Razzies for malware: These were the worst performances of the year

Just as audiences have suffered from bad movie craftsmanship, IT users have had to endure the consequences of the malicious work done by malware authors. Welcome to Razzies for malware.

On Sunday night, for the 88th time, the Academy of Motion Picture Arts and Sciences awarded some of the finest actors, directors and movies with the most prestigious prizes in cinema – the Oscars. But they were preceded by another ceremony, the Razzies. Its organizers gave awards for the exact opposite – the worst performances on the silver screen.

But raspberries aren’t confined to the movie world. Just as audiences have suffered from bad movie craftsmanship, IT users have had to endure the consequences of the malicious work done by malware authors. We have therefore looked more closely at those pieces of malicious code that have made the life of their targets worse, and assigned them their own categories.

Judging from the final visual effects, one malware Razzie would go to the attackers who used the BlackEnergy malware family to target power companies in Ukraine. The results of their malicious activity could be seen during the penultimate week of 2015 across the whole of Ivano-Frankivsk region, where hundreds of thousands of homes were stricken by power outages.

The attack scenario was simple: a target in the energy company got a spear-phishing email with a malicious document attached. This contained text that tried to convince the victim to run a macro within it. If the victims were successfully tricked, they ended up being infected with BlackEnergy Lite.

Once activated, variants of BlackEnergy Lite allowed the malware operator to check specific criteria in order to assess whether the infected computer truly belonged to the intended target. If that was the case, the dropper of a regular BlackEnergy variant was pushed to the system.

For more details on this attack, read the multiple blogposts at We Live Security.

Never-ending disguise

Another raspberry could go to a series of porn clickers, also known as Android/Clicker, discovered recently by ESET researcher Lukáš Štefanko. Their category? Costume design, thanks to their success in masking themselves as popular games and constantly changing their disguise, duping users into installing them on their devices from the official Android store, Google Play.

After installation, these porn clickers generate fake clicks on advertisements to scale up revenue for their operators, robbing advertisers and harming advertising platforms. From the user’s point of view, these trojans generate a lot of internet traffic, which can negatively impact users on metered data plans.

“There have been many malware campaigns on Google Play, but none of the others have lasted so long or achieved such a huge number of successful infiltrations,” explains Lukáš Štefanko, a malware researcher at ESET. Along with his colleagues, he has identified 343 malicious porn clickers on Google Play over the course of the last seven months, each of them downloaded by an average of 3,600 users.

Currency director

Another piece of malicious code that caught our attention was the business-oriented banking trojan Corkow. It could also be called the worst screenplay writer of the last year, as it made two currencies – the ruble and the dollar – swing widely between 55 and 66 RUB/USD, a range far bigger than normal.

Even though it caused only marginal financial losses to the victim, it was a notable attack against a trading platform, and it was actually able to place a series of orders worth more than 200 million USD (bought and sold combined). Fortunately, the ‘screenplay’ was so bad that it wasn’t executed in full.

“The attack had a running time of only 14 minutes and immediately after it, the malware received a command to wipe itself from the infected system and remove all traces of its activities,” explained Anton Cherepanov, a malware researcher at ESET.

Documenting the cards

Playing with the raspberry metaphor, there is one type of malware that really stood out because of the way it operated. Win32/Spy.Odlanor, also known as the Poker cheater, has secured its place in the club as the worst online card player of the year.

Its malicious activities specifically targeted two very popular poker sites: Full Tilt Poker and PokerStars.

First, it got onto victims’ computers as a drive-by download bundled with other, general-purpose applications (obtained from sources other than the official websites) or via poker-related programs, such as poker player databases or poker calculators.

After a successful infection, it started taking screenshots of the poker client’s windows on the targeted machine and sending them to the attacker’s remote computer. This gave the malicious actor an advantage, allowing him not only to see his opponent’s cards, but also the player ID, which could be used to track the victim and connect to the same game tables. In later versions, Odlanor got worse, also stealing data such as passwords saved in various web browsers.

Which malware would you nominate, and in which categories? Let us know in the comments below.