Social Engineering Autoplay and Windows 7

The Downadup worm utilizes autorun.inf files to spread via removable devices such as USB drives.

Our January 7th post, When is AUTORUN.INF really an AUTORUN.INF?, provided an initial analysis. The worm's autorun.inf uses several tricks, such as varying its file size, to help it evade detection.

Bojan Zdrnja at SANS Internet Storm Center recently posted some additional analysis showing that Downadup also attempts a social engineering trick against the Windows Vista AutoPlay dialog.

Downadup's autorun.inf file uses the Action keyword together with an icon taken from shell32.dll to produce the following AutoPlay dialog:

windows_vista_open_folder_to_view_files.png


The entry is listed under the "Install or run program" category, but its text and icon are those of the system's own "Open folder to view files" entry.

Choosing the first option runs Downadup, which is not good. The second, "general" option is the one that actually opens the USB drive safely.

Being curious, we tried this autorun.inf with Windows 7:

Windows7_Downadup_Autorun_inf.png


And the results for Windows 7 were the same as Vista's:

windows_7_open_folder_to_view_files.png


In both versions, Downadup disguises the "Install or run program" option as an "Open folder to view files" action.
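The AutoPlay dialog shows only the Action text and Icon that the autorun.inf supplies, so a scanner has to look at the file itself to tell an honest "Install or run program" entry from one dressed up as "Open folder to view files". The following is an added example, not code from the original post or from F-Secure: a small autorun.inf parser that tolerates the junk and padding Windows ignores, extracts the keys AutoPlay honours, and flags the disguise pattern described above (an Action string that copies the system's open-folder text, an Icon borrowed from shell32.dll, and a launcher key that runs a program). Both sample files below are constructed for the example; the malicious one imitates the worm's technique but is not a copy of the worm's file, and the payload path in it is made up.

```python
import re
from dataclasses import dataclass, field

# Keys that AutoRun/AutoPlay actually honours. Windows ignores every other
# line, which is why padding and binary junk do not break a hostile autorun.inf.
AUTORUN_KEYS = {"action", "icon", "label", "open", "shellexecute", "useautoplay"}

# Text of the system-provided AutoPlay option that a disguised Action= imitates.
SYSTEM_OPEN_TEXT = "open folder to view files"


@dataclass
class AutorunFindings:
    keys: dict = field(default_factory=dict)   # honoured key -> value (first one wins)
    junk_bytes: int = 0                        # bytes in lines Windows would ignore
    flags: list = field(default_factory=list)  # names of suspicious traits found


def parse_autorun(data: bytes) -> AutorunFindings:
    """Parse raw autorun.inf bytes the way AutoPlay does, then apply disguise checks."""
    # latin-1 maps every byte to one character, so junk bytes never raise.
    text = data.decode("latin-1")
    result = AutorunFindings()
    in_autorun_section = False

    for raw in re.split(r"\r\n|\n|\r", text):
        line = raw.strip()
        if not line:
            continue
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:
            # Section names are case-insensitive, like the keys.
            in_autorun_section = section.group(1).lower() == "autorun"
            continue
        name, sep, value = line.partition("=")
        key = name.strip().lower()
        if in_autorun_section and sep and key in AUTORUN_KEYS:
            result.keys.setdefault(key, value.strip())
        else:
            # Unknown key, junk, or a key outside [autorun]: Windows skips it.
            result.junk_bytes += len(raw)

    action = re.sub(r"\s+", " ", result.keys.get("action", "")).strip().lower()
    icon = result.keys.get("icon", "").lower()
    launcher = result.keys.get("shellexecute") or result.keys.get("open")

    if action == SYSTEM_OPEN_TEXT:
        result.flags.append("impersonates_open_folder")
    if "shell32.dll" in icon:
        result.flags.append("borrows_system_icon")
    # A program that runs while looking like the system's open-folder entry.
    if launcher and result.flags:
        result.flags.append("disguised_launcher")
    return result


# Constructed sample in the style of the worm's autorun.inf (not a copy of it):
# the header and keys are interleaved with junk lines that Windows ignores,
# and the payload path is invented for this example.
MALICIOUS_SAMPLE = (
    b"\x10\x8a\xf3 padding that no parser cares about \x00\xff\r\n"
    b"[AutoRun]\r\n"
    b"\x7f\x00\x00 more filler to vary the file size\r\n"
    b"AcTiOn=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"ShellExecute=RUNDLL32.EXE .\\RECYCLER\\payload.dll,entry\r\n"
    b"UseAutoPlay=1\r\n"
)

# Constructed benign sample: a vendor installer that says what it is.
BENIGN_SAMPLE = (
    b"[autorun]\r\n"
    b"open=setup.exe\r\n"
    b"icon=setup.exe,0\r\n"
    b"action=Install Example Vendor Tool\r\n"
)


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        findings = parse_autorun(sample)
        print(f"{label}: keys={findings.keys} junk_bytes={findings.junk_bytes} "
              f"flags={findings.flags}")
```

The check is deliberately narrow: an Action text or an Icon alone is not evidence of anything, so the "disguised_launcher" flag fires only when a launcher key is present together with one of the two disguise traits. The junk_bytes count is a useful secondary signal for the size-variation trick, since a legitimate autorun.inf has no reason to contain lines AutoPlay cannot use.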

We would click on Windows 7's "Send Feedback" link, but the lab's Windows 7 system is not connected to the Internet. It is being used to test our Client Security 8 application. Client Security 8 (and Internet Security 2009) can generically detect Downadup's autorun file as Worm:W32/Downaduprun.A.

worm_w32_downaduprun_a.png
On 19/01/09 At 04:44 PM


