My next class:

Conficker's autorun and social engineering

Published: 2009-01-15. Last Updated: 2009-01-15 08:38:46 UTC
by Bojan Zdrnja (Version: 2)
1 comment(s)

We wrote several diaries about Conficker (or Downadup, depending on the AV tool you are using). F-Secure posted some interesting information about the number of infections which is almost certainly in millions (and who knows how many machines will stay infected as the owners will not even notice anything).

One of the reasons for infecting so many machines is that Conficker uses multiple infection vectors:

  1. It exploits the MS08-067 vulnerability,
  2. It brute forces Administrator passwords on local networks and spreads through ADMIN$ shares and finally
  3. It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.

F-Secure also blogged about the autorun.inf file where they noticed that it contained a lot of garbage (about 60 kb of random binary data). This fooled some AV programs so they didn't scan the device properly (otherwise, they would have picked up the referenced DLL also stored on the device).

After removing garbage, one can see a nice autorun.inf file containing all important keywords. This grabbed my attention:

[Autorun]

Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
Shellexecute=.\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

This is a typical autorun.inf file created by Conficker. The social engineering trick comes from the first two keywords (Action and Icon). When you put this in a Vista machine with default settings, an Autoplay window will pop up asking you what to do, as shown below:

Conficker's autoplay on Vista

So, as you can see, the first part, "Install or run program" is there because Vista detected an autorun.inf file containing the shellexecute keyword. However, the text comes from the Action keyword and the icon is extracted from shell32.dll (the 4th icon in the file) - and it's the standard folder icon!

This can easily fool a user in clicking this one and thinking it will open the USB stick in Windows Explorer instead of the second (the real one). The first option will run Conficker, of course.

Very smart. For administrators among you, I would suggest that you disable AutoPlay in your environments, unless it's really necessary. Depending on the environment you might even completely disable USB, if you don't need it. The following article explain nicely how the AutoPlay feature works and how to disable it (http://technet.microsoft.com/en-us/magazine/2008.01.securitywatch.aspx). Or check this article on the Autorun registry key (http://support.microsoft.com/kb/953252).

UPDATE

- fixed a typo in the vulnerability, it is MS08-067 (not MS08-068)
- Nick Brown sent a URL to his blog where he described another method for disabling Autorun by modifying the IniFileMapping registry key, see more at http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html

--
Bojan

1 comment(s)
My next class:

Comments

Hello

This is a very interesintg site (although I miss an index)

Last week I just was in a cybercafe where Conficker has copied itself on my USB Stick. As I have Autorun turned completely off it could not infect my PC.

But when I try to delete Autorun.inf and jwgkvsq.vmx this is not possible.

Windows XP does not even show the security tab for files on removalbe drives.
Windows7 shows that the worm has set the ACL permissions to "Everyone"="Read". Bit Write and Delete are not allowed.

I tried to set "Full Access" permission with cacls but cacls also shows me an "Access denied" error.

Can you recommend a tool that resets the ACLs of a file so I can delete these files?

My USB stick is NTFS formatted.
The same cybercafe computer also infected my memory card of my digital camera. But there the files where easy to delete because it is FAT formatted.

Elmü

Diary Archives