Why Friends Don’t Let Friends Run Windows: Conficker

Mary gave a gardening presentation at the local library, popping a 4 GB USB memory stick with the presentation into a library computer connected to the display projector. Back home, she deleted the presentation and was about to add more files when she noticed something interesting:

drwx------  4 ed   ed    4096 Dec 31  1969 ./
drwxr-x---+ 3 root root  4096 Jan 31 19:21 ../
-r--r--r--  1 ed   ed   59288 Mar 21  2009 autorun.inf
drwx------  3 ed   ed    4096 Jan 30 19:31 RECYCLER/
drwx------  4 ed   ed    4096 Jan 31 19:10 .Trash-1001/

Ubuntu 12.10 automagically mounts FAT filesystems with the current user as owner and group, which is why everything shows up as ed:ed; the 1969 date on the root directory is just the Unix epoch, because a FAT root directory carries no timestamp of its own. The .Trash-1001 directory is the Linux trash heap, but where did all that other stuff come from? That autorun.inf definitely looks Windows-y, doesn’t it?

Perforce, the library runs Windows, but that shouldn’t add files to a USB memory stick that just was plugged in and used for a read-only presentation, should it?

Huh. You know where this is going…

Let’s hand autorun.inf to VirusTotal for a second opinion. At 59 KB it is far too big for a file that needs only a handful of lines; the few real directives are padded out with kilobytes of binary junk. The first three results from their long list confirm my suspicion:

Antivirus Result Update
Agnitum INF.Conficker.F 20130131
AhnLab-V3 Win32/Conficker.worm 20130131
AntiVir Worm/Kido.IH.40 20130131

The executable file containing the actual payload is, of course, buried in a subdirectory that looks innocent enough on a Windows box: RECYCLER is the Recycle Bin folder name Windows XP uses on NTFS volumes, and the subfolder name imitates a per-user security identifier, although a genuine SID always begins with S-1-, never S-5-:
/RECYCLER/S-5-3-42-2819952290-8240758988-879315005-3665/

It sports a random-looking name and a .vmx extension that doesn’t look executable, which is enough to slip past a really stupid malware detector that only checks extensions. The file is actually a DLL; autorun.inf hands it to rundll32.exe, which couldn’t care less what the extension says:
jwgkvsq.vmx

Here’s what VirusTotal reports from some heavy hitters in the AV field:

Kaspersky Net-Worm.Win32.Kido.ih 20130131
Kingsoft Worm.Kido.ih.(kcloud) 20130131
Malwarebytes Worm.Conficker 20130131
McAfee W32/Conficker.worm 20130201
McAfee-GW-Edition W32/Conficker.worm 20130131
Microsoft Worm:Win32/Conficker.B 20130131
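
As an added example (my own code, not anything from the post or from any AV vendor), here is the triage Mary could have done from the Ubuntu side before the stick went anywhere near another Windows box: read the junk-padded autorun.inf, dig the directives out of the padding, and flag the tells described above (a rundll32 launch, a target under RECYCLER, a SID look-alike folder that doesn’t start with S-1-, a non-DLL extension on what rundll32 is asked to load), plus the SHA-256 you can look up on VirusTotal without uploading anything. The autorun.inf bytes in the script are constructed to imitate the shape of the real file, not copied from it; the padding bytes and the export name after the comma are made up, and only the directory and file names come from the post.

```python
"""Triage an autorun.inf pulled off a FAT USB stick from the Linux side."""
import hashlib
import re
import sys
from typing import Dict, List, Optional

# Constructed sample, NOT the worm's real file: it only imitates the shape the
# post describes (a few directives buried in kilobytes of binary junk). The
# directory and file names are the ones shown in the post; the padding bytes
# and the export name after the comma are made-up placeholders.
SAMPLE_AUTORUN = (
    b"\x00\x01\xff\x7f" * 50
    + b"[autorun]\r\n"
    + b"\x00" * 120
    + b"\xfe\xfdAction=Open folder to view files\r\n"
    + b"\xfe\xfd" * 60
    + b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    + b"\x00\x11" * 30
    + b"shellexecute=RuNdLl32.EXE .\\RECYCLER\\"
    b"S-5-3-42-2819952290-8240758988-879315005-3665\\jwgkvsq.vmx,placeholder\r\n"
    + b"\x00\x01" * 80
    + b"UseAutoPlay=1\r\n"
    + b"\xaa\x55" * 200
)

DIRECTIVE = re.compile(rb"([A-Za-z]+)[ \t]*=[ \t]*(.*)")
JUNK = re.compile(rb"[^\x20-\x7e]+")        # anything that is not printable ASCII
SID_DIR = re.compile(r"\\(S-\d+(?:-\d+)+)\\", re.IGNORECASE)
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+([^,]+)", re.IGNORECASE)


def parse_directives(data: bytes) -> Dict[str, str]:
    """Extract key=value directives from an INF that may be padded with junk.

    configparser would choke on the garbage, so each line is scrubbed of
    non-printable bytes and matched with a tolerant regex. Keys are lower-cased
    (autorun.inf keys are case-insensitive); the first occurrence wins, since
    the padding could in principle contain accidental '=' characters too.
    """
    found: Dict[str, str] = {}
    for raw in re.split(rb"\r\n|\n|\r", data):
        match = DIRECTIVE.match(JUNK.sub(b"", raw))
        if match:
            found.setdefault(match.group(1).decode("ascii").lower(),
                             match.group(2).decode("ascii").strip())
    return found


def rundll32_target(value: str) -> Optional[str]:
    """Return the file a 'rundll32.exe <file>,<export>' command would load."""
    match = RUNDLL.search(value)
    return match.group(1).strip() if match else None


def triage(data: bytes) -> Dict[str, object]:
    """Return the hash, the parsed directives and a list of human-readable tells."""
    directives = parse_directives(data)
    tells: List[str] = []
    junk_ratio = 1.0 - len(JUNK.sub(b"", data)) / max(len(data), 1)
    if junk_ratio > 0.5:
        tells.append("%.0f%% of the file is non-printable padding" % (junk_ratio * 100))
    for key in ("open", "shellexecute"):          # the two directives that run things
        value = directives.get(key)
        if value is None:
            continue
        lowered = value.lower()
        if "\\recycler\\" in lowered or "\\recycled\\" in lowered:
            tells.append(f"{key} target sits inside the recycle-bin folder")
        sid = SID_DIR.search(value)
        if sid and not sid.group(1).upper().startswith("S-1-"):
            tells.append(f"{key} path uses SID look-alike {sid.group(1)} (real SIDs start with S-1-)")
        target = rundll32_target(value)
        if target:
            tells.append(f"{key} runs rundll32 on {target}")
            if not target.lower().endswith((".dll", ".cpl")):
                tells.append("rundll32 target has a non-DLL extension, i.e. a renamed DLL")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "junk_ratio": junk_ratio,
        "directives": directives,
        "tells": tells,
    }


if __name__ == "__main__":
    # Usage: python triage_autorun.py /media/$USER/STICK/autorun.inf
    # With no argument the constructed sample above is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AUTORUN
    report = triage(blob)
    print("sha256 :", report["sha256"])
    for key, value in report["directives"].items():
        print(f"{key:>13} = {value}")
    for tell in report["tells"]:
        print("TELL   :", tell)
    sys.exit(1 if report["tells"] else 0)
```

The script deliberately reads the stick as plain data and never executes anything from it, which is the whole point of doing this from Linux; the exit status makes it usable from a udev rule or a shell loop over freshly mounted sticks. A clean autorun.inf (say, `open=setup.exe` on a vendor CD image) produces no tells, so the output is worth looking at only when something is flagged.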

The Wikipedia article gives the details. I suppose that PC got it from somebody else’s USB stick, but the library really should be running some defensive software; Conficker dates back to 2008, so it’s not new news these days.

That kind of Windows Genuine Advantage makes up for all the hassles of running Linux, right there. Mary reported the problem to the library; we’ll never know the rest of the story.

[Update: We got an update!]

  1. #1 by Mick on 2013-02-18 - 15:10

    Some of these posts make absolutely no sense to me at all. I look at them and wonder… is this guy making this stuff up? :)

    • #2 by Ed on 2013-02-18 - 15:32

      is this guy making this stuff up?

      I wish I was… but it’s real. All too real!

      • #3 by Jetguy on 2013-02-18 - 16:22

        At least it wasn’t the FBI hoax virus running around. Seriously, I know people dumb enough to send money.

        http://www.fbi.gov/scams-safety/e-scams

        • #4 by Ed on 2013-02-18 - 17:19

          the FBI hoax virus

          Y’know, it used to be you could tell the difference between the good guys and the bad guys at a glance…

  2. #5 by Red County Pete on 2013-02-18 - 16:35

    That’s one reason why I don’t use the desktops at the library, but take advantage of the wi-fi (and free power when the library is open) with Julie’s laptop. No apologies for using Windows–lack of bandwidth tends to lead one to solutions that can be shipped via FedEx.

    I guess if Ubuntu (and other *ixes) starts getting more penetration, you’ll see malware going after it. I gather that Macs are starting to see some. Perfect target with MS–popular and not too secure.

    • #6 by Ed on 2013-02-18 - 16:58

      malware going after it

      Absolutely. Right now, with a market share rounding off to zero and a fragmented programming model, there’s not much motivation: too much up-front effort, too little potential return. If Canonical gets any traction with their mobile version, that’s sure to attract some attention.

      • #7 by Red County Pete on 2013-02-18 - 18:52

        too little potential return

        I think that’s the reason why I’ll only get a probing attack every two weeks or so. As a customer of one of the largest remaining dialup ISPs, you’d think there’s a “why bother” flag on the IP address block. Not sure how much is botnet and how much is script kiddies. Certainly the phishing emails have been spectacularly lame lately. A bearing company in Taiwan needs me to collect money for them? Gee Whillickers! [rolls eyes]

        • #8 by Ed on 2013-02-18 - 18:58

          the phishing emails have been spectacularly lame lately

          Yeah, I haven’t won more than maybe two million bucks in the last month; it’s hardly worth replying to the emails…

  1. Capacity Test For USB Flash Drive Memory | The Smell of Molten Projects in the Morning
  2. Conficker vs. Library: The Rest of the Story | The Smell of Molten Projects in the Morning