Emotet Computer Worm



Security researchers have detected a new form of the famous malware loading program Emotet. This modified version of the worm spreads through Wi-Fi networks that are protected only by weak passwords. What makes this malware a worm as apposed to a virus is that while viruses must be triggered into activation by their host, worms can self-replicate and propagate independently as soon as they have breached a system.

According to Binary Defense, the main executable used for this process is called worm.exe.

“Upon startup of Worm.exe, the first action it takes is to copy the service.exe string to a variable that will be used during file spreading. Next, it steps into the main loop and immediately begins profiling the wireless network using wlanAPI.dll calls in order to spread to any networks it can access,” the firm explained.

Before it can infect a system, the malware must first defeat the password through a brute-force attack. By profiling the networks in this way beforehand, the worm maximizes its efficiency and can compromise more systems. If your password is not sufficiently robust, it is certainly possible that a simple brute force or dictionary attack against your network could succeed.

Once inside the network, Emotet begins searching for all non-hidden shares – either brute forcing these as well or doing the same for the administrator account within the network resource.

When individual user accounts have been accessed, it then modifies its binary which installs Windows Defender System Service to gain persistence.

Researchers noted that a worm.exe timestamped for 4-16-2018 indicates that the module may have been running without being detected for a considerable amount of time. It is possible that this is due to its infrequent use by attackers or because for it to show up researchers would have to have a Wi-Fi card in their sandbox environment.

The main takeaway and the good news for businesses is that stronger passwords make brute forcing entry incredibly processor intensive and is the best protection against such attacks.

“Detection strategies for this threat include active monitoring of endpoints for new services being installed and investigating suspicious services or any processes running from temporary folders and user profile application data folders,” the vendor concluded.

“Network monitoring is also an effective detection method, since the communications are unencrypted and there are recognizable patterns that identify the malware message content.”

In the increasingly network connected world, having your IoT devices infected can take your business totally offline depending on what you do. That is why is it critical to use passwords that take into consideration best practices for information security. Most all attacks against our systems rely on some element of user error or negligence, so consider making information security a part of your organization’s culture.