May 2015 virus activity review from Doctor Web

In terms of information security, May 2015 appeared to be rather uneventful. During the last spring month, no major instances of malicious mass mailings were detected. Botnets also kept a low profile.

Principal Trends In May

  • Growing number of detected adware and unwanted installer applications that target OS X
  • Noticeable increase in activity on the part of cybercriminals who continue tricking Internet users into giving away their money
  • New malicious programs for Android

Threat of the month

The existence of numerous installers of useless and unwanted applications is nothing new to Windows users. However, not so many programs of this kind target OS X. For that reason, security researchers took a great interest in an installer application that has been added to the Dr.Web virus databases under the name Adware.Mac.InstallCore.1.

Consisting of several components, Adware.Mac.InstallCore.1 can not only install unwanted programs on the user’s computer but also change the browser home page and the default search engine. Moreover, the program includes anti-analysis checks: once launched, it scans the system for virtual machines, anti-virus software, or certain other applications. If any of these are found, the malware does not prompt the user to install additional programs. The following list presents some of the programs and utilities that Adware.Mac.InstallCore.1 can install on the system:

  • Yahoo Search
  • MacKeeper (Program.Unwanted.MacKeeper)
  • ZipCloud
  • WalletBee (Adware.Mac.DealPly.1)
  • MacBooster 2 (Program.Unwanted.MacBooster)
  • PremierOpinion (Mac.BackDoor.OpinionSpy)
  • RealCloud
  • MaxSecure
  • iBoostUp
  • ElmediaPlayer
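As an added example (not Doctor Web's code and not taken from the report), the following Python script shows how a Mac administrator could check for the two side effects described above: a changed browser home page or default search engine, and the presence of the bundled unwanted applications. It audits the parsed JSON of a Chrome Preferences file and a listing of /Applications. The Chrome preference keys used are an assumption to be verified against the browser version in use; the baseline values and the sample data are constructed for the example, and the application names are the ones listed in this report.

```python
import json
from pathlib import Path
from typing import Dict, List

# Application names taken from the Adware.Mac.InstallCore.1 description above.
BUNDLED_UNWANTED_APPS = [
    "Yahoo Search", "MacKeeper", "ZipCloud", "WalletBee", "MacBooster 2",
    "PremierOpinion", "RealCloud", "MaxSecure", "iBoostUp", "ElmediaPlayer",
]

# Constructed baseline: what the organisation expects the browser to be set to.
EXPECTED_HOMEPAGE = "https://intranet.example/"
EXPECTED_SEARCH_KEYWORD = "google.com"


def audit_chrome_prefs(prefs: Dict) -> List[str]:
    """Return findings for home page / default search engine deviations.

    `prefs` is the parsed JSON of a Chrome 'Preferences' file. The keys used
    here ('homepage' and 'default_search_provider_data.template_url_data.keyword')
    are an assumption about Chrome's layout; verify them for the version in use.
    """
    findings = []
    homepage = prefs.get("homepage")
    if homepage and homepage != EXPECTED_HOMEPAGE:
        findings.append(f"homepage changed to {homepage}")
    search = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    keyword = search.get("keyword")
    if keyword and keyword != EXPECTED_SEARCH_KEYWORD:
        findings.append(f"default search engine changed to {keyword}")
    return findings


def find_unwanted_apps(app_names: List[str]) -> List[str]:
    """Match bundle names (with or without '.app') against the list above, case-insensitively."""
    wanted = {name.lower() for name in BUNDLED_UNWANTED_APPS}
    hits = []
    for name in app_names:
        base = name[:-4] if name.endswith(".app") else name
        if base.lower() in wanted:
            hits.append(name)
    return sorted(hits)


def list_applications(folder: str = "/Applications") -> List[str]:
    """Collect bundle names from a folder; returns [] when it does not exist (e.g. not on macOS)."""
    p = Path(folder)
    if not p.is_dir():
        return []
    return [entry.name for entry in p.iterdir() if entry.name.endswith(".app")]


# Constructed sample data imitating a machine on which the installer ran.
SAMPLE_PREFS = json.loads("""
{
  "homepage": "http://search.example-hijack.test/",
  "default_search_provider_data": {
    "template_url_data": {"keyword": "search.example-hijack.test",
                          "short_name": "Hijacked Search"}
  }
}
""")
SAMPLE_APPS = ["Safari.app", "MacKeeper.app", "Calculator.app", "ZipCloud.app"]

if __name__ == "__main__":
    # Run against the constructed sample; swap in json.load(open(path)) and
    # list_applications() to audit a real machine.
    for finding in audit_chrome_prefs(SAMPLE_PREFS):
        print("PREFS:", finding)
    for app in find_unwanted_apps(SAMPLE_APPS):
        print("APP:", app)
```

The audit compares against a known-good baseline rather than a blocklist of bad URLs, so it also catches hijacks that use domains not yet seen; the application check is a plain name match and will not detect a renamed bundle, which is why it is a complement to, not a replacement for, a signature-based scan.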

According to the statistics gathered by Dr.Web CureIt!

In May, 84,063,249 malicious programs and riskware were detected.

                April 2015    May 2015      Dynamics
Detections      73,149,430    84,063,249    +14.9%

The most common malware:

  • This Trojan installs adware and other unwanted programs.
  • This malicious program installs various unwanted applications and adware on the infected computer.
  • These plug-ins for popular browsers display annoying advertisements to users as they browse web pages.
  • This malicious program is designed for installation of other malware.
  • A family of Trojans that display annoying advertisements and open dubious web pages without user consent.
  • A family of Trojans designed to replace existing advertisements with new ones and to display unsolicited advertisements to users as they browse various web pages.
  • These plug-ins for popular browsers display advertisements to users as they browse web pages.

According to Doctor Web’s statistics servers

The most common malware:

  • A family of downloader programs designed to install unwanted and useless applications on the user’s computer.
  • This malicious program is designed for installation of other malware.
  • A family of downloader programs generated by servers belonging to the LoadMoney affiliate program. These applications download and install unwanted software on the victim's computer.

Statistics concerning malicious programs discovered in email traffic

The most common malware:

  • This Trojan covertly downloads and launches other malicious programs in the infected system and executes commands issued by cybercriminals.
  • A family of Trojans mainly distributed via email messages. Once a Trojan of this family infects a system, it hides its further activity. Trojan.Oficla connects the computer to a botnet, giving the cybercriminals who control the botnet full control over the victim’s computer; in particular, they can upload, install, and run any malicious software they choose.
  • A family of Trojans that covertly download and install other malicious applications on the infected computer.
  • Encryption ransomware that encrypts files by driving the legitimate GPG utility from BAT scripts.

Encryption ransomware

The number of requests for decryption received by the Doctor Web technical support service

                       April 2015    May 2015    Dynamics
Decryption requests    1,359         1,200       -11.6%

The most common ransomware programs in May 2015

  • BAT.Encoder
  • Trojan.Encoder.858
  • Trojan.Encoder.567
  • Trojan.Encoder.263
  • Trojan.Encoder.741