Incident Response, Malware, TDR, Vulnerability Management

Virtumundo, now a worm, spreading via USB stick

A long-standing trojan that serves as a malware-distribution service has found a new way to infect computers: via a USB stick or other removable device.

Sophos security researchers issued a warning that the Virtumundo trojan, also known as Virtumonde or Vundo, is now infecting computers via AutoRun, a Windows feature that enables files or programs to run immediately as soon as a removable media device, such as a USB stick or CD-ROM, is connected to a computer.

Virtumundo is an adware program that displays pop-up advertisements on the desktop and also downloads other software from various remote servers, according to researchers at Sunbelt Software. Ever-evolving, the trojan is capable of attaching itself to browsers and injecting fake entries into search results.

Virtumundo is one of the most prolific ad/spyware threats in the wild to date, said Ken Dunham, director of global response at iSIGHT Partners, in an email Thursday to SCMagazineUS.com.

“It began several years ago, around 2004, and has had a surge of activity over the past year through aggressive spreading tactics," he said. "'Sneakernet' infections is one of the more troubling vectors of attack for malicious code in the past year, including OnlineGames trojans, AutoRuns, Conficker, and now Virtumundo."

Such threats are blended, including multiple vectors for spreading, he said. While threats like Conficker are highly effective for many reasons, other codes with less prevalence in the wild, like AutoRuns and Virtumundo, do improve their survivability in the wild by adding an INF thumb drive vector for spreading.

“The behavior of most AutoRun worms is generally predictable,” wrote Julie Yeates on the Sophos' blog this week. “They copy themselves to the system folder, create an AutoRun file, spread to any available removable storage devices or network shares and change registry entries to enable themselves to run automatically.”

Analysts at SophosLabs in the UK have been noticing a constant stream of updates over the past few weeks, including downloaded updates several times per day.

They explain that the update mechanism uses "server-side polymorphism," a strategy that continually changes the packaging of the toxic DLL (Dynamic Linked Library) file. This is done to fend off pattern-based detection.

“Virtumundo is certainly ‘out there' in the wild, and has infected a lot of people's computers,” Graham Cluley, senior technology consultant at Sophos, wrote in an email to SCMagazineUS.com on Thursday.

However, he said it is very different from Conficker, which also spreads with the help of AutoRun but requires a  Microsoft security vulnerability.

Cluley agreed that the principal aim of Virtumundo is to deliver advertising pop-ups. This makes it distinct from Conficker, which, he said, “is principally creating a botnet with -- as yet -- unknown intentions.”

“What makes Virtumundo so interesting is the considerable effort its creators seem to have put in place to continually change it, in an attempt to avoid detection,” Cluley said. "I don't believe that Virtumundo is affecting as many computers and causing as much disruption as Conficker did, but it certainly has caused a lot of headaches for some computer users as they have struggled to remove it from their Windows PCs."

Further, Sophos analysts believe that the insidious nature of this trojan – infecting systems with a cocktail of rootkits, trojans, viruses, downloaders, etc. – suggests it is likely in the service of criminal gangs who are using it as a malware-distribution service. And the fact that worming capability has now been detected, enabling it to spread via removable media storage devices, suggests that its creators are doing everything they can to ensure its survival.

Thumb drives have proven to be a significant threat for both data loss and malicious code risk, with the risk significantly increased in the past year due to changes in the global economy and the popularization of INF spreading tactics utilized by authors of malicious code, said Dunham.

Dunham said that to help mitigate such threats, disable AutoPlay options within the registry or employ other tactics.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.