Chinese malware intended to infect USB drives accidentally infects networked storage too

Malware intended to spread on USB drives is unintentionally infecting networked storage devices, according to infosec vendor Checkpoint. The software nasty comes from a group called Camaro Dragon that Checkpoint's researchers on Thursday suggested conduct campaigns similar to those run by China's Mustang Panda and LuminousMoth …

  1. Pascal Monett Silver badge

    "a conspicuous activity that can draw additional, unfavorable attention"

    Only if the IT department is up to snuff, which doesn't happen very often where hospitals are concerned because, whatever the technical level of the people in the department, it's practically a given that they don't have the budget to do everything they need to do.

  2. alain williams Silver badge

    What operating system ?

    Please, el-reg, when reporting on malware tell us what operating systems/environments are affected. I want to know if I need to worry.

    I notice references to "DLL" and the Checkpoint article uses MS Windows path names ... so, phew, I can stop being concerned about my own machines.

    Why, after all these years, is Microsoft still so susceptible ?

    1. Elongated Muskrat Silver badge

      Re: What operating system ?

      Nobody is writing malware for your Commodore 64, because it has a very small market share.

      Meanwhile, malware writers target Windows, because it has the largest market share, especially in business*, where there is juicy data to be had.

      *By which I mean, day-to-day desktop/laptop use, not server use, because the server is where the data is held, but the user's machine is where the weak point is (the user).

      1. BOFH in Training

        Re: What operating system ?

        I guess orgs like Google who use Linux as their internal desktop OS are very safe.

        https://www.computerworld.com/article/3668548/the-story-behind-google-s-in-house-desktop-linux.html

        I have even heard of some other smaller orgs using Linux as a desktop OS as well.

        1. Elongated Muskrat Silver badge

          Re: What operating system ?

          Yeah, that's why there's no need for this Wikipedia page to exist, is there?

          As market share grows, so does the size of the target to black-hatters. Just because the Linux Kernel is designed in a different way to Windows doesn't mean vulnerabilities don't exist, and OS vulns are hardly the only target for hackers, the software running on that OS is often the target, such as a database server. Is it Microsoft's fault if someone finds an exploit in the Apache web server, or is it Linux's fault if someone finds a vuln in SQL Server, just because those pieces of software will run on their OS?

          Any OS can be used to launch an attack, if the user can be tricked into doing something to compromise their own security.

          1. Anonymous Coward

            Re: What operating system ?

            @Elongated Muskrat: “Yeah, that's why there's no need for this Wikipedia page to exist, is there?”

            Produce an example of Linux malware that can infect a computer by opening an email attachment or clicking on a URL.

            1. doublelayer Silver badge

              Re: What operating system ?

              Email attachment: simple. Attach a shell script or Perl, because most distributions have Perl installed at the start. You could also attach an ELF binary if you like the obfuscation it provides. Convince the user to run it. Basically the same as attaching any other kind of script, there's a bit of work involved in getting the user to get it executing, but it can install malware.

              Just visiting a URL is more difficult, because you would need to identify a fault in the user's browser which is much harder as they're patching things frequently. Note, however, that the flaw you need to find is in the browser. Generally, Windows can't be infected by just visiting a URL either. Malicious URLs generally just download an infectious file and rely on the user to retrieve and execute that file. Malicious pages have various intra-browser ways of messing with users, such as convincing them to enter data on a form which is not the one the user thinks it is, injecting scripts into a page they're on from an advertisement, or providing them misleading download links pointing to that malware, but those things will work on any operating system.

          2. BOFH in Training

            Re: What operating system ?

            No doubt there is some Linux malware around. Just like there is macOS malware, etc.

            I'm just responding to your previous comment where you stated that malware is created for Windows cos of its widespread use.

            And I am pointing out that unless you / your org is specifically targeted by someone with large amounts of resources, it's very unlikely that you will get infected with Linux malware, compared to a general Windows running org.

            If you are being specifically targeted by someone who has a lot of resources, I think malware will be the least of your problems.

            1. doublelayer Silver badge

              Re: What operating system ?

              "And I am pointing out that unless you / your org is specifically targeted by someone with large amounts of resources, it's very unlikely that you will get infected with linux malware, compared to a general windows running org."

              It depends what the attackers are after. For example, one common type of Linux malware is ransomware. That's for a simple reason: ransomware operators have figured out that going after businesses makes a much better pay day than targeting individuals. Businesses, especially large ones, are likely to have at least some and probably a lot of Linux servers which have access to important data. The attackers want those servers infected, which is why many Linux versions of ransomware exist. Another set where Linux is targeted are proxies or botnets, because there are many improperly-secured Linux devices, from servers to embedded devices, on the public internet. Put up a server with insecure authentication and see how quickly someone breaks into it; for that matter, if you have any Linux device with a public IP and don't know about the thousands of attacks it gets per hour, then you may want to check it already for successful attacks.

              Meanwhile, if it's targeting individuals or something that's not likely to be assisted by accessing a server, the attackers likely did not try making their software. Malware that steals passwords, for example, is unlikely to have many Linux versions because it wants to run on users' systems, and there are a lot more of those on Windows than there are on Linux. The article isn't explicit about what kind of data this malware is intending to exfiltrate, but passwords, other authentication data, and documents are likely targets. Windows is the right place to get many of those, so unless the organization switches to Linux desktops, the Windows version will probably be considered the right way to get it. A lot of malware relies on user interaction to install, so it too would target desktops first, both because a user is more likely to execute a file on the machine in front of them instead of a remote server and because the users of servers are more likely to detect that something is amiss and not execute it.

          3. Anonymous Coward

            Re: What operating system ?

            Any OS can be used to launch an attack, if the user can be tricked into doing something to compromise their own security.

            That obvious truth hides the fact that especially Microsoft appear to go out of their way to keep their products as leaky as a colander and force the users to gamble with the productivity and survival of their entire enterprise every two weeks. By walking away from products from Redmond you can significantly cut down your exposure footprint and it saves a lot of money to boot because the man-hours you save outweigh the potential extra hardware investment by quite a margin.

            The purpose of infecting nations with Microsoft seems to be more and more to continue to keep the door open for industrialised espionage, and the only reason it's not formally mandated to be ripped out yet in Europe's effort to crank up security is simply a combination of carrot (lavish amounts of lobbying) and stick (threats to be locked out of the US economy which is still a controlling factor but diminishingly so). Maybe some blackmail too, who knows.

            Most business people lack the skills to spot that they keep getting sold a lemon, but with the fines and costs for failure and breaches now on the rise there will be a point where even the most lavish dinner (and associated 'gifts') and most brutal lock-in entanglement will no longer be enough to hawk it - some countries have come up with the idea of adding executive jail time to the consequences and that appears to have woken up enough people from their boardroom stupor to at last start paying attention to consequences.

      2. Anonymous Coward

        Re: What operating system ?

        According to Wikipedia: “Windows was originally designed for ease-of-use on a single-user PC without a network connection, and did not have security features built in from the outset.”

        1. Elongated Muskrat Silver badge

          Re: What operating system ?

          Whilst this might be true, it looks like it has escaped your attention that the current generation of Windows operating systems is not based on Windows 3.1

          I'm not an advocate for any particular OS, by the way, and certainly not for Microsoft. I'm just advocating exercising caution when it comes to claiming that one's particular OS of choice is better or more secure than another, because whilst this might appear to be objectively true in some cases, all software can have flaws (buffer overflow in the Unix login command, anyone?).

          It's massively simplistic to say "if you use Linux you are safe," because malware writers can be clever folk. Think about that the next time you type sudo...

    2. doublelayer Silver badge

      Re: What operating system ?

      "Why, after all these years, is Microsoft still so susceptible ?"

      Let's go through the method of infection here. The way this malware becomes active is that somebody clicks on an executable which has been written to their drive, thus running it. Can you find me an operating system that won't run an executable when the user instructs it to? Before anyone suggests it, the executable bit on Unix filesystems will not protect anything, because the executable has been written by the malware which will set that bit. You can mark removable media as not executable, just as you can on Windows, but most systems don't bother doing it and are thus susceptible to people running programs they shouldn't.

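The post above notes that removable media can be mounted non-executable but usually is not. The following is an added example, not code from the article or any commenter: a defender-side audit that parses `/proc/mounts` and lists removable-media mounts that still permit execution. The mount-point prefixes and the sample `/proc/mounts` text are constructed assumptions.

```python
"""Audit /proc/mounts for removable media mounted without noexec."""
from dataclasses import dataclass
import pathlib

# Assumption: where this distro mounts removable media (udisks2-style paths).
REMOVABLE_PREFIXES = ("/media/", "/run/media/", "/mnt/usb")


@dataclass(frozen=True)
class Mount:
    device: str
    mountpoint: str
    fstype: str
    options: frozenset


def _unescape(field: str) -> str:
    """/proc/mounts encodes space, tab, newline and backslash as \\NNN octal."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 3 < len(field) and field[i + 1:i + 4].isdigit():
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mounts(text: str) -> list:
    """Parse the device/mountpoint/fstype/options columns of /proc/mounts."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dev, mp, fstype, opts = parts[:4]
        mounts.append(Mount(_unescape(dev), _unescape(mp), fstype,
                            frozenset(opts.split(","))))
    return mounts


def removable_without_noexec(text: str, prefixes=REMOVABLE_PREFIXES) -> list:
    """Mountpoints under the removable prefixes whose options lack noexec."""
    return [m.mountpoint for m in parse_mounts(text)
            if m.mountpoint.startswith(prefixes) and "noexec" not in m.options]


# Constructed sample: two sticks mounted exec-capable, one correctly noexec.
SAMPLE_MOUNTS = """\
/dev/nvme0n1p2 / ext4 rw,relatime 0 0
/dev/sdb1 /run/media/alice/KINGSTON vfat rw,nosuid,nodev,relatime,uid=1000 0 0
/dev/sdc1 /media/alice/Backup\\040Drive ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdd1 /media/alice/STICK exfat rw,nosuid,nodev,relatime 0 0
"""

if __name__ == "__main__":
    proc = pathlib.Path("/proc/mounts")
    text = proc.read_text() if proc.exists() else SAMPLE_MOUNTS
    for mp in removable_without_noexec(text):
        print(f"removable media mounted without noexec: {mp}")
```

Run it on a live system to see which sticks would happily execute a binary whose execute bit was set by whatever wrote it.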
      1. alisonken1

        Re: What operating system ?

        Hmmm.

        Windows. USB Drive. Autorun.inf ?

        I'm not aware of a Linux distribution that allows autorun capabilities on drives - unless it's a boot drive, and only then when restarting the O/S.

        I could be wrong since I've only really used 3 distributions (Slackware, Fedora, Raspberry Pi OS) - although I've followed multiple distros as well.

        As far as clicking on an executable - Linux doesn't use the filename extension as a reason to mark it executable either.

        1. doublelayer Silver badge

          Re: What operating system ?

          You are aware that autorun.inf was disabled by default fifteen years ago and disabled entirely about twelve years ago? Put an executable and an autorun.inf file on a drive and plug it in, and you'll see for yourself. Nothing happens anymore.

          As for executables, executables are identifiable and runnable by GUI file managers on Linux, and extensions and the #! line are used to identify executable scripts of many types which can be used either to run malware written in that scripting language or to pull a binary from somewhere and run it automatically.

          1. John Brown (no body) Silver badge

            Re: What operating system ?

            "As for executables, executables are identifiable and runnable by GUI file managers on Linux, and extensions and the #! line are used to identify executable scripts of many types which can be used either to run malware written in that scripting language or to pull a binary from somewhere and run it automatically."

            Unless, as a user, you have made some dangerous changes to the default behaviour of your OS, just downloading an executable file does make it executable on your filesystem. You need to manually set the execution bit first, e.g. chmod u+x $filename or, have a file association manually set up to associate a file type with something like perl, python, rust etc such that clicking on say Malicious.py will run "python3.0 Malicious.py". None of this is default behaviour and the file extension, if any, is rarely relevant and not required.

            Windows, on the other hand, will detect an inserted USB device, assume the device is honest when it declares what it is, and then go look for a driver for it, in some cases accepting a driver from the USB device's inbuilt firmware so, although apparently not in this case, a malicious USB device could supply and "auto run" a malicious "driver".

            1. doublelayer Silver badge

              Re: What operating system ?

              "Unless, as a user, you have made some dangerous changes to the default behaviour of your OS, just downloading an executable file does make it executable on your filesystem. You need to manually set the execution bit first"

              I already addressed this. In this case, the file has been written to a USB device by a program running on an infected host. If that program were designed to write Linux-compatible malware, it is perfectly capable of setting the execute bit after the file is written. What you say is true of downloading an executable file from a malicious server, which is not what happens in this case, but even then it's a relatively weak protection. Windows, for example, will detect that you've just downloaded a new executable file and will give you a security warning before it is executed, and if the file is unsigned that security warning hides the run button so it's confusing to many users how to run it anyway, but we don't view that as a cast iron security mechanism, do we?

              "Windows, on the other hand, will detect an inserted USB device, assume the device is honest when it declares what it is, and then go look for a driver for it, in some cases accepting a driver from the USB device's inbuilt firmware"

              I may be wrong, but I see no evidence of this workflow. See the device, yes. Assume it's telling the truth, yes (although I'm not sure what other option you think it has, because that's nearly required for an open interface like USB). Retrieve drivers from the device, no. It can retrieve drivers from Windows Update, but that's checking Microsoft's servers for drivers it already knows about. I have seen drivers carried on a device before, but in every case, that's managed by having the device present a storage mode with the files stored on it and instructing the user to install them manually, something that will require administrative credentials and multiple security warning screens.

    3. Kevin McMurtrie Silver badge

      Re: What operating system ?

      Different approaches to security.

      Linux apps rarely need to request authorization. Malware can trivially harm your account, but asking the user for authorization to harm the OS would raise suspicions.

      MacOS and Windows ask for authorization to the point of being nagging. One more request goes unnoticed - granting becomes a user reflex. The complex means of requesting, granting, and delegating temporary app permissions is a frequent source of accidental vulnerabilities.

  3. Anonymous Coward

    Malicious Delphi launcher on the infected USB flash drive

    We should ban this ‘Delphi’ from computers /s

  4. Grunchy Silver badge

    Is the vulnerability “AutoPlay”?

    Windows has this “AutoPlay” setting by which it performs a pre-determined behaviour upon the “event” of a particular media type becoming loaded into the PC.

    “Under Choose AutoPlay Defaults, set the default action for AutoPlay when connecting each type of media or device.”

    (Because it is bothersome to command Windows to run the installation software, and since the OS detects when the media is loaded and “mounts” the directory structure, why can’t it go a step further and run the installer too?)

    OR: I think sometimes a USB device will present a system-specific driver to be installed that facilitates access to the USB device. Which the OS might do automatically.

    Another possibility, an executable is provided an icon that looks like a folder, so the user double-clicks it to explore the folder, but instead they unintentionally activate the payload.

    Which vulnerability was exploited? We’re curious!

    1. doublelayer Silver badge

      Re: Is the vulnerability “AutoPlay”?

      No, this vulnerability is putting an executable file on a disk and seeing if they can get a user to click on it. They might use the icon trick to help with that. Autoplay isn't allowed to run executables anymore because of exactly the risk you're talking about, and that was many years ago.

      1. Elongated Muskrat Silver badge

        Re: Is the vulnerability “AutoPlay”?

        This might be true. However, Windows still does do something very stupid by default, which is hiding file extensions. That makes it trivially easy to disguise an executable file as pretty much anything else (readme.exe?) to the naïve user.
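The hidden-extensions point above is easy to make concrete. This is an added example, not code from the thread: it computes what a file name looks like with "hide extensions for known file types" on, and flags executables on a drive listing that display as a document (`invoice.pdf.exe`) or as a bare name (`readme.exe`). The extension sets and the sample listing are constructed assumptions.

```python
"""Flag executables whose displayed name (extension hidden) looks harmless."""
import os
from typing import Iterable, Optional, Tuple

# Assumption: executable types worth reviewing on removable media.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Assumption: document/image types an attacker would pick as a decoy inner extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".zip"}


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it when known extensions are hidden (assumed rule:
    every extension in the two sets above counts as 'known')."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS else filename


def classify(filename: str) -> Optional[Tuple[str, str]]:
    """Return (finding, displayed_name) for an executable, else None.

    double-extension: the visible name still ends in a decoy extension.
    hidden-extension: the visible name has no extension at all, so the file
    passes for a plain readme or a folder-like entry.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXECUTABLE_EXTS:
        return None
    shown = displayed_name(filename)
    inner = os.path.splitext(shown)[1].lower()
    if inner in DECOY_EXTS:
        return ("double-extension", shown)
    return ("hidden-extension", shown)


def audit_listing(names: Iterable[str]) -> list:
    """Apply classify() to a directory listing; returns sorted findings."""
    findings = []
    for name in sorted(names):
        verdict = classify(name)
        if verdict:
            findings.append((name, verdict[0], verdict[1]))
    return findings


# Constructed sample listing of a USB stick's root directory.
SAMPLE_LISTING = ["readme.exe", "invoice.pdf.exe", "photos.jpg",
                  "notes.txt", "Documents.lnk", "report.docx"]

if __name__ == "__main__":
    root = os.environ.get("USB_ROOT")  # assumed env var naming a mounted drive
    names = [f for _, _, fs in os.walk(root) for f in fs] if root else SAMPLE_LISTING
    for name, finding, shown in audit_listing(names):
        print(f"{finding:17} {name!r} is displayed as {shown!r}")
```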

  5. Missing Semicolon Silver badge

    anti-cheat

    It sounds like it drops malware that looks like the anti-cheat drivers some gaming companies install. Which hide themselves from the user.
