SANS Internet Storm Center (SANS ISC) diary
Conficker's autorun and social engineering

We have written several diaries about Conficker (or Downadup, depending on which AV tool you are using). F-Secure has posted some interesting figures on the number of infections, which is almost certainly in the millions (and who knows how many machines will stay infected, since their owners will not notice anything).

One reason it has infected so many machines is that Conficker uses multiple infection vectors:

  1. It exploits the MS08-067 vulnerability (the Server service RPC flaw),
  2. It tries a list of weak Administrator passwords on the local network and spreads through ADMIN$ shares, and finally
  3. It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.

F-Secure also blogged about the autorun.inf file, where they noticed that it contained a lot of garbage (about 60 KB of random binary data). This fooled some AV programs into not scanning the device properly (otherwise they would have picked up the referenced DLL, which is also stored on the device).

Once the garbage is removed, what is left is a tidy autorun.inf containing all the important keywords. This is what grabbed my attention:

[Autorun]

Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
Shellexecute=.\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

This is a typical autorun.inf file created by Conficker. The social engineering trick comes from the first two keywords (Action and Icon). When you plug such a device into a Vista machine with default settings, an AutoPlay window pops up asking you what to do, as shown below:

[Screenshot: the AutoPlay dialog Vista shows for a Conficker-infected USB stick]

So, as you can see, the first entry, "Install or run program", is there because Vista detected an autorun.inf file containing the Shellexecute keyword. However, the text shown under it comes from the Action keyword, and the icon is pulled out of shell32.dll (icon index 4 in that file), which is the standard folder icon!

This can easily fool a user into clicking the first entry, thinking it will open the USB stick in Windows Explorer, instead of the second entry, which is the real one. The first option runs Conficker, of course.
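To show how little an AutoPlay consumer actually needs from such a file, and how the padding trick and the folder-impersonation trick can be spotted mechanically, here is an added example (not code from the diary, from F-Secure or from any AV product). It reads an autorun.inf the way Windows' tolerant INI parsing does (case-insensitive keys, only the [autorun] section, unrecognised lines ignored), strips binary padding, and then explains the social-engineering indicators. The sample file is constructed from the four lines quoted above; where the junk bytes sit relative to the real lines is an assumption, and the triage heuristics are mine.

```python
"""Parse and triage a Conficker-style autorun.inf (added example, see lead-in)."""
import re
from typing import Dict, List

# Keys Windows honours inside [autorun]; anything else is ignored by AutoPlay,
# so from its point of view it is padding.
AUTORUN_KEYS = ("open", "shellexecute", "action", "icon", "label", "useautoplay")

# Text AutoPlay itself uses for the built-in "browse this drive" choice.
FOLDER_ACTION_TEXTS = {"open folder to view files"}

# Extensions Windows would normally treat as runnable; anything else behind
# Open=/ShellExecute= is an executable hiding under an innocent extension.
RUNNABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".dll"}

SECTION_RE = re.compile(r"(?i)\[[ \t]*autorun[ \t]*\]")
KEY_RE = re.compile(
    r"(?i)(?<![a-z0-9])(" + "|".join(AUTORUN_KEYS) + r")[ \t]*=[ \t]*([^\r\n]*)"
)

# --- constructed sample: the diary's lines interleaved with binary junk -----
JUNK = bytes(range(256)) * 8  # stand-in for the ~60 KB of random bytes
SAMPLE_CONFICKER = (
    JUNK + b"[Autorun]\r\n" + JUNK
    + b"Action=Open folder to view files\r\n" + JUNK
    + b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n" + JUNK
    + b"Shellexecute=.\\RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665"
      b"\\jwgkvsq.vmx,ahaezedrn\r\n" + JUNK
)
# A plain vendor-CD style file for comparison (also constructed).
SAMPLE_BENIGN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe\r\nlabel=Product CD\r\n"


def strip_junk(raw: bytes) -> str:
    """Keep printable ASCII and line structure; every other byte becomes a line
    break so padding cannot glue itself onto a real key=value line."""
    return "".join(
        chr(b) if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) else "\n" for b in raw
    )


def junk_ratio(raw: bytes) -> float:
    """Fraction of bytes that are neither printable ASCII nor tab/CR/LF."""
    junk = sum(1 for b in raw if not (0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)))
    return junk / len(raw) if raw else 0.0


def parse_autorun(raw: bytes) -> Dict[str, str]:
    """Return the [autorun] keys Windows would see (lower-cased, first wins)."""
    text = strip_junk(raw)
    sec = SECTION_RE.search(text)
    if not sec:
        return {}
    body = text[sec.end():]
    nxt = re.search(r"(?m)^[ \t]*\[", body)  # next INI section, if any
    if nxt:
        body = body[: nxt.start()]
    keys: Dict[str, str] = {}
    for k, v in KEY_RE.findall(body):
        keys.setdefault(k.lower(), v.strip())  # INI APIs take the first occurrence
    return keys


def triage(raw: bytes) -> List[str]:
    """List the reasons an autorun.inf matches the Conficker social-engineering pattern."""
    keys = parse_autorun(raw)
    findings: List[str] = []
    if junk_ratio(raw) > 0.10:
        findings.append("file is mostly binary padding; a real autorun.inf is a few text lines")
    target = keys.get("shellexecute") or keys.get("open")
    if not target:
        return findings  # nothing would be launched, so the rest is moot
    if keys.get("action", "").lower() in FOLDER_ACTION_TEXTS:
        findings.append("Action= copies Windows' own 'Open folder to view files' label")
    if "shell32.dll" in keys.get("icon", "").lower():
        findings.append("Icon= borrows a system icon from shell32.dll so the entry looks like a folder")
    if re.search(r"(?i)[\\/](recycler|recycled|\$recycle\.bin)[\\/]", target):
        findings.append("launch target is hidden in the drive's recycle-bin directory")
    path, _, export = target.partition(",")
    ext = re.search(r"\.[a-z0-9]+$", path.strip().lower())
    if ext and ext.group() not in RUNNABLE_EXT:
        findings.append(f"launch target has a non-executable extension ({ext.group()})")
    if export:
        findings.append("target uses the rundll32 'path,export' form: a renamed DLL plus an entry point")
    return findings


if __name__ == "__main__":
    for name, data in (("conficker", SAMPLE_CONFICKER), ("benign", SAMPLE_BENIGN)):
        print(name, parse_autorun(data))
        for f in triage(data):
            print("  -", f)
```

Run the script as is to see both samples triaged; point `triage()` at the bytes of an autorun.inf pulled off a suspect stick to use it for real. The important design point is that the parser never trusts line structure: the junk is converted into line breaks first, then keys are matched by name, which is roughly the tolerance the Windows INI routines show and the reason the padding fooled scanners but not AutoPlay.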

Very smart. For the administrators among you, I would suggest disabling AutoPlay in your environments unless it is really necessary. Depending on the environment you might even disable USB storage completely if you do not need it. The following article explains nicely how the AutoPlay feature works and how to disable it (http://technet.microsoft.com/en-us/magazine/2008.01.securitywatch.aspx). Or check this Microsoft article on the Autorun registry key (http://support.microsoft.com/kb/953252), which also covers the update older systems need before the NoDriveTypeAutoRun value is enforced correctly.

--
Bojan (ISC Handler)
Hello

This is a very interesting site (although I miss an index).

Last week I was in a cybercafe where Conficker copied itself onto my USB stick. As I have Autorun turned off completely, it could not infect my PC.

But when I try to delete Autorun.inf and jwgkvsq.vmx, this is not possible.

Windows XP does not even show the Security tab for files on removable drives.
Windows 7 shows that the worm has set the ACL permissions to "Everyone"="Read". The Write and Delete bits are not allowed.

I tried to set "Full Access" permission with cacls, but cacls also gives me an "Access denied" error.

Can you recommend a tool that resets the ACLs of a file so I can delete these files?

My USB stick is NTFS formatted.
The same cybercafe computer also infected the memory card of my digital camera. But there the files were easy to delete because it is FAT formatted.

Elmü