Emotet after the takedown: what happens to the victims?

With the seizure of the Emotet gang's IT infrastructure, the police in principle have the means to help the victims of the criminal operation. And that is evidently the plan: the announcement states that "the malware on the victims' systems was moved into quarantine", and on the Internet there is evidence of a subsequently downloaded uninstall function.

But of course there are limits to what the police may do on the systems of third parties. Where exactly those limits run is still the subject of heated debate. After all, in many cases there is imminent danger and an acute need for action. Many tens of thousands of PCs are still infected with Emotet, and their owners usually do not know it.

But who may, or must, take action there, and who then bears the responsibility if something goes wrong? After all, the Emotet victim to be cleaned could be a PC in a hospital that controls life-sustaining systems. Or a system on which data worth millions is being recorded at that very moment, still held only in memory and irretrievably lost after a restart.

No key for the data

Speaking of encrypted data: Emotet itself does not encrypt anything. That is typically done by Ryuk, the subsequently downloaded malware of the Trickbot gang. And that gang operates its own C&C servers. So there is currently no indication that keys were secured in the course of the seizure with which already encrypted data could be unlocked. Whether the Trickbot gang will be caught remains to be seen.

It gets worse: in the course of an Emotet infection, a whole range of malware from other gangs is downloaded very quickly. Often this is Trickbot, or an online-banking Trojan such as Qakbot. Because that is Emotet's business model: installing other people's junk on the systems it has infected, for money. (See also: Emotet, Trickbot, Ryuk – An Explosive Malware Cocktail)

Acute danger for thousands of systems

In the course of the seizure, the police have ensured that Emotet itself can no longer cause any damage. But the subsequently downloaded Trojans such as Trickbot and co. are still active and dangerous. To contain the danger, the police evidently took two measures. First, the built-in update function ensures that Emotet now communicates only with the police-operated control servers. This is a comparatively low-threshold procedure, because only configuration data of the malware already present is changed.

In addition, the security researcher Milkream reported on Twitter that he discovered a new function, uninstall_emotet(), when analysing a current Emotet sample. It is currently being delivered from known Emotet servers to the infected PCs and, according to the code shown, is executed from 25 April onwards. Whether this scheduled uninstallation is the "move into quarantine" mentioned by the BKA, or whether something else is behind it, we have not yet been able to find out.

Emotet uninstalls itself, but probably in April rather than March.

A small side note: Milkream gives 15 March as the start date. But the C struct shown counts months from 0 to 11, so the value tm.tm_mon = 3 corresponds to the fourth month, i.e. April. The days, however, run from 1 to 31 – one of the many oddities in C.
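To make the struct tm oddity concrete, here is an added example (written for this page, not code from the article or from the Emotet sample) that builds a date from the raw field values, renders it with strftime and compares it against another date; the year 2021 and the field values 3 and 25 are assumed from the article's discussion.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Fill a struct tm the way a date-gated routine hard-codes a trigger date.
 * tm_mon is zero-based (0 = January), tm_mday is one-based and tm_year
 * counts from 1900; 3 and 25 are the values discussed in the article. */
static struct tm make_date(int year, int tm_mon, int tm_mday)
{
    struct tm t;
    memset(&t, 0, sizeof t);
    t.tm_year = year - 1900;
    t.tm_mon = tm_mon;
    t.tm_mday = tm_mday;
    t.tm_isdst = -1;          /* let mktime work out DST */
    return t;
}

/* Render the date as YYYY-MM-DD. strftime applies the zero-based month
 * convention, so tm_mon = 3 is printed as "04". */
static const char *iso_date(struct tm t, char *buf, size_t len)
{
    mktime(&t);               /* normalise fields, fill in wday/yday */
    strftime(buf, len, "%Y-%m-%d", &t);
    return buf;
}

/* Month name for a raw tm_mon value, or NULL if it is out of range. */
static const char *month_name(int tm_mon)
{
    static const char *const names[] = {
        "January", "February", "March", "April", "May", "June", "July",
        "August", "September", "October", "November", "December" };
    return (tm_mon < 0 || tm_mon > 11) ? NULL : names[tm_mon];
}

/* Whether 'now' is on or after the trigger date (1 = yes, 0 = no). */
static int trigger_reached(struct tm now, struct tm trigger)
{
    return difftime(mktime(&now), mktime(&trigger)) >= 0;
}

int main(void)
{
    char buf[32];
    struct tm trigger = make_date(2021, 3, 25);   /* tm_mon = 3, tm_mday = 25 */
    printf("tm_mon = 3 means %s: %s\n", month_name(3),
           iso_date(trigger, buf, sizeof buf));
    return 0;
}
```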

Limited cleaning

So active code was placed on the victims' computers that is meant to carry out the cleanup. That is of a different quality than merely changing configuration values. Who did this is still unclear, as is the legal basis for it. But apparently this code concerns only Emotet itself; Trickbot and co. remain untouched.

Apparently the authorities shy away from stopping at least the known Trojans with a small, subsequently downloaded cleaning tool. Instead, the BSI has been handed the thankless task of notifying those affected and pointing out that they have a problem and that action is needed.

In concrete terms, this probably works like the BSI's other notification activities: the police-operated control servers collect the IP addresses of the infected systems that report to them. The BSI then informs the providers in the hope that they will inform their customers, who are then expected to clean their systems themselves.

But that works rather poorly. The warning does not reach all those affected, and of those who do receive it, some are overwhelmed and some simply ignore it. Ultimately, experience shows that after months only slightly more than half of the affected systems have been cleaned.

Whether the police may access the PCs of third parties in such a context, or may even be obliged to in order to avert danger, is from my point of view a question worth discussing. Discuss this question and the resulting consequences with me and other IT security professionals in the expert forum of heise Security Pro:
