One of the most destructive botnets can now spread to nearby Wi-Fi networks
0 likes53 views
The Emotet malware has evolved to spread to nearby Wi-Fi networks, using infected devices to enumerate and access unsecured networks. It employs compromised devices to guess passwords for connected devices and potentially deliver additional malware like Ryuk ransomware. This development highlights the need for strong passwords to secure Wi-Fi networks against such threats.
One of the most destructive botnets can now spread to nearby Wi-Fi networks
- 1. 2/14/2020 One of the most destructive botnets can now spread to nearby Wi-Fi networks | Ars Technica https://arstechnica.com/information-technology/2020/02/one-of-the-most-destructive-botnets-can-now-spread-to-nearby-wi-fi-networks/ 1/5 JUMPING THE WI-FI GAP — One of the most destructive botnets can now spread to nearby Wi-Fi networks Emotet's sophistication and reach continues to evolve. - 2/12/2020, 5:26 AM Enlarge MarcoVerch/Flickr DAN GOODIN SUBSCRIBE SIGN IN
- 2. 2/14/2020 One of the most destructive botnets can now spread to nearby Wi-Fi networks | Ars Technica https://arstechnica.com/information-technology/2020/02/one-of-the-most-destructive-botnets-can-now-spread-to-nearby-wi-fi-networks/ 2/5 FURTHER READING World’s most destructive botnet returns with stolen passwords and email in tow Over the past half decade, the Emotet malware has emerged as a top Internet threat that pillages people’s bank accounts and installs other types of malware. The sophistication of its code base and its regularly evolving methods for tricking targets into clicking on malicious links—in September, for instance, it began a spam run that addresses recipients by name and quotes past emails they sent or received—has allowed it to spread widely. Now, Emotet is adopting yet another way to spread: using already compromised devices to infect devices connected to nearby Wi-Fi networks. Last month, Emotet operators were caught using an updated version that uses infected devices to enumerate all nearby Wi-Fi networks. It uses a programming interface called wlanAPI to profile the SSID, signal strength, and use of WPA or other encryption methods for password-protecting access. Then, the malware uses one of two password lists to guess commonly used default username and password combinations. After successfully gaining access to a new Wi-Fi network, the infected device enumerates all non-hidden devices that are connected to it. Using a second password list, the malware then tries to guess credentials for each user connected to the drive. In the event that no connected users are infected, the malware tries to guess the password for the administrator of the shared resource. While Emotet is best known for circulating through malicious email runs, it has also been observed spreading in worm-like fashion from device to device over infected networks. If it successfully guesses the password to a connected device, it then loads the Emotet malware and possibly other pieces of malware—such as the Ryuk ransomware or the TrickBot malware— Join Ars Technica and Get Our Best Tech Stories DELIVERED STRAIGHT TO YOUR INBOX. Email address SIGN ME UP Will be used in accordance with our Privacy Policy Enlarge / An overview of Emotet's newly discovered Wi-Fi spreader.
- 3. 2/14/2020 One of the most destructive botnets can now spread to nearby Wi-Fi networks | Ars Technica https://arstechnica.com/information-technology/2020/02/one-of-the-most-destructive-botnets-can-now-spread-to-nearby-wi-fi-networks/ 3/5 READER COMMENTS 60 SHARE THIS STORY DAN GOODIN Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. EMAIL dan.goodin@arstechnica.com // TWITTER @dangoodin001 in exchange for fees paid by operators of those campaigns. No longer content with infecting only devices inside the compromised network, Emotet is now using the newly discovered version to jump from network to network. Beware of weak passwords “With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities,” researchers from security firm Binary Defense wrote in a recently published post. “Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords.” The Binary Defense post said the new Wi-Fi spreader has a timestamp of April 2018 and was first submitted to the VirusTotal malware search engine a month later. While the module was created almost two years ago, Binary Defense didn’t observe it being used in the wild until last month. The newly documented spreader underscores the importance of using strong passwords to restrict access to Wi-Fi networks. Emotet’s previously known ability to spread from device to device within a network already underscored the importance of using strong passwords to restrict access to devices connected to local networks. Passwords should always be randomly generated and should never be fewer than 11 characters. One aspect of the new Wi-Fi spreader is out of keeping with Emotet’s usual penchant for stealth of sophistication. The module uses unencrypted connections to communicate with attacker-controlled servers. That makes it easy to detect patterns in traffic that people can use to detect infections. The malware can also be detected through active monitoring of connected devices for new services being installed and watching for any processes or services running from temporary files and user profile application data folders. The Binary Defense post provides other indicators of compromise. How do you feel about the security of your data? 1 0 ,6 7 5 P EO P L E H AV E A N S W E R E D Not concerned Very concerned Share T&Cs