The company NordLocker discovered a large amount of partly sensitive data records in the course of malware analyzes. Malicious code, which the researchers call “Nameless Malware”, is said to have copied the data from more than three million Windows computers between 2018 and 2020. In order to give those potentially affected at least an indication of a possible infection, NordLocker has passed on more than 1.1 million e-mail addresses from the data set to the Have I Been Pwned inspection service.
According to NordLocker, the “prey” of the nameless malware includes not only the said addresses but also complete access data records for some very well-known web services and platforms such as Facebook, Google (Gmail and Co.) or Amazon. The malicious code had apparently saved the data copied from the systems in a central database accessible via the Internet. NordLocker reported the database discovery to the US-CERT and the responsible cloud storage provider, who removed the database from the network.
Check your email address at HIBP
HIBP offers the possibility to search a huge database with meanwhile more than 11 billion entries for a mail address. Usually you can do this by entering the relevant address directly on the start page of haveibeenpwned.com. However, HIBP operator Troy Hunt has the data from NordLocker labeled as “Sensitive Breach”so that only the owners of the email addresses can check whether they are affected. That works over the “Notify me” menu item or via the Counterpart “Domain Search” for domain owners. In the event of a hit, a direct notification will be sent to the specified email address.
Almost 26 million login records captured
The “Nameless Malware” description from NordLocker According to the malware, it stole almost 26 million login records, consisting of combinations of the aforementioned e-mail addresses (or, alternatively, a user name) with passwords from the 3.25 million Windows systems. Most credentials were copied from browsers, especially Google Chrome. In addition, there are more than two billion cookies and 6.6 million files from desktops and from download folders. More than 50 percent of the files were text files in which the researchers in turn discovered access data or other personal information that was often noted down.
NordLocker assigns the copied access data to twelve different areas. Particularly eye-catching among other things
- 1,540,650 Google and 403,580 Outlook access data (“Email Services”)
- 1,471,416 Facebook and 261,773 Twitter access data (“Social Media”) and
- 209,534 Amazon login data (“Online Marketplace”).
There are also some well-known names in the areas of “Online Gaming”, “Streaming Services”, “Financial” and Co. It should be noted, however, that according to NordLocker, the credentials yield are “scattered” across almost a million services and platforms, not all of which are as well known (and as badly affected) as the examples mentioned here. In addition, the data was apparently collected within a period of around two years (namely in front 2021), so that the topicality and validity of many access data sets are likely to be questionable.
Inconspicuous, but durable
The term “Nameless Malware” makes it clear that the current malicious code discovery is neither an isolated case nor a particularly sophisticated malicious code species. In fact, NordLocker emphasizes that Trojans of this type can be had en masse on relevant platforms and for around 100 US dollars; it is a booming market.
The way the malware spreads also seems rather unspectacular: it traveled in the luggage of illegal software downloads such as cracked games, Adobe Photoshop 2018 and a Windows cracking tool, writes NordLocker. But precisely the inconspicuousness of such malware, which is in stark contrast to the very “loud”, currently ubiquitous ransomware attacks, ensures that it represents an undetected (and data-gathering) threat over a long period of time, the developers of which often get away with impunity .