
Magic Mystery Malware Menaces Machines


anuseems


Security researchers have found malware that communicates using an unknown protocol and is largely targeting UK businesses.

The mystery software nasty has infected thousands of machines at organisations in finance, education, telecoms and other sectors, we're told.

"This 'magic malware' as we've dubbed it is active, persistent and had remained undetected on the targeted machines for the past 11 months. Since then the attackers were able to target several thousands of different entities, most of them located in the United Kingdom."

It initially phones home to its masters by establishing a HTTP connection to what appears to be a command-and-control server. The malicious software then uses a custom protocol to authenticate itself, and always uses a magic word - literally, some_magic_code1 - at the start of the conversation, according to security researchers at Seculert.

The malware appears to be in development as new features are being added. Even though Seculert's researchers have had it under observation for around a month, its true aim remains unclear.

At present the malware appears to be monitoring the activities of its targeted entities, but since it's readily capable of downloading and executing additional malicious files it might easily be activated at any time to launch a broader attack.

"This campaign has been active and under the radar for almost a year, targeting mostly UK entities," Aviv Raff, CTO of Seculert, told The Register. "Also, the malware seems to be still under development by the attackers."

"The custom protocol of the malware requires a magic code for 'authentication'. The C2 server will only expose the commands for the infected machine, if the magic code will be provided at the beginning of the custom-protocol request."

@ http://www.theregister.co.uk/2013/04/18/magic_malware_menaces_uk/
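
A detection sketch for the marker described above, added here as an example and not taken from the article or from Seculert. The article does not say how the marker is framed on the wire, so the three placements checked (start of stream, start of an HTTP body, anywhere else) are assumptions, and the sample streams, addresses and host names are constructed.

```python
import re

MAGIC = b"some_magic_code1"  # marker string quoted in the article
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")
# Lower rank = stronger signal. A marker buried mid-payload is weak evidence:
# it also appears when someone merely posts or uploads text about the malware.
RANK = {"magic-at-start": 0, "magic-after-http": 1, "magic-elsewhere": 2}

def classify_stream(client_bytes):
    """Classify one reassembled client-to-server stream by marker position."""
    if client_bytes.startswith(MAGIC):
        return "magic-at-start"
    if HTTP_REQUEST.match(client_bytes):
        # Assumed framing: marker opens the body that follows the HTTP headers.
        _, sep, body = client_bytes.partition(b"\r\n\r\n")
        if sep and body.startswith(MAGIC):
            return "magic-after-http"
    if MAGIC in client_bytes:
        return "magic-elsewhere"
    return "clean"

def triage(streams):
    """Return (src, dst, verdict) for non-clean streams, strongest signal first."""
    hits = [(src, dst, classify_stream(data)) for src, dst, data in streams]
    hits = [h for h in hits if h[2] != "clean"]
    return sorted(hits, key=lambda h: RANK[h[2]])

# Constructed sample streams (documentation address ranges, not real traffic).
SAMPLE_STREAMS = [
    ("192.0.2.10", "198.51.100.7:80",
     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("192.0.2.11", "198.51.100.9:80",
     b"POST /forum/reply HTTP/1.1\r\nHost: example.test\r\n\r\n"
     b"text=article+mentions+some_magic_code1"),
    ("192.0.2.12", "198.51.100.66:80",
     b"POST /a HTTP/1.1\r\nHost: example.test\r\n\r\nsome_magic_code1\x00\x01\x02"),
    ("192.0.2.13", "198.51.100.66:80", b"some_magic_code1\x00\x07"),
]

if __name__ == "__main__":
    for src, dst, verdict in triage(SAMPLE_STREAMS):
        print(f"{verdict:18} {src} -> {dst}")
```

Hosts flagged with either of the two start-of-conversation verdicts are the ones to prioritise for investigation; a mid-payload match alone needs corroboration.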
