Is it safe to perform the following tasks?

I'm troubleshooting problems present on our computers. The problems seem to do with the faulty USB external drive. But some suggest it may be malware too.

So I would like to ask if it's possible for a computer to get infected under the following circumstances:
1. Simply plug in the infected USB drive / discs / USB stick and do absolutely nothing!
2. Simply copy and paste the infected file, or move the infected file. We will be infected even if we haven't run/executed it!!
3. Just extracting files from an infected archive (e.g. zip or rar)
4. Simply double click to open an infected archive without extracting anything
5. All computers would get infected automatically if one computer in the same local network is infected. It doesn't require any user interaction!!

What should we do to help minimize the risks of infection if we are handling people with infected PCs, drives or files?

Please help and confirm. Thanks.

 

1. Minimum -
You need to prevent the autorun function on your PC.

2.
Probably ok.
In a proof of concept I saw how a single click on a file can run an executable.
However I don't think this has ever been seen in the wild.

3.
Not sure. Probably same as 2)

4.
Defo no. The file may show as an zip file but could have a false extension on it. i.e could be bad.exe.zip.

5.
No idea. My guess would be prob yes all would be infected,
if they are on the same network.

If you need to test for malware , I'd defo switch off the wireless network and unplug any network cables

 

I'd install Returnil (or a program like it) and lock down the system before doing anything.

 

Michael Horowitz had a good column about this issue:
ComputerWorld

He refs to this article:
Social Engineering, the USB Way
an eye-opening case study of network exposure via USB flash drives

 

See here for a fix for the autorun bug. Just save this as a .reg file and double-click it:

Code:

REGEDIT4  
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Re 5: it can happen. If computers on the network have certain services running or ports open, it may be possible for a worm to send them packets that exploit bugs in said services to execute a payload... such as a copy of the worm. IIRC this is how Conficker spread. Having a software firewall obviously helps, although there have even been examples of worms that spread using exploits in firewalls (e.g. Witty).

 

Uwe Sieber has lots of good info on USB flash drives and troubleshooting / protecting systems from them:
http://www.uwe-sieber.de/usbstick_e.html

 

Oh! That's horrible. Many proofs of concept turned into practice by malware writers in the past, rootkits being one of them. It's enough to get alert when a working proof of concept presents.

Do you have a link to that proof of concept (or page which explains this)?

I wonder if it's also dangerous to click on the folder which has the malware inside too.

What do you mean when the malware has false extension?
The windows will run it as if it's a zip archive.
Do I still get infected even if I just open it as if it's an "archive"?

 

Lockdown programs don't seem to be absolutely safe either:
MBR Rootkit Malware vs Security Software
Malwaretestlab 9 Killdisk Virus vs 25 Security Software

The following programs failed to pass all tests:

• Shadow User Pro
• Windows SteadyState
• Virtual Sandbox
• Disk Write Copy Pro
• Hdguard
• COMODO DiskShield
• Returnil Virtual System Premium
• RollBack Rx

So it's safe to know more about what malware can do and prevent from getting infection by doing potentially dangerous operations.

 

Thanks for the links, axial.

The Witty worm: http://news.zdnet.com/2100-1009_22-135008.html

It doesn't require any user interaction to get infected from what I understand, correct?

I wonder if the situation can be prevented if I have a router too even if the software firewall has exploits.

This story should imply Windows firewall alone doesn't guarantee safe from outside attacks (it can have its own exploits too). Even scarier, malware can still infect even without any user interaction. A sophisticated firewall is required to keep our computer safer. Is that what those examples imply?

 

Hi there,

Questions:
1. Simply plug in the infected USB drive / discs / USB stick and do absolutely nothing!
2. Simply copy and paste the infected file, or move the infected file. We will be infected even if we haven't run/executed it!!
3. Just extracting files from an infected archive (e.g. zip or rar)
4. Simply double click to open an infected archive without extracting anything
5. All computers would get infected automatically if one computer in the same local network is infected. It doesn't require any user interaction!!

