Cryptocurrency-mining malware infects Windows computers via EternalBlue and WMI
A newly discovered malware family called CoinMiner is causing problems for many users and companies: it combines several unusual features that make it difficult to prevent or detect.
The malware, a cryptocurrency miner, uses the NSA's EternalBlue exploit to infect victims and Windows Management Instrumentation (WMI), a toolkit built into Windows, to run commands on infected systems. In addition, CoinMiner runs entirely in memory (fileless malware) and uses several command-and-control servers to deliver the scripts needed to infect victims.
Together these traits make CoinMiner a serious problem for older computers, where traditional anti-virus software is poorly suited to these newer infection techniques.
Avoid getting infected with CoinMiner by turning off SMBv1
To avoid infection with CoinMiner, there are a number of measures users need to take. The simplest is to block the initial infection vector, EternalBlue, an SMB exploit developed by the NSA and leaked online by the Shadow Brokers hacker group. It was also used in the WannaCry and NotPetya attacks.
Users should make sure Microsoft's MS17-010 security patch is installed, or at least turn off the SMBv1 protocol on their machines, so that CoinMiner has no way in.
Turn off WMI
If SMBv1 must remain enabled for network interoperability, infection can still be avoided by protecting against the malware's second stage, WMI, the management toolkit integrated into Windows.
CoinMiner uses WMI to download scripts and the other components needed to infect a computer, and then to download and run the actual CoinMiner binary.
CoinMiner infection process
Trend Micro, the company that discovered CoinMiner, recommends turning off WMI on a machine if it is not needed, or at least restricting WMI access to a single administrator account used only by IT staff.
Instructions on how to turn off SMBv1 and WMI are given at https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows and https://msdn.microsoft.com/en-us/library/aa826517(v=vs.85).aspx . For more detail, Trend Micro has also published a step-by-step technical report on CoinMiner: http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
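The two mitigations above (turn off SMBv1, then disable or restrict WMI) as an added PowerShell example; this is not code from the article or from Trend Micro. It reports the SMBv1 state, the MS17-010 patch state and the WMI service and firewall state on one host, and only changes anything when run with -Apply. It assumes Windows 8.1/Server 2012 R2 or later (SmbShare and NetSecurity modules present), and that $Ms17010Kbs is filled in with the KB numbers listed for this host's OS in the MS17-010 bulletin, which the article does not give.

```powershell
# Added example: audit and apply the article's two mitigations on one host. Run as Administrator.
param(
    [string[]]$Ms17010Kbs = @(),   # placeholder: KB numbers for this OS from the MS17-010 bulletin
    [switch]$Apply,                # without -Apply the script only reports
    [switch]$DisableWmiService     # only when nothing on this host depends on WMI
)

# True if the SMB server still accepts the SMBv1 protocol (EternalBlue's entry point)
function Get-Smb1State {
    return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

# $true/$false if the supplied KB list is present/absent; $null when no list was given
function Test-Ms17010 {
    if ($Ms17010Kbs.Count -eq 0) { return $null }
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in $Ms17010Kbs) { if ($installed -contains $kb) { return $true } }
    return $false
}

# --- Report ---
$smb1 = Get-Smb1State
$wmi  = Get-Service -Name Winmgmt
$wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction SilentlyContinue
$openInbound = ($wmiRules | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }).Count
Write-Host "SMBv1 server protocol enabled  : $smb1"
Write-Host "MS17-010 present (by KB list)  : $(Test-Ms17010)"
Write-Host "WMI service status / start type: $($wmi.Status) / $($wmi.StartType)"
Write-Host "Enabled inbound WMI rules      : $openInbound"

if (-not $Apply) { return }

# --- Mitigation 1: turn off SMBv1 ---
if ($smb1) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On client editions also remove the optional feature so it stays off after updates
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

# --- Mitigation 2: restrict WMI ---
# Disabling the inbound WMI rule group blocks remote WMI while local tooling keeps working.
Disable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
if ($DisableWmiService) {
    # Full shutdown of WMI, as Trend Micro suggests for hosts that do not need it
    Stop-Service -Name Winmgmt -Force
    Set-Service -Name Winmgmt -StartupType Disabled
}
```

Run it once without -Apply to see the current state, and re-run the report afterwards to confirm SMBv1 is off and no inbound WMI rules remain enabled.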
CoinMiner is not the first cryptocurrency miner to use EternalBlue against victims. Adylkuzz was the first malware of its kind, beginning its attacks shortly after the Shadow Brokers leaked the exploit online. CoinMiner, however, is one of the few fileless cryptocurrency miners.