Find bug in Emotet malware, prevent it from spreading for 6 months
In the case of Emotet, security researchers found a bug in the malware's code that allowed them to build a kill-switch which made it impossible for Emotet to spread. The kill-switch took effect on February 6, 2020 and kept Emotet contained until August 6, 2020. After that, the Emotet operators updated their source code, patched the bug, and resumed distribution.
Emotet is a very dangerous piece of malware; it spreads through spam email campaigns sent from a botnet under its operators' control. After infecting a victim's system, Emotet can carry out various destructive actions, including stealing information and deploying ransomware that encrypts the victim's important data and then demands a ransom.
How was the Emotet kill-switch created?
Emotet first appeared in 2014 and has been continuously updated with new features and attack methods. Earlier this February, a new Emotet update added a way to use infected devices to spread to other devices on nearby WiFi networks.
In the same update, Emotet added a new persistence mechanism. It creates a file to store the malicious code on the victim's system, using a filename picked from the system32 directory with an .exe or .dll extension, and records that filename in a registry value.
Emotet malware has a bug
Based on this mechanism, Binary Defense created a kill-switch to limit the spread of Emotet. The first version of the kill-switch came out about 37 hours after the Emotet update was deployed. Researchers used PowerShell scripts to generate the registry value for each victim machine and set its data to null.
Thus, when the malware checks the registry for the file it uses to infect other computers, it loads an empty exe file. As a result, the malware cannot be deployed on other machines.
EmoCrash
Binary Defense researcher Quinn went on to create an upgraded version of the kill-switch called EmoCrash. According to Quinn's description, EmoCrash exploits a buffer overflow vulnerability discovered in the Emotet installation routine, crashing the installer so that the malware can be blocked more effectively.
Instead of resetting the registry value to null, EmoCrash pre-creates the registry value that Emotet keys on the drive's serial number and fills it with an 832-byte buffer.
This small buffer is enough to crash Emotet, and it can either be pre-deployed like a vaccine or deployed while Emotet is already spreading. EmoCrash was quietly rolled out in April 2020 to systems and organizations at risk of being attacked by Emotet.
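The following PowerShell script is an added illustration of the EmoCrash-style vaccine described above; it is not Binary Defense's own script. The registry key path is a placeholder (the article does not give it), and the assumption that the value is named after the system drive's volume serial number in hex is taken from the article's description.

```powershell
# Added example, not Binary Defense's code. Writes an EmoCrash-style "vaccine"
# value: a registry value named after the drive serial number, holding either
# an empty buffer (first kill-switch) or an 832-byte buffer (EmoCrash).
function Set-EmotetVaccine {
    param(
        # PLACEHOLDER: the article does not name the real key; replace before use.
        [string]$KeyPath = 'HKCU:\Software\PLACEHOLDER_EMOTET_KEY',
        # $true = 832-byte buffer (EmoCrash), $false = empty value (first kill-switch)
        [bool]$Crash = $true
    )

    # The article says Emotet keys its registry value on the drive serial number.
    # Assumption: the value name is the hex VolumeSerialNumber of the system drive.
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $valueName = $disk.VolumeSerialNumber        # e.g. 'A1B2C3D4'

    # 832 bytes is the size the article reports as triggering Emotet's buffer overflow.
    $buffer = if ($Crash) { New-Object byte[] 832 } else { New-Object byte[] 0 }

    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $valueName -PropertyType Binary `
        -Value $buffer -Force | Out-Null

    # Verify the value was stored with the intended length before reporting success.
    $stored = (Get-ItemProperty -Path $KeyPath -Name $valueName).$valueName
    if ($stored.Length -ne $buffer.Length) {
        throw "Vaccine value $valueName was not written with the expected length"
    }
    return [pscustomobject]@{ Key = $KeyPath; Name = $valueName; Bytes = $stored.Length }
}

# Usage: deploy the EmoCrash variant and show what was written.
Set-EmotetVaccine -Crash $true
```

Run it in an elevated session on a test machine first; a vaccine value under the wrong key does nothing, so confirm the real key path against your own analysis before rolling it out.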
On July 17, 2020, Emotet restarted its malicious email spam operation after several months of trying to get around the kill-switch. However, it was not until August 6, 2020 that the malware's buggy code was completely fixed.
Now, with the new Emotet release, the Binary Defense researchers' containment method no longer works. However, according to Quinn, it was very successful at stopping Emotet from spreading for six months.
Experts recommend that users should not click on links or attachments in emails from unknown senders. Attachments and emails from acquaintances should also be scanned for viruses before being opened.