Internet privacy and security course

Chapter 87

Universal method of deleting programs for cyber espionage

Not so long ago, one of the subscribers of the CyberYozh channel in Telegram wrote to me. The essence of his problem was posted on the ITsec market channel, where we publish free requests for assistance on IT security issues.


He had cryptocurrencies worth $30,000 stolen from various wallets and exchanges. The fact that several resources were involved immediately rules out a vulnerability in one particular exchange or wallet. But maybe he himself had been incredibly careless?

This is not the case. He used a Mac and was familiar with the basic rules of data security. It is noteworthy that the cryptocurrency was stolen from him while he was on a plane and could not have known in any way what was happening. From my point of view, it can be nothing other than a well-planned attack, in which the malefactors had access to the victim's laptop, which made it possible to gain access to all of his accounts.

Not only the inhabitants of the darknet but also North Korean government hackers are engaged in cryptocurrency hunting. Every day they go to work to develop software designed for stealing money. It is their duty to their homeland, and they perform it conscientiously.

According to publicly available statistics, North Korean hackers in 2017-2018 stole about 570 million dollars in cryptocurrency. I assume that in our case the person became their victim.

If your device is infected with ransomware, the result of its activity soon becomes noticeable, as it is hard not to notice when almost all of your files and documents are encrypted. But what if a program designed for espionage has been quietly installed on your computer and is collecting data?

Sometimes cryptocurrency is the target, and sometimes you and your data are. Only recently, several critical vulnerabilities were discovered that can lead to full access to computers running Windows, macOS and Linux when the victim simply opens a link.

One of the latest is a combination of vulnerabilities in Chrome (CVE-2019-5786) and Windows 7, which hackers actively exploited; we wrote about it on our ITsec news channel. It was enough for the victim to open a malicious website: even with all the latest updates and an antivirus installed, infection was not prevented.


Yes, these vulnerabilities are now fixed, but it is known that they existed, and it is known that they were used in attacks. How do you know whether you have already fallen victim to one of these attacks and whether there is malicious software on your devices?

The first option is to install an antivirus and scan your devices, but antiviruses are practically useless against professional spyware, especially if you are a macOS or Linux user, not to mention Android or iOS.

On iOS, despite many misconceptions, antiviruses do exist, but they are of little use if your phone is not jailbroken and applications are installed only from the official source. Among Android users, antiviruses are incomparably more popular, but whether they are worth using is a debatable question.

Antiviruses themselves are not equally effective. Recently, the Austrian laboratory AV-Comparatives tested 250 Android antiviruses against 2000 malware samples. Only 80 applications provided protection in even the minimum number of cases; two thirds could not cope with 30% of the malicious programs. And this concerns well-known malware.

Any spyware is tested for non-detection by antiviruses before use, or it even blocks the antivirus, as the CertLock Trojan did. If antiviruses could protect against all threats, this whole course could be reduced to a single piece of advice. Unfortunately, in practice an antivirus does not help to remove installed spyware, except in the rare cases when it has been detected by experts and added to the antivirus databases.

The second option is to send the hard drive or laptop to a laboratory for analysis by specialists. This is the most effective method, and it is what companies usually do after being hacked, but would you agree to hand over all your data for the sake of peace of mind? And it is not a cheap pleasure.

Do not forget that such companies sometimes report the data found on client devices to the relevant authorities; we are aware of such cases.

I can offer you an alternative option: resetting the operating system to its original state. Many people will stop me right away, because there is software that can embed itself in the firmware, and they will be right, but such malware is extremely rare (and in that case only replacing the device will help).

99% of professional spyware simply "registers" itself in the operating system and secretly collects data, forwarding it to the malefactors' servers. Sometimes this software searches for traces of cryptocurrency use, such as visits to particular sites or use of particular software; sometimes it searches for other data, checking correspondence in messengers and email for keywords.

It is almost impossible to delete this software manually, but it is removed completely by rolling the system back to its initial state (a data reset). Therefore, my advice is to roll back the system to its original state at least once every six months if you work with valuable information and suspect that you may be spied on.


Tip

Every six months, roll back the system to its original state (data reset).

In addition to the data reset, there are two more fundamental tips, namely auditing installed software and changing passwords regularly, and all three can be combined. Collect all the data you need in a cryptocontainer and transfer it to a USB flash drive or an external hard drive.

Then reset the system to its original state and prepare it for work, installing only the software you need. After that, transfer the cryptocontainer with the data back and change all your passwords. It is important to change the passwords right after the migration, since if the malefactors had access to the system, they could have obtained your passwords.

With a phone, everything is done in a similar way, except that data is usually transferred via cloud storage. Detailed instructions for resetting data on the various operating systems are provided in the next chapter of the course.
