posted by hubie on Thursday December 15 2022, @06:24PM

Wiper malware from no fewer than 9 families has appeared this year. Now there are 2 more.

Over the past year, a flurry of destructive wiper malware from no fewer than nine families has appeared. In the past week, researchers cataloged at least two more, both exhibiting advanced codebases designed to inflict maximum damage.

On Monday, researchers from Check Point Research published details of Azov, a previously unseen piece of malware that the company described as an "effective, fast, and unfortunately unrecoverable data wiper." Files are wiped in blocks of 666 bytes by overwriting them with random data, leaving an identically sized block intact, and so on. The malware uses the uninitialized local variable char buffer[666].

[...] Despite the initial appearance of an undertaking by juvenile developers, Azov is by no means unsophisticated. It's a computer virus in the original definition, meaning it modifies files—in this case, adding polymorphic code to backdoor 64-bit executables—which attack the infected system. It's also entirely written in assembly, a low-level language that's extremely painstaking to use but also makes the malware more effective in the backdooring process. Besides the polymorphic code, Azov uses other techniques to make detection and analysis by researchers harder.

"Although the Azov sample was considered skidsware when first encountered (likely because of the strangely formed ransom note), when probed further one finds very advanced techniques—manually crafted assembly, injecting payloads into executables in order to backdoor them, and several anti-analysis tricks usually reserved for security textbooks or high-profile brand-name cybercrime tools," Check Point researcher Jiri Vinopal wrote. "Azov ransomware certainly ought to give the typical reverse engineer a harder time than the average malware."

A logic bomb built into the code causes Azov to detonate at a predetermined time. Once triggered, the logic bomb iterates over all file directories and executes the wiping routine on each one, except for specific hard-coded system paths and file extensions. As of last month, more than 17,000 backdoored executables had been submitted to VirusTotal, indicating that the malware has spread widely.
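The block-alternating wipe pattern described above lends itself to a simple forensic check. As an added example (not part of the article or the Check Point write-up), this Python snippet maps which 666-byte blocks of a recovered file image are near-random and which still hold original content, so a recovery pass knows what survived; the sample image is constructed, and the 7.0-bit entropy threshold is an assumption.

```python
import math
import random

BLOCK = 666  # block size given in the Check Point description

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: ~0 for constant data, ~4-5 for English text,
    close to 8 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def block_map(image: bytes, threshold: float = 7.0) -> list:
    """One flag per BLOCK-sized slice: True if the slice is near-random
    (consistent with having been overwritten), False if it still looks
    like ordinary file content. The threshold is an assumption."""
    return [shannon_entropy(image[i:i + BLOCK]) >= threshold
            for i in range(0, len(image), BLOCK)]

def matches_alternating_wipe(flags: list, min_blocks: int = 4) -> bool:
    """True when overwritten and intact blocks strictly alternate, as the
    article describes; short files are reported as inconclusive (False)."""
    if len(flags) < min_blocks or not any(flags):
        return False
    return all(flags[i] != flags[i + 1] for i in range(len(flags) - 1))

def intact_ranges(image: bytes) -> list:
    """(start, end) byte ranges that still hold original content, which is
    what a recovery or hashing pass would want to carve out."""
    return [(i * BLOCK, min((i + 1) * BLOCK, len(image)))
            for i, hit in enumerate(block_map(image)) if not hit]

# Constructed sample (not a real artefact): a 5-block text file in which blocks
# 0, 2 and 4 have been replaced by seeded pseudo-random bytes standing in for the
# random data described in the article.
ORIGINAL = (b"The quick brown fox jumps over the lazy dog. " * 80)[:5 * BLOCK]
_rng = random.Random(1337)
SAMPLE = b"".join(
    bytes(_rng.getrandbits(8) for _ in range(BLOCK)) if i % 2 == 0
    else ORIGINAL[i * BLOCK:(i + 1) * BLOCK]
    for i in range(5)
)

if __name__ == "__main__":
    flags = block_map(SAMPLE)
    print("block map       :", ["wiped" if f else "intact" for f in flags])
    print("alternating wipe:", matches_alternating_wipe(flags))
    print("intact ranges   :", intact_ranges(SAMPLE))
```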



This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 5, Insightful) by canopic jug on Thursday December 15 2022, @06:51PM (6 children)

    by canopic jug (3949) Subscriber Badge on Thursday December 15 2022, @06:51PM (#1282568) Journal

    It looks like another case of Windoze Total Cost of Ownership (TCO) being ignored as an externality.

    The malware is named Azov and is Windows-only [checkpoint.com]. We've watched malware, and in particular ransomware, which was only a cottage industry a few years ago grow into a global growth sector netting over a billion in profit [cbsnews.com] annually. Because of managers' die-hard attachment to all things M$ that number is projected to only grow, unless we remove the cause: With apologies to Cory Doctorow, it has been clear since the 1990s that Windows deployments on desktops and data centers are the used, oily rags of computing but less useful.

    Moving to GNU/Linux, or FreeBSD, in and of itself won't be a panacea, but it will eliminate more than 99.9% of all malware, including ransomware. The question is not how much it costs to fire the microsofters working against their employers while on their payroll, the question is how much it costs not to fire them and replace them with real staff, not working for M$, and actually knowledgeable about real software and systems. Leaving microsoft resellers embedded in what used to be actual IT departments is costing real time and money through thoroughly unnecessary expenses. Windoze certification on the resume? Pink slip and a frog march to the parking lot by security carrying the box.

    Seriously, as the war has become more visible, and kinetic, this year, the cost of allowing microsofters to persist anywhere near a keyboard is dangerous -- and expensive.

    --
    Money is not free speech. Elections should not be auctions.
    • (Score: 2) by Sjolfr on Thursday December 15 2022, @07:06PM (3 children)

      by Sjolfr (17977) on Thursday December 15 2022, @07:06PM (#1282571)

      I wish more articles were more clear about these viruses and malware garbage. Windows only folks. There are still ZERO viruses and stuff for linux, BSD, unix, MacOS (since they migrated to BSD based OS) and so on. And, just because people can imagine a virus for linux, it doesn't mean that it's technically feasible or even doable.

      Without properly stating the extent of the problem this stuff is just click-bait and gas-lighting.

      • (Score: 4, Informative) by canopic jug on Thursday December 15 2022, @07:39PM

        by canopic jug (3949) Subscriber Badge on Thursday December 15 2022, @07:39PM (#1282573) Journal

        The obfuscation is apparently intentional. There have been many opportunities over the years to point out which systems are affected. Yet, when possible, the authors and/or their editors choose to make the articles and headlines as unclear as possible when it comes to Windows-only malware. Contrast that with the situations when anything goes wrong with anything even peripherally related to GNU/Linux or Free and Open Source Software in general. In that case, the term "Linux" or "Open-Source" (with the hyphen) is all over the headline and the lede.

        Some of that may be due to the few remaining online magazines and newspapers being entirely beholden to the advertising money coming in from m$ partners. However, I would not eliminate the possibility of ideological opposition to Open Source and specifically Free Software. Either way, they seem to be trying to throw as much shade on FOSS as they can get away with.

        --
        Money is not free speech. Elections should not be auctions.
      • (Score: 2, Informative) by Runaway1956 on Thursday December 15 2022, @10:33PM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Thursday December 15 2022, @10:33PM (#1282594) Journal

        There are still ZERO viruses and stuff for linux, BSD, unix, MacOS

        *cough cough*

        https://en.wikipedia.org/wiki/Linux_malware#Threats [wikipedia.org]

        Threats
        The following is a partial list of known Linux malware. However, few if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat. Known malware is not the only or even the most important threat: new malware or attacks directed to specific sites can use vulnerabilities previously unknown to the community or unused by malware.

        Botnets
        Mayhem – 32/64-bit Linux/FreeBSD multifunctional botnet[37]
        Linux.Remaiten – a threat targeting the Internet of things.[38][39][40]
        Mirai (malware) – a DDoS botnet spreads through telnet service and designed to infect Internet of Things (IoT).[41][42][43][44]
        GafGyt/BASHLITE/Qbot – a DDoS botnet spreads through SSH and Telnet service weak passwords, firstly discovered during bash Shellshock vulnerability.[45]
        LuaBot – a botnet coded with modules component in Lua programming language, cross-compiled in C wrapper with LibC, it aims for Internet of Things in ARM, MIPS and PPC architectures, with the usage to DDoS, spreads Mirai (malware) or selling proxy access to the cyber crime.[46][47]
        Hydra,[48] Aidra,[49] LightAidra[50] and NewAidra[51] – another form of a powerful IRC botnet that infects Linux boxes.
        EnergyMech 2.8 overkill mod (Linux/Overkill) – a long last botnet designed to infect servers with its bot and operated through IRC protocol for the DDoS and spreading purpose.[52]

        Ransomware
        Linux.Encoder.1[53][54]
        Lilocked[55][56]

        Rootkits
        Snakso – a 64-bit Linux webserver rootkit[57]

        Trojans
        Effusion – 32/64-bit injector for Apache/Nginx webservers, (7 Jan 2014)[58]
        Hand of Thief – Banking trojan, 2013,[59][60]
        Kaiten – Linux.Backdoor.Kaiten trojan horse[61]
        Rexob – Linux.Backdoor.Rexob trojan[62]
        Waterfall screensaver backdoor – on gnome-look.org[63]
        Tsunami.gen – Backdoor.Linux.Tsunami.gen[64]
        Turla – HEUR:Backdoor.Linux.Turla.gen[65][66]
        Xor DDoS[67] – a trojan malware that hijacks Linux systems and uses them to launch DDoS attacks which have reached loads of 150+ Gbps.[68]
        Hummingbad – has infected over 10 million Android operating systems. User details are sold and adverts are tapped on without the user's knowledge thereby generating fraudulent advertising revenue.[69]
        NyaDrop – a small Linux backdoor compiled from a Linux shellcode to be used to infect Linux boxes with bigger size Linux malware.[70]
        PNScan – Linux trojan designed to aim routers and self-infecting to a specific targeted network segment in a worm-like form[71]
        SpeakUp – a backdoor trojan that infects six different Linux distributions and macOS devices.[72][73]

        Viruses
        42[74][75]
        Arches[76]
        Alaeda – Virus.Linux.Alaeda[77]
        Binom – Linux/Binom[78]
        Bliss – requires root privileges
        Brundle[79]
        Bukowski[80]
        Caveat [81][82]
        Cephei – Linux.Cephei.A (and variants)[83]
        Coin [84][85]
        Hasher [86][87]
        Lacrimae (aka Crimea) [88][89]
        MetaPHOR (also known as Simile)[90]
        Nuxbee – Virus.Linux.Nuxbee.1403[91]
        OSF.8759
        PiLoT[92][93]
        Podloso – Linux.Podloso (The iPod virus)[94][95]
        RELx [96]
        Rike – Virus.Linux.Rike.1627[97]
        RST – Virus.Linux.RST.a[98] (known for infecting Korean release of Mozilla Suite 1.7.6 and Thunderbird 1.0.2 in September 2005[99])
        Staog
        Vit – Virus.Linux.Vit.4096[100]
        Winter – Virus.Linux.Winter.341[101]
        Winux (also known as Lindose and PEElf)[102]
        Wit virus[103]
        Zariche – Linux.Zariche.A (and variants)[104]
        ZipWorm – Virus.Linux.ZipWorm[105]

        Worms
        Adm – Net-Worm.Linux.Adm[106]
        Adore[107]
        Bad Bunny – Perl.Badbunny[8][108]
        Cheese – Net-Worm.Linux.Cheese[109]
        Devnull
        Kork[110]
        Linux/Lion
        Linux.Darlloz – targets home routers, set-top boxes, security cameras and industrial control systems.[111][112]
        Linux/Lupper.worm[113]
        Mighty – Net-Worm.Linux.Mighty[114]
        Millen – Linux.Millen.Worm[115]
        Ramen worm - targeted only Red Hat Linux distributions versions 6.2 and 7.0
        Slapper[116]
        SSH Bruteforce[117]

        Of course, the wiki list is not comprehensive.

        https://www.kaspersky.com/resource-center/threats/a-brief-history-of-computer-viruses-and-what-the-future-holds [kaspersky.com]

        The Creeper Program
        As noted by Discovery, the Creeper program, often regarded as the first virus, was created in 1971 by Bob Thomas of BBN. Creeper was actually designed as a security test to see if a self-replicating program was possible. It was—sort of. With each new hard drive infected, Creeper would try to remove itself from the previous host. Creeper had no malicious intent and only displayed a simple message: "I'M THE CREEPER. CATCH ME IF YOU CAN!"

        Don't be a creeper who spreads falsehoods about *nix-like OSs. We have our problems, and we can lose everything, just like the Windows world. The difference is, Unix was built with security from day one. Security in Windows has always been an after market bolt-on.

        --
        “I have become friends with many school shooters” - Tampon Tim Walz
        • (Score: 5, Informative) by Sjolfr on Friday December 16 2022, @01:15AM

          by Sjolfr (17977) on Friday December 16 2022, @01:15AM (#1282605)

          Code like the stuff in your list depends on user execution on linux/unix. That means they are not really viruses or malware ... they are simply destructive programs. Plus, they can not move outside of the specific users' environment, unless some dope runs them as root, and they can not infect other computers.

          There are always vulnerabilities in code that get patched with the development cycle. Those too are not really viruses or malware.

          Saying that unix and linux OSs do not have viruses is not false. It's technically true. Calling a destructive program a virus is just conflation.

          few if any are in the wild

          None are in the wild. A set of code is not a virus unless it can propagate itself in the wild. Next, let's talk about why unix/linux doesn't suffer from the same problems as windows. I'll let you start.

    • (Score: 2) by turgid on Thursday December 15 2022, @09:25PM

      by turgid (4318) Subscriber Badge on Thursday December 15 2022, @09:25PM (#1282583) Journal

      Linux? We all run WSL now. No need to install Ubuntu any more!

    • (Score: 3, Insightful) by corey on Thursday December 15 2022, @09:33PM

      by corey (2202) on Thursday December 15 2022, @09:33PM (#1282586)

      Nicely said. What you say is exactly my work’s IT department. Everything is Dell, Microsoft. Copy, paste. Meanwhile our laptops are so locked down that I can’t run any executable unless it’s on some whitelist, can’t install anything, can’t modify any system configs, plug in any USB or even mount any smb shares outside of the company’s domain controller. It means every time I open Edge, it steals the default browser setting and Firefox no longer opens links and I have to manually tell Firefox to reset itself as the default browser. That’s a waste of my time, which isn’t cheap. What also is a waste of my time is the SharePoint system we are forced to use for project file storage; it’s pathetic. I have to check in a file whenever I add a new one, and that requires clicking the … then Advanced, then Check In. It’s not the new SharePoint. My laptop is some fancy 10th Gen Intel with 32GB ram and dedicated video, but it sits with the fan going mad literally half the day. Upon checking task manager, it’s always sophos scanner running or some ivanti update service. I define our IT “function” as being dysfunctional.

  • (Score: 2) by istartedi on Thursday December 15 2022, @09:55PM (2 children)

    by istartedi (123) on Thursday December 15 2022, @09:55PM (#1282589) Journal

    How do they know it's written in assembly, unless they actually have source? Do they have profilers for all the compilers that allow them to say definitively, "No known compiler generates this kind of code"? It seems like that's the best they could do. AFAIK, there's no real way to tell a High Level Language (HLL) isn't being used to maintain the sources, although it might be an unreleased HLL.

    --
    Appended to the end of comments you post. Max: 120 chars.
    • (Score: 1, Informative) by Anonymous Coward on Thursday December 15 2022, @10:31PM

      by Anonymous Coward on Thursday December 15 2022, @10:31PM (#1282593)

      How do they know it's written in assembly, unless they actually have source? Do they have profilers for all the compilers that allow them to say definitively, "No known compiler generates this kind of code". It seems like that's the best they could do. AFAIK, there's no real way to tell a High Level Language (HLL) isn't being used to maintain the sources, although it might be an unreleased HLL.

      It is normally fairly easy to spot a compiled version of code as opposed to assembly versions of it.

      Compiled code usually has a number of idiosyncrasies that make it obvious as being compiled: tell-tale initialisation code, use of libraries and, surprisingly, often (normally?) much better optimisation than hand-crafted code. Assembly code, on the other hand, often uses tricks that depend on optimising the algorithm for solving specific problems instead of optimizing the code per se.

    • (Score: 3, Informative) by WeekendMonkey on Thursday December 15 2022, @10:42PM

      by WeekendMonkey (5209) on Thursday December 15 2022, @10:42PM (#1282595)

      Back when I was developing legacy BIOS, which was written mostly in assembler, I spent a lot of time debugging problems with interactions between the BIOS and OS. After a while doing that you start to recognise the tell-tale signs of compiled code, such as stack-based local variables and function call entry and exit code. I could usually tell where I was in a piece of C code just from the assembler opcodes (I wasn't using source-level debug). Compilers are certainly more efficient now, but I would have expected the optimization to concentrate on loops and inlining often-repeated sections, not on saving a few cycles in a function's entry and exit code. So I'm sure that patterns exist for the trained eye, regardless of the language.
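The "tell-tale signs" the last two commenters describe (frame setup, stack-based locals, matching entry and exit code) can be turned into a rough triage heuristic. As an added example (not from any commenter or from Check Point), this Python snippet counts canonical x86-64 frame prologues and epilogues in a raw code blob; the byte samples are constructed, and the thresholds are assumptions.

```python
import re

# Byte patterns of the frame-based function entry most C compilers emit when
# frame pointers are kept (the default at -O0, optional at higher levels):
#   55           push rbp
#   48 89 e5     mov  rbp, rsp
#   48 83 ec XX  sub  rsp, imm8     (only when the function has locals)
PROLOGUE = re.compile(rb"\x55\x48\x89\xe5(?:\x48\x83\xec.)?", re.DOTALL)
# Matching exits:  5d c3 = pop rbp; ret      c9 c3 = leave; ret
EPILOGUE = re.compile(rb"\x5d\xc3|\xc9\xc3")

def prologue_stats(code: bytes) -> dict:
    """Count frame prologues/epilogues in a raw code blob and report density."""
    prologues = len(PROLOGUE.findall(code))
    epilogues = len(EPILOGUE.findall(code))
    kib = max(len(code), 1) / 1024
    return {"bytes": len(code), "prologues": prologues,
            "epilogues": epilogues, "prologues_per_kib": round(prologues / kib, 1)}

def classify(code: bytes, min_pairs: int = 2) -> str:
    """'compiler-like' when several prologue/epilogue pairs are present.
    The other verdict is deliberately weak: optimised builds omit frame
    pointers, so a missing idiom never proves hand-written assembly."""
    s = prologue_stats(code)
    if min(s["prologues"], s["epilogues"]) >= min_pairs:
        return "compiler-like"
    return "no frame idiom found"

# Constructed sample A: three tiny functions laid out the way an unoptimised
# C compiler would emit them (hand-assembled here for the example).
COMPILED_LIKE = (
    b"\x55\x48\x89\xe5\x48\x83\xec\x10"   # push rbp; mov rbp,rsp; sub rsp,0x10
    b"\x89\x7d\xfc"                       # mov [rbp-4], edi   (spill the argument)
    b"\x8b\x45\xfc\x83\xc0\x01"           # mov eax,[rbp-4]; add eax,1
    b"\xc9\xc3"                           # leave; ret
    b"\x55\x48\x89\xe5"                   # push rbp; mov rbp,rsp
    b"\x89\xf8\x0f\xaf\xc7"               # mov eax,edi; imul eax,edi
    b"\x5d\xc3"                           # pop rbp; ret
    b"\x55\x48\x89\xe5\x48\x83\xec\x20"   # push rbp; mov rbp,rsp; sub rsp,0x20
    b"\x31\xc0"                           # xor eax,eax
    b"\xc9\xc3"                           # leave; ret
)
# Constructed sample B: a register-only loop with no frame at all, the style a
# hand-written routine often has.
HANDWRITTEN_LIKE = (
    b"\x31\xc0"             # xor eax,eax
    b"\x48\x31\xc9"         # xor rcx,rcx
    b"\x48\xff\xc1"         # inc rcx
    b"\x48\x83\xf9\x0a"     # cmp rcx,10
    b"\x75\xf7"             # jne back to inc rcx
    b"\xc3"                 # ret
)

if __name__ == "__main__":
    for name, blob in (("A", COMPILED_LIKE), ("B", HANDWRITTEN_LIKE)):
        print(name, prologue_stats(blob), classify(blob))
```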
