According to researchers, a botnet targeting Windows PCs is expanding rapidly because of a new infection technique that allows the malware to spread from computer to computer.
The Purple Fox malware was first discovered in 2018 and spread through phishing emails and exploit kits, tools that criminal groups use to exploit existing security flaws to infect devices.
Guardicore researchers Amit Serper and Ophir Harpaz discovered the new infection method and described it on the company's blog. The malware, they said, targets Internet-exposed Windows PCs with weak passwords and uses the machines it compromises as a springboard to accelerate its spread.
The malware guesses weak passwords for Windows user accounts by targeting Server Message Block (SMB), the protocol Windows uses to talk to external devices such as printers and file servers.
Once it has gained access to a vulnerable computer, the malware fetches a malicious payload from a network of nearly 2,000 already compromised Windows web servers and silently installs a rootkit, which lets the malware persist on the computer and makes it even harder to detect and remove.
After infecting a machine, the malware closes the firewall port it used to get in, to keep other criminal groups from hijacking the already compromised computer or re-infecting it.
The malware then generates a list of Internet addresses, scans them for vulnerable computers with weak passwords, and spreads the infection to expand the network of compromised computers.
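As an added example (not from the article or from Guardicore), a small Python detector for the password-guessing stage described above, run over constructed Windows Security-log records: it flags a source that produces many failed network logons in a short window, and marks the source as "compromised" if a successful logon from it follows, which is the point at which the payload would be fetched.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log records (not from the article), shaped as
# (timestamp, event_id, source_ip, account). Event 4625 is a failed logon,
# 4624 a successful one; both are assumed to be Logon Type 3 (network),
# which is what SMB authentication attempts produce on the target.
SAMPLE_EVENTS = [
    ("2021-03-24T10:00:01", 4625, "203.0.113.7", "Administrator"),
    ("2021-03-24T10:00:02", 4625, "203.0.113.7", "admin"),
    ("2021-03-24T10:00:02", 4625, "203.0.113.7", "backup"),
    ("2021-03-24T10:00:03", 4625, "203.0.113.7", "guest"),
    ("2021-03-24T10:00:04", 4625, "203.0.113.7", "test"),
    ("2021-03-24T10:00:05", 4625, "203.0.113.7", "Administrator"),
    ("2021-03-24T10:00:09", 4624, "203.0.113.7", "Administrator"),
    ("2021-03-24T10:02:00", 4625, "198.51.100.4", "jsmith"),
    ("2021-03-24T10:02:30", 4624, "198.51.100.4", "jsmith"),
]

def detect_password_guessing(events, window=timedelta(minutes=5), threshold=5):
    """Map source_ip -> "attempted" or "compromised" for every source whose
    failed network logons within `window` reach `threshold`. "compromised"
    means a successful logon from the same source followed the guessing."""
    failures = defaultdict(list)   # source_ip -> timestamps of 4625 events
    successes = defaultdict(list)  # source_ip -> timestamps of 4624 events
    for ts, event_id, src, _account in events:
        when = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[src].append(when)
        elif event_id == 4624:
            successes[src].append(when)

    verdicts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window so that times[start] .. t spans at most `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Did a logon from the same source follow the guessing burst?
                later_success = any(s >= t for s in successes.get(src, []))
                verdicts[src] = "compromised" if later_success else "attempted"
                break
    return verdicts

if __name__ == "__main__":
    print(detect_password_guessing(SAMPLE_EVENTS))
```

On a real host the same logic runs over exported Security-log events; the threshold and window should be tuned to the environment's normal failed-logon rate.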
A botnet is created by enrolling hundreds of thousands of hacked devices in a network controlled by a criminal group. It can be used to launch a DoS attack, bringing down the targeted organization's network with junk traffic.
By controlling these devices, criminal groups can also use botnets to spread malware and spam, and even push file-encrypting ransomware to infected computers.
A worm-like botnet of this type is even more dangerous, however, because it spreads on its own.
Serper, vice president of security research at Guardicore, said worm-like infection techniques can be carried out "cheaper" than traditional phishing and exploit kits.
“The opportunistic attack of constantly monitoring the Internet for vulnerable machines means that criminals can, in a sense, ‘set and forget’,” he said.
The scheme seems to be working. Data from Guardicore's own network of Internet sensors show that Purple Fox infections have surged 600% since May 2020, with more than 90,000 infections in 2020 alone; the actual number must be much higher.
Guardicore has released indicators of compromise so that organizations can check whether their networks are infected. The researchers don't know what the botnet is being used for, but they warn that its size alone is a risk to organizations.
"We think this is laying the groundwork for doing something in the future," Serper said.