SoylentNews is people
SoylentNews
Stealthy Raspberry Robin Worm Is Spreading Malware Via USB Drives:
[...] Threat intelligence group Red Canary is tracking a worm that it calls Raspberry Robin, and it's definitely malware, but the question of "why" is still, in fact, a big question. [...].
In the age of the Internet, most malware spreads through the web, and Raspberry Robin does indeed make use of the internet to download critical files, however, it actually seems to spread via infected USB drives. Using Windows' autoplay functionality, it executes a .LNK file, which is a link shortcut. From there, it starts the Windows command interpreter and uses the Microsoft Installer, msiexec.exe, to download a malicious DLL that it then installs to the system. The purpose of this isn't entirely clear yet, but it seems to be for persistence.
After that, the system makes numerous attempts to connect to remote hosts, usually TOR exit nodes. The thing is, it's not actually clear what it is doing or why, and furthermore, Red Canary doesn't don't know who is infecting the systems where Raspberry Robin is found. Said systems include machines inside the networks of various manufacturing and technology companies.
As described in the related Red Canary blog post, after a USB drive is inserted the UserAssist registry entry is updated and records execution of a ROT13-ciphered value referencing a LNK file on the USB drive with malicious code. As a somewhat ignorant Windows person I have to ask: wasn't this autorun-like feature "fixed" 20 years ago?
(Score: 5, Interesting) by PinkyGigglebrain on Wednesday May 11 2022, @05:12PM (9 children)
Autoplay is STILL a vector?
and from a USB volume no less.
I don't know who to laugh derisively at, the average user who just takes what they are given, complains about getting malware, and then still whines "its too hard to learn a new OS". Or the programmers at MS who still enable autoplay by default.
You know what? I'm still caffeinating for the day up so I'll just laugh at both to be fair.
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 2) by Freeman on Wednesday May 11 2022, @05:49PM
Definitely more reasonable than Microsoft enabling autoplay by default.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 0) by Anonymous Coward on Wednesday May 11 2022, @06:12PM (1 child)
People are still catching STDs too.
(Score: 0) by Anonymous Coward on Thursday May 12 2022, @02:00AM
Fortunately plugging in USB drives isn't critical to the continuation of the human race.
(Score: 4, Interesting) by RamiK on Wednesday May 11 2022, @09:03PM (5 children)
You're thinking about "autorun.ini"'s "open" variable. That was indeed disabled from auto-starting years ago and more recently disabled from launching on clicking the drive folder.
This is about the Autoplay popup that tells you whether you'd like to play a music CD, open an image editor or maybe browse the files... That is, windows still scans drives on mounting, if only to get an early start on building thumbnails.
Here, the article sorta skimps on the details but it suggests that while scanning, the .LNKs for folder shortcuts are parsed incorrectly, failing to sanitize or bound-check which ended up with an arbitrary code execution of some sort. e.g. A native guess would be it just passed the folder path directly to explorer.exe as an argument but that actually called for some infected .exe. More likely, it was passed as a variable to some function and was overflowing to another function to reach something that calls for system() which then made it to the infected .exe.
Anyhow, there were similar bugs in linux user-land software over the years whereby vulnerabilities in jpeg and png libraries that allowed for arbitrary code execution ended up being triggered by thumbnail caching in file managers. So, my takeaway is not to use c/c++ in the user-land wherever possible.
compiling...
(Score: 1, Informative) by Anonymous Coward on Wednesday May 11 2022, @10:00PM (1 child)
https://www.cvedetails.com/vulnerability-list/vendor_id-19029/product_id-48677/Rust-lang-Rust.html [cvedetails.com]
https://vulmon.com/searchpage?q=rust-lang [vulmon.com]
https://www.developer-tech.com/news/2022/jan/24/rust-vulnerability-enables-attackers-delete-files-and-directories/ [developer-tech.com]
Welcome to the real world.
(Score: 2) by RamiK on Thursday May 12 2022, @10:13AM
There will always be some vulnerabilities when handling raw pointers from existing c/c++ code. Review wise, what matters is that potentially vulnerable code needs to stand out and draw out extra scrutiny instead of blending in. With Rust, such code is scoped with the "unsafe" keyword so when people are going through it, they know where to look.
Regardless, between using Electron to drive VSCode and Java for smartphone GUI development, it seems even Rust and Golang are too low for most developers to use for tooling and small GUI applications.
compiling...
(Score: 2) by stretch611 on Thursday May 12 2022, @02:50AM (1 child)
Yes, linux has its bugs...
However, linux bugs tend to get fixed. (Admittedly, there are exceptions, but not nearly as many as microsoft.)
Also, in a case like this, linux would prompt a user to actually enter an admin/root password before installing a dll or other library file from the internet.
While some would blindly type the password if they had the rights, many would see this as the warning that it is and not let the malware install.
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 2) by RamiK on Thursday May 12 2022, @10:21AM
I've been a linux desktop user for over 25 years so you don't have to sell me on it. I'm just saying that a certain class of fairly common bugs in user facing code can be avoided with safer languages.
compiling...
(Score: 3, Funny) by driverless on Thursday May 12 2022, @09:45AM
But that was autorun for CDs. You want autorun for DVD's fixed too? Stand by, hotfix coming out. Oh, and there are USB drives? Stand by for another hotfix. And portable hard drives? Never thought of that, another hotfix coming up. And plug-in SSD? Here's the hotfix. And phones-emulating-USB? Oh, never considered that either, here's the hotfix. And...
If there's one thing that's consistent about Microsoft it's their ability to patch the one single instance of the thing that caused the bad publicity and never think that there might be other instances that all have the same problem.