Malware Smominru, whose incidence was first reported in 2017, continues to infect computers in a big way. The fact that infected 4,700 computers a day shows how fast it is spreading. Reports suggest that it infected 90,000 machines globally in the month of August alone.
According to cyber security experts at Kaspersky, the victims range from universities to healthcare providers as the hackers are not too particular about their targets. “About 85 per cent of infections occur on Windows 7 and Windows Server 2008 systems. The rest include Windows Server 2012, Windows XP and Windows Server 2003,” they said.
The malware seems to have the ability to come back to hit the old victims if they fail to tackle the problem completely. “About one-fourth of the affected machines were infected again after Smominru was removed from them. In other words, some victims did clean their systems but ignored the root cause,” they said.
Modus operandi
After intruding into a computer, Smominru creates a new user, called admin$, vesting itself with admin privileges on the system and starts to download a whole bunch of malicious payloads. “The most obvious objective is to silently use infected computers for mining cryptocurrency at the victim’s expense,” they said.
The malware also downloads a set of modules used for spying and credential theft. On top of that, once Smominru gains a foothold, it tries to propagate further within the network to infect as many systems as possible.
The botnet is fiercely competitive and kills any rivals it finds on the infected computer. It disables and blocks any other malicious activities running on the targeted device. It prevents further infections by competitors.
The botnet relies on more than 20 dedicated servers, mostly located in the US, though some are hosted in Malaysia and Bulgaria.
A difficult problem
Experts at Kaspersky are of the opinion that it is not quite easy to take it down. Smominru’s attack infrastructure is widely distributed, complex, and highly flexible, making it unlikely to be taken down easily. The botnet will be active for quite some time before it can be tackled completely.
The experts ask the people to update operating systems (OS) and other software regularly to leave no doors open for the attackers.
Using strong passwords and deployment of a reliable password manager to create, manage, and automatically retrieve and enter passwords would help protect the users against brute-force attacks.