"Changeup" cases climb as worm exploits AutoRun

Researchers have seen a significant uptick in cases of Changeup, a worm that spreads the banking trojan Zeus and other malware via removable media, such as USB sticks, or file-sharing programs. 

In a six-day period between Nov. 23 and last Wednesday, security firm Symantec noted that Changeup detections rose from around 8,000 cases to more than 14,000.

The worm – which goes by a number of other names, including “AutoRun,” coined by McAfee – can infect machines running older Windows operating systems that enable AutoRun by default. AutoRun is a Windows feature that lets files or programs launch as soon as a removable media device, such as a USB stick or CD-ROM, is inserted into a computer.

Still, the outbreak of Changeup isn't nearly as widespread as some previous AutoRun worms.

In February 2011, Microsoft released updates primarily designed to disable AutoRun for users of Windows XP, 2003 and Vista. And Conficker, a widespread worm discovered in 2008 that exploits a vulnerability in the Windows Server service, ran rampant for years by abusing the AutoRun feature along with other Windows vulnerabilities. Conficker, which initially impacted millions of machines worldwide, remains one of the top threats affecting users, mostly on machines that haven't been patched.

Liam O Murchu, manager of operations at Symantec Security Response, told SCMagazine.com on Monday that victims can spot Changeup on their machines because the worm copies itself onto user profile directories using executable files named “secret,” “porn,” “sexy” and “password.” But the malware is harder to detect on removable devices, like memory sticks, he said.

“When it copies itself onto a USB or removable drive, it will copy itself to the same name as legitimate folders, and use that icon,” O Murchu said. “Then it will set the machine to hide the legitimate folder or file. It's definitely using camouflage tricks. It's not using any advanced techniques, but they can still be very effective for people who are not aware of them.”

Chester Wisniewski, a senior security adviser at Sophos, wrote a blog post Friday on the worm. Sophos, which named the malware “VBNA-X,” found that malicious code delivered with Changeup varied depending on the location and time of infection.

“The instances we investigated downloaded banking trojans belonging to the Zeus/Zbot family, but can frequently change based on time of day or geographic location,” Wisniewski wrote.

In addition to disabling AutoRun, researchers advise users to run up-to-date versions of Windows to avoid infection.
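The following PowerShell script is an added defender-side example, not code from the article, Symantec or Sophos. It checks for the two things described above: the decoy pattern O Murchu describes on removable drives (an .exe whose name matches a sibling folder that has been set hidden) and whether AutoRun is disabled through the standard NoDriveTypeAutoRun policy value. Function names are my own.

```powershell
# Added example: detect Changeup-style decoys on removable media and verify the
# AutoRun mitigation. Reports only; it does not delete or quarantine anything.

function Find-DecoyFolderExecutables {
    param([string[]]$DriveRoots)
    if (-not $DriveRoots) {
        # DriveType 2 = removable disk (USB sticks, card readers)
        $DriveRoots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
            ForEach-Object { $_.DeviceID + '\' }
    }
    foreach ($root in $DriveRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden items; the worm works at the top level of the drive
        $items = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue
        $hiddenDirs = $items | Where-Object {
            $_.PSIsContainer -and (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        }
        foreach ($dir in $hiddenDirs) {
            # A visible .exe carrying the hidden folder's name is the camouflage pattern
            $decoys = $items | Where-Object {
                -not $_.PSIsContainer -and $_.Extension -ieq '.exe' -and $_.BaseName -ieq $dir.Name
            }
            foreach ($file in $decoys) {
                [pscustomobject]@{
                    Drive        = $root
                    HiddenFolder = $dir.FullName
                    Decoy        = $file.FullName
                    SHA256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                }
            }
        }
    }
}

function Test-AutoRunDisabled {
    # 0xFF disables AutoRun for every drive type; the per-user key can override
    # the machine key, so both are reported.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{ Key = $key; NoDriveTypeAutoRun = $value; Disabled = ($value -eq 0xFF) }
    }
}

Find-DecoyFolderExecutables | Format-Table -AutoSize
Test-AutoRunDisabled | Format-Table -AutoSize
```

Any row returned by the first function is worth submitting to your AV vendor with the hash; an empty table from the second means the policy value is absent and AutoRun is still at the OS default.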
