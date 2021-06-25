Malware usually tries to profit from its victims. A newly discovered variant, on the other hand, acts as a self-appointed fighter against injustice and makes life difficult for software pirates.

Trojans and other malware have become highly professional in recent years. They use new methods to blackmail their victims, bombard them with unwanted advertisements or steal their most personal data. A newly discovered variant is almost refreshing by comparison: in the style of the dark avenger Batman, it goes only after alleged wrongdoers, and even stops them from continuing.

It was discovered by the researcher Andrew Brandt, who works for the antivirus vendor Sophos. "It is really unusual to discover something like this. Usually there is only one motive behind malware: to steal things," he wrote on Twitter, explaining his surprise at the new malware. "Whether it is about recording passwords or keystrokes, cookies, intellectual property, access or even the CPU to mine cryptocurrencies, the motive is always theft," Brandt explains. "But not in this case." The observed software only starts a few processes, "none of which fits the typical motives of malware," the puzzled expert writes.

What is “Vigilante”?

The observed software uses well-known patterns: it hides in cracked versions of games or programs offered on pirate sites; it was observed, for example, posing as a copy of the antivirus software Malwarebytes. If such a program is downloaded and its installer started, the malware quietly installs itself in the background alongside it. Once on the computer, it transmits the name of the installer that was run and the machine's IP address to the software's operator, just as many of its malicious relatives do. What happens next, however, shows that the operator is interested in something different.

Instead of stealing the user's data or blackmailing them with encrypted files, the program only modifies the so-called hosts file, the local text file the operating system consults before DNS, and in this way blocks browser access to dozens of popular pirate sites such as The Pirate Bay. Put simply, it maps the domain names of these sites to the loopback address 127.0.0.1, so every request for them ends up at the victim's own machine instead of the real server. This does no lasting harm, since the entries can be removed again by editing the file, but as long as they are present the sites cannot be reached by name from that computer.
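To make the mechanism concrete, here is an added example of the check a defender would run on a machine suspected of carrying such entries. This is example code written for this article, not Sophos's detection tool and not code from the malware itself. It parses a hosts file in the format used by Windows (`C:\Windows\System32\drivers\etc\hosts`) and Unix-like systems (`/etc/hosts`), lists every non-local hostname that has been pointed at a loopback or null address, and produces a cleaned copy. The sample hosts content and all domains in it apart from thepiratebay.org, which the article names, are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file: the standard localhost lines plus entries of
# the kind a sinkholing program appends. thepiratebay.org is named in the
# article; every other domain here is invented (.example is reserved for
# documentation, 192.0.2.0/24 is a documentation IP range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
127.0.0.1 thepiratebay.org www.thepiratebay.org
127.0.0.1 torrents.example   # invented domain
0.0.0.0 tracker.example
::1 mirror.example ip6-localhost
192.0.2.10 cdn.example
"""

# Names that legitimately map to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, [hostnames]) for every active mapping line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()                     # whitespace (spaces or tabs)
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # malformed line; resolvers skip it too
        entries.append((line_no, parts[0], parts[1:]))
    return entries


def _sinkholed_names(addr: str, names: List[str]) -> set:
    """Non-local names on this line that are sent to loopback or the null address."""
    ip = ipaddress.ip_address(addr)
    if not (ip.is_loopback or ip.is_unspecified):   # 127.0.0.0/8, ::1, 0.0.0.0, ::
        return set()
    return {n.lower() for n in names if n.lower() not in LOCAL_NAMES}


def find_sinkholed(text: str) -> Dict[str, int]:
    """Map each sinkholed hostname to the hosts-file line number that blocks it."""
    hits: Dict[str, int] = {}
    for line_no, addr, names in parse_hosts(text):
        for name in _sinkholed_names(addr, names):
            hits[name] = line_no
    return hits


def clean_hosts(text: str) -> str:
    """Return the hosts text with sinkhole mappings removed.

    A line that mixes legitimate local names with blocked sites (e.g. the
    '::1 mirror.example ip6-localhost' case) keeps only its local names;
    a line consisting solely of blocked sites is dropped.
    """
    rewrite: Dict[int, str] = {}
    for line_no, addr, names in parse_hosts(text):
        bad = _sinkholed_names(addr, names)
        if bad:
            keep = [n for n in names if n.lower() not in bad]
            rewrite[line_no] = f"{addr} {' '.join(keep)}" if keep else ""
    out = []
    for i, raw in enumerate(text.splitlines(), start=1):
        if i not in rewrite:
            out.append(raw)
        elif rewrite[i]:
            out.append(rewrite[i])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Run against the constructed sample; swap in Path(...).read_text() for a real file.
    for name, line_no in sorted(find_sinkholed(SAMPLE_HOSTS).items()):
        print(f"line {line_no}: {name} is sinkholed")
```

Two points worth noting when using this on a real machine: the check only covers name resolution on that host, so a proxy or VPN that resolves names remotely, or a client that connects by IP address, is unaffected by hosts-file entries either way; and a flagged line is not proof of this particular program, since ad blockers and parental-control tools write the same kind of entries on purpose.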

In keeping with this behavior, Brandt has christened the program "Vigilante". The term refers to people who take the law into their own hands, and in American pop culture it is used time and again for comic heroes like Batman or Spider-Man who place themselves above the law.

No real damage

What exactly is behind the campaign is not yet known. It is conceivable that the operator uses the collected data as evidence to send warnings to the owners of the infected computers, but no such case has become public. Victims of the vigilante need not fear further consequences: after a reboot the program is gone again, and only the modified hosts file remains. Nevertheless, Sophos offers a tool with which you can check your own computer if you suspect an infection with the program.

That Brandt has little sympathy for the software's operator, despite the harmless approach and the seemingly respectable motive, is due to another detail. The developer had padded part of the program with meaningless text, and chose to repeat a racist slur more than 1,000 times. "Filling an archive with meaningless text can serve to cover up the real file size," explains Brandt. "But using racist slurs tells me everything I need to know about the developer."