Sophos and TrendMicro, and anumber of other security firms, are reporting a dramatic increase in the prevalence of a worm using AutoRun and social engineering to proliferate.
If you thought Microsoft solved the AutoRun problem, you aren’t alone. They tried to shut it down after it was famously and cleverly used to spread earlier variants of the Stuxnet worm that targeted the industrial control systems that controlled centrifuges at Iran’s Natanz nuclear enrichment facility. However, as we continue to move further and further from that date, and we continue to see the word AutoRun popping up in headlines, it is increasingly becoming one of those network security nuisances that just won’t go away.
Part of the problem here, according to Sophos, is that users still aren’t very good about patching their machines. It’s the same, simple old problem that never seems to change. Despite the fact that Microsoft shipped a patch to disable AutoRun nearly two years ago, some users still haven’t gotten around to implementing it. So the worm is spreading, in large part, through autorun.inf files loaded onto removeable media and writeable network shared.
As for those who have Windows 8, on which AutoRun was never a feature, or those who did implement the patch to disable it, TrendMicro claims that WORM_VOBFUS (or W32/VBNA-X, as Sophos calls it) is propagating using another old social engineering trick: sex.
They claim that variants of the worm are spreading around Facebook using filenames like ‘sexy.exe’ and ‘porn.exe’ to ensnare its victims.
While Sophos doesn’t touch on the Facebook angle, its explanation for how the worm is spreading in a world mostly rid of AutoRun almost identical to TrendMicro’s. Despite PC’s ignoring autorun.inf files picked up on removable media or from some other infection method, the worm creates a number of seemingly benign looking but ultimately malicious folders and merely waits for some unwitting user to click them.
Once the infection takes place, according to Sophos, the malware performs all the usual operations. It phones home to its command and control server, receives instructions for downloading further payloads, and then, at least in the case that Sophos looked at, downloads a banking trojan from the Zeus family, and tries to steal its victim’s money in one way or the other.