Stories
Slash Boxes
Comments

SoylentNews is people

posted by hubie on Wednesday May 11 2022, @03:49PM   Printer-friendly
from the how-is-this-still-a-thing? dept.

Stealthy Raspberry Robin Worm Is Spreading Malware Via USB Drives:

[...] Threat intelligence group Red Canary is tracking a worm that it calls Raspberry Robin, and it's definitely malware, but the question of "why" is still, in fact, a big question. [...].

In the age of the Internet, most malware spreads through the web, and Raspberry Robin does indeed make use of the internet to download critical files, however, it actually seems to spread via infected USB drives. Using Windows' autoplay functionality, it executes a .LNK file, which is a link shortcut. From there, it starts the Windows command interpreter and uses the Microsoft Installer, msiexec.exe, to download a malicious DLL that it then installs to the system. The purpose of this isn't entirely clear yet, but it seems to be for persistence.

After that, the system makes numerous attempts to connect to remote hosts, usually TOR exit nodes. The thing is, it's not actually clear what it is doing or why, and furthermore, Red Canary doesn't don't know who is infecting the systems where Raspberry Robin is found. Said systems include machines inside the networks of various manufacturing and technology companies.

As described in the related Red Canary blog post, after a USB drive is inserted the UserAssist registry entry is updated and records execution of a ROT13-ciphered value referencing a LNK file on the USB drive with malicious code. As a somewhat ignorant Windows person I have to ask: wasn't this autorun-like feature "fixed" 20 years ago?


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by RamiK on Thursday May 12 2022, @10:13AM

    by RamiK (1813) on Thursday May 12 2022, @10:13AM (#1244347)

    There will always be some vulnerabilities when handling raw pointers from existing c/c++ code. Review wise, what matters is that potentially vulnerable code needs to stand out and draw out extra scrutiny instead of blending in. With Rust, such code is scoped with the "unsafe" keyword so when people are going through it, they know where to look.

    Regardless, between using Electron to drive VSCode and Java for smartphone GUI development, it seems even Rust and Golang are too low for most developers to use for tooling and small GUI applications.

    --
    compiling...
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2