
Infested Office Computer(s)


Dr. J

Recommended Posts

Over the last couple of weeks, a friend of mine has brought me no less than three USB memory sticks, infected with a virus from the office where she works. On a Windows machine, the USBs appeared to contain a folder (same name and icon as the actual drive) containing the files from the drive, and there were some 'permission errors' when trying to open files. Over on Linux, it became clear that the 'folder' was actually a shortcut (*.lnk file), linked to an unnamed hidden folder, where all the drive's files were present. Also, a couple of dodgy files (hidden from Windows) had been added, one called 'UserVolumeGuide', and the other a DOS executable with a bunch of & signs in the name, with the extension .2. Attempting to read either with a text editor (I tried NANO, EMACS and Geany, on ArchLinux and Slackware) resulted in either an "Encoding not found" error, or a boatload of incomprehensible machine language.

The office IT crowd has since circulated an email stating that a virus was present on 'one' of the shared computers, and that the origin was traced to a 2 GB USB stick.

I removed the dodgy files and shortcut from the sticks, moved the files back to where they should be, and everything seems to be fine, but I am curious if anyone has come across anything similar before, or is aware of the scope of the threat.

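Added example, not from the thread: a POSIX shell triage script for a stick mounted on Linux that reports the layout Dr. J describes (a root-level .lnk impersonating a folder, a blank-named directory holding the real files, an executable hiding behind an odd extension) without running or deleting anything. The function names, the blank-name and MZ-header tests are assumptions about that sample, and the fixture is constructed from harmless bytes.

```shell
#!/bin/sh
# Added triage helper: inspect the root of a mounted USB stick on Linux for the
# layout described in the post. It only reports; nothing on the stick is
# executed or removed. scan_usb_root and make_infected_fixture are
# hypothetical names for this example.

# Print one line per finding; return 1 if anything was flagged, 0 if clean.
scan_usb_root() {
    root=$1
    hits=0
    for entry in "$root"/* "$root"/.[!.]* "$root"/..?*; do
        [ -e "$entry" ] || continue                 # unmatched glob pattern
        name=${entry##*/}
        if [ -d "$entry" ]; then
            # A directory whose name has no visible character (spaces,
            # non-breaking spaces, control bytes) is how the "unnamed" hidden
            # folder holding the moved files shows up on Linux.
            if [ -z "$(printf '%s' "$name" | tr -dc '[:graph:]')" ]; then
                echo "HIDDEN-DIR: blank name, $(find "$entry" -type f | wc -l | tr -d ' ') file(s) inside"
                hits=$((hits + 1))
            fi
            continue
        fi
        case $name in
            *.lnk|*.LNK)    # a Windows shortcut on a plain data stick is unusual
                echo "SHORTCUT: $name"; hits=$((hits + 1)) ;;
        esac
        # Whatever the extension says, a DOS/PE executable starts with 'MZ'
        # (bytes 4d 5a); read the first two bytes as hex and compare.
        magic=$(dd if="$entry" bs=2 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
        if [ "$magic" = "4d5a" ]; then
            echo "EXECUTABLE: $name (MZ header behind extension .${name##*.})"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Constructed fixture reproducing the described layout with harmless bytes.
make_infected_fixture() {
    d=$(mktemp -d)
    blank=$(printf '\302\240')                      # U+00A0 as the folder name
    mkdir -p "$d/$blank/Documents"
    echo "report draft" > "$d/$blank/Documents/notes.txt"
    printf 'L\000\000\000' > "$d/Documents.lnk"     # .lnk files begin with 'L'
    printf 'MZ\220\000' > "$d/a&b&c.2"              # renamed executable stub
    : > "$d/UserVolumeGuide"                         # empty: not flagged by content
    echo "$d"
}
```

Run it as `scan_usb_root /media/usb` on the mounted stick; the empty 'UserVolumeGuide' is deliberately left for hash lookup rather than flagged, since nothing in its bytes identifies it.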

securitybreach

Well, with the correct control over the network, this should never happen. For instance, where I work, you need local admin access to run any executable or even download an executable. Granted, I work in an enterprise environment, but that should still be the case in all company networks. Luckily I have full local admin access as I am an IT engineer, so I can run what I like (locally anyway).

 

USBs are a pretty common attack vector and are one of the easiest ways to infect a network. All you have to do is drop a stick here and there in the company parking lot and usually someone will pick one up and plug it in out of curiosity. That is literally all it takes to infect a network, and that is why most companies either disable USB ports on assets (err, computers) or send out bulletins all the time warning people of the threat of plugging in unknown USB drives.

 

In my opinion, this is the fault of the IT more so than the employees since they should have the network properly secured in the first place.

  • Like 1

I read about this yesterday

http://www.infoworld.com/article/3047123/security/usb-trojan-hides-in-portable-applications-targets-air-gapped-systems.html

 

since I use many portable apps on USB sticks, I was interested.

 

Bottom line: don't put USB sticks that are not under your control into a computer. This isn't a problem for us at home since we control our sticks but I can see it as a problem in an Office.

  • Like 2

I read about this yesterday

http://www.infoworld...ed-systems.html

This may be something similar. From what I hear, it seems that the source USB planted its payload onto the system, which is now scanning for other USB drives to infect.

Anyway, we're talking about the staff computers at an Adult Education Center, so I've got a funny feeling that it could all be traced back to either some malevolent newbie hacker testing his code, or someone downloading an executable from a dodgy website by mistake.

  • Like 1

Hello,

 

I would also suggest having them get in touch with their anti-malware vendor's help desk as soon as possible.

 

I don't think this is related to the USB trojan, but it could be a worm-like propagation mechanism for something else, part of some ransomware, et cetera.

 

You might want to try uploading a few of the .LNK files to VirusTotal, or any files which don't contain any of the company's data, to see if anything is detected.

 

Regards,

 

Aryeh Goretsky

  • Like 3

Thanks, Goretsky. I've deleted all of the suspicious files (I'm too fond of my computer to leave stuff like that lying around in my home folder), but if it happens again I'll give it a try and pass your suggestions on to the IT crowd (they claim to have it under control).

  • Like 2

This reminds me of a little story from the 1990s when we got our first network set up in the factory. Back then we didn't have big centralized servers, so each location had something like its own little LAN behind a firewall.

Somebody brought files home on a floppy and when they came back to work they brought the Fun Love virus on the floppy. Fun Love infected their PC then the server then everyone else's PC. This was before McAfee became standard issue at Unilever.

The IT guys brought in a hazmat team but they'd no sooner get things cleaned up and someone would come back from vacation, join the LAN and Bingo! everyone was back in Fun Love. Finally they made everyone in the building shut down and disconnect and they went around and hand cleaned every machine. Nobody got back on until Fun Love was history throughout the LAN. It was an interesting week.

  • Like 2