Stories
Slash Boxes
Comments

SoylentNews is people

posted by hubie on Wednesday May 11, @03:49PM   Printer-friendly [Skip to comment(s)]
from the how-is-this-still-a-thing? dept.

Stealthy Raspberry Robin Worm Is Spreading Malware Via USB Drives:

[...] Threat intelligence group Red Canary is tracking a worm that it calls Raspberry Robin, and it's definitely malware, but the question of "why" is still, in fact, a big question. [...].

In the age of the Internet, most malware spreads through the web, and Raspberry Robin does indeed make use of the internet to download critical files, however, it actually seems to spread via infected USB drives. Using Windows' autoplay functionality, it executes a .LNK file, which is a link shortcut. From there, it starts the Windows command interpreter and uses the Microsoft Installer, msiexec.exe, to download a malicious DLL that it then installs to the system. The purpose of this isn't entirely clear yet, but it seems to be for persistence.

After that, the system makes numerous attempts to connect to remote hosts, usually TOR exit nodes. The thing is, it's not actually clear what it is doing or why, and furthermore, Red Canary doesn't don't know who is infecting the systems where Raspberry Robin is found. Said systems include machines inside the networks of various manufacturing and technology companies.

As described in the related Red Canary blog post, after a USB drive is inserted the UserAssist registry entry is updated and records execution of a ROT13-ciphered value referencing a LNK file on the USB drive with malicious code. As a somewhat ignorant Windows person I have to ask: wasn't this autorun-like feature "fixed" 20 years ago?


Original Submission

Display Options Threshold/Breakthrough Reply to Article Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 2, Interesting) by Anonymous Coward on Wednesday May 11, @04:27PM (8 children)

    by Anonymous Coward on Wednesday May 11, @04:27PM (#1244085)

    Bill Gates created an OS monoculture thats since been overrun by viruses, worms, bugs, and every other type of silicon based illness.

    Diversity is key to the health of a population.

    https://evolution.berkeley.edu/the-relevance-of-evolution/agriculture/monoculture-and-the-irish-potato-famine-cases-of-missing-genetic-variation/ [berkeley.edu]

    • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 11, @05:19PM (7 children)

      by Anonymous Coward on Wednesday May 11, @05:19PM (#1244106)

      Disagree.

      Secure by design software is the key.

      Otherwise, why do people here laugh and say everyone should use Linux so this security exploit wouldn't happen? Using your logic, we would be encouraging Windows AND Linux adoption, not a mass switch to Linux. That's not what I see around here.

      • (Score: 0) by Anonymous Coward on Wednesday May 11, @05:22PM

        by Anonymous Coward on Wednesday May 11, @05:22PM (#1244109)

        There are many linux distros, it is diverse by default. If windows didn't exist someone would make a distro to fill that same niche.

      • (Score: 0, Interesting) by Anonymous Coward on Wednesday May 11, @05:51PM (5 children)

        by Anonymous Coward on Wednesday May 11, @05:51PM (#1244119)

        Secure by design software is the key.

        Cannot happen.
        You do not have bug-less libraries, nor compilers, nor interpreters, nor hardware itself.
        The trend to overcomplexify anything and everything has run its course, and is *still* running for a victory lap or ten.

        The only key is, and always has been, user awareness, but the same trend destroyed the foundation of it. How can one attribute one's device acting strangely to a malware action, when most of "legitimate" software installed on it, is itself with a side of malware, and only escapes being labeled as such because its makers are too big to fail, and/or chummy with the government?

        No, Pollyanna, this security ship has well and truly sailed.

        • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 11, @07:07PM (2 children)

          by Anonymous Coward on Wednesday May 11, @07:07PM (#1244139)

          Isn't that SELinux? I had problems on the few systems where I turned it on, with security message spam and not being able to do things I wanted to do. I'll admit that I never gave it a serious effort to figure out how to configure things so that I was happy with it, but that at least was an attempt at secure by design. Well, maybe not I suppose, in that the software you wanted to run was assumed to NOT be secure by design and it was trying to protect you from yourself, so maybe this point is moot (but I won't delete it because I'm this far in with the typing!).

          • (Score: 1, Insightful) by Anonymous Coward on Wednesday May 11, @07:14PM (1 child)

            by Anonymous Coward on Wednesday May 11, @07:14PM (#1244142)

            Most software is not designed to run in SELinux. As long as SELinux is an *option* and not *the universal standard*, running software under it will always be painful, and therefore almost nobody will use SELinux.

