Worm Tries AutoRun, Then Social Engineering to Infect
Contributed by: Email on 12/01/2012 02:53 PM
[
Comments
]
Sophos and TrendMicro, and a number of other security firms, are reporting a dramatic increase in the prevalence of a worm using AutoRun and social engineering to proliferate.
If you thought Microsoft solved the AutoRun problem, you arent alone. They tried to shut it down after it was famously and cleverly used to spread earlier variants of the Stuxnet worm that targeted the industrial control systems that controlled centrifuges at Irans Natanz nuclear enrichment facility. However, as we continue to move further and further from that date, and we continue to see the word AutoRun popping up in headlines, it is increasingly becoming one of those network security nuisances that just wont go away.
Part of the problem here, according to Sophos, is that users still arent very good about patching their machines. Its the same, simple old problem that never seems to change. Despite the fact that Microsoft shipped a patch to disable AutoRun nearly two years ago, some users still havent gotten around to implementing it. So the worm is spreading, in large part, through autorun.inf files loaded onto removeable media and writeable network shared.
As for those who have Windows 8, on which AutoRun was never a feature, or those who did implement the patch to disable it, TrendMicro claims that WORM_VOBFUS (or W32/VBNA-X, as Sophos calls it) is propagating using another old social engineering trick: sex.
They claim that variants of the worm are spreading around Facebook using filenames like sexy.exe and porn.exe to ensnare its victims.
While Sophos doesnt touch on the Facebook angle, its explanation for how the worm is spreading in a world mostly rid of AutoRun almost identical to TrendMicros. Despite PCs ignoring autorun.inf files picked up on removable media or from some other infection method, the worm creates a number of seemingly benign looking but ultimately malicious folders and merely waits for some unwitting user to click them.
Once the infection takes place, according to Sophos, the malware performs all the usual operations. It phones home to its command and control server, receives instructions for downloading further payloads, and then, at least in the case that Sophos looked at, downloads a banking trojan from the Zeus family, and tries to steal its victims money in one way or the other.
If you thought Microsoft solved the AutoRun problem, you arent alone. They tried to shut it down after it was famously and cleverly used to spread earlier variants of the Stuxnet worm that targeted the industrial control systems that controlled centrifuges at Irans Natanz nuclear enrichment facility. However, as we continue to move further and further from that date, and we continue to see the word AutoRun popping up in headlines, it is increasingly becoming one of those network security nuisances that just wont go away.
Part of the problem here, according to Sophos, is that users still arent very good about patching their machines. Its the same, simple old problem that never seems to change. Despite the fact that Microsoft shipped a patch to disable AutoRun nearly two years ago, some users still havent gotten around to implementing it. So the worm is spreading, in large part, through autorun.inf files loaded onto removeable media and writeable network shared.
As for those who have Windows 8, on which AutoRun was never a feature, or those who did implement the patch to disable it, TrendMicro claims that WORM_VOBFUS (or W32/VBNA-X, as Sophos calls it) is propagating using another old social engineering trick: sex.
They claim that variants of the worm are spreading around Facebook using filenames like sexy.exe and porn.exe to ensnare its victims.
While Sophos doesnt touch on the Facebook angle, its explanation for how the worm is spreading in a world mostly rid of AutoRun almost identical to TrendMicros. Despite PCs ignoring autorun.inf files picked up on removable media or from some other infection method, the worm creates a number of seemingly benign looking but ultimately malicious folders and merely waits for some unwitting user to click them.
Once the infection takes place, according to Sophos, the malware performs all the usual operations. It phones home to its command and control server, receives instructions for downloading further payloads, and then, at least in the case that Sophos looked at, downloads a banking trojan from the Zeus family, and tries to steal its victims money in one way or the other.
Comments
