Sophos researchers detailed on June 17 a piece of malware that behaves unusually. Rather than compromising the system to steal information or commit fraud, it is believed to block infected users from reaching many sites that distribute pirated software.
The malware is distributed in several ways: it is embedded in archives that look like software packages posted on the gamers' chat service "Discord", and it is also distributed directly via BitTorrent.
According to Sophos chief researcher Andrew Brandt, the author used the names of a range of software brands, including games, productivity tools, and cyber-security products, to disguise the malware, and appears to be targeting everyone from gamers to professionals.
The malicious packages carry names typical of illegally copied software, such as "Minecraft 1.5.2 Cracked [Full Installer] [Online] [Server List]". The files are tagged so that they look as if they had been uploaded from the torrent search site "ThePirateBay".
Double-clicking the malware executable displays a message claiming that an important .dll file is missing from the victim's system. In the background, the malware fetches a secondary payload called "ProcessHacker", which appears to be responsible for modifying the target machine's hosts file.
The method the malware uses to block access to pirate sites is rudimentary: it simply adds several hundred to a thousand web domains to the hosts file and points them at the localhost address. Strangely, some of the sites on the block list have nothing to do with illegal copies.
On current Windows machines, modifying the hosts file requires the malware to run with administrator privileges. However, not every sample elevated its privileges on the Windows system; where no elevation took place, the modification of the hosts file failed.
"Hosts files are a crude but effective way of preventing a computer from reaching specific addresses," Sophos explains. "Crude, because although they achieve the purpose, this malware has no mechanism for persistence. Anyone can delete the entries added to the hosts file."
Some of the malware packages bundled an installer to make them look like pirated software packages. Each archive contained meaningless data files and unrelated images. There was also a .nfo file containing racist slurs.
"Looking at the attacker's targets and tools, I get the impression that this was hastily thrown together for a vigilante's campaign against a pirate paradise. But considering the possibility that it targets a wide range of users, from gamers to business people, the strange mix of old and new tools, techniques and methods, and the odd list of sites the malware blocks, the ultimate purpose of this attack is unclear."
This malware may not have much impact on users. Sophos says that if a machine is infected and its hosts file has been modified, it can be cleaned up by launching "Notepad" as an administrator, opening "C:\Windows\System32\Drivers\etc\Hosts", and deleting the lines that start with 127.0.0.1 or that refer to the ThePirateBay site.
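The cleanup rule above can be applied more carefully with a small script than by hand, since a hosts file of a thousand added lines is tedious to inspect in Notepad. The following is an added example, not code from the article or from Sophos: it parses hosts-file text, flags lines that redirect hostnames to the loopback address (or that mention ThePirateBay), keeps the standard localhost entries and comments, and returns the cleaned text together with the removed lines. The sample hosts content, the marker list and the `.example` hostnames are constructed for the demonstration; entries pointing at 0.0.0.0, a common ad-blocking convention that the article does not mention, are deliberately left alone.

```python
"""Audit hosts-file text for loopback sinkhole entries (added example, not the article's code)."""
import ipaddress
from pathlib import Path

# Names that Windows and other systems legitimately map to loopback; never flagged.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Substrings taken from the article's cleanup advice (constructed list; extend as needed).
SUSPICIOUS_MARKERS = ("thepiratebay",)


def parse_hosts_line(line):
    """Return (address, [hostnames]) for a data line, or None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()  # drop inline and full-line comments
    if not body:
        return None
    parts = body.split()  # hosts files allow tabs or spaces, and several names per line
    return parts[0], [name.lower() for name in parts[1:]]


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; False for unparsable or non-loopback addresses."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def is_sinkhole_entry(line):
    """True if the line sends a non-localhost name to loopback, or names a marker site."""
    parsed = parse_hosts_line(line)
    if parsed is None:
        return False
    addr, names = parsed
    if any(marker in name for name in names for marker in SUSPICIOUS_MARKERS):
        return True
    if is_loopback(addr):
        return any(name not in LEGIT_LOOPBACK_NAMES for name in names)
    return False


def clean_hosts(text):
    """Return (cleaned_text, removed_lines) for the given hosts-file contents."""
    kept, removed = [], []
    for line in text.splitlines():
        (removed if is_sinkhole_entry(line) else kept).append(line)
    return "\n".join(kept) + "\n", removed


def audit_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Read-only check of a real hosts file: returns the lines that would be removed."""
    return clean_hosts(Path(path).read_text(encoding="utf-8", errors="replace"))[1]


# Constructed sample resembling a hosts file after the modification described in the article.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
::1 localhost
10.0.0.5 intranet.example.test   # constructed internal host, must be kept
127.0.0.1 thepiratebay.example   # constructed sinkhole entry
127.0.0.1 tracker.example torrents.example
0.0.0.0 ads.example
"""

if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print("Removed entries:")
    for line in removed:
        print("  ", line)
    print("Cleaned file:")
    print(cleaned)
```

Run it as-is to see the sample processed; `audit_file()` only reports what would be removed from the real hosts file and never writes to it, so the actual edit remains a deliberate, administrator-level step as the article describes.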
This article is an edited Japanese version, prepared by Asahi Interactive, of an article from Red Ventures overseas.