The price of altered data
Tuesday, June 27, 2017
Hackers have a fairly narrow focus. As a rule, they are interested in passwords (which can be sold or added to a vast collection), videos and music, and photos (which, if they contain any nudity, can also be sold or used to blackmail the owner). All in all, hackers are after things that can be quickly downloaded and sold. Analysing the contents of documents on a random target (especially right inside the infected system) can yield some benefits, but looking for information that may interest someone is tedious, and in the end there may be no buyers at all.
As a rule, documents are downloaded and deleted.
BackDoor.Apper.1 steals documents in infected systems. Once an entry for its application is added to the Windows Registry so that it launches automatically, the backdoor removes its source file.
Modifying documents in a compromised system is more characteristic of banking Trojans which analyse and replace forms on webpages.
Trojan.Bolik.1 is primarily designed to steal valuable personal information. The malware can accomplish this in several ways. For example, it can monitor data that is being transmitted by Internet Explorer, Chrome, Opera, and Mozilla Firefox.
So does this mean that if information hasn't been deleted from a hard drive, its integrity is intact? If only that were true…
WikiLeaks revealed another exploit for Windows, called Athena. The tool is designed to provide access to any Microsoft OS from Windows XP up to Windows 10, and it enables attackers to gain full control over the targeted system.
Athena can download malware to perform specific tasks on an infected computer and add/obtain files from specified directories.
WikiLeaks published information about another hack tool from the CIA's arsenal. The Pandemic malware is used to compromise computers that have shared folders which are accessed over SMB.
According to WikiLeaks, the program is installed in an attacked system as a file system filter driver. It monitors SMB traffic and detects when users attempt to download shared files from an infected machine. Pandemic intercepts download requests, responds on behalf of the compromised system and provides users with malicious files instead of legitimate ones.
When a user sends a request to an infected device in order to download something from a shared folder, Pandemic intercepts the SMB query and responds in the attacked computer’s stead. As a result, instead of the requested file, the user will download malware that was kindly provided by Pandemic.
This means that you will receive an entirely different document, and your screen will display information the attackers want you to see.
Files don’t even need to be replaced. Instead, documents can be modified on the fly. Traditionally, this behaviour is typical of macro viruses. For example, MS Word makes use of VBA (Visual Basic for Applications). Using the language to replace text in a document is dead easy. We won't use the old macro virus, which replaced commas and full stops with rough language, as an example. Just take our word for it: it really is simple to do.
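As an added example (not part of the original article), here is a minimal integrity baseline in Python: it records the SHA-256 hash of every document under a folder and later reports files that were altered, added or removed, so that a substituted or macro-edited document does not go unnoticed. The sample documents and the simulated alteration are constructed inside the script; the file names are placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large documents need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record SHA-256 and size of every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline by content hash."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current
                           and current[k]["sha256"] != baseline[k]["sha256"]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        # Size-only comparison, included to show what a cheap check misses.
        "size_changed": sorted(k for k in baseline if k in current
                               and current[k]["size"] != baseline[k]["size"]),
    }


def demo() -> dict:
    """Constructed scenario: two documents, one altered in place, one dropped."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "contract.docx").write_bytes(b"Pay 1,000 EUR to ACME")
        (root / "notes.txt").write_bytes(b"meeting at 10")
        baseline = build_baseline(root)
        # Same length, same name: the kind of edit a macro or file swap makes.
        (root / "contract.docx").write_bytes(b"Pay 9,000 EUR to ACME")
        (root / "report.pdf").write_bytes(b"%PDF-1.4 dropped file")
        return verify(root, baseline)
```

Because the altered contract keeps its name and byte length, only the hash comparison catches it; the baseline itself must be kept off the monitored machine (or on read-only media), since an attacker with full control could otherwise rewrite it.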
The Anti-virus Times recommends
It is very unlikely that an ordinary user will be targeted by intelligence services, but the computer of a high-ranking company official is a whole different story. Having data altered on a machine belonging to someone like that can incur significant costs. This means that it is imperative to install anti-virus software and updates and to prevent unknown applications from being installed.