Answers:
1. Maybe, depends on the configuration.
2. Maybe, depends what precedes the copy; if you plugged in an infected USB device and copied the file, you may think the infection comes from the copy, when it comes from previous step. Furthermore, if certain files have all sorts of shell handler thingies, interacting with the file could potentially trigger an infection.
3. No, but see 2.
4. Not likely.
5. Maybe, if the malware is network aware, hosts have no firewall or permit LAN traffic and are vulnerable to the same infection as the one problematic host.

Best solution:
Disable USB autorun/autoplay as suggested.
Use alternative apps to popular mainstream thingies.
Do not install malware or fiddle with suspected files. If in doubt, no doubt.
If you must fiddle, use command line (cmd) to perform actions and not GUI.

Cheers,
Mrk

 

--
I'd have a different attitude to POC's than you , they would not worry me at all. I was reading though one poster here and basically threats that occured in the wild ,
and had lots of publicity , were all basically them same.
They all tried to download an executable file to your PC.
So POC's don't really bother me.
--
Sadly I can't find the link to it.
It involved adobe I think. The idea was when your in explorer one of the tabs , like size etc , is description.
Now windows will ask the file for its description.
When it does so , a bug in Adobe will allow it to run a different command.
This command could be anything.

So by just by clicking on the infected Adobe file , it could run something in the background.

---

Regarding the other thing , the bad.exe.zip I think windows will run this as bad.exe , not bad.zip.

So the malware runs , your zip application doesn't.
90% sure on that.

 

Yeap I'd agree. I'd split those virus into very different groups though.

The MBR one , is about the most sophisticated malware around. Going the MBR route , and waiting 30 mins to run, and lots of other stuff. So basically I think a virus of that type of sophistication , will get past most defences.
So put it in the 1% of risk that will always be there.

The killdisk is a different one. If all it does is wreck a PC , its not going to make its owners any money. So I think those viruses are becoming less common. So while probably detectable, I also wouldn't consider it a big problem.

 

I'd look at it a little differently.
Again it's quite an unusual case.
A piece of security software was exploited to spread viruses.

So the lesson I'd take from it.
Don't rely on one piece of security software.

However I'd say its very unlikely a piece of security software will be exploited again.
As it would kill their business I'm sure they take this risk much more seriously after the 2004 exploit.

 

Would you explain the second part (shell handler) more? How does it actually work? It would be preferable if you know a page which explains this kind of infection.

And I have another question. If file copy/movement can trigger infection, what if I download the file? Will I get infected when I'm downloading the malware via a link?

It appears we can still get infected even we have a software firewall installed as long as the hacker can find exploits on that software firewall. The true problem is it doesn't require any user interaction.

Is it better if I move, or copy (possibly infected) files via command line? Can I be sure I won't get infected during the process?

 

Hi,

Explanations:

Shell handlers, check out the PDF vulnerability thread and pay attention to Rmus' postsa (use the search function to find them).

Copy itself won't do anything. The question is, what else does Windows do in the background. Example, email preview. While you're not opening the email per se, the mail client is parsing the code in the email, effectively executing it, without you doing the actual open.

Another example is malicious PDF files + Acrobat Reader (vulnerable version). Again, check for threads talking about scanning and neutering these files. Do not use Acrobat Reader - this goes under alternative apps. Use cross-platform open-source solutions instead of the popular and populistic things and you'll remove 99% of vulnerabilities.

Use OpenOffice instead of MS Office, Pidgin instead of MSN or Yahoo IM, VLC instead of Windows Media player and so forth.

Hacker won't hack your firewall.

If your machine is infected and the malware is network aware, the attempts to infect other machines will be purely automated, simply sending of packets to possibly listening services and trying to exploit possible holes in them. That simple. Use even Windows firewall that does not permit LAN traffic and all is good.

This is why you never introduce untrusted things into trusted network.

Command line, you exclude Windows GUI shenanigans from the picture and avoid a million GUI related problems, including this or that shell handler, this or that image, animation, cursor problem and so forth. Just you and plain text.

