- In 2005 USB drives became popular and malware started using them to propagate.
- Even three years after malware started actively using this method to infect customers, Microsoft refused to accept the reality of the problem and continued offering AutoRun enabled by default in the Windows OS’s. However in 2008 Microsoft added an option for disabling AutoRun via policies or manual registry entries. However the workaround provided did not work. Even when disabled users were still open to attack from the AutoRun infection vector.
- In July 2008 Microsoft published MS08-038 which “fixed the broken fix” but this was only available via Windows Update for Windows Vista and Windows 2008. Instead of patching XP users as well, it kept the problem unsolved in what some might consider a business strategy to sell more Vista licenses.
- Towards the end of 2008 Conficker showed up taking advantage of the AutoRun feature in a never seen before manner. It created an autorun.inf file whose content looked like garbage yet was fully functional. All the Microsoft recommended workarounds to date via NoDriveTypeAutorun policies continued to be useless against malware exploits.
- In early 2009 and due to Conficker’s success Microsoft corrected a bug (CVE-2009-0243) which fixed portions of the previous problem and which was pushed out automatically to all Windows XP users. Amazingly it wasn’t considered a “security patch” and does not have an associated Microsoft Bulletin. In addition the patch modified the behaviour of AutoRun and after applying it created a new registry entry which was required to be manually configured correctly. Effectively AutoRun continued being a problem for the vast majority of users.
- In mid 2009 there seems to be some light at the end of the tunnel and Microsoft decides to improve the security of AutoRun in writeable removable media by preventing the AutoPlay dialog window in USB drives. However this is only included by default under Windows 7. Windows XP users, still the most widely used platform by far, had to manually download and install KB971029. This move was effectively useless from the point of protecting XP users from malware infection. Again some might consider this move a business-driven decision to “keep security low in XP in order to drive sales of the more secure Windows 7″.
- In July 2010 Stuxnet shocks the world. It is able to propagate via USB drives without requiring an autorun.inf file and using a zero-day vulnerability in .LNK files which allows for code execution even with AutoRun and AutoPlay disabled, which Microsoft promptly patches.
- Finally in February 2011 Microsoft decided to push an update to fix the problem for Operating Systems prior to Windows 7.
Here is yet another example of a company distributing malware to its userbase. Unfortunately it probably won’t be the last.
Today one of our colleagues received a brand new Vodafone HTC Magic with Google’s Android OS. “Neat” she said. Vodafone distributes this phone to its userbase in some European countries and it seems affordable as you can get it for 0â‚¬ or 1â‚¬ under certain conditions.
The interesting thing is that when she plugged the phone to her PC via USB her Panda Cloud Antivirus went off, detecting both an autorun.inf and autorun.exe as malicious. A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into.
A quick analysis of the malware reveals that it is in fact a Mariposa bot client. This one, unlike the one announced last week which was run by spanish hacker group “DDP Team”, is run by some guy named “tnls” as the botnet-control mechanism shows:
00129953Â |.Â 81F2 736C6E74Â Â Â Â Â Â Â Â |XOR EDX,746E6C73 ; â€tnlsâ€
The Command & Control servers which it connects to via UDP to receive instructions are:
Once infected you can see the malware “phoning home” to receive further instructions, probably to steal all of the user’s credentials and send them to the malware writer.
Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also a Confiker and a Lineage password stealing malware. I wonder who’s doing QA at Vodafone and HTC these days