 showed that criminals can make use of various malicious programs to accomplish a wide variety of tasks. When it comes to neutralizing them, anti-viruses capable of protecting a system from all kinds of malware and of curing it proved to be the most efficient. Yet, it is users who still remain the weakest element of the computer defense system. Doctor Web would like to emphasize once again that following basic information security rules dramatically reduces the probability of system infection.

Viruses detected in e-mail traffic in November

 01.11.2010 00:00 - 01.12.2010 00:00 

1

Trojan.DownLoader.62844

887472 (16.61%)

2

Trojan.DownLoad1.58681

560304 (10.49%)

3

Trojan.Packed.20878

409498 (7.67%)

4

Win32.HLLW.Texmer.51

386408 (7.23%)

5

Win32.HLLM.Netsky.18401

317070 (5.93%)

6

Trojan.Oficla.zip

296642 (5.55%)

7

Win32.HLLM.MyDoom.33808

270438 (5.06%)

8

Trojan.Packed.20312

246743 (4.62%)

9

Trojan.DownLoad.41551

231569 (4.33%)

10

Trojan.Oficla.38

139866 (2.62%)

11

Win32.HLLM.Netsky.35328

121814 (2.28%)

12

Trojan.AVKill.2788

103700 (1.94%)

13

Win32.HLLM.Beagle

98470 (1.84%)

14

Trojan.PWS.Panda.114

90471 (1.69%)

15

W97M.Killer

74444 (1.39%)

16

Trojan.DownLoader1.17157

65832 (1.23%)

17

Trojan.PWS.Panda.387

49461 (0.93%)

18

Trojan.Oficla.73

49351 (0.92%)

19

Trojan.Oficla.48

49342 (0.92%)

20

Trojan.Botnetlog.zip

41304 (0.77%)

Total scanned:

40,984,945,769

Infected:

5,342,395

Viruses detected on user machines in November

 01.11.2010 00:00 - 01.12.2010 00:00 

1

Win32.HLLP.Neshta

7665428 (24.91%)

2

Win32.HLLP.Whboy.45

6184396 (20.09%)

3

Trojan.DownLoader.42350

2364188 (7.68%)

4

Win32.HLLP.Novosel

1644766 (5.34%)

5

Win32.HLLP.Rox

1177270 (3.82%)

6

Trojan.Click.64310

727694 (2.36%)

7

ACAD.Pasdoc

610404 (1.98%)

8

Win32.HLLM.Dref

520690 (1.69%)

9

Exploit.Cpllnk

413622 (1.34%)

10

VBS.Redlof

320729 (1.04%)

11

Trojan.WinSpy.925

284258 (0.92%)

12

Win32.HLLW.Shadow.based

278980 (0.91%)

13

Trojan.PWS.Ibank.238

252705 (0.82%)

14

HTTP.Content.Malformed

244692 (0.80%)

15

Trojan.MulDrop1.48542

183156 (0.60%)

16

Trojan.Click1.6029

180330 (0.59%)

17

Win32.Sector.22

142436 (0.46%)

18

Win32.HLLW.Kati

121106 (0.39%)

19

Trojan.DownLoad.32973

114280 (0.37%)

20

Win32.HLLW.Autoruner.5555

100817 (0.33%)

Total scanned:

92,810,136,138

Infected:

30,778,334