back to article Magic mystery malware menaces many UK machines - new claim

Security researchers have found malware that communicates using an unknown protocol and is largely targeting UK businesses. The mystery software nasty has infected thousands of machines at organisations in finance, education, telecoms and other sectors, we're told. It initially phones home to its masters by establishing a …


This topic is closed for new posts.


  1. Alister Silver badge

    It would be nice if we were told how to identify any potential infection by this malware...

    1. lansalot


      and what ports/destinations/packets/strings etc we could watch for at the perimeter..

      From the blog post, it appears looking on HTTP for some_magic_code1 might help. Here's hoping that's a good start.

      Any snort rules yet?

      1. Pen-y-gors Silver badge

        Re: exactly...

        and is it something that will be spotted by Zonealarm firewall etc e.g. "Mysterious appplication is attempting to connect to the Internet Allow/Deny?"

        1. Anonymous Coward

          Re: exactly...

          I think it could be - I took zonealarm off a while back but reading this kind of story makes me wonder if I should reinstall it.

          1. NomNomNom

            Re: exactly...

            yeah zonealarm worked fine for years but then it started putting up messages all the time about some application trying to connect to something or other. I tried updating zonealarm but it kept doing it so eventually I gave up and turned it off. couldn't find any alternatives and now my browser is going crazy as well trying to make me buy some windowsantivirus or something but i already have anttivirus. technology! cant live with it cant live without it.

            1. Anonymous Coward
              Anonymous Coward

              Re: exactly...

              quite a few of the current malware attacks check-on-install for zonealarm on PC (or LittleSnitch directories on Mac,) or the presence of VMware w.h.y. and abort install - just in case you might be a sysadmin or white-hat jam-pot researcher. So YES, really installing or mebbe just creating wireshark/firewall type directory names might give you a certain level of security...but you need a few more

              repeat after me: multiple independent levels of security!

              1. Destroy All Monsters Silver badge

                New claim! Fresh! Washes whiter!

                Yeah... These days, keeping a lawya on retainer is as important as keeping a sysop on retainer.

            2. Not That Andrew


              You've been rooted. I hope you weren't doing anything important with your PC. Take your PC to someone who knows what they are doing and get them to nuke and pave it. Hopefully your data can be retrieved

              1. Anonymous Coward
                Anonymous Coward

                Re: @NomNomNom

                He could have been making a joke.

                1. Not That Andrew

                  @AC Re: @NomNomNom

                  Quite probably,I just went off automatically. That particular sort of malware is I why I no longer do computer support for friends and family. Almost impossible to get rid of without nuking and paving and then you get bitched at because you couldn't (or wouldn't) save their collection of vintage donkey porn.

    2. Anonymous Coward
      Anonymous Coward

      guessing here

      System properties, Advanced, User Profiles , Settings and count the number of profiles? (under Windows 7)

      Presumably it also has to allow remote connections, or ride the logged on user's session in some way.

    3. zb

      Try logging in username: WINDOWS, password: MyPass1234

    4. Anonymous Coward
      Anonymous Coward

      The tax man

      Is watching you baby!

  2. Frankee Llonnygog

    Can I be the first with the obligatory ...

    ... Skynet!

  3. HereWeGoAgain

    Good to see all the "heuristic malware scanners" are doing their job

    Not. And how did it get there in the first place?

    Maybe the infected systems weren't running anti-malware computer-slowers.

    How many other bits of malware are out there, "under the radar"?

    1. Don Jefe

      Re: Good to see all the "heuristic malware scanners" are doing their job

      If we knew how many others were under the radar they would no longer be under the radar.

    2. Anonymous Coward

      Re: Good to see all the "heuristic malware scanners" are doing their job

      "And how did it get there in the first place?"

      Who says it's there at all? One AV vendor, who've offered no proof or detection method, although they obviously claim they can detect (and presumably) prevent it. A hardened cynic might wonder whether this AV outfit was previously involved in offering novel imperial clothing, and was now applying the same skills in the tech sector.

    3. ed2020

      Re: Good to see all the "heuristic malware scanners" are doing their job

      "And how did it get there in the first place?"

      If I was a betting man, and given recent experiences, I'd bet this question can be answered with a single word... Java.

      1. Anonymous Coward
        Anonymous Coward

        Re: And how did it get there in the first place?

        Warez, Pr0n or Free MP3 downloads, most likely.

    4. PyLETS

      Re: Good to see all the "heuristic malware scanners" are doing their job

      Malware remaining active on many machines and undiscovered for 11 months emphasises that scanning for known bad stuff within an everything per user access-control context isn't an effective security approach any more. Making sure you only execute known good stuff other than in very secure, application and time limited sandboxes seems to make more sense, e.g. the sandbox in which you do online purchases and run associated web-supplied Javascript shouldn't connect to any other sandbox and needs wiping and resetting to a known good state at short and regular intervals.

