2024/04/03 08:05:35

Malware (malware)

A malicious program (malware) is a computer program or portable code designed to realize threats to the information stored in a computer system, to covertly misuse system resources, or to otherwise impede the normal functioning of a computer system.


Malicious software includes network worms, classic file viruses, Trojans, hacker utilities, and other programs that deliberately harm the computer on which they run or other computers on the network.

Regardless of its type, malware can cause significant damage by realizing any of the threats to information: violations of integrity, confidentiality, and availability.

Types of malware

Network worms

Main article: Network worm

This category includes programs that distribute copies of themselves over local and/or global networks in order to:

  • penetrate remote computers;
  • run a copy of themselves on the remote computer;
  • propagate further to other computers on the network.

To spread, network worms use a variety of computer and mobile networks: e-mail, instant messaging systems, file-sharing (P2P) and IRC networks, LANs, data-exchange networks between mobile devices (phones, handheld computers), etc.

Most known worms are distributed as files: an attachment to an email, a link to an infected file on some web or FTP resource in ICQ and IRC messages, a file in the P2P exchange directory, etc.

Some worms (so-called "fileless" or "packet" worms) spread as network packets, penetrate directly into the computer's memory and activate their code there.

Various methods are used to penetrate remote computers and launch a copy of the worm: social engineering (for example, an email text urging the recipient to open the attached file), flaws in network configuration (for example, a disk shared with full access), and errors in the security services of operating systems and applications.

Some worms also have the properties of other types of malicious software. For example, some worms contain Trojan functions or are able to infect executable files on a local disk, that is, they have the property of a Trojan program and/or a computer virus.

Classic computer viruses

Main article: Computer virus

This category includes programs that distribute copies of themselves to the resources of the local computer in order to:

  • subsequently run their code on some user action;
  • embed themselves further into other resources of the computer.

Unlike worms, viruses do not use network services to penetrate other computers. A copy of the virus enters remote computers only if the infected object is activated on another computer for some reason that does not depend on the functionality of the virus, for example:

  • when infecting accessible disks, the virus penetrated files located on a network share;
  • the virus copied itself to removable media or infected files on it;
  • the user sent an email with an infected attachment.

Some viruses contain properties of other types of malicious software, such as a backdoor procedure or a Trojan component for destroying information on disk.

Trojans

Main article: Trojans

This category includes programs that perform various actions not authorized by the user: collecting information and passing it to an attacker, destroying or maliciously modifying it, disrupting the computer's operation, and using computer resources for unseemly purposes.

Certain categories of Trojans damage remote computers and networks without disrupting the operation of the infected computer (for example, Trojans developed for massive DoS attacks on remote network resources).

Hacker utilities and other malware

This category includes:

  • utilities that automate the creation of viruses, worms, and Trojans (constructors);
  • software libraries designed for creating malware;
  • hacker utilities that hide the code of infected files from antivirus scanning (file crypters);
  • "evil jokes" that make it difficult to work with a computer;
  • programs that deliberately give the user false information about their actions on the system;
  • other programs that in one way or another intentionally cause direct or indirect damage to the local or remote computers.

Stalkerware (spyware)

Main article: Stalkerware (spyware)

Bootkit

Main article: Bootkit

Botnet

Main article: Botnet

Usage models

Ransomware Viruses (ransomware)

Main article: Ransomware

Hidden mining (Cryptojacking)

Main article: Hidden mining (cryptojacking)

Malware History

2023

Infostealers compromised almost 10 million devices around the world

In 2023, infostealers compromised almost 10 million devices around the world and on average stole 50.9 login/password pairs from each infected device, almost 510 million compromised user accounts in total. From this data set, attackers select the most interesting domains and names that can be used to attack the compromised company. Infostealers are helped by users themselves, who often reuse the same passwords across services, including corporate applications and devices. Angara Security reported this on April 2, 2024.

Cyber fraudsters are interested in stealing as many accounts as possible, Angara Security notes. The functionality of such malware is tuned to efficiently steal data from the browser (including auto-fill fields), from instant messengers (for example, Telegram and Discord), from crypto wallets and client applications (mail, RDP or FTP clients, and so on), and from the clipboard; it can even intercept keystrokes. The stealer runs in the background, so the victim may not even suspect that an attack is underway in real time.

"The more data a stealer steals, the more effective it is considered," said Lada Antipova, incident response expert at Angara Security. "Therefore, when developing malware, attackers try to use a distribution scenario in which the maximum number of devices will be infected. Such scenarios include distribution through mailings, infected pirated software, SEO poisoning ("poisoning" of search results to raise a malicious site in the rankings) and malvertising (using advertisements to distribute malware)."

To protect against infostealers, experts recommend following the basic rules of cyber security. It is important not to download files from untrusted resources or follow unknown links to third-party sites. Using antivirus software with regularly updated signature databases and checking workstations is also an important step.

To strengthen protection, it is recommended to use different passwords for different services and change them periodically. Using password managers will help you create more secure credentials. Two-factor authentication is also an effective way to secure your account data.

Avoid storing passwords and bank card data in the browser or in plain text files. When working with sensitive information, it is recommended to use the browser's incognito mode, which keeps the web browsing session private.

It is important for companies to monitor underground (dark web) platforms in order to detect compromised accounts in a timely manner and prevent the associated risks. Implementing comprehensive solutions that raise the overall level of cybersecurity is also recommended.

Fake copies of Telegram with a built-in virus reached the official Google and Samsung app stores; users around the world are downloading them

On August 30, 2023, Eset, a company specializing in information security issues, announced that fake Telegram and Signal applications with built-in spyware are distributed through the official Google Play and Samsung Galaxy Stores, as well as specialized websites. Dangerous programs were downloaded by thousands of users around the world. Read more here.

Wikipedia has become a tool to mask the malicious WikiLoader

On August 1, 2023, it became known that cybersecurity researchers from Proofpoint had discovered the WikiLoader malware, a loader that is under active development and uses several mechanisms to evade detection.

According to experts, WikiLoader has already been recorded in several campaigns since December 2022. And the main goal of these malicious operations was Italian organizations.

WikiLoader is distributed through various vectors, including documents with macros, PDF files containing links to payloads written in JavaScript, and OneNote attachments with embedded executable files.

The main task of WikiLoader is to load the payload of the second stage. According to experts, quite often the second stage of infection brings with it one of the variations of the Ursnif malware.

The loader is called WikiLoader because it sends an HTTPS request to wikipedia.com and checks whether the response contains the string "The Free." According to Proofpoint, this trick is used to detect and evade automated analysis environments. However, it is just one of many features designed to keep the malware in the shadows.

"The first stage of WikiLoader is heavily obfuscated. Most call instructions are replaced by a combination of push/jmp instructions that recreate the return behaviour without having to explicitly use a return instruction. This approach causes detection problems in common analysis tools such as IDA Pro and Ghidra. In addition to these features, WikiLoader also uses indirect system calls in an attempt to bypass EDR solutions and hooks in sandboxed environments," Proofpoint explained.

The malware also uses packed loaders, a very common tactic used by attackers to avoid detection and analysis.

Proofpoint has discovered at least three different variations of WikiLoader, which hints at active malware development. The authors strive to make their creation more complex, and the payload more difficult for researchers to extract and analyze.

The latest version of WikiLoader, discovered on July 11, 2023, uses sophisticated data encryption methods, hidden ways to control the system, retrieves files through an encrypted protocol and carefully disguises its actions.

Experts warn that malware can become a useful tool for initial access brokers (IABs), which can use it to deliver any other malware during their attacks.

"Organizations should ensure that macros are disabled by default for all employees, block embedded external files from running in OneNote documents, and ensure that JavaScript files are opened in Notepad or a similar application by configuring default file-extension associations through Group Policy settings," the researchers concluded.

Hackers have learned to remotely install a virus on USB flash drives connected to a computer

In early June 2023, specialists from the Check Point Incident Response Team (CPIRT) reported the results of an investigation into a cyber incident in a European hospital. It showed that malicious activity was most likely not targeted, but was simply collateral damage from self-spreading Camaro Dragon malware that entered the system via USB drives. Read more here.

DoubleFinger loader hides stealer in PNG files and replaces cryptocurrency wallet interface

Kaspersky Lab experts have discovered the multi-stage DoubleFinger loader, which delivers the GreetingGhoul stealer to users' computers in Europe, the United States and Latin America. The attack begins when the victim opens a malicious PIF attachment in an email, launching the first stage of the DoubleFinger loader. This became known on June 13, 2023.

The first stage is a modified espexe.exe file (the Microsoft Windows Economic Service Provider application) that executes malicious shellcode responsible for downloading a PNG image from the Imgur service. The image uses steganography to hide the encrypted payload, which triggers a four-step compromise chain that executes GreetingGhoul on the infected host.

A feature of GreetingGhoul is its use of Microsoft Edge WebView2 to build fake overlays on top of legitimate cryptocurrency wallet interfaces in order to steal the credentials entered by unsuspecting users. In addition, DoubleFinger also delivers Remcos RAT, a commercial trojan that attackers have used in recent months to attack European and Ukrainian organizations.

Analysis of the DoubleFinger and GreetingGhoul malware indicates a high level of technical skill on the part of their creators, who are able to develop powerful malware comparable to APT threats. A multi-stage loader that uses shellcode and steganography, Windows COM interfaces for covert execution, and the Process Doppelgänging technique to inject into remote processes demonstrates a high degree of deliberation and complexity in the attack. In addition, the use of the Microsoft WebView2 runtime to create fake cryptocurrency wallet interfaces is another indicator of the advanced tactics used in this attack[1].

How cybercriminals bypass antiviruses using Google services

On May 22, 2023, information security specialists from Check Point Software Technologies released the results of an analysis of the GuLoader malware, which operates Google cloud services in the process. Read more here.

Semiconductor materials maker Applied Materials lost $250 million due to ransomware virus attack on supplier

On February 16, 2023, Applied Materials, a semiconductor materials company, reported a loss of $250 million due to a cyber attack on one of its suppliers. Read more here.

Hackers have learned to spread viruses in empty images

On January 19, 2023, information security specialists from Avanan reported a new type of cyber attack. Attackers distribute malicious software in empty images.

As the investigation showed, cybercriminals send the victim an email on behalf of the DocuSign service: the recipient is invited to view and sign a document. Moreover, the DocuSign link leads to the legitimate page of the service, which can mislead the user.


However, along with the DocuSign link, the potential victim receives an HTM attachment that carries out the attack. It contains an SVG image encoded in Base64. Experts say that it is in fact an empty picture with active content inside: JavaScript code embedded in the image automatically redirects the user to a malicious link. This technique allows the attachment to bypass traditional security tools such as VirusTotal. Once on the malicious site, the recipient of the email risks falling victim to various fraudulent schemes, for example ones aimed at stealing personal information or money. Attacks of this type target both ordinary users and small and medium-sized businesses.

"Malicious content is inside the image. When a user clicks on the attachment, they are automatically redirected to a fraudulent URL. Most security services are helpless against these attacks," Avanan said in its study.

To avoid falling for this trick, experts recommend that users treat any emails containing HTML or HTM attachments with caution. Administrators of corporate networks can block such attachments.[2]
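The detection side of the technique described above, as an added example that is not from Avanan or the original article: a scanner that pulls Base64-encoded SVG data URIs out of an HTM/HTML attachment, decodes them, and flags SVGs that draw nothing but carry active content (script tags, event handlers, javascript: URIs or location changes). The sample attachments, the `wrap_in_html` helper and the example.invalid host are constructed for this demonstration and are not from the report.

```python
"""Scan an HTM/HTML attachment for Base64-encoded SVG images that carry
active content. Added illustration; the sample attachments are constructed."""
import base64
import binascii
import re
from typing import Optional

# Indicators of active content inside a decoded SVG document.
ACTIVE_CONTENT_RULES = {
    "script_tag": re.compile(rb"<script\b", re.I),
    "event_handler": re.compile(rb"\son[a-z]+\s*=", re.I),   # onload=, onclick=, ...
    "javascript_uri": re.compile(rb"javascript:", re.I),
    "location_change": re.compile(rb"location\s*\.\s*(href|replace|assign)", re.I),
}

# Elements that actually draw something; an SVG with none of them is "empty".
DRAWING_ELEMENTS = re.compile(
    rb"<(path|rect|circle|ellipse|line|polyline|polygon|text|image)\b", re.I)

# Base64 SVG data URIs as they appear in src=, href= or data= attributes.
SVG_DATA_URI = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=\s]+)", re.I)


def decode_base64_lenient(blob: str) -> Optional[bytes]:
    """Decode Base64, ignoring embedded whitespace and missing padding."""
    cleaned = re.sub(r"\s+", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_html_attachment(html: str) -> list:
    """One finding per embedded SVG: which indicators fired and whether the
    image draws anything at all. Undecodable Base64 is itself reported."""
    findings = []
    for index, match in enumerate(SVG_DATA_URI.finditer(html)):
        svg = decode_base64_lenient(match.group(1))
        if svg is None:
            findings.append({"svg_index": index, "decoded": False,
                             "indicators": ["undecodable_base64"], "empty_image": None})
            continue
        indicators = [name for name, rule in ACTIVE_CONTENT_RULES.items() if rule.search(svg)]
        findings.append({"svg_index": index, "decoded": True, "indicators": indicators,
                         "empty_image": DRAWING_ELEMENTS.search(svg) is None})
    return findings


def verdict(html: str) -> str:
    """block: active content found; review: an SVG that draws nothing; allow otherwise."""
    findings = scan_html_attachment(html)
    if any(f["indicators"] for f in findings):
        return "block"
    if any(f["empty_image"] for f in findings):
        return "review"
    return "allow"


# Constructed samples: a benign logo, and an SVG that draws nothing and whose
# onload handler redirects the browser (example.invalid is a reserved, non-routable name).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10" fill="blue"/></svg>')
EMPTY_REDIRECT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                      b'onload="window.location.href=\'https://example.invalid/landing\'"></svg>')


def wrap_in_html(svg: bytes) -> str:
    """Constructed HTM attachment embedding the SVG as a Base64 data URI."""
    encoded = base64.b64encode(svg).decode()
    return f'<html><body><img src="data:image/svg+xml;base64,{encoded}"></body></html>'


if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("empty_redirect", EMPTY_REDIRECT_SVG)):
        html = wrap_in_html(svg)
        print(label, verdict(html), scan_html_attachment(html))
```

The "empty image" signal is deliberately separate from the active-content rules: a logo with no drawing elements is unusual but not malicious on its own, so it is routed to review rather than blocked, while any script, event handler or location change in the decoded SVG blocks the attachment regardless of what it draws.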

Hackers began using pirated CIA spyware

On January 10, 2023, Netlabs announced that unknown attackers had created a new malware based on the Hive spy kit used by the CIA to steal certain data. Read more here.

Hackers began using the popular ChatGPT neural network to create viruses

On January 6, 2023, Check Point Research released the results of a study that suggests that attackers, including novice hackers and people without any programming experience, are using the advanced ChatGPT neural network to create malicious code. Read more here.

2022

Cobalt Strike quietly spreads through three loaders

Palo Alto Unit 42 researchers described three Cobalt Strike loaders, each delivering a different type of implant: SMB Beacon, Beacon DLL and the Cobalt Strike stager. This became known on December 6, 2022.

Cobalt Strike is a penetration-testing framework that allows delivering a payload to a victim's computer and controlling it. Attackers can use Cobalt Strike to deploy advanced persistent threat (APT) attacks against an organization[3].

SMB Beacon (KoboldLoader)

To bypass sandboxes that only hook high-level user-mode functions, it invokes built-in API functions directly. To complicate analysis, it resolves functions by hash rather than by plain-text strings.

KoboldLoader creates a child process of the Windows tool "sethc.exe," then creates a new section and maps the decrypted Cobalt Strike beacon loader into it. The Cobalt Strike loader is finally executed by calling RtlCreateUserThread.

DLL Beacon (MagnetLoader)

MagnetLoader mimics a legitimate Windows library. All exported MagnetLoader functions call the same main subroutine. When a function is called, the DLL entry point runs, in which the malware loads the original mscms.dll library and resolves all the spoofed functions.

The Cobalt Strike beacon loader is decrypted into a memory buffer and started through the callback parameter of the Windows API function "EnumChildWindows." Malware can abuse this parameter to call an address indirectly through the callback function and hide the flow of execution.

Stager (LithiumLoader)

LithiumLoader is distributed through a legitimate FortiClient VPN installation package created by an attacker and seen on VirusTotal as "FortiClientVPN_windows.exe". Since the file is signed, antivirus software does not detect it.

The installer is a self-extracting RAR archive containing the following files:

(Image: screenshot of the archive's file list)

When the installer starts, all files are automatically placed in the local "%AppData%" folder and both executables are launched. While the FortiClient VPN installer runs, the WinGup tool additionally loads the malicious libcurl.dll library, which imports some functions from the legitimate copy of the libcurl library.

When the LithiumLoader library was built, malicious code was injected into one of the functions of the legitimate library. That function then runs the Cobalt Strike stager shellcode indirectly via the "EnumSystemGeoID" callback function. The stager shellcode is borrowed from Metasploit and is a reverse HTTP shell payload[4][5].

Attackers pass off malicious Android applications as job search programs

On November 21, 2022, Dr.Web announced the spread of malicious Android applications that attackers pass off as job search programs. With their help, swindlers can collect victims' personal information and deceive them in order to steal money. Read more here.

Erbium steals credit card and crypto wallet details

Erbium malware spreads under the guise of cheats for games. This became known on September 27, 2022.

Erbium is malware provided as a service (Malware-as-a-Service) that, for a small fee ($100 per month or $1000 per year), offers customers the functionality of an advanced infostealer. Researchers from the Cluster25 team were the first to report the malware, and Cyfirma analysts provided more information on how it spreads in their report.

Like other infostealers, Erbium steals data stored in web browsers (Chromium- or Gecko-based): passwords, cookies, credit card data and autofill entries. In addition, the malware tries to extract data from a large set of cryptocurrency wallets installed in web browsers as extensions.

List of hot crypto wallets targeted by Erbium.

However, hot crypto wallets are not enough for the hackers, so they also target cold ones: Exodus, Atomic, Armory, Bitcoin-Core, Bytecoin, Dash-Core, Electrum, Electron, Coinomi, Ethereum, Litecoin-Core, Monero-Core, Zcash and Jaxx.

Of the additional features of Erbium:

  • Able to steal two-factor authentication codes from Trezor Password Manager, EOS Authenticator, Authy 2FA and Authenticator 2FA;
  • Knows how to take screenshots;
  • Intercepts Steam and Discord tokens;
  • Composes a "portrait" of the host based on the collected data.

All data is transferred to the C&C operator server through the built-in API. Attackers can analyze the collected information on the Erbium dashboard.

Erbium dashboard.

Researchers from Cluster25 reported that attacks using Erbium occur around the world: in the USA, France, Colombia, Spain, Italy, India, Vietnam and Malaysia.

Experts warn that in the future the malware will be spread not only through cheats and pirated games. Users are advised not to download pirated software and to scan all downloaded files with an antivirus[6].

SharkBot 2.25 malware returned to Google Play

An updated version of the SharkBot malware is back in the Google Play Store. The banking malware targets users who install seemingly harmless applications that are actually droppers for SharkBot. This became known on September 7, 2022. Read more here.

Dozens of malware distribution apps removed from Google Play again

Dozens of applications spreading malware have again been removed from Google Play. This became known on July 19, 2022. Read more here.

Kaspersky Lab discovered a difficult-to-detect SessionManager backdoor

Kaspersky Lab experts have discovered a hard-to-detect backdoor, SessionManager. It gives access to corporate IT infrastructure and allows a wide range of malicious actions: reading corporate mail, spreading malware and remotely managing infected servers. Kaspersky Lab announced this on July 1, 2022.

Attackers install the malware remotely as a module for Microsoft IIS, the web server platform that, among other things, underlies the Exchange mail server. Every employee of the company interacts with this server when using Microsoft corporate mail. To deploy SessionManager and other malicious IIS modules, attackers exploit the ProxyLogon vulnerability.

According to Kaspersky Lab, the first attacks using SessionManager were recorded at the end of March 2021. Victims are predominantly government bodies and non-profit organizations in Africa, South Asia, Europe and the Middle East, as well as in Russia. By early July 2022, the backdoor was found on 34 servers in 24 companies. SessionManager often goes unnoticed, as it is poorly detected by most well-known online scanners.

"The ProxyLogon vulnerability in the Microsoft Exchange server, which became publicly known in early 2021, gave attackers another attack vector that they actively use, including to install backdoors in the form of IIS web server modules. With the help of one of these malware programs, SessionManager, attackers gain update-resistant, long-term and well-hidden access to corporate IT infrastructure," said Denis Legezo, lead cybersecurity expert at Kaspersky Lab.

Activity of Linux malware XorDDos increased by 254%

On May 20, 2022, it became known that Microsoft researchers noticed a surge in XorDDos activity over the past six months.

As reported, XorDDos was first seen in 2014. It is a Linux malware that formed a botnet for massive DDoS attacks on gaming and educational sites. XorDDos can obfuscate its activity, which helps it bypass rule-based detection mechanisms and hash-based searches for malicious files. The malware also employs self-protection techniques that let it evade countermeasures. Over the past six months, Microsoft experts have noted a 254% increase in XorDDos-related activity.

XorDDos is mainly distributed by SSH brute force. It uses a shell script to try credential combinations on thousands of servers.

(Image: graph of XorDDos-related activity growth. Photo: securitylab.ru.)

Microsoft experts have identified two methods by which XorDDos initially gains access to victims' systems:

  • The first method is to copy a malicious ELF file to the temporary file store /dev/shm and then execute it.
  • The second method is to execute a bash script that performs a sequence of actions through the command line.

XorDDos uses various mechanisms to persist on victim systems, including init and cron scripts, setting the default system runlevel, and symlinks pointing to scripts that must run at the desired runlevel.
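An added example, not from Microsoft's report, showing how a defender could check a Linux filesystem tree for the footholds just described: ELF binaries staged in /dev/shm or /tmp, runlevel symlinks in /etc/rc*.d that are dangling or launch something from a staging directory, and cron entries that do the same. The audit takes a root directory as a parameter so it can run against a mounted disk image; the sample tree built by `build_sample_root` is constructed here and contains no real malware.

```python
"""Audit a Linux filesystem tree for XorDDos-style footholds: ELF files staged in
/dev/shm or /tmp, and init/cron persistence that points back at those directories.
`root` is the directory audited, so the checks work on a mounted image too."""
import os
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
STAGING_DIRS = ("/dev/shm", "/tmp", "/var/tmp")


def _is_elf(path: Path) -> bool:
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def _mentions_staging(path: Path) -> bool:
    try:
        return any(d in path.read_text(errors="replace") for d in STAGING_DIRS)
    except OSError:
        return False


def _rel(root: Path, path: Path) -> str:
    return "/" + path.relative_to(root).as_posix()


def staged_elf_files(root: Path) -> list:
    """ELF binaries sitting in world-writable staging directories."""
    hits = []
    for d in STAGING_DIRS:
        base = root / d.lstrip("/")
        if base.is_dir():
            hits += [_rel(root, p) for p in base.rglob("*")
                     if p.is_file() and not p.is_symlink() and _is_elf(p)]
    return sorted(hits)


def rc_symlink_findings(root: Path) -> list:
    """Runlevel symlinks whose target is missing, lies outside /etc/init.d,
    or is a script that launches something from a staging directory."""
    findings, init_d = [], root / "etc" / "init.d"
    for rcdir in sorted((root / "etc").glob("rc*.d")):
        for link in sorted(rcdir.iterdir()):
            if not link.is_symlink():
                continue
            raw = os.readlink(link)
            # Map the target into the audited root; never follow it on the host.
            target = (root / raw.lstrip("/")) if raw.startswith("/") \
                else Path(os.path.normpath(rcdir / raw))
            reasons = []
            if not target.exists():
                reasons.append("dangling")
            elif init_d not in target.parents:
                reasons.append("outside_init_d")
            if target.is_file() and _mentions_staging(target):
                reasons.append("runs_from_staging")
            if reasons:
                findings.append({"link": _rel(root, link), "target": raw, "reasons": reasons})
    return findings


def cron_findings(root: Path) -> list:
    """Non-comment cron lines that execute something from a staging directory."""
    candidates = [root / "etc" / "crontab"]
    for sub in ("cron.d", "cron.hourly", "cron.daily"):
        if (root / "etc" / sub).is_dir():
            candidates += sorted(p for p in (root / "etc" / sub).iterdir() if p.is_file())
    findings = []
    for path in candidates:
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if not line.lstrip().startswith("#") and any(d in line for d in STAGING_DIRS):
                findings.append({"file": _rel(root, path), "line": lineno, "entry": line.strip()})
    return findings


def audit(root: Path) -> dict:
    return {"staged_elf": staged_elf_files(root),
            "rc_symlinks": rc_symlink_findings(root),
            "cron": cron_findings(root)}


def build_sample_root(base: Path) -> Path:
    """Constructed tree (no real malware): a 16-byte ELF header in /dev/shm, an
    init script that launches it, a dangling runlevel link and a cron entry."""
    (base / "dev/shm").mkdir(parents=True)
    (base / "dev/shm/.x").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9)
    (base / "dev/shm/notes.txt").write_text("not a binary\n")
    (base / "etc/init.d").mkdir(parents=True)
    (base / "etc/init.d/ssh").write_text("#!/bin/sh\n/usr/sbin/sshd\n")
    (base / "etc/init.d/xyz").write_text("#!/bin/sh\n/dev/shm/.x &\n")
    (base / "etc/rc3.d").mkdir()
    os.symlink("../init.d/ssh", base / "etc/rc3.d/S20ssh")
    os.symlink("../init.d/xyz", base / "etc/rc3.d/S99xyz")
    os.symlink("../init.d/gone", base / "etc/rc3.d/S50gone")
    (base / "etc/cron.d").mkdir()
    (base / "etc/cron.d/clean").write_text("# keep\n*/3 * * * * root /tmp/.x\n")
    (base / "etc/crontab").write_text("0 * * * * root /usr/bin/updatedb\n")
    return base


def run_sample_audit() -> dict:
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_root(Path(tmp)))


if __name__ == "__main__":
    print(run_sample_audit())
```

Symlink targets are resolved by string manipulation relative to the audited root rather than with `Path.resolve()`, so that auditing a mounted image never follows a link onto the host filesystem. On a live system the same functions can be pointed at `Path("/")`.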

The report concluded that XorDDos is a versatile Trojan capable of infecting various architectures of Linux systems. Its SSH brute force is a relatively simple but effective attack for gaining root access on the victim's system. In addition, the malware is able to install rootkits and embed other malicious payloads into the attacked system[7].

Scammers distribute infostiler under the guise of Windows 11 update

On April 19, 2022, it became known that cybercriminals were distributing fake Windows 11 updates containing malware that steals data (browser credentials, cookies, system files and cryptocurrency wallets).

Illustration: securitylab.ru

The malicious campaign was still active as of mid-April 2022. The malware is spread through so-called "poisoning" of search results, which promotes sites from which Windows 11 can allegedly be downloaded. These sites are still operating. Their design uses the official Microsoft logo and favicons, and there is a Download Now button.

If the user accesses the site via a direct connection (rather than via Tor or a VPN), he receives an ISO file with an infostealer inside.

Specialists of the information security company CloudSEK named the malware Inno Stealer, since it uses the Windows Inno Setup installer. According to them, the malware code does not resemble that of known malware and had not yet been uploaded to VirusTotal.

The loader, written in Delphi, poses as a Windows 11 setup executable. After startup, it deletes the temporary is-PN131.tmp file and creates a .TMP file into which it writes 3078 KB of data.

Using the CreateProcess Windows API, the malware spawns processes, establishes persistence on the system and drops four files. Two of them are Windows Command Script files that disable registry security, add Defender exclusions, uninstall security solutions and delete shadow volumes.

The third file is a command-execution utility that runs with the highest system privileges. The fourth is the VBA script needed to run dfl.cmd.

At the second stage of infection, a file with the .SCR extension is downloaded to the C:\Users\\AppData\Roaming\Windows11InstallationAssistant directory. It is the agent that unpacks the infostealer.

Using PowerShell commands, all stolen data is copied, encrypted and sent to a C&C server (windows-server031.com) controlled by the attackers.[8][9]

Android malware Octo allows you to remotely control your device

On April 11, 2022, it became known that ThreatFabric specialists had discovered another version of the Android banking malware Octo, an evolution of ExoCompact, a malware based on the Exo trojan that disappeared from the cybercriminal scene in 2018. Read more here.

2021

77% of detected malware was delivered by email

On February 20, 2022, HP Inc. announced the release of the HP Wolf Security Threat Insights Report, which analyzed cyber attacks in the fourth quarter of 2021. After studying the threats that managed to bypass security systems and reach users' endpoint devices, HP Wolf Security specialists drew conclusions about the attack methods used by cybercriminals.

According to the company, the HP Wolf Security research group discovered a wave of attacks using Excel add-ins, with which attackers distribute malicious code and gain access to devices and networks in order to then steal data from enterprises or individuals. The number of attackers using malicious Microsoft Excel add-in files (.xll) to infect their victims' systems increased almost 7-fold compared to the previous quarter. Such attacks are very dangerous because, to launch the malware, the victim only needs to click on the file sent by the cybercriminal. The team also found darknet advertising for .xll droppers (software that delivers and launches .xll files) and entire malware construction kits that make it easier for inexperienced attackers to run similar campaigns.

During a recent QakBot spam campaign, attackers distributed Excel files through compromised email accounts. The criminals hijacked email threads and sent fake replies with a malicious Excel file (.xlsb) attached. Once delivered to the victim's device, QakBot injects itself into OS processes to avoid detection. Malicious Excel (.xls) files were also used to distribute the Ursnif banking Trojan to Italian-speaking enterprises and public-sector organizations via spam; the attackers posed as employees of the Italian courier service BRT. Emotet malware campaigns now also use Excel instead of JavaScript or Word files.

Other notable threats identified by HP Wolf Security specialists include the following:

  • Possible return of TA505. HP specialists discovered the MirrorBlast phishing campaign, in which the hackers used the same tactics, techniques and procedures as TA505, a group of attackers known for massive malicious spam campaigns and for monetizing access to infected systems with ransomware. The campaign targets organizations and uses the FlawedGrace remote access Trojan (RAT).
  • A fake gaming platform that distributes the malicious RedLine code. HP specialists discovered a fake website offering a Discord client infected with RedLine code that steals user data.
  • Hackers' use of unusual file types still circumvents security systems. The Aggah cybercriminal group selects Korean-speaking organizations as victims and uses malicious PowerPoint add-in files (.ppa) disguised as customer orders to infect systems with remote access Trojans. Attacks via infected PowerPoint files are a very unpopular choice and account for only 1% of malware.

"Using standard software features for criminal purposes is a common tactic attackers use to avoid detection, as is using unusual file types that are able to "leak" through mail gateways without being noticed. Security departments should not rely solely on intrusion detection technologies; it is important to monitor threats closely and update protection accordingly. So, given the surge in the spread of malicious .xll files that we are seeing, we strongly recommend that network administrators configure email gateways to block incoming .xll attachments, making exceptions only for add-ins from trusted partners, or completely disable Excel add-ins. Attackers constantly find ways to avoid detection. That is why it is important that enterprises build and adjust their security systems according to the threat landscape and the business needs of their users. Attackers actively use attack methods such as hijacking e-mail correspondence, which makes it even harder for users to distinguish colleagues and partners from criminals," comments Alex Holland, Senior Malware Analyst at HP Wolf Security Threat Research Group, HP Inc.
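An added example implementing the recommendation in the quote above (it is not HP's code): a mail-gateway attachment policy that blocks .xll attachments unless the sender's domain is on a trusted-partner allowlist, and quarantines the other Office attachment types the report names as lures. The partner.example and example.invalid domains, the `make_message` helper and the test messages are constructed placeholders.

```python
"""Gateway-side attachment policy: block Excel add-ins (.xll) by default,
allow them only from trusted partners, quarantine other lure file types.
Added illustration; messages and domains below are constructed."""
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Excel add-ins: blocked by default per the recommendation above.
BLOCKED_EXTENSIONS = {".xll"}
# Other attachment types the report names as lures; held for inspection.
QUARANTINE_EXTENSIONS = {".xlsb", ".xls", ".ppa"}


def normalized_extension(filename: str) -> str:
    """Lower-cased final extension; trailing spaces and dots are stripped so
    that 'Order.XLL ' or 'Report.pdf.xll.' is still recognised as an add-in."""
    cleaned = filename.strip().rstrip(". ").lower()
    return PurePosixPath(cleaned).suffix


def sender_domain(msg: EmailMessage) -> str:
    address = parseaddr(msg.get("From", ""))[1].lower()
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def evaluate_message(msg: EmailMessage, trusted_partner_domains: set) -> dict:
    """Return per-attachment decisions and an overall verdict for the gateway."""
    trusted = sender_domain(msg) in trusted_partner_domains
    decisions = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = normalized_extension(name)
        if ext in BLOCKED_EXTENSIONS:
            action = "allow" if trusted else "block"
            reason = "add-in from trusted partner" if trusted else "Excel add-in from untrusted sender"
        elif ext in QUARANTINE_EXTENSIONS:
            action, reason = "quarantine", "Office file type used as a lure"
        else:
            action, reason = "allow", "not covered by policy"
        decisions.append({"filename": name, "extension": ext, "action": action, "reason": reason})
    if any(d["action"] == "block" for d in decisions):
        verdict = "block"
    elif any(d["action"] == "quarantine" for d in decisions):
        verdict = "quarantine"
    else:
        verdict = "allow"
    return {"verdict": verdict, "attachments": decisions}


def make_message(sender: str, filename: str, payload: bytes = b"\x00" * 16) -> EmailMessage:
    """Constructed test message with one attachment (sample bytes, not a real file)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "Order"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg


TRUSTED_PARTNERS = {"partner.example"}   # placeholder allowlist of partner domains

if __name__ == "__main__":
    samples = [("billing@example.invalid", "Order.XLL "),
               ("Jane <jane@partner.example>", "addin.xll"),
               ("x@example.invalid", "reply.xlsb"),
               ("x@example.invalid", "notes.txt")]
    for sender, name in samples:
        print(name, evaluate_message(make_message(sender, name), TRUSTED_PARTNERS)["verdict"])
```

Because the same report describes attackers sending malicious Excel files from compromised accounts and hijacked threads, the trusted-partner exception should in practice be tied to authenticated mail (SPF/DKIM/DMARC results) rather than to the displayed From address alone, which is what this simplified version keys on.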

The findings presented in the report are based on the results of an analysis of many millions of end devices running HP Wolf Security software. This software from HP monitors malware by opening downloadable files on isolated micro-virtual machines (micro-VMs) to learn the mechanics of infection.

Other key findings of the study include the following:

  • 13% of isolated malicious scripts sent by email bypassed at least one security scanner on the mail gateway.
  • In attempts to infect organizations' computers, attackers used 136 different file extensions.
  • 77% of detected malware was delivered by e-mail, while only 13% was downloaded from the web.
  • The most common attachment types used to deliver malware were documents (29%), archives (28%), .exe files (21%) and spreadsheets (20%).
  • The most common phishing lures were emails themed around the New Year or business transactions, for example with subjects such as "Order," "2021/2022," "Payment," "Purchase," "Request" and "Invoice."

File:Aquote1.png
Low-level attackers can conduct covert attacks and sell access to organized cybercriminal groups that use ransomware in their operations. As a result, this leads to large-scale attacks that can disable IT systems and bring the entire organization to a halt. Organizations should focus on reducing their attack surface and ensuring rapid recovery of their systems if they are compromised. This means following Zero Trust principles and introducing strict identity controls, granting users minimal privileges and isolating devices, starting from the hardware level.

commented Dr. Ian Pratt, Global Head of Security for Personal Systems, HP Inc.
File:Aquote2.png

Explosive growth of attacks on Linux OS

In 2021, Linux malware activity increased by 35% compared to 2020. The growth is attributed to the rising popularity of poorly protected low-cost Internet of Things devices, which attackers compromise and combine into botnets. The most actively used malware families in 2021 were XorDDoS, Mirai and Mozi. This became known on January 18, 2022.

Experts explain the rapid growth primarily by the spread of inexpensive IoT devices which, according to the security company Intezer, mostly have weak protection and a considerable number of firmware vulnerabilities that manufacturers are in no hurry to fix. For example, at the beginning of 2020 about 57% of such devices were exposed to attacks of varying severity (Palo Alto Networks statistics, March 2020); how much that share has grown in less than two years is unknown.

Linux-based Internet of Things devices are easy prey for attackers, and their mass compromise could jeopardize the integrity of critical Internet services. According to CrowdStrike forecasts, by the end of 2025 more than 30 billion such devices will be connected to the Internet, which plays into the hands of cybercriminals.

The most common Linux malware families were XorDDoS, Mirai and Mozi. According to the CrowdStrike report, at the end of 2021 they accounted for about 22% of all recorded attacks on Linux systems.

According to CrowdStrike experts, attackers compromise Linux devices, and IoT devices in particular, not only to carry out DDoS attacks with them; the botnets are also used for other criminal purposes.

In particular, botnets assembled from Linux devices are often adapted to send spam and mine cryptocurrency, and individual devices can be used as command-and-control servers for managing botnets[10].

Hacker programs have fallen in price on the black market

In early July 2021, it became known that the black-market price of hacker programs (so-called exploits) used to attack vulnerabilities in systems from various manufacturers had fallen. The trend was reported by Trend Micro, a company specializing in information security products.

According to Kommersant, citing a Trend Micro study, prices for vulnerabilities in Zyxel products fell from $20,000 to $2,000 in six months. Overall, over two years the prices and range of hacker tools have fallen several times over.


One reason for this trend is bug bounty programs, which large companies launch to pay for vulnerabilities found in their products. In Russia, as of July 2021, such reward programs are run by Yandex, Kaspersky Lab, VKontakte, Tinkoff Bank, Ozon and Azbuka Vkusa. As rewards began to rise, not only "white-hat" hackers but also their colleagues on the other side of the law joined the search for and sale of vulnerabilities.

Thanks to the launch of bug bounty programs by IT companies, finding vulnerabilities has become an official way of earning money, which allowed a large number of participants, not only white-hat hackers, to enter the segment, said Igor Bederov, founder of Internet-Search, explaining the reasons for the falling cost of exploits.

The cost of an exploit on a hacker forum depends on whether the vulnerability is publicly known and when it was fixed, says Anton Yudakov, operations director of the Solar JSOC cyber attack center at Rostelecom-Solar. According to him, information about a vulnerability can initially cost thousands or even hundreds of thousands of dollars, but as soon as the vendor releases a patch, the price drops sharply.[11]

XLoader software for $49 can steal information from Mac

On July 22, 2021, the Check Point Research (CPR) team reported a further type of malware that has evolved to steal information from macOS users. The strain, called XLoader, descends from the Formbook malware family. Formbook was mainly aimed at Windows users but disappeared from sale in 2018; in 2020 it was renamed XLoader. Read more here.

150 thousand Android users caught a dangerous virus through link shortening services

On July 21, 2021, the international anti-virus developer ESET shared the results of a security study of URL shortening services. The services themselves are mostly safe for users, but the advertising they serve turned out to be a source of malware.

From January 1 to July 1, 2021, ESET experts recorded the download of more than 150 thousand copies of the FakeAdBlocker malware to Android devices. The most affected countries were Russia, Kazakhstan and Ukraine. All infections resulted from clicking on advertising links from URL shortening services.

By clicking on a malicious link, users install an invisible but very dangerous application on their smartphones. Once on the device, FakeAdBlocker downloads various banking Trojans (Cerberus, Ginp, TeaBot) and also runs unwanted processes in the background.

One of the most unpleasant functions of the malware is the "hijacking" of the smartphone's calendar. The program fills the calendar with events leading to other malicious resources: full-screen advertising, adult content, fake threat warnings, etc.

File:Aquote1.png
It is extremely difficult to prosecute link shortening services. Mass infection through legal link shortening services has become possible due to the imperfection of the pay-per-click business model they use. Short URL services act as intermediaries between buyers and advertisers. The advertiser pays to display the ad on the website, and part of this payment goes to the party that created the shortened link. Often the shortening service itself takes no responsibility for the delivered advertising content and officially warns about this in its privacy policy,
explained Alexander Pirozhkov, head of ESET Threat Intelligence.
File:Aquote2.png

ESET specialists have prepared instructions for removing Android/FakeAdBlocker from an infected device. To identify and remove the malware, including the adware it downloads dynamically, first find it among the installed applications by going to Settings and then Apps. Since the malware has no app icon or name, it is easy to spot. Tap once to select it, then tap Remove/Uninstall and confirm the removal.

In Russia, every tenth organization that is a CII subject is infected with malware

According to a study by the Solar JSOC Cyber Attack Countering Center of Rostelecom-Solar, one in ten Russian organizations among the subjects of critical information infrastructure (CII) has already been compromised by various families of malware. Rostelecom reported this on June 2, 2021. In addition, some of the vulnerabilities that experts find in CII facilities, although published 10 years ago, have still not been closed. Thus even low-skilled hackers can successfully attack most of the country's critical infrastructure. Read more here.

In December 2019, Rostelecom announced the launch of a network of sensors and traps (honeypots) on its infrastructure for early detection of attacks. While analyzing data from the sensors, the Solar JSOC CERT team noted the greatest activity from four malware families: Glupteba, PonyStealer, Trojan-Spy.Win32.Windigo and NjRAT. Glupteba's main goals are stealing user data and mining cryptocurrency, while carefully hiding traces of its presence. PonyStealer is a botnet known since 2011 and designed to steal account passwords and other sensitive information. Trojan-Spy.Win32.Windigo is used for sending spam, stealing confidential data and click fraud. NjRAT (aka Bladabindi) is a Trojan dating from 2012 that attackers use for remote administration.

Despite its age, this malware carries significant risks for a company. If a professional group wants to develop an attack, it is enough for it to buy access to compromised nodes on the darknet. Then, with modern tools, it can gain much deeper access to the infrastructure and affect the continuity of business processes, as well as steal confidential corporate information or money.

File:Aquote1.png
"Observing cyber hygiene - whether it is fixing "holes" in the organization's perimeter or covering the infrastructure with protective tools - is not an easy but a critical task. Indeed, in the current paradigm of interaction within the cybercriminal community, even forgotten old malware can be bought up by a professional group and used in the development of a complex targeted attack," said Vladimir Dryukov, director of the Solar JSOC Cyber Attack Countering Center at Rostelecom-Solar.
File:Aquote2.png

Check Point Research finds dangerous dropper in 10 Google Play apps

On March 12, 2021, Check Point announced that its Check Point Research division had discovered a dropper in the Google Play Store, malware created to deliver other malware to a victim's device. "Clast82," as the researchers called it, launches malware that gives the attacker access to the victim's banking applications and full control of the smartphone. The researchers found Clast82 in 10 "useful" apps, such as VPN or screen recording utilities. Read more here.

2020: Malware is the main vector of cyber attacks on Russian companies in the first half of the year

On August 28, 2020, analysts at Angara Professional Assistance, the Angara group's provider of managed cybersecurity services, shared the results of a study of information security events for the first half of 2020. According to the study, in January-June 2020 the main attack vectors against the information systems of Russian companies were infection with malware (28%), exploitation of vulnerabilities (12%) and delivery of malware by e-mail (i.e. phishing, 7%). Read more here.

2019

The number of users attacked by password theft programs increased by 72%

According to Kaspersky Lab statistics, in 2019 the number of users worldwide attacked by password-stealing programs increased significantly, by 72%. Kaspersky announced this on January 28, 2020. In total, the company's products repelled such attacks on the devices of almost two million users. Read more here.

Check Point: Malicious spam campaigns use Greta Thunberg's name

On January 15, 2020, Check Point Research published the Global Threat Index report with the most active threats of December 2019. For the third month in a row, the Emotet Trojan was in the lead. Emotet is mainly distributed through spam mailings whose subject lines exploit current topics. In December, for example, these included "Support Greta Thunberg - Time Person of the Year 2019" and "Christmas Party!".

Emails in both campaigns contained a malicious Microsoft Word document that, when opened, tried to download Emotet to the victim's computer. Emotet can subsequently be used to spread ransomware and other malicious campaigns.

In December, exploitation of command injection over HTTP also increased significantly: 33% of organizations worldwide were affected. When successfully exploited, the vulnerability was used to build a DDoS botnet. The malicious file used in the attack also contained a number of links to payloads exploiting vulnerabilities in smart devices, which were subsequently merged into botnets. Potentially vulnerable devices included those from manufacturers such as D-Link, Huawei and Realtek.

File:Aquote1.png
"Over the past three months, the main threats have been universal multipurpose malware such as Emotet and xHelper. They give cybercriminals many opportunities to monetize attacks, as they can be used to spread ransomware or launch new spam campaigns. The goal of the criminals is to penetrate and gain a foothold in as many organizations and devices as possible so that subsequent attacks are more profitable and destructive. It is therefore very important that organizations inform their employees about the risks of opening and downloading email attachments and clicking on links that do not come from a reliable source."
File:Aquote2.png

The most active malware in December 2019 in Russia:

  1. XMRig is open source mining software first discovered in May 2017, used to mine Monero cryptocurrency.
  2. Agent Tesla is an advanced RAT. AgentTesla has been infecting computers since 2014, acting as a keylogger and password stealer. The malware can record victims' keyboard input, take screenshots and extract credentials from various programs installed on the victim's computer (including Google Chrome, Mozilla Firefox and Microsoft Outlook).
  3. Emotet is an advanced self-propagating modular Trojan. Once an ordinary banking Trojan, Emotet has recently been used to spread other malware and campaigns. Its functionality includes sending phishing emails containing malicious attachments or links.


The most active malware in December 2019 worldwide:

  1. Emotet is an advanced self-propagating modular Trojan. In December, Emotet affected 13% of organizations worldwide, up from 9% in November.
  2. XMRig is open source mining software used to mine Monero cryptocurrency.
  3. Trickbot is one of the dominant banking Trojans and is constantly supplemented with new capabilities, functions and propagation vectors. Trickbot is flexible and customizable malware that can be distributed as part of multi-purpose campaigns.


The most active mobile threats of December 2019:
xHelper and Guerrilla lead the mobile malware ranking.

  1. xHelper is a malicious Android app, active since March 2019, used to download other malicious apps and display ads. The app can hide itself from the user and from mobile antivirus programs, and reinstalls itself if the user deletes it.
  2. Guerrilla is an Android clicker that communicates with a remote command server, downloads additional malicious plugins and aggressively generates ad clicks without the user's consent or knowledge.
  3. Hiddad is a modular Android backdoor that grants superuser rights to downloaded malware and helps inject it into system processes. It can access key security details built into the OS, allowing it to obtain sensitive user data.


The most common vulnerabilities of December 2019:
Command injection over HTTP became the most common vulnerability, affecting 33% of organizations worldwide. The "MVPower DVR remote code execution" and "Git repository information disclosure on a web server" vulnerabilities, in second and third place, affected 32% and 29% of organizations respectively.

  1. Command injection over HTTP. Attackers exploit this vulnerability remotely by sending a specially crafted request to the victim. Successful exploitation allows the attacker to execute arbitrary code on the victim's device.
  2. MVPower DVR remote code execution. A remote code execution vulnerability exists in MVPower DVR devices. An attacker can exploit it to execute arbitrary code on the affected device using a specially crafted request.
  3. Git repository information disclosure on a web server. An exposed Git repository on a web server can lead to the disclosure of account information.

Check Point Research: The most active cyber threats of October

On November 28, 2019, Check Point Software Technologies released the Global Threat Index report with the most active cyber threats of October 2019. Experts note that for the first time in almost two years cryptominers dropped out of first place in the ranking of the most active malware.

Cryptominer activity has been falling since its peak in 2018. The researchers recalled that in January and February 2018 this type of malware affected more than 50% of organizations worldwide. A year later, in January 2019, its activity fell to 30%, and in October 2019 cryptominers affected only 11% of companies worldwide.

The most active malware in October was the Emotet botnet, which had been fifth a month earlier; it affected 14% of organizations worldwide. At the end of the month the botnet spread Halloween-themed spam: the email subjects included greetings ("Happy Halloween") and invitations to the holiday ("Halloween Party Invitation"), and the emails carried a malicious file.

File:Aquote1.png
"The impact of cryptominers on organisations worldwide decreased by almost 70% during 2019. However, in Russia the cryptominer Cryptoloot still ranks first, affecting just over 15% of organizations."
File:Aquote2.png

The most active malware in October 2019 in Russia: first place is still held by a cryptominer.

  1. Cryptoloot is a cryptominer that uses the victim's CPU or GPU power and existing resources for crypto mining: adding transactions to the blockchain and issuing new currency. A competitor of Coinhive.
  2. Emotet is an advanced self-propagating modular Trojan. Once an ordinary banking Trojan, Emotet has recently been used to spread other malware and campaigns. Its updated functionality includes sending phishing emails containing malicious attachments or links.
  3. XMRig is open source mining software first discovered in May 2017, used to mine Monero cryptocurrency.


The most active malware in October 2019 worldwide: for the first time in almost two years, cryptominers are not at the top of the most active malware. This month Emotet ranked first in the Global Threat Index, attacking 14% of organizations worldwide. XMRig was second, affecting 7% of companies worldwide, and Trickbot closed the top three with 6%.

  1. Emotet is an advanced self-propagating modular Trojan. Once an ordinary banking Trojan, Emotet has recently been used to spread other malware and campaigns. Its new functionality includes sending phishing emails containing malicious attachments or links.
  2. XMRig is open source mining software first discovered in May 2017, used to mine Monero cryptocurrency.
  3. Trickbot is one of the dominant banking Trojans and is constantly supplemented with new capabilities, functions and propagation vectors. Trickbot is flexible and customizable malware that can be distributed as part of multi-purpose campaigns.


The most active mobile threats of October 2019: in October the most common mobile threat was the Guerrilla Trojan, followed by Lotoor and AndroidBauts.

  1. Guerrilla is an Android clicker that communicates with a remote command server, downloads additional malicious plugins and aggressively generates ad clicks without the user's consent or knowledge.
  2. Lotoor is a tool that exploits vulnerabilities in the Android operating system to gain privileged root access on compromised mobile devices.
  3. AndroidBauts is adware targeting Android users that exfiltrates IMEI, IMSI, GPS location and other device information and allows third-party applications to be installed on the device.


The most common vulnerabilities of October 2019: the most common vulnerability in October 2019 was SQL injection, which affected more than a third (36%) of organizations worldwide. Second and third places went to the OpenSSL TLS DTLS Heartbeat information disclosure (Heartbleed, 33%) and MVPower DVR remote code execution (32%).

  1. SQL injection - insertion of SQL code into the input data sent from the client to the application, exploiting a vulnerability in the application software.
  2. OpenSSL TLS DTLS Heartbeat information disclosure, Heartbleed (CVE-2014-0160; CVE-2014-0346) - a vulnerability in OpenSSL that allows the contents of memory on a server or connected client to be disclosed. It is caused by an error in the handling of TLS/DTLS Heartbeat packets: the payload length declared in the packet is trusted instead of being checked against the actual record length.
  3. MVPower DVR remote code execution. A remote code execution vulnerability exists in MVPower DVR devices. An attacker can exploit it to execute arbitrary code on the affected device using a specially crafted request.

Raccoon malware infected more than 100 thousand devices

On October 25, 2019, it became known that information-stealing malware called Raccoon is quickly gaining popularity among cybercriminals. According to researchers from Cybereason Nocturnus, in just a few months the malware infected hundreds of thousands of devices around the world, stealing victims' credit card data, email credentials, etc.

The malware is neither complex nor innovative, but its malware-as-a-service (MaaS) distribution model gives cybercriminals a quick and easy way to make money. Raccoon is already among the top ten most mentioned malware on the darknet.

File:Aquote1.png
Based on logs put up for sale in the underground community, Raccoon infected more than 100,000 endpoints worldwide in a few months. Any criminal can easily use it regardless of their level of technical skill. Moreover, the Raccoon team is constantly working to improve it and provides responsive support. This gives people a quick and easy way to make money without investing much or having deep technical knowledge, Cybereason researchers reported.
File:Aquote2.png

Researchers first discovered Raccoon in April 2019. The malware, written in C++, uses several delivery methods, including exploit kits (among them Fallout and RIG), phishing attacks, and bundling with legitimate-looking software packages distributed from "dubious" websites.

After installation, Raccoon searches the system for credit card information, cryptocurrency wallets, passwords, emails, cookies and data from popular browsers (including saved credit card details, URLs, usernames and passwords), and then sends it to the operator.

The malware was presumably developed by Russian-speaking attackers. Initially it was sold exclusively on Russian-language forums, but it is now also offered on English-language ones.[12]

Russian companies attacked by viruses disguised as accounting documents

On October 24, 2019, it became known that Russian companies had begun to face mass attacks by viruses spread under the guise of accounting documents. Read more here.

Botnet blackmailing victims through intimate photos or videos revealed

On October 17, 2019, it became known that as part of a five-month research project, the team of researchers at Check Point Research, a division of Check Point Software Technologies Ltd., revealed the work of a malware that sends sextortion letters to its victims. Read more here.

Kaspersky Lab has discovered a tool for interfering with the encryption process

On October 9, 2019, Kaspersky Lab reported that it had discovered a malicious tool, Reductor, that can replace the random number generator used to encrypt data transmitted from the browser to HTTPS sites.

This gives attackers the ability to covertly monitor the user's browser activity. In addition, the discovered modules included remote administration functions, which makes the capabilities of this software almost unlimited.

With this tool, attackers carried out cyber-espionage operations against diplomatic missions in CIS countries, mainly monitoring user traffic.

The malware is installed mainly either with the help of the COMpfun malware, previously identified as a tool of the Turla cyber group, or by substituting "clean" software while it is being downloaded to the user's computer from a legitimate resource. The latter most likely means that the attackers control the victim's network channel.

File:Aquote1.png
"This is the first time we have encountered malware of this kind, which allows bypassing encryption in the browser and remaining unnoticed for a long time. Its level of complexity suggests that the creators of Reductor are serious professionals. Such malware is often created with state support. However, we have no evidence that Reductor is related to any particular cyber group. We remind all companies dealing with confidential data to regularly check the security level of their corporate IT infrastructure," says Kurt Baumgartner, Kaspersky Lab's leading antivirus expert.
File:Aquote2.png


To avoid infection, Kaspersky Lab recommends:

  • regularly auditing the security of the corporate IT infrastructure;
  • installing a reliable security solution with a web threat protection component that recognizes and blocks threats trying to penetrate the system through encrypted channels, for example Kaspersky Security for Business, as well as an enterprise-level solution that detects complex threats at the network level at an early stage, for example Kaspersky Anti Targeted Attack Platform;
  • giving the SOC team access to threat intelligence so that it has information about emerging and existing threats and the techniques and tactics used by attackers;
  • regularly training employees to improve their digital literacy.
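The Reductor case above is about a browser whose random number generator has been swapped out. One network-level check a defender can run without any browser access is to look at the values the RNG actually emits into the TLS handshake: the 32-byte client random in every ClientHello. A healthy generator never repeats it, whereas a generator patched to stamp a victim identifier into it shows up as a fixed prefix shared by many sessions. The following is an added example, not Kaspersky's code or published indicator: a minimal ClientHello parser plus a repeat/shared-prefix check. The marker layout, the prefix length and the sample handshakes are constructed assumptions for the demonstration.

```python
"""Network-side check for a subverted browser RNG: parse TLS ClientHello
records and flag client_random values that repeat or share a fixed prefix
across sessions. Added example, not Kaspersky's code or indicator; the
marker format and the sample handshakes are constructed for the demonstration."""
import os
import struct
from collections import Counter

def build_client_hello(random32, session_id=b""):
    """Minimal TLS 1.2 ClientHello record without extensions (constructed)."""
    if len(random32) != 32:
        raise ValueError("client random must be 32 bytes")
    cipher_suites = b"\xc0\x2f\xc0\x30"          # two suites, enough for a valid message
    body = (b"\x03\x03" + random32                # client_version + random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_random(record):
    """Return the 32-byte client random from a ClientHello record, or None."""
    # record header (5) + handshake header (4) + client_version (2) + random (32)
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43]

def suspicious_randoms(records, prefix_len=8):
    """Flag randoms seen more than once, or prefixes shared by several sessions.
    A healthy RNG never repeats 32 bytes; a patched one that stamps a victim ID
    into the random shows up as a shared prefix (assumed marker layout)."""
    randoms = [r for r in (client_random(rec) for rec in records) if r is not None]
    repeated = [r.hex() for r, n in Counter(randoms).items() if n > 1]
    shared = [p.hex() for p, n in Counter(r[:prefix_len] for r in randoms).items() if n > 1]
    return {"repeated_random": repeated, "shared_prefix": shared}

def demo():
    """Five honest handshakes, then three stamped with a constructed marker."""
    clean = [build_client_hello(os.urandom(32)) for _ in range(5)]
    marked = [build_client_hello(b"VICTIM01" + os.urandom(24)) for _ in range(3)]
    return suspicious_randoms(clean), suspicious_randoms(clean + marked)

if __name__ == "__main__":
    print(demo())
```

In practice the records would come from a packet capture or a TLS-aware sensor, grouped per client host, and the prefix length would be tuned against the baseline; a shared prefix is a lead to investigate the endpoint's browser binaries, not proof of compromise on its own.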

AgentTesla keylogger has intensified in Russia

On August 22, 2019, Check Point Software Technologies released the Global Threat Index report with the most active threats of July 2019. Researchers warn about the spread of the AgentTesla malware in Russia.

AgentTesla is an advanced RAT (Remote Access Trojan).

AgentTesla has been infecting computers since 2014, acting as a keylogger and password stealer. The malware can record victims' keyboard input, take screenshots and extract credentials from various programs installed on the victim's computer (including Google Chrome, Mozilla Firefox and Microsoft Outlook).

In Russia, AgentTesla began to spread in mid-June and became significant in July: researchers noted several large email campaigns sending phishing emails with malicious content. As a rule, the phishing emails imitated messages that are often sent during the vacation season: flight booking and ticket purchase information and the invoices for them.

File:Aquote1.png
"Attackers try to exploit new vulnerabilities quickly. It is therefore very important that companies have reliable protection even against such threats."
File:Aquote2.png

The most active malware in Russia in July 2019, according to Check Point Software Technologies:

  1. Cryptoloot is a cryptominer that uses the victim's CPU or GPU power and existing resources for crypto mining: adding transactions to the blockchain and issuing currency. A competitor of Coinhive.
  2. XMRig is open source mining software first discovered in May 2017, used to mine Monero cryptocurrency.
  3. Dorkbot is an IRC-based worm designed to let its operator execute code remotely and download additional malware to the infected system.


The most active mobile threats of July 2019:

  1. Lotoor is a tool that exploits vulnerabilities in the Android operating system to gain privileged root access on compromised mobile devices.
  2. AndroidBauts is adware targeting Android users that exfiltrates IMEI, IMSI, GPS location and other device information and allows third-party applications to be installed on the device.
  3. Piom is adware that monitors the user's browsing behaviour and shows unwanted advertisements based on the user's online activity.


The most common vulnerabilities of July 2019:

  1. SQL injection - insertion of SQL code into the input data sent from the client to the application, exploiting a vulnerability in the application software.
  2. OpenSSL TLS DTLS Heartbeat information disclosure, Heartbleed (CVE-2014-0160; CVE-2014-0346) - a vulnerability in OpenSSL that allows the contents of memory on a server or connected client to be disclosed, caused by an error in the handling of TLS/DTLS Heartbeat packets.
  3. MVPower DVR remote code execution. A remote code execution vulnerability exists in MVPower DVR devices. An attacker can exploit it to execute arbitrary code on the affected device using a specially crafted request.


In June, researchers noted that SQL injection led the threat ranking (46% of organizations worldwide).
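SQL injection heads the vulnerability rankings in the October, July and June reports on this page, each time described as "insertion of SQL code into the input data from the client". The following is an added example, not Check Point's code, showing exactly what that means and what stops it: a login check that splices the client's input into the SQL text, next to the same check as a parameterised query, run against Python's built-in sqlite3. The table, the account and the injection payloads are constructed for the demonstration.

```python
"""SQL injection, vulnerable and parameterised login side by side.
Added example (not Check Point's code) using Python's built-in sqlite3;
the users table and the inputs are constructed for the demonstration."""
import sqlite3

def make_db():
    """In-memory database with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    conn.commit()
    return conn

def login_vulnerable(conn, name, password):
    """Client input is spliced into the SQL text, so quotes in the input change the query."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn, name, password):
    """Parameterised query: values travel separately from the SQL text
    and are never parsed as SQL, whatever characters they contain."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0

# Classic payloads (constructed): close the string literal, then either add an
# always-true condition or comment out the rest of the WHERE clause.
PAYLOADS = {
    "tautology": ("x' OR '1'='1", "x' OR '1'='1"),
    "comment": ("alice' --", "wrong-password"),
}

def run_demo():
    """Map each case to (vulnerable_result, safe_result)."""
    conn = make_db()
    results = {"valid": (login_vulnerable(conn, "alice", "correct-horse-battery"),
                         login_safe(conn, "alice", "correct-horse-battery"))}
    for label, (name, pwd) in PAYLOADS.items():
        results[label] = (login_vulnerable(conn, name, pwd), login_safe(conn, name, pwd))
    return results

if __name__ == "__main__":
    for case, (vulnerable, safe) in run_demo().items():
        print("%-10s vulnerable=%s safe=%s" % (case, vulnerable, safe))
```

With the tautology payload the vulnerable query becomes `... WHERE name = 'x' OR '1'='1' AND password = 'x' OR '1'='1'`, which is true for every row; with the comment payload everything after `'alice' --` is discarded, so the password is never checked. The parameterised version returns False for both, because the driver passes the strings as values and the `'` and `--` are just characters in a name that does not exist.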

The largest botnet, Emotet, halted activity in June

On July 16, 2019, it was reported that the Check Point Research team, a division of the global cybersecurity vendor Check Point Software Technologies, had released the Global Threat Index report with the most active threats of June 2019. Researchers report that Emotet (the largest botnet as of July 2019) is currently inactive: for almost the whole of June there were no known campaigns. During the first half of 2019, Emotet was in the top 5 malware worldwide and was distributed through large-scale spam campaigns.

Map of the regions with the highest malware activity, June 2019

Check Point researchers believe Emotet's infrastructure may have been taken offline for maintenance and upgrades. It is possible that once its servers are restarted, Emotet will be reactivated with enhanced threat capabilities.

File:Aquote1.png
Emotet is a banking Trojan that has been in use since 2014. However, since 2018 we have seen it used as a botnet in major campaigns to spread spam and other malware. Even though its infrastructure was inactive for most of June 2019, the botnet still took fifth place in the global malware ranking. This position shows how actively attackers use it, and it is likely to reappear with added functions. Once Emotet lands on a victim's computer, the botnet can use the device to spread further spam campaigns, download other malware (such as Trickbot, which in turn infects the entire host network with the infamous Ryuk ransomware), and spread to other resources on the network.
File:Aquote2.png

The most active malware in June 2019 *:

* Arrows show change of position from previous month

  • ↑ XMRig - Open source software first discovered in May 2017. Used to mine Monero cryptocurrency.
  • ↑ Jsecoin is a JavaScript miner that can run mining right in the browser in exchange for ad display, in-game currency and other incentives.
  • ↓ Cryptoloot is a cryptominer that uses CPU or GPU power and existing resources for crypto mining - adding transactions to the blockchain and issuing currency. Competitor Coinhive.

In Russia, the three most famous cryptominers - Cryptoloot, XMRig and Jsecoin continue to lead the ranking of malware. In June, Cryptoloot attacked 11% of organizations in Russia, XMRig and Jsecoin, respectively - 9% and 7% of Russian companies.

The most active mobile threats of June 2019:

Lotoor continues to lead the ranking of malware for mobile devices. It is followed by Triada and Ztorg - a young malware on the top list.

  • Lotoor is a program that exploits vulnerabilities in the Android operating system to gain privileged root access on compromised mobile devices.
  • Triada is a modular Android backdoor that grants superuser privileges to downloaded malware and helps inject it into system processes. Triada has also been spotted spoofing URLs loaded in the browser.
  • Ztorg - Ztorg Trojans obtain elevated privileges on Android devices and install themselves in the system directory. The malware can also install any other application on the device.

The most common vulnerabilities of June 2019:

In June, researchers noted that SQL injection techniques led the ranking of threats (52% of organizations around the world). The OpenSSL TLS/DTLS Heartbeat vulnerability and CVE-2015-8562 ranked second and third, affecting 43% and 41% of organizations worldwide respectively.

  • ↑ SQL injection (several techniques) - insertion of SQL code into input sent from the client to the page, exploiting a vulnerability in the application software.
  • ↑ Heartbleed information disclosure in OpenSSL TLS/DTLS (CVE-2014-0160; CVE-2014-0346) - a vulnerability in OpenSSL that allows the contents of memory on a server or on a connected client to be disclosed. The vulnerability is caused by an error in the processing of TLS/DTLS Heartbeat packets.
  • ↑ Remote code execution in Joomla (CVE-2015-8562) - a vulnerability in Joomla that allows attackers to execute code remotely. A remote attacker can exploit it by sending a malicious request to the victim. Successful exploitation can lead to arbitrary code execution on the attacked site.
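To make the Heartbleed entry concrete, here is an added Python example (not Check Point's or OpenSSL's code) that parses a TLS heartbeat record and applies the RFC 6520 length bound that vulnerable OpenSSL versions skipped, the same check an IDS signature for CVE-2014-0160 relies on. The records it inspects are constructed inline as sample data, and it handles plain TLS record headers only; the longer DTLS record header is assumed out of scope.

```python
import struct

# TLS record content type for the Heartbeat extension (RFC 6520)
TLS_CONTENT_HEARTBEAT = 0x18
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HB_HEADER_LEN = 3     # type (1 byte) + payload_length (2 bytes)
MIN_PADDING = 16      # RFC 6520 requires at least 16 bytes of random padding


def build_heartbeat_record(claimed_len, payload, version=0x0303, hb_type=HEARTBEAT_REQUEST):
    """Construct a TLS heartbeat record with a caller-chosen payload_length field.

    Constructed sample data for the demonstration: a well-formed message passes
    len(payload) as claimed_len; a malformed one claims more than it carries.
    TLS record header is 5 bytes (DTLS would add epoch/sequence fields; not handled).
    """
    padding = b"\x00" * MIN_PADDING
    body = struct.pack("!BH", hb_type, claimed_len) + payload + padding
    return struct.pack("!BHH", TLS_CONTENT_HEARTBEAT, version, len(body)) + body


def check_heartbeat_record(record):
    """Apply the RFC 6520 bound that vulnerable OpenSSL (CVE-2014-0160) omitted.

    Verdicts:
      'ok'            the claimed payload fits inside the record
      'oversized'     payload_length exceeds what the record carries; a vulnerable
                      peer would echo that many bytes of its own memory, so this
                      is the pattern a detector flags
      'malformed'     the record cannot hold a heartbeat message at all
      'not-heartbeat' some other TLS content type
    """
    if len(record) < 5:
        return {"verdict": "malformed", "reason": "short record header"}
    content_type, version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_CONTENT_HEARTBEAT:
        return {"verdict": "not-heartbeat", "content_type": content_type}
    body = record[5:5 + record_len]
    if len(body) != record_len:
        return {"verdict": "malformed", "reason": "record truncated"}
    if record_len < HB_HEADER_LEN + MIN_PADDING:
        return {"verdict": "malformed", "reason": "no room for header and padding"}
    hb_type, claimed_len = struct.unpack("!BH", body[:HB_HEADER_LEN])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return {"verdict": "malformed", "reason": "unknown heartbeat type"}
    # Bytes actually available for the payload once the header and the
    # mandatory minimum padding are accounted for. This comparison is the
    # check the vulnerable code path lacked.
    available = record_len - HB_HEADER_LEN - MIN_PADDING
    if claimed_len > available:
        return {"verdict": "oversized", "claimed": claimed_len,
                "available": available, "excess": claimed_len - available}
    return {"verdict": "ok", "claimed": claimed_len, "available": available,
            "payload": body[HB_HEADER_LEN:HB_HEADER_LEN + claimed_len]}


if __name__ == "__main__":
    benign = build_heartbeat_record(5, b"hello")
    oversized = build_heartbeat_record(0x4000, b"\x00")
    print(check_heartbeat_record(benign)["verdict"])      # ok
    print(check_heartbeat_record(oversized)["verdict"])   # oversized
```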

The Global Threat Impact Index and ThreatCloud Map are developed by ThreatCloud intelligence, the largest collaborative cybercrime-fighting network, which provides threat and attack trend data from a global network of threat sensors. Containing more than 250 million addresses analyzed for bot detection, more than 11 million malware signatures and more than 5.5 million infected sites, the ThreatCloud database continues to identify millions of malware samples every day.

"Agent Smith" for Android quietly infected about 25 million devices

On July 11, 2019, it was reported that a team of researchers at Check Point Research, a division of Check Point Software Technologies, a worldwide provider of cybersecurity solutions, had discovered mobile malware that quietly infected about 25 million devices. Under the guise of a hidden app linked to Google, the malware exploits known Android vulnerabilities and automatically replaces installed apps with malicious versions without the user noticing.

The malware, dubbed "Agent Smith," uses its access to device resources to display ads for financial gain, but could easily be used for far more dangerous purposes such as stealing credentials and eavesdropping. This activity of Agent Smith resembles previous malicious campaigns such as Gooligan, Hummingbad and CopyCat.

The malware invisibly attacks user-installed applications, so it is difficult for ordinary Android users to deal with such threats on their own. A combination of advanced threat prevention and threat analysis techniques together with cyber hygiene is the best defense against aggressive attacks by mobile malware such as Agent Smith. In addition, users should only download apps from trusted app stores to reduce the risk of infection. Third-party app stores often fail to comply with all the security measures that are necessary to block downloaded ads.

Agent Smith was downloaded by users from the popular unofficial 9Apps app store. It was aimed mainly at users who speak Russian, Hindi, Arabic and Indonesian. So far, the main victims are in India, although other Asian countries such as Pakistan and Bangladesh have also been affected. There was also a marked number of infected devices in the UK, Australia and the US. Thanks to close cooperation between Check Point and Google, at the time of publication no malicious applications remained in the Play Store.

Mail traffic is still dominated by malware for Microsoft Office

On April 30, 2019, Dr.Web Antivirus published an overview of virus activity for April 2019. The company recorded a 39.44% decrease in unique threats compared to the previous month, and the total number of detected threats decreased by 14.96%. Mail traffic is still dominated by malware that exploits vulnerabilities in Microsoft Office programs. Statistics on malware and unwanted software continue last month's trend: most of the detected threats are malicious browser extensions, unwanted programs and adware.

The number of malicious and inappropriate sites increased by 28.04%. Doctor Web specialists warned users about the compromise of the official website of a popular video and sound editing program. Hackers replaced the download link, so that along with the editor users downloaded the dangerous banking Trojan Win32.Bolik.2. Such Trojans are designed to perform web injections, intercept traffic, log keystrokes and steal information from the bank-client systems of various credit institutions. Later, the hackers replaced Win32.Bolik.2 with another malware, one of the variants of Trojan.PWS.Stealer (KPOT Stealer).

This Trojan steals information from browsers, Microsoft accounts, various instant messengers and other programs.

According to the Dr.Web statistics server

This month's threats:

  • Adware.Softobase.12

Installer that distributes legacy software. Changes browser settings.

  • Adware.Ubar.13

Torrent client that installs unwanted software on the device.

  • Trojan.Starter.7394

A Trojan designed to run other malware on a device.

  • Adware.Downware.19283

An installer that is usually distributed with pirated content. During installation it can change browser settings and install other unwanted programs.

Malware statistics in mail traffic

  • Exploit.ShellCode.69

Malicious Microsoft Office Word document. Exploits the CVE-2017-11882 vulnerability.

  • Exploit.Rtf.CVE2012-0158

A modified Microsoft Office Word document that exploits the CVE-2012-0158 vulnerability to execute malicious code.

  • JS.DownLoader.1225

A family of malicious scripts written in JavaScript. They download and install other malware on the computer.

  • Trojan.Encoder.26375

Representative of the family of ransomware Trojans. Encrypts files on a computer and demands a ransom from the victim for decryption.

  • W97M.DownLoader.2938

A family of downloader Trojans that exploit vulnerabilities in office applications. Designed to download other malicious programs to the attacked computer.

In April, the Doctor Web technical support service was most often contacted by users affected by the following ransomware Trojans:

Encoders
  • Trojan.Encoder.858 — 17.95%
  • Trojan.Encoder.18000 — 14.65%
  • Trojan.Encoder.11464 — 7.69%
  • Trojan.Archivelock — 5.49%
  • Trojan.Encoder.567 — 3.85%
  • Trojan.Encoder.11539 — 3.85%
  • Trojan.Encoder.25574 — 2.75%

During April 2019, 345,999 Internet addresses were added to the database of inappropriate and malicious sites.

March 2019    April 2019    Change
+270,227      +345,999      +28.04%

Dr.Web also described the dangerous Trojan Android.InfectionAds.1, which exploited several critical vulnerabilities in the Android OS. Using them, it could infect APK files and install and uninstall programs on its own.

During the month, malware such as downloader Trojans and clickers, as well as Instagram credential stealers named Android.PWS.Instagram.4 and Android.PWS.Instagram.5, were identified in the Google Play catalog.

In addition, users of Android smartphones and tablets were threatened by banking Trojans, for example the latest versions of Android.Banker.180.origin, as well as by other malicious applications.

2018

33% of organizations around the world were attacked by mobile malware

On January 30, 2019, it became known that Check Point Software Technologies Ltd. had released the first part of its 2019 Security Report, which describes the main malware trends and techniques that Check Point researchers observed in 2018. According to the document, 33% of organizations around the world were attacked by mobile malware, with the three main threats targeting the Android OS. In 2018 there were several cases of mobile malware pre-installed on devices, and of applications available in app stores that actually turned out to be hidden malware.

Every fourth attacked user in the world has encountered mobile "porn crawlers"

In 2017, 25%* of mobile users who encountered various malware were attacked by malware that disguised itself as adult content in one form or another. In total, more than 1.2 million people were affected by such threats. Kaspersky Lab experts came to this conclusion by analyzing cyber threats to visitors of porn sites and applications. In total, during their research, analysts discovered 23 families of mobile malware that hide their real functions behind adult materials.

Having encountered a malicious porn application, the user in almost half of cases (46%) risks getting a so-called clicker, a program that clicks through advertising pages or signs up for a WAP subscription, thereby withdrawing money from the mobile account. The second most common threat in this case is banking Trojans, encountered by 24% of those attacked. Ransomware accounts for a relatively small share of infections (6.5%), but its arrival on a device is often accompanied by intimidation of the user. For example, the malware locks the screen and shows an alert about the detection of illegal content (most often child pornography); with this deception, attackers try to force their victims to pay a ransom.

You can avoid infection with malware masquerading as porn content using the same basic rules of safe behavior: use only verified sites, do not download mobile applications from third-party unofficial sources (no matter how tempting they may seem), do not buy hacked accounts from porn sites and, of course, use a reliable security solution.

2017

Business faced an increase in the number of ransomware and attacks on IoT devices

Trend Micro on September 13, 2017 published an information security report for the first half of 2017, The Cost of Compromise. The report highlights key cyber threats that continue to challenge the development of the information technology industry. The business has faced an increase in ransomware, an increase in corporate mail fraud (BEC), attacks on IoT devices, and cyber propaganda.

In the first half of 2017, Trend Micro recorded more than 82 million ransomware attacks and more than 3 thousand attempts at business e-mail compromise (BEC) fraud. All this shows the need to prioritize measures for responding to emerging threats. Despite growing investment in information security, according to Forrester's latest analytical report, insufficient funds are still allocated to combating the increasing number of corporate cyber threats.

In addition, since the beginning of 2017:

  • Trend Micro Smart Protection Network blocked more than 38 billion threats, most of which were malicious emails.
  • Zero Day Initiative specialists have discovered 382 new vulnerabilities in the software solutions of popular vendors.
  • About 28 new families of ransomware were discovered. At the same time, WannaCry ransomware alone was able to infect an unprecedented number of computers - 300 thousand in 150 countries.

In April and June 2017, the WannaCry and Petya ransomware attacks disrupted the activities of thousands of companies from various industries around the world. The total losses from these attacks, including the subsequent decrease in productivity and the cost of eliminating the consequences, amounted to about $4 billion according to various estimates. In addition, according to FBI data, business e-mail fraud cost companies $5.3 billion, all in the first half of 2017.

Between January and June 2017, there was an increase in the number of attacks on IoT devices, as well as in the spread of cyber propaganda. Together with the Milan Technical University (Politecnico di Milano), Trend Micro demonstrated the vulnerability of industrial robots to hacker actions. Such attacks can result in serious financial losses and a decrease in productivity.

Unprotected connected devices thus put smart manufacturing at risk: the Persirai botnet alone, discovered by Trend Micro in April 2017, attacked more than 1,000 network-connected IP cameras, while more than 120 thousand cameras were found to be vulnerable to malware attacks.

In addition, the number of cases of social media being used to distribute cyber propaganda has increased. Thanks to tools available on underground markets, the spread of fake news or negative media coverage can lead to serious financial losses for companies whose reputation and brand suffer from cyber propaganda.

"Companies need to prioritize budget allocation for protection, since the cost of leaks sometimes significantly exceeds the financial capabilities of the business," said Max Cheng, CIO of Trend Micro. "A key theme this year is still the large number of cyber attacks on businesses around the world. The trend is likely to remain the same in the second half of 2017. All this happens against the background of companies ceasing to treat cybersecurity only as information protection and considering it an investment in their future."

Group-IB discovered a new malware for Android, invisible to antiviruses

Group-IB's early cyber threat detection system has recorded the active spread of new malware that runs on Android OS. The virus uses data from the infected subscriber's phone book, and antivirus software does not detect the program as malicious. Over the past week, many Android phone users have received MMS messages containing a link from someone in their contact list. At the beginning of the message, the virus inserted the name from the infected person's address book (see the picture below).

When clicking on the link, the user saw the text "Dear user, you have received an mms photo. You can see it at the link below." Clicking the "View" button downloaded malware with the .APK extension to the device. The attackers also thoughtfully accompanied the spam with the instruction "During installation, click SETTINGS -> Allow installation from unknown sources -> OK."

Mechanism of operation of the virus

Once on the device, the malware sends itself to the victim's contact list. In parallel, it sends a request to the victim's SMS banking number, finds out the account balance and transfers money to accounts controlled by the attackers. At the same time, incoming SMS messages are intercepted, so the victim does not suspect that money is being withdrawn even if SMS debit notifications are enabled, Group-IB noted.

The program's functionality also includes showing so-called "web fakes": browser windows that are visually similar to the login windows of banking applications. By entering bank card details into them, the victim sends them directly to the attackers. In some cases, the malware could also lock the phone.

"This threat is directed at Android OS users - customers of banks using SMS banking and users of mobile banking applications. It is characteristic that the antivirus programs installed on the victims' phones did not detect the application as malicious (and continue not to detect it) at any stage of the virus. Antiviruses in this situation simply do not help," said Rustam Mirkasymov, head of the dynamic analysis department of malicious code at Group-IB.

Kaspersky Lab: The number of malware for smart devices has doubled

The number of malware samples for IoT devices exceeded seven thousand, with more than half of them appearing in the first six months of 2017. Such figures are cited by Kaspersky Lab experts. The company's analysts also note that there are now more than 6 billion Internet-connected devices operating around the world, and people are in serious danger. By hacking smart gadgets, attackers are able to spy on users, blackmail them, and use the devices as intermediaries for committing crimes.

Kaspersky Lab specialists conducted an experiment and set up several traps ("honeypots") that imitated various smart devices. Experts recorded the first unauthorized connection attempts within a few seconds. Over a single day, several tens of thousands of connection attempts were registered. Among the devices from which experts observed attacks, more than 63% could be identified as IP cameras. About 16% were various network devices and routers. Another 1% were Wi-Fi repeaters, set-top boxes, IP telephony devices, Tor exit nodes, printers and smart home devices. The remaining 20% of devices could not be unambiguously identified.

Looking at the geographical location of the devices from whose IP addresses experts saw attacks on the honeypots, the picture is as follows: the top 3 countries were China (14% of attacking devices), Vietnam (12%) and Russia (7%).

The reason for the increase in the number of such attacks is simple: the Internet of Things today is practically not protected from cyber threats. The vast majority of devices run on Linux, making life easier for criminals: they can write one malware that will be effective against a large number of devices. In addition, most IoT gadgets do not have any security solutions, and manufacturers rarely release security updates and new firmware.

Chinese advertising agency spreads malware that infected 250 million devices

In May 2017, Check Point Software Technologies' Threat Intelligence team detected a highly active Chinese malware campaign that had already affected more than 250 million computers worldwide. In every fourth Russian company (24.35%), at least one computer is infected. The Fireball malware being distributed takes over browsers, turning them into zombies. Fireball has two main functions: one is the ability to run any code and download any files to the victim's computer, and the other allows it to control the user's web traffic to generate advertising revenue. Fireball currently installs plugins and additional configurations to increase advertising traffic, but it could easily turn into a distributor of any other malicious software.

Check Point Fireball Infection Map

The campaign is run by Rafotech, the largest marketing agency based in Beijing. Rafotech uses Fireball to manipulate victims' browsers and change their default search engines and start pages to fake search engines that simply redirect queries to yahoo.com or Google.com. The fake search engines are able to collect users' personal information. Fireball can also spy on victims, deliver any malware and run any malicious code on infected machines. Fireball usually arrives on the victim's computer bundled with other software the user downloads, often without their consent.

The scale of Fireball's spread is striking. According to Check Point analysts, more than 250 million computers worldwide are infected: about 25.3 million in India (10.1%), 24.1 million in Brazil (9.6%), 16.1 million in Mexico (6.4%) and 13.1 million in Indonesia (5.2%). In the United States, about 5.5 million infections were detected (2.2%).

According to Check Point, the infection rate of corporate networks is even higher: about 20% of all corporate networks in the world. There is a significant number of infections in the United States (10.7%) and China (4.7%), but the figures for Indonesia (60%), India (43%) and Brazil (38%) are especially striking.

Another indicator of the wide distribution is the popularity of Rafotech's fake search engines. According to the Alexa analytics system, 14 of these fake search engines are among the 10,000 most popular websites, and some are even in the top 1,000.

From a technical point of view, Fireball demonstrates a high degree of skill of its creators: it is able to avoid detection, contains a multi-level structure and flexible C&C, and in general is in no way inferior to other successful malware.

Rafotech does not admit to distributing fake search engines, however, on its website it declares itself a successful marketing agency, reaching 300 million users around the world, which roughly coincides with data on the number of infected machines.

The scale of Fireball's spread gives its operators, Rafotech, virtually limitless power. The company can sell private information obtained from fake searches to fraudsters or to the victims' business competitors. It can also deliver any other malware to infected computers. Check Point estimates that if Rafotech decides to realize this potential, one in five corporations in the world will be in serious danger. Damage can be done to critical organizations, from large service providers to infrastructure operators and healthcare facilities. The possible losses are enormous and could take years to recover from.

Check Point Threat Index Data

Check Point Software Technologies found that Hummingbad lost its lead among mobile malware for the first time since February 2016. The data is provided in the Check Point Threat Index monthly report for January, produced by Check Point's Threat Intelligence team.

Hummingbad's place at the top of the ranking of the most popular mobile malware was taken by Triada, a modular backdoor for Android. It grants superuser privileges to downloaded malware, helping it penetrate system processes. In total, mobile malware accounts for 9% of all detected attacks. The leading position in the overall ranking is held by Kelihos, a botnet used to steal bitcoins; 5% of organizations around the world have suffered from it.

The ranking data suggests that hackers continue to expand their arsenal of tools for targeted attacks on business. Threats are used at every stage of infection, including spam emails sent by bots that contain downloaders, which in turn deliver malware to the victim's device.

The number of attacks on Russian companies dropped significantly in January: Russia fell to 83rd place in the ranking of the most attacked countries, whereas a month earlier it was in 55th place. The most active malware attacking Russian organizations in January 2017 were Conficker, InstalleRex, Cryptowall, Bedep, Kotetaur, HackerDefender, Delf, Ramnit, Jeefo and Fareit.

Among the most attacked countries in January 2017 were Paraguay, Uganda and Macedonia. The safest in terms of cybersecurity were Argentina, Montenegro and Barbados.

In total, Kelihos was the most active type of malware, infecting 5% of organizations around the world. It is followed by HackerDefender and Cryptowall, which account for 4.5% of the attacked companies.

The most active malware of January 2017:

  • Kelihos - A botnet used mainly to steal bitcoins and send spam. It works through peer-to-peer communication, allowing each individual node to act as a Command & Control server.
  • HackerDefender - A user-mode rootkit for Windows that can be used to hide files, processes and registry keys, and also as a backdoor and port-redirection program working through ports opened by existing services. As a result, the hidden backdoor cannot be detected by traditional means.
  • Cryptowall - Ransomware that began as a clone of Cryptolocker but eventually surpassed it. Cryptowall has become one of the most prominent ransomware families. It is known for its use of AES encryption and C&C communication through the Tor anonymity network. The malware is actively spread through exploit kits, malicious ads and phishing campaigns.

The most active mobile malware:

  • Triada - A modular backdoor for Android that gives extensive privileges to downloaded malware, helping it infiltrate system processes. Triada has also been seen spoofing URLs loaded in the browser.
  • Hummingbad - Android malware which, using a reboot-resistant rootkit, installs fraudulent applications and, with minor modifications, can show additional malicious activity, including installing keyloggers, stealing credentials and bypassing the encrypted email containers used by companies.
  • Hiddad - Android malware that repackages legitimate applications and releases them to third-party stores. Its main function is to display ads, but it can also access key security settings built into the operating system, allowing an attacker to obtain sensitive user data.

2016: Malicious ads now target routers

It is difficult to surprise anyone with malicious advertising campaigns today, but Proofpoint has discovered a new trend in this area. Attackers are now targeting not users' browsers but their routers. The attackers' final goal is to inject advertising into every page the infected victim visits. Interestingly, this campaign is aimed not at IE users, as is most often the case, but at Chrome users (both desktop and mobile) [13][14].

The hackers act as follows: advertising space is bought on legitimate sites to place ads, using the AdSupply, OutBrain, Popcash, Propellerads and Taboola ad networks. Malicious JavaScript code embedded in the ad uses a WebRTC request to the Mozilla STUN server to find out the victim's local IP address. Based on this information, the malware determines whether the user's local network is behind a home router. If so, the attack continues. If not, the user is shown regular, harmless advertising and avoids trouble.

Router owners, on the other hand, are shown ads that are far from harmless: the ad redirects them straight to the DNSChanger exploit kit, which continues the attack. Using steganography, the attackers send the victim's router an image containing an AES key. The malicious advertising uses this key to decrypt further traffic received from DNSChanger. This is how the attackers hide their operations from the attention of information security specialists.

After obtaining the AES key, DNSChanger sends the victim a list of fingerprints for 166 routers (including various Linksys, Netgear, D-Link, Comtrend, Pirelli and Zyxel models), from which the router type is determined and then transmitted to the attackers' control server. The server holds a list of vulnerabilities and hard-coded credentials for various devices, which are used to take control of the victim's router. Proofpoint experts note that in some cases (if the device model allows), the attackers try to open an external connection to the router's administrative port and take control directly.

If the hackers manage to gain control of the device, they replace its DNS servers and all legitimate ads with their own, and also embed ads on sites that had none at all.

The only way to avoid such problems is not to use default credentials on the router, to disable remote access to the control panel (if possible), and to update the device's firmware to the latest version in order to close the vulnerabilities and exploits used by DNSChanger.

2013: Trends in malware and intrusive advertising code in the mobile environment

Symantec has published a study that reviewed the latest trends in malware and intrusive ad code (also known as adware) in the mobile environment.

Key points of the study:

  • A steady increase in the number of "madware" programs on Google Play. 23% of all applications on Google Play contain code for aggressive ad imposition, also known as madware. In 2012, this figure was only 15%;
  • Aggressive actions committed by "madware." Two-thirds of applications containing madware collect various information about the device, including the IMEI number as well as the manufacturer's name and device model. In addition, a third of all these programs post advertising messages in the notification panel, which can annoy users;
  • An increase in the amount of malware on the Android platform. Between June 2012 and June 2013, the number of unknown types of malicious code increased by 69%, and the number of known threats almost quadrupled.


2000-2008

2000. At the beginning of the year, the victims of computer viruses were, in turn, the Windows 2000 operating system and Visio, a popular application for creating diagrams and flowcharts. In May, the epidemic of the script virus I Love You!, which hit millions of computers within a few hours, made it into the Guinness Book of Records. The investigation showed that the virus was created by a Filipino student, who was not convicted due to the lack of relevant legal provisions in Philippine law.

In July, three extremely interesting viruses appeared at once. "Star" became the first virus for the AutoCAD package. "Dilber" was notable for containing the code of five viruses at once, including "CIH," "SK," "Bolzano," etc. Depending on the current date, Dilber activated the destructive routines of a particular component, which is why the virus received the nickname "Shuttle full of viruses." The third was the Jer Internet worm, which was activated when the corresponding HTML page was opened.

In August, the first Trojan Horse-class malware for the PalmOS operating system of Palm Pilot handheld computers, called "Liberty," was discovered. When launched, "Liberty" erased files but did not have any reproduction functions. In September, this new type of malware was supplemented by the first real virus for PalmOS, "Phage." It was a classic parasitic virus which, instead of embedding itself in infected files, erased them and wrote its own code in their place. In early September, the first known computer virus ("Stream") capable of manipulating alternate data streams (ADS) of the NTFS file system was discovered. In October, the first virus infecting PIF files ("Fable") and the first virus written in the PHP scripting language ("Pirus") appeared. In November, the Hybris virus was discovered, whose author was the well-known Brazilian virus writer nicknamed Vecna. He developed the idea of his first self-updating virus, "Babylonia," and took previous mistakes into account. The main innovation was the use of both websites and electronic conferences to download new virus modules to infected computers.

In the same year, the first international agreement on countering computer viruses was signed.

2001. The main event of 2001 was the widespread spread of malware exploiting vulnerabilities in the security systems of operating systems and applications (for example, CodeRed, Nimda, Aliz, BadtransII, etc.). The global epidemics they caused became the largest in history and for a long time determined the development of the antivirus industry as a whole. The numerous variants of the ILoveYou worm and the Magistr and SirCam mail worms were also very noticeable events in virus history.

The long-standing dominance of classic file viruses is gradually fading, and the main method of reproduction for malware is becoming the transfer of its body over local and global networks.

2001 was also marked by the emergence of a large number of malicious programs aimed at the Linux operating system. The Ramen network worm, discovered on January 19, hit a large number of large corporate systems in a matter of days. The worm's victims included the US National Aeronautics and Space Administration (NASA), Texas A&M University and the Taiwanese computer equipment manufacturer Supermicro. Following Ramen, its clones and new original Linux worms appeared, which also caused numerous incidents.

In addition, in the same year a new type of malicious code (CodeRed, BlueCode) was discovered, capable of actively spreading and operating on infected computers without using files. The global epidemic of the CodeRed network worm (according to some estimates, more than 300,000 computers were infected) confirmed the exceptional effectiveness of the technology used by fileless worms.

2002. 12 large and 34 less significant new virus epidemics were recorded, against the background of ongoing epidemics inherited from earlier periods (Sircam, Hybris, Magistr, CIH, BadtransII, Thus, etc.). During the year, malware continued to actively penetrate new platforms and applications. Already in January, only two days apart, the LFM virus for Flash files and the Donut virus, the first to use .NET technology for its distribution, appeared.

In mid-May, the network worms Spida (infecting SQL servers) and Benjamin were discovered. The latter became the inspiration for a whole family of malware which, throughout 2002, continuously attacked members of the KaZaA file-sharing network. Attacks on Linux users also continued: the Slapper worm managed to infect thousands of Linux systems around the world in just a few days. FreeBSD users did not escape the same fate: the Scalper network worm, discovered in September, was also quite widespread.

The undeniable leader in the number of incidents caused in 2002 was the Klez Internet worm. During 2002, two of the ten existing varieties of this worm raged: Klez.H (discovered 17.04.2002) and Klez.E (discovered 11.01.2002). In total, 6 out of every 10 reported infections were caused by Klez. Klez's closest competitor was the Internet worm Lentin; in late 2002 it managed to surpass Klez in the number of incidents caused. The Tanatos worm (also known as Bugbear), whose epidemic broke out in October 2002, was also very noticeable.

Among the computer viruses observed in 2002, macro viruses were the most active. First of all, Thus, TheSecond, Marker and Flop are worth noting here. These macro viruses for the Microsoft Word text editor showed amazing survivability: epidemics involving them were recorded in the late 90s, and in 2002 they experienced a rebirth. Among Windows viruses, Elkern, CIH, FunLove and Spaces caused the most infections.

2003. The Lovesan network worm, which appeared in August 2003, exploited a critical vulnerability in the Windows operating system for its distribution. In a matter of days, it managed to infect millions of computers around the world. The principle of reproduction it used (through the global Internet, by a direct attack from an infected computer, ignoring the distribution routes traditional for that time: email, IRC, P2P networks) had first been implemented back in 1988 in the first network worm in history, the Morris worm, but then, for almost 15 years, nothing like it occurred. Lovesan was not the only such worm in 2003. The first was the Slammer worm, which in three days in January 2003 managed to infect about half a million computers. It also exploited a vulnerability in a Microsoft software product, MS SQL Server. Slammer hit the computers of the US State Department, where it damaged a database; US consulates around the world were forced to interrupt the visa issuance process for 9 hours.

The Sobig.f mail worm appeared at the very end of August 2003 and in just a couple of days caused the largest mail worm epidemic of the 21st century. At the peak of its activity, almost every tenth email contained this worm. The worm did not exploit any vulnerabilities and had rather simple subjects and message texts, but the scale of its penetration into user computers became so large that the discovery of its function for receiving commands from outside (a backdoor) made all antivirus experts await August 22, 2003 with heavy hearts: the day on which Sobig.f, on all computers infected with it, was to receive a command from its "creator." However, the command never came; the servers from which it could have been sent were promptly shut down.

In September, the Swen worm appeared, which used traditional methods for reproduction: email, IRC and P2P channels. A feature of this worm was its very powerful social engineering: Swen pretended to be a special patch from Microsoft, allegedly eliminating all known vulnerabilities. The message, which contained easily recognizable elements of the official Microsoft website, links to other resources of the company and well-crafted text, worked irresistibly not only on inexperienced but also on many experienced users, persuading them to run the file attached to the message.

The last prominent representative of 2003 was the Sober mail worm. Written as an imitation of Sobig, the worm used many different message texts, in different languages selected depending on the recipient's country, and posed as a utility for removing Sobig.

2004. In early January, thousands of ICQ users were sent a message asking them to visit a site. The site hosted a Trojan program that, using one of the many vulnerabilities in Internet Explorer, secretly installed and launched the Mitglieder Trojan proxy server, which opened spam ports on the infected machine.

Also in 2004, two epidemics occurred that can safely be called the largest in the history of the Internet: the spread of the MyDoom.a mail worm (January-February 2004) and the Sasser.a network worm (May 2004). Mydoom is known for a massive 12-day DDoS attack on the website of SCO, which began on February 1, 2004. Within a couple of hours the server was completely paralyzed, and www.sco.com was able to return to normal operation only on March 5. The Sasser worm hit more than 8 million computers in May 2004, and losses from it are estimated at 979 million US dollars. To penetrate systems, Sasser exploited a vulnerability in the LSASS service of Microsoft Windows.

In June, Cabir appeared: the first network worm to spread via Bluetooth and infect mobile phones running the Symbian OS. Each time an infected phone was turned on, the virus gained control and began to scan the list of active Bluetooth connections. It then chose the first available connection and tried to transfer its main file, caribe.sis, to it. Cabir did nothing destructive; it only reduced the stability of the phone by constantly trying to scan for active Bluetooth devices.

Soon, in August 2004, viruses for PocketPC appeared - the classic Duts virus and the Brady Trojan program. This year was also remembered for the large-scale arrests of virus writers - about 100 hackers were convicted, and three of them were among the twenty most wanted criminals by the FBI.

2005. In 2005 there was a slight decline in the activity of mail worms. According to Kaspersky Lab, in 2005 there were 14 virus epidemics, three times fewer than in 2004 (46 epidemics). Only four major epidemics were recorded: modifications of the Bagle mail worm with indexes .ah and .au (January), the Mytob.c network worm (March) and two modifications of the Sober mail worm, Sober.p (May) and Sober.y (November). The most widespread of everything that appeared in 2005 was the Mytob family of worms, with more than 120 detected varieties. Throughout the year, Mytob variations accounted for more than half of the total number of malware caught in mail traffic.

2006. 2006 continued the main trends in the development of malware identified in previous years: the predominance of Trojans over worms and the increase in the proportion of programs focused on causing financial damage to users among new samples of malicious code. In 2006, according to Kaspersky Lab, among all new families and variants of malware, the share of Trojans exceeded 90%. Notable events of the year were the first "real" viruses and worms for the MacOS operating system, Trojan programs for the mobile platform J2ME and the associated method of stealing money from a user's mobile account. The increase in the number of all new malware compared to 2005 was 41%. In 2006, 7 major virus epidemics were recorded, half the figure of the previous year (14 epidemics). The 2006 epidemics can be divided into four groups: the Nyxem.e worm, the Bagle and Warezov worms, and several variants of the Gpcode ransomware Trojan.

2007. The number of malicious computer programs more than doubled in 2007. According to Kaspersky Lab, more than 220 thousand new viruses in total were registered over the year. In 2007, 18,348 new computer viruses appeared monthly, which is also more than twice the level of the previous year (8,563). More than half of all malicious programs sent by e-mail in 2007 were mail worms (54.55%), followed by programs of the Trojan-Downloader family (universal downloaders of arbitrary malicious code from the Internet, 14.87%) and Trojan-Spy (programs that steal confidential information from the computers of users and organizations, 13.41%).

The share of Trojans in the total volume of malware was 91.73%, and the number of such programs increased by 2.28% compared to 2006. In 2007, the number of malicious programs aimed exclusively at online game players increased significantly. Whereas in 2006 a little more than 15 thousand programs that steal passwords from online games were discovered, by the end of 2007 their number approached 35 thousand.

2008. In the first half of 2008, Kaspersky Lab analysts discovered 367,772 new malicious programs, 2.9 times more than in the second half of 2007. The average number of new malicious programs detected per month was 61,295.33. Compared to the second half of 2007, the number of new programs increased by 188.85%. This growth rate significantly exceeds the results of 2007, when 114% more malware was detected than in 2006.

The first half of 2008 brought no significant changes to the ratio of malware classes. The absolute leader is still Trojans, which account for more than 92% of all malware. At the same time, the share of Trojans increased by only 0.43%, significantly less than their growth of more than two percent in 2007. The number of new Trojan programs discovered in the first half of 2008 increased by 190.2% compared to the previous half-year.

1990-1999

1990. The first polymorphic viruses appeared: Chameleon (1260, V2P1, V2P2 and V2P6). The so-called "virus production factory" appeared in Bulgaria. During this year and a number of subsequent years, a huge number of new viruses of Bulgarian origin were discovered. These were entire families of viruses: Murphy, Nomenclatura, Beast (or 512, Number-of-Beast), new modifications of the Eddie virus and many others. Particular activity was shown by a certain Dark Avenger, who released several new viruses a year that used fundamentally new algorithms for infection and for hiding themselves in the system. In the same place, in Bulgaria, the first BBS (VX BBS) appeared, focused on the exchange of viruses and information for virus writers. In the same year, the first known domestic (Russian) viruses were discovered: "Petersburg," "Voronezh" and the Rostov "LoveChild."

In July 1990, a serious incident occurred with the English computer magazine PC Today. Each issue of the magazine included a free floppy disk which, as it turned out later, was infected with the DiskKiller virus.

In December 1990, the European Institute for Computer Anti-Virus Research (EICAR) was established in Hamburg, Germany. Around the same time, Symantec introduced its antivirus product, Norton AntiVirus.

1991. Following the Bulgarian VX BBS and the elusive Dark Avenger, other virus-exchange stations and new virus writers emerged around the world: Cracker Jack (Italian Virus Research Laboratory BBS) in Italy, Gonorrhoea in Germany, Demoralized Youth in Sweden, Hellpit in the USA, Dead On Arrival and Semaj in England.

1992. File, boot and file-boot viruses for the most common operating system, MS-DOS on IBM PC computers, became increasingly significant. The number of viruses grew exponentially. Various antivirus programs developed, and dozens of books and several regular virus magazines were published. The first polymorphic generator, MtE, appeared; its main purpose was to be integrated into other viruses to make them polymorphic. The first viruses of the anti-antivirus class appeared, capable of bypassing protection and remaining invisible to it. In July 1992, the first virus construction kits appeared, VCL and PS-MPC, which made it possible to create viruses of various types and modifications. At the end of the same year, the first virus for Windows appeared, Win.Vir_1_4 (10), infecting the executable files of the operating system.

1993. The Satan Bug virus affected hundreds of computers in Washington; even White House computers suffered. The FBI arrested the author, who turned out to be a 12-year-old teenager. The appearance of "time bombs" was recorded: viruses that penetrate computers and activate only when a certain date arrives. Microsoft released its own antivirus, Microsoft AntiVirus (MSAV), which was included in the standard delivery of the MS-DOS and Windows operating systems. The first tests carried out by independent testing laboratories showed high reliability of the product. However, its quality subsequently began to deteriorate gradually, and after a while Microsoft decided to close the project.

1994. The problem of viruses on CDs became increasingly significant. Quickly becoming popular, this type of media turned out to be one of the main ways viruses spread. Several incidents were recorded in which a virus got onto the master disc during the preparation of a batch of CDs.

At the beginning of the year, two extremely complex polymorphic viruses appeared in the UK: SMEG.Pathogen and SMEG.Queeg. The author of the viruses placed infected files on BBS stations, which caused a real epidemic and panic in the media. In January 1994, Shifter appeared, the first virus to infect object modules (OBJ files). In April came SrcVir, a family of viruses that infect program source code (C and Pascal). In June, an epidemic of the polymorphic virus OneHalf began. In September, there was an epidemic of the file-boot virus "3APA3A," which used an extremely unusual method of installing itself in MS-DOS. Around the same time, the international debut of the AntiViral Toolkit Pro (AVP) antivirus program took place.

1995. The ByWay and DieHard2 viruses became widespread; reports of infected computers were received from almost all over the world. In February, Microsoft released a beta version of the new Windows 95 system on floppy disks infected with the Form virus. In August, the first virus for Microsoft Word ("Concept") was discovered "in the wild." In just a month, the virus "flew around" the entire globe, flooding the computers of users of the word processor. In 1995, the English branch of the Ziff-Davis publishing house distinguished itself twice. In September, its magazine PC Magazine (English edition) distributed a floppy disk containing the Sampo boot virus to its subscribers. In mid-December, another Ziff-Davis magazine, Computer Life, sent readers a floppy disk with Christmas greetings. In addition to the greetings, the disk also contained the boot virus Parity_Boot.

1996. In January, the first virus for the Windows 95 operating system, Boza, appeared, and there was an epidemic of an extremely complex polymorphic virus, Zhengxi, written by a Russian programmer from St. Petersburg, Denis Petrov. March saw the first virus epidemic for Windows 3.x: Win.Tentacle. This virus infected a computer network in a hospital and several other institutions in France. In June, "OS2.AEP" appeared, the first virus for OS/2 to correctly infect EXE files of this operating system. Prior to that, the only viruses found on OS/2 either overwrote a file, destroying it, or acted using the "companion" method.

In July, Laroux was discovered, the first virus for Microsoft Excel; moreover, it was caught "in the wild" almost simultaneously in two oil producing companies in Alaska and South Africa. Like MS Word viruses, the principle of operation of "Laroux" is based on the presence of so-called macros in files: programs in the Visual Basic programming language. At the end of summer, virus writers under the pseudonyms Nightmare Joker and Wild Worker almost simultaneously released macro-virus construction kits for the German and English versions of MS Word, respectively: the Word Macro Virus Construction Kit and the Macro Virus Development Kit. In mid-October, the Wazzu macro virus was discovered on the Microsoft website, in one of the Word documents on technical support for Microsoft software products in Switzerland. In December, the first resident virus for Windows 95 appeared, "Win95.Punch." It loaded into the system as a VxD driver, intercepted calls to files and infected them. In general, 1996 can be considered the beginning of a large-scale offensive by the computer underground against the Windows 95 and Windows NT operating systems, as well as the Microsoft Office applications.

1997. In February, the first virus for the Linux operating system appeared, "Linux.Bliss." At the same time, with the release of the next version of the Microsoft Office 97 suite of office applications, a gradual migration of macro viruses to this platform was noted. March 1997 marked the emergence of the ShareFun macro virus for MS Word 6/7, which opened a new page in the history of the computer industry: it became the first virus to use the capabilities of modern e-mail, in particular the MS Mail program, for its distribution. In April, the Homer virus was discovered, the first network worm virus to use the File Transfer Protocol (FTP) for its distribution. In June, the first self-encrypting virus for Windows 95 appeared, "Win95.Mad." The virus, of Russian origin, was sent to several BBS stations in Moscow, which caused a rather large epidemic. In December, a fundamentally new type of computer worm appeared, using IRC (Internet Relay Chat) channels. Also in 1997, the antivirus division of KAMI, headed by Yevgeny Kaspersky, separated into the independent company Kaspersky Lab.

1998. At the beginning of the year, an epidemic of a whole family of Win32.HLLP.DeTroie viruses was recorded, not only infecting executable Windows files, but also capable of transmitting information about an infected computer to their "master." In February, a new type of virus appeared for Excel documents - Excel4.Paix (or Formula.Paix). This type of macro virus for its introduction into Excel spreadsheets did not use the usual macro area for viruses, but formulas, which, as it turned out, can also contain self-multiplying code. In the same month, Win95.HPS and Win95.Marburg were registered - the first polymorphic Win32 viruses.

In March, AccessiV was discovered, the first virus for Microsoft Access. Around the same time, the appearance of the first multi-platform macro virus was recorded, infecting documents of two MS Office applications at once: Access and Word. Following it, several more macro viruses appeared that transferred their code from one Office application to another. The most notable of these was "Triplicate" (also known as "Tristate"), capable of infecting Word, Excel and PowerPoint.

In May, the RedTeam virus appeared, which became the first virus to infect Windows EXE files and spread by e-mail using the Eudora program. In June, an epidemic of the Win95.CIH virus began, which first became massive and then global. Depending on the current date, the virus erased the Flash BIOS, which in some cases could require replacing the motherboard. August was marked by the advent of BackOrifice (Backdoor.BO), a covert remote-administration (hacker) utility for computers and networks. Following BackOrifice, several other similar programs appeared: NetBus, Phase and others. Also in August, the first virus infecting executable Java modules appeared, Java.StrangeBrew. In December, another application from MS Office, the presentation program PowerPoint, became a victim of computer viruses ("Attach," "ShapeShift" and "ShapeMaster").

1999. In January, a global epidemic of the Internet worm Happy99 (also known as Ska) broke out. It was the first modern worm to use the MS Outlook program for its distribution. In March, the Melissa virus hit tens of thousands of computers. Immediately after infecting a system, it read the address book of the MS Outlook mail program and sent copies of itself to the first 50 addresses found. US law enforcement agencies responded extremely quickly to the Melissa epidemic. After some time, the author of the virus was identified and arrested; he turned out to be a 31-year-old programmer from New Jersey (USA), a certain David L. Smith. On December 9, he was found guilty and sentenced to 10 years in prison and a fine of 400,000 US dollars.

In May, the Gala virus appeared (also known as GaLaDRieL), written in the Corel SCRIPT language. "Gala" became the first virus capable of infecting CorelDRAW!, Corel PHOTO-PAINT and Corel VENTURA files. At the very beginning of summer, an epidemic of a very dangerous Internet worm, "ZippedFiles" (also known as ExploreZip), broke out. It was an EXE file which, after being injected into the system, destroyed the files of some popular applications.

In August, the Toadie worm virus (Termite) was discovered, which, in addition to infecting DOS and Windows files, also attached copies of itself to emails sent via Pegasus and tried to spread through IRC channels. In November, the world was shocked by the emergence of a new generation of invisible worms that spread by e-mail without using attached files and penetrated computers immediately after the infected message was read. The first of these was Bubbleboy, followed by "KakWorm." All viruses of this type used a "hole" found in the security system of the Internet Explorer browser. In the same month, many cases of the Windows virus FunLove were reported in the United States and Europe.

In December, Babylonia was discovered, the first worm virus with remote self-updating functions: every minute it tried to connect to a server located in Japan and download a list of virus modules from there.

1980-1989

1981. The Elk Cloner virus affected Apple computers. The virus wrote itself to the boot sectors of the floppy disks that were being accessed. Elk Cloner flipped the image on the screen, made the text flash and displayed a variety of messages.

1983. Len Adleman first used the term "virus" as applied to self-replicating computer programs. On November 10, 1983, Fred Cohen, the founder of modern computer virology, at a seminar on computer security at Lehigh University (USA), demonstrated on a VAX 11/750 system a virus-like program that could implant itself into other objects. A year later, at the 7th Information Security Conference, he gave a scientific definition of the term "computer virus" as a program capable of "infecting" other programs by modifying them in order to implant copies of itself.

1986. For the first time, a virus was created for the IBM PC: The Brain. Two brothers, software developers from Pakistan, wrote a program that was supposed to "punish" local "pirates" who stole software from their firm. The program included the names, address and phone numbers of the brothers. However, unexpectedly for everyone, The Brain went beyond the borders of Pakistan and infected hundreds of computers around the world. The success of the virus was ensured by the fact that the computer community was absolutely unprepared for such a turn of events. Interestingly, the Brain virus was also the first stealth virus: when it detected an attempt to read an infected disk sector, the virus imperceptibly "substituted" the uninfected original. In the same year, German programmer Ralf Burger discovered the possibility of a program creating copies of itself by adding its code to executable DOS COM files. A prototype program with this ability, called Virdem, was presented by Burger in December 1986 in Hamburg at the computer underground forum of the Chaos Computer Club. At that time, the forum gathered hackers specializing in breaking into VAX/VMS systems.

1987. The Vienna virus emerged. Its origin and distribution almost all over the world had great resonance and caused heated debate about its real author. In the same year, one of the claimants to authorship, Ralf Burger, wrote the first book on the art of creating and combating viruses. The book was called "Computer Viruses. A Disease of High Technologies" (Computer Viruses. The Decay of High Technologies) and became the "primer" of novice virus creators. In addition, in 1987 several more viruses for IBM-compatible computers appeared independently of each other: the famous Lehigh virus, named after the university in Bethlehem, Pennsylvania, USA; the Suriv virus family; a number of boot viruses (Yale in the United States, Stoned in New Zealand, Ping-pong in Italy) and the first self-encrypting file virus in computer history, Cascade.

1988. One of the most significant events in the field of viruses in 1988 was the global epidemic caused by the Suriv-3 virus, better known as Jerusalem. The virus was detected simultaneously in the computer networks of many commercial firms, government organizations and educational institutions. In effect, the virus revealed itself: on Friday the 13th, it destroyed every file launched on the infected computer. In 1988, this black date was May 13. It was on this day that thousands of incidents involving Jerusalem were reported from all over the planet, primarily Europe, America and the Middle East. In the same year, a 23-year-old American programmer created a worm that hit 6,000 computers on the ARPANET network. And for the first time, a court sentenced the author of this virus to a fine of 10 thousand dollars and 3 years of probation.

On April 22, 1988, the first electronic forum on the problem of antivirus security was created: the Virus-L conference on the Usenet network, created by Ken van Wyk. In addition, 1988 was marked by the emergence of an antivirus program, Dr. Solomon's Anti-Virus Toolkit. The program was created by the English programmer Alan Solomon, gained great popularity and lasted until 1998, when the company was absorbed by another antivirus manufacturer, the American Network Associates (NAI).

1989. ARPANET is officially renamed the Internet. New viruses appear - Datacrime, FuManchu (modification of the Jerusalem virus) and entire families - Vacsina and Yankee. The Datacrime virus had an extremely dangerous manifestation - from October 13 to December 31, it initiated low-level formatting of the zero cylinder of the hard drive, which led to the destruction of the file allocation table (FAT) and irretrievable loss of data.

On October 4, 1989, the IBM Virscan antivirus for MS-DOS went on sale. On October 16, 1989, an epidemic of the WANK Worm virus was detected on VAX/VMS computers on the SPAN network. To spread, the worm used the DECnet protocol and changed system messages to the message "WORMS AGAINST NUCLEAR KILLERS," accompanied by the text "Your System Has Been Officially WANKed." WANK also changed the user's system password to a set of random characters and forwarded it to the user GEMPAK on the SPAN network.

In December of the same year, the first "Trojan horse" appeared: AIDS, which made all information on the computer's hard drive inaccessible and displayed a single message on the screen: "Send a check for $189 to such and such an address." The author of the program was convicted of extortion.

Until the 1980s

1949. Hungarian-American scientist John von Neumann developed the mathematical theory of self-replicating programs. This was the first theory of the creation of computer viruses, and it aroused very limited interest in the scientific community.

In the early 60s, engineers from the American company Bell Telephone Laboratories, V.A. Vysotsky, G.D. McIlroy and Robert Morris, created the game "Darwin." The game assumed the presence in the computer's memory of a so-called supervisor, which determined the rules and procedure for the battle between rival programs created by the players. The programs had functions for exploring space, reproducing and destroying. The point of the game was to remove all copies of the enemy program and capture the battlefield.

Late 60s - early 70s. The appearance of the first viruses. In some cases these were errors in programs that caused the programs to copy themselves, clogging the computers' disks and reducing their performance, but it is believed that in most cases viruses were deliberately created to destroy. Probably the first victim of a real virus written by a programmer for fun was the Univac 1108 computer. The virus was called Pervading Animal and infected only one computer: the one on which it was created.

1974. The Telenet network was created, a commercial version of ARPANET. A program called Rabbit appeared on computers of this time. It received this name because, apart from reproducing and spreading on storage media, it did nothing. The program cloned itself, occupied system resources and thus reduced system performance. Having reached a certain level of spread on an infected machine, the "rabbit" often caused it to malfunction.

1975. The first-ever network virus, The Creeper, spread through Telenet. Written for the once popular Tenex operating system, this program was able to independently log into the network through a modem and transfer a copy of itself to a remote system. On infected systems, the virus announced itself with the message: "I'M THE CREEPER: CATCH ME IF YOU CAN." To counter the virus, for the first time in history, a special antivirus program, The Reaper, was written.

1979. Engineers from the Xerox research center created the first computer worm.

Notes