Increased activity of malicious code spreading using removable devices
IN08-007
Date: 22 December 2008
Purpose
The purpose of this Information Note is to draw attention to the increased prevalence of malicious code that employs USB removable devices in order to spread. The note will also provide mitigation information to reduce the exposure to this potential threat.
Assessment
This information note contains technical details and internet domains relating to malware. The scanning, probing, or internet searching for this information may result in malware infection of local networks and systems and should not be undertaken.
Background
Recently, considerable attention has been drawn to malicious code spreading via removable devices such as USB flash drives. Increased public reports of infection have prompted US-CERT to send a warning to its constituents. According to the press, some organizations, such as the U.S. Department of Defense, have temporarily banned the use of removable devices such as USB flash drives and CDs.
CCIRC is not aware of any significant increase in malicious code spreading via USB flash drives within Canadian critical infrastructure sectors. However, vigilance and proper proactive measures are required in order to reduce exposure to the potential threat.

Threat Analysis
The Autorun feature was created by Microsoft as a convenient feature for removable media to automatically start a program upon insertion. This feature is enabled by default in some versions of the Windows Operating System and may be used with all removable media such as CDs, DVDs and USB memory sticks. The feature depends on a file named Autorun.inf which is stored on the removable device's root directory and read by the Autorun feature upon connecting the device to the computer. This file provides information such as icons, contextual menus and programs (stored in the removable media root directory) to be run. This feature poses a serious security risk because it allows malicious code to spread with very little interaction from the end user.
When activated, this malicious code has the ability to immediately infect newly attached removable devices by installing hooks in the operating system. Removable media devices are then infected by creating a special Autorun.inf file and copying the malicious code on it. When the infected removable media devices are inserted into other Windows-based systems with the Autorun feature enabled, the malicious code is silently executed.
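As an added example (not part of the advisory), the following Python triage script reads an Autorun.inf taken from a removable medium and reports which directives would make Windows launch a program on insertion; the sample file content and the name update.exe are constructed for illustration.

```python
import re
from typing import Dict, List

# Directives that make Windows launch a program from the removable medium.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section, case-folded.
    Like Windows, tolerate blank lines, ';' comments and stray junk lines."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def triage_autorun(text: str) -> Dict[str, List[str]]:
    """Summarise what an Autorun.inf would make Windows do on insertion."""
    entries = parse_autorun(text)
    launch_items = [(k, v) for k, v in entries.items()
                    if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]
    launches = [f"{k}={v}" for k, v in launch_items]
    notes: List[str] = []
    if "icon" in entries and "shell32.dll" in entries["icon"].lower():
        notes.append("icon taken from shell32.dll (drive shown like an ordinary folder)")
    # Several verbs pointing at one target means every double-click or
    # context-menu choice runs the same program: a common worm pattern.
    targets = {v.lower() for _, v in launch_items}
    if len(launches) > 1 and len(targets) == 1:
        notes.append("all launch verbs point at one executable")
    return {"launches": launches, "notes": notes}

# Constructed sample for this example, not a file from the advisory.
SAMPLE_INF = """[autorun]
;junk lines are ignored by Windows and by this parser
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
open=update.exe
shell\\open\\command=update.exe
shell\\explore\\command=update.exe
"""
```

Run triage_autorun on the contents of an autorun.inf found at a drive's root; a non-empty "launches" list on a medium that should only carry data is the symptom mentioned later in this note.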
Typically, the malicious code makes some system changes in order to survive a computer restart. One analyzed sample made the following changes to a system:
* A piece of code is injected in the Explorer.exe process.
* The following registry keys and values were created to allow the malware to re-activate after a reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}
    default = "Java.Runtime.52"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}\InprocServer32
    default = %SYSTEM%\[Random Named DLL File]
    ThreadingModel = "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StrtdCfg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    UpdateCheck = {8F147B28-EF39-44A0-B6EC-3CC6F2F08794}
* The following files are installed on the host:
%SYSTEM%\[A DLL File with a Randomly generated Name]
%SYSTEM%\mswmpdat.tlb
%SYSTEM%\winview.ocx
Once infected, the system hosting the malicious code usually connects to the Internet in order to reach a malicious code controller service that may provide additional malicious code to install or specific instructions to follow.
Various domain names can be used for this purpose. However, the following domain was often used with USB-based malicious code:
hxxp://worldnews.ath.cx/update/[removed]
Symptoms of an infection include outbound traffic to unusual domains and the presence of an autorun.inf file on removable media.

Recommendations
Although many instances of USB-based malicious code are currently detected by most anti-virus products, reliance on detection capabilities alone is not a sound mitigation strategy.
CCIRC recommends that organizations evaluate and implement the following actions:
1. Disable AUTORUN on all systems.
CCIRC tested several solutions for disabling the ability to process Autorun.inf files on removable media. The results of these tests can be found in TR08-004 - Disabling Autorun:
http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx
Two solutions were found effective at preventing the launch of programs specified in the Autorun.inf file:
* CERT/CC's "Sys:DoesNotExist"
* Microsoft TechNet article (KB953252)
However, only the "Sys:DoesNotExist" solution prevented Windows from reading the Autorun.inf file. Microsoft's solution still lets Windows read parts of the Autorun.inf file such as the folder icon specifications.
Therefore, CCIRC recommends using the CERT/CC "Sys:DoesNotExist" solution because the Autorun.inf file is not read at all.
CERT/CC "Sys:DoesNotExist" solution
http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html
Microsoft TechNet article (KB953252)
http://support.microsoft.com/kb/953252
2. Regularly scan all systems and removable media with an antivirus product.
3. Block access to the URL hxxp://worldnews.ath.cx at the perimeter gateway, preferably using an application layer filtering device (such as a proxy).
4. Review proxy or content filtering system logs for connection attempts to hxxp://worldnews.ath.cx. Any computer accessing this URL should be investigated.
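An added example, not part of the advisory, of the log review in recommendation 4: Python that scans Squid-style proxy access log lines (constructed here) for connection attempts to worldnews.ath.cx, matching on the parsed host rather than the literal string so that ports, subdomains and CONNECT tunnels are caught while look-alike domains are not.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Domain from the advisory; the hxxp:// in the note is a defanged http://.
WATCHED_HOST = "worldnews.ath.cx"

# Constructed Squid native-format access.log lines for this example:
# timestamp elapsed client action/code size method URL user hierarchy type
SAMPLE_LOG = """\
1229932800.123    245 10.0.0.15 TCP_MISS/200 1832 GET http://worldnews.ath.cx/update/cfg.txt - DIRECT/203.0.113.9 text/plain
1229932801.456     12 10.0.0.22 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1229932802.789    301 10.0.0.15 TCP_MISS/503 0 GET http://worldnews.ath.cx:8080/update/ - DIRECT/203.0.113.9 -
1229932803.001     88 10.0.0.40 TCP_MISS/200 900 GET http://worldnews.ath.cx.example.org/ - DIRECT/198.51.100.7 text/html
1229932804.002     97 10.0.0.51 TCP_DENIED/403 0 CONNECT worldnews.ath.cx:443 - NONE/- -
"""

def host_of(url_field: str) -> str:
    """Extract the host from a proxy URL field (full URL or CONNECT host:port)."""
    if "://" not in url_field:
        url_field = "//" + url_field        # bare host:port as logged for CONNECT
    return (urlsplit(url_field).hostname or "").lower()

def matches_watch(host: str, watched: str = WATCHED_HOST) -> bool:
    """True for the watched domain or any subdomain of it, not for look-alikes."""
    return host == watched or host.endswith("." + watched)

def review_log(log_text: str) -> Dict[str, List[str]]:
    """Map each client IP that tried to reach the watched domain to its URLs.
    Blocked (TCP_DENIED) attempts count too: the client is still infected."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        if matches_watch(host_of(url)):
            hits.setdefault(client, []).append(url)
    return hits
```

Each client returned by review_log is a host to investigate under recommendation 4; the look-alike domain in the fourth sample line is deliberately not reported.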

References
http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html
http://support.microsoft.com/kb/953252
http://www.us-cert.gov/current/archive/2008/11/20/archive.html#malicious_code_spreading_through_usb
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) operates within Public Safety Canada, and works with partners inside and outside Canada to mitigate cyber threats to vital networks outside the federal government. These include systems that keep Canada's critical infrastructure functioning properly, such as the electrical grid and financial networks, or contain valuable commercial information that underpins our economic prosperity. CCIRC supports the owners and operators of systems of national importance, including critical infrastructure, and is responsible for coordinating the national response to any serious cyber security incident.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca