Autorun malware used to be kind of a big deal around here. Worms that jump directly from removable media such as USB drives as soon as they are connected to a PC can cause some major trouble, spreading quickly through a network. Microsoft made a change to newer versions of Windows that disables the autorun functionality, cutting off this infection vector, but there are still a lot of older Windows XP systems out there that have the function enabled. Researchers have recently seen a major increase in the volume of autorun malware in some countries, thanks to a couple of new worms infecting those older machines.
The two new worms, Worm.JS.AutoRun and Worm.Java.AutoRun, both take advantage of the autorun functionality to spread, and the JavaScript worm has other methods of propagation, as well. Researchers at Kaspersky Lab say that the volume of autorun worms has remained relatively constant over the last few months, but there was a major spike in those numbers in April and May, thanks to the distribution of the two new pieces of malware.
“These two worms have three key features in common: heavy obfuscation, backdoor-type essential payloads, and similar methods of propagation. Both worms spread by copying themselves and the configuration file autorun.inf into the root folders of logical volumes of removable storage media and network disks. If these infected storages are opened on other computers, the infection can spread. Having infected the operating system and established a foothold on the victim computer, the malicious programs deploy their principal payload,” Konstantin Markov of Kaspersky Lab wrote in an analysis of the new worms.
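The propagation step described in that quote rests entirely on Windows honouring an autorun.inf dropped in a volume's root. The following is an added example, not Kaspersky's analysis code and not anything from the worms themselves: a small Python checker that reads an autorun.inf, extracts the directives that cause Windows to launch a program (open, shellexecute, and shell\verb\command), and flags any that point at an executable or script. The two inf texts embedded in it are constructed samples; the `RECYCLER\update.exe` path in the second one is a made-up placeholder, not an indicator from the article.

```python
"""Flag autorun.inf files whose directives launch a program.

Added example for this article (not Kaspersky's or the worms' code).
The two autorun.inf texts at the bottom are constructed samples.
"""
import os
import re
from dataclasses import dataclass, field

# [autorun] keys that make Windows start a program on insertion/open.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=<program> also runs a program when the verb is chosen.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# File types an autorun worm typically points these directives at.
CODE_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs",
             ".js", ".jse", ".wsf", ".hta", ".jar")


@dataclass
class AutorunReport:
    launch_targets: list = field(default_factory=list)  # (key, value) pairs
    suspicious: bool = False
    reasons: list = field(default_factory=list)


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Windows reads these files leniently (case-insensitive keys, whitespace
    around '='), so normalise the same way instead of using configparser.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(value):
    """Program path from a directive value, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def assess_autorun(text):
    """Classify one autorun.inf body; suspicious if any directive runs code."""
    report = AutorunReport()
    entries = parse_autorun(text)
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            report.launch_targets.append((key, value))
            target = first_token(value)
            if target.lower().endswith(CODE_EXTS):
                report.suspicious = True
                report.reasons.append(f"{key} launches {target}")
    if entries.get("shell") and report.launch_targets:
        # A custom default verb plus a command means double-click runs it too.
        report.reasons.append("shell= sets a default verb for a launch directive")
    return report


def scan_volume_roots(roots):
    """Check autorun.inf in each given root directory (e.g. mounted volumes)."""
    results = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, "r", encoding="latin-1", errors="ignore") as fh:
                results[root] = assess_autorun(fh.read())
    return results


# Constructed samples: a harmless label/icon file and a worm-style one.
BENIGN_INF = "[autorun]\nicon=setup.exe,0\nlabel=Holiday photos\n"
WORM_INF = (
    "[AutoRun]\n"
    "; constructed sample, placeholder path\n"
    'OPEN = "RECYCLER\\update.exe" /s\n'
    "Shell\\Open\\Command=RECYCLER\\update.exe\n"
    "shell=open\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
)

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("worm-style", WORM_INF)):
        r = assess_autorun(inf)
        print(name, "suspicious" if r.suspicious else "clean", r.reasons)
```

In use, `scan_volume_roots` would be pointed at the mount points of removable drives and mapped network shares, the two locations the quote names; the icon and label keys in the benign sample are exactly what a legitimate autorun.inf normally carries and are deliberately not treated as a launch.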
The Java-based worm only spreads through the autorun functionality and comprises four individual components, each with different jobs. Once the worm is on a new PC, it extracts a DLL from its code and then copies itself to the temporary user folder. It also copies the Java executable from %ProgramFiles% to the same folder. The worm then spawns a process and injects a library into it that enables it to spread to available network shares.
“As well as these quirks, this worm also uses strong obfuscation. Here a packer is used in conjunction with Zelix KlassMaster obfuscation. Also, as mentioned above, the worm is polymorphic. This makes it more difficult for antivirus solutions to detect,” Markov said.
The JavaScript worm employs the same autorun infection method as its Java-based cousin, but it also has the ability to spread through FTP, shared folders, file-sharing sites, and CDs and DVDs. The JavaScript malware can tell whether it's running in a virtual machine and can also find and terminate anti-malware applications on an infected machine.
“The malware receives commands via a file downloaded from the command center. These instructions are mostly about collecting information from the infected system. In particular, cybercriminals want the worm to gather information about the system, the user and the installed software,” Markov said. “Like Worm.Java.AutoRun, this sample is well-encrypted and can change its form in different infections.”
Both worms are mainly spreading in Southeast Asia right now.