Security Week 08: viruses return

When discussing computer threats, any malicious program is often called a "virus", but this is not entirely correct. The classic virus is a phenomenon of the pre-Internet era, when information was transferred between computers mainly on floppy disks, and spreading malicious code required "attaching" it to executable files. Last week, Kaspersky Lab experts published a study of the KBOT virus. It spreads by infecting executable files and is the first live virus observed in the wild in the last few years.


Despite the time-tested infection method, the functionality of this malware is thoroughly modern: it steals payment data and passwords and uploads them to a command-and-control server, and it provides remote access to the infected computer over the standard RDP protocol. If necessary, KBOT can download additional modules from the server; in other words, it gives full control over the system. All of this is the standard toolkit of any modern cyberattack, but here we are also dealing with destructive infection of exe files.

After the infected file is launched, KBOT establishes persistence in the system by registering itself in startup and in the task scheduler. The study describes the process of infecting executable files in detail: the virus modifies them in such a way that the program's original functionality is not preserved. Because of this, files are modified only on attached logical drives (external media, network drives and so on) but not on the system partition; otherwise, instead of stealing data, the virus would render the OS completely inoperable. Among other things, KBOT is a polymorphic virus, that is, it changes its code every time it infects a file.
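Because KBOT rewrites its own code on every infection, matching the virus itself by hash is unreliable; what stays constant is that a host executable on the removable or network drive no longer matches its known-good state. The script below is an added example (not part of the original article or of the Kaspersky study): it baselines the executables on a drive and reports modified, added and missing files. The sample drive, file names and contents are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path

# File types a KBOT-style infector targets: code a user will later run from the drive.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".sys"}

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each executable under root (path relative to root) to its hash and size."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return baseline

def compare(root: Path, baseline: dict) -> dict:
    """Re-scan root and report executables that changed, appeared or disappeared."""
    # The infector's own bytes differ per infection (polymorphism), but the host
    # file's hash always differs from the baseline, so that is what we check.
    current = build_baseline(root)
    modified = sorted(f for f in baseline
                      if f in current and current[f]["sha256"] != baseline[f]["sha256"])
    return {"modified": modified,
            "added": sorted(set(current) - set(baseline)),
            "missing": sorted(set(baseline) - set(current))}

def demo() -> dict:
    """Constructed scenario: baseline a fake removable drive, then alter one executable."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "tools").mkdir()
        (drive / "tools" / "backup.exe").write_bytes(b"MZ" + b"\x00" * 512)  # stand-in, not a real PE
        (drive / "notes.txt").write_text("not executable, so not tracked")
        baseline = build_baseline(drive)
        # Simulate an infector appending its body to the host executable.
        with (drive / "tools" / "backup.exe").open("ab") as f:
            f.write(b"\x90" * 64)
        (drive / "dropped.exe").write_bytes(b"MZ" + b"\x00" * 32)  # new, unknown executable
        return compare(drive, baseline)
```

In practice the baseline would be saved (for example as JSON) when the drive is known clean and compared on each subsequent mount.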


The virus is most often found in Russia and Germany, but the total number of attacks is relatively small. KBOT and its modules are detected by Kaspersky Lab solutions as Virus.Win32.Kpot.a, Virus.Win64.Kpot.a, Virus.Win32.Kpot.b, Virus.Win64.Kpot.b and Trojan-PSW.Win32.Coins.nav. The traditional distribution approach of this malware is interesting, but not necessarily effective. First, storing executable files on external media is now the exception rather than the rule. Second, while damaging data on a hard disk was normal for viruses 30 years ago, today a cybercriminal's task is to gain access to personal data and remain unnoticed for as long as possible. Breaking executables does not help with stealth.

What else happened


A critical vulnerability was discovered in the GDPR Cookie Consent plugin for WordPress, a simple add-on for displaying a "we use cookies on our website" notice. The bug allows any user registered on the WordPress site to obtain administrator rights. The problem is especially dangerous on sites with open registration, for example for commenting on posts. Approximately 700 thousand sites are affected.

F-Secure has published a study on hacking the Amazon Alexa smart speaker. The researchers connected to the speaker's standard debug interface, booted from external media (an SD card connected to the pins of that same debug interface) and gained access to the device's file system. This scenario makes it possible to install malware on the speaker.

The Firefox 73 browser release closed several serious vulnerabilities, including at least one that allowed arbitrary code execution when visiting a specially crafted website.

Palo Alto Networks has investigated examples of unsafe Docker configurations. Using Shodan, the researchers discovered insecure Docker Registry servers; accordingly, the Docker images themselves and the applications stored in them were exposed.

Five hundred malicious extensions were removed from the extension store for the Google Chrome browser: all of them collected user data and redirected victims to sites for subsequent infection of the computer.

Malwarebytes has described an interesting example of a malicious program for Android that restores itself after a device reset.
