Millions of IPs Remain Infected By USB Worm Years After Its Creators Left It For Dead
A now-abandoned USB worm that backdoors connected devices has continued to self-replicate for years since its creators lost control of it and remains active on thousands, possibly millions, of machines, researchers said Thursday. ArsTechnica: The worm -- which first came to light in a 2023 post published by security firm Sophos -- became active in 2019 when a variant of malware known as PlugX added functionality that allowed it to infect USB drives automatically. In turn, those drives would infect any new machine they connected to, a capability that allowed the malware to spread without requiring any end-user interaction. Researchers who have tracked PlugX since at least 2008 have said that the malware has origins in China and has been used by various groups tied to the country's Ministry of State Security.
For reasons that aren't clear, the worm creator abandoned the one and only IP address that was designated as its command-and-control channel. With no one controlling the infected machines anymore, the PlugX worm was effectively dead, or at least one might have presumed so. The worm, it turns out, has continued to live on in an undetermined number of machines that possibly reaches into the millions, researchers from security firm Sekoia reported. The researchers purchased the IP address and connected their own server infrastructure to "sinkhole" traffic connecting to it, meaning intercepting the traffic to prevent it from being used maliciously. Since then, their server continues to receive PlugX traffic from 90,000 to 100,000 unique IP addresses every day.
Floppy disk (Score:2)
Reminds me of the viruses I'd get through pirated software on my Amiga that spread through floppy disks. Each time you inserted another disk that was writeable it'd copy itself into the boot sector of the disk.
Re: (Score:2)
Same with DOS. That spread during my college days and had to be cleaned with McAfee VirusScan (before it turned crappy).
Slick work, Xi! (Score:2)
My thumb-drive is a web server, that's pretty cool! To commemorate the feat, I shall set up my new website: WinnieThePooh.cn
Re: Slick work, Xi! (Score:2)
Re: (Score:2)
Not sure if that would last long. I'd suggest WinnieThePooh.wang
On a side note, did you know that .homedepot is a valid TLD?
Since researchers got the IP for it (Score:2)
Re: (Score:2)
but sometimes it happens - if anyone remembers the ISS Code Red / Code Green fiasco
Re: (Score:2)
*IIS
Re: (Score:2)
That would require people to actually update their software.
Re:Since researchers got the IP for it (Score:4, Insightful)
Oops, you probably meant having the researchers create a program that every time the worm calls in it sends back instructions to delete itself.
The answer to that is probably "liability": There are legal questions to be asked if they actually write anything to alter the computers that connect to that IP address in the worm's way, even if it would be purely beneficial. It could be considered illegal hacking, for example.
The next question is: They'd be doing this for free, but if they managed to screw up the delete program and it damages computers at all - they may be sued or even arrested.
So while setting up the server prevents anybody else from screwing with the worm in its original form and provides them their research data, actually clearing the infections is a case of "high risk for no gain".
Re: (Score:2)
That would be a criminal act.
Windows Autoplay - the gift that keeps on giving (Score:5, Insightful)
Goddamn Autoplay/autorun.inf, a script kiddie's wet dream for spreading crapware.
The day M$ enabled flash drives to run a program as soon as a flash drive is plugged in, with zero user intervention, was just BEGGING to be abused. And it has been for decades now.
Idiots. I've been disabling it from day one on my builds and it's saved me (and my clients) a LOT of headaches.
Re: (Score:2)
The attack has nothing to do with autorun, just auto-PEBKAC.
Re: (Score:2)
The real issue isn't that Windows auto executes things, it's that the default security policy allows executing random binaries from user writable locations. I.e. The same crap that allows a user to "install" programs into %APPDATA% (that's effectively $HOME/.local or $HOME/.config for Linux users) and run them.
Sure, a "proper" policy won't prevent a user with admin rights from doing so, but blocking execution from user writable locations should be the default.
Re: (Score:2)
Pretty much impossible. A Word document or saved webpage can have scripts.
Re: (Score:3)
It's interesting how easily USB malware can be transmitted, especially in areas with slow or spotty internet access. A study found that 60% of people that found unattended USB drives would plug them in to see what was on them. That number went up to 90% if an employer's company logo was on the USB drive. https://xsolutions.com/leave-t... [xsolutions.com]
USB cables can also carry malware. Just this week I saw a lost USB C cable on the sidewalk that looked brand new. I walked right past it. It's not worth infecting my P
They purchased the IP address (Score:2)
The researchers purchased the IP address
How do you do that? If an ISP has the target IP in its own IP blocks, you could purchase connectivity or hosting there and perhaps get the address allocated to you, but otherwise?
Re:They purchased the IP address (Score:4, Informative)
The researchers purchased the IP address
How do you do that? If an ISP has the target IP in its own IP blocks, you could purchase connectivity or hosting there and perhaps get the address allocated to you, but otherwise?
Replying to myself: the original paper [sekoia.io] has the answer: the IP was indeed within a hosting provider's IP block.
Any? (Score:3)
>"In turn, those drives would infect any new machine they connected to"
Really? I doubt it would on Linux machines. I think what was meant was "any new MS-Windows machine", perhaps.
https://www.securityweek.com/s... [securityweek.com]
"The worm adds to the connected flash drive a Windows shortcut file with the drive's name, and three files for DLL sideloading, namely a legitimate executable, a malicious library, and a binary blob within the drive's RECYCLER.BIN hidden folder. It also moves the drive's contents to a new directory."
Yep.
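The quoted description gives a defender three observable traits of an infected drive: a shortcut at the root named after the drive, a RECYCLER.BIN folder holding an executable, a DLL and a blob, and the user's own files moved into a subfolder. The following is an added example, not code from the thread, Sekoia or SecurityWeek: a heuristic scanner that checks a drive root for those traits. It builds two constructed drive layouts in a temporary directory (placeholder files only, nothing executable) and scores each; the file names `legit.exe`, `side.dll` and `payload.dat` are invented for the demo and are not the worm's real names. Checking a drive's volume label and the hidden attribute is platform-specific, so the label is passed in and the hidden flag is only noted in a comment.

```python
"""
Heuristic scan for the USB-worm drive layout quoted above.
Added example; placeholder names and layouts are constructed for the demo.
"""
import tempfile
from pathlib import Path


def inspect_drive(root, volume_label):
    """Return a list of indicator strings found at a removable drive's root."""
    indicators = []
    entries = list(Path(root).iterdir())
    files = [e for e in entries if e.is_file()]
    dirs = [e for e in entries if e.is_dir()]

    # Indicator 1: a .lnk at the root carrying the drive's own name, planted
    # so the user double-clicks it instead of the folder holding their files.
    if any(f.suffix.lower() == ".lnk" and f.stem.lower() == volume_label.lower()
           for f in files):
        indicators.append("root shortcut named after the drive")

    # Indicator 2: RECYCLER.BIN holding a sideloading triple: an .exe, a .dll
    # and at least one other file (the binary blob). On a real drive the
    # folder is hidden; on Windows you could additionally test
    # os.stat(p).st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN.
    for d in dirs:
        if d.name.lower() == "recycler.bin":
            contents = [p for p in d.rglob("*") if p.is_file()]
            exes = [p.name for p in contents if p.suffix.lower() == ".exe"]
            dlls = [p.name for p in contents if p.suffix.lower() == ".dll"]
            blobs = [p.name for p in contents if p.suffix.lower() not in (".exe", ".dll")]
            if exes and dlls and blobs:
                indicators.append(
                    f"sideloading triple in {d.name}: exe={exes} dll={dlls} blobs={blobs}")

    # Indicator 3: every original file relocated into one folder, leaving the
    # root with nothing but the shortcut and RECYCLER.BIN.
    visible_dirs = [d for d in dirs if d.name.lower() != "recycler.bin"]
    loose_files = [f for f in files if f.suffix.lower() != ".lnk"]
    if len(visible_dirs) == 1 and not loose_files and any(visible_dirs[0].iterdir()):
        indicators.append(f"all content relocated into {visible_dirs[0].name}/")

    return indicators


def build_sample_drives(base):
    """Constructed layouts: one mimicking the described footprint, one ordinary."""
    label = "USB_DRIVE"  # assumed volume label for the demo
    infected = base / "infected"
    (infected / "RECYCLER.BIN").mkdir(parents=True)
    for name in ("legit.exe", "side.dll", "payload.dat"):  # invented names
        (infected / "RECYCLER.BIN" / name).write_bytes(b"placeholder")
    (infected / f"{label}.lnk").write_bytes(b"placeholder")
    (infected / "docs").mkdir()
    (infected / "docs" / "report.docx").write_bytes(b"placeholder")

    clean = base / "clean"
    (clean / "photos").mkdir(parents=True)
    (clean / "photos" / "a.jpg").write_bytes(b"placeholder")
    (clean / "notes.txt").write_bytes(b"placeholder")
    return infected, clean, label


def run_demo():
    """Return (indicator count on the infected layout, count on the clean one)."""
    with tempfile.TemporaryDirectory() as tmp:
        infected, clean, label = build_sample_drives(Path(tmp))
        return len(inspect_drive(infected, label)), len(inspect_drive(clean, label))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        infected, clean, label = build_sample_drives(Path(tmp))
        for drive in (infected, clean):
            print(drive.name, inspect_drive(drive, label) or ["no indicators"])
```

Any one indicator on its own is weak (plenty of drives have a single folder at the root), so treat two or more together as the signal; this is a triage aid for a drive that has already been plugged into an isolated machine, not a substitute for the Linux-side sanitation the comment below alludes to.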
Re: (Score:2)
Solve all your problems and format your drives with ext4
Re: (Score:2)
>"Solve all your problems and format your drives with ext4"
All my drives *are* ext4 (except the one that is zfs), since they all run Linux.