Protect Your Neck: Viruses

The world of computers is full of clandestine indecipherable jargon, and there’s no reason why any would-be crypto-enthusiast should be without a necessary cipher to help them through the maze.

That’s where we come in.

In this ongoing series, we’ll be detailing two of the more common types of viruses affecting the average user today, and providing hints to avoid them. Getting rid of viruses themselves is kind of specific, and may require professional assistance beyond what McAfee, Norton or Symantec have to offer, but those three sources should be your first go-to if you find yourself in a jam.

So let’s get started.

Ransomware is a type of malware designed to freeze your computer and all of its files until a ransom is paid. It spreads through phishing e-mails or through cookies given by a malicious website. It’s annoying and maddening on an individual level as the average ransom is about 1.5 bitcoins, which right now is about CAD$16K, and therefore probably means you’re out a computer if you don’t know someone who can take the ransomware off.

The individual doesn’t tend to be the target here, though. These hackers are looking for banks, exchanges, lawyers and doctors—people with the cash to pay their ransom, but maybe not the savvy to know not to.

Oh, and if you’re ever infected, it should be obvious that you shouldn’t pay it. You probably won’t get your computer back and you’ll be out sixteen grand.

One of the largest and most prevalent examples is the “WannaCry worm,” which first appeared on the scene in May 2017, and is noteworthy because it actually travels between computers on a network without user interaction. That’s right. Someone else on the network clicked on the spam e-mail, downloaded it, and it infected the entire network.

WannaCryFake is a strain of ransomware that uses AES-256 to encrypt a victim’s files. Files that have been encrypted by WannaCryFake are appended with the file extension: ‘.[][recoverydata54@protonmail.com].WannaCry’

Attacks increased by 118% over the first three months of 2019, according to cybersecurity company McAfee Labs. The company added that one of these ransomware campaigns used the Ryuk ransomware strain, which was successful in temporarily shutting down newspaper printing in the United States.

Here’s how ransomware works:

It is called cryptoviral extortion and it was inspired by the fictional facehugger in the movie Alien.

Cryptoviral extortion is the following three-round protocol carried out between the attacker and the victim.

  1. [attacker→victim] The attacker generates a key pair and places the corresponding public key in the malware. The malware is released.
  2. [victim→attacker] To carry out the cryptoviral extortion attack, the malware generates a random symmetric key and encrypts the victim’s data with it. It uses the public key in the malware to encrypt the symmetric key. This is known as hybrid encryption and it results in a small asymmetric ciphertext as well as the symmetric ciphertext of the victim’s data. It zeroizes the symmetric key and the original plaintext data to prevent recovery. It puts up a message to the user that includes the asymmetric ciphertext and how to pay the ransom. The victim sends the asymmetric ciphertext and e-money to the attacker.
  3. [attacker→victim] The attacker receives the payment, deciphers the asymmetric ciphertext with the attacker’s private key, and sends the symmetric key to the victim. The victim deciphers the encrypted data with the needed symmetric key thereby completing the cryptovirology attack.
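The three rounds above, written out as an added example (not the post’s own code) using only Go’s standard library: RSA-OAEP stands in for the attacker’s key pair, AES-256-GCM for the symmetric cipher, and the victim’s data is a constructed byte string held in memory. The function names are mine. It shows why, once the key is zeroized, the victim holds only a wrapped key that the public key cannot open, which is why offline backups rather than key recovery are the practical defence.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Round 1 [attacker->victim]: the key pair; only pub is embedded in the malware.
func attackerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only for a non-AES key length
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Round 2 [victim->attacker]: AES-256-GCM seals the data (nonce prepended), RSA-OAEP wraps the fresh key under pub, then both key and data are zeroized.
func victimRound(pub *rsa.PublicKey, plaintext []byte) (symCT, asymCT []byte, err error) {
	buf := make([]byte, 32+12) // buf[:32] is the AES-256 key, buf[32:] the 96-bit nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	symCT = newGCM(buf[:32]).Seal(buf[32:], buf[32:], plaintext, nil)
	asymCT, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	for i := range buf { buf[i] = 0 }             // zeroize the symmetric key
	for i := range plaintext { plaintext[i] = 0 } // zeroize the original data
	return symCT, asymCT, err
}

// Round 3 [attacker->victim]: only priv can unwrap the symmetric key.
func attackerRelease(priv *rsa.PrivateKey, asymCT []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, asymCT, nil)
}

// The victim decrypts with the released key; any other key fails the GCM tag check.
func victimRecover(key, symCT []byte) ([]byte, error) {
	if len(symCT) < 12 {
		return nil, errors.New("ciphertext shorter than the 96-bit nonce")
	}
	return newGCM(key).Open(nil, symCT[:12], symCT[12:], nil)
}
```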

Cryptojacking and the Bitcoin Virus:

A common boast from would-be hackers back in the ’90s and early oughts where I was growing up was that they had written a script that would let them hijack computers from afar. They would enter through a trojan horse and afterwards take control of a computer or network from the comfort of their mother’s basement. Most of these people were attention-seeking assholes who read something on the internet and wanted to look badass for their friends, but occasionally, if you ran in the right circles, you’d meet the real deal.

What they’re talking about is an early series of programs that let the savvy hacker (or lucky script-kiddy) in through any of the many gaping back doors in the Windows 95 and Windows 98 infrastructure (including Windows NT). One of the more popular programs was called Back Orifice.

Back Orifice Overview
Back Orifice is a tool consisting of two main pieces, a client application and a server application. The client application, running on one machine, can be used to monitor and control a second machine running the server application. The operations that the client application can perform on the target machine (i.e., the machine running the server application) include the following:

  • Execute any application on the target machine.
  • Log keystrokes from the target machine.
  • Restart the target machine.
  • Lock up the target machine.
  • View the contents of any file on the target machine.
  • Transfer files to and from the target machine.
  • Display the screen saver password of the current user of the target machine. The creators of Back Orifice also claim to be able to display “cached passwords” for the current user, but no other passwords were displayed during our analysis.

It’s obsolete now, primarily because Microsoft closed most of the gaping fissures in their code, but cybersecurity is an arms race, and hackers have caught up. For example, last month, French authorities shut down a botnet army responsible for crypto-jacking thousands of computers across 140 countries.

Damn.

Here’s why this makes sense. You can’t mine Bitcoin or Ethereum (and a few other coins) using GPUs, but getting into some of the smaller coins where it’s still somewhat easier to close the block and get the reward is still an option. It’s going to be expensive, though, because most of those coins will still require a fair number of watt-hours to mine.

With cryptojacking, you hack into someone else’s computer using a trojan, and take over their computer using some super advanced version of Back Orifice to turn on and get mining during off-hours. When the coins appear, the hacker snatches them up for themselves, and the host family’s jaws drop when they get their next power bill.

If the user has a look at their task manager, they may see a new process running in the background, such as XMRig. The Miner.Bitcoinminer, or something with a similar name, can even take over your Windows, Mac or Android devices.

The Bitcoin virus is detected under various names, including:

  • Riskware.Miner
  • Trojan.BitMine
  • W32/CoinMiner
  • Trojan.BitCoinMiner
  • PUA.CoinMiner, etc.

The takeaway

Protect your neck.

If your spam filter thinks something is malicious and you don’t recognize the source, then don’t click it. Also be careful with your torrents, because they’re an easy source of the trojan viruses that give access to your computer (and network) to these unscrupulous assholes.

And for your sake, don’t watch porn on the same computer you use to buy your crypto.

—Joseph Morton
