
New virus spreading through flash drives

Some time ago, experts at VirusBlokAda reported the discovery of a new virus that spreads via USB drives. Its distinguishing features are the following:

1. The well-known autorun.inf trick is not used to get onto the system. This time the infection relies on a brand-new vulnerability that affects all versions of Windows. Its essence is that shortcut files with the following names are created on the removable media:
"Copy of Copy of Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Copy of Shortcut to.lnk"
"Copy of Copy of Shortcut to.lnk"
"Copy of Shortcut to.lnk"


Each shortcut, when the shell parses it in order to render its icon, causes the Trojan DLL ~wtr4141.tmp (or ~wtr4132.tmp; the digits may differ) to be loaded. Nothing has to be clicked: it is enough for the folder containing the shortcuts to be displayed.

A working exploit is already publicly available, which suggests that more is coming: the vulnerability has not yet been patched and is a tempting target for malware writers.

2. After infection, two files appear in the %SystemRoot%\System32\drivers directory: mrxnet.sys and mrxcls.sys. One works as a file-system filter driver, the other as a malicious code injector. The %SystemRoot%\inf directory holds two more files, oem6c.pnf and oem7a.pnf, whose contents are encrypted. The drivers are signed with a valid digital signature belonging to Realtek Semiconductor:
[screenshots of the Realtek signing certificate]
By now that certificate has been revoked. However, a new version of the malware with similar functionality is signed with a certificate belonging to JMicron Technology:
[screenshots of the JMicron signing certificate]

Note that this certificate, unlike the Realtek one, has not even expired.

3. Immediately after infection, without a reboot, the rootkit starts additional threads inside system processes, hides the modules those threads were started from, and installs hooks in services.exe, svchost.exe, lsass.exe and possibly winlogon.exe. This lets it hide the files listed above and carry out its malicious payload.
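The following script is an added example, not part of the original post: a triage check for the on-disk indicators listed in point 2 and the shortcut and DLL names from point 1. The caveat comes from point 3: on a live infected machine the rootkit hooks hide exactly these files, so a negative result there proves nothing. Run it against an offline copy of the volume (mount the image and pass its Windows directory as -SystemRoot) or from a clean boot environment. The parameter name and output format are my own choices.

```powershell
# Added example (not from the original post): look for the indicators the post
# names. Caveat: on a running infected system the rootkit hides these files, so
# use an offline volume or a clean boot environment. Run elevated.
param(
    [string]$SystemRoot = $env:SystemRoot   # e.g. 'F:\Windows' for a mounted image
)

# Dropped files as reported in point 2.
$indicators = @(
    (Join-Path $SystemRoot 'System32\drivers\mrxnet.sys'),
    (Join-Path $SystemRoot 'System32\drivers\mrxcls.sys'),
    (Join-Path $SystemRoot 'inf\oem6c.pnf'),
    (Join-Path $SystemRoot 'inf\oem7a.pnf')
)

foreach ($path in $indicators) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path -Force
    $line = "FOUND  $path  $($item.Length) bytes  modified $($item.LastWriteTime)"
    if ($path -like '*.sys') {
        # A 'Valid' status is not a clean bill of health: the point of the post
        # is that these drivers carry a genuine vendor signature. Record the
        # signer so it can be compared against the revoked certificate.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $line += "  signature=$($sig.Status)  signer=$($sig.SignerCertificate.Subject)"
    }
    Write-Output $line
}

# Removable media: the four crafted shortcuts and the dropped ~wtrNNNN.tmp DLLs
# from point 1. Win32_LogicalDisk DriveType 2 = removable disk.
$lnkNames = @(
    'Copy of Shortcut to.lnk',
    'Copy of Copy of Shortcut to.lnk',
    'Copy of Copy of Copy of Shortcut to.lnk',
    'Copy of Copy of Copy of Copy of Shortcut to.lnk'
)
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    foreach ($name in $lnkNames) {
        $lnk = Join-Path $root $name
        if (Test-Path -LiteralPath $lnk) { Write-Output "FOUND  $lnk" }
    }
    # The digits in the DLL name vary, so match the prefix only.
    Get-ChildItem -LiteralPath $root -Filter '~wtr*.tmp' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Output "FOUND  $($_.FullName)" }
}
```

Treat any FOUND line as a reason to image the machine rather than clean it in place: the injected threads and hooks from point 3 are not visible to this file-level check.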

So far the largest number of infections has been recorded in India, Iran and Indonesia, with isolated cases in other countries, including the CIS.

Analysis of the virus is still under way; in particular, the mechanisms of its malicious activity are not yet fully understood. It is believed that the malware is engaged in industrial espionage, as it connects to Siemens Simatic WinCC systems. A final analysis is not yet available.

For ordinary users the danger right now is not so much this particular malware (already given names such as Trojan-Dropper.Win32.Stuxnet, Rootkit.TmpHider, SScope.Rookit.TmpHider.2) as the infection vector itself, which is now public: removable USB media. The only way to prevent infection by new variants not yet in anti-virus databases is to disable the display of icons for shortcuts and to disable the WebClient service.
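The script below is an added example, not from the original post, that applies the two workarounds just mentioned on a running machine. The registry locations are the shell's standard icon-handler keys for .lnk and .pif files; the backup directory and file names are my own choices. It must be run in an elevated PowerShell session.

```powershell
# Added example (not from the original post): disable shortcut icon rendering
# and the WebClient service, keeping a .reg backup so the change can be undone.
# Run elevated.
$ErrorActionPreference = 'Stop'
$backupDir = Join-Path $env:ProgramData 'lnk-workaround'   # assumption: any writable dir works
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Explorer resolves a shortcut's icon through the COM handler registered under
# shellex\IconHandler. With that value cleared, Explorer draws a generic icon
# and never parses the shortcut, so a crafted .lnk is not "processed to display
# its icon" at all. HKLM:\SOFTWARE\Classes is the machine-wide view of HKCR.
$handlerKeys = @{
    lnkfile = 'HKLM:\SOFTWARE\Classes\lnkfile\shellex\IconHandler'
    piffile = 'HKLM:\SOFTWARE\Classes\piffile\shellex\IconHandler'
}
foreach ($entry in $handlerKeys.GetEnumerator()) {
    if (-not (Test-Path $entry.Value)) { continue }
    # Export the key first; 'reg import <file>' restores the original handler.
    $regPath = $entry.Value -replace '^HKLM:\\SOFTWARE\\Classes', 'HKCR'
    reg.exe export $regPath (Join-Path $backupDir "$($entry.Key).reg") /y | Out-Null
    Set-ItemProperty -Path $entry.Value -Name '(Default)' -Value ''
}

# WebClient (WebDAV) would let a shortcut reference a DLL on a remote share,
# which turns a USB-only problem into a network one; stop and disable it.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
}

# Explorer caches the handler; restart it so the change takes effect now.
Stop-Process -Name explorer -Force
Start-Process explorer.exe

# Check: the (Default) value of both keys should now be empty.
foreach ($key in $handlerKeys.Values) {
    if (Test-Path $key) {
        $val = (Get-ItemProperty -Path $key).'(default)'
        Write-Output ("{0}: '{1}'" -f $key, $val)
    }
}
```

Expect all shortcuts on the desktop and in the Start menu to lose their custom icons after this; that is the visible cost of the workaround, and the .reg files in the backup directory undo it once a patch is installed.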

Add-on: While this post was collecting views and ratings, I found what looks like the first decent Stuxnet analysis, so I decided to mention it.

Source: https://habr.com/ru/post/99859/

