Windows AutoRun malware spreading, experts warn

Anti-virus firms puzzled since Windows 7 and Windows 8 PCs will not launch autorun.inf files

Antivirus vendors are warning customers of spreading malware that can infect computers through a well-known bug in the Windows AutoRun software used to automatically launch programs on a DVD or USB device.

The significant increase in infection is curious because Windows 7 and Windows 8 PCs will not launch autorun.inf files, and Microsoft has released two patches for older systems. Therefore, security experts believe infections are happening through a combination of unpatched computers, shared folders and files and social media.

Someone inserting a USB drive or memory stick carrying the malware can infect unpatched PCs. On other systems, an infection can occur once the malware travels to a network share and someone clicks on an infected file or folder. Trend Micro reported that malware was also spreading on Facebook.

Other vendors tracking the malware include McAfee, Symantec and Sophos. While it is interesting that cybercriminals are still exploiting a four-year-old AutoRun bug, Sophos says most corporate PCs are being infected through network sharing.

Clicking the malware on Facebook would certainly open a quick path to a shared folder on a corporate network, said Chester Wisniewski, a senior security adviser for Sophos.

"I would say the AutoRun part of it is probably not the source of the majority of infections," Wisniewski said on Friday. "It's just an interesting note that [criminals] are still using it. I think spreading through the file shares is probably the primary vector to get people in trouble."

Microsoft released an AutoRun patch in 2009, a month after the US Computer Emergency Readiness Team (US-CERT) issued a warning that Windows 2000, XP and Server 2003 did not properly disable the feature. Microsoft had patched AutoRun a year earlier in Vista and Windows Server 2008.

The infamous Stuxnet malware created an autorun.inf file to infect computers via USB drives. Stuxnet, created jointly in 2009 by the US and Israel, according to The New York Times, damaged Iranian nuclear facilities.

The latest malware disguises itself as files and folders in writeable network shares and removable devices, while hiding the originals. The application will also create .exe files named "porn" and "sexy" and a folder called "passwords," to entice people to click on them, Sophos said.

The malware adds a registry key, so it can start when a PC is booted up. Variants of the application will disable Windows Update to prevent the victim from downloading patches to disable the malware.

Once a PC is infected, the application follows the typical procedure for such malicious software. It contacts a command-and-control server for instructions and to receive other applications. The malware downloaded includes Trojans in the Zeus/Zbot family, which steal online banking credentials, Sophos said.

To combat the malware, security experts recommend disabling AutoRun on all Windows operating systems and restricting write permissions to file shares. Depending on the AV vendor, the malware has several names, including W32/VBNA-X, W32/Autorun.worm.aaeb, W32.ChangeUp and WORM_VOBFUS.
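For administrators who want to audit a writable share or removable drive for the traits Sophos describes above, the following is an added example, not code from the article or from any vendor. The function names, finding labels and the "executable named after a hidden sibling" heuristic are assumptions made for illustration; the lure names are the ones quoted in the article.

```python
import os
import stat
from pathlib import Path

LURE_EXE_STEMS = {"porn", "sexy"}   # .exe names reported in the article
LURE_DIR_NAMES = {"passwords"}      # folder name reported in the article


def is_hidden(path: Path) -> bool:
    """True if the Windows 'hidden' attribute is set (always False elsewhere)."""
    try:
        attrs = getattr(path.stat(), "st_file_attributes", 0)
    except OSError:          # unreadable entry or broken link: treat as visible
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_share(root, hidden=is_hidden):
    """Return sorted (reason, relative_path) findings for a share or drive root."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # Lower-cased names of hidden entries in this directory; hidden files
        # are recorded both with and without their extension.
        hidden_names = {d.lower() for d in dirnames if hidden(here / d)}
        for f in filenames:
            if hidden(here / f):
                hidden_names |= {f.lower(), Path(f).stem.lower()}
        for d in dirnames:
            if d.lower() in LURE_DIR_NAMES:
                findings.append(("lure-folder", str((here / d).relative_to(root))))
        for f in filenames:
            rel = str((here / f).relative_to(root))
            name = f.lower()
            if name == "autorun.inf":
                findings.append(("autorun-inf", rel))
            if not name.endswith(".exe"):
                continue
            stem = Path(name).stem
            if stem in LURE_EXE_STEMS:
                findings.append(("lure-exe", rel))
            # Heuristic (assumption): a visible .exe named after a hidden
            # sibling matches "disguise as the original, hide the original".
            if stem in hidden_names and not hidden(here / f):
                findings.append(("masquerade-exe", rel))
    return sorted(findings)
```

Findings are triage leads rather than verdicts: a legitimate installer can ship an autorun.inf, so each hit should be confirmed with an up-to-date antivirus scan.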

The latest outbreak arrives about a year and a half after Microsoft reported big declines in AutoRun infection rates. In the first five months of 2011, the number of AutoRun-related malware detected by Microsoft fell 59% on XP computers and 74% on Vista PCs, compared with 2010.
