File infector reveals some lessons to be learned
I have a webpage to monitor some of our stats and I use some GIF files to make it user friendly.
Yesterday I noticed that the pics weren't displaying properly… Oddly enough, all the files now also had exactly the same size…
I still had the originals, so I compared two of them. The new (infected) GIF contains a PE header and PE sections!
I renamed the GIF file to EXE and ran it:
Talk about a payload…
It replicates itself as "picture files" that are really executables, and disables the display of file extensions in Explorer so the copies look like pictures.
Analysis with our tools shows the registry value responsible, which hides the .EXE extension on every file:
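Two of the artefacts above are easy to check for mechanically: image files on the share whose bytes are really a PE executable, and the Explorer setting that hides extensions. The following triage script is an added example, not code from the original post or its tools. It assumes the registry value in the screenshot is the standard Explorer value HideFileExt (1 = hide extensions of known file types); the sample files and the sample `reg export` text are constructed inline so it runs offline.

```python
"""Hypothetical triage script, added as an example; not code from the original post.

It flags image files whose contents are a PE executable and parses a .reg export for
HideFileExt. All sample data (fake infected GIF, registry export) is constructed here.
"""
import os
import struct
import tempfile
from pathlib import Path
from typing import List, Optional

# Magic bytes a file with each image extension is expected to begin with.
EXPECTED_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Well-known Explorer key holding HideFileExt (assumed to be the value the post's screenshot showed).
EXPLORER_ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Constructed sample of `reg export` output for that key on an infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"""


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(path: Path) -> Optional[str]:
    """Describe an image file whose contents do not match its extension; None if it looks genuine."""
    ext = path.suffix.lower()
    if ext not in EXPECTED_MAGIC:
        return None
    with open(path, "rb") as fh:
        head = fh.read(4096)  # enough for the DOS stub and the PE signature
    if any(head.startswith(magic) for magic in EXPECTED_MAGIC[ext]):
        return None
    if is_pe(head):
        return f"{path.name}: claims {ext} but is a PE executable"
    return f"{path.name}: claims {ext} but magic bytes do not match"


def scan_share(root: str) -> List[str]:
    """Walk a share and list every image file that is not really an image."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            finding = classify(Path(dirpath) / name)
            if finding:
                findings.append(finding)
    return sorted(findings)


def hide_file_ext_enabled(reg_export: str) -> bool:
    """Parse a .reg export and report whether HideFileExt is 1 under Explorer\\Advanced."""
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
        elif current_key == EXPLORER_ADVANCED.lower() and line.lower().startswith('"hidefileext"='):
            return line.split("=", 1)[1].strip().lower() == "dword:00000001"
    return False


def build_fake_pe() -> bytes:
    """Constructed stand-in for an infected GIF: MZ stub, e_lfanew = 0x40, then a PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def demo() -> List[str]:
    """Build a constructed sample share in a temporary directory and scan it."""
    share = Path(tempfile.mkdtemp(prefix="stats-share-"))
    (share / "chart.gif").write_bytes(b"GIF89a" + b"\x00" * 30)          # genuine GIF
    (share / "logo.gif").write_bytes(build_fake_pe())                      # "picture" that is a PE
    (share / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 30)  # genuine JPEG
    return scan_share(str(share))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print("HideFileExt set:", hide_file_ext_enabled(SAMPLE_REG))
```

Checking magic bytes rather than extensions is the point: the worm relies on the extension being trusted (and then hidden). On the infected host itself, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" adv.reg` produces the text this script parses; the cheap first pass the post itself used, every picture suddenly having the same size, is still worth a look before running anything.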
The file is well detected on VirusTotal:
You may wonder how the GIF files got infected in the first place…
The files are stored on a Samba network share… Since this is a worm, it is no surprise that it tried to propagate through everything it could reach, including that share.
This made us realize there was a hole in our virtual machine setup that exposed the network to the VMs under rare circumstances, though evidently not rare enough to never happen.
We also tightened the file permissions on the share to prevent this from happening again:
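The post does not show which permissions were changed. The share definition below is an added example (not the author's configuration) of the kind of Samba-side tightening that closes this propagation path: clients that only view the stats page get read-only access, only a named group can write, and executable file types are vetoed so the worm's copies can neither be created on nor served from the share. The share name, path and group names are assumptions.

```ini
[stats]
   comment = Stats page assets
   path = /srv/stats
   ; only these groups can connect at all
   valid users = @stats-viewers @stats-editors
   ; everyone is read-only unless listed in write list
   read only = yes
   write list = @stats-editors
   ; files created through the share never get the execute bit
   create mask = 0644
   directory mask = 0755
   ; executables are invisible and cannot be created or opened via the share
   veto files = /*.exe/*.scr/*.pif/*.com/*.bat/*.vbs/
   delete veto files = no
```

A Windows guest that mounts the share with a viewer account then cannot overwrite the GIFs at all, and even an editor account cannot drop an `.exe` next to them. Filesystem ownership on the server side should match (the directory owned by the editor group, not world-writable), since Samba permissions only apply to access through Samba.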
What does that teach me?
- Never take for granted what malware can and can’t do
- Access control is crucial
- System designs must be built with potential weak spots in mind
Jerome