Microsoft: Removable Drive Worm Still Spreading


A quick-spreading worm that first surfaced on removable drives in 2009 is still finding success, and once it infiltrates corporate networks, it can be difficult to contain as it swiftly spreads from system to system, according to Microsoft.

Once the Vobfus worm infects a system, it downloads additional malware from remote servers while simultaneously looking for other removable drives to spread to other machines. Vobfus has been connected to a variety of financially motivated attack campaigns and has been used by a number of botnets, including Zbot, the Zeus banking Trojan malware family.

When Vobfus reaches out to a command-and-control server to download additional malware, it can make remediation efforts more difficult for IT teams, wrote Hyun Choi, a Microsoft malware researcher, in his analysis of the threat in the Microsoft Malware Protection Center blog. In particular, Hyun said a Trojan downloader called Beebone, seen in conjunction with Vobfus, causes serious problems because Beebone will also reach out to a remote server to download additional malware including other variants of Vobfus.

[Related: Top 10 Malware Threats To Microsoft PCs]

"Based on our observations, Beebone variants then download other variants of Vobfus, creating an infection cycle that means where you see one of these families, you'll often see the other," Choi wrote. "This cyclical relationship between Beebone and Vobfus downloading each other is the reason why Vobfus may seem so resilient to antivirus products."

Security experts have long been warning about worms that spread via removable drives. The threat is potentially serious because it enables an attacker to bypass the company firewall and other network security appliances. Once a USB stick is plugged into a victim's PC, the malware infects the system and seeks out other ways to spread on the network, including mapped drives.

The threat was highlighted last year when Symantec warned about a worm called Narilam that spreads through removable drives and network shares. If a system is connected to a network share, it can move quickly, said Shunichi Imano, a Symantec researcher, at that time. It only takes one infected system to disrupt a corporate network in minutes, Imano said.

A malware infection that wreaked havoc on a network share at Framingham, Mass.-based office retailer Staples in March initially spread on removable drives. It was connected to the ChangeUp worm, a longstanding threat that took advantage of Microsoft's Autorun feature.

ChangeUp is also connected to financially motivated cybercrime. It downloads banking Trojans and other malware designed to steal account credentials.

Two Autorun Java worms, which are more sophisticated than ChangeUp, have been behind some successful attack campaigns, according to Kaspersky Lab, which analyzed the malware last month. The worms are programmed to modify themselves once they infect a victim's PC, making them more difficult for signature-based antivirus to detect.

The worms have been more successful in India and Malaysia where many PCs are still running Windows XP. Microsoft disabled the Autorun in Windows 7 and has also provided instructions on how to disable Autorun in Windows XP.

PUBLISHED JULY 2, 2013