Things that go 'weird' in a computer
#1
I'm pretty old.  I've been around since the Imsai 8080 was the "big" thing featured in the movie "Wargames."  For me, the dream of building my own computer was seen as a "What the hell?" kind of interest.  My first machine ran on a 6502, and I was personally affronted when a certain machine code was 'sold' to a startup called Microsoft for something called 'Windows.'

Since then things have come a long way, ever complicated by commerce, and now we all operate with the need for overlapping security against exploitation of the code we run on the systems we use.  So I get a little paranoid now and again.

When my computer seems to be 'extra' active while idling, or unusual communication ports are opening up and closing, when graphics seem glitched for no reason... I worry.

Now that it is clear there are as many ways to exploit a computer as one could imagine, I found this:

From ArsTechnica: Researchers spot cryptojacking attack that disables endpoint protections
Subtitled: A key component: Installing known vulnerable drivers from Avast and IOBit.
 

Malware recently spotted in the wild uses sophisticated measures to disable antivirus protections, destroy evidence of infection, and permanently infect machines with cryptocurrency-mining software, researchers said Tuesday.

Key to making the unusually complex system of malware operate is a function in the main payload, named GhostEngine, that disables Microsoft Defender or any other antivirus or endpoint-protection software that may be running on the targeted computer. It also hides any evidence of compromise. “The first objective of the GhostEngine malware is to incapacitate endpoint security solutions and disable specific Windows event logs, such as Security and System logs, which record process creation and service registration,” said researchers from Elastic Security Labs, who discovered the attacks.

When it first executes, GhostEngine scans machines for any EDR, or endpoint protection and response, software that may be running. If it finds any, it loads drivers known to contain vulnerabilities that allow attackers to gain access to the kernel, the core of all operating systems that’s heavily restricted to prevent tampering. One of the vulnerable drivers is an anti-rootkit file from Avast named aswArPots.sys. GhostEngine uses it to terminate the EDR security agent. A malicious file named smartscreen.exe then uses a driver from IObit named iobitunlockers.sys to delete the security agent binary.

“Once the vulnerable drivers are loaded, detection opportunities decrease significantly, and organizations must find compromised endpoints that stop transmitting logs to their SIEM,” the researchers wrote, using the abbreviation for security information and event management. Their research overlaps with recent findings from Antiy.



As it turns out the vulnerability is exploited by shoehorning in code via an antiviral software dll.  Suddenly your machine is crypto mining for someone else.  Makes sense, right?  Your hardware, your electricity expense, your time... usurped so someone else can make money for free... 

Yeah... welcome to the machine.
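A defender-side reading of the quoted article, as an added example that is not code from the article, from Elastic Security Labs, or from this thread: the Elastic quote says that once the vulnerable drivers are loaded, the remaining tell is "compromised endpoints that stop transmitting logs to their SIEM". The Python below is hypothetical SIEM-side detection logic run over constructed sample events. It flags loads of the two driver file names the article names, flags hosts whose log stream has gone quiet, and correlates a driver load with a process termination or a silence shortly afterwards. The event format, host names, file paths, and timestamps are all made up for the example.

```python
"""Hypothetical SIEM detections for the GhostEngine behaviours described in
the quoted Ars Technica / Elastic text: loading a known-vulnerable driver to
terminate the EDR agent, then the endpoint going silent.  Everything below
(event schema, hosts, paths, timestamps) is constructed sample data."""
from datetime import datetime, timedelta

# Driver file names the article names as abused by GhostEngine (lower-cased
# because Windows file names are case-insensitive).
VULNERABLE_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}

# Constructed sample events in a made-up, simplified SIEM record format.
# In a real deployment a driver load would arrive as e.g. Sysmon Event ID 6.
SAMPLE_EVENTS = [
    {"host": "ws-01", "ts": "2024-05-21T09:00:00", "kind": "driver_load",
     "image": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"host": "ws-01", "ts": "2024-05-21T09:05:00", "kind": "driver_load",
     "image": "C:\\ProgramData\\aswArPots.sys"},
    {"host": "ws-01", "ts": "2024-05-21T09:05:30", "kind": "process_terminated",
     "image": "C:\\Program Files\\EDR\\agent.exe"},
    {"host": "ws-01", "ts": "2024-05-21T09:06:00", "kind": "heartbeat"},
    {"host": "ws-02", "ts": "2024-05-21T11:55:00", "kind": "heartbeat"},
    {"host": "ws-03", "ts": "2024-05-21T11:59:00", "kind": "driver_load",
     "image": "C:\\Windows\\System32\\drivers\\ndis.sys"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_vulnerable_driver_loads(events):
    """Return (host, ts, image) for every load of a known-vulnerable driver.
    Match on the basename only: the attacker chooses the drop path."""
    hits = []
    for e in events:
        if e["kind"] != "driver_load":
            continue
        name = e["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in VULNERABLE_DRIVERS:
            hits.append((e["host"], e["ts"], e["image"]))
    return hits


def detect_silent_hosts(events, now_iso, max_gap=timedelta(minutes=30)):
    """Hosts whose newest event of any kind is older than max_gap before now.
    This is the 'stops transmitting logs to their SIEM' condition."""
    now = parse_ts(now_iso)
    last_seen = {}
    for e in events:
        t = parse_ts(e["ts"])
        if e["host"] not in last_seen or t > last_seen[e["host"]]:
            last_seen[e["host"]] = t
    return sorted(h for h, t in last_seen.items() if now - t > max_gap)


def correlate(events, now_iso, window=timedelta(minutes=10)):
    """Group evidence per host: a vulnerable-driver load, any process
    termination within `window` after it, and whether the host went quiet."""
    silent = set(detect_silent_hosts(events, now_iso))
    findings = {}
    for host, ts, image in detect_vulnerable_driver_loads(events):
        t0 = parse_ts(ts)
        reasons = [f"vulnerable driver loaded: {image}"]
        for e in events:
            if e["host"] == host and e["kind"] == "process_terminated":
                dt = parse_ts(e["ts"]) - t0
                if timedelta(0) <= dt <= window:
                    secs = int(dt.total_seconds())
                    reasons.append(f"process terminated {secs}s later: {e['image']}")
        if host in silent:
            reasons.append("host stopped sending logs")
        findings.setdefault(host, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for host, reasons in correlate(SAMPLE_EVENTS, "2024-05-21T12:00:00").items():
        print(host)
        for r in reasons:
            print("  -", r)
```

The silence check is deliberately independent of the driver check: a host that simply goes quiet is worth a look on its own, since the article's point is that after the agent is killed the detection signal on the endpoint itself is gone and only its absence remains visible upstream.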
#2
I turn off my pc when not actively using it. 

I reinstall os regularly.
#3
If you think that's scary, I can make fileless malware that runs in your registry and injects into memory to bypass EDR. Almost all malware now is two-stage malware; it started with macros in Word and has progressed since then. Technically it started in PDF, but not two-stage. That was in 2011 or so when we were encoding files using shikataganai to obfuscate it. Back then the only thing that caught it was Trend Micro, but if you change the signature you change the malware. Antivirus can only protect against known signatures. Other methods are watching behaviors like PowerShell. Windows Defender nowadays is starting to block PowerShell scripts, about damn time but years too damn late. The truth is nothing's ever safe, nothing ever will be, and I'm fairly positive holes are put into software on purpose for government use. What was the Internet after all before it was released to the public?

"I thought what I'd do was, I'd pretend I was one of those deaf-mutes."