            • (Score: 2) by janrinok on Thursday May 12, @07:34AM

              by janrinok (52) Subscriber Badge on Thursday May 12, @07:34AM (#1244324) Journal

              I have to agree. But having used government systems which were protected with a correctly configured SELinux, it worked exactly as advertised.

              --
              We are always looking for new staff in different areas - please volunteer if you have some spare time and wish to help
        • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 11, @07:11PM (1 child)

          by Anonymous Coward on Wednesday May 11, @07:11PM (#1244140)

          I agree with a lot of what you say, but you are arguing in absolutes.

          My point is that software that was designed with security in mind will do more to improve overall security than just saying there ought to be multiple operating systems in use. If security is not a design consideration in those multiple operating systems, you have not done anything to increase overall security; all you have done is increase the diversity of security exploits.

          And to answer another commenter, different Linux distros do not represent diversity to any real extent. That's like saying you a diversified diet if you eat Original Cheetos -AND- Flamin' Hot Cheetos.

          • (Score: 0) by Anonymous Coward on Wednesday May 11, @07:51PM

            by Anonymous Coward on Wednesday May 11, @07:51PM (#1244154)

            In the real world, software is designed with INsecurity in mind, for its user must be controlled, herded, datamined, spied on, etc etc etc. And all the backdoors left in there for "authorized" parties, inevitably go on the black market, sooner rather than later.

            Unless that genie is stuffed back into its bottle, and the bottle back into the arsehole that shat it out, any "security" song and dance is but a stupid skit in the security theater, and the only thing it really does, is frustrating and hindering the user.
            You cannot fix the problem without fixing the corruption at its root. And good luck to you with fixing that corruption.

  • (Score: 5, Insightful) by Anonymous Coward on Wednesday May 11, @04:28PM (5 children)

    by Anonymous Coward on Wednesday May 11, @04:28PM (#1244086)

    hmm... Let's associate the name of the most popular Linux single-board computer with Microsoft Malware. I can hear the boss now "What?? You've got a Raspberry plugged into your computer? Why are you trying to infect the company with Malware? Burn it and by the way, you're terminated!" They could have called it "Red Robin Worm" which actually would have been more catchy. This seems a little too coincidental to be chance.

    • (Score: 0) by Anonymous Coward on Wednesday May 11, @05:22PM (4 children)

      by Anonymous Coward on Wednesday May 11, @05:22PM (#1244110)

      Notice how Raspberry Pi doesn't have a TPM module... coincidence?

      • (Score: 1, Touché) by Anonymous Coward on Wednesday May 11, @09:56PM (2 children)

        by Anonymous Coward on Wednesday May 11, @09:56PM (#1244181)

        Notice how Raspberry Pi doesn't have need a TPM module... coincidence?

        ftfy

        • (Score: 2, Funny) by Anonymous Coward on Wednesday May 11, @10:26PM (1 child)

          by Anonymous Coward on Wednesday May 11, @10:26PM (#1244190)

          Plugged a known infected USB drive into my Raspberry Pi. It did not do anything. Did not autoplay. It found no Windows installers. Total malware failure!

          • (Score: 1, Funny) by Anonymous Coward on Thursday May 12, @06:02AM

            by Anonymous Coward on Thursday May 12, @06:02AM (#1244302)

            systemd failure!

      • (Score: 1) by pTamok on Thursday May 12, @08:52AM

        by pTamok (3042) on Thursday May 12, @08:52AM (#1244338)

        Notice how Raspberry Pi doesn't have a TPM module

        1) It might be able to run ARM Trustzone.
        2) In any case, in a Raspberry Pi, the boot process is handled by the GPU, which loads a binary blob.

        Beyond Logic: Understanding the Raspberry Pi Boot Process [beyondlogic.org]

        The GPU runs a ThreadX-based RTOS - https://en.wikipedia.org/wiki/VideoCore#Linux_support [wikipedia.org]

  • (Score: 5, Interesting) by PinkyGigglebrain on Wednesday May 11, @05:12PM (9 children)

    by PinkyGigglebrain (4458) on Wednesday May 11, @05:12PM (#1244104)

    Autoplay is STILL a vector?

    and from a USB volume no less.

    I don't know who to laugh derisively at, the average user who just takes what they are given, complains about getting malware, and then still whines "its too hard to learn a new OS". Or the programmers at MS who still enable autoplay by default.

    You know what? I'm still caffeinating for the day up so I'll just laugh at both to be fair.

    --
    "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
    • (Score: 2) by Freeman on Wednesday May 11, @05:49PM

      by Freeman (732) on Wednesday May 11, @05:49PM (#1244117) Journal

      Definitely more reasonable than Microsoft enabling autoplay by default.

