Worm Elevates Detection Techniques

Wednesday, February 20, 2013 @ 04:02 PM gHale

A virtual-machine-aware AutoRun worm that uses obfuscation and polymorphism to evade detection, and that spreads to removable media and mounted network shares, is evolving and extending its reach, security researchers said.

Researchers at McAfee report a spike in samples of the year-old malware family, called W32/Autorun.worm.aaeb-h, which is written in Visual Basic 6.


The family reaches machines through drive-by downloads or spam and, at first glance, looks like any other thumb-drive-infecting AutoRun worm.

In reality, W32/Autorun.worm.aaeb-h is considerably more sophisticated than most known members of the family. Its authors have raised their game in this version by encrypting every important string with one, and in some cases two, passes of the RC4 stream cipher under a randomly generated key. Earlier variants stored much of their code in plain text, McAfee’s Sanchit Karve said.
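What "one or two rounds of RC4 under a random key" means for an analyst, as an added example that is not McAfee's code or the worm's own routine: RC4 is implemented here from its public KSA/PRGA description, and the string table, keys and plaintexts are constructed so the script runs offline. The point it demonstrates is that a key stored beside the ciphertext defeats `strings` but not a decryptor, and that a second RC4 pass only adds anything if it uses a different key.

```python
"""Recovering RC4-encrypted strings of the kind described above (added example)."""
from __future__ import annotations

import os


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XORed over data; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA)
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_string(plaintext: bytes, keys: list[bytes]) -> bytes:
    """One RC4 pass per key, in order: one key models a single round, two keys a double round."""
    data = plaintext
    for key in keys:
        data = rc4(key, data)
    return data


def decrypt_string(ciphertext: bytes, keys: list[bytes]) -> bytes:
    """Undo the passes in reverse order; each pass is its own inverse under its key."""
    data = ciphertext
    for key in reversed(keys):
        data = rc4(key, data)
    return data


def build_string_table(plaintexts, key_sets):
    """Constructed stand-in for an encrypted string table. The keys sit next to each
    ciphertext, as they must in any binary that decrypts its own strings at runtime."""
    return [(encrypt_string(p, keys), keys) for p, keys in zip(plaintexts, key_sets)]


def recover_strings(table) -> list[bytes]:
    """What a string-decryption script does once the keys are located in the sample."""
    return [decrypt_string(ct, keys) for ct, keys in table]


def same_key_twice_is_identity(key: bytes, plaintext: bytes) -> bool:
    """Caveat to check in any 'two rounds of RC4' sample: the same key twice cancels out."""
    return rc4(key, rc4(key, plaintext)) == plaintext


# Constructed sample: strings named on the page, each under fresh random keys.
SAMPLE_STRINGS = [b"autorun.inf", b"secret.exe", b"passwords.exe"]
SAMPLE_KEY_SETS = [[os.urandom(16)], [os.urandom(16), os.urandom(16)], [os.urandom(16)]]

if __name__ == "__main__":
    for ct, keys in build_string_table(SAMPLE_STRINGS, SAMPLE_KEY_SETS):
        print(f"{len(keys)} round(s): {ct.hex()} -> {decrypt_string(ct, keys)!r}")
    print("same key twice leaves plaintext:", same_key_twice_is_identity(b"k", b"secret.exe"))
```

Run it as-is to see the round trip; in a real sample the work is finding where the key and ciphertext live, not the cipher itself. The `rc4` routine is checked against the standard published test vector (key `Key`, plaintext `Plaintext`).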

Initial infection requires that the user either run the malicious file directly or browse into a folder holding the files. Once a machine is compromised, the malware writes an “autorun.inf” file so that it executes automatically on any AutoRun-enabled machine the infected media reaches. Researchers have also seen the worm copy itself into ZIP and RAR archives and download additional software from its command-and-control server.

The worm also marks existing directories on affected drives as hidden and copies itself under each hidden directory’s name, so that a user who opens what looks like the folder runs the worm instead. It further copies itself as “secret.exe,” “sexy.exe,” “porn.exe,” and “passwords.exe,” among other apparently alluring names, which McAfee says is an attempt to trick new users into running the executables.
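A way to check a drive root for the propagation indicators just described (an autorun.inf that launches something, an executable named after a hidden folder, and the lure filenames), as an added example that is not McAfee’s tooling. The listing is modelled as `Entry` records so the scan runs on a constructed sample without a real USB stick; `listing_from_drive()` builds the same records from a mounted drive. The `EXEC_EXT` set and the dot-prefix “hidden” fallback on non-Windows hosts are assumptions of this example.

```python
"""Scanning a removable drive for the AutoRun-worm indicators above (added example)."""
from __future__ import annotations

import configparser
import os
import stat
from dataclasses import dataclass
from pathlib import Path

# Lure filenames reported on the page (compared case-insensitively).
LURE_NAMES = {"secret.exe", "sexy.exe", "porn.exe", "passwords.exe"}
# Assumption: extensions Explorer launches on double-click.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    hidden: bool
    data: bytes = b""  # file contents; only read for autorun.inf


def parse_autorun(data: bytes) -> dict[str, str]:
    """Return the [autorun] keys that launch a program (open / shellexecute)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(data.decode("utf-8", "replace"))
    except configparser.Error:
        return {}
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k: v for k, v in cp.items(section) if k in ("open", "shellexecute")}


def scan_listing(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for one directory level."""
    findings: list[tuple[str, str]] = []
    hidden_dirs = {e.name.lower() for e in entries if e.is_dir and e.hidden}
    for e in entries:
        if e.is_dir:
            continue
        lower = e.name.lower()
        if lower == "autorun.inf":
            # autorun.inf is legitimate on install media; the launch target is what matters.
            launch = parse_autorun(e.data)
            detail = ", ".join(f"{k}={v}" for k, v in sorted(launch.items())) or "no launch key"
            findings.append(("autorun", detail))
            continue
        stem, ext = os.path.splitext(lower)
        if ext in EXEC_EXT and stem in hidden_dirs:
            findings.append(("folder-mimic", e.name))  # executable posing as the hidden folder
        if lower in LURE_NAMES:
            findings.append(("lure-name", e.name))
    return findings


def listing_from_drive(root: Path) -> list[Entry]:
    """Build Entry records from a real drive root (one level, where the worm drops files)."""
    entries = []
    with os.scandir(root) as it:
        for d in it:
            st = d.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or d.name.startswith(".")
            data = b""
            if d.is_file(follow_symlinks=False) and d.name.lower() == "autorun.inf":
                data = Path(d.path).read_bytes()[:4096]
            entries.append(Entry(d.name, d.is_dir(follow_symlinks=False), hidden, data))
    return entries


# Constructed listing of an infected stick: the "Photos" folder has been hidden and
# "Photos.exe" dropped beside it, plus one lure file and one benign document.
SAMPLE_DRIVE = [
    Entry("autorun.inf", False, True, b"[AutoRun]\r\nopen=Photos.exe\r\nicon=Photos.exe,0\r\n"),
    Entry("Photos", True, True),
    Entry("Photos.exe", False, False),
    Entry("passwords.exe", False, False),
    Entry("report.docx", False, False),
]

if __name__ == "__main__":
    import sys

    entries = listing_from_drive(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DRIVE
    for indicator, detail in scan_listing(entries):
        print(f"{indicator:13} {detail}")
```

Pass a drive root (for example `E:\`) as the first argument to scan real media; with no argument it runs over the constructed sample. The folder-mimic check is the one worth keeping even when AutoRun is disabled, since that trick relies on the user, not on AutoRun.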

Whoever is behind the worm packages it alongside VB6 projects so that it passes for legitimate software. Most of the payload files themselves belong to the Zbot and BackDoor malware families.

