After discovering a bug in the malware, he used it to build an update that neutralizes the gang's most dangerous program

A security researcher halts a "cyber gang's" attacks for six months

Security teams quietly distributed the update to thousands of institutions and companies worldwide.

A cybersecurity researcher found an exploitable flaw in the most dangerous malware produced by the gang behind the Emotet botnet, currently ranked as the largest organized cybercrime operation running through cyberspace. The researcher used the flaw to build a security update that neutralizes the malware outright, rendering it inert.

The security team the researcher belongs to kept the matter secret and then distributed the update quietly to thousands of security officials around the world. This threw the gang off balance and deprived it of the ability to launch new attacks for six months, starting in February 2020, before it fixed the bug in its code and regained its attack capability.

Confrontation

Details of the confrontation appeared on the website of Binary Defense, an information security company, in a report written by James Quinn, a malware analyst at the company. Quinn explained that the usual cycle runs like this: malware authors write their code and distribute it to victims by various means; security experts then build updates to resist it; and once those are out, the attackers make small changes to their code to quickly regain their offensive advantage. In this round, though, the tables were turned: the gang's program itself became the software target, containing an exploitable security flaw that could be used to attack and disable it, just as malware does every day to computers and networks.

Starting point

Quinn said in his report that the starting point was a change he spotted in the code of one of the gang's malware samples, used in an attack carried out in February 2020. On analyzing the change, he found it affected the part of the malware called the "persistence mechanism", the component that lets the malware keep running without interruption after the computer is restarted. With this change, the Emotet malware generated an XOR encryption key for itself and stored it in the Windows registry, then used that key to carry out the persistence process.

Quinn added that at this point he detected a fatal flaw: the same XOR key was also used by several of the checks the malware performs across its full code path, including a part called the "pre-infection routine", which is responsible for getting the malware started.

From there, he continued, it became clear that the malware could be turned against itself through the "pre-infection routine": made to do the opposite of what it was written to do, that is, to stop instead of start. After dozens of trial-and-error attempts, he put together a small PowerShell script that creates a malformed registry key in place of the original one, which feeds the malware counter-instructions that disable Emotet completely instead of launching it.

"EmoCrash"

Quinn said he kept working until he had a complete security update, which he named "EmoCrash". He ran it first on a computer not infected with Emotet, then deliberately tried to infect that computer with the malware: the malformed registry key crashed the malware, and the computer was fully protected. He then ran the update on computers already infected with Emotet. There, the update overwrote the malware's original registry key with the malformed one, and the malware stopped working, losing its single most important capability: its connection to the gang's command-and-control server.
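The vaccine pattern described above, as an added illustration that is not the EmoCrash script and not Binary Defense's code: the registry path, value name and log path are placeholders (assumptions), and the article does not say what the malformed value actually contained, so a placeholder payload is used. The script first checks whether the value already exists, which on a real infection is the "when and where" signal the extended update was built to collect, and then writes the marker value the persistence routine will read but cannot use.

```powershell
# Added example, not the original EmoCrash script.
# $KeyPath and $ValueName are hypothetical; the real vaccine's registry
# location and the exact malformed content are not given in the article.
param(
    [string]$KeyPath   = 'HKCU:\Software\Example\VaccineDemo',   # assumption
    [string]$ValueName = 'PersistenceKey',                        # assumption
    [string]$LogPath   = "$env:ProgramData\vaccine-demo.log"      # assumption
)

function Write-VaccineLog {
    param([string]$Message)
    # Timestamp + hostname give the "when" and "where" of each event.
    $line = '{0} {1} {2}' -f (Get-Date -Format 'o'), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogPath -Value $line
}

# 1. A pre-existing value means something (the malware, or an earlier run of
#    this script) already created it. Record that before touching anything.
if (Test-Path -Path $KeyPath) {
    $existing = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $existing) {
        $bytes = [byte[]]$existing.$ValueName
        Write-VaccineLog ("Existing value found, {0} bytes" -f $bytes.Length)
    }
    else {
        Write-VaccineLog 'Key present, value absent'
    }
}
else {
    New-Item -Path $KeyPath -Force | Out-Null
    Write-VaccineLog 'Key created'
}

# 2. Overwrite (or create) the value with placeholder content the
#    persistence routine is assumed not to be able to parse.
$placeholder = [byte[]](0x00, 0x00, 0x00, 0x00)   # placeholder, not the real payload
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $placeholder -Type Binary
Write-VaccineLog 'Vaccine value written'
```

Two caveats a practitioner would want stated: a vaccine like this only works while the malware reads exactly this location in exactly this way, which is why the article reports it stopped working once the gang rewrote its persistence code; and because it writes to the registry of every machine it is deployed to, it should be rolled out through the same change-control path as any other endpoint configuration change.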

Behind the scenes

Quinn said that he and his colleagues at the company, together with a security team from another information security company, Team Cymru, extended the update to perform additional tasks, including recording when a machine had been infected with Emotet and where. They then decided to keep "EmoCrash" under complete secrecy, so the gang would not catch on and close the gap in its code.

They worked behind the scenes, he said, communicating over secure channels with the US Computer Emergency Response Team (CERT) to publish "EmoCrash" discreetly. That is what happened: it was passed to 125 counterpart CERT teams in different countries, which in turn delivered the update to more than 6,000 institutions and companies. This effort helped "EmoCrash" find its way around the world and stop hundreds of attacks.

Reaction

Quinn noted that the gang lost its ability to launch and maneuver. In response it made a long series of changes to its code, but failed to uncover what had happened, until it finally deleted and replaced the persistence mechanism's code entirely with a new one, which nullified the effect of the security update after six months of smooth operation.

- The flaw lies in the code that keeps the malware running after the computer is restarted.