The return of the “Sneaker network” 

May 02, 2010 02:11 PM

Those of us who have been around for a long time remember when viruses were primarily jokes that were distributed via floppy disks. Moving data from machine to machine by carrying disks was often referred to as the “sneaker net”.

I have recently seen a few viruses that seem to transmit only via removable storage (USB drives, cameras, smart phones, etc.), which is the newer version of the floppy-disk sneaker net.

What I saw:
(NOTE: Antivirus did not catch this, but I observed network traffic trying to call home to known botnet command-and-control servers.)

In two separate incidents I found the virus launching from removable storage (a USB drive and a camera). The devices were allowed to AutoPlay, which ran the autorun.inf file, which in turn launched the malware from a specially crafted folder.

Autorun.inf pointed to an executable file in a folder that, in Windows Explorer, appears to be the Recycle Bin; when you try to open it from Explorer you are redirected to the real Recycle Bin.

[Screenshot “Explorer Trick”: an example folder (that I created) shown in Windows Explorer next to the actual Recycle Bin]


And here is the same folder viewed from the command prompt: [Screenshot “DOS Trick”]


Sample contents of autorun.inf (the lines beginning with ';' are comments stuffed with junk bytes, presumably to defeat signature matching; the directives that matter are the three that point at ggggg/virus.exe):
[autorun
;s?Tj?Xëú
open=ggggg/virus.exe
;õ??mRC)???ù?
icon=%SystemRoot%\system32\SHELL32.dll,4
;??A}OëÊMb?
action=Open folder to view files using Windows Explorer
;LkdÏOF
shell\\open\command= ggggg/virus.exe
;?Zf]???Mé
shell\explore\\command= ggggg/virus.exe
;?s??çt??
useautoplay=1
;?øüÌ????àÒY?
[AutoRun]

open= is what AutoPlay runs when the device is inserted, shell\open\command= is what runs when the drive is double-clicked in Explorer, and shell\explore\command= is what runs from the right-click Explore menu item, so the malware starts whichever way the user opens the drive. icon= and action= borrow the standard folder icon and the wording of the usual “Open folder to view files” AutoPlay entry so that the drive looks normal in the AutoPlay dialog.
 
Contents of ggggg\Desktop.ini:
[.ShellClassInfo]
IconFile=%SystemRoot%\system32\SHELL32.dll
IconIndex=32
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
The CLSID is the Recycle Bin's. When a folder that has the read-only or system attribute set carries a desktop.ini with that CLSID, Explorer treats the folder as the Recycle Bin: it shows the bin's icon and opens the real Recycle Bin instead of listing the folder's contents. The attribute requirement is why the removal steps below clear attributes before deleting anything. Information taken from Microsoft at:
http://msdn.microsoft.com/en-us/library/cc144096(VS.85).aspx

 
Notice that the autorun.inf will launch virus.exe. Once running, this process hooks itself into Explorer.exe, which makes it difficult to remove: as long as Explorer is alive, the malware can put the files back.
Removal:
Launch Task Manager and a command prompt. In Task Manager, kill every explorer.exe process; the malware is running inside Explorer and will recreate its files while it is alive.

  1. With the command prompt, navigate to the root of the removable device (for example E:) and run the following command:
     attrib -s -r -h *
                 (removes the read-only, system and hidden attributes from all files in the root of the device)
  2. del autorun.inf
                 (deletes the autorun.inf)
  3. cd <folder name>
                 (navigates into the unusual folder; run 'dir /ad' to get the folder name)
  4. xcopy *.* c:\quarantine\
                 (copies all of the files to a folder on the PC so they can be submitted to your antivirus vendor; use a dedicated folder rather than the root of C: so the samples are not mixed in with anything else, and do not run them)
  5. del *
                 (deletes all of the files; cmd asks for confirmation)
  6. cd ..
                 (navigates up one folder; the '..' is important)
  7. rmdir <folder name>
                 (deletes the folder; if this reports access denied, the folder itself still has the read-only or system attribute, so run 'attrib -s -r -h <folder name>' first)
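The whole procedure, plus the triage that precedes it, as an added Python example (not the original post's tooling). It parses an autorun.inf like the one above, tolerating the junk comment lines, the unterminated '[autorun' header and the doubled backslashes, finds every directive that would launch a program, flags folders whose desktop.ini carries the Recycle Bin CLSID, then quarantines and deletes them in the same order as the manual steps: clear attributes, copy out for submission, delete the file and the folder. The embedded autorun.inf and desktop.ini are constructed copies of the ones in this post with the junk bytes replaced by ASCII; ggggg and virus.exe come from the post, while photo.jpg, the E stand-in directory and the function names (parse_autorun, launch_targets, triage, clear_attributes, clean_device, build_sample_device, demo) are my own. On Windows it clears attributes with SetFileAttributes; elsewhere it falls back to chmod so the demo also runs on a Linux triage box.

```python
# Added example, not the post's tooling: triage and clean-up for the autorun.inf + desktop.ini "fake
# Recycle Bin" trick.  SAMPLE_AUTORUN is a constructed copy of the post's sample (junk bytes replaced
# with ASCII); build_sample_device() writes it into a temp dir that stands in for the drive root.
import os, re, shutil, tempfile
from pathlib import Path

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
# Directives that run a program on insert (AutoPlay), double-click, or right-click > Explore.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
SAMPLE_AUTORUN = """[autorun
;s?Tj?Xzz
open=ggggg/virus.exe
;junk-to-defeat-signatures
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files using Windows Explorer ;LkdOF
shell\\\\open\\command= ggggg/virus.exe
shell\\explore\\\\command= ggggg/virus.exe
useautoplay=1
[AutoRun]
"""
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\nIconIndex=32\nCLSID=%s\n" % RECYCLE_BIN_CLSID

def parse_autorun(text):
    """Directive name -> value; tolerates the unterminated '[autorun', junk comments and '\\\\' in keys."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue
        line = line.split(";", 1)[0]            # drop trailing junk such as '... ;LkdOF'
        if "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower().replace("\\\\", "\\")] = value.strip()
    return directives

def launch_targets(directives):
    """Every program the autorun.inf would launch, deduplicated."""
    return sorted({directives[k] for k in LAUNCH_KEYS if k in directives})

def triage(device_root):
    """Read-only pass over a device root: launch targets, and folders whose desktop.ini wears the disguise."""
    root, ini = Path(device_root), Path(device_root) / "autorun.inf"
    targets = launch_targets(parse_autorun(ini.read_text(encoding="latin-1"))) if ini.is_file() else []
    disguised = [d.name for d in root.iterdir() if d.is_dir() and (d / "desktop.ini").is_file()
                 and RECYCLE_BIN_CLSID.lower() in (d / "desktop.ini").read_text(encoding="latin-1").lower()]
    return {"autorun_targets": targets, "disguised_folders": disguised}

def clear_attributes(path):
    """'attrib -s -r -h' equivalent: clear system/hidden/read-only on Windows, chmod elsewhere."""
    if os.name == "nt":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(str(path), 0x80)   # FILE_ATTRIBUTE_NORMAL
    else:
        os.chmod(path, 0o700)

def clean_device(device_root, quarantine_dir):
    """Quarantine, then delete, autorun.inf and the suspect folders.  Kill explorer.exe first."""
    root, quarantine = Path(device_root), Path(quarantine_dir)
    quarantine.mkdir(parents=True, exist_ok=True)
    found = triage(root)
    suspects = set(found["disguised_folders"])
    for target in found["autorun_targets"]:          # 'ggggg/virus.exe' -> folder 'ggggg'
        parts = re.split(r"[\\/]", target.strip('"'))
        if len(parts) > 1:
            suspects.add(parts[0])
    removed, ini = [], root / "autorun.inf"
    if ini.is_file():
        clear_attributes(ini)
        shutil.copy2(ini, quarantine / ini.name)
        ini.unlink()
        removed.append(ini.name)
    for folder in (root / n for n in sorted(suspects) if (root / n).is_dir()):
        clear_attributes(folder)                      # rmdir refuses a read-only folder
        for p in folder.rglob("*"):
            clear_attributes(p)
        shutil.copytree(folder, quarantine / folder.name, dirs_exist_ok=True)
        shutil.rmtree(folder)
        removed.append(folder.name)
    return removed

def build_sample_device(root):
    """Constructed fixture: the layout the post describes, with a harmless stand-in 'virus.exe'."""
    (Path(root) / "ggggg").mkdir(parents=True)
    for name, body in {"autorun.inf": SAMPLE_AUTORUN, "photo.jpg": "legitimate user data",
                       "ggggg/desktop.ini": SAMPLE_DESKTOP_INI, "ggggg/virus.exe": "MZ stand-in"}.items():
        (Path(root) / name).write_text(body, encoding="latin-1")
        os.chmod(Path(root) / name, 0o444)            # read-only, as 'attrib +r +s +h' leaves them
    os.chmod(Path(root) / "ggggg", 0o555)             # the desktop.ini disguise needs this attribute

def demo():
    """Build the fixture in a temp dir, triage it, clean it and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        device, quarantine = Path(tmp) / "E", Path(tmp) / "quarantine"
        build_sample_device(device)
        before = triage(device)
        removed = clean_device(device, quarantine)
        return {"targets": before["autorun_targets"], "disguised": before["disguised_folders"],
                "removed": removed, "left_on_device": sorted(p.name for p in device.iterdir()),
                "quarantined": sorted(p.relative_to(quarantine).as_posix()
                                      for p in quarantine.rglob("*") if p.is_file())}

if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the report from the constructed fixture. To use it on a real device, kill explorer.exe first as described above, call triage('E:\\') to see what it would remove, then clean_device('E:\\', r'C:\quarantine') to do it. The quarantine directory must not be on the device itself, and the copied files are still live malware: handle them as samples to submit, not as something to double-click.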
 
Of course you could simply reformat the device (I had to do this for the camera, as the files kept reappearing), but then you have no sample to submit and learn nothing that helps with the next infection. The lasting fix is to disable AutoRun for removable drives (the NoDriveTypeAutoRun policy): a drive can still carry the files, but nothing runs when it is plugged in.

Comments

Jul 06, 2010 12:44 PM


Autorun is always dangerous. I would always prefer turning this off. Though it takes a little more time and effort to locate the exact file on the drive using the readme and other documentation, it is worth it, considering the amount of peril and downtime that would otherwise follow, eating our valuable productive billable time.

May 15, 2010 12:47 AM

Regarding this issue... rather than reformatting the drive, my suggestion would be to disable autorun, delete the autorun file, and try to use a tool like IceSword to remove the infected file.

May 05, 2010 09:12 AM


good
