Newly discovered Vigilante malware outs software pirates and blocks them

17/06/2021

A researcher has uncovered one of the more unusual finds in the annals of malware: booby-trapped files that rat out downloaders and try to prevent unauthorized downloading in the future. The files are available on sites frequented by software pirates.

Vigilante, as SophosLabs Principal Researcher Andrew Brandt is calling the malware, gets installed when victims download and execute what they think is pirated software or games. Behind the scenes, the malware reports the file name that was executed to an attacker-controlled server, along with the IP address of the victims’ computers. As a finishing touch, Vigilante tries to modify the victims’ computers so they can no longer access thepiratebay.com and as many as 1,000 other pirate sites.

Not your typical malware

“It’s really unusual to see something like this because there’s normally just one motive behind most malware: stealing stuff,” Brandt wrote on Twitter. “Whether that’s passwords, or keystrokes, or cookies, or intellectual property, or access, or even CPU cycles to mine cryptocurrency, theft is the motive. But not in this case. These samples really only did a few things, none of which fit the typical motive for malware criminals.”

For one thing, they modify the HOSTS file on the PC to add entries. A lot of entries.

They had a common theme. pic.twitter.com/O1Z2fSXZ1n

— Accountability Brandt (@threatresearch) June 17, 2021

Once victims have executed the trojanized file, the file name and IP address are sent in the form of an HTTP GET request to the attacker-controlled 1flchier[.]com, which can easily be confused with the cloud-storage provider 1fichier (the former is spelled with an L as the third character in the name instead of an I). The malware in the files is largely identical except for the file names it generates in the web requests.
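The beacon domain above differs from the real 1fichier.com by a single character, which is exactly what an exact-match indicator list misses once the operators register the next variant. As an added example (not Sophos code), the Python below scans constructed proxy-log lines for hosts that sit within one edit of a watched legitimate domain without being it. The log format, client addresses and paths are assumptions for the sake of the example; only the two domain names come from the write-up.

```python
"""Hunt proxy logs for the Vigilante beacon domain and look-alikes of the
legitimate host it imitates.

Added example, not Sophos code. SAMPLE_LOG is constructed: the timestamps,
client IPs (RFC 5737 test range) and paths are placeholders; only
1flchier.com and 1fichier.com are taken from the write-up.
"""
import re

# Legitimate domains whose near-misses should be flagged.
WATCHED_DOMAINS = {"1fichier.com"}

# Constructed proxy log, one request per line: "<time> <client_ip> <method> <host> <path>".
SAMPLE_LOG = """\
2021-06-17T10:01:02Z 192.0.2.10 GET 1fichier.com /
2021-06-17T10:03:44Z 192.0.2.23 GET 1flchier.com /
2021-06-17T10:04:10Z 192.0.2.23 GET www.1fichier.com /
2021-06-17T10:05:59Z 192.0.2.31 GET example.com /
2021-06-17T10:06:30Z 192.0.2.45 GET 1fichier.co /
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+)$"
)


def levenshtein(a, b):
    """Plain edit distance; one substitution is enough to catch l swapped for i."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(host):
    """Normalise case and strip a leading 'www.' so www.1fichier.com compares as 1fichier.com."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def flag_lookalikes(log_text, watched=WATCHED_DOMAINS, max_distance=1):
    """Return (client_ip, host, imitated_domain, distance) for every request whose
    host is within max_distance edits of a watched domain but is not that domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        host = registrable(m["host"])
        if host in watched:
            continue  # the genuine service, not a look-alike
        for legit in watched:
            distance = levenshtein(host, legit)
            if 0 < distance <= max_distance:
                hits.append((m["client"], host, legit, distance))
    return hits


if __name__ == "__main__":
    for client, host, legit, distance in flag_lookalikes(SAMPLE_LOG):
        print(f"{client} -> {host} (looks like {legit}, distance {distance})")
```

The distance threshold is deliberately tight: at distance 1 the false-positive rate on a short watch list is low, and the hits are worth a manual look because the same client that beaconed to 1flchier.com is the one whose executed file name was reported.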

Vigilante goes on to modify a file on the infected computer so that it can no longer reach The Pirate Bay and other Internet destinations known to be used by people trading pirated software. Specifically, the malware appends entries to Hosts, a plain-text file that maps hostnames to IP addresses and that the operating system consults before it asks DNS. As the image below shows, the malware maps thepiratebay.com to 127.0.0.1, the special-purpose loopback address: packets sent to it never leave the machine, so a browser that resolves one of the listed names ends up connecting to the victim's own computer instead of the site.

[Image: Hosts file entries added by Vigilante, mapping pirate-site domains to 127.0.0.1. Credit: Sophos]

By mapping the domains to the loopback address, the malware ensures that the computer can no longer reach the sites by name. Only the hostnames listed are affected, so mirrors under other domain names, or a direct connection to a site's IP address, are untouched. The only way to reverse the blocking is to edit the Hosts file and remove the entries.
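The Hosts mechanism described above also gives defenders a straightforward check: any hostname other than the standard localhost names that is mapped to a loopback or null address is a sinkhole entry. The Python below, added here and not part of Sophos's tooling, parses a Hosts file, reports such entries while leaving the legitimate localhost mappings alone, and produces a cleaned copy. It generalises beyond the 127.0.0.1 the article shows to ::1 and 0.0.0.0, which other Hosts-based blockers use. The sample file content is constructed; the .example and .test names are placeholders, and thepiratebay.com is the only domain taken from the article.

```python
"""Audit a Windows Hosts file for Vigilante-style sinkhole entries.

Added example, not Sophos code. SAMPLE_HOSTS is constructed: the only domain
taken from the write-up is thepiratebay.com; the .example/.test names are
placeholders. On Windows the live file is
%SystemRoot%\\System32\\drivers\\etc\\hosts, and writing it needs admin rights.
"""
import ipaddress

# Names that are legitimately mapped to loopback and must survive cleanup.
LEGIT_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "broadcasthost",
}

# Constructed Hosts content: stock Microsoft header, a legitimate internal
# override, and four sinkhole entries of the kind Vigilante appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost sinkholed.example
10.0.0.5        intranet.corp.example   # legitimate internal override
127.0.0.1 thepiratebay.com
127.0.0.1 www.thepiratebay.com
0.0.0.0 other-pirate-site.test
"""


def is_sinkhole(addr):
    """True for addresses that swallow traffic: 127.0.0.0/8, ::1, 0.0.0.0 and ::."""
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text):
    """Return (lineno, address, [hostnames]) for every mapping line.
    Comments, blank lines and lines whose first token is not an IP are skipped,
    which matches how the resolver itself treats them."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        tokens = body.split()
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        entries.append((lineno, addr, [t.lower() for t in tokens[1:]]))
    return entries


def find_sinkholed(text):
    """Return (lineno, hostname, address) for every non-localhost name
    mapped to a loopback or unspecified address."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        if not is_sinkhole(addr):
            continue
        for name in names:
            if name not in LEGIT_LOOPBACK_NAMES:
                findings.append((lineno, name, str(addr)))
    return findings


def clean_hosts(text):
    """Return the Hosts text with sinkholed names removed. Lines that carry
    only legitimate entries, comments and non-sinkhole mappings are kept verbatim;
    a line mixing localhost with a sinkholed name is rewritten with localhost only."""
    out = []
    for raw in text.splitlines():
        body, sep, comment = raw.partition("#")
        tokens = body.split()
        addr = None
        if tokens:
            try:
                addr = ipaddress.ip_address(tokens[0])
            except ValueError:
                addr = None
        if addr is not None and is_sinkhole(addr):
            legit = [t for t in tokens[1:] if t.lower() in LEGIT_LOOPBACK_NAMES]
            if not legit:
                continue  # every name on the line was a sinkhole entry: drop it
            if len(legit) != len(tokens) - 1:
                rebuilt = f"{tokens[0]}\t{' '.join(legit)}"
                out.append(rebuilt + (f" {sep}{comment}" if sep else ""))
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, name, addr in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Review the findings before writing the cleaned text back: ad-blocking and parental-control tools populate Hosts with exactly the same kind of entries, so a long list of sinkholed names is suspicious only when nobody on the machine put it there.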

Brandt found some of the trojans lurking in software packages available on a Discord-hosted chat service. He found others masquerading as popular games, productivity tools, and security products available through BitTorrent.

There are other oddities. Many of the trojanized executables are digitally signed using a fake code signing tool. The signatures contain a string of 18 randomly generated uppercase and lowercase letters. The certificate's validity period began on the day the files became available and is set to expire in 2039. Additionally, the properties sheets of the executables don't match the file names.

When viewed through a hex editor, the executables also contain a racial epithet that’s repeated more than 1,000 times followed by a large, randomly sized block of alphabetical characters.

“Padding out the archive with purposeless files of random length may simply be done to modify the archive’s hash value,” Brandt wrote. “Padding it out with racist slurs told me all I needed to know about its creator.”

Vigilante has no persistence method: it installs nothing that runs again after the trojanized file exits, so the added Hosts entries are the only change it leaves behind. That means people who have been infected need only edit their Hosts file to be disinfected, although the file name and IP address already sent to the operators cannot be recalled. SophosLabs has published indicators of compromise.
