Archive for the ‘Autorun’ Category

Undetected Autorun/Injector Variant on the Loose

Tuesday, June 2nd, 2009

A new variant of an Autorun worm is on the loose, probably created by another childish and angry ex-lover. The little multithreaded beast injects into Windows Explorer and attempts to communicate with one of several IRC servers at June.IRCdevils.net, June.helldark.biz, and June.a7aneek.net, using a “VirUS/Virus” username/password and a “VirUS-randstring” nick.

We noticed it this morning on multiple machines, and it seems to be spreading. The worm injects itself into the Windows Explorer shell, and from there attempts to modify multiple locations in the registry and to copy itself to removable drives such as USB sticks as SETUP\DATA\June.exe.
The accompanying autorun.inf file carries a long, taunting comment string:
;HEHhahahahehhehehahahahhehehehaha

It was packed with Armadillo, which likely made it harder for the AV vendors to detect — none detected it this morning, and this afternoon brings only one or two vendors declaring it “suspicious” since we uploaded it to VirusTotal for sharing. Be sure to add true client-side behavioral protection to your system, and as always, use caution when sharing USB sticks with others.

We are seeing it running on systems alongside FakeAV installers, including “System Security”, whose fake scare tactics blare “WARNING! 38 infections found!!!”. The two may be related; we are investigating.

The fake AV, of course, continues to nag the user with “System Security Firewall has blocked a program from accessing the internet” and pops a system tray balloon reading “System Security Warning Your PC is still infected with dangerous viruses”.

Bruce Schneier on Conficker

Monday, April 27th, 2009

At the RSA Conference in San Francisco, Bruce Schneier opined on the media sensation that Conficker became. According to Iain Thompson, Schneier said that “it was a classic example of how the mainstream news media misunderstood the threat from malware and used it to make news to the detriment of security…such cases may have helped vendors sell more security products but in some ways they made the situation worse, since people became inured to virus stories and this might lead them to ignore future warnings.” Here is a case where the old excuse “if it raises awareness, it must be a good thing” is wearing thin. At the same time, Conficker is in the wild, it is sophisticated code actively run by an experienced group, and it is more than just an enterprise issue. So let’s not completely ignore it, and continue to keep a level head about the threat.

This past week, the ThreatFire community stopped a slew of malicious Conficker code launched from autorun.inf files on users’ removable drives, via command lines like this one:
c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

These are consumer PCs, and these Conficker/Downadup attacks continue to be real USB-stick-based attacks on users’ systems. Please continue using a layered security approach: include a behavior-based solution for the times when you don’t patch immediately or there just isn’t a patch for a vulnerability, be sure to patch your system when patches/updates are released, and practice safe use of removable storage (network and USB-based).

Conficker autorun-based attacks made up a little less than 10% of the autorun-based attacks in April within the ThreatFire community. The other 90% of autorun-based malware continues to thrive by abusing misunderstood autorun features, like Virut, Almanahe or SillyFDC, Dizan or Texel (also called Sality), W32.Whybo, W32.Rajump and a variety of Autorun worms that are dropping password stealers and keyloggers on victim machines. While the family names provided by AV scanners are often inaccurate or provide little information about the functionality of what was stopped, they are worms and they are real threats. In real terms, these worms are every bit as impactful on a system as the active Conficker threat.
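As an added example (not ThreatFire code), here is a small autorun.inf triage script that parses the [autorun] section of a file pulled off a removable drive and flags the traits seen in the two posts above: the June.exe worm's SETUP\DATA launch entry and junk comment string, and the Conficker launcher that hands rundll32 a non-DLL file hidden under a RECYCLER SID-style folder. The sample .inf contents are constructed from the strings quoted on this page, not copies of the real files.

```python
import re

# Constructed autorun.inf samples modelled on the two posts above (not the
# real files): the June.exe worm's entry and the Conficker launch command.
JUNE_INF = r"""[autorun]
;HEHhahahahehhehehahahahhehehehaha
open=SETUP\DATA\June.exe
"""
CONFICKER_INF = r"""[AutoRun]
shellexecute=RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
"""

def parse_autorun(text):
    """Return ([autorun] key=value pairs, keys lowercased) and comment lines."""
    entries, comments, in_section = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif line.startswith(";"):
            comments.append(line[1:].strip())
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries, comments

def autorun_findings(text):
    """Flag the autorun.inf traits described in the posts above."""
    entries, comments = parse_autorun(text)
    findings = set()
    for key, cmd in entries.items():
        # Only keys that launch something: open, shellexecute, shell\<verb>\command.
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key not in ("open", "shellexecute") and not is_verb:
            continue
        if re.search(r"shellexec_rundll", cmd, re.I):
            findings.add("rundll32 ShellExec_RunDLL launcher")
        if re.search(r"recycler\\s-\d+(?:-\d+)+\\", cmd, re.I):
            findings.add("payload hidden under a RECYCLER SID-style folder")
        if re.search(r"(?:^|\\)setup\\data\\[^\\]+\.exe$", cmd, re.I):
            findings.add("executable launched from SETUP\\DATA")
        # rundll32 should be handed a DLL; anything else (.vmx here) is suspect.
        for target in re.findall(r"rundll32(?:\.exe)?\s+(\S+)", cmd, re.I):
            ext = target.split(",")[0].rsplit(".", 1)[-1].lower()
            if ext != "dll":
                findings.add(f"rundll32 loading a non-DLL file (.{ext})")
    # A long comment made only of h/a/e letters is the junk laughter string.
    if any(re.fullmatch(r"[hae]{16,}", c, re.I) for c in comments):
        findings.add("junk laughter string in comment")
    return sorted(findings)
```

The matching is case-insensitive on purpose, since the Conficker command line mixes case in RUNdLl32.ExE to slip past naive string checks.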