A new malware instance detected by Trend Micro is a fine indicator of the sophistication of today’s virus writers’ and propagators’ skills, with a five-stage infection process that’s as sophisticated as it is effective.
But the details given of the methods used by the malware’s author(s), while impressive from a purely technical point of view, contain the same phrases and terminology that’s found in the majority of such news items. Here’s just a few: ‘weak passwords’, ‘legacy systems’, ‘publicly available codes’, and ‘unpatched vulnerabilities’.
The malware’s eventual aim, in this case, was to deploy code that used infected devices’ capabilities to mine for Monero, a largely-anonymous cryptocurrency. Unlike some other such currencies, Monero does not require sophisticated hardware to mine effectively, therefore making it an attractive choice for this type of distributed attack.
In short, just about any machine can be turned to mining. And of course, the more miners (albeit slow ones) there are, the greater the dividends. Monero mining can be difficult to detect, other than by machines running slowly – hardly an unusual occurrence given the type of operating systems in use by end-users in most companies today.
The malware begins its journey by attempting to compromise a computer connected to a network that’s “protected” by a weak password. Trend Micro quote some prime examples, including “baseball”, “football”, “hello” and those perennial favorites, “qwertyuiop”, and its more exotic cousin, “zxcvbnm”. Literally gigabytes of similar examples can be found on the internet; a search for “free password list” will reveal dozens of files containing, in plain text, millions of common or default passwords.
The details of what happens after the machine is unlocked will be of specific interest to those of a particular technical inclination but, in short, the malware updates itself, spreads across the organization’s (or household’s) network, grabbing information like each victim’s unique address & ID, and available graphics memory. It also looks for badly-protected SQL database servers, again, with poor-quality passwords.
The final payload is not file-based (meaning it will circumvent older AV protection), residing instead in memory, a deployment that’s more difficult to detect. Apart from the Monero mining activities, the malware sends to its command & control base each host machine’s details; while that’s not an issue in terms of personal data privacy, it’s enough information to be used in future malware instances that could be downloaded and deployed on untreated computers.
Trend Micro‘s advice is to ensure all users deploy complex passwords, update outdated software, and consider a multi-layer approach to authentication at all levels:
“We recommend updating systems with available patches from legitimate vendors as soon as possible. Users of legacy software should also update with virtual patches from credible sources […] Use complicated passwords, and authorize layered authentication whenever possible. Enterprises are also advised to enable a multi-layered protection system that can actively block these threats and malicious URLs from the gateway to the endpoint.”
As commentators on this type of security issue nearly daily, at TechHQ we would urge all our readers to follow the company’s advice. All business owners and the security conscious manager need to be aware of some of the following standard practices the danger of which staff may be unaware:
- Staff members sharing passwords and log-on credentials with one another.
- No password policy in place whereby automated systems can reject passwords for being too simple.
- No multifactor authentication.
- Administrators using the same password for multiple in-house systems.
- Personnel using the same password(s) for all or any of their private and work accounts.
- Legacy software considered to be ‘mission-critical’ and ‘worth the risk’ to keep running.
There are multiple products on the market today that can help with all of the above. We urge every organization, irrespective of size, to take any required actions, or seek advice as to the best ways forward from properly-qualified professionals.