Report on the topic of Trojan spies and spyware: what to do if my computer is infected

Viruses are malicious programs that can damage your computer, its programs and important documents. Viruses are usually written by criminally minded programmers who want to test their skills or prove to the world that they are smarter than computer security specialists. Such viruses are aimed at causing specific damage to a particular person or even a whole organization, leading to the loss or theft of confidential information. The worst part is that from time to time viruses get out of their authors' control and spread to a large number of computers.

There are many ways for a computer to become infected. For example, you may simply launch an unfamiliar program or browse the Internet and suddenly find that your computer has started to behave strangely. Say a critical error appears when you try to run a program that worked perfectly yesterday, or your computer starts performing inexplicable operations on its own. Such viruses are usually not very dangerous, because they are quickly detected by popular anti-virus programs such as True Sword. But there is another category of viruses that do not reveal themselves by any particular behaviour, yet can be activated by a timer or by a remote command. The consequences can be severe: loss of important information and, in rare cases, damage to expensive computer components.

Our product detects and removes more than 4,000 dangerous viruses and, thanks to its heuristic algorithms, even removes previously unknown viruses.

Trojan horses (Trojans)

The meaning of the term "Trojan horse (Trojan)", information source: Webopedia:
“These are destructive programs that masquerade as harmless ones. Unlike viruses, Trojans do not replicate, but this does not make them any less dangerous. One of the most insidious types of Trojan horse is a program that offers to rid your computer of viruses but instead lets them in. The term itself is borrowed from Homer's Iliad, which tells how the Greeks gave a giant horse to their enemies, the Trojans, as a sign of reconciliation. But after the Trojans had brought the wooden horse within the walls of their city, a group of Greek soldiers climbed out of the belly of the gift and opened the gates to the rest of the Greek army.”

Our products detect and remove a large number of common Trojans. The removal process is the same as for viruses.

Spyware

The meaning of the term "Spyware", information source: Webopedia:
“This is any software that secretly collects user information via an Internet connection without the user's knowledge. The information is collected in order to push advertising at its owner. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, spyware monitors the user's online activity and transmits that information in the background to third parties. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers. Spyware is similar to a Trojan horse in that users unknowingly install the product themselves while trying to install something else. Typically, users infect their PCs by downloading certain peer-to-peer file-sharing programs (torrent clients, etc.).

Aside from ethics and privacy issues, spyware robs the user of system memory and bandwidth and degrades performance, because it sends information to third parties over the user's Internet connection. Because spyware consumes memory and system resources, the applications running in the background can cause system crashes or general instability.
Since spyware exists as independent executable files, it can monitor keystrokes, scan files on the hard drive, snoop on other applications such as chat programs or word processors, install other spyware, read cookies and change the browser's default settings, continuously passing all of this to third parties who use it for advertising/marketing or outright criminal purposes.

The license agreements that accompany software downloads sometimes warn the user that spyware will be installed along with the requested software, but these notices are not always read, because the notification about spyware installation is usually buried in hard-to-read disclaimers.”

Our product has an extensive database of known spyware. It finds and removes spyware applications, protecting user privacy, and using heuristic algorithms it even removes spies that are not yet in the database.

Adware

The meaning of the term "Adware", information source: Webopedia:
“1) A type of spyware that collects information about the user in order to display advertisements in the web browser based on the user's browsing habits.
2) Software that is bundled with other applications and delivered to the user along with them.”

Tracking software

Tracking software is a type of spyware that records every action you perform on your computer. Such programs are used by managers to monitor subordinates and log what they do on corporate machines. Jealous spouses, too, do not hesitate to use tracking software to “keep an eye” on their other halves. The list goes on. The main point is that tracking programs shamelessly infringe (or outright violate) your right to privacy.

Our products are designed to respect your privacy.

Malicious dialers

“Dialers” are a type of software that uses your modem, without your knowledge, to make expensive calls to premium-rate numbers, in most cases owned by companies providing adult services (also known as XXX services). Your computer can pick up such “dialers” during ordinary Internet sessions.

Our products find and remove more than 100 known malicious “dialers”.

Keyloggers

Keyloggers are a type of tracking software that records every keystroke on your computer to a special file and sends it to third parties (i.e. hackers). Keyloggers are used above all to steal usernames, passwords, e-mail addresses, credit card numbers and the like. Our product removes a huge number of keyloggers. For further protection against this kind of malware, use our companion product, which is designed to block ALL types of keyloggers, both known and unknown.

Malware, Trojans and Threats

Most computers are connected to a network (the Internet, a local network), which makes it easier for malware to spread (in Russian standards such programs are called “destructive software”, but since that term is not widely used, this review uses the term “malware”, as in English). Malware includes Trojan horses (Trojans), viruses, worms, spyware, adware, rootkits and various other types.

Another plus is that MBAM (Malwarebytes Anti-Malware) rarely conflicts with other anti-malware utilities.

Free Trojan Scanner SUPERAntiSpyware

SUPERAntiSpyware (SAS) is a free spyware scanner. In addition to spyware, it scans for and removes other types of threats: dialers, keyloggers, worms, rootkits, etc.

The program offers three kinds of scan: quick, full or custom. Before scanning, it prompts you to check for updates so that you are immediately protected from the latest threats. SAS has its own blacklist: a list of 100 examples of DLL and EXE files that should not be on your computer. Clicking any item in the list shows a full description of the threat.

One of the program's important features is Hi-Jack protection, which prevents other applications from terminating it (with the exception of Task Manager).

Unfortunately, the free version of this program does not support real-time protection, scheduled scans, and a number of other functions.

More programs

Other free Trojan scanners not included in the review:

  • Rising PC Doctor (no longer available; older versions may still be found on the Internet) - a Trojan and spyware scanner. It offers automatic protection against a number of Trojans, as well as the following tools: a startup manager, a process manager, a service manager, a File Shredder (deletes files so that they cannot be recovered) and others.
  • FreeFixer - scans your system and helps remove Trojans and other malware, but the user has to interpret the results correctly. Take particular care when deciding to delete important system files, as that may damage your system. There are, however, forums where you can ask for advice if you are unsure about a decision (links to the forums are on the website).
  • Ashampoo Anti-Malware (unfortunately now a trial version; earlier versions may still be found on the Internet) - this product was originally commercial only. The free version provided real-time protection and also offered various optimization tools.

Quick selection guide (links to download Trojan scanners)

Emsisoft Anti-Malware

Scans for and removes Trojans, worms, viruses, spyware, trackers, dialers, etc. Easy to use.
The free version is very limited: no automatic updates, real-time file protection, scheduled scanning, etc.
Unfortunately, it has become a trial version; earlier versions may still be found on the Internet.
www.emsisoft(.)com

PC Tools ThreatFire

Proactive protection against known and unknown Trojans, viruses, worms, spyware, rootkits and other malware.
Automatic updates are not provided if you declined to join the ThreatFire community. Version 4.10 has not changed since November 2011.

Since childhood we have been told that the good guys are intelligence officers, who work for our side, and the bad guys are spies: the strangers in dark glasses, in buttoned-up mackintoshes and with a wad of dollars in their pockets. The twenty-first century has arrived, and the word “Macintosh” now means something that is not a rubberized raincoat at all, though spies still turn up in those too... In the arena today: spyware from the “good” and “evil” sides of the force (whichever side you look from, eh?).

Intelligence officers: malware for government needs

In the summer of 2012, Kaspersky Lab employees discovered a piece of malware called Morcut. It was used against a group of independent journalists from Morocco who were covering the events of the Arab Spring; their computers were deliberately infected via e-mail.

In the classifications of other antivirus companies the malware is called Crisis (Symantec) and DaVinci (Dr.Web). An investigation by Dr.Web established that Morcut is a component of the DaVinci remote-control system, which is developed and sold by Hacking Team.

DaVinci

The developer positions the DaVinci system as a SORM (the Russian term for a lawful-interception system: a set of technical means supporting operational-investigative activity) for use by government agencies and law enforcement. Besides Hacking Team, similar SORM products are developed by a number of other companies. As a rule, such a product is a suite consisting of a control server and a client agent. The agent is installed on the target computer without the user noticing and has the following functions:

  • search and generate a list of files that meet specified criteria;
  • sending arbitrary files, including electronic documents, to a remote server;
  • interception of passwords from email and social networking services;
  • collecting data about visited Internet resources;
  • interception of data flow from electronic voice communication systems (Skype);
  • interception of data from instant messaging systems (ICQ);
  • collecting information about contacts from mobile phones connected to the computer;
  • recording audio and video information (if there is a connected webcam and microphone).

According to the Wall Street Journal, a number of European companies supplied SORM systems with this functionality, built on open-source software, to Middle Eastern countries, whose governments used them against opposition-minded parts of the population.


The British NGO Privacy International, which documents human rights violations, continuously monitors the international SORM market and maintains a list of companies developing solutions in this area. The list is compiled by analysing the companies that take part in the specialised ISS World conference (Intelligence Support Systems). At this event, held several times a year, prospective buyers meet SORM developers. Here are some of the companies developing malware under the guise of SORM.

FinFisher (finfisher.com), a division of Gamma International (UK)

According to some reports, after Hosni Mubarak's resignation following the events of 2011, documents were found in Egypt (see Fig. 3, 4) indicating that FinFisher had provided surveillance of Egyptian citizens using the FinSpy suite. The company stubbornly denies having sold the Mubarak regime a five-month licence for 287 thousand euros. FinSpy can intercept Skype calls, steal passwords and record audio and video. FinSpy is installed on a user's computer as follows: an e-mail is sent with a link to a malicious site; when the user opens the link, they are prompted to update some software, and instead of the update the malware is installed. This e-mail distribution method for FinSpy was observed in the summer of 2012 against pro-democracy activists in Bahrain.



Hacking Team (hackingteam.it), Italy

The developer of the DaVinci remote-control system, positioned as a surveillance tool intended for use by governments and law enforcement agencies of various countries. DaVinci's functionality is similar to FinSpy's: it intercepts Skype, e-mail, passwords and instant-messaging (ICQ) data and records audio and video. The DaVinci client runs both on Windows (XP, Vista, 7) and on Mac OS X (Snow Leopard, Lion). The price of the DaVinci system is said to be around 200 thousand euros, and it includes an obligation to keep updating and supporting the product until the final goal of the attack (obtaining the required information) is achieved.

Area SpA (area.it), Italy

In November 2011 it became known that this company's employees had installed a monitoring system for the Syrian government capable of intercepting, scanning and storing almost all e-mail in the country. A month after this came to light, the EU banned the export of surveillance equipment to Syria and its maintenance. The system was deployed under an agreement with the Syrian Telecommunications Establishment (STE), the country's main fixed-line operator. The installation method used was one that works when you have access to the telecommunications network (which state intelligence and law enforcement agencies do): content substitution. For example, when searching on google.com, a user received links leading to a malicious site and was infected under the guise of installing browser components supposedly needed to display the site's content correctly.

Amesys (amesys.fr), a division of Bull SA, France

Wall Street Journal reporters found an Amesys surveillance system in use at one of the Internet monitoring centres abandoned by Gaddafi supporters in Tripoli (Libya). According to them, the Libyan authorities could read e-mail, obtain passwords, read instant messages and map connections between people. Documents published on WikiLeaks showed that the system deployed by Amesys made it possible to monitor dissidents and opposition figures even abroad, for example those living in the UK.

Spies

The Trojans used in the cyber attacks of 2013 were, for the most part, nothing out of the ordinary. If 2012 was the year of Kaspersky Lab's PR on the subject of hi-tech cyber weapons, then in 2013 a new trend emerged: the use of widespread malware in targeted attacks, as opposed to malware clearly written by a team of professionals for specific purposes. And more and more often, individual indicators point to possible attack organisers such as China and North Korea. So we can speak of “Western” and “Asian” schools of writing Trojans used in APT-class attacks. What characterises the “Western school”?

  1. Significant financial resources are invested.
  2. The malicious code is digitally signed in the name of legitimate companies; the certificates are usually stolen from compromised servers, which requires preparatory work, people and, ultimately, point 1. A signature makes it easy to load drivers and move into kernel mode, which allows rootkit functionality and in some cases bypasses anti-virus protection.
  3. Zero-day vulnerabilities are widely used for covert execution and privilege escalation; such vulnerabilities are expensive, so again see point 1.

Since 2010 the following malware has been discovered under the catchy label “cyber weapon” (see Fig. 2); this article will not describe their exploits in full, as we have done that before, but will just go over their most interesting features.

Stuxnet

It stands out from the crowd because it is so far the only known malware capable of physically damaging industrial equipment, so in fact it alone can be classified as a cyber weapon. Other interesting points: four zero-day vulnerabilities; spreading via USB not through the trivial autorun.inf but through the shortcut-processing vulnerability MS10-046 (CVE-2010-2568). When a flash drive was opened, the malicious shortcut triggered the rootkit component, after which Stuxnet's components on the drive became invisible. It had worm functionality like Conficker (MS08-067), as well as a way of spreading over the network through a vulnerability in the print spooler (MS10-061). The drivers were signed with stolen certificates.
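A practitioner check that follows from the MS10-046 description above, as an added example (not code from the article, from Kaspersky Lab or from any vendor): a minimal parser for the shortcut header and its LinkTargetIDList, plus a heuristic that flags a Control Panel folder CLSID appearing together with a .dll reference, which is the shape of the shortcuts Stuxnet dropped on USB sticks. The sample shortcuts, the DLL path and the CLSID-plus-DLL rule are this example's own assumptions; a real deployment would use a full MS-SHLLINK parser and vendor signatures.

```python
"""Heuristic check for shortcut (.LNK) files shaped like the Stuxnet
MS10-046 / CVE-2010-2568 trigger.

Added example written for this page; it is not code from the article,
from Kaspersky Lab or from any other vendor. It implements only the
parts of the Windows Shell Link format needed here (the fixed 76-byte
ShellLinkHeader and the LinkTargetIDList) and applies one heuristic:
a shortcut whose item ID list refers to the Control Panel folder and
also names a .dll is treated as suspicious. The sample shortcuts below
are constructed here, not taken from real malware.
"""
import struct
import uuid

HEADER_SIZE = 0x4C                      # ShellLinkHeader is always 76 bytes
HAS_LINK_TARGET_ID_LIST = 0x00000001    # LinkFlags bit 0
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")


def parse_lnk(data: bytes) -> dict:
    """Validate the header and return LinkFlags plus the raw ItemID payloads."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE:
        raise ValueError("bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != SHELL_LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    (flags,) = struct.unpack_from("<I", data, 20)
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
        pos = HEADER_SIZE + 2
        end = pos + id_list_size
        if end > len(data):
            raise ValueError("IDListSize runs past end of file")
        # ItemID: 2-byte size (counting itself) + opaque data; size 0 terminates.
        while pos + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
    return {"flags": flags, "items": items}


def is_suspicious_cpl_shortcut(data: bytes) -> bool:
    """Heuristic: Control Panel folder CLSID plus a .dll name in the ID list.

    Benign Control Panel shortcuts point at .cpl applets, not at arbitrary
    DLLs, so this combination is worth quarantining for closer inspection.
    """
    items = parse_lnk(data)["items"]
    refers_to_cpl = any(CONTROL_PANEL_CLSID.bytes_le in item for item in items)
    dll_markers = (b".dll", ".dll".encode("utf-16-le"))   # ANSI and Unicode paths
    names_dll = any(m in item.lower() for item in items for m in dll_markers)
    return refers_to_cpl and names_dll


# --- constructed samples (not real files) ---------------------------------
def _item(payload: bytes) -> bytes:
    return struct.pack("<H", len(payload) + 2) + payload


def build_lnk(items: list) -> bytes:
    """Assemble a minimal shortcut: header + LinkTargetIDList only."""
    header = (struct.pack("<I", HEADER_SIZE) + SHELL_LINK_CLSID.bytes_le
              + struct.pack("<I", HAS_LINK_TARGET_ID_LIST))
    header += bytes(HEADER_SIZE - len(header))      # remaining header fields zeroed
    id_list = b"".join(_item(i) for i in items) + b"\x00\x00"   # TerminalID
    return header + struct.pack("<H", len(id_list)) + id_list


# Shape of the exploit trigger: a root item for the Control Panel folder, then
# an item naming a DLL on the removable drive (path invented for this example).
MALICIOUS_SAMPLE = build_lnk([
    b"\x1f\x50" + CONTROL_PANEL_CLSID.bytes_le,
    b"\x00" + r"E:\example\payload.dll".encode("utf-16-le"),
])
# Ordinary shortcut to a document under "My Computer".
BENIGN_SAMPLE = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le,
    b"\x00" + r"C:\Users\user\notes.txt".encode("utf-16-le"),
])

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict = "SUSPICIOUS" if is_suspicious_cpl_shortcut(blob) else "ok"
        print(f"{name}: {verdict}")
```

Run the file to classify the two constructed samples. The heuristic cannot tell whether the referenced DLL exists or what it does; it only identifies shortcuts shaped like the exploit trigger, which is cheap enough to run over every .lnk arriving on removable media or in mail attachments before a full scan.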

Duqu

Used a Word document as the delivery container (launched through a zero-day vulnerability in font processing, MS11-087), sent directly by e-mail. The drivers, like Stuxnet's, were signed, which is why some antivirus analysts still try to argue for a link between Stuxnet and Duqu.

Flame

Interesting because its components carried a signature chaining to Microsoft, obtained through an MD5 chosen-prefix collision. Unrealistically large for malware, about 20 MB, with a great deal of third-party code. There is a module that uses Bluetooth to collect information from mobile devices.

Gauss

Has a modular structure; the modules carry the internal names of famous mathematicians such as Gödel, Gauss and Lagrange. Uses removable media to store the collected information in a hidden file (this lets information leak out across a protected perimeter with no Internet access, on a flash drive). Contains plugins designed to steal and monitor data sent by customers of several Lebanese banks: Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais.

MiniFlame

A project related to Flame. Analysis of the Flame C&C servers revealed four different client types (“malware”) code-named SP, SPE, FL and IP. MiniFlame corresponds to SPE and Flame to FL. Malware named SP and IP was never found in the wild.

Sputnik

Capable of stealing data from mobile devices, collecting information from network equipment (Cisco) and files from USB drives (including previously deleted files, for which it has its own file-recovery technology), stealing mail databases from the local Outlook store or from a remote POP/IMAP server, and retrieving files from FTP servers on the local network.

MiniDuke

Written in assembler, which is surprising these days (apparently they recruited someone from the old school). C&C server addresses were taken from Twitter, and if Twitter did not work out, Google Search was used to find encrypted links to new control servers.

Chinese cyber groups are trying to keep up with progress; for example, the Winnti Trojan, used to attack online gaming companies, contains signed drivers.

Asian School Spies

  • July 2012 - Madi;
  • August 2012 - Shamoon;
  • November 2012 - Narilam.

All of them are written in Delphi (lameware :)), the code is not particularly sophisticated, and there is nothing to say about zero-days or signatures: there is obvious use of public techniques and methods. But nevertheless, they work! Incidentally, Trojans with destructive functions are coming back into fashion in the wake of APT attacks; Shamoon and Narilam are among them. They were used to paralyse the work of individual organisations by destroying information on their computers.

Terminology issues

Old terms like “virus”, “worm” and “Trojan” no longer fully reflect reality. It is especially unfortunate that journalists at online publications have no idea how a virus differs from a Trojan, and anyone with the slightest understanding of the subject winces at phrases like “the Stuxnet virus”, “the Kido virus” or “the Carberp virus”. Let us recall the basic concepts once more:

  • virus - has a self-propagation function and infects executable files;
  • Trojan - has no self-propagation function;
  • worm - has a self-propagation function, in the classical sense by exploiting vulnerabilities in OS services reachable over the network (the Morris worm), and later via e-mail and flash drives;
  • rootkit - uses functions that hide the signs of its presence in the system.

In practice, many malware samples combine several of these characteristics. Today malware can also be classified by other criteria. Let us try to work this out. First of all, any modern malware is above all a commercial project; the only differences are the starting budget and the final goals. Roughly the following groups can be distinguished:

  • lameware - a new-fangled term for malware written by beginners or amateurs (in everyday language, lamers). Delphi is often used. Development usually requires no financial investment, and the income, relatively speaking, is small. The main motivation for writing lameware is to feed one's vanity;
  • high-quality commercial malware - malware with a “worldwide” reputation, several generations old and going back several years;
  • APT - spyware whose distribution and functionality are characterised by a targeted focus on specific targets: companies and organisations.

Conclusion

Internetisation, computerisation and other forms of globalisation have made life easier for people. For you and me, and for those who previously had to jump with a parachute, gnaw through barbed wire, eavesdrop, spy, sabotage and bribe. Most of the work of those tough guys is now done by talented programmers for millions of dollars, which are laughably small sums by the standards of the respective budgets. And yes, life has also become easier for criminals who previously had to chase stagecoaches with a Colt. Be careful and stay alert!

Kaspersky Lab specialists have discovered a malicious program for mobile devices on the Android platform with a whole range of technical capabilities. The company's staff stressed that some of the functions of the Trojan (malware) were seen for the first time.

“Most Trojans are similar to each other: once they get onto a device, they steal the owner's payment information, mine cryptocurrency for the attackers, or encrypt data to demand a ransom. But sometimes you come across specimens whose capabilities remind you of Hollywood spy films,” Kaspersky Lab says in its report on the malware.

They said that the Skygofree malware has 48 different functions, including unique ones that the company's specialists had never seen before in malware.

For example, the Skygofree Trojan can track the location of an infected device and start recording sound at the moment when its owner is in a certain place.

“Another interesting trick that Skygofree has mastered is to quietly connect an infected smartphone or tablet to Wi-Fi networks that are under the complete control of attackers. Even if the owner of the device has completely turned off Wi-Fi on the device,” said Kaspersky Lab.

This allows not only to analyze the victim’s traffic, but also to read logins, passwords or card numbers entered by the user. The malware can also monitor the operation of a number of instant messengers, including Facebook Messenger, WhatsApp, Skype and Viber, collecting their text messages.

“Finally, Skygofree can covertly switch on the front camera and take a photo when the user unlocks the device,” the experts added.


The company's specialists discovered Skygofree in early October 2017, but during the study of the malware, it turned out that the initial versions of this program were created at the end of 2014. Since then, the functionality of the Trojan has increased significantly and the program has acquired some unique abilities.

According to Kaspersky Lab, Skygofree was distributed via web pages imitating mobile operators' websites and dedicated to optimising mobile Internet speed.

According to the company, only a few users were attacked by the Trojan, and only in Italy.

Also, during the investigation of the malware, several spyware tools for Windows were discovered, but it is still unknown whether they were used to attack that operating system.

"It doesn't attack hundreds of thousands of users"

RT spoke to Kaspersky Lab anti-virus expert Viktor Chebyshev, who shared some details about the new Trojan. According to him, Skygofree managed to stay invisible for a long time because this spy Trojan uses undocumented system capabilities and escalates its privileges in such a way that all of its actions “stay behind the scenes.”

“It is located almost at the system level, and all the capabilities that it implements are absolutely transparent to the user. That is, the user does not see any activity, does not hear any actions, simply remains in the dark,” Chebyshev explained.

RT's interlocutor clarified that creating such a program is very difficult, so most likely a whole team of high-level professionals who understand all the intricacies of the Android operating system worked on it.

According to the anti-virus expert, another feature that allowed the Trojan to operate undetected is Skygofree's narrow focus on attacking a specific user.

“This is a spy that is not aimed at the mass segment. It does not attack hundreds of thousands of users, squeezing a little out of them. This is a spy application that attacks specific people,” Chebyshev said.

“It is created so that it is invisible both to the victim and to everyone else around. Plus, it has trace cleaning mechanisms that destroy it after it has worked,” the expert added.


He clarified that the spy Trojan targeted devices on the Android platform because it is this system that allows applications to be installed from third-party sources, not just from the official Google Play store. However, not only Android devices can be vulnerable to such malware.

“In other operating systems this feature is not available; all applications are installed from one centralized source, which is moderated. And the likelihood of infection is thus minimal. However, it is not excluded,” the expert explained.

“This is a whole team, one might say, an organized criminal group. The resources are serious,” Chebyshev noted.

The expert clarified that the main goal of the discovered Trojan was never an attack on the general public. The program is designed specifically for espionage, surveillance of a specific person, into whose devices it is “planted.” According to him, the range of applications of this program can extend from industrial espionage to surveillance of government officials.

“The main task of this Trojan is to understand what is happening to the victim and around her, what she is doing, where she goes, who she talks to, what documents she works with... It can shoot video, take photographs, record conversations in a specific situation,” said the Kaspersky Lab employee.


The antivirus expert clarified that immediately after the virus was discovered, the company provided protection to its customers. Speaking about the threat to ordinary users around the world, Chebyshev noted that they were never the target of the malware, but urged them not to relax.

“If we talk about the mass market, about you and me, then most likely we were not threatened with an attack from the very beginning. Specific individuals are attacked. However, (a mass attack. - RT) should not be ruled out: what is implemented in this Trojan can be replicated and distributed to a huge number of users,” RT's interlocutor emphasised.

Speaking about ways to counter the threat, the expert urged all users first of all not to install applications from third-party sources. In addition, he advised users to secure their mobile devices by installing a good security solution that will not let them follow a malicious link and will block the installation of a malicious application.

“It is imperative to take personal hygiene measures for your device, because you never know when you will be attacked, and then everything will be sad. With a protective solution, everything will be fine,” Chebyshev concluded.
