Vigilante: the Malware that Blocks Access to Download Websites


Malware has changed its aims in recent years. In the past, the goal was simply to hinder the operation of computers, with no revenue in return. Later, malware went after passwords and account data, and then ransomware arrived, encrypting users' files and demanding payment to unlock them. That makes it rare today to find a piece of malware whose purpose is just to annoy users, let alone one built around a topic as curious as piracy.

That is the case with the Vigilante malware, discovered and named by SophosLabs principal researcher Andrew Brandt. It runs when users download and execute what they believe to be a pirated application or game. Once running, it reports the name of the executed file and the victim's IP address to a server controlled by its author.

The malware blocks access to more than 1,000 websites

On top of that, the malware blocks access to more than 1,000 piracy-related websites. At first glance this makes it look like the work of an anti-piracy group such as ACE (the Alliance for Creativity and Entertainment).

So while most malware sets out to steal passwords, cookies, intellectual property or keystrokes, Vigilante instead tries to stop the victim from pirating, something a malware author would not normally care about.

To block the sites, the malware modifies the Windows hosts file (C:\Windows\System32\drivers\etc\hosts), adding entries that map each blocked hostname to 127.0.0.1. Because Windows consults the hosts file before sending any DNS query, the browser connects to the local machine instead of the real site and the page never loads. The only fix is to open the hosts file and delete the added entries.
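As an added example (not code from the original article or from the SophosLabs analysis), the script below shows how to audit and clean a hosts file of this kind of sinkholing: it parses the file, flags every line that points a hostname other than localhost at a loopback address, and writes a cleaned copy after backing up the original. The sample hosts content, the hostnames in it and the hosts-file path are assumptions constructed for the demonstration.

```python
import re
from pathlib import Path

# Standard location of the hosts file on a default Windows install (assumed)
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Addresses a blocking entry typically points at
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately resolve to loopback and must not be flagged
LEGIT_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

# "<ip>   <name> [<name> ...]"   (comments already stripped)
_LINE_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")

# Constructed sample: the default Microsoft header plus two injected sinkhole lines
SAMPLE = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#       102.54.94.97     rhino.acme.com          # source server
#       127.0.0.1       localhost
#       ::1             localhost
127.0.0.1 localhost
::1 localhost
127.0.0.1 piracy-tracker.example
127.0.0.1 torrent-site.example www.torrent-site.example
"""


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every non-comment, non-blank line."""
    for n, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0]          # drop trailing comments
        m = _LINE_RE.match(body)
        if m:
            yield n, m.group(1), m.group(2).split()


def find_sinkhole_entries(text):
    """Return [(line_no, ip, hostnames)] where a non-local name is sent to loopback."""
    hits = []
    for n, ip, names in parse_hosts(text):
        if ip in LOOPBACK and any(name.lower() not in LEGIT_LOCAL for name in names):
            hits.append((n, ip, names))
    return hits


def clean_hosts(text):
    """Return (cleaned_text, removed_count) with the sinkhole lines dropped.

    Line endings of the original (CRLF on Windows) are preserved.
    """
    bad = {n for n, _, _ in find_sinkhole_entries(text)}
    nl = "\r\n" if "\r\n" in text else "\n"
    kept = [line for i, line in enumerate(text.splitlines(), 1) if i not in bad]
    cleaned = nl.join(kept) + (nl if text.endswith(("\n", "\r\n")) else "")
    return cleaned, len(bad)


def clean_hosts_file(path=HOSTS_PATH):
    """Back up the hosts file and strip sinkhole entries in place.

    Needs administrator rights on Windows; returns the number of lines removed.
    """
    text = path.read_text(encoding="utf-8", errors="replace")
    cleaned, removed = clean_hosts(text)
    if removed:
        path.with_suffix(".bak").write_text(text, encoding="utf-8")
        path.write_text(cleaned, encoding="utf-8")
    return removed


if __name__ == "__main__":
    for n, ip, names in find_sinkhole_entries(SAMPLE):
        print(f"line {n}: {ip} -> {' '.join(names)}")
    # Real cleanup on the live file: clean_hosts_file()
```

Review the report before deleting anything: hosts-based ad blockers also map hostnames to 0.0.0.0 or 127.0.0.1, so a hit is not proof of infection, and a few legitimate local names beyond the three listed in LEGIT_LOCAL may need to be added for a given machine.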

Infected files on Discord and in torrents

The malware appears to be widely distributed: Brandt found it in several files shared through Discord, and also in torrents posing as games, productivity tools and security-related software.

Analysing the code reveals further peculiarities. Many of the executables are digitally signed, but with a fake certificate rather than one issued by a trusted certificate authority, so the signature does not chain to a trusted root and Windows will not treat it as valid. Each signature carries an 18-character string of mixed upper- and lower-case letters as the signer name, and the certificate's validity period starts on the day the file was made available and runs until 2039.

Opening the executables in a hex editor also reveals a racist message repeated more than 1,000 times. The repetition appears to be padding intended to change the file's hash, which makes hash-based detection less useful, and it says a great deal about the kind of person who wrote the malware and their principles.
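Padding of this kind defeats exact-hash matching, but it is itself a strong indicator: a legitimate binary rarely contains the same printable string hundreds of times. The script below is an added example (not code from the article or from SophosLabs) that scans a file for heavily repeated printable ASCII strings, handling both copies separated by null bytes and copies laid back to back, where a single long run has to be broken into its smallest repeating unit. The sample "binary" and its filler phrases are constructed for the demonstration; they stand in for the real message, which is not reproduced here.

```python
import re
from collections import Counter

MIN_LEN = 8              # ignore short printable runs
REPEAT_THRESHOLD = 100   # Vigilante repeats its string 1,000+ times; a lower bar catches smaller padding

# Runs of printable ASCII at least MIN_LEN bytes long
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Constructed sample: a PE-like header, a few ordinary strings, then two kinds of padding
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"This program cannot be run in DOS mode.\x00"
    + b"kernel32.dll\x00GetProcAddress\x00"
    + b"FILLER TEXT USED AS HASH BUSTER\x00" * 600   # copies separated by a null byte
    + b"SECOND FILLER PHRASE" * 500                   # copies laid back to back
    + b"\x00trailing data"
)


def minimal_period(s):
    """Smallest p such that s is a prefix of s[:p] repeated, via the KMP failure function."""
    n = len(s)
    if n == 0:
        return 0
    fail = [0] * n
    k = 0
    for i in range(1, n):
        while k and s[i] != s[k]:
            k = fail[k - 1]
        if s[i] == s[k]:
            k += 1
        fail[i] = k
    return n - fail[-1]


def padding_candidates(data, threshold=REPEAT_THRESHOLD):
    """Return [(string, count)] for printable strings repeated at least `threshold` times.

    A run that is itself periodic (back-to-back copies) is credited to its repeating unit,
    so "ABCABCABC..." counts as many copies of "ABC" rather than one long string.
    """
    counts = Counter()
    for m in _ASCII_RUN.finditer(data):
        run = m.group(0)
        p = minimal_period(run)
        if p <= len(run) // 2:            # at least two full copies of the unit
            counts[run[:p]] += len(run) // p
        else:
            counts[run] += 1
    return [(unit.decode("ascii"), c) for unit, c in counts.most_common() if c >= threshold]


def scan_file(path, threshold=REPEAT_THRESHOLD):
    """Scan a file on disk; returns the same list as padding_candidates."""
    with open(path, "rb") as f:
        return padding_candidates(f.read(), threshold)


if __name__ == "__main__":
    for text, count in padding_candidates(SAMPLE):
        print(f"{count:6d} x {text!r}")
```

A hit means the repeated unit, not the file hash, is the indicator to share: the unit stays constant across samples even when the author varies how many times it is repeated, and it can be turned straight into a string rule for a scanner.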

Vigilante does have one saving grace: it has no built-in persistence mechanism, so once it has run it does not execute again on its own. Cleaning up therefore comes down to restoring the hosts file and deleting the downloaded executable so it is not run a second time. The filename and IP address it has already sent to the attacker's server, of course, cannot be taken back.