Millions of PCs under PlugX's control: Orphaned zombie worm still hunts for other people's secrets

Father

Sekoia decides the fate of a virus that was left without an operator many years ago.

Researchers from the company Sekoia have revealed disturbing details about the PlugX malware worm, which, left unattended by its creators many years ago, continues to spread independently and infect millions of computers around the world.

PlugX, which has alleged links to the Chinese Ministry of State Security, was first spotted by experts back in 2008. In 2019, it began to automatically infect USB drives, which, in turn, transferred the malware to new systems.

The specialists bought the IP address of an abandoned command-and-control server and routed it to their own infrastructure to capture the incoming traffic (a process usually called sinkholing). This let them estimate the real scale of the standalone PlugX's spread. It turned out that beacons from infected devices arrive daily from 90-100 thousand unique IP addresses, and over six months of monitoring the total number of unique IP addresses reached 2.5 million.

Such beacon requests are standard for almost all types of malware and usually recur at regular intervals, from a few minutes to several days. Although the number of observed addresses does not equal the actual number of infected PCs, the volume of data still indicates that the worm remains active on thousands, possibly millions, of devices.
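The two paragraphs above describe the measurement a sinkhole makes possible: counting distinct source addresses per day and over the whole monitoring period, and observing that infected hosts call back at regular intervals. The script below is an added example of that analysis, not Sekoia's tooling or any code from the article. It assumes the sinkhole is a plain web server writing combined-format access logs; the log lines, the `/update` path and the User-Agent are constructed placeholders, since the article does not describe PlugX's actual request format.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of sinkhole access-log lines (assumed combined log format).
# Addresses are from documentation ranges; the request path and User-Agent are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Apr/2024:00:01:12 +0000] "POST /update HTTP/1.1" 200 0 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Apr/2024:00:05:40 +0000] "POST /update HTTP/1.1" 200 0 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Apr/2024:00:31:10 +0000] "POST /update HTTP/1.1" 200 0 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Apr/2024:01:01:15 +0000] "POST /update HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.0.2.44 - - [11/Apr/2024:09:12:00 +0000] "POST /update HTTP/1.1" 200 0 "-" "Mozilla/4.0"
203.0.113.9 - - [11/Apr/2024:10:05:41 +0000] "POST /update HTTP/1.1" 200 0 "-" "Mozilla/4.0"
"""

# Client address and bracketed timestamp at the start of a combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')


def parse_log(text):
    """Return a list of (ip, datetime) tuples, skipping lines that do not parse."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts = m.groups()
        records.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")))
    return records


def daily_unique(records):
    """Number of distinct source IPs seen on each calendar day (keyed by ISO date)."""
    per_day = defaultdict(set)
    for ip, when in records:
        per_day[when.date().isoformat()].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def cumulative_unique(records):
    """Distinct source IPs over the whole monitoring period (the article's 2.5M figure)."""
    return len({ip for ip, _ in records})


def beacon_intervals(records):
    """Median seconds between consecutive hits per IP, for IPs seen at least twice.

    A stable interval is the regular call-back pattern the article describes;
    hosts seen only once cannot yield an interval and are omitted.
    """
    hits = defaultdict(list)
    for ip, when in records:
        hits[ip].append(when)
    result = {}
    for ip, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps:
            result[ip] = median(gaps)
    return result


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("daily unique IPs:", daily_unique(recs))
    print("cumulative unique IPs:", cumulative_unique(recs))
    for ip, secs in beacon_intervals(recs).items():
        print(f"{ip}: median beacon interval {secs:.0f}s")
```

Counting unique addresses per day mirrors the "90-100 thousand daily" figure, while the cumulative set mirrors the six-month total; the gap between the two is why the article cautions that address counts are not host counts. The per-IP interval is the simplest sanity check that what the sinkhole receives is automated beaconing rather than scanner noise.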

"Initially, we thought that we would find only a few thousand infected computers, as is the case with our usual sinkholes," wrote Sekoia researchers Felix Aim and Charles M. "However, after installing a simple web server, we witnessed a continuous stream of HTTP requests, the number of which changed throughout the day."

It is interesting that the greatest concentration of infections is observed in countries that are of particular strategic importance for China in terms of military interests and large investments in infrastructure. Experts believe that the original purpose of distributing PlugX was cyber espionage in favor of Beijing. They also write:

"After analyzing the data obtained, we can see that more than 80% of the total number of infections are in 15 countries. It is also interesting that these states do not have as much in common as was the case with other viruses that spread via USB, like RETADUP, which was especially active in Spanish-speaking countries. This suggests that this virus could have spread from several 'zero patients' in different countries at once."

The researchers note that the worm could easily be taken over by any attacker who controls the IP address or can interfere with traffic between the server and the infected devices. The team thus faced a difficult choice: maintain the status quo without interfering in any way, or use the self-deletion feature built into PlugX to remotely remove the code from all infected computers.

The solution might seem obvious, but the second option also carries risks. Even if all PCs are disinfected, some of the malicious code will remain on flash drives and external disks, from which PlugX will begin its journey again.

The situation is further complicated by the fact that deleting malicious code from connected drives risks the loss of users' personal data. Yet ignoring the problem opens the way for a new large-scale wave of infections across the planet.

After investigating all possible scenarios, Sekoia specialists transferred the right to decide the fate of PlugX to computer incident response centers and law enforcement agencies in different countries. Within three months, national cybersecurity organizations will be able to use the company's infrastructure to send commands to deactivate or completely remove malicious code.

This delay allows for the most thorough and safe operation to "neutralize" PlugX with minimal losses. At the same time, each country will have to make its own final decision on whether to remove the malicious program.