
Magic mystery malware menaces many UK machines - new claim

Security researchers have found malware that communicates using an unknown protocol and is largely targeting UK businesses. The mystery software nasty has infected thousands of machines at organisations in finance, education, telecoms and other sectors, we're told. It initially phones home to its masters by establishing an HTTP …

COMMENTS

This topic is closed for new posts.


Silver badge

It would be nice if we were told how to identify any potential infection by this malware...

15
0

exactly...

and what ports/destinations/packets/strings etc we could watch for at the perimeter..

From the blog post, it appears looking on HTTP for some_magic_code1 might help. Here's hoping that's a good start.

Any snort rules yet?

2
0
Silver badge

Re: exactly...

and is it something that will be spotted by Zonealarm firewall etc, e.g. "Mysterious application is attempting to connect to the Internet. Allow/Deny?"

2
0
Happy

Re: exactly...

I think it could be - I took zonealarm off a while back but reading this kind of story makes me wonder if I should reinstall it.

0
0
Silver badge

Re: exactly...

Yeah, zonealarm worked fine for years but then it started putting up messages all the time about some application trying to connect to something or other. I tried updating zonealarm but it kept doing it so eventually I gave up and turned it off. Couldn't find any alternatives and now my browser is going crazy as well trying to make me buy some Windows antivirus or something but I already have antivirus. Technology! Can't live with it, can't live without it.

3
2
Anonymous Coward

Re: exactly...

Quite a few of the current malware attacks check on install for zonealarm on PC (or LittleSnitch directories on Mac), or the presence of VMware w.h.y., and abort install - just in case you might be a sysadmin or white-hat jam-pot researcher. So YES, really installing or mebbe just creating wireshark/firewall type directory names might give you a certain level of security... but you need a few more.

repeat after me: multiple independent levels of security!

2
0
Silver badge
Devil

New claim! Fresh! Washes whiter!

Yeah... These days, keeping a lawya on retainer is as important as keeping a sysop on retainer.

0
0
Anonymous Coward

guessing here

System properties, Advanced, User Profiles, Settings and count the number of profiles? (under Windows 7)

Presumably it also has to allow remote connections, or ride the logged on user's session in some way.

0
0
zb

Try logging in username: WINDOWS, password: MyPass1234

5
0
Anonymous Coward

The tax man

Is watching you baby!

0
1
Bronze badge

@NomNomNom

You've been rooted. I hope you weren't doing anything important with your PC. Take your PC to someone who knows what they are doing and get them to nuke and pave it. Hopefully your data can be retrieved

0
0
Anonymous Coward

Re: @NomNomNom

He could have been making a joke.

0
0
Bronze badge

@AC Re: @NomNomNom

Quite probably, I just went off automatically. That particular sort of malware is why I no longer do computer support for friends and family. Almost impossible to get rid of without nuking and paving and then you get bitched at because you couldn't (or wouldn't) save their collection of vintage donkey porn.

0
0
Silver badge

Can I be the first with the obligatory ...

... Skynet!

1
0
FAIL

Good to see all the "heuristic malware scanners" are doing their job

Not. And how did it get there in the first place?

Maybe the infected systems weren't running anti-malware computer-slowers.

How many other bits of malware are out there, "under the radar"?

7
0
Silver badge
Happy

Re: Good to see all the "heuristic malware scanners" are doing their job

If we knew how many others were under the radar they would no longer be under the radar.

5
0
Silver badge
Devil

Re: Good to see all the "heuristic malware scanners" are doing their job

"And how did it get there in the first place?"

Who says it's there at all? One AV vendor, who've offered no proof or detection method, although they obviously claim they can detect (and presumably) prevent it. A hardened cynic might wonder whether this AV outfit was previously involved in offering novel imperial clothing, and was now applying the same skills in the tech sector.

8
0
Happy

Re: Good to see all the "heuristic malware scanners" are doing their job

"And how did it get there in the first place?"

If I was a betting man, and given recent experiences, I'd bet this question can be answered with a single word... Java.

1
0
Anonymous Coward

Re: And how did it get there in the first place?

Warez, Pr0n or Free MP3 downloads, most likely.

0
2
Boffin

Re: Good to see all the "heuristic malware scanners" are doing their job

Malware remaining active on many machines and undiscovered for 11 months emphasises that scanning for known bad stuff within an everything-per-user access-control context isn't an effective security approach any more. Making sure you only execute known good stuff, other than in very secure, application- and time-limited sandboxes, seems to make more sense, e.g. the sandbox in which you do online purchases and run associated web-supplied Javascript shouldn't connect to any other sandbox and needs wiping and resetting to a known good state at short and regular intervals.

1
0
Silver badge
Linux

As Eadon is busy elsewhere...

May I be the first to say that Windows is as leaky as a sieve and should not be connected to the internet.

7
3
Anonymous Coward

Re: As Eadon is busy elsewhere...

Please try not to...

0
0

Re: As Eadon is busy elsewhere...

As a representative of the British Sieve Manufacturers' Association, I insist that you substantiate your slur on sieves or withdraw.

8
0
Bronze badge
Windows

Re: As Eadon is busy elsewhere...

OK, then!!!

Windows is as leaky as a boat that has had its hull peppered with large bore shot, springing up fountains as it slowly sinks into the Abyss.

Satisfied NOW?????

4
0
Silver badge

Re: As Eadon is busy elsewhere...

you forgot to end your post with:

WINDOWS-LEAKY-BOAT-BORE-SHOT-PEPPERED-HULL FAIL

1
0
Silver badge

I was thinking about

building a honeywall using a Raspberry Pi this morning.

Almost every piece of software I install wants to phone home without asking permission or giving any indication in the EULA or documentation that it will do so.

It's been quite a while since I ran a honeywall and honeypots; getting back into it again will be a nice refresher. Something for rainy Sunday afternoons, I expect we will get a lot of them in summer.

3
0
Bronze badge
Paris Hilton

Har dee har har!

My guess is that it is HMRC (Her Majesty's Revenue and Customs) and UK Treasury based on it being limited to UK businesses (and I guess individuals too).

Those tax collecting Whitehall bods need all the cash they can get their hands on and if that means granny with her empty bedrooms or one's pension then one's pension will always win!

(Sad innit?)

0
2
Bronze badge
Thumb Up

You may be right

The malware uses 'custom' protocols, essential features are 'still under development' and nobody knows what it's meant to do - sounds like a Government project to me.

8
0
Anonymous Coward

Re: Har dee har har!

You don't think perhaps it just happens to be targeting the naive and ill-informed who use BT as their business's ISP then? (insert other business-class ISP of ill repute, as applicable).

0
0
Anonymous Coward

Errr...

"In one instance, the malware contacted the command server for further instructions, and was told to create a new user — username: WINDOWS, password: MyPass1234 — enabling the attacker to remotely log into the infected computer"

Please explain how creating a new user account on a machine magically allows a user to remotely log into the machine?

2
0
Silver badge

Re: Errr... SMARTR Virtual Leader Ships Fully Armoured Battle Stations with Satellite Weaponry

Please explain how creating a new user account on a machine magically allows a user to remotely log into the machine?

IT creates ACE Anonymous CyberIntelAIgent Entities to SHAPE Command and Control Mentoring and Monitoring of Virgin ProgramMING to XSS Standards for Entry to the Above. :-)

Does the Military Prevent Control Access to Sensitive Active Triggers with Realisation that Presentation of what can be Built Creatively with them, is Classified HQE/Need to Know TS/SCI.

C42QCCSystems trawling and a'hauling for Phish in Deep Intelligent Supply Counters for Alternative Moves and Power Plays/Control Blitzes.

0
1
Trollface

Re: Errr... SMARTR Virtual Leader Ships Fully Armoured Battle Stations with Satellite Weaponry

Is that you Dr. Sanjay Gupta?

0
0
Silver badge
Facepalm

So.....

What if you create a user account WINDOWS on all your systems, set the password to something other than MyPass1234 (I suggest a very long string of text copied from your favourite book), then when the virus tries to create the account it will fail.

0
1
Hoe
FAIL

Re: So.....

Only it almost certainly won't, as it probably checks for the existence and resets the password regularly anyway in case any admin has attempted to block access.

0
1
Linux

Re: So.....

Been running Linux for so long I can't remember - don't you need Admin rights to create a new user on Windows? You certainly do in Linux, which is why malware downloaded by a "user" can't attack the system. No "write" or even "read" (in most cases) rights.

How does this malware gain Admin rights on Windows?

1
0
Anonymous Coward

Re: So.....

It'll be all those users running as admin by default.

0
0
Silver badge

Re: So.....

It'll be all those users running as admin by default.

Ah SOHO users!

0
0
Boffin

Re: So.....

I've also been running Linux since the late nineties, but that doesn't prevent us from being attacked by Javascript related vulnerabilities in our over complex web browsers operating cross site or across web applications. Firefox vulnerabilities will apply regardless of OS.

Insecurity results from a combination of complexity and complacency and while Linux is good it ain't no magic bullet.

1
0
Silver badge

Re: So.....

"It'll be all those users running as admin by default..."

...and who have no firewall at all.

0
0
Bronze badge

doesn't prevent us from being attacked by Javascript related vulnerabilities

Don't you run NoScript?

0
0
Silver badge
Facepalm

Re: Hoe Re: So.....

Learn to read. If you do not have a WINDOWS account already you do not have the virus. Duh! So if you then create a user account called WINDOWS the attempt to create a new one should fail.

0
1
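The exchange above (pre-create a WINDOWS account so the malware's account creation fails, versus the reply that it would simply reset the password) turns on two events that a Windows Security log records either way: 4720 (a user account was created) and 4724 (an attempt was made to reset an account's password). The following is an added example, not code from the article or from Seculert, that scans Security event records in their standard XML form for a watched account name and reports both kinds of event. The event IDs and the `TargetUserName`/`SubjectUserName` field names are the standard Windows ones; the sample events are constructed for the example.

```python
"""Flag creation of, or password resets on, a watched local account name
(the thread's example is an account called WINDOWS) in Windows Security
log records exported as event XML.

Added example; the records in SAMPLE_EVENTS are constructed, not from the
article.  Event IDs are the standard Windows Security audit values.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace used by every Windows event XML document.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

ACCOUNT_CREATED = 4720   # A user account was created
PASSWORD_RESET = 4724    # An attempt was made to reset an account's password
WATCHED = {"WINDOWS"}    # account name(s) from the thread; extend as needed


@dataclass(frozen=True)
class Finding:
    event_id: int
    when: str      # TimeCreated SystemTime attribute, as exported
    target: str    # account acted upon
    subject: str   # account that performed the action
    reason: str


def parse_event(xml_text: str):
    """Return (event_id, time, {Data Name: value}) from one event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    tc = root.find("e:System/e:TimeCreated", NS)
    when = tc.get("SystemTime", "") if tc is not None else ""
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, when, data


def scan(events, watched=WATCHED):
    """Return Findings for every 4720/4724 whose target is a watched name.

    A pre-created account makes the malware's own creation attempt fail,
    but a later password reset still shows up as 4724, so both are reported.
    Account names are compared case-insensitively, as Windows does.
    """
    wanted = {w.upper() for w in watched}
    findings = []
    for xml_text in events:
        event_id, when, data = parse_event(xml_text)
        target = data.get("TargetUserName", "")
        subject = data.get("SubjectUserName", "")
        if target.upper() not in wanted:
            continue
        if event_id == ACCOUNT_CREATED:
            findings.append(Finding(event_id, when, target, subject,
                                    "watched account created"))
        elif event_id == PASSWORD_RESET:
            findings.append(Finding(event_id, when, target, subject,
                                    "watched account password reset"))
    return findings


def _event(event_id, when, **fields):
    """Build a minimal event XML record (constructed test data only)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample: an ordinary logon, the watched account being created,
# its password being reset, and an unrelated account creation.
SAMPLE_EVENTS = [
    _event(4624, "2013-05-01T09:00:00Z", TargetUserName="alice", LogonType="2"),
    _event(4720, "2013-05-01T09:05:00Z", TargetUserName="WINDOWS",
           SubjectUserName="alice"),
    _event(4724, "2013-05-01T09:06:00Z", TargetUserName="WINDOWS",
           SubjectUserName="SYSTEM"),
    _event(4720, "2013-05-01T09:10:00Z", TargetUserName="backupsvc",
           SubjectUserName="alice"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.when} event {f.event_id}: {f.reason} "
              f"(target={f.target}, by={f.subject})")
```

On a live host the same records come from the Security log (for example via `wevtutil qe Security /f:xml` or PowerShell's `Get-WinEvent` followed by `.ToXml()`); feed each record's XML string to `scan` unchanged.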
Anonymous Coward

Re: doesn't prevent us from being attacked by Javascript related vulnerabilities

With NoScript you might as well give up browsing, it's a nightmare to use. Better to use adblock and a flash blocker, or disable javascript completely.

0
0
Unhappy

Saw this or similar months ago

And it's only just being detected now?

0
0

"It initially phones home to its masters by establishing an HTTP connection to what appears to be a command-and-control server."

So who is at the end of the address it phones home to?

0
0
Unhappy

..date check..

....someone said "zonealarm" and I was suddenly terrified the last 12 years never happened...

4
0
Silver badge
Go

Why terrified?

Given the way those particular years have seen political correctness replace common sense and fear replace freedoms, I couldn't be happier if the last 12 years had never happened TBH!

7
0

Fishy

There's an awful lot of gaps in that blog post, perhaps most of all: "For instance, in case the attacker would like to open a browser on the victim's machine, the malware will popup on the RDP session for the attacker a box with the message: 'TODO:Start browser!'"

That indicates they've already got a copy of the C&C/client code, so they should have pretty well profiled what it's doing, and if they can see the "magic" id at the start of it, that suggests it's not encrypted.

I'd be interested to see how you can run RDP through a firewall to a target machine on an RFC1918 network, unless they've implemented a reverse telnet equivalent of RDP. If so, please open source it 'cos it would make a lot of my job a lot easier and I wouldn't have to bother with VPNs anymore.

1
0
Devil

The Chinese are coming! The Chinese are coming!!!!

1
0
Joke

Magic unknown protocol malware ..

Who is going to protect us from UNIX protocol malware?

0
0
Silver badge

Per Ardua ad MetaDataBase Cloud Heavens:-) ..... Special AIResearch Services

"This campaign has been active and under the radar for almost a year, targeting mostly UK entities," Aviv Raff, CTO of Seculert, told The Register. "Also, the malware seems to be still under development by the attackers."

As Military Advanced IntelAIgents LAN Ware, you might best reconsider attackers as homespun Master Pilots on Sensitive AIMissions ……. Heavenly Pursuits.

And there you all were thinking that the RAF does nothing for you in Command and Control with Cyber Space Stations.

And if you want a plausible denial, ask the MOD about the current Inventory of Virtual Defence Arms with NEUKlearer HyperRadioProActive Security Protection ….. Future ForeSighted.

The System might report that IT be at Liberty to Support Secure Self-Protective Immunity ProgramMING, but as to their Actual Partaking in Programs, both Private and Pirate and Public ….. well, that one imagines is Classified Full Disclosure/Need to Know Only.

Mars in Minerva Right Stuff ….. on Active Duty AIMission ….. For the LOVE Lashes of ADA:-)

Poe's Law rules that last string and shares the Future to Critical Strategically Tactical Key Markets for CHAOS SecureIT Supply to Storming Cloud Clusters in Clouds Hosting Advanced Operating Systems, and with Virtual Machinery in Full Utility with Right Royal Command in Control, are fortunes made and remade over again for Right Royal spending on creative talent, which was what they used to do, isn't it, …. Remotely Sponsor by Royal Appointment.

Indeed, I do believe they still do provide such graces albeit presumably frightfully more hush hush underground than before and a courtesy afforded so as not to alert or alarm or harm the natives above ground and Earthed.

"The custom protocol of the malware requires a magic code for 'authentication'. The C2 server will only expose the commands for the infected machine, if the magic code will be provided at the beginning of the custom-protocol request." ®

I don't know that you can do anything to break into/crack hack such a custom protocol which requires a magic code for 'authentication', other than to learn and/or practise Magic Authentic Coding.

Methinks that Particular and Peculiar Engine be Immaculate Passion Driven in Live Operational Virtual Environments …… There be No Sins nor Vices in Perfect Pleasures Given and Received and Enjoyed in the See of Strangers that Share Light on what Living is Like in OUR Worlds/your Worlds/their Worlds. :-)

Has anyone asked the owner the purpose of the available vulnerability? It may not be malware at all that is being deployed? Although how to guarantee it not turning out at a later date to become malware is quite another matter and when regarded and considered with no questions to answer, are such situations deemed resolved and solved, if only temporarily in a cobbled together quick fix/dodgy patch.

0
3
