Archive for March, 2009

Renamed Notepad.exe Plagues Removable Drives

During the last couple of years we have seen malware authors increasingly incorporate the autorun.inf infection vector into malware families–with stunning success. In addition to traditional autorun worms that use this feature, pure-play backdoors, bots, password stealers, and even parasitic viruses that previously required a user to click on an executable file to infect the system have incorporated this technique. While the autorun functionality in operating systems does provide some convenience (it saves a couple of clicks), it has single-handedly revived the 1980s model of hand-carried malware propagation.

Two prolific parasitic virus families that have incorporated this infection vector are W32/Sality and W32/Virut. When a removable drive is inserted into an infected machine, the W32/Sality virus infects Microsoft Notepad or Minesweeper and copies it onto the removable drive. The infected notepad.exe or winmine.exe file is renamed with a random .pif or .scr extension and is accompanied with an obfuscated autorun.inf. Below you’ll see a code snippet and the accompanying autorun.inf file.

Code Snippet of W32/Sality

Accompanying Autorun.inf file

Even if the removable drive is cleaned of the virus infection, the randomly named Microsoft executable would still exist on the drive. Although benign, the leftover remnant would cause some degree of confusion about the origin of the file, especially since it is a renamed Microsoft file with a .pif or .scr extension!

The W32/Virut virus is also known to copy infected notepad.exe files to removable drives. Both these virus families are a royal pain in the posterior to clean. This technique provides a resourceful way for them to reinfect hosts even after cleanup.
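Cleaning a removable drive starts with reading what its autorun.inf actually points at. The following script is an added example, not code from the original post: it parses an autorun.inf that has been padded with junk lines (the kind of obfuscation described above), extracts every launch target (`open=`, `shellexecute=`, `shell\<verb>\command=`), and flags targets with an executable extension such as .pif or .scr. The sample autorun.inf, the file name `qkxrt.pif` and the helper names are all constructed for this demo and are not W32/Sality's real file.

```python
"""Parse an autorun.inf that may carry obfuscation (junk lines, mixed case,
odd spacing) and report which files it would launch from the drive root.
Added example, not code from the original post; the sample autorun.inf and
the file names are constructed for the demo and are not W32/Sality's payload."""
import re
from pathlib import Path

# Keys whose value is a program the autorun handler would execute.
LAUNCH_KEYS = ("open", "shellexecute")
# Extensions that have no business being an autorun target on a data drive.
SUSPICIOUS_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}

# Constructed autorun.inf: a valid [autorun] section padded with junk lines.
SAMPLE_AUTORUN = (
    "[AutoRun]\r\n"
    "\x03\x8a;k2j!!@@##\r\n"             # junk line, no key=value shape
    "OPEN = qkxrt.pif\r\n"
    "gfdsgfd=12345?\r\n"                 # junk key, not a launch key
    "shell\\open\\Command=qkxrt.pif\r\n"
    "shell\\explore\\command = qkxrt.pif\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    "action=Open folder to view files\r\n"
)

_LINE = re.compile(r"^\s*([A-Za-z\\]+)\s*=\s*(.+?)\s*$")


def parse_launch_targets(text: str) -> list[str]:
    """Return the distinct programs autorun.inf would run, in file order.
    Lines that are not key=value pairs are skipped, which defeats junk padding."""
    targets = []
    in_autorun = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_autorun = stripped.lower() == "[autorun]"
            continue
        if not in_autorun:
            continue
        m = _LINE.match(line)
        if not m:
            continue  # junk or malformed line
        key, value = m.group(1).lower(), m.group(2)
        # open=, shellexecute= and shell\<verb>\command= all name a program.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            prog = value.strip('"').split()[0] if value.strip() else ""  # drop arguments
            if prog and prog not in targets:
                targets.append(prog)
    return targets


def suspicious_targets(text: str) -> list[str]:
    """Launch targets with an executable extension: on a removable data drive
    this is the renamed-notepad pattern the post describes."""
    return [t for t in parse_launch_targets(text)
            if Path(t).suffix.lower() in SUSPICIOUS_EXTS]


def scan_drive_root(root: str) -> dict:
    """Inspect a mounted drive root: read autorun.inf if present and report
    which flagged targets actually exist beside it (assumes 'root' is a path)."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return {"autorun": False, "targets": [], "present": []}
    text = inf.read_bytes().decode("latin-1")  # survive junk bytes
    targets = suspicious_targets(text)
    present = [t for t in targets if (Path(root) / t).is_file()]
    return {"autorun": True, "targets": targets, "present": present}


if __name__ == "__main__":
    print(suspicious_targets(SAMPLE_AUTORUN))
```

Run `scan_drive_root` against the mount point of a suspect drive; a target that is flagged and present is the file to submit for analysis and remove, even after the infection itself has been cleaned.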

McAfee Monthly Spam Report for March

The third edition of our monthly spam report was released today. This edition discusses some fascinating topics. Key findings include:

Spam campaigns are taking advantage of “partitioning” to increase their effectiveness and combat the efforts of security tools to reduce their reach.

Replica-watch spam has taken over the number one position for holiday spam.

Business leaders and legislatures have promised to stamp out spam, yet the plague persists. Does reputation-based security hold the key?

Putting a dollar value on productivity lost due to spam.

The topic of lost productivity and bringing quantifiable numbers to the impact of spam on a business is particularly interesting and worth a solid read. Download a copy here.

Avert Passes Milestone: 20 Million Malware Samples

One month ago, my colleague Marius Van Oers posted a blog to announce that the number of drivers in our DATs had passed 500,000. Today McAfee reached another record: we received our twenty-millionth malware sample.

In about 22 years, from 1986 to March 2008, 10 million samples piled up in our collection. In just the last 12 months, however, from March 2008 to March 2009, this figure doubled. This pace represents 27,000 samples in a day, or 1,100 each hour.

These figures demonstrate that real-time response is more vital than ever. But it is not sufficient. Faced with such quantities, researchers have to innovate to create sophisticated heuristic detections. And a third need is a multidisciplinary response: research teams devoted to host intrusions, network intrusions, and ethical vulnerability disclosure also have to play an important part in this battle. As a global research team, McAfee Avert Labs is able to take up the challenge. I’ll just wish “good luck” to all my colleagues. :-)

Democrats.org Blog Spam Contributes to Google Search Poisoning

The other day I blogged about Google Trends being abused to serve malware. The attackers were not only targeting the most popular search terms, but also manipulating Google’s page rankings to appear high up on search results. Shortly thereafter it appeared that Google took action against that attack. Indeed, a Google spokesperson confirmed that idea.

Today, Brian Krebs blogged on a separate story, but mentioned that while searching for a related term (pifts.exe), Google returned a poisoned link high on the results list. After doing a little searching I discovered that the relevant term did seem to appear on Google’s top 100 search terms for a brief period. However, the other terms I checked on Google Trends did not yield high-ranked poisoned links as before. But I did come across a potential source for the page-rank manipulation aspect of these attacks: www.democrats.org, which is “Paid for by the Democratic National Committee,” and is linked to from www.barackobama.com.

It turns out that this high-ranking website has a community blog feature that allows anyone to create a blog and post whatever they want. Attackers have flooded this forum with bogus posts and thousands of links for more than a month.

Blog spam such as this is nothing new. However, this case highlights one significant effect of such spam and underlines the cause-and-effect relationship that governs security on the web.

Web searches are immensely useful and quite powerful.
Web 2.0, where a community of users contributes content for the betterment of the community can be a great thing.
But combined, a bad apple (or thousands) doesn’t just hurt the community; it can hurt a significant portion of the Web itself.

Safe Mode: A Misnomer

Windows offers the useful option of “Safe Mode” to recover from any damage caused by various malfunctions in the system. Booting in Safe Mode loads limited drivers and services that are required for the basic operation of the system, but avoids adding many extras that complicate the environment. In general, Safe Mode is very helpful in recovering the system from malware infections. However, malware can exploit this feature by loading in Safe Mode, thus creating great difficulties for users and administrators in recovering from these infections.

Safe Mode not safe

The services and drivers that load in Safe Mode are listed under the following registry key(s):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

If malware gains control of the system, it can add its entry under the above key(s) to load during a Safe Mode boot. This type of malware is difficult to remove manually; you’ll need an anti-virus product to detect and clean such malware.
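A practical way to spot the persistence described above is to compare the SafeBoot keys of a suspect machine against an export from a known-clean build. The script below is an added example, not code from the original post. It assumes both inputs are the text of `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot <file>` taken on a clean and on a suspect machine (decoded from the UTF-16 the tool writes); the two exports shown are constructed and abridged, and the suspect-only service name `xyzsvc` is made up for the demo.

```python
r"""Compare the SafeBoot\Minimal and SafeBoot\Network subkeys of two registry
exports and report entries that exist only on the suspect machine.
Added example, not code from the original post. Inputs are the text of
'reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot' from a clean
and from a suspect machine; both samples here are constructed and abridged."""
import re

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
_KEY_LINE = re.compile(re.escape(SAFEBOOT) + r"\\(Minimal|Network)\\([^\]]+)\]$", re.I)
_DEFAULT = re.compile(r'^@="(.*)"$')

# Constructed export from a known-clean machine (a real export is much longer).
CLEAN_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\Tcpip]
@="Service"
"""

# Constructed export from the suspect machine: the same keys plus one addition
# under each mode, which is exactly the persistence the post describes.
SUSPECT_REG = CLEAN_REG + """
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\xyzsvc]
@="Service"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\xyzsvc]
@="Service"
"""


def parse_safeboot(reg_text: str) -> dict[tuple[str, str], str]:
    """Map (mode, subkey name) -> default value for every SafeBoot entry in a
    .reg export. The default value is 'Service' or 'Driver' on a healthy key."""
    entries = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = _KEY_LINE.search(line)
            current = (m.group(1).capitalize(), m.group(2)) if m else None
            if current:
                entries[current] = ""  # key is present even without a default value
            continue
        m = _DEFAULT.match(line)
        if current and m:
            entries[current] = m.group(1)
    return entries


def safeboot_additions(clean_text: str, suspect_text: str) -> list[tuple[str, str, str]]:
    """Entries (mode, name, type) present on the suspect machine but absent from
    the clean baseline. Anything listed deserves a look before trusting Safe Mode."""
    clean = parse_safeboot(clean_text)
    suspect = parse_safeboot(suspect_text)
    return sorted((mode, name, suspect[(mode, name)])
                  for (mode, name) in suspect if (mode, name) not in clean)


if __name__ == "__main__":
    for mode, name, kind in safeboot_additions(CLEAN_REG, SUSPECT_REG):
        print(f"SafeBoot\\{mode}\\{name} ({kind}) is not in the clean baseline")
```

The baseline should come from the same Windows version and service pack as the suspect machine, since the legitimate SafeBoot list differs between builds; an entry that appears only on the suspect side is a candidate for the malware's service or driver name.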

Always practice “safe surfing,” which is the first step in keeping your computers clean, and keep your anti-virus signatures updated.

Democrats.org Cans the Spam

Last week I blogged about how the community forum of Democrats.org was being abused to help manipulate Google’s search results and lead people to malware. It appeared that by the end of last week, Democrats.org had begun the cleanup process of removing all the bogus posts, which seems to have been completed as of this time. Google’s cache shows that other popular sites were hit as well, including my.barackobama.com and Microsoft’s silverlight.net, which were cleaned up sometime before the end of last week.

In looking a little more at the spammed phrases, it appears as though there are likely multiple groups behind these attacks, perhaps with different agendas. Some of this is obvious from the formatting of the spam. The terms themselves also vary: some appear in a more dictionary-like style, others are more focused on current events, and others still are rather uncommon. The uncommon terms (including typos) lead me to speculate that at least some terms originated from compromised systems. There may be a circular nature to this, where unsuspecting victims become infected with one piece of malware, only to have their search terms harvested, analyzed, and subsequently used to entice other victims, but again this is speculation at this point.

Breaking News: Waledac Terror Attack in a City Near You

Users should always take care while surfing the Internet and reading mail, and today maybe more than usual: Another spam run from the Waledac botnet is on the loose, this time misusing the good reputation of the news agency Reuters. After the “President Inauguration,” “Valentine Scam,” and the “Economic Crisis,” this time the social-engineering trick is a “Terror Attack” in your city. Mails with subjects such as “Why did they explode bomb there?” or “Why did it happen in your city?” are being sent out by the botnet right now.

Again the bad guys are using geolocation services to better target their audience. As described in my earlier blog, they are taking the city name of the user visiting the fake website and inserting this name into the website itself. So the “breaking news” gets even more attention, because when an attack happens in your home town, everyone would be anxious and curious, right? The screenshot below is an example of what a user from New York would see; other users would see the same message but with their local city being “attacked”:

The website claims that a “dirty bomb” exploded in the user’s city and that at least 12 people have been killed. A video from Reuters is presented but “You need the latest Flash player to view video content. Click here to download.” It’s another example of the time-worn missing-codec trick. The needed “update” named main.exe or save.exe is in fact the real malware.

The fast-fluxing website also includes a malicious IFRAME that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection.

The Waledac/Storm authors try to keep their botnet running and always craft new social-engineering tricks to fool unsuspecting users into following their lure. As always, the best advice is to not click links in spam mails. And the malicious IFRAME pointing to a drive-by infection is another good reminder that “curiosity killed the cat.”

Malware Again Attacks Ichitaro Word Processor

For years, the Japanese word processor Ichitaro has been attacked by malware authors exploiting flaws in the application. So it is no surprise that in the last week we discovered in the wild specially crafted Ichitaro document files exploiting a new vulnerability.

This time, the crafted file (detected as the Exploit-TaroDrop.g Trojan) drops and runs the Generic Dropper Trojan, which is responsible for dropping the BackDoor-DNW Trojan. The latter attempts to connect to “lightsut.com:80” and opens a backdoor to give attackers remote access to compromised machines. McAfee proactively detects Generic Dropper, which prevents users from being infected with BackDoor-DNW even with an unpatched copy of Ichitaro.

Detection alert of Japanese McAfee VirusScan Enterprise

The patch for this vulnerability has already been published by JustSystem. Ichitaro users should apply the update as soon as possible.

McAfee Debuts ‘Combating Threats’ Series

McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

UPDATE MARCH 17th

Apologies for the busted links yesterday. All seem to be resolving fine now.

Patch Those Internet Printers

When I wrote a scanner plug-in this week for an old directory traversal vulnerability–CVE-2008-4419–I wondered whether there are vulnerable HP LaserJet printers online that can be controlled from the Internet. To find out, I used Google. The search listed almost 50 results, and I found that almost all of these printers are not patched, even though HP has provided firmware updates to resolve this vulnerability. An attacker could leverage this Unicode-encoded directory traversal vulnerability to read configuration files or cached documents, and gain read access from the Internet to important internal information.
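Until a device is patched and firewalled, its access log is the place to find out whether anyone has already tried this class of request. The script below is an added example, not code from the original post or from HP: it normalizes request paths from common-log-format lines (repeated percent-decoding plus the overlong two-byte UTF-8 forms of “.” and “\” that strict decoders reject) and reports requests that resolve to a `..` traversal. The log lines, client addresses and `/device/...` paths are constructed placeholders, not a real printer's URLs.

```python
"""Flag HTTP requests whose path resolves to a directory traversal after
percent-decoding, including overlong two-byte UTF-8 encodings of '.' and '\\'.
Added example, not code from the original post: a log-review check for the
class of Unicode-encoded traversal the post mentions. The log lines below are
constructed in common-log format and the device paths are placeholders."""
import re
from urllib.parse import unquote_to_bytes

# Constructed log lines (not from any real device). Line 2 uses %c0%ae, an
# overlong encoding of '.', line 3 plain %2e%2e, line 4 double encoding;
# lines 1 and 5 are ordinary requests that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2009:10:01:02 +0000] "GET /device/status HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2009:10:01:05 +0000] "GET /device/%c0%ae%c0%ae/%c0%ae%c0%ae/placeholder.cfg HTTP/1.1" 200 2048
198.51.100.9 - - [12/Mar/2009:10:02:11 +0000] "GET /device/%2e%2e/%2e%2e/placeholder.cfg HTTP/1.1" 200 99
198.51.100.9 - - [12/Mar/2009:10:02:30 +0000] "GET /device/%252e%252e/%252e%252e/placeholder.cfg HTTP/1.1" 404 0
192.0.2.44 - - [12/Mar/2009:10:03:00 +0000] "GET /device/jobs/list?page=2 HTTP/1.1" 200 1300
"""

_REQ = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/')


def decode_overlong(raw: bytes) -> str:
    """Decode bytes to text, mapping overlong 2-byte sequences (lead byte
    0xC0/0xC1) to the ASCII character they encode. Other non-ASCII bytes
    become U+FFFD, which is enough for traversal detection."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out)


def normalize_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding) with overlong
    handling, then fold backslashes to slashes so segments compare uniformly."""
    current = path
    for _ in range(rounds):
        decoded = decode_overlong(unquote_to_bytes(current))
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True if any path segment is '..' after normalization."""
    return any(seg == ".." for seg in normalize_path(path).split("/"))


def traversal_hits(log_text: str) -> list[tuple[str, str]]:
    """(client, raw request path) for each logged request that is a traversal."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.match(line)
        if m and is_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for client, path in traversal_hits(SAMPLE_LOG):
        print(f"{client} requested traversal: {path}")
```

The decoding runs before the `..` comparison rather than matching raw strings, because a pattern match on the literal `../` misses every encoded variant; a web proxy or WAF in front of the device should apply the same normalization.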

Administrators usually ignore the security of printer devices. They may think there is no harm even if the printer can be controlled remotely by an attacker.

The administration web interface of these LaserJets can be accessed without passwords. The attacker can use these LaserJets to print any documents from anywhere. Although attackers may not be able to reach the printouts, at least they can waste a lot of paper. Spammers can also post free advertising to companies if they connect to these printers. ;)

So please harden your network gateway or firewall to restrict access to these devices. Don’t give everyone on the Internet a chance to use your printer, and patch the vulnerable LaserJets to prevent the potential information disclosure.

To download the HP firmware updates and upgrade instructions, click here.