New Malware Infects Legit Downloads On the Fly
A new piece of malware can intercept Internet traffic to spot people downloading legitimate installation files and replace them with "infected" copies. Security company Kaspersky went as far as calling it "impressive" from a technical, if not moral standpoint.
Kaspersky has dubbed the malware "Reductor," after a term that appears in some of the code. It discovered the malware in April 2019, so the fact it's only just going public suggests it took some serious analysis. (Source: securelist.com)
The malware's operation is exceedingly complicated, but once a machine is infected, the general principle is that the creators analyzed the code that makes the Firefox and Chrome browsers operate. That let them figure out a way to predict the supposedly random numbers used while encrypting web traffic.
Web Certificates Manipulated
As a result, they are able to decode encrypted web traffic without having to intercept or manipulate it in a way that could easily arouse attention. In turn, the creators are able to install bogus security certificates on the browser that appear genuine.
Kaspersky believes the malware creators are using these powers to spot people who have just downloaded legitimate installation files for software. They are then able to immediately replace the legitimate files with bogus copies that are actually infected with malware.
That undermines a key computer security tactic of checking security certificates to make sure downloaded files are indeed from the source they claim to come from.
Russia And Belarus Targeted
Kaspersky told The Register that "We haven't seen malware developers interacting with browser encryption in this way before. It is elegant in a way and allowed attackers to stay well under the radar for a long time." (Source: theregister.co.uk)
The good news for Westerners (at least) is that the malware appears to be specifically targeted at users in Russia and Belarus. The level of sophistication implies that the malware creators have significant professional support, possibly from a government. The risk is that their techniques will likely be adopted by cyber criminals who go after the wider public.
For now it doesn't appear there's any immediate action users need to take. However, it's a reminder that using a range of cyber defenses, including scanning files before download and then again before opening, may be safer than sticking to a single method.
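The article's point is that the browser's own encryption and certificate checks were subverted, so a second, independent check on the downloaded file is worth having. The following Python script is an added example, not code from the article or from Kaspersky's report: it verifies a downloaded installer against a publisher's SHA-256 digest list in the format `sha256sum` emits, and rejects the file on any mismatch. The file name, the digest list and the file contents are constructed for the example; in practice the digest must come from a channel the attacker does not also control (a signed release manifest, a different network, printed vendor documentation), otherwise an attacker who can rewrite one download can rewrite the digest page too.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed publisher digest list in sha256sum format ("<hex digest>  <filename>").
# The name and digest are placeholders for this example, not a real release.
PUBLISHED_DIGESTS = """\
# setup-1.0.exe release digests (constructed example)
b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  setup-1.0.exe
"""


def parse_digest_list(text):
    """Parse sha256sum-style lines into {filename: lowercase hex digest}.

    Malformed lines raise rather than being skipped, so a truncated or
    tampered digest list cannot silently turn into "no digest, nothing to check".
    """
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed digest line: {line!r}")
        hexdigest, name = parts
        digests[name.lstrip("*")] = hexdigest.lower()  # sha256sum marks binary mode with '*'
    return digests


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published):
    """Return (ok, reason). A file with no published digest is treated as a failure."""
    name = os.path.basename(path)
    expected = published.get(name)
    if expected is None:
        return False, "no published digest for this file name"
    actual = sha256_file(path)
    # compare_digest avoids leaking where the two strings first differ.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "digest matches published value"


def demo():
    """Write a genuine file and a tampered copy into a temp dir and verify both.

    Returns (genuine_ok, tampered_ok); expected (True, False).
    """
    published = parse_digest_list(PUBLISHED_DIGESTS)
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "setup-1.0.exe")
        with open(genuine, "wb") as f:
            f.write(b"hello world")  # constructed stand-in for the real installer bytes

        tampered_dir = os.path.join(d, "tampered")
        os.mkdir(tampered_dir)
        tampered = os.path.join(tampered_dir, "setup-1.0.exe")
        with open(tampered, "wb") as f:
            f.write(b"hello world\x00")  # one extra byte stands in for an injected payload

        return verify_download(genuine, published)[0], verify_download(tampered, published)[0]


if __name__ == "__main__":
    ok_genuine, ok_tampered = demo()
    print("genuine file accepted:", ok_genuine)
    print("tampered file accepted:", ok_tampered)
```

Run it directly to see the genuine file accepted and the tampered one rejected; to use it on a real download, fetch the publisher's digest list over a separate channel, pass it to `parse_digest_list`, and call `verify_download` on the saved installer before opening it.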
What's Your Opinion?
Is Kaspersky right to praise malware's creativity, albeit reluctantly? What methods does your security software use? Do you feel you understand how your PC is protected?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!
Comments
more than likely
It's the N.S.A. and some of the other American three letter abbrevs.
New Malware Post
Suggested resolution: For now it doesn't appear there's any immediate action users need to take. However, it's a reminder that using a range of cyber defenses, including scanning files before download and then again before opening, may be safer than sticking to a single method.
I understand scanning downloaded files before opening, but how do we scan files that are not yet downloaded? You can't scan what you don't have.
Malware Downloads
Seems the market just got better for a stand-alone machine with a virtual machine installed to download to a flash drive. Then there will be no problem running your defensive software.
Always remember there is no such thing as an absolutely safe computer system. :-)