Mrk

 

Yes, if autorun is enabled.

Yes, depending on where you extract the file to. For certain functions, Windows and some programs will by design automatically load files located in certain folders.

Depends on where you extract the files to. See above.

No.

Yes, some worms will automatically probe the LAN for vulnerable machines. Correctly-configured software firewalls on each LAN machine will stop the majority of these.

 

Let us sum it up.

1. No extension is safe. You may get infected by a PDF file, an image file, or whatever.
2. You may get infected even if you just select the file without actually running/executing it manually.
3. You may get infected if you just browse the folder which has the malware inside.
4. You may get infected even if you just copy/move the files without actually running/executing them manually.
5. You may get infected even if you just download the malicious file without actually running/executing it.
6. Plugging in any removable device is unsafe unless you completely turn off Autorun/Autoplay.
7. Your computer may still get infected without user intervention if the malware makes use of the exploits on your software firewall

I know select/cut/copy/paste itself is safe, but the environment, the GUI and the software which handles it may have exploitable bugs.

Does it mean there is really no way to prevent from infection if you try to handle some possibly infected files or drives?

I don't know how high or widespread the risk is, but we want to minimize it, as much as practically possible, since it exists.

Command-line only operation is interesting but it's much more difficult to do things in DOS only. You may not have the necessary knowledge to do it either.

I'm thinking about LiveCD. Will the chance of infection much lower if I boot the computer via LiveCD to handle the possibly infected drive or files?

 

Just in terms of % risk , this would be usefull to keep in mind ( all IMO )

One thing I would say is that actually executing a malware file is by far the most common means of infecting a PC.
so don't execute the maybebad.exe

The Adobe exploits are fairly specific,usually the infected file itself, only opens a internet connection to download the really damaging malware from the internet.

The other problems mentioned again would be quite rare.
I mentioned one which was only a POC , so its very unlikely its live malware looking at you.

Finally PC's have loads of glitchs ( as you know ). IMO Its more sensible to assume a glitch on your PC is a software or driver bug first , and then go down the anti-virus root.
I would isolate the PC in question first though.

I think best solution would be
1) take image of a PC.
2) install returnil on that PC
3) detact PC from any networks
4) connect PC to malware USB drive.

Its not 100% secure , but its a way forward .
Returnil will probably take care of everthing but If not you have the backup image.

 

I have a slightly different stance than you.

Sometimes a risk which was rare in the past can become common nowadays. Rootkit is one of them. It has become one of the serious common threat to Windows users now. There is a time gap between a hacker using the technique to infect computers and when the public realise the seriousness of the problem.

The majority of the malware is marked as "low risk" in the virus encyclopedia. You are going to encounter a few of the "low risk" malware some day although you are not going to meet so many of them.

I wouldn't lose sleep about them but I would become more alert and try to implement more security measures to prevent them, if at all feasible. I don't want to fall into the next victim.

Unfortunately the hacker won't name its malware some name like this.
It would be a nice image file or pdf file which the hacker lures you to open it. You don't suspect those files because you think they are perfectly safe.

There are over millions of malware existing now, and it keeps rising. It's very hard to know if the malware author has already used the same or similar technique present in the POC to infect people's. There are so many malware which don't have news coverage. Just like there are many accidents happening each day but only a small portion is reported by the media.

I did see a POC coming into real usage so I won't say we shouldn't care since it's still POC.

If you are interested this is the problem (explained in depth) that we are currently facing. The post is very long (you have been warned ).

Autorun was off before plugging in the USB drive.
File transfers to and from that USB drive caused HDD random crashes and BSOD. Either the USB drive or malware is at fault but the computers are acting really funny as if they get infected. Then how come we could get infected if what we did was plugged in and copy/move files?

 

My guess is that the files on the usb or the hard drive of the usb is severely corrupted.

Then when you copy files to a PC , the files on the PC are so corrupted that it causes BSOD.