Changeup Worm Growing

Friday, December 7, 2012 @ 05:12 PM gHale

A worm that spreads the banking Trojan Zeus and other malware via removable media, such as USB sticks, or file-sharing programs is growing.

In a six-day period between Nov. 23 and last Wednesday, detections of the worm Changeup rose from around 8,000 cases to more than 14,000, Symantec researchers said.

The worm – which goes by a number of other names, including “AutoRun,” coined by McAfee – is capable of infecting machines that run older Windows operating systems with AutoRun enabled by default. AutoRun is a Windows feature that allows files or programs to launch as soon as a removable media device, such as a USB stick or CD-ROM, is inserted into a computer.

In February 2011, Microsoft released updates designed to disable AutoRun for users of Windows XP, 2003 and Vista. Conficker, a worm discovered in 2008 that exploits a vulnerability in the Windows Server service, ran rampant for years by attempting to abuse the AutoRun feature, along with other Windows vulnerabilities. Conficker, which had an impact on millions of machines worldwide, remains one of the top threats affecting users, mostly on machines that users have not patched.

Liam O Murchu, manager of operations at Symantec Security Response, said victims can spot Changeup on their machines because the worm copies itself onto user profile directories using executable files named “secret,” “porn,” “sexy” and “password.” But the malware is harder to detect on removable devices, like memory sticks, he said.

“When it copies itself onto a USB or removable drive, it will copy itself to the same name as legitimate folders, and use that icon,” O Murchu said. “Then it will set the machine to hide the legitimate folder or file. It’s definitely using camouflage tricks. It’s not using any advanced techniques, but they can still be very effective for people who are not aware of them.”
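A defensive check for the camouflage described above, as an added example that is not from Symantec or the original article: it flags visible executables on a drive whose name matches a hidden folder or file, and executables using the lure names the article lists. The extension list, the function names and the sample listing are assumptions made for illustration.

```python
import os
import stat

# Extensions treated as executable (assumption; the article says only "executable files").
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
# Lure names the article reports for copies in user profile directories.
LURE_NAMES = {"secret", "porn", "sexy", "password"}

def find_suspects(entries):
    """entries: list of (name, is_dir, is_hidden). Returns [(name, reason), ...]."""
    hidden = set()
    for name, is_dir, is_hidden in entries:
        if is_hidden:
            hidden.add(name.lower())
            if not is_dir:  # a hidden file can be shadowed with or without its extension
                hidden.add(os.path.splitext(name)[0].lower())
    suspects = []
    for name, is_dir, is_hidden in entries:
        stem, ext = os.path.splitext(name.lower())
        # Only visible executables are of interest: the decoy is what the user sees.
        if is_dir or is_hidden or ext not in EXEC_EXTS:
            continue
        if stem in hidden:
            suspects.append((name, "shadows hidden item"))
        elif stem in LURE_NAMES:
            suspects.append((name, "lure name"))
    return suspects

def list_entries(root):
    """Build the entry list from a real directory (hidden attribute is Windows-only)."""
    out = []
    for e in os.scandir(root):
        attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
        hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
        out.append((e.name, e.is_dir(follow_symlinks=False), hidden))
    return out

# Constructed sample listing of a removable drive root, not real telemetry.
SAMPLE = [
    ("Photos", True, True), ("Photos.exe", False, False),
    ("Invoices", True, False), ("budget.xls", False, True),
    ("budget.exe", False, False), ("setup.exe", False, False),
    ("password.exe", False, False),
]

if __name__ == "__main__":
    for name, reason in find_suspects(SAMPLE):
        print(f"{name}: {reason}")
```

On a Windows host, `find_suspects(list_entries("E:\\"))` applies the same check to a mounted drive; the drive letter is a placeholder.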

Chester Wisniewski, a senior security adviser at Sophos, found the malicious code delivered with Changeup varied depending on the location and time of infection.

“The instances we investigated downloaded banking Trojans belonging to the Zeus/Zbot family, but can frequently change based on time of day or geographic location,” Wisniewski said.

In addition to disabling AutoRun, researchers advise users to run up-to-date versions of Windows to avoid infection.
