March 1, 2010
Windows blockers
Joint efforts of Doctor Web, law enforcement organizations, telecom operators, short number aggregators and wide public awareness of the Trojan.Winlock problem allowed reducing the number of infected machines to figures comparable to the number registered when the epidemics began in November 2009. While in January the number of detections of Trojan.Winlock registeredper day could exceed 100 000, in February the figure dropped to several thousands per twenty-four hours.
In spite of the sharp decline, dozens of thousands of users in Russia and Ukraine fall victims of the Trojan on a daily basis.
In the last two weeks of February a new browser blocking extortion scheme became widely popular. Going to a malicious web-page brought up a pop-up window that wouldn’t close unless an “activation code” was entered. The code is provided for a paid SMS. Even though this problem can be solved quite easily (stop the browser process using the task manager or force a system reboot), the number of people fallen victims of this scheme still increases among users of Windows as well as among people that use Mac OS.
Fake anti-viruses
In February cyber-criminals more often resorted to fraud schemes involving sites promoting fake anti-viruses to Internet users from Russian and other CIS countries. Links to such sites are spread over e-mail, compromised ICQ accounts and using contextual advertising on web search results pages and in social networks. Access to such web-sites is blocked by the Dr.Web Parental control.
 |
 |
Along with online fake anti-viruses Russian users were sometimes offered a customary Trojan.Fakealert. In such cases they were persuaded to download and install a fake anti-virus that imitated a scanning procedure and after that offered a user to send a paid short message.
 |
 |
Even though Trojan.Fakealert target group included Russian-speaking users, the highest number of victims of the fraud was found among speakers of English. Trojan.Fakealert offers a victim to pay 50 U.S. dollars for the fake anti-virus with a credit card. The offer to purchase a full version of the supposed anti-virus can be displayed in a browser window as well as using the fake anti-virus’s interface. Statistics regarding Trojan.Fakealert for the last six months shows a rapid growth in number of samples of the malware found in the wild started in October 2009. Doctor Web’s statistics server registers a huge number of detections of fake anti-viruses by Dr.Web solutions every 24 hours. And the top 20 of most widely spread malicious programs in February included 8 modifications of Trojan.Fakealert.
 |
 |
New Internet fraud scheme
A new fraud scheme used for money laundering lures users into giving away their mobile phone numbers in order to subscribe to a certain service. An SMS reply provides a would-be subscriber with an activation code where the contents usually have nothing to do with the topic to which the web-site is related. By entering the code a user signs up for a service. The service fee is debited from the user’s account on a daily basis without any warning. The withdrawn amount is small, so a user may fail to notice that something is wrong right away. Besides, terminating such a subscription may be difficult and require a paid SMS to be sent.
 |
 |
The number of malicious programs in e-mail traffic increased four times in February compared to the previous month. This dramatic surge was mainly caused by a growing number of fake anti-viruses and their downloaders in e-mail attachments. The number of malicious files among all files scanned on user machines increased by 24% in February thus reaching the figure registered in December 2009.
Malicious programs detected in mail traffic in February
| 01.02.2010 00:00 – 01.03.2010 00:00 | ||
| 1 | Trojan.DownLoad.37236 | 13268129 (12.99%) |
| 2 | Trojan.DownLoad.47256 | 9134010 (10.07%) |
| 3 | Trojan.DownLoad.41551 | 8884635 (9.80%) |
| 4 | Trojan.MulDrop.40896 | 6453617 (7.12%) |
| 5 | Trojan.Fakealert.5115 | 6387160 (7.04%) |
| 6 | Trojan.Botnetlog.zip | 5901875 (6.51%) |
| 7 | Trojan.Packed.683 | 5227906 (5.76%) |
| 8 | Trojan.Fakealert.5238 | 4784832 (5.28%) |
| 9 | Trojan.DownLoad.50246 | 3684616 (4.06%) |
| 10 | Trojan.Fakealert.5825 | 3130816 (3.45%) |
| 11 | Trojan.Fakealert.5437 | 2289040 (2.52%) |
| 12 | Trojan.Fakealert.5356 | 2074904 (2.29%) |
| 13 | Trojan.Fakealert.5784 | 1794312 (1.98%) |
| 14 | Trojan.PWS.Panda.122 | 1683685 (1.86%) |
| 15 | Trojan.Fakealert.5229 | 1668784 (1.84%) |
| 16 | Trojan.Fakealert.5457 | 1462032 (1.61%) |
| 17 | Trojan.Siggen.18256 | 1388200 (1.53%) |
| 18 | Trojan.MulDrop.46275 | 1329338 (1.47%) |
| 19 | Win32.HLLM.MyDoom.54464 | 1180755 (1.30%) |
| 20 | Trojan.Proxy.7778 | 915616 (1.01%) |
| Total scanned: | 30,893,462,045 |
| Infected: | 90,692,324 (0.294%) |
Malicious programs detected on user machines in February
| 01.02.2010 00:00 – 01.03.2010 00:00 | ||
| 1 | VBS.Redlof | 4183128 (21.44%) |
| 2 | Trojan.DownLoader.based | 3130742 (16.05%) |
| 3 | Trojan.AuxSpy.111 | 1182739 (6.06%) |
| 4 | Win32.HLLW.Gavir.ini | 949089 (4.86%) |
| 5 | Win32.Dref | 790282 (4.05%) |
| 6 | Trojan.WinSpy.440 | 633507 (3.25%) |
| 7 | Trojan.AuxSpy.137 | 560187 (2.87%) |
| 8 | Win32.HLLW.Shadow.based | 349694 (1.79%) |
| 9 | VBS.Generic.548 | 347960 (1.78%) |
| 10 | VBS.Sifil | 259869 (1.33%) |
| 11 | Trojan.DownLoad.32973 | 251364 (1.29%) |
| 12 | Win32.Alman.1 | 240227 (1.23%) |
| 13 | Win32.HLLW.Shadow | 240103 (1.23%) |
| 14 | Trojan.Packed.666 | 187657 (0.96%) |
| 15 | JS.Redirector.based.1 | 182715 (0.94%) |
| 16 | Trojan.Packed.19647 | 166247 (0.85%) |
| 17 | Win32.HLLW.Autoruner.2536 | 160988 (0.83%) |
| 18 | Win32.HLLW.Autoruner.5555 | 145973 (0.75%) |
| 19 | BackDoor.IRC.Sdbot.4590 | 114824 (0.59%) |
| 20 | Trojan.Fraudster.48 | 101890 (0.52%) |
| Total scanned: | 95,717,237,918 |
| Infected: | 19,509,126 (0.0172%) |