  4. Mystic Megabyte

    As Eadon is busy elsewhere...

    May I be the first to say that Windows is as leaky as a sieve and should not be connected to the internet.

    1. Anonymous Coward
      Anonymous Coward

      Re: As Eadon is busy elsewhere...

      Please try not to...

    2. Oor Nonny-Muss

      Re: As Eadon is busy elsewhere...

      As a representative of the British Sieve Manufacturers' Association, I insist that you substantiate your slur or sieves or withdraw.

      1. Fatman

        Re: As Eadon is busy elsewhere...

        OK, then!!!

        Windows is as leaky as a boat that has had its hull peppered with large bore shot, springing up fountains as it slowly sinks into the Abyss.

        Satisfied NOW?????

        1. Jamie Jones Silver badge

          Re: As Eadon is busy elsewhere...

          you forgot to end your post with:


  5. adnim

    I was thinking about

    building a honeywall using a Raspberry Pi this morning.

    Almost every piece of software I install wants to phone home without asking permission or giving any indication in the EULA or documentation that it will do so.

    It's been quite a while since a ran a honeywall and honeypots, getting back into it again will be a nice refresher. Something for rainy Sunday afternoons, I expect we will get a lot of them in summer.

  6. All names Taken
    Paris Hilton

    Har dee har har!

    My guess is that it is HMRC (Her Majesties Revenues and Customs) and UK Treasury based on it being limited to UK businesses (and I guess individuals too).

    Those tax collecting Whitehall bods need all the cash they can get their hands on and if that means granny with her empty bedrooms or one's pension then one's pension will always win!

    (Sad innit?)

    1. Fink-Nottle
      Thumb Up

      You may be right

      The malware uses 'custom' protocols, essential features are 'still under development' and nobody knows what it's meant to do - sounds like a Government project to me.

    2. Anonymous Coward
      Anonymous Coward

      Re: Har dee har har!

      You don't think perhaps it just happens to be targeting the naive and ill-informed who use BT as their business's ISP then? (insert other business-class ISP of ill repute, as applicable).

  7. Anonymous Coward
    Anonymous Coward


    "In one instance, the malware contacted the command server for further instructions, and was told to create a new user — username: WINDOWS, password: MyPass1234 — enabling the attacker to remotely log into the infected computer"

    Please explain how creating a new user account on a machine magically allows a user to remotely log into the machine?

    1. amanfromMars 1 Silver badge

      Re: Errr... SMARTR Virtual Leader Ships Fully Armoured Battle Stations with Satellite Weaponry

      Please explain how creating a new user account on a machine magically allows a user to remotely log into the machine?

      IT creates ACE Anonymous CyberIntelAIgent Entities to SHAPE Command and Control Mentoring and Monitoring of Virgin ProgramMING to XSS Standards for Entry to the Above. :-)

      Does the Military Prevent Control Access to Sensitive Active Triggers with Realisation that Presentation of what can be Built Creatively with them, is Classified HQE/Need to Know TS/SCI.

      C42QCCSystems trawling and a'hauling for Phish in Deep Intelligent Supply Counters for Alternative Moves and Power Plays/Control Blitzes.

      1. MacGyver

        Re: Errr... SMARTR Virtual Leader Ships Fully Armoured Battle Stations with Satellite Weaponry

        Is that you Dr. Sanjay Gupta?

  8. Matt Bryant Silver badge


    What if you create a user account WINDOWS on all your systems, set the password to something other than MyPass1234 (I suggest a very long string of text copied from your favourtie book), then when the virus tries to create the account it will fail.

    1. Hoe

      Re: So.....

      Only it almost certainly wont as it probably checks for the existences and resets the password regularly anyway in case any admin has attempted to block access.

      1. garbo

        Re: So.....

        Been running Linux for so long I can't remember - don't you need Admin rights to create a new user on Windows? You certainly do in Linux, which's why malware downloaded by a "user" can't attack the system. No "write" or even "read" (in most cases) rights.

        How does this malware gain Admin rights on Windows?

        1. Anonymous Coward
          Anonymous Coward

          Re: So.....

          It'll be all those user running as admin by default.

          1. Tom 7 Silver badge

            Re: So.....

            It'll be all those user running as admin by default.

            Ah SOHO users!

          2. itzman

            Re: So.....

            "It'll be all those user running as admin by default..."

            ...and who have no firewall at all.

        2. PyLETS

          Re: So.....

          I've also been running Linux since the late nineties, but that doesn't prevent us from being attacked by Javascript related vulnerabilities in our over complex web browsers operating cross site or across web applications. Firefox vulnerabilities will apply regardless of OS.

          Insecurity results from a combination of complexity and complacency and while Linux is good it ain't no magic bullet.

