New Autorun Worms Spiking

Friday, June 14, 2013 @ 02:06 PM gHale


There is a big hike in the volume of autorun malware hitting some countries because of some new worms infecting older machines, researchers said.

The autorun issue became a moot point a few years ago when Microsoft made a change to newer versions of Windows that disables the autorun functionality, but there are still a lot of older Windows XP systems out there, still chugging along, that have the function enabled. Autorun worms, which jump directly from removable media such as USB drives as soon as they are connected to a PC, can cause major trouble, spreading quickly through a network.


The two new worms the researchers found are Worm.JS.AutoRun and Worm.Java.AutoRun, both of which take advantage of the autorun functionality to spread; the JavaScript worm has other methods of propagation as well.

Researchers at Kaspersky Lab said the volume of autorun worms has remained relatively constant over the last few months, but there was a major spike in those numbers in April and May, thanks to the distribution of the two new pieces of malware.

“These two worms have three key features in common: Heavy obfuscation, backdoor-type essential payloads, and similar methods of propagation. Both worms spread by copying themselves and the configuration file autorun.inf into the root folders of logical volumes of removable storage media and network disks,” Konstantin Markov of Kaspersky Lab wrote on securelist. “If these infected storages are opened on other computers, the infection can spread. Having infected the operating system and established a foothold on the victim computer, the malicious programs deploy their principal payload.”
https://www.securelist.com/en/blog/8107/AutoRun_Reloaded

The Java-based worm only spreads through the autorun functionality and comprises four individual components, each with different jobs. Once the worm is on a new PC, it extracts a DLL from its code and then copies itself to the temporary user folder. It also copies the Java executable from %ProgramFiles% to the same folder. The worm then spawns a process and injects a library into it that enables it to spread to available network shares.

The JavaScript worm employs the same autorun infection method as its Java-based cousin, but it also has the ability to spread through FTP, shared folders, file-sharing sites and CDs and DVDs. The JavaScript malware has the ability to tell whether it’s running in a virtual machine and also can find and terminate anti-malware applications on an infected machine.
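The defender's side of the autorun.inf drop both worms share (copying themselves plus an autorun.inf into the root of removable and network volumes, as quoted from Securelist above), as an added example that is not code from the article or from Kaspersky: it parses an autorun.inf, flags launch directives that point at executables or scripts, and checks a list of volume roots. The sample autorun.inf, the extension list and any root paths are constructed assumptions, not indicators from the article.

```python
import configparser
import ntpath
import os

# [autorun] directives that run a file when the volume is inserted or opened, and the
# launcher/script types a dropper is likely to use (.js and .jar match the two worms above).
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}
RISKY_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".jar"}

# Constructed sample modelled on the kind of drop the article describes; not a real indicator.
SAMPLE_WORM_INF = """[AutoRun]
open=wscript.exe //e:jscript update.js
shellexecute="RECYCLER\\setup.jar"
action=Open folder to view files
"""

def parse_autorun(text):
    """Return the [autorun] section (any case) as a lowercase-key dict; {} if absent or unparseable."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for name in cp.sections():
        if name.lower() == "autorun":
            return {k.lower(): (v or "") for k, v in cp.items(name)}
    return {}

def suspicious_directives(section):
    """Return (directive, token) pairs where a launch directive names a risky file type."""
    hits = []
    for key, value in section.items():
        if key in LAUNCH_KEYS:
            # Split program and arguments; quotes are dropped so a quoted path still ends in its extension.
            for tok in value.replace('"', " ").split():
                if ntpath.splitext(tok)[1].lower() in RISKY_EXT:
                    hits.append((key, tok))
    return hits

def scan_roots(roots):
    """Map each volume root (e.g. 'E:\\' or a UNC share path) carrying a risky autorun.inf to its hits."""
    findings = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                hits = suspicious_directives(parse_autorun(fh.read()))
            if hits:
                findings[root] = hits
    return findings
```

Run `scan_roots` over the mounted volume roots of a host (or a file share) to list any autorun.inf that would launch a program; a benign autorun.inf that only sets `icon` or `label` produces no hit.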

Both worms are mainly spreading in Southeast Asia right now.
