New Malware Infects Legit Downloads On the Fly

By John Lister

A new piece of malware can intercept Internet traffic to spot people downloading legitimate installation files and replace them with "infected" copies. Security company Kaspersky went as far as calling it "impressive" from a technical, if not moral standpoint.

Kaspersky has dubbed the malware "Reductor," after a term that appears in some of the code. It discovered the malware in April 2019, so the fact that it is only now going public suggests the analysis took some serious work. (Source: securelist.com)

The malware's operation is exceedingly complicated, but once a machine is infected the general principle is this: the creators analyzed the code that makes the Firefox and Chrome browsers work, and that let them figure out a way to predict the supposedly random numbers used while encrypting web traffic.

Web Certificates Manipulated

As a result, they are able to decode encrypted web traffic without having to intercept or manipulate it in a way that could easily arouse attention. In turn, the creators are able to install bogus security certificates on the browser that appear genuine.

Kaspersky believes the malware creators are using these powers to spot people who have just downloaded legitimate installation files for software. They are then able to immediately replace the legitimate files with bogus copies that are actually infected with malware.

That undermines a key computer security tactic of checking security certificates to make sure downloaded files are indeed from the source they claim to come from.

Russia And Belarus Targeted

Kaspersky told The Register that "We haven't seen malware developers interacting with browser encryption in this way before. It is elegant in a way and allowed attackers to stay well under the radar for a long time." (Source: theregister.co.uk)

The good news for Westerners (at least) is that the malware appears to be specifically targeted at users in Russia and Belarus. The level of sophistication implies that the malware creators have significant professional support, possibly from a government. The risk is that their techniques will likely be adopted by cyber criminals who go after the wider public.

For now it doesn't appear there's any immediate action users need to take. However, it's a reminder that using a range of cyber defenses, including scanning files before download and then again before opening, may be safer than sticking to a single method.
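One concrete form of the "check twice" advice, as an added example that is not from the article or from Kaspersky's report: compare the installer you actually received against the SHA-256 digest the publisher lists, so a copy swapped in transit is caught even though it arrived over a connection that looked normal. The checksum-list format, file names and installer bytes below are constructed; the digest list must come from a source the same compromised browser session could not have rewritten (for example, a list fetched on a different machine).

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def parse_checksum_list(text):
    """Parse a publisher's SHA256SUMS-style list: '<hex digest>  <filename>' per line."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.strip().lstrip("*")  # coreutils marks binary-mode entries with '*'
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest) and name:
            expected[name] = digest
    return expected

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, checksum_text):
    """Return 'ok', 'mismatch' or 'unlisted' for the file at path against the digest list."""
    expected = parse_checksum_list(checksum_text)
    name = Path(path).name
    if name not in expected:
        return "unlisted"
    return "ok" if hmac.compare_digest(sha256_of_file(path), expected[name]) else "mismatch"

def demo():
    """Constructed scenario: digest list built from the clean copy; a same-named copy differs."""
    clean = b"MZ\x90\x00 constructed clean installer bytes"
    altered = b"MZ\x90\x00 constructed installer with bytes altered in transit"
    listing = f"{hashlib.sha256(clean).hexdigest()}  setup.exe\n"
    with tempfile.TemporaryDirectory() as d:
        good, swapped = Path(d, "good"), Path(d, "swapped")
        good.mkdir(); swapped.mkdir()
        (good / "setup.exe").write_bytes(clean)
        (swapped / "setup.exe").write_bytes(altered)
        (good / "other.msi").write_bytes(clean)
        return (verify_download(good / "setup.exe", listing),
                verify_download(swapped / "setup.exe", listing),
                verify_download(good / "other.msi", listing))
```

An "unlisted" result is worth treating as a failure too: a file the publisher never listed has nothing to be checked against.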

What's Your Opinion?

Is Kaspersky right to praise the malware's creativity, albeit reluctantly? What methods does your security software use? Do you feel you understand how your PC is protected?


Comments

equestrian_colt:

It's the N.S.A. and some of the other American three letter abbrevs.

fourwheelsonly_5516:

Suggested resolution: For now it doesn't appear there's any immediate action users need to take. However, it's a reminder that using a range of cyber defenses, including scanning files before download and then again before opening, may be safer than sticking to a single method.

I understand scanning downloaded files before opening, but how do we scan files that are not yet downloaded? You can't scan what you don't have.

gilvoice:

Seems the market just got better for a stand alone machine with virtual machine installed to download to a flash drive. Then there will be no problem running your defensive software.

Always remember there is no such thing as an absolutely safe computer system. :-)