Malware hitches a ride on digital devices

Discussion in 'malware problems & news' started by Malcontent, Jan 13, 2008.

Thread Status:
Not open for further replies.
  1. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    606
    Location:
    Cleveland, Ohio USA
    http://www.theregister.co.uk/2008/01/11/malware_digital_devices/

     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    Dis-a-ble auto-run, pro-blem sol-ved.
    Mrk
     
  3. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,388
    How to do this and what other purpose does autorun serve? If I disable this function, when should I be aware of something not happening as expected (apart from malware being silently installed)?
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    TweakUI
    With autorun disabled, when you insert removable media nothing happens. You must go to "My Computer", right-click in the appropriate drive and choose "Explore" to see its content.
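As an added example (not from this thread, TweakUI or any tool mentioned in it), the Python script below decodes the NoDriveTypeAutoRun policy value, which is the registry setting that controls AutoRun per drive type and which utilities such as TweakUI are assumed here to adjust. It reports which drive types would still AutoRun under a given value, applies the documented precedence (the HKLM policy overrides HKCU), and, on Windows only, reads the live value; the bit meanings follow Microsoft's documentation, and the Windows XP default of 0x91 is used when neither hive sets the value.

```python
"""Decode the NoDriveTypeAutoRun policy that decides which drive types AutoRun.

Added example. Bit meanings follow Microsoft's documentation (each set bit
disables AutoRun for that drive type); the registry read only works on Windows.
"""
import sys

REG_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# bit -> drive type (bit = 1 << GetDriveType() result)
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB sticks, card readers, photo frames
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_UNSPECIFIED",
}
DISABLE_ALL = 0xFF   # every bit set: AutoRun off for all drive types
XP_DEFAULT = 0x91    # Windows XP default: unknown, remote and unspecified disabled,
                     # removable media and CD-ROM still AutoRun


def still_autoruns(value):
    """Drive types for which AutoRun remains enabled under this value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def is_fully_disabled(value):
    """True when all eight drive-type bits are set (0xFF)."""
    return (value & DISABLE_ALL) == DISABLE_ALL


def effective_value(hklm_value, hkcu_value):
    """HKLM policy wins over HKCU; with neither set, assume the XP default."""
    if hklm_value is not None:
        return hklm_value
    if hkcu_value is not None:
        return hkcu_value
    return XP_DEFAULT


def read_policy(hive):
    """Read the value from 'HKLM' or 'HKCU'; None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(root, REG_PATH) as key:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
            return int(value)
    except OSError:
        return None


def audit():
    """Print the effective setting and return it."""
    value = effective_value(read_policy("HKLM"), read_policy("HKCU"))
    print(f"{VALUE_NAME} = 0x{value:02X}")
    if is_fully_disabled(value):
        print("AutoRun disabled for all drive types")
    else:
        print("AutoRun still active for: " + ", ".join(still_autoruns(value)))
    return value


if __name__ == "__main__":
    audit()
```

Run on a Windows machine it prints the effective value and the drive types that would still run an autorun.inf automatically; 0xFF is the setting that covers every type, including the removable-media class a digital photo frame or USB stick falls into. This value governs only the automatic-run path; the shell verb entries in an autorun.inf file that later posts in this thread discuss are a separate mechanism and are worth checking on their own.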
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    XP AntiSpy also, I think.
     
  6. computer geek

    computer geek Registered Member

    Joined:
    Oct 6, 2007
    Posts:
    776
    Here, from another article.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That's an interesting trick. How does a trojan which depends on Auto-run to execute re-enable Auto-run so that it can execute?


    ----
    rich
     
    Last edited: Feb 16, 2008
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Some electrical trick? :D
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Talk about misinformation :D :thumbd:
     
  10. computer geek

    computer geek Registered Member

    Joined:
    Oct 6, 2007
    Posts:
    776
  11. Elrendhel

    Elrendhel Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    27
    Here's the updated URL for the SFGate article.

    Does NOD32 have the definitions to properly identify and remove the malware that gets loaded on infected machines?
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The SF Chronicle Story appeared last Friday/15th.

    A search for Mocmex through the weekend found nothing except references to the SF story.

    However, on the 19th CA released a Security Advisory:

    Win32/Mocmex.AM

    But nothing in the analysis mentions that once the worm infects a USB device, the device, when connected to another computer, can enable a disabled AutoRun.

    I was able to contact the person who wrote the analysis, and I asked him for clarification. He answered that if AutoRun is disabled, the exploit will not run, unless the user manually clicks on the file.

    Unless something else is revealed about this exploit, from a preventative point of view, there is nothing new here.



    ----
    rich
     
  13. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    If you disable Auto-Run prior to plugging in the frame on a clean system, I don't see how you could become infected.

    If you plug it in, then disable Auto-Run, yes, you're hosed.

    This sounds a little FUD-like to me.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It turns out that it depends on how you disable AutoRun.

    One of the frustrations of figuring out what is really going on is that the published analyses don't analyze in depth. The success of the exploit depends on specially crafted AutoRun.inf files, which haven't been talked about much: how do they really work?

    So I decided to find out. I've written a short article which you can read here. I've included some basics of autorun.inf files along with analyzing one of the files that was used in an exploit:

    http://www.urs2.net/rsj/computing/tests/digiframe/InfFile.html

    I hope others can experiment to see if your results corroborate my findings.

    regards,

    -rich
     
  15. Dogbiscuit

    Dogbiscuit Guest

    Very helpful article Rmus. Thanks.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Except Explore, I think. It just bypasses the autorun.inf. This is what I see on XP.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello, aigle,

    If the AutoRun.inf file contains these lines:

    then right-clicking on the drive and clicking "Explore" should open maliciousfile.exe.

    Did you test with the AutoRun.inf file I posted?

    I'll check again with XP.

    EDIT: Looking back at my test, I see that I used both Win2K and WinXP.


    ----
    rich
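As an added example (not code from this thread, from Rmus's linked article, or from any product mentioned here), the Python script below reads an autorun.inf and lists the directives that can launch a program or redirect a context-menu verb such as Explore, the behaviour the last few posts discuss. It uses the keys Microsoft documents for the [autorun] section (open, shellexecute, shell and shell\<verb>\command); the two sample files at the bottom are constructed for the demonstration, and the executable name in them is a placeholder.

```python
"""Report autorun.inf directives that launch a program or redirect a shell verb.

Added example; inspects the documented [autorun] keys (open, shellexecute,
shell, shell\\<verb>\\command). The sample files at the bottom are constructed.
"""
import configparser
import re

# Keys that start a program directly when AutoRun/AutoPlay processes the file.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=<program> replaces what the named context-menu verb does,
# so "Explore" or "Open" on the drive icon can run the program instead.
SHELL_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)


def parse_autorun_inf(text):
    """Return findings as (severity, key, value, reason) tuples for the [autorun] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case; backslash paths are reported verbatim
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            lowered = key.lower()
            verb = SHELL_COMMAND.match(key)
            if lowered in EXEC_KEYS:
                findings.append(("high", key, value,
                                 "runs a program when the drive is inserted or opened"))
            elif verb:
                findings.append(("high", key, value,
                                 f"redirects the '{verb.group(1).lower()}' context-menu verb"))
            elif lowered == "shell":
                findings.append(("medium", key, value,
                                 "changes which verb a double-click on the drive runs"))
    return findings


def hijacked_verbs(text):
    """Set of context-menu verbs (lower-case) whose command is overridden."""
    return {SHELL_COMMAND.match(key).group(1).lower()
            for _, key, _, _ in parse_autorun_inf(text)
            if SHELL_COMMAND.match(key)}


def report(text):
    """Print a human-readable summary; return the number of findings."""
    findings = parse_autorun_inf(text)
    if not findings:
        print("no program-launching directives found")
    for severity, key, value, reason in findings:
        print(f"[{severity}] {key} = {value}  ({reason})")
    return len(findings)


# Constructed samples: one following the pattern discussed in the thread
# (every way of opening the drive leads to a hidden executable), one benign.
# "hidden\update.exe" is a placeholder path, not a real malware name.
SUSPECT_INF = """\
[autorun]
open=hidden\\update.exe
shell\\open\\command=hidden\\update.exe
shell\\explore\\command=hidden\\update.exe
shell=open
icon=frame.ico
label=Digital Frame
"""

BENIGN_INF = """\
[autorun]
icon=frame.ico
label=Digital Frame
"""

if __name__ == "__main__":
    report(SUSPECT_INF)
    report(BENIGN_INF)
```

The script only reads the file, so it can be pointed at the root of a newly connected drive (for instance with AutoRun fully disabled, or from a system that does not process autorun.inf at all) before the drive is opened in Explorer. A file whose only keys are icon and label produces no findings; an entry under shell\explore\command is the case Rmus describes, where choosing Explore from the context menu runs the named program instead of opening the folder.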
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Rmus, I will check later.

    I am too busy today and maybe later as well. Just did a few quick tests. Thanks for all the useful info and POCs.

    Take care
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks a lot Rmus for your writeup and PM by the way. This particular issue should be taken seriously because it can create all kinds of havoc, and to think this has been around since Windows 98 days.

    I've been aiming on getting around to investigating Autorun ever since I found the Pen Drive hack-tool Switchblade and some others that lay claim carefully fashioned .inf + .bat files can sweep across sensitive sections of a PC in a matter of seconds and capture private or any other type of data, as well as being capable of delivering a crippling payload on this type of interaction.

    More interest needs to be given to this area, nice effort. Thanks again.
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    You are all welcome.

    A colleague and friend asked the other day: if you purchased an infected USB device, would you rather block the AutoRun.inf file from executing, or let it execute and have the commands in the file blocked, either by script blocking or White Listing which prevents the executable from installing?

    She raises an interesting point, because the malicious files are hidden on the device and not readily seen.

    By letting the AutoRun.inf file run and then be alerted to a script or executable, you would then know that the device is infected and could deal with cleaning it up. Or returning it to the retailer.

    Regarding Switchblade and that silly parking lot fiasco, two things were evident:

    1) people are gullible (connecting to your computer a pendrive you find in a parking lot)

    2) the computers in question had no protection against installation of unauthorized executables by remote code execution (AutoRun.inf file)


    ----
    rich
     
    Last edited: Mar 17, 2008
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'd block Autorun and then format the newly purchased drive.
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Can you describe how you block AutoRun?

    Note that you have to do more than just format U3 devices:

    http://en.wikipedia.org/wiki/U3
    I just confirmed with Mrk that you have to uninstall the U3 software first. Here is an article:

    http://www.mydigitallife.info/2006/09/11/disable-remove-and-uninstall-u3-launchpad/


    ----
    rich
     