The Anti-virus Times

Friday, October 6, 2017

Astute Dr.Web users have probably noticed that some threats in our database have slightly weird names. In addition to obvious things like Android.* or Trojan.*, you can come across things like Tool.*. What does that mean?

Well, those threats are tools that can be dangerous. They may include, for example, applications that mine cryptocurrencies. On the one hand, nothing is inherently wrong with mining. One can install and use a miner to the extent permitted by law. But criminals are also eager to get hold of a few bitcoins, and they use the same applications to do so. But they install them on computers without user consent.

And sometimes unscrupulous employees install mining software on their company's servers—naturally they don't notify the management about that.

As a rule, in our laboratory the prefix Tool is appended to the names of special utilities—file content viewers, system tuning utilities… These programs are regarded as potentially dangerous because if users don't know exactly what they are doing and how they need to do it, they may cause damage in the system. Furthermore, programs of this kind can have flaws or malfunction under certain circumstances—and the consequences can be dire for the operating system.

However, even more dangerous incidents can happen. For example, keyloggers (which record key strokes and thus enable password information to be extracted and other people's activities to be monitored) are also placed in the Tool.* category. Another example of something that can be a threat is Tool.DroidSheep—it scans unencrypted Wi-Fi traffic to check for the presence of cookie files from popular social media websites and websites offering services—e.g., VKontakte (VK.com), Facebook, Amazon and Google. Harvested data can be used by attackers to sign in to them under the compromised accounts.

How do Tool threats differ from ordinary Trojans? If, for example, a keylogger is distributed in the guise of a harmless application or as part of a game or another program, a Trojan is involved. But if it is clearly stated that the program is a keylogger that can be installed when a friend steps away from their computer, the threat involved belongs in the Tool category.

Surely, applications of this sort can be used for legitimate purposes, e.g., one of the files detected under this category can be used as a simple utility that extracts passwords saved in browsers to help users with memory problems. But the utilities may also perform dubious tasks. For example, Tool.VkObmen can send multiple queries and adjust vote counters on VK.com.

If you know what you’re doing, you can add such a program to your anti-virus's whitelist and use it. Most important, remember that you are solely responsible for the possible consequences. Otherwise, you are better off without applications of this sort. After all, an axe can be used just as well to chop wood or to commit a crime that then incurs a punishment.