In a world of constant change, one thing is constant: there will be more malware coded every day. As attackers find new vulnerabilities and areas to attack, new malware will be coded to exploit them, and the number of new pieces of malware introduced daily will also increase. This is a function of the growth in computers and other connected electronics, along with the criminal mind looking to exploit a situation.
One such piece is Genome. It was first detected on January 18, 2011 and is engineered to attack Windows systems. Granted, it is over five years old; however, it has been noted again in the wild. Even careful users may still click on the cute kitten picture or the link in an email from a third cousin they never knew existed.
Description
Once the user clicks on the malicious link or opens a file, the Trojan begins the download. Generally, it reaches out through port 80 to get.whitesmoke.com. Once loaded, it notifies the C&C that there is a new infected user; the infected system is then able to receive malicious packets and other downloads, receive any updates, and upload data from the infected user to the C&C. These programs and files are downloaded without the user’s consent or knowledge. As more malware is downloaded to the user’s system, the system may process much more slowly, freeze, and eventually present the user with the infamous BSOD.
Mitigation
Hopefully the users will have a sufficient appreciation of info sec and listen to the IT department. If the infection is on a personal system, the user would need, at the very least, to update their AV and download the new definitions. They should then run a full system scan. This may pick up the malware.
This sounds easy enough; however, it may be difficult to remove. What makes this a bit curious is that unless it is completely removed, it will quasi-regenerate via another download. It may also reside in the root. Another easy way to verify the removal is a search for two files (utdqhz5i9inix.exe and zlsrbvjm.exe). These generally indicate the user is infected with Genome. The user may still be infected even if these files are not present.
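A defender-side check for the indicators named in this post (the C&C hostname over port 80 and the two file names), written as an added example that is not part of the original post. It assumes the proxy-log layout described in the code comment, uses paths in the host OS's separator style, and the sample log lines are constructed.

```python
import os
from typing import Iterable

# Indicators quoted in the post. Their presence suggests infection;
# their absence does not prove the host is clean.
C2_HOST = "get.whitesmoke.com"
INDICATOR_FILES = {"utdqhz5i9inix.exe", "zlsrbvjm.exe"}


def find_indicator_files(paths: Iterable[str]) -> list:
    """Return every path whose file name matches a known Genome file name.
    Matching is case-insensitive because NTFS file names are."""
    return [p for p in paths if os.path.basename(p).lower() in INDICATOR_FILES]


def scan_tree(root: str) -> list:
    """Walk a directory tree (e.g. a mounted disk image) and check each file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(find_indicator_files(os.path.join(dirpath, f) for f in files))
    return found


def find_c2_contacts(log_lines: Iterable[str]) -> list:
    """Pick out internal hosts that contacted the C&C over port 80.
    Assumed log layout (constructed for this example):
    <timestamp> <client_ip> <dest_host>:<dest_port> <bytes>"""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed record: skip rather than crash
        host, _, port = parts[2].rpartition(":")
        if host.lower() == C2_HOST and port == "80":
            hits.append(parts[1])
    return sorted(set(hits))


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "2016-03-01T10:00:01 10.0.0.12 www.example.com:443 1200",
    "2016-03-01T10:00:07 10.0.0.15 get.whitesmoke.com:80 48211",
    "2016-03-01T10:00:09 10.0.0.15 GET.WHITESMOKE.COM:80 3021",
    "2016-03-01T10:01:30 10.0.0.21 get.whitesmoke.com:443 900",
    "garbage line",
]

if __name__ == "__main__":
    print("C&C contacts:", find_c2_contacts(SAMPLE_LOG))  # ['10.0.0.15']
    print("indicator files under cwd:", scan_tree("."))
```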
The info sec engineers can also remind the users to watch for spam. They really should not just open anything. They should also be reminded not to click on any links or open attachments, especially files with the “.exe” extension.
This malware infection can be avoided with only a few steps and by being careful with certain emails.