Dr.Web Released May 2012 Virus Activity Review
OREANDA-NEWS. June 14, 2012. May 2012 was a fairly quiet month in terms of information security with no serious outbreaks registered. Nevertheless, the number of Trojan encoder victims among European users is increasing, and new threats to Android are emerging. Trojan.Matsnu.1, which encrypts files found on disks and notifies a user that their system has been blocked, became the threat of the month. A large number of systems worldwide were compromised by this Trojan horse.
According to statistics gathered by Dr.Web CureIt!, Trojan.Mayachok.1, which mimics the pages of the most popular sites, topped the list of major threats. It made up 3.73% of the total number of malware detections. Such high popularity is quite understandable. The program spreads via false file-sharing services under the guise of drivers and useful applications as well as in spam mailings. Trojan.Mayachok.1 brings a good profit to its makers by requiring users to pay for access to a particular site. To do so, the fraud victim has to enter their mobile phone number into a corresponding field, followed by a code received in a reply SMS. The user is thus subscribed to a pseudo service, and the service fee is debited from their account on a monthly basis. The online resources whose pages can be replaced by this Trojan horse include, among others, youtube.com, vkontakte.ru, vk.com, odnoklassniki.ru, and my.mail.ru.
Keeping pace with Trojan.Mayachok.1 was Trojan.Carberp (1.3% of detections), which targets online banking users. Various malicious downloaders—Trojan.SMSSend malware (1.5%), Trojan.Hosts (about 0.5%), and numerous IRC bots—were also found in relatively large numbers.
If we compare these statistics with those for the previous month, we can see that the number of infections by Trojan.Mayachok.1 increased by 1.36%. In May, detections of this malware increased by 10,500. Yet the number of Trojan.Carberp detections decreased by almost a quarter. Incidents involving systems infected by Trojan.Hosts malware, which modifies the Windows\System32\drivers\etc\hosts file containing DNS server addresses, increased only slightly. Trojan.Hosts.5858 is one of the most widespread variants; its mass distribution abroad was mentioned in one of our recent news posts.
The Trojan is spread via the BackDoor.Andromeda botnet. When trying to visit a popular online resource, such as Facebook, Google, Yahoo, etc., a browser in the infected system is automatically redirected to a webpage specially created by attackers to display a message in German stating that Internet access has been blocked. To resolve the issue, the user is prompted to provide virus writers with their banking card details.
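A defender-side check for the hosts-file modification described above, as an added example that is not part of the original review or of Dr.Web's products: it parses hosts-file content and flags well-known names that are pointed at a routable address rather than a harmless blocking entry. The sample hosts content and the watched-domain list are constructed for the example.

```python
import ipaddress

# Added example (not Doctor Web code): flag hosts-file lines that point
# well-known sites at a routable address, the change Trojan.Hosts makes.
# Constructed sample: two stock lines, two injected redirects, one blackhole.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.facebook.com facebook.com   # injected
198.51.100.23   www.google.com
0.0.0.0         ads.example.net
"""

# Base domains whose redirection is suspicious (names cited in the review).
WATCHED = {"facebook.com", "google.com", "yahoo.com"}

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and junk."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:  # malformed address column
            continue
        for name in parts[1:]:
            yield ip, name.lower().rstrip(".")

def watched_domain(name):
    """Return the watched base domain that name equals or sits under, else None."""
    for dom in WATCHED:
        if name == dom or name.endswith("." + dom):
            return dom
    return None

def find_redirects(text):
    """Return [(hostname, ip)] for watched names mapped to a real address.
    Loopback and 0.0.0.0 mappings are harmless blocking entries and skipped."""
    hits = []
    for ip, name in parse_hosts(text):
        if watched_domain(name) and not (ip.is_loopback or ip.is_unspecified):
            hits.append((name, str(ip)))
    return hits
```

On a live system the same function can be run over the contents of the real hosts file; any hit for a domain the user did not deliberately redirect warrants a closer look at the machine.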
The number of other threats detected in the past month remained the same.
The malicious script Trojan.SMSSend.2856, which redirects browsers to bogus sites, became the leader among malware found in mail traffic. Other malicious programs found in mailings include Trojan.Mayachok.1 and Trojan.Carberp. The Win32.HLLW.Shadow worm (also known as Kido) is often found in e-mail attachments; this program can download a variety of applications from remote servers and install and run them on the compromised machine. Various Trojan downloaders and the rootkit Trojan.NtRootKit.6725 are also often attached to messages. It should be noted that, compared with April 2012, the volume of malicious attachments in e-mail messages decreased slightly, while the set of malware families enclosed with e-mails remained the same.
Discovered in early April by Doctor Web's virus analysts, the BackDoor.Flashback.39 botnet encompassed more than 800,000 Apple computers running Mac OS X. It still exists, although the total number of infected machines has decreased markedly and is still declining. At the beginning of May, the number of bots in the network declined to 529,355. As of May 24, the network consisted of 331,992 infected hosts, while the average daily number of new joiners was 110. This figure also went down steadily through the month. The graph below shows how the total number of BackDoor.Flashback.39 bots changed through May 2012.
In April, Doctor Web reported the discovery of a large botnet created by hackers using the Win32.Rmnet.12 file infector: even then it encompassed more than a million infected computers located mostly in the Middle East and
As of May 29, 2012, the Win32.Rmnet.12 botnet was comprised of 2,641,855 infected machines—that is, it managed to double in size over the last month. The virus's spreading geography didn't change much: the countries most exposed to infection still include
The graph clearly shows that the average daily number of newly infected machines joining the botnet is about 25,000, and the botnet continues to grow very rapidly.
A similar situation exists with respect to another botnet closely monitored by Doctor Web's virus analysts, the Win32.Rmnet.16 botnet. In early May, we reported that the number of infected hosts (as of May 11, 2012) had reached 55,310, and that the largest share of them was located in the
The graph clearly indicates that new infected machines join the Win32.Rmnet.16 network at a varying rate, but their total number is gradually increasing.
The threat of the month: Trojan.Matsnu.1
A large number of systems around the world were compromised by this Trojan horse: numerous requests for technical support came to Doctor Web from many European countries, especially from
Written in assembly language, the Trojan is distributed as a zipped executable file attached to e-mail spam messages whose subject mentions the name of the recipient. If the user opens the archive and runs the application, the Trojan encrypts files found on disks and shows a message saying that the system is blocked or has been infected with an encoder Trojan. Criminals ask users not to turn off the computer to avoid data loss. Virus writers prompt victims to use one of the most common European payment systems to pay to get their files restored.
While displaying the message, the Trojan also stands by for commands from a remote control center. Trojan.Matsnu.1 can receive the following directives:
System kill (delete all files on hard drives)
Download a specified program from a bogus site and run it
Download other images to show in a dialog box
Save a downloaded file on the disk and run it as a background process
Decrypt files (a decryption key is received from the criminals' site along with the directive)
Encrypt the files again using a newly generated key
Update the control server list
Update the Trojan main module
Given the wide range of options available in the Trojan's payload, it is hard to overestimate its harmful potential. A large number of users in Europe and
Threats to Android
The last month of spring was also marked by the emergence of new threats to Google Android. In early May, we warned users about Trojan horses that pose a threat to rooted phones. These malicious programs use a nesting-doll scheme: a modified application incorporates an encrypted apk file. The Trojans install a downloader that can retrieve and run other applications on the infected device.
In addition, a malicious application for Android dubbed Android.Proxy.1.origin was discovered in May. It spreads under the guise of a system upgrade from compromised sites. The Trojan runs a simple proxy server on the infected device, thus providing hackers with unauthorized access to private networks to which the device is connected. The Trojan download starts automatically when one visits a compromised site with an embedded hidden IFRAME; however, the user must install the application for the mobile device to become infected.
Windows lockers and encoders
A significant portion of requests from users received by Doctor Web's technical support service in May concerned blocker programs — 21.2% of the total. This number decreased slightly compared with April; the number of requests for the decryption of files compromised by Trojan.Encoder programs went down, too, and reached 0.71%. Requests concerning other virus threats in the past month amounted to 5.3% of the total.