Tuesday, July 24, 2007

Is it that easy to write desktop worms?

Some days ago, a friend of mine wanted a few documents from me. So I plugged his pen-drive into the USB slot. As the next obvious step, I opened the drive. And strange things started happening on my computer.


First of all, I saw an executable file whose icon looked like that of a normal directory. Its name was MicrosoftPowerPoint.exe. Note that I noticed the extension because, luckily, I keep the 'Hide extensions for known file types' option off. Another reason I noticed it was that I had the 'Show all files' and 'Show system files' options on.


Next, I saw an alert with some strange text on it. This was clearly a sign that my computer was infected with some evil code. I quickly opened the pen-drive in Explorer and noticed an Autorun.inf file! This was the root cause of the whole problem.

It contained the following lines:

open=MicrosoftPowerPoint.exe
shellexecute=MicrosoftPowerPoint.exe
shell\Auto\command=MicrosoftPowerPoint.exe


Clearly, as soon as you or the system opened the drive, the executable ran silently and did its work. When I deleted the inf file and the exe file from the drive, they reappeared. Clearly a sign of something resident in memory.
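As an added example (not code from this post or from the worm it describes), here is a small Python audit that parses an autorun.inf the way a defender would when triaging a suspicious drive: it reads the directives, flags the ones that cause a program to run (open, shellexecute, shell\verb\command, and the default-verb shell= key), and lists the program files they point at so they can be hashed or quarantined. The sample contents are constructed: one mirrors the three lines quoted above, the other is a harmless icon-and-label file for comparison.

```python
"""Audit an autorun.inf for directives that launch a program.

Added example for this post, not the author's or the worm's code. Sample
contents are constructed: SAMPLE_MALICIOUS mirrors the three directives
quoted from the infected pen-drive; SAMPLE_BENIGN is a harmless icon file.
"""
import re
import sys
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    key: str       # directive, lower-cased
    target: str    # program (or verb) the directive points at
    reason: str    # why a defender should care


# Directives that run a program when the drive is opened or double-clicked.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command defines a context-menu verb that runs a program;
# together with shell=<verb> it becomes the default double-click action.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Extensions that Windows executes directly.
EXECUTABLE_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

# Constructed sample: the three directives quoted in the post.
SAMPLE_MALICIOUS = """\
open=MicrosoftPowerPoint.exe
shellexecute=MicrosoftPowerPoint.exe
shell\\Auto\\command=MicrosoftPowerPoint.exe
"""

# Constructed sample: a legitimate autorun.inf that only sets icon and label.
SAMPLE_BENIGN = """\
[autorun]
icon=backup.ico
label=Holiday photos
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key -> value for the [autorun] section, keys lower-cased.

    The shell matches keys case-insensitively, so 'Open' and 'open' are the
    same directive. A file with no section header (as quoted in the post)
    is still parsed, because that is exactly the file a defender wants to see.
    """
    entries: Dict[str, str] = {}
    section = "autorun"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def first_token(value: str) -> str:
    """The program part of a directive value: a quoted path or the first word."""
    value = value.strip()
    if value.startswith('"'):             # "path with spaces.exe" /args
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def audit_autorun(text: str) -> List[Finding]:
    """Flag every directive that would run a program, with its target."""
    findings: List[Finding] = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS:
            findings.append(Finding(key, first_token(value),
                                    "runs a program when the drive is opened"))
        elif SHELL_COMMAND_RE.match(key):
            findings.append(Finding(key, first_token(value),
                                    "adds a shell verb that runs a program"))
        elif key == "shell":
            findings.append(Finding(key, value,
                                    "changes the default double-click verb"))
    return findings


def executable_targets(text: str) -> List[str]:
    """Distinct program files the autorun.inf points at (for hashing/quarantine)."""
    seen: List[str] = []
    for finding in audit_autorun(text):
        if finding.target.lower().endswith(EXECUTABLE_EXTS) and finding.target not in seen:
            seen.append(finding.target)
    return seen


if __name__ == "__main__":
    # Usage: python autorun_audit.py [path to autorun.inf]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MALICIOUS
    for finding in audit_autorun(text):
        print(f"{finding.key:24} -> {finding.target:28} {finding.reason}")
    print("programs referenced:", executable_targets(text) or "none")
```

Run against the malicious sample it reports all three directives pointing at MicrosoftPowerPoint.exe; against the benign sample it reports nothing, which is the distinction that matters when deciding whether a drive is safe to keep plugged in.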

Fortunately (?), the alert popped up again, and thus I was able to locate the exact process that was carrying out the whole operation. It was svchost. Under normal circumstances, you see multiple instances of it in Task Manager. What was different about this one, though, was that it ran with the user shown as my user name. I quickly killed the process and deleted the two evil files on the pen drive.


As I had suspected, on rebooting my computer the alerts appeared again. After looking at the registry, I figured out that the worm had created a start-up entry on the system. It had copied itself to c:\heap41a.


On searching the internet for heap41a, I found the whole description of the worm.


Lessons learnt:

  1. Pen drives are dangerous!
  2. Never log in as a privileged user when plugging in such devices.
  3. Never trust your antivirus (I have the free edition of AVG, fully updated).
  4. Inf files are 'BAD'.
  5. Propagating such worms is as easy as spreading ajax worms (? Any thoughts)

Luckily, the worm did not do anything evil, I suppose. But you may not get so lucky.

3 comments:

Jordan said...

FYI -- standard USB drives don't autorun:

http://www.microsoft.com/whdc/device/storage/usbfaq.mspx

The only ones that do are ones marked (in hardware) as CD-ROMs and fixed-disk drives.

So the only time this can happen is if someone has either purchased a special piece of hardware that is designed for this sort of task, or they've hacked a U3 drive to be able to do it for them.

http://www.u3.com/

I'd be /really/ curious if someone actually wrote a worm that was able to detect and reprogram U3 drives since from the last time I looked they were updated differently, and there was no vector to automatically infect all of them.

In other words, the more likely explanation is the USB drive your friend had was specially prepared as a "gift" for you and not a result of a random USB-infecting virus. :-)

Autorun is always a good idea to turn off regardless.

The /really/ dangerous version of this attack would come as a USB device that provides its own drivers built-in (which Windows will happily install). I haven't seen it done yet, just discussed, and it would require some know-how and custom hardware. Still, would be pretty cool. To defend against /that/ threat, you'd need to restrict via GPO or some other mechanism (there are commercial products that do this) what devices are loaded on the USB bus.

Kishor said...

Hi Jordan, thanks for the info.

This friend of mine does not know much about computers. I guess his drive must have been infected in an automated way.

But it looks like an interesting area worth exploring.

fedek6 said...

Create a write-protected autorun.inf on your pendrive; that won't mess with Windows' autorun ability but will disable autorun worms for sure. Gr33tz.