HAVE I BEEN EMOTET? Two italian engineers can tell if you are

For this free initiative they were thanked by companies of the caliber of Swatch, Volkswagen, Airbus and then by N.C.I.S. of the American Navy, by the French and Austrian Cert, by the Belgian and Australian police, who verified that their domains were in the database as bogus senders carrying the Emotet infection.

By Arturo Di Corinto

Image for post
Image for post
Enrico and Gianfranco Tonello (2020, Padua, Italy)

They are two brothers from Padua, and have just received compliments from the US marines for finding out which of their email addresses were infected. Their names are Enrico and Gianfranco Tonello. Instead, he is a computer engineer for a small company in the Cesena area and in his spare time he has developed a method to trace the phenomenon of computer blackmail. His name is Luca Mella. The former have created a bait system to intercept the dangerous Emotet banking virus, the latter a method to track down criminal gangs that distribute the dangerous ransomware.

The search engine to find out if you have been infected with the Emotet virus was developed by the Italian Tg Soft together with Cram, its anti-malware research center. The service works a bit like Google: once you enter your email address in the search field, it allows us to find out if we are infected with this dangerous malware that has been raging since 2014 and that spies on our emails.

The virus is transmitted by e-mail and could look like the usual spam email, but if we open the malicious attachments of the email, in Word and Excel, disguised as an invoice, count or parcel receipt, the malware runs and installs a trojan ( a Trojan horse), capable of reading the address book from the victim and transmitting addresses to remote servers controlled by the criminals. With the corresponding login credentials.

At this point, Emotet can use the victims’ accounts to send further messages with the malicious code embedded and start a chain of infections. But it can also download add-ons like TrickBot, the ransomware that Microsoft, Eset and UsCybercommand are fighting relentlessly against because it is feared that it could be used to interfere with the US elections. Ransomware is in fact a type of malware that blocks access to our files and can also lock the screen making the device unusable.

Tg Soft’s project mimics the more famous “Have I been Pwned!”, (pwned in video games indicates total defeat or humiliation by a rival). The site, created by cybersecurity expert Troy Hunt, tells us if our email address has ended up in some database stolen or put up for sale on the Darkweb, perhaps to commit crimes using our online identity. Hunt’s database now has several billion stolen emails and passwords. Test to see if you are there too.

How the site Have I been pwned? The Tg Soft site “Have I been Emotet” understands if the email address we entered was used to send messages containing the Emotet malware or if we have received one or more email messages containing the malware itself. From the site we learn that it happened to several italian journalist at La Repubblica. At least four reporters received the malware.

The emails uploaded with Emotet are intercepted by the honeypots (the “honey jar”, i.e. the bait) of Tg Soft, then they are blocked and the recipient will not receive them. Gianfranco, one of the brothers engineers who created it, tells us: “Emotet steals the password and username of the email account, be it MsOutlook or Thunderbird, then puts them away and steals your inbox messages, then sends them to its C2 — the Command & Control servers (there are about 400). On the infected machine of the victim, Emotet waits to receive the commands, and then sends the spam messages with the stolen account using the message body of the correspondences made with our contacts in a ‘reply chain’, so as to pretend to be a legitimate sender with whom we exchanged a precedent email to more easily deceive the victim “. The serious thing, he adds, is that “If the criminals who run Emotet’s servers rent them to other gangs that produce other threats, they download different viruses every time, as in the case of Trickbot.”

The two engineers, Enrico and Gianfranco Tonello are two veterans of computer science. They have been on the market for thirty years with a small and dynamic company created in the 90s near Padua, when information security was only spoken of in universities. For this free initiative they were thanked by companies of the caliber of Swatch, Volkswagen, Airbus and then by N.C.I.S. by the American Navy, by the French and Austrian Cert, by the Belgian and Australian police, who verified that their domains were in the database as bogus senders carrying the Emotet infection.

The story has been originally published for La Repubblica here: https://www.repubblica.it/tecnologia/sicurezza/2020/10/28/news/gli_artigiani_informatici_italiani_che_ci_aiutano_contro_i_cybercriminali-272141887/

Written by

Teacher, journalist, hacktivist. Privacy advocate, copyright critic, free software fan, cybersecurity curious.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store