Hackers going Back to the Future

dominic_cook

It’s interesting to see the growing threat of malicious software being distributed and spread through removable devices. Just as hackers and malware writers of the late 80s and early 90s once used simple executable files on floppy disks to spread their wares, so too they now reuse those old malicious code techniques, adapted for removable USB devices, to spread malware from one unsuspecting user to the next.

The Symantec Internet Security Threat Report showed that 65% of malicious code in EMEA is now spreading via shared executable files, up a third from the previous year. The reason? Removable media. These files are a propagation vector that malware uses to copy itself onto removable media, and the popularity and increased use of USB-based media such as memory sticks has resulted in a resurgence of this historically successful method of distribution.

Back in the late 80s and early 90s, malicious code spread from computer to computer through the sharing of executable files on exchanged floppy disks. The goals of the bad guys were different back then, and focused mainly on disruption and proof of concept. What hasn’t changed, however, is the use of human nature to spread the malware: sharing files and information on removable media is easy and fast, so many people did it. When electronic file transfer became popular (and better than floppy disks), the use of removable media as a malware vector dropped.

Now that USB keys are widely used, the bad guys have reclaimed the spreading technique but with a more profitable goal in mind: seeking personal information in order to make money on the Underground Economy.

The relatively large capacity of many portable USB devices may result in malicious code going largely unnoticed, whilst the autorun functionality on these devices is an attractive mechanism for attackers because it can allow malicious code to be launched without direct user interaction. Some malicious code is designed to automatically create copies of itself when removable storage devices are connected to the infected computer. When an unknowing user removes the infected device and connects it to another computer, the worm then automatically copies itself to the newly attached computer.

Some of the most common high-profile worms use this mechanism, including four of the top malicious code samples in the EMEA region: Mabezat, SillyFDC, Sality, and Gammima. These worms could, respectively, encrypt and infect files, download additional threats, remove security software or steal online gaming accounts.  

To limit the propagation of threats like these, it’s important to ensure your computer is set up to scan every removable device for viruses when it is connected, while disabling autorun denies the device any chance to launch code by itself. Take a moment to think twice about the innocent little memory stick you’ve been handed by a friend or colleague, or you could end up sharing a lot more than files!
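As an added example that is not part of the original post, here is a small Python check a defender could run against an autorun.inf copied off a removable device: it parses the file tolerantly and lists every directive that would make Windows launch a program on insertion. The sample autorun.inf and the file names in it are constructed for the demonstration.

```python
"""Flag launch directives in an autorun.inf found on removable media."""
import re

# Directives in [autorun] that make Windows run a program on insertion.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun_inf(text):
    """Tolerant INI parse: returns {section: {key: value}} with names lowercased.
    Lines without '=' are skipped, since some worms pad the file with junk."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # drop whitespace and any BOM
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text):
    """Return [(key, target)] for every directive that would run code."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    return [(key, value) for key, value in autorun.items()
            if key in LAUNCH_KEYS or SHELL_CMD.match(key)]


# Constructed sample resembling a worm-dropped autorun.inf (not a real sample).
SAMPLE = """\
[AutoRun]
xZ{kq junk line without an equals sign
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command=RECYCLER\\setup.exe
action=Open folder to view files
"""

if __name__ == "__main__":
    for key, target in launch_directives(SAMPLE):
        print(f"would launch: {key} -> {target}")
```

An autorun.inf that only sets `icon` or `label` produces no findings, so the check separates a legitimately branded drive from one that wants to execute something.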

Emma Jeffs
