“Changeup” cases climb as worm exploits AutoRun

Researchers have seen a significant uptick in cases of Changeup, a worm that spreads the banking trojan Zeus and other malware via removable media, such as USB sticks, or file-sharing programs. 

In a six-day period between Nov. 23 and last Wednesday, security firm Symantec noted that Changeup detections rose from around 8,000 cases to more than 14,000.

The worm – which goes by a number of other names, including “AutoRun,” coined by McAfee – is capable of infecting users' machines that run older Windows operating systems employing AutoRun by default. AutoRun is a Windows feature that allows files or programs to immediately engage as soon as a removable media device, such as a USB stick or CD-ROM, is inserted into a computer.

Still, the outbreak of Changeup isn't nearly as widespread as some previous AutoRun worms.

In February 2011, Microsoft released updates primarily designed to disable AutoRun for users of Windows XP, 2003 and Vista. And Conficker, a widespread worm discovered in 2008 that exploits a vulnerability in the Windows Server service, ran rampant for years by attempting to abuse the AutoRun feature, along with other Windows vulnerabilities. Conficker, which initially impacted millions of machines worldwide, remains one of the top threats affecting users, mostly machines that haven't been patched.

Liam O Murchu, manager of operations at Symantec Security Response, said on Monday that victims can spot Changeup on their machines because the worm copies itself onto user profile directories using executable files named “secret,” “porn,” “sexy” and “password.” But the malware is harder to detect on removable devices, like memory sticks, he said.

“When it copies itself onto a USB or removable drive, it will copy itself to the same name as legitimate folders, and use that icon,” O Murchu said. “Then it will set the machine to hide the legitimate folder or file. It's definitely using camouflage tricks. It's not using any advanced techniques, but they can still be very effective for people who are not aware of them.”
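The two indicators described above can be checked with a short script. This is an added example, not code from Symantec, Sophos or the original article: it flags executables that share a name with a hidden file or folder in the same directory, and executables carrying one of the four lure names. The extension list, function names and sample listing are assumptions made for illustration.

```python
import os
import stat
import sys

# Names the article says the worm uses for its copies in user profile directories.
LURE_NAMES = {"secret", "porn", "sexy", "password"}
# Assumption: which extensions count as "executable"; the article does not list them.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}

def list_entries(root):
    """Return (name, is_dir, is_hidden) for each entry directly under root."""
    entries = []
    with os.scandir(root) as it:
        for e in it:
            st = e.stat(follow_symlinks=False)
            # st_file_attributes exists only on Windows; elsewhere nothing is "hidden".
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
            entries.append((e.name, e.is_dir(follow_symlinks=False), hidden))
    return entries

def find_suspects(entries):
    """Flag executables that shadow a hidden item or carry a known lure name."""
    hidden_names = {name.lower() for name, _, hidden in entries if hidden}
    findings = []
    for name, is_dir, _ in entries:
        stem, ext = os.path.splitext(name.lower())
        if is_dir or ext not in EXEC_EXTS:
            continue
        if stem in hidden_names:
            findings.append((name, "shadows-hidden-item"))
        elif stem in LURE_NAMES:
            findings.append((name, "lure-name"))
    return sorted(findings)

# Constructed listing of a removable drive root (not taken from a real sample).
SAMPLE = [
    ("Photos", True, True), ("Photos.exe", False, False),
    ("Budget.xls", False, True), ("Budget.xls.exe", False, False),
    ("Music", True, False), ("setup.exe", False, False),
    ("Password.exe", False, False), ("notes.txt", False, False),
]

if __name__ == "__main__":
    entries = list_entries(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for name, reason in find_suspects(entries):
        print(f"{reason}\t{name}")
```

Run it with a drive root or profile directory as the only argument; a hit is a lead for review with an up-to-date scanner, since a legitimate installer can share a folder's name.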

Chester Wisniewski, a senior security adviser at Sophos, wrote a blog post Friday on the worm. Sophos, which named the malware “VBNA-X,” found that malicious code delivered with Changeup varied depending on the location and time of infection.

“The instances we investigated downloaded banking trojans belonging to the Zeus/Zbot family, but can frequently change based on time of day or geographic location,” Wisniewski wrote.

In addition to disabling AutoRun, researchers advise users to run up-to-date versions of Windows to avoid infection.
