The main topic of the month was the activity of Win32.Induc, a virus that infects the Delphi development environment. Although it has no pronounced malicious payload, this virus nevertheless carries capabilities that are very enticing to potential attackers.
Alongside programming environments, last month virus writers continued to exploit the reach of social networks and proven social engineering techniques. New schemes for spreading malware and spam were also used, in particular having infected users solve CAPTCHAs so that the attackers can register on various web resources. The growing popularity of VoIP telephony also has a "dark side": attackers have turned this trend against users.
Delphi and other programming environments under attack

For several months Win32.Induc has been spreading; it infects installed versions of Delphi 4 through 7 inclusive. It modifies one of the libraries used when building projects, so every program built in a modified Delphi installation is itself infected with Win32.Induc. The virus causes no visible harm to the infected system; its only malicious function is self-propagation. But nothing prevents criminals from using this method in the future to spread malicious programs. Despite the "harmlessness" of Win32.Induc, Doctor Web regards it as a potential threat and already offers a cure for it.

Win32.Induc managed to spread widely because users received it together with legitimate, trusted programs built in an infected Delphi environment. As a result, once most antivirus vendors added Win32.Induc to their virus databases, those programs were blocked, causing inconvenience to both users and developers. However, after vendors added database records that allow infected files to be cured, a sharp decline in the activity of this malicious program was observed.

In August a similar malicious program was also found: ACAD.Siggen. Unlike Win32.Induc, it is distributed as a module written in Visual Lisp, the development environment used in Autodesk AutoCAD computer-aided design. ACAD.Siggen infects AutoCAD files opened on an infected system, because it runs together with AutoCAD.
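Both Win32.Induc and ACAD.Siggen work by modifying a file of the build or design environment itself, so every output built afterwards is tainted. Hashing the build outputs does not help, because they legitimately change with every build; what a defender can pin down is the toolchain's library directory. The following added example (not Doctor Web's code; the library directory, file names and contents are constructed) records a SHA-256 manifest of a toolchain library directory and later reports which files were modified, added or removed:

```python
"""Baseline-and-compare integrity check for a build toolchain's library
directory. Added example; directory layout, file names (.dcu is Delphi's
compiled-unit extension, but these files are constructed) and contents
are assumptions, not taken from the review."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large libraries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(lib_dir) -> dict:
    """Map every file under lib_dir (path relative to it, '/'-separated) to its SHA-256."""
    root = Path(lib_dir)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences between a trusted baseline and the current state."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def save_manifest(manifest: dict, path) -> None:
    """Persist the baseline; in practice store it where the build user cannot write."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Create a pristine library directory, record a baseline, then tamper with
    one unit and drop an extra file the way a toolchain infector would."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "Lib"
        lib.mkdir()
        (lib / "Example.dcu").write_bytes(b"original compiled unit")   # constructed
        (lib / "Other.dcu").write_bytes(b"another compiled unit")      # constructed
        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(lib), baseline_path)

        # Constructed tampering: one library unit replaced by a modified copy,
        # plus an unexpected new file.
        (lib / "Example.dcu").write_bytes(b"original compiled unit + injected code")
        (lib / "Extra.dcu").write_bytes(b"dropped file")

        return compare_manifests(load_manifest(baseline_path), build_manifest(lib))


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken from a known-clean installation (for example right after installing from original media) and kept somewhere the build account cannot modify; a check run before each release build then turns a silent toolchain modification into a visible "modified" entry.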
Foreign social networks: a paradise for virus writers

Given the continuing growth in popularity of the microblogging service Twitter and of the well-known foreign social network Facebook, these services continue to attract criminals. Unfortunately, users' trust in messages containing tempting offers to visit external resources remains high.

In August 2009 the long-known family of viruses Win32.HLLW.Facebook began to offer users "work" for cybercriminals in a very sophisticated way. As before, the virus lures the user through various social network posts to a fake resource that looks very similar to a legitimate one, from which a supposed codec for viewing a video is downloaded. If the user runs the downloaded executable file, infection occurs. What is interesting here is a new trend in deception technology. As is known, many web services protect themselves against automated registration of users and against spam sent on behalf of their users. For this purpose various techniques are used to confirm that a message is sent by a person and not by software.

The check most often used is a CAPTCHA: a mechanism in which the user must enter a randomly generated sequence of characters presented as an image.

In the latest versions of the worm Win32.HLLW.Facebook a curious module appeared, Win32.HLLW.Facebook.194, which solves CAPTCHAs using the efforts of the affected user. The purpose of this module is to force the user to enter the "right" combination of characters and send the result to a malicious server. After a CAPTCHA task is received from the remote server, a window with an input field pops up on the infected computer, and the system is blocked until the user responds. Thanks to the deceived user's actions, attackers are able to create accounts on various web services for sending spam and new phishing messages.
Another way of misusing social networks has been to send botnet control commands in the messages of a Twitter account. The commands were encoded as bit.ly links (a link-shortening service) leading to resources hosting malicious components. An infected computer received the commands by reading the RSS feed of the corresponding Twitter account. A similar scheme is used by Trojan.PWS.Finanz.410.

Disguising botnet control commands was also seen on another microblogging service, Jaiku. The technology is the same: encoded messages in the form of shortened links leading to malware, with control commands received via RSS feed.

Such schemes are attractive to intruders primarily because the traffic can be disguised as legitimate network traffic and is difficult to detect. Twitter also allows the creation of private accounts whose content is available only to a limited number of users, which can make it harder to detect such accounts and block them promptly.
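Because the bot's traffic is ordinary HTTP to Twitter, Jaiku and bit.ly, a single request is indistinguishable from a user browsing. What a defender can look for is the sequence the review describes: a client fetches a microblog RSS feed and, moments later, follows a shortened link, and does so on a regular cadence. The following added example (not Doctor Web's code; the proxy log format, host lists, time window and all log lines are constructed) correlates feed fetches with subsequent shortener requests per client and separately reports clients that poll the same feed repeatedly:

```python
"""Detection over constructed proxy log lines: a client fetching a
microblog RSS feed and then a shortened link within a short window, and
clients polling the same feed repeatedly. Added example; the log format
'<iso-timestamp> <client> <method> <url>' and the thresholds are assumptions."""
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlparse

MICROBLOG_HOSTS = {"twitter.com", "jaiku.com"}  # services named in the review
SHORTENER_HOSTS = {"bit.ly"}                     # shortener named in the review
WINDOW = timedelta(seconds=30)                   # assumed feed-to-shortlink gap

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line: str):
    """Return (timestamp, client, method, url) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    return datetime.fromisoformat(ts), client, method, url


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_feed_fetch(url: str) -> bool:
    """A request for an RSS feed on one of the microblogging hosts."""
    path = urlparse(url).path.lower()
    return host_of(url) in MICROBLOG_HOSTS and (path.endswith(".rss") or "/rss" in path)


def correlate(lines) -> list:
    """Alert when a client requests a shortener host within WINDOW of its
    most recent microblog feed fetch."""
    last_feed = {}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, _, url = rec
        if is_feed_fetch(url):
            last_feed[client] = (ts, url)
        elif host_of(url) in SHORTENER_HOSTS and client in last_feed:
            feed_ts, feed_url = last_feed[client]
            if ts - feed_ts <= WINDOW:
                alerts.append({"client": client, "feed": feed_url, "shortlink": url,
                               "delay_s": (ts - feed_ts).total_seconds()})
    return alerts


def polling_clients(lines, min_fetches: int = 3) -> list:
    """(client, feed_url, count) for feeds a client fetched at least min_fetches times."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_feed_fetch(rec[3]):
            counts[(rec[1], rec[3])] += 1
    return sorted((c, u, n) for (c, u), n in counts.items() if n >= min_fetches)


# Constructed sample log: 10.0.0.5 behaves like the bot, 10.0.0.7 and 10.0.0.9 do not.
SAMPLE_LOG = [
    "2009-08-20T10:01:02 10.0.0.5 GET http://twitter.com/statuses/user_timeline/cnc_account.rss",
    "2009-08-20T10:01:05 10.0.0.5 GET http://bit.ly/abc123",
    "2009-08-20T10:02:00 10.0.0.7 GET http://example.invalid/news",
    "2009-08-20T10:02:03 10.0.0.7 GET http://bit.ly/def456",
    "2009-08-20T10:03:00 10.0.0.9 GET http://jaiku.com/feed/rss",
    "2009-08-20T10:06:02 10.0.0.5 GET http://twitter.com/statuses/user_timeline/cnc_account.rss",
    "2009-08-20T10:11:02 10.0.0.5 GET http://twitter.com/statuses/user_timeline/cnc_account.rss",
    "2009-08-20T10:11:06 10.0.0.5 GET http://bit.ly/ghi789",
    "2009-08-20T10:20:00 10.0.0.9 GET http://bit.ly/jkl012",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print("feed-then-shortlink:", alert)
    print("polling:", polling_clients(SAMPLE_LOG))
```

Neither signal is conclusive on its own (people do follow bit.ly links from their timelines), which is why the two are reported separately: a machine that polls one feed at fixed intervals and resolves a shortened link right after each fetch is worth a closer look, a single coincidence is not.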
Not all updates are alike: a threat to Mozilla Firefox users

The topic of fake sites continues with the malicious program Adware.FF.1, an advertising module that causes trouble for fans of the Mozilla Firefox browser.

Nowadays, with attackers constantly discovering vulnerabilities in popular software, the manufacturers of these programs are forced to release updates regularly and to offer them persistently to users. Many have become accustomed to a large number of proposed updates for the operating system, antivirus, browsers and even text editors. Attackers decided to take advantage of the frequent updates from Adobe: Adware.FF.1 is distributed under the guise of a fake update for Adobe Flash Player. The resource from which the malware spread looks very similar to the original Adobe site. In addition, the domain name of the fake site is also designed to lull users, and links from some of its sections lead to the original resource. Once the fake update is launched, the Adware.FF.1 advertising module installs a plugin for the Mozilla Firefox browser whose task is to substitute content in Google search results.

A "relative" of this virus, Adware.FF.3, includes the original Adobe Flash Player installer inside its own installer so as not to arouse users' suspicion.
Virus included

It is not the first time that virus writers have used the heightened interest in the release of new versions of popular programs. Thus, with the release of Apple's office suite iWork '09, a distribution containing a Trojan from the Mac.Iservice family was actively disseminated. This time virus writers decided to exploit the heightened attention to Mac OS X Snow Leopard. Infected distributions of the OS are known to have spread through popular torrent trackers; they contain a virus from the Mac.DnsChange family which, when activated on a computer, substitutes DNS requests while the user works with a browser.
Telephony in the service of cybercrime

Another important event at the end of August 2009 was the appearance of the proof-of-concept Trojan Trojan.SkypeSpy, whose aim is to capture the audio stream of the popular Skype program. The intercepted calls are recorded directly to an mp3 file. The source code of Trojan.SkypeSpy became public, which may lead to the emergence of many new modifications of this Trojan. However, Doctor Web's specialists suggest that its distribution will be local rather than mass, because interception of communications in a business environment for the purpose of espionage is commercially viable, whereas pervasive "surveillance" of Skype users is not.

This program proves once again that any technology or service that achieves mass adoption attracts the attention of cybercriminals.

"Receipt" botnet

Since August 2009, activity of the Trojan Trojan.Botnetlog.11 has been observed; it spreads under the guise of e-mail "receipts". To make the user open this "receipt", the letter states that an e-mail message the user allegedly sent could not be delivered because of an incorrectly specified address. A ZIP file is attached to the letter, which Dr.Web detects as Trojan.Botnetlog.11.

Notably, practically every new mailing delivers to users a modified version of the Trojan packed with a specific packer. But Dr.Web technologies allow new variants of Trojan.Botnetlog.11 to be added automatically by the virus laboratory, which significantly raises the quality of user protection against this type of threat. Later versions of the malware are detected by Dr.Web as Trojan.DownLoad.45107.
Phishing site included

In August 2009 a form of phishing became widespread in which the form designed to collect the user's private data is attached to the phishing e-mail directly as an HTML file. As the fraudsters intend, the user opens this file in a browser, fills in the form and presses the confirmation button, whereupon the data is sent to a prepared server.

This scheme greatly simplifies the organisation of fraud, because it does not require creating fake sites that may soon be shut down. Shutting down the servers that receive the collected private data is also harder, since demonstrating a server's involvement in this scheme is more complicated than with classic phishing. A similar scheme was used in August against users of the PayPal payment system and USAA Bank.
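The "receipt" mailing above (a ZIP attachment carrying the Trojan) and the HTML-attachment phishing just described can both be caught at the mail gateway by looking inside the attachment rather than at the message text. The following added example (not Doctor Web's code; the message, attachment names, the collecting host and the list of executable extensions are constructed) triages a raw message and reports ZIP attachments that contain executables and HTML attachments whose form posts to an external server:

```python
"""Mail-gateway triage for two attachment patterns described in the review:
a ZIP containing an executable and an HTML file whose <form> posts off-site.
Added example; the sample message and every name in it are constructed."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")  # assumed list


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> in an HTML document."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            for name, value in attrs:
                if name == "action" and value:
                    self.actions.append(value)


def zip_executables(data: bytes) -> list:
    """Names of executable members in a ZIP; [] if not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
    except zipfile.BadZipFile:
        return []


def external_form_actions(html: str) -> list:
    """Form actions that point at an absolute http(s) URL, i.e. an outside server."""
    collector = FormActionCollector()
    collector.feed(html)
    return [a for a in collector.actions if urlparse(a).scheme in ("http", "https")]


def triage(raw: bytes) -> list:
    """Return (finding, attachment_name, details) for each suspicious attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        if name.lower().endswith(".zip") or ctype == "application/zip":
            exes = zip_executables(payload)
            if exes:
                findings.append(("zip_with_executable", name, exes))
        if name.lower().endswith((".htm", ".html")) or ctype == "text/html":
            actions = external_form_actions(payload.decode("utf-8", "replace"))
            if actions:
                findings.append(("html_form_posting_offsite", name, actions))
    return findings


def build_sample() -> bytes:
    """Constructed message carrying both attachment types (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "mailer-daemon@example.invalid"   # placeholder sender
    msg["To"] = "user@example.invalid"              # placeholder recipient
    msg["Subject"] = "Delivery failure: receipt attached"
    msg.set_content("Your message could not be delivered; see the attached receipt.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("receipt.exe", b"MZ placeholder, not a real executable")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="receipt.zip")
    html = ('<html><body><form action="http://collector.example.invalid/submit" '
            'method="post"><input name="card"></form></body></html>')
    msg.add_attachment(html.encode(), maintype="text", subtype="html",
                       filename="confirm.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Checking the archive's member names rather than the outer file name matters for the "receipt" mailing, where each wave is repacked with a different packer: the ZIP container and the `.exe` inside it stay constant even when the executable's bytes do not. For the HTML form, the decisive signal is an absolute action URL, since a legitimate form in a saved page would normally post to the same site it came from.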
A slightly different scheme was used in a phishing mailing supposedly from the administration of the Yandex.Dengi (Yandex.Money) system. The letter was created in HTML format and its body contained a button; clicking it took the user to a phishing site. The script code executed when the button is pressed once again used a link-shortening service.

Classic phishing attacks were observed against customers of Ally Bank, Bank of America, Chase Bank, Key Bank and SunTrust Bank, as well as against participants of the eBay online auction and users of the PayPal payment system.
Conclusions

Win32.Induc, which became the main virus event of the month, generated much discussion about whether a virus that causes no apparent harm needs to be detected and cured at all. Win32.Induc should be treated as a distribution method that attackers can use in the future when creating malware.

Foreign social networks remain in the focus of virus writers. Cybercriminals are developing new, more sophisticated schemes for using them; an example is botnet management via the RSS feed of a Twitter account. Alas, the naivety of social network users continues to play into cybercriminals' hands.

The scheme used by hackers to force users to solve CAPTCHAs is interesting. It seems that such a scheme will be met again and again, because CAPTCHA protection against automated registration is used everywhere, and automated solving methods are being perfected by virus writers.

The availability of the source code of Trojan.SkypeSpy suggests that new malicious programs are likely to appear which use this scheme to intercept users' Skype conversations and transfer them to a malicious server. Ordinary Skype users are threatened to a lesser extent than those who use this means of communication for conducting important negotiations.