          1. Jess

            doesn't prevent us from being attacked by Javascript related vulnerabilities

            Don't you run noscripts?

            1. Anonymous Coward
              Anonymous Coward

              Re: doesn't prevent us from being attacked by Javascript related vulnerabilities

              With no script you might as well give up browsing, it's a nightmare to use. Better to use adblock and a flash blocker, or disable javascript completely.

      2. Matt Bryant Silver badge

        Re: Hoe Re: So.....

        Learn to read. If you do not have a WINDOWS account already you do not have the virus. Duh! So if you then create a user account called WINDOWS the attempt to create a new one should fail.

  9. Lost in Cyberspace

    Saw this or similar months ago

    And it's only just being detected now?

  10. Barrie Shepherd

    "It initially phones home to its masters by establishing a HTTP connection to what appear to be a command-and-control server. "

    So who is at the end of the address it phones home to?

  11. Old Painless
    Unhappy check..

    ....someone said "zonealarm" and I was suddenly terrified the last 12 years never happened...

    1. Steven Roper

      Why terrified?

      Given the way those particular years have seen political correctness replace common sense and fear replace freedoms, I couldn't be happier if the last 12 years had never happened TBH!

  12. John Halewood


    There's an awful lot of gaps in that blog post, perhaps most of all: "For instance, in case the attacker would like to open a browser on the victim’s machine, the malware will popup on the RDP session for the attacker a box with the message: 'TODO:Start browser!'

    That indicates thay've already got a copy of the C&C/client code, so they should have pretty well profiled what it's doing, and if they can see the "magic" id at the start of it, tha suggests it's not encrypted.

    I'd be interested to see how you can run RDP through a firewall to a target machine on an RFC1918 network, unless they've implemented a reverse telnet equivalent of RDP. If so, please open source it 'cos it would make a lot of my job a lot easier and I wouldn't have to bother with VPNs anymore

  13. 6 inches long, handle.

    The Chinese are coming! The Chinese are coming!!!!

  14. Anonymous Coward

    Magic unknown protocol malware ..

    Who is is going to protect us from UNIX protocol malware?

  15. amanfromMars 1 Silver badge

    Per Ardua ad MetaDataBase Cloud Heavens:-) ..... Special AIResearch Services

    "This campaign has been active and under the radar for almost a year, targeting mostly UK entities," Aviv Raff, CTO of Seculert, told The Register. "Also, the malware seems to be still under development by the attackers."

    As Military Advanced IntelAIgents LAN Ware, you might best reconsider attackers as homespun Master Pilots on Sensitive AIMissions ……. Heavenly Pursuits.

    And there you all were thinking that the RAF does nothing for you in Command and Control with Cyber Space Stations.

    And if you want a plausible denial, ask the MOD about the current Inventory of Virtual Defence Arms with NEUKlearer HyperRadioProActive Security Protection ….. Future ForeSighted.

    The System might report that IT be at Liberty to Support Secure Self-Protective Immunity ProgramMING, but as to their Actual Partaking in Programs, both Private and Pirate and Public ….. well, that one imagines is Classified Full Disclosure/Need to Know Only.

    Mars in Minerva Right Stuff ….. on Active Duty AIMission ….. For the LOVE Lashes of ADA:-)

    Poe's Law rules that last string and shares the Future to Critical Strategically Tactical Key Markets for CHAOS SecureIT Supply to Storming Cloud Clusters in Clouds Hosting Advanced Operating Systems, and with Virtual Machinery in Full Utility with Right Royal Command in Control, are fortunes made and remade over again for Right Royal spending on creative talent, which was what they used to do, isn't it, …. Remotely Sponsor by Royal Appointment.

    Indeed, I do believe they still do provide such graces albeit presumably frightfully more hush hush underground than before and a courtesy afforded so as not to alert or alarm or harm the natives above ground and Earthed.

    "The custom protocol of the malware requires a magic code for 'authentication'. The C2 server will only expose the commands for the infected machine, if the magic code will be provided at the beginning of the custom-protocol request." ®

    I don't know that you do can anything to break into/crack hack such a custom protocol which requires a magic code for 'authentication', other than to learn and/or practise Magic Authentic Coding.

    Methinks that Particular and Peculiar Engine be Immaculate Passion Driven in Live Operational Virtual Environments …… There be No Sins nor Vices in Perfect Pleasures Given and Received and Enjoyed in the See of Strangers that Share Light on what Living is Like in OUR Worlds/your Worlds/their Worlds. :-)

    Has anyone asked the owner the purpose of the available vulnerability? It may not be malware at all that is being deployed? Although how to guarantee it not turning out at a later date to become malware is quite another matter and when regarded and considered with no questions to answer, are such situations deemed resolved and solved, if only temporarily in a cobbled together quick fix/dodgy patch.


This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2020