Millions of IPs Remain Infected By USB Worm Years After Its Creators Left It For Dead

A now-abandoned USB worm that backdoors connected devices has continued to self-replicate for years since its creators lost control of it and remains active on thousands, possibly millions, of machines, researchers said Thursday. ArsTechnica: The worm -- which first came to light in a 2023 post published by security firm Sophos -- became active in 2019 when a variant of malware known as PlugX added functionality that allowed it to infect USB drives automatically. In turn, those drives would infect any new machine they connected to, a capability that allowed the malware to spread without requiring any end-user interaction. Researchers who have tracked PlugX since at least 2008 have said that the malware has origins in China and has been used by various groups tied to the country's Ministry of State Security.

For reasons that aren't clear, the worm creator abandoned the one and only IP address that was designated as its command-and-control channel. With no one controlling the infected machines anymore, the PlugX worm was effectively dead, or at least one might have presumed so. The worm, it turns out, has continued to live on in an undetermined number of machines that possibly reaches into the millions, researchers from security firm Sekoia reported. The researchers purchased the IP address and connected their own server infrastructure to "sinkhole" traffic connecting to it, meaning intercepting the traffic to prevent it from being used maliciously. Since then, their server continues to receive PlugX traffic from 90,000 to 100,000 unique IP addresses every day.
  • Reminds me of the viruses I'd get through pirated software on my Amiga that spread through floppy disks. Each time you inserted another disk that was writable, it'd copy itself into the boot sector of the disk.

    • by antdude ( 79039 )

      Same with DOS. That spread during my college days and had to be cleaned with McAfee VirusScan (before it turned crappy).

  • My thumb-drive is a web server, that's pretty cool! To commemorate the feat, I shall set up my new website: WinnieThePooh.cn

  • Why not make a patch that deletes the worm every time it calls home?
    • That would require people to actually update their software.

    • by Firethorn ( 177587 ) on Friday April 26, 2024 @04:16PM (#64428500) Homepage Journal

      Oops, you probably meant having the researchers create a program that every time the worm calls in it sends back instructions to delete itself.

      The answer to that is probably "liability": There are legal questions to be asked if they actually write anything to alter the computers that connect to that IP address in the worm's way, even if it would be purely beneficial. It could be considered illegal hacking, for example.
      The next question is: they'd be doing this for free, but if they managed to screw up the delete program and it damaged computers at all, they may be sued or even arrested.

      So while setting up the server prevents anybody else from screwing with the worm in its original form and provides them their research data, actually clearing the infections is a case of "high risk for no gain".

    • by gweihir ( 88907 )

      That would be a criminal act.

  • by Indy1 ( 99447 ) on Friday April 26, 2024 @04:15PM (#64428498)

    Goddamn Autoplay/autorun.inf, a script kiddie's wet dream for spreading crapware.

    The day M$ enabled flash drives to run a program as soon as a flash drive is plugged in, with zero user intervention, was just BEGGING to be abused. And it has been for decades now.

    Idiots. I've been disabling it from day one on my builds and it's saved me (and my clients) a LOT of headaches.

    • According to TFA, it's a shortcut that uses the same icon (and name) as a removable disk to launch a payload stored in a RECYCLER.BIN directory that has the hidden and system attributes set on it. To the user, the drive appears to be empty save for the "Removable Disk" icon. So the idea is social engineering: trick the user into thinking Windows didn't open the drive, so they run the shortcut.

      The attack has nothing to do with autorun, just auto-PEBKAC.
      • Hit the submit button before I was ready....

        The real issue isn't that Windows auto-executes things, it's that the default security policy allows executing random binaries from user-writable locations, i.e. the same crap that allows a user to "install" programs into %APPDATA% (that's effectively $HOME/.local or $HOME/.config for Linux users) and run them.

        Sure, a "proper" policy won't prevent a user with admin rights from doing so, but blocking execution from user-writable locations should be the default.
        • by Kaenneth ( 82978 )

          Pretty much impossible. A Word document or saved webpage can have scripts.

        • It's interesting how easily USB malware can be transmitted, especially in areas with slow or spotty internet access. A study found that 60% of people who found unattended USB drives would plug them in to see what was on them. That number went up to 90% if an employer's company logo was on the USB drive. https://xsolutions.com/leave-t... [xsolutions.com]

          USB cables can also carry malware. Just this week I saw a lost USB C cable on the sidewalk that looked brand new. I walked right past it. It's not worth infecting my P

  • The researchers purchased the IP address

    How do you do that? If an ISP has the target IP in its own IP blocks, you could purchase connectivity or hosting there and perhaps get the address allocated to you, but otherwise?

  • by markdavis ( 642305 ) on Friday April 26, 2024 @04:56PM (#64428596)

    >"In turn, those drives would infect any new machine they connected to"

    Really? I doubt it would on Linux machines. I think what was meant was "any new MS-Windows machine", perhaps.

    https://www.securityweek.com/s... [securityweek.com]

    "The worm adds to the connected flash drive a Windows shortcut file with the drive's name, and three files for DLL sideloading, namely a legitimate executable, a malicious library, and a binary blob within the drive's RECYCLER.BIN hidden folder. It also moves the drive's contents to a new directory."

    Yep.
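Putting the two descriptions together (the drive-named shortcut and "empty-looking" drive from the comment above, and the RECYCLER.BIN sideloading files quoted from SecurityWeek), here is an added detection helper, not code from the article or from the researchers, that flags that layout on a constructed drive listing. The Entry type, the attribute-bit handling, the file names and the "data" folder name are all assumptions made for the example.

```python
"""Flags the USB layout described in the thread: a drive-named .lnk at the root,
a hidden+system RECYCLER.BIN holding an exe/dll/blob sideloading triad, and user
files moved into a folder. Added example, not code from the article or researchers."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

HIDDEN, SYSTEM = 0x2, 0x4  # FILE_ATTRIBUTE_HIDDEN / FILE_ATTRIBUTE_SYSTEM

@dataclass
class Entry:
    path: str             # Windows-style path relative to the drive root
    is_dir: bool = False
    attrs: int = 0        # bitmask of the attribute constants above

def scan_drive(volume_label: str, entries: list[Entry]) -> list[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings, shortcut = [], None
    root = [e for e in entries if "\\" not in e.path]
    # 1. A shortcut at the root whose name equals the drive's own label.
    for e in root:
        p = PureWindowsPath(e.path)
        if not e.is_dir and p.suffix.lower() == ".lnk" and p.stem.lower() == volume_label.lower():
            shortcut = e
            findings.append(f"root shortcut named after the drive: {e.path}")
    # 2. Hidden+system RECYCLER.BIN, and the exe + dll + blob triad inside it.
    for d in root:
        if d.is_dir and d.path.lower() == "recycler.bin" and (d.attrs & (HIDDEN | SYSTEM)) == (HIDDEN | SYSTEM):
            findings.append("hidden+system RECYCLER.BIN directory at root")
            ext = {PureWindowsPath(e.path).suffix.lower() for e in entries
                   if not e.is_dir and e.path.lower().startswith("recycler.bin\\")}
            if {".exe", ".dll"} <= ext and ext - {".exe", ".dll"}:
                findings.append("exe + dll + extra blob inside RECYCLER.BIN (sideloading triad)")
    # 3. Drive "looks empty": nothing visible at the root besides the shortcut and at most one folder.
    others = [e for e in root if not (e.attrs & HIDDEN) and e is not shortcut]
    if shortcut and len(others) <= 1 and all(e.is_dir for e in others):
        findings.append("root shows only the shortcut (user files moved into a folder?)")
    return findings

def looks_infected(volume_label: str, entries: list[Entry]) -> bool:
    # Positive match = drive-named shortcut plus the RECYCLER.BIN indicator together.
    f = scan_drive(volume_label, entries)
    return any("shortcut" in x for x in f) and any("RECYCLER.BIN" in x for x in f)

# Constructed listing mirroring the described layout; file and folder names are made up.
INFECTED = [Entry("USB DISK.lnk"), Entry("data", is_dir=True), Entry("data\\report.docx"),
            Entry("RECYCLER.BIN", is_dir=True, attrs=HIDDEN | SYSTEM)] + [
    Entry(f"RECYCLER.BIN\\viewer.{x}", attrs=HIDDEN | SYSTEM) for x in ("exe", "dll", "dat")]
CLEAN = [Entry("report.docx"), Entry("photos", is_dir=True), Entry("photos\\a.jpg")]
```

On a real drive the same entries would be built from os.scandir() plus each file's attribute bits; the listing above stands in for that so the check runs offline.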