      --
      Forced Microsoft Account for Windows Login → Switch to Linux.
    • (Score: 0) by Anonymous Coward on Wednesday May 11, @06:12PM (1 child)

      by Anonymous Coward on Wednesday May 11, @06:12PM (#1244126)

      People are still catching STDs too.

      • (Score: 0) by Anonymous Coward on Thursday May 12, @02:00AM

        by Anonymous Coward on Thursday May 12, @02:00AM (#1244250)

        People are still catching STDs too.

        Fortunately plugging in USB drives isn't critical to the continuation of the human race.

    • (Score: 4, Interesting) by RamiK on Wednesday May 11, @09:03PM (5 children)

      by RamiK (1813) on Wednesday May 11, @09:03PM (#1244166)

      You're thinking about "autorun.ini"'s "open" variable. That was indeed disabled from auto-starting years ago and more recently disabled from launching on clicking the drive folder.

      This is about the Autoplay popup that tells you whether you'd like to play a music CD, open an image editor or maybe browse the files... That is, windows still scans drives on mounting, if only to get an early start on building thumbnails.

      Here, the article sorta skimps on the details but it suggests that while scanning, the .LNKs for folder shortcuts are parsed incorrectly, failing to sanitize or bound-check which ended up with an arbitrary code execution of some sort. e.g. A native guess would be it just passed the folder path directly to explorer.exe as an argument but that actually called for some infected .exe. More likely, it was passed as a variable to some function and was overflowing to another function to reach something that calls for system() which then made it to the infected .exe.

      Anyhow, there were similar bugs in linux user-land software over the years whereby vulnerabilities in jpeg and png libraries that allowed for arbitrary code execution ended up being triggered by thumbnail caching in file managers. So, my takeaway is not to use c/c++ in the user-land wherever possible.

      --
      compiling...
      • (Score: 1, Informative) by Anonymous Coward on Wednesday May 11, @10:00PM (1 child)

        by Anonymous Coward on Wednesday May 11, @10:00PM (#1244183)
        • (Score: 2) by RamiK on Thursday May 12, @10:13AM

          by RamiK (1813) on Thursday May 12, @10:13AM (#1244347)

          There will always be some vulnerabilities when handling raw pointers from existing c/c++ code. Review wise, what matters is that potentially vulnerable code needs to stand out and draw out extra scrutiny instead of blending in. With Rust, such code is scoped with the "unsafe" keyword so when people are going through it, they know where to look.

          Regardless, between using Electron to drive VSCode and Java for smartphone GUI development, it seems even Rust and Golang are too low for most developers to use for tooling and small GUI applications.

          --
          compiling...
      • (Score: 2) by stretch611 on Thursday May 12, @02:50AM (1 child)

        by stretch611 (6199) Subscriber Badge on Thursday May 12, @02:50AM (#1244278)

        Yes, linux has its bugs...

        However, linux bugs tend to get fixed. (Admittedly, there are exceptions, but not nearly as many as microsoft.)

        Also, in a case like this, linux would prompt a user to actually enter an admin/root password before installing a dll or other library file from the internet.
        While some would blindly type the password if they had the rights, many would see this as the warning that it is and not let the malware install.

        --
        Vaccinated, boosted (twice), and still expecting to be asked to roll up my sleeve again in the fall
        • (Score: 2) by RamiK on Thursday May 12, @10:21AM

          by RamiK (1813) on Thursday May 12, @10:21AM (#1244348)

          I've been a linux desktop user for over 25 years so you don't have to sell me on it. I'm just saying that a certain class of fairly common bugs in user facing code can be avoided with safer languages.

          --
          compiling...
      • (Score: 3, Funny) by driverless on Thursday May 12, @09:45AM

        by driverless (4770) on Thursday May 12, @09:45AM (#1244346)

        wasn't this autorun-like feature "fixed" 20 years ago?

        But that was autorun for CDs. You want autorun for DVD's fixed too? Stand by, hotfix coming out. Oh, and there are USB drives? Stand by for another hotfix. And portable hard drives? Never thought of that, another hotfix coming up. And plug-in SSD? Here's the hotfix. And phones-emulating-USB? Oh, never considered that either, here's the hotfix. And...

        If there's one thing that's consistent about Microsoft it's their ability to patch the one single instance of the thing that caused the bad publicity and never think that there might be other instances that all have the same problem.

  • (Score: 1, Funny) by Anonymous Coward on Wednesday May 11, @06:16PM

    by Anonymous Coward on Wednesday May 11, @06:16PM (#1244129)

    > "why"

    I'm going to suggest someone over the age of 50 wanted to prove their old virus-writing skills had value.

(1)