Staples Corporate Systems Hit With Malware Attack

The Framingham, Mass.-based retailer locked down its corporate systems on Thursday when it detected the notorious Changeup worm spreading on its share drives. Employees were notified about the infection in an email message this week, CRN has learned.

Company spokesperson Mark Cautela was reached by CRN and said he would look into the matter but did not respond Friday with details about the incident or indicate whether the infection exposed customer data.

[Related: 5 Factors Fueling Wave Of Java Attacks ]

The worm spreads through removable and mapped drives, and the malware author continually changes it, making it difficult for antivirus and some network security appliances to prevent it from infecting systems. The worm installs a file-sharing program removable storage drives and mounted network shares and makes copies of itself in the shared folder, causing it to quickly spread through corporate endpoint machines, said Marc Maiffret, CTO of Carlsbad, Calif.-based identity and threat management firm BeyondTrust.

"Malware doesn't discern between consumers and corporations," Maiffret told CRN. "If companies were doing the right things such as egress filtering to control executables coming in and out of the environment, they should be able to safely mitigate this type of malware."

In many cases, companies isolate network shares from systems containing more sensitive data, but even network shares can and often contain confidential data, he said. However, many times companies ignore even the basics of using antivirus on network shares because of performance reasons or a lack of understanding of how to implement it properly, Maiffret said.

Changeup infections initially spread via spam messages and through malicious links on social networking websites. Symantec warned in November that it had detected increased infections of the worm.

The worm also spreads by exploiting a Windows Shell shortcut file execution vulnerability, which was patched by Microsoft in 2010, Symantec said in its analysis of the worm.

Once it gains a presence on systems, the worm contacts a remote command-and-control server and downloads additional malware. Security firms have identified Changeup downloading banking Trojans, including Zeus and the peer-to-peer Zbot Trojan, but the malware frequently changes.

The Changeup worm exhibits characteristics typically found in a Trojan, according to U.K.-based security firm Sophos, which also provided analysis of it in November.

PUBLISHED APRIL 5, 2013