Info-tech

Malware Smominru still active, infects 4,700 PCs a day

Our Bureau Hyderabad | Updated on October 08, 2019 Published on October 08, 2019

Malware Smominru, whose incidence was first reported in 2017, continues to infect computers in a big way. The fact that infected 4,700 computers a day shows how fast it is spreading. Reports suggest that it infected 90,000 machines globally in the month of August alone.

According to cyber security experts at Kaspersky, the victims range from universities to healthcare providers as the hackers are not too particular about their targets. “About 85 per cent of infections occur on Windows 7 and Windows Server 2008 systems. The rest include Windows Server 2012, Windows XP and Windows Server 2003,” they said.

The malware seems to have the ability to come back to hit the old victims if they fail to tackle the problem completely. “About one-fourth of the affected machines were infected again after Smominru was removed from them. In other words, some victims did clean their systems but ignored the root cause,” they said.

Modus operandi

After intruding into a computer, Smominru creates a new user, called admin$, vesting itself with admin privileges on the system and starts to download a whole bunch of malicious payloads. “The most obvious objective is to silently use infected computers for mining cryptocurrency at the victim’s expense,” they said.

The malware also downloads a set of modules used for spying and credential theft. On top of that, once Smominru gains a foothold, it tries to propagate further within the network to infect as many systems as possible.

The botnet is fiercely competitive and kills any rivals it finds on the infected computer. It disables and blocks any other malicious activities running on the targeted device. It prevents further infections by competitors.

The botnet relies on more than 20 dedicated servers, mostly located in the US, though some are hosted in Malaysia and Bulgaria.

A difficult problem

Experts at Kaspersky are of the opinion that it is not quite easy to take it down. Smominru’s attack infrastructure is widely distributed, complex, and highly flexible, making it unlikely to be taken down easily. The botnet will be active for quite some time before it can be tackled completely.

The experts ask the people to update operating systems (OS) and other software regularly to leave no doors open for the attackers.

Using strong passwords and deployment of a reliable password manager to create, manage, and automatically retrieve and enter passwords would help protect the users against brute-force attacks.

Published on October 08, 2019
  1. Comments will be moderated by The Hindu Business Line editorial team.
  2. Comments that are abusive, personal, incendiary or irrelevant cannot be published.
  3. Please write complete sentences. Do not type comments in all capital letters, or in all lower case letters, or using abbreviated text. (example: u cannot substitute for you, d is not 'the', n is not 'and').
  4. We may remove hyperlinks within comments.
  5. Please use a genuine email ID and provide your name, to avoid rejection.