Researchers find a bug in the Emotet malware and stop it from spreading for 6 months
In the case of Emotet, security researchers found a bug in the malware's code that allowed them to build a kill-switch, making it impossible for Emotet to install itself on protected machines. The kill-switch took effect on February 6, 2020 and kept Emotet contained until August 6, 2020. After that, the Emotet operators updated the code, patched the bug and resumed distribution.
Emotet is a very dangerous piece of malware that spreads through spam email campaigns controlled by a botnet. After infecting a victim's system, Emotet can carry out various destructive actions, including stealing information and deploying ransomware that encrypts the victim's important data and then demands a ransom.
How was the Emotet kill-switch created?
Emotet first appeared in 2014 and has been continuously updated with new features and attack methods. In early February 2020, a new Emotet update added the ability to use an infected device to spread to other devices on nearby WiFi networks.
In the same update, Emotet added a new persistence mechanism. It creates a file holding the malicious code on the victim's system, using a filename chosen at random from the .exe or .dll names found in the system32 directory, and records that filename in a Windows registry value.
Emotet malware has a bug
Based on this mechanism, Binary Defense created a kill-switch to limit the spread of Emotet. The first version of the kill-switch was ready about 37 hours after the Emotet update was deployed. The researchers used PowerShell scripts to generate the registry value for each victim machine and set its data to null.
Thus, when the malware checks the registry for the filename it should use, it reads back an empty value and ends up writing an empty .exe file instead of its payload. As a result, the malicious code cannot be installed on the machine and cannot go on to infect other computers.
EmoCrash
Binary Defense researcher James Quinn then created an upgraded version of the kill-switch called EmoCrash. According to Quinn's description, EmoCrash exploits a buffer overflow vulnerability discovered in the Emotet installation process to crash the malware before it can install, which prevents it far more effectively.
Instead of nulling the registry value, EmoCrash pre-creates the registry value that Emotet names after the drive's volume serial number and stores an 832-byte buffer in it.
This small buffer crashes Emotet. The value can be deployed in advance, like a vaccine, or deployed on a machine where Emotet is already active, in which case it crashes the running malware. EmoCrash was quietly deployed to systems and organizations at risk of Emotet attacks starting in April 2020.
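The two registry-based defenses described above (the first null-data kill-switch and the 832-byte EmoCrash buffer) can be expressed as a single PowerShell script. This is an added example, not Binary Defense's own kill-switch or EmoCrash script: the article does not name the registry key Emotet reads, so the key path is a required parameter here, and the value-name format (the hex volume serial number of the system drive as reported by WMI) and the buffer contents (0x41 bytes) are assumptions.

```powershell
<#
  Added example (not Binary Defense's code). Writes the "vaccine" registry
  value the article describes, in either of the two forms it mentions:
    Null     - zero-length data, as in the first kill-switch
    Overflow - an 832-byte buffer, as in EmoCrash
  Assumptions: the registry key path is supplied by the caller (the article
  does not give it); the value name is the hex volume serial number of the
  system drive; the buffer contents do not matter, only its length.
#>

function Get-SystemVolumeSerial {
    # Volume serial number of the drive Windows is installed on, e.g. "1A2B3C4D".
    # Assumption: Emotet uses this hex form as the registry value name.
    $drive = $env:SystemDrive   # usually "C:"
    $disk  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if (-not $disk) { throw "Cannot query the volume serial number for $drive" }
    return $disk.VolumeSerialNumber
}

function Set-EmotetVaccine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Registry key Emotet reads its stored filename from (assumption:
        # the caller supplies it, e.g. an HKCU:\ or HKLM:\ path).
        [Parameter(Mandatory)] [string] $KeyPath,
        # 'Null'     -> empty data: Emotet drops an empty .exe and fails to install
        # 'Overflow' -> 832-byte buffer: Emotet overflows and crashes
        [ValidateSet('Null', 'Overflow')] [string] $Mode = 'Overflow',
        # Buffer length used by EmoCrash according to the article
        [int] $BufferSize = 832
    )

    $valueName = Get-SystemVolumeSerial

    if (-not (Test-Path -Path $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }

    switch ($Mode) {
        'Null'     { $data = [byte[]]@() }                        # zero-length REG_BINARY
        'Overflow' { $data = [byte[]](,0x41 * $BufferSize) }     # 832 x 0x41 (assumed filler)
    }

    if ($PSCmdlet.ShouldProcess("$KeyPath\$valueName", "Write $Mode vaccine value")) {
        # -Force overwrites an existing value, so re-running is safe
        New-ItemProperty -Path $KeyPath -Name $valueName -PropertyType Binary `
                         -Value $data -Force | Out-Null
    }

    # Return what was written so the caller can log or verify it
    [pscustomobject]@{
        KeyPath   = $KeyPath
        ValueName = $valueName
        Mode      = $Mode
        Length    = $data.Length
    }
}

function Test-EmotetVaccine {
    # Reads the value back and reports whether it matches the expected form
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [ValidateSet('Null', 'Overflow')] [string] $Mode = 'Overflow',
        [int] $BufferSize = 832
    )
    $valueName = Get-SystemVolumeSerial
    $item = Get-ItemProperty -Path $KeyPath -Name $valueName -ErrorAction SilentlyContinue
    if (-not $item) { return $false }
    $bytes = [byte[]]$item.$valueName
    if ($Mode -eq 'Null') { return ($bytes.Length -eq 0) }
    return ($bytes.Length -eq $BufferSize)
}
```

Run it as the user (HKCU) or as an administrator (HKLM) depending on which key path you pass, for example `Set-EmotetVaccine -KeyPath $KeyPath -Mode Overflow -WhatIf` first to preview the change, then without `-WhatIf` to apply it, and `Test-EmotetVaccine -KeyPath $KeyPath -Mode Overflow` to confirm the 832-byte value is in place. Because the value is keyed by the volume serial number, the script has to run on each machine rather than being copied as a static registry file.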
On July 17, 2020, the Emotet botnet resumed its malicious spam campaigns after several months offline. However, it was not until August 6, 2020 that a version of the malware with the bug fully fixed was released.
With this new Emotet release, the Binary Defense researchers' containment method no longer works. However, according to Quinn, it was very successful in stopping Emotet from spreading for six months.
Experts recommend that users do not click on links or attachments in emails from unknown senders. Attachments and emails from acquaintances should also be scanned for malware before they are opened.