'Magic' Malware Casts Spell on British Computers
New form of malware dubbed ‘magic’ because of a strangely worded command protocol
For a mysterious new form of malware, getting into a computer is as easy as saying the magic word.
Security experts have discovered a mysterious type of software that has infected thousands of machines in the United Kingdom across finance, education, telecom and other business sectors, according to a report from security firm Seculert.
The puzzling piece of malicious software, probably a remote-access Trojan or worm, works by connecting the infected machine to a remote server over an HTTP link. That's when the "magic" happens: the malware identifies itself to the server using a custom command protocol in which every exchange begins with the string "some_magic_code1" (the closing quotation mark is not part of the string).
So either these hackers are fantasy fans, or some Hogwarts dropout is meddling with Muggle machines.
Essentially this piece of malware creates a backdoor connection between the infected computers and a remote server. So whoever is controlling the server has access to thousands of businesses' computers.
Dubbed "the magic malware," the invasive program was first detected last month, but experts believe it began infecting computers in the United Kingdom as long as 11 months ago.
So what have the malware's creators used the backdoor to do? In the only reported instance thus far, the server commanded the malware to create a new user account on an infected computer, with the (laughably simple) username WINDOWS and password MyPass1234, giving the people behind the server a remote login to the machine. Such an account is worth checking for on its own: it keeps working even after the malware that created it is removed.
The malware has also demonstrated the ability to remotely open browsers on infected computers.
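The two indicators the article reports, the "some_magic_code1" protocol prefix and the backdoor account named WINDOWS, are the kind of thing an administrator would want to sweep for. The following is an added example and not Seculert's code or any tool from the report: it runs the two checks over constructed sample records. The key=value event export format, the host names, addresses and payload bytes are all assumptions made up for illustration; only the two indicator strings come from the page.

```python
"""
Indicator checks for the "magic malware" described in the article above.

Added example, not Seculert's code. The only indicators taken from the report
are the protocol prefix "some_magic_code1" and the backdoor account name
"WINDOWS"; the log format and every sample record below are constructed.
"""
import re

# Indicators reported on the page.
MAGIC_PREFIX = b"some_magic_code1"
BACKDOOR_USER = "WINDOWS"

# Constructed sample records: Windows Security events exported as key=value
# lines (an assumed export format). Event ID 4720 is "a user account was
# created"; 4624 is a logon and must not be counted as a creation.
SAMPLE_EVENTS = [
    "EventID=4720 TargetUserName=WINDOWS SubjectUserName=jsmith Computer=FIN-PC01",
    "EventID=4720 TargetUserName=svc_backup SubjectUserName=admin Computer=FIN-PC02",
    "EventID=4624 TargetUserName=WINDOWS LogonType=10 Computer=FIN-PC01",
    "EventID=4720 TargetUserName=windows SubjectUserName=SYSTEM Computer=EDU-LAB7",
]

# Constructed sample TCP payloads: (source, destination, first bytes sent).
# The addresses are documentation ranges, not real command servers.
SAMPLE_PAYLOADS = [
    (("10.0.0.5", 49152), ("203.0.113.9", 8080), b"some_magic_code1\x00\x01cmd=adduser"),
    (("10.0.0.6", 49153), ("93.184.216.34", 80), b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (("10.0.0.7", 49154), ("203.0.113.9", 8080), b"  some_magic_code1"),  # not at offset 0
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value event line into a dict."""
    return dict(_KV.findall(line))


def find_backdoor_accounts(lines):
    """Return (computer, created_by) for each 4720 event that creates BACKDOOR_USER.

    The comparison is case-insensitive because Windows account names are.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4720" and ev.get("TargetUserName", "").upper() == BACKDOOR_USER:
            hits.append((ev.get("Computer"), ev.get("SubjectUserName")))
    return hits


def find_magic_sessions(payloads):
    """Return (src, dst) for payloads whose data starts with the magic prefix.

    Only a match at offset 0 is reported: the article says the protocol
    begins with the string, and a loose substring search would also fire on
    any document that merely mentions it (this article, for example).
    """
    return [(src, dst) for src, dst, data in payloads if data.startswith(MAGIC_PREFIX)]


if __name__ == "__main__":
    for computer, creator in find_backdoor_accounts(SAMPLE_EVENTS):
        print(f"backdoor account {BACKDOOR_USER} created on {computer} by {creator}")
    for src, dst in find_magic_sessions(SAMPLE_PAYLOADS):
        print(f"magic protocol session {src[0]}:{src[1]} -> {dst[0]}:{dst[1]}")
```

The account check deliberately ignores logon events for the same name, and the protocol check insists that the string be the very first bytes of the payload; both choices trade a little recall for far fewer false positives, which matters when a sweep covers thousands of hosts.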
Nothing too malicious, in other words, at least as of now. But investigators believe that the malware contains a number of features that are still under development or have yet to be implemented. "The missing and unused features are more technical, e.g. creating new processes under an impersonated user or parsing XML files," Seculert CTO Aviv Raff told Threatpost.