Slashdot Mirror


Scranos Rootkit Expands Operations From China To the Rest of the World (zdnet.com)

A malware operation previously limited to China's borders has expanded over the past few months to infect users from all over the world, antivirus firm Bitdefender said in a report published today. From a report: Users who have the bad habit of downloading and installing cracked software applications are at the highest risk. According to Bitdefender experts, these apps are laced with a relatively new malware strain named Scranos. The most important piece of this malware is a rootkit driver that's hidden inside the tainted apps and which allows the malware to gain boot persistence and take full control over users' systems in the early stages of an infection. Although Bitdefender describes Scranos as "a work in progress, with many components in the early stage of development," the malware is still very dangerous as it is. That's because Scranos is a modular threat that, once it infects a host computer, can ping its command and control (C&C) server for additional instructions, and then download small modules to execute a fine set of operations.

27 comments

  1. Death penalty? by Anonymous Coward · · Score: 0

    Wouldn't it be nice if the world could sign mutual extradition treaties for certain types of crimes that ruin the internet? I'm not saying all political crimes. But simply scamming and pissing in the pool should be extraditable. They don't have to get the death penalty but some penalty. The trouble is right now we can't marshal the resources to track these folks down because they are always extranational criminals.

    1. Re:Death penalty? by Penguinisto · · Score: 1

      The trouble is right now we can't marshal the resources to track these folks down because they are always extranational criminals.

      In this case, I would not be too surprised if the ultimate originator (or patron, if you will) of this particular rootkit is a fully-paid up member of the Business Software Alliance.

      Yeah, tinfoil-y, I know, but the fear of being infected certainly does benefit them the most...

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    2. Re:Death penalty? by Zaiff+Urgulbunger · · Score: 1

      Wouldn't it be nice if the world could sign mutual extradition treaties for certain types of crimes that ruin the internet.

      Unnecessary. Just make blindly downloading and opening executables, illeg^H^H^H^H^H executable!! :D

      I mean, I think we all know what the real problem is don't we?!

  2. User stupidity ... by Anonymous Coward · · Score: 5, Insightful

    Users who have the bad habit of downloading and installing cracked software applications are at the highest risk.

    Well, once you're doing that you've pretty much left behind any hope you will have security.

    If you're installing software from a source you don't know you can trust, this is what happens.

    This reminds me of a receptionist we had back in the mid-90's. That lady would download every stupid thing she found ... dinosaur cursors, cat screen savers, puppy themed start menus ... you name it. Invariably every 2-3 months her machine would have to be completely re-imaged because she had it so infested with shit.

    We told her repeatedly "stop installing this shit, it's a security risk" ... and she always pretty much on day one started downloading the same shit. She didn't seem to grasp that she herself was why her machine was always fucked up.

    Me, at this point, I assume pretty much all apps are shit, full of malware, and adding little or no value (or even posing a risk). They're nothing more than a conduit for ads and having your data stolen.

    The entire app economy is based on garbage in my opinion, and if people can't grasp their own stupidity, they deserve the malware.

    1. Re:User stupidity ... by CaptainDork · · Score: 1

      Just a thought. Your post is the best, so far. (Admittedly, it's early) and I agree. I have mod points but I don't have my permission to spend /. mod on AC.

      If that doesn't matter to you, well that's OK. Should it, login.

      Still, as a retired IT guy, I have lived the frustration that you have lived.

      Thanks.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:User stupidity ... by Penguinisto · · Score: 1

      Gotta agree with sibling. If I had mod points, I'd damned sure spend them here.

      Well, once you're doing that you've pretty much left behind any hope you will have security.

      If you're installing software from a source you don't know you can trust, this is what happens.

      Quoting the best line for propagation.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:User stupidity ... by Anonymous Coward · · Score: 0

      If that doesn't matter to you, well that's OK. Should it, login.

      LOL, no, it doesn't matter to me.

      I had a login years ago, stopped using it because I found Slashdot was devolving into a lot of personal attacks and other bullshit as you had the crazies always seeking you out. I have no interest in collecting karma and foes any more.

      From what I can see, nothing has changed.

      Still, as a retired IT guy, I have lived the frustration that you have lived.

      Yup, at a certain point, if you've told someone over and over again the dumb shit they're downloading is causing security risks to the company and infecting the PC with malware ... if that person keeps doing the same thing they'll get the same damned outcomes.

      I can understand why at some places users simply can't install software, because they're always going to be that subset of users who do stupid things.

      Downloading cracked software from dodgy sources ... well, that kind of stupid isn't a technology problem, it's a user problem.

    4. Re:User stupidity ... by Anonymous Coward · · Score: 0

      Why was the secretary able to install crapware? Her user privileges should have prevented it. If not, then you did not configure her machine correctly. So it was your fault, not her fault.

  3. Necessary evil by Anonymous Coward · · Score: 0

    These components and techniques are the same since 15 years ago... only changes are the language and the protocols.

    Thanks for the news tho! China bad! America!

  4. C&C server list by DigiShaman · · Score: 1

    So...any info on what exactly the IP address/s are of the C&C servers so they can be blocked at the firewall level?

    --
    Life is not for the lazy.
    1. Re:C&C server list by Anonymous Coward · · Score: 0

      So...any info on what exactly the IP address/s are of the C&C servers so they can be blocked at the firewall level?

      Which will work for users on wifi, but not once they're on cellular data, no?

      As soon as they walk outside, they're vulnerable again.

    2. Re:C&C server list by Dunbal · · Score: 1

      Better still block it at the download level and don't download it. Back before broadband was common and digital downloads didn't exist, an argument could be made for trying to get something you couldn't find elsewhere. Now we're surrounded by cheap digital sources, you can buy and download any software you want, you have a wide variety of services that stream all sorts of movies and shows. There's not much drive for piracy except for the need to "get stuff for free". Well caveat emptor.

      --
      Seven puppies were harmed during the making of this post.
    3. Re:C&C server list by Anonymous Coward · · Score: 0

      You have no idea what you're blathering about.

    4. Re:C&C server list by Anonymous Coward · · Score: 0

      All accesses lead to Cloudflare. The bad guys are hiding all of their DNS queries and web accesses for the C&C IOC list behind their service. This malware is only as successful as Cloudflare allows them to be.

      Will they shut it down? or will they continue to allow collateral damage?

  5. Understated by Anonymous Coward · · Score: 0

    download small modules to execute a fine set of operations

    That's quite an understatement. This is the finest set of operations I've ever seen, possibly the finest in computing history.

  6. ALL Important question by Anonymous Coward · · Score: 0

    Does this run on Minix? If not, what does it run on.

  7. Target? by bill_mcgonigle · · Score: 2

    Why doesn't TFS say if this affects iOS, lightbulbs, Windows, or Fedora?

    Just SCADA systems, then? FFS.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:Target? by Anonymous Coward · · Score: 0

      word.

    2. Re:Target? by CODiNE · · Score: 1

      When they don't tell you what it affects, it's always Windows.

      Otherwise they clearly point it out by stressing how other OSes are JUST AS vulnerable.

      And yes just as vulnerable to Trojan horse software.

      --
      Cwm, fjord-bank glyphs vext quiz
  8. Why doesn't someone make a useful malware for once? by Anonymous Coward · · Score: 0

    Why doesn't someone make a useful malware for once? One that would bypass the great firewalls etc.

  9. Re:TRUMP IN 2020? by Anonymous Coward · · Score: 0

    Mod parent down: Off topic.

    Unfortunately I think the Dem party autocrats won't get their s**t together to form a challenge. Four more years of monkey business.

  10. Scranos communique easily snuffed by hosts by Anonymous Coward · · Score: 0

    0.0.0.0 a12.fun
    0.0.0.0 b12.fun
    0.0.0.0 ab12.fun
    0.0.0.0 ossdown.fun
    0.0.0.0 d3pk.com
    0.0.0.0 fffffk.xyz
    0.0.0.0 downmsdn.com
    0.0.0.0 hh1m.com
    0.0.0.0 www.fffffk.xyz
    0.0.0.0 s3.amazonaws.com
    0.0.0.0 info.d3pk.com
    0.0.0.0 info.d3pk.com
    0.0.0.0 dl.ossdown.fun
    0.0.0.0 ab12.fun
    0.0.0.0 info.d3pk.com
    0.0.0.0 ab12.fun
    0.0.0.0 count.b12.fun
    0.0.0.0 fffffk.xyz
    0.0.0.0 80FD4C6BAC35BAB54608B2F60A9A1759.online
    0.0.0.0 A4E43EDE382B7613F03D2997C80E2DA9.online
    0.0.0.0 9D3C13FAF748710EBB5A8E1232B43CA7.online
    0.0.0.0 80FD4C6BAC35BAB54608B2F60A9A1759.online
    0.0.0.0 D43AC96995C02E4A7CCECE3059730B95.online
    0.0.0.0 EC33503163B5789F6786C0D82B479364.online
    0.0.0.0 1898799673.rsc.cdn77.org
    0.0.0.0 1898799673.rsc.cdn77.org
    0.0.0.0 rsc.cdn77.org
    0.0.0.0 cdn77.org
    0.0.0.0 www.hh1m.com
    0.0.0.0 www.hh1m.com
    0.0.0.0 hh1m.com

    * SOURCE https://www.bitdefender.com/fi...

    APK

    P.S.=> For the BEST hosts file:

    APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p

    1. Re:Scranos communique easily snuffed by hosts by Anonymous Coward · · Score: 0

      As always you are a day late and a dollar short. None of that will keep you from getting infected, remove the infection, or do anything of any real value. Just like APK. Maybe you should get back to posting conspiracies about bumpstocks, the pope, Hillary Clinton, and George Soros as it would be a more effective use of your time and meager brain power.

    2. Re:Scranos communique easily snuffed by hosts by Anonymous Coward · · Score: 0

      This is a live threat. Blocking those stops it working even if you are infested and stops you from getting it in the 1st place. Why do you think security sites post this material? Go away troll.
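Comment 4 asks for C&C addresses to block at the firewall, and comment 10 answers with a hosts-file list. Before deploying a list like that, a defender would want two things the thread does not show: deduplication (the posted list repeats several names) and a collateral-damage check, because the list includes s3.amazonaws.com and the cdn77.org CDN, and sinkholing shared provider names breaks unrelated legitimate software. The script below is an added example written for this page, not code from the thread or from Bitdefender's report; RAW_HOSTS_BLOCK is the list posted in comment 10 copied verbatim, and the SHARED_INFRASTRUCTURE set is this example's own assumption about which names deserve human review. Keep in mind what a hosts file can and cannot do: it only affects local name resolution, so it does nothing for connections made directly to an IP address, and on a machine where a kernel-level rootkit already has full control the file itself can be read, bypassed or rewritten.

```python
"""Sanity-check a hosts-file blocklist before deploying it.

Added example, not from the Slashdot thread or from Bitdefender's report.
RAW_HOSTS_BLOCK is the list posted in comment 10 (duplicates included);
SHARED_INFRASTRUCTURE is an assumption of this example.
"""
import re

RAW_HOSTS_BLOCK = """\
0.0.0.0 a12.fun
0.0.0.0 b12.fun
0.0.0.0 ab12.fun
0.0.0.0 ossdown.fun
0.0.0.0 d3pk.com
0.0.0.0 fffffk.xyz
0.0.0.0 downmsdn.com
0.0.0.0 hh1m.com
0.0.0.0 www.fffffk.xyz
0.0.0.0 s3.amazonaws.com
0.0.0.0 info.d3pk.com
0.0.0.0 info.d3pk.com
0.0.0.0 dl.ossdown.fun
0.0.0.0 ab12.fun
0.0.0.0 info.d3pk.com
0.0.0.0 ab12.fun
0.0.0.0 count.b12.fun
0.0.0.0 fffffk.xyz
0.0.0.0 80FD4C6BAC35BAB54608B2F60A9A1759.online
0.0.0.0 A4E43EDE382B7613F03D2997C80E2DA9.online
0.0.0.0 9D3C13FAF748710EBB5A8E1232B43CA7.online
0.0.0.0 80FD4C6BAC35BAB54608B2F60A9A1759.online
0.0.0.0 D43AC96995C02E4A7CCECE3059730B95.online
0.0.0.0 EC33503163B5789F6786C0D82B479364.online
0.0.0.0 1898799673.rsc.cdn77.org
0.0.0.0 1898799673.rsc.cdn77.org
0.0.0.0 rsc.cdn77.org
0.0.0.0 cdn77.org
0.0.0.0 www.hh1m.com
0.0.0.0 www.hh1m.com
0.0.0.0 hh1m.com
"""

# Assumption: shared hosting/CDN names. Sinkholing them wholesale breaks
# unrelated legitimate software, so they are flagged for review instead.
SHARED_INFRASTRUCTURE = frozenset({"s3.amazonaws.com", "cdn77.org"})

# Exactly one IPv4 sink address followed by one hostname; nothing else passes.
HOSTS_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Za-z0-9.-]+)\s*$")


def parse_hosts_block(text):
    """Return (entries, rejects): entries maps each lower-cased hostname to
    its sink address (first occurrence wins, so duplicates collapse);
    rejects holds raw lines that did not look like a hosts entry."""
    entries, rejects = {}, []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = HOSTS_LINE.match(line)
        if match is None:
            rejects.append(line)
            continue
        sink, host = match.group(1), match.group(2).lower().rstrip(".")
        entries.setdefault(host, sink)
    return entries, rejects


def is_under(host, parent):
    """True if host equals parent or is a subdomain of it."""
    return host == parent or host.endswith("." + parent)


def collateral_warnings(hosts, shared=SHARED_INFRASTRUCTURE):
    """Hostnames that are, or sit under, a shared-infrastructure domain."""
    return sorted(h for h in hosts if any(is_under(h, s) for s in shared))


def render_hosts(entries, shared=SHARED_INFRASTRUCTURE):
    """Emit a deduplicated hosts block grouped by registrable domain; flagged
    names are written as comments so the reviewer has to opt in."""
    lines = []
    for host in sorted(entries, key=lambda h: h.split(".")[::-1]):
        prefix = "# REVIEW: " if any(is_under(host, s) for s in shared) else ""
        lines.append(f"{prefix}{entries[host]} {host}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed, bad = parse_hosts_block(RAW_HOSTS_BLOCK)
    print(f"{len(parsed)} unique hostnames, {len(bad)} rejected lines")
    for host in collateral_warnings(parsed):
        print("review before deploying:", host)
    print(render_hosts(parsed))
```

Run it as-is and the 31 posted lines collapse to 22 unique hostnames, with the four Amazon S3 and cdn77 names emitted as commented-out REVIEW entries rather than live blocks. The same parsed list can feed a DNS sinkhole or firewall rule generator for the network-level blocking comment 4 asks about, which is where the "walks outside onto cellular data" objection in the thread does not apply.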

  11. Here you go for hosts file level blocking by Anonymous Coward · · Score: 0

    Here you go for hosts file level blocking https://it.slashdot.org/commen...

    * :)

    APK

  12. ... but does it run on Linux? by mspohr · · Score: 4, Funny

    If it only runs on Windows, it is of no consequence since it only affects those too stupid to protect themselves.

    --
    I don't read your sig. Why are you reading mine?