  • Emotet malware disrupted


    • This topic has 9 replies, 5 voices, and was last updated 1 month ago.
      • #2338072
        Susan Bradley
        Manager
      • #2338139
        berniec
        AskWoody Plus

        I have a question about this. Krebs says “If the computer opened the attachment or the link, the malware got installed”. How does that work? I read my email and run my web browser [and do most everything else] as a non-privileged user. Can Emotet infect you from a non-privileged account? If so, how does that happen?

        • #2338279
          Paul T
          AskWoody MVP

          Malware can infect you via security holes in Windows / iOS / Linux. That is why patches are released, to patch those holes.

          The basic rule of computer security is: if you don’t know the sender or were not expecting an attachment, don’t open it until you have checked / virus scanned.

          cheers, Paul

          • #2338344
            berniec
            AskWoody Plus

            I know that there are always the vague allegations of zero-day privilege escalation bugs lurking. BUT — did *this* *specific* attack exploit one such, or are you just making a blind general statement about the probability of serious bugs in a very complicated system? If you’re just saying “we don’t know but there must be a bug it found”, that’s not very reassuring [nor particularly helpful].

            In the past, for example, almost all Windows vulnerabilities took advantage of patched security holes that the user just never installed. If Emotet was exploiting something already patched, then it is a much less dangerous bit of malware than if the best we can say is “we haven’t a clue how it managed to get itself installed, but it did”, which is truly scary [since I’d assume that whatever that vulnerability is, other malware besides Emotet could be out there exploiting it].

            • #2338346
              Paul T
              AskWoody MVP

              Not knowing your level of knowledge I provided the basics. If you want the details read this CISA article.

              cheers, Paul

              • #2338354
                berniec
                AskWoody Plus

                There are a bunch of user-level things that are annoying [scraping addresses from Outlook, Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads, etc]  but the only “real” threats I saw were:

                • Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced.
                • Emotet has been seen exploiting SMB via a vulnerability exploit like ETERNALBLUE (MS17-010) to achieve lateral movement and propagation.  [patched in 2017!]

                Is that the extent to how it gets embedded?

                [And I have to plead guilty and rethink it: I have a not-hard-to-guess password on my local admin account even though I have very secure passwords [via pwsafe] for everything else. I probably need to enter the admin password once or twice a day. So if it were a secure 20-character monster [as all my pwsafe passwords are] I’d go crazy.]

                I know you can do a gigantic amount of damage to a system just as the local user [e.g., encrypting/deleting all the files that the user has write access to, setting itself to be restarted [scheduled tasks, adding to the startup jobs], reaching out on the local net and to SMB-mounted drives, etc.], and I do worry about that stuff easily undone. Once a privileged account is breached [again, IMO], though, your system is pretty well cooked.

                Meta question: drive-by web downloads — if you normally run with JavaScript disabled [via NoScript in FF], does that mitigate the danger of drive-by malware?
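The two lateral-movement steps quoted from the CISA article above (local admin password brute-forced, then the Admin$ share used to move) leave a recognisable trail in the Windows Security log. The following detection logic is an added example written for this thread; it is not code from AskWoody, CISA or any Emotet analysis. It assumes the standard Security event IDs 4625 (failed logon), 4624 (successful logon, with logon type 3 meaning a network logon) and 5140 (network share accessed), and all event records in it are constructed sample data, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log records: (timestamp, event_id, account, source_ip, detail).
# 4625 = failed logon, 4624 = successful logon, 5140 = network share object accessed.
SAMPLE_EVENTS = [
    # 10.0.0.23: six failures against the local Administrator, then success, then ADMIN$
    ("2021-01-27T09:00:01", 4625, "Administrator", "10.0.0.23", ""),
    ("2021-01-27T09:00:02", 4625, "Administrator", "10.0.0.23", ""),
    ("2021-01-27T09:00:03", 4625, "Administrator", "10.0.0.23", ""),
    ("2021-01-27T09:00:04", 4625, "Administrator", "10.0.0.23", ""),
    ("2021-01-27T09:00:05", 4625, "Administrator", "10.0.0.23", ""),
    ("2021-01-27T09:00:06", 4625, "Administrator", "10.0.0.23", ""),
    ("2021-01-27T09:00:07", 4624, "Administrator", "10.0.0.23", "logon_type=3"),
    ("2021-01-27T09:00:09", 5140, "Administrator", "10.0.0.23", "share=ADMIN$"),
    # 10.0.0.50: an admin mistypes twice, then connects normally (below threshold)
    ("2021-01-27T09:05:00", 4625, "Administrator", "10.0.0.50", ""),
    ("2021-01-27T09:05:10", 4625, "Administrator", "10.0.0.50", ""),
    ("2021-01-27T09:05:20", 4624, "Administrator", "10.0.0.50", "logon_type=3"),
    ("2021-01-27T09:05:25", 5140, "Administrator", "10.0.0.50", "share=ADMIN$"),
    # 10.0.0.77: a password-guessing burst that never succeeds
    ("2021-01-27T09:10:00", 4625, "Administrator", "10.0.0.77", ""),
    ("2021-01-27T09:10:01", 4625, "Administrator", "10.0.0.77", ""),
    ("2021-01-27T09:10:02", 4625, "Administrator", "10.0.0.77", ""),
    ("2021-01-27T09:10:03", 4625, "Administrator", "10.0.0.77", ""),
    ("2021-01-27T09:10:04", 4625, "Administrator", "10.0.0.77", ""),
    ("2021-01-27T09:10:05", 4625, "Administrator", "10.0.0.77", ""),
]

FAIL_THRESHOLD = 5              # failed logons from one host against one account
WINDOW = timedelta(minutes=10)  # every step of the pattern must fall inside this window


def _ts(s):
    return datetime.fromisoformat(s)


def brute_force_sources(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Hosts that produced >= threshold failed logons (4625) against one account
    within `window`, whether or not a password was eventually guessed."""
    failures = defaultdict(list)   # (src, account) -> recent failure timestamps
    flagged = set()
    for ts, eid, account, src, _detail in sorted(events, key=lambda e: _ts(e[0])):
        if eid != 4625:
            continue
        t = _ts(ts)
        recent = [f for f in failures[(src, account)] if t - f <= window] + [t]
        failures[(src, account)] = recent
        if len(recent) >= threshold:
            flagged.add(src)
    return flagged


def admin_share_after_brute_force(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alerts for the chain: brute-forced password -> network logon (4624, type 3)
    -> ADMIN$ share access (5140), all from the same host and account."""
    failures = defaultdict(list)   # (src, account) -> failed-logon timestamps
    cracked = {}                   # (src, account) -> (success time, failures counted)
    alerts = []
    for ts, eid, account, src, detail in sorted(events, key=lambda e: _ts(e[0])):
        t = _ts(ts)
        key = (src, account)
        if eid == 4625:
            failures[key].append(t)
        elif eid == 4624 and "logon_type=3" in detail:
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                cracked[key] = (t, len(recent))
        elif eid == 5140 and detail.endswith("ADMIN$") and key in cracked:
            success_t, nfail = cracked[key]
            if t - success_t <= window:
                alerts.append({"source_ip": src, "account": account,
                               "failed_attempts": nfail, "share_access": ts})
                del cracked[key]   # one alert per cracked session
    return alerts


if __name__ == "__main__":
    print("password guessing from:", sorted(brute_force_sources(SAMPLE_EVENTS)))
    for alert in admin_share_after_brute_force(SAMPLE_EVENTS):
        print("ADMIN$ reached after brute force:", alert)
```

On the sample data only 10.0.0.23 produces an alert: 10.0.0.50 never crosses the failure threshold, and 10.0.0.77 guesses but never gets in (it still shows up in `brute_force_sources`, which is the earlier, cheaper warning). The threshold and window are the knobs to tune against the real failure rate on a given network; either way, the point the post makes stands, since a strong local admin password means the 4624 never arrives and the chain stops at the first function.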

      • #2338106
        anonymous
        Guest

        More good news on the ransomware front:

        https://www.bleepingcomputer.com/news/security/netwalker-ransomware-dark-web-sites-seized-by-law-enforcement/

        Wonder who keeps the seized assets? They should return the funds to unfortunate victims.

      • #2338133
        anonymous
        Guest

        There is a link in the Krebs comments (translate to language of choice) allowing people to check their email address. I suspect most reading AskWoody are more than sufficiently educated to avoid the problem, but those who service clients with potentially affected computers may like to take advantage of the email check service.

      • #2338373
        b
        AskWoody MVP

        Law enforcement has started to distribute an Emotet module to infected devices that will uninstall the malware on April 25th, 2021.

        Europol: Emotet malware will uninstall itself on April 25th
