Security researchers at Binary Defense pulled off a rare masterstroke this year. In February, they analyzed a new version of Emotet, one of the most widely distributed Trojans in circulation, and found a new installation and persistence mechanism that relied, among other things, on creating a Windows registry key to back up an encryption key. On closer inspection, they noticed that the code which reads that registry key back during installation was vulnerable to a buffer overflow.
Without hesitation, they wrote a script called "EmoCrash" that pre-creates the same registry key on a Windows machine, but with a carefully chosen malformed value. If the machine is later infected, Emotet necessarily stumbles upon this key, reads its contents, and crashes outright. The installation is aborted before persistence is established, and the system is left unharmed: the overflow is not exploited to run anything, it is simply used to make the malware's own installer fail.
From February 12, Binary Defense quietly distributed the script to CERTs and incident response centers around the world, which allowed many organizations to be "vaccinated" against the malware. The immunity unfortunately did not last long. On August 6, the authors of Emotet changed their code, in particular removing the use of this registry key. It is a shame, but almost six months of protection is still a win.
Source: Binary Defense