Anti-virus vendors warn users to beware of the ChangeUp worm

“In the last week there has been an increase in the number of W32.Changeup detections. The increase in detections is a result of an updated version of W32.Changeup now circulating in the wild,” warns Symantec.

“It spreads,” warns McAfee, “by creating copies of itself in removable storage devices and mounted network shares. It will also create an ‘autorun.inf’ to allow it to automatically execute itself when attached to another system with autorun enabled.”

It is not new malware, notes Sophos in a NakedSecurity blog posting, but “it has become considerably more aggressive in its latest iteration.” All three companies class it as a worm but point out that it also has the characteristics of a trojan. “Its most obvious method of spreading appears to be through the use of autorun.inf files dropped on removable media and writable network shares,” says Sophos’ Chester Wisniewski.

This is not a new infection vector, and has been used by malware such as Conficker in the past. Microsoft attempted to close the door by changing the way Autorun operates from Vista onwards, and releasing a patch for XP last year. Autorun no longer auto runs for anything other than CDs and DVDs. “You would hope this technique wouldn't be too effective on today's PCs,” says Wisniewski. 

These new detections suggest otherwise, “so people must be clicking on the malware itself, but why?” The answer would appear to be a mix of social engineering, poor default settings and user carelessness.

Once installed, the malware behaves in the standard manner: it tries to disguise itself and to maintain its presence – and contacts remote C&C servers to download more malware. “The instances we investigated,” warned Wisniewski, “downloaded banking Trojans belonging to the Zeus/Zbot family, but can frequently change based on time of day or geographic location.”

His advice to Windows users is to completely disable Autorun (to stop automatic infection), to configure the operating system to show file extensions and hidden files (to make it harder for the malware to hide), to restrict write permissions to file shares (to stop it spreading), and to use a firewall to block all outbound connections to unknown ports and services (to stop it from calling home). Finally, he adds, “Ensure behavioral detection technologies are enabled in your anti-virus product to detect addition of malware persistence schemes and tampering with updating and anti-virus settings.”
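As an added example (not from the article or any of the vendors quoted), the following Python code audits the root of a removable drive or network share for an autorun.inf that would launch a program, the spreading mechanism McAfee and Sophos describe above. The directive names it checks (open, shellexecute, shell\<verb>\command) are standard autorun.inf keys; the sample file content and the name placeholder.exe are constructed for illustration.

```python
import os
import re

# [autorun] keys that cause a program to be started.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)

# Constructed sample, not taken from a real infection.
SAMPLE = r"""; constructed comment line
[AutoRun]
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
open=placeholder.exe
shell\open\command=placeholder.exe
[Content]
MusicFiles=false
"""

def launch_directives(inf_text):
    """Return (key, command) pairs in [autorun] that would start a program."""
    found, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # other section, or a junk line
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_CMD.match(key):
            found.append((key.lower(), value))
    return found

def audit_root(root):
    """Audit one drive or share root; returns [] when nothing would launch."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            # latin-1 decodes any byte sequence, so odd files still parse.
            with open(path, encoding="latin-1") as fh:
                return launch_directives(fh.read())
    return []

if __name__ == "__main__":
    for key, command in launch_directives(SAMPLE):
        print(f"launch directive: {key} -> {command}")
```

A non-empty result on a USB stick or writable share is worth investigating, since legitimate data volumes rarely need to launch anything.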
