Security researchers discovered a new malware that seems to have no intention to breach your PC or laptop. Here’s why Oddball could be a good guy.
Oddball, a new malware, is quite different from other malicious programs: security researchers confirmed that it is not out to cause a large-scale breach, unlike most computer attacks.
Although it will enter your laptop or computer system, Oddball specifically prevents you from reaching illegal sites, such as piracy websites. Piracy is very rampant right now, given the volume of anime, songs, and other entertainment content released by artists, companies, production houses, and other organizations.
Once the new Oddball malware infects your device, you can no longer access the blocked URLs. This malicious file, which SophosLabs principal researcher Andrew Brandt described as one of the strangest pieces of malware he has encountered, works by modifying the HOSTS file on the infected system, a crude but effective method of preventing a computer from reaching a web address.
Other Details Of the New Malware
The new Oddball malware changes the so-called HOSTS file, an integral part of the Windows OS used to map IP addresses to hostnames or domain names. In this way it effectively acts as a local DNS service for the computer, one that overrides mappings returned by the DNS service of the network to which the computer is connected.
The good news is that the new Oddball malware has no persistence mechanism. This simply means that any infected user can remedy its effect on the local computer by removing the entries it added to the HOSTS file. Brandt said that these entries will stay removed unless, of course, the system becomes infected with the malware a second time.
The researcher who examined the new computer virus also explained that “this seems to be a fresh trick on an old attack of compromising people attempting to download pirated software and media. In this case, though, it seems to be an individual or group trying to protect intellectual property, but make no mistake, this is still clearly criminal behavior.”
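The HOSTS-file tampering described above is easy to check for, and the remediation Brandt describes (removing the added entries) can be scripted. The block below is an added example, not code from the Sophos report or from the article's author; it assumes, as is typical of HOSTS-based blocking, that injected entries point hostnames at a loopback or unspecified address (127.0.0.1, ::1, 0.0.0.0), and it runs against a constructed sample file rather than a real one. It flags every active mapping that sends a name other than the standard loopback names to such an address, and produces a cleaned copy with those lines stripped.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample HOSTS file (not a real infected file). On Windows the live
# file is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems /etc/hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
192.168.1.10    fileserver.corp.example   fileserver
127.0.0.1       blocked-site-1.invalid
127.0.0.1       blocked-site-2.invalid   www.blocked-site-2.invalid
0.0.0.0         sinkholed.invalid
"""

# Names that legitimately resolve to loopback and must never be flagged.
LEGIT_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

Entry = Tuple[int, str, List[str]]  # (line number, address, hostnames)


def is_blackhole(addr: str) -> bool:
    """True for loopback or unspecified addresses, the two targets HOSTS-file
    blocklists commonly use to make a name unreachable (assumption)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str) -> List[Entry]:
    """Return (line_number, address, [hostnames]) for every active mapping line,
    ignoring blank lines and everything after a '#' comment marker."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, nothing to map
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def find_blocking_entries(text: str) -> List[Entry]:
    """Active mappings that send a non-loopback hostname to a blackhole address."""
    suspicious: List[Entry] = []
    for lineno, addr, names in parse_hosts(text):
        if not is_blackhole(addr):
            continue
        flagged = [n for n in names if n.lower() not in LEGIT_LOOPBACK_NAMES]
        if flagged:
            suspicious.append((lineno, addr, flagged))
    return suspicious


def clean_hosts(text: str) -> Tuple[str, List[int]]:
    """Return the file with flagged lines removed, plus the removed line numbers.
    Comments and legitimate mappings are preserved verbatim."""
    bad_lines = {lineno for lineno, _, _ in find_blocking_entries(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1)
            if i not in bad_lines]
    return "\n".join(kept) + "\n", sorted(bad_lines)


if __name__ == "__main__":
    for lineno, addr, names in find_blocking_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr} -> {', '.join(names)}")
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed lines {removed}; cleaned file:\n{cleaned}")
```

To inspect a real system, read the live HOSTS file into `find_blocking_entries` first and review the flagged lines before writing the cleaned copy back; writing to the Windows HOSTS file requires an elevated prompt, and enterprise blocklists or local development overrides may legitimately use the same loopback trick, so a flagged line is a lead to verify, not proof of infection.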
Aside from this, John Bambenek, threat intelligence advisor at Netenrich, said that the new computer virus reminds him of the previous Sony rootkit scandal, which became rampant a decade ago.
What Happens When You Access A Piracy Website?
If contact is made with the website, the new computer virus delivers a secondary payload, an executable named ProcessHacker.jpg, that performs several more functions to block the infected system from running pirated software.
In some of the samples observed, Brandt wrote, one of the computer virus's features was a kill switch that searches every location defined by the “%PATH%” environment variable for a couple of very specific filenames and causes the software to quit if it finds them both.
ProcessHacker.jpg also modifies the HOSTS file when it holds administrator privileges, which most of the samples examined by Sophos obtained by asking Windows for privilege elevation.
The security experts involved said that they could not identify the computer virus's provenance. However, they explained that it can be detected by endpoint protection through the runtime packer used with it, Mal/EncPk-APV, which coincidentally is the same one used by the unrelated Qbot malware family.