Researchers exploited a bug in Emotet malware to create a killswitch, containing its spread for six months
But Emotet's operators have now patched the flaw
Researchers at information security firm Binary Defense say they identified a flaw in Emotet malware and used it to create a killswitch, which held back the spread of the malware for nearly six months.
The bug was discovered by James Quinn, a malware researcher at Binary Defense, who has been chasing Emotet, a banking Trojan that can steal data by eavesdropping on network traffic, for several years in efforts to track the activity of its operators.
Quinn said he found the bug in February while he was studying the code update for Emotet. He noticed a change in the code of a payload that the botnet used by the threat actors was spamming across the internet. The change was part of the persistence mechanism, which enables malware to survive PC reboots.
Quinn found that the malware was saving an XOR encryption key inside a newly-created Windows registry key. The key was not only used for persistence, but also as part of several other Emotet code checks.
Through trial and error, Quinn was able to write a PowerShell script, dubbed EmoCrash, which used the registry key mechanism to crash Emotet itself. The script scanned the system and then generated a malformed registry key.
When Quinn used the malformed registry key to infect a clean machine, it caused a buffer overflow in Emotet code, causing the malware to fail.
When EmoCrash was used on systems already infected with Emotet, it crashed the malware, prevented communication between infected hosts and Command and Control servers.
The Binary Defense team decided to use the discovery for a good cause. They approached Team CYMRU, a firm with long history of organising botnet takedowns, as well as various Computer Emergency Response Teams (CERTs), to stop the spread of the Emotet malware.
Quinn said they received many messages from companies during the six-month period between from February to August, who said that EmoCrash helped to prevent Emotet attacks or uncover ongoing attacks.
Emotet's operators eventually found out about the error in their persistence mechanism, and updated the malware on 6th August.
"On August 6th, a core loader update was sent out which finally removed the vulnerable registry value code, effectively 'killing' EmoCrash," Quinn said.
"Just for fun, I submitted a vulnerability report to MITRE's CVE program to see if they would assign it a CVE number."
"It is for the best that it was denied, since public disclosure would have been exactly the opposite of what we wanted, but it was fun to get a denial from MITRE about it," he added.