I think I found an undetected malware... I think. What now? Do I report it somewhere?

Hi all,
Writing for some advice as I'm not an expert on the topic at all.

I went to a copy shop with a USB stick with some files on it. I plugged it in the PC, and something weird happened to the directory structure of the USB stick. I paid little attention as I was in a rush, and in the end I managed to print the files.

A week after, I go back to the same copy shop and the same thing happens again. Now I got curious and I poked around the USB stick at home. It turns out the "weird directory structure" on the USB stick is a Windows shortcut (.lnk) that looks like a link to the USB stick itself (same icon, same name as the USB stick) BUT in reality it executes cmd.exe with some parameters. The original content of the USB stick has been moved to a folder on the stick that has been made hidden, so when opening the USB stick one sees a shortcut to the USB stick itself only. As said, the shortcut is not actually a shortcut to the USB stick, it just looks like it. From what I understand the shortcut passes the content of a hidden file, that is now also on the USB stick, as input to cmd.exe (i.e. something like cmd.exe < wbq.usb). And then somehow it opens the hidden folder with your original files. The user, if they fail to notice the little "shortcut" icon badge on the shortcut, might think double clicking on the USB drive didn't work the first time and just click it again and now it works (but they unknowingly run the cmd.exe).

So, now I want to know if I got infected with malware, and with what malware.

I submitted the lnk file and the hidden file to VirusTotal.

For the lnk file, I get 4 vendors out of 57 flagging it as malicious. I guess it flags anything that executes CMD as potentially malicious? For the hidden file (wbq.usb), I get 0 vendors detecting it as malicious.

There are so many red flags here that I'm pretty sure something fishy is going on. I opened the hidden file with a hex editor and I found a string with an http URL that looks fishy and includes the URL parameter "%computername%" as if it was sending this info out.

This must be some kind of malware, right? None of the VirusTotal vendors detected the wbq.usb as malicious, should I report it to someone for further analysis? Would it help at all? i.e. if it's indeed malware that currently evades detection, vendors can add it to their list, right? I just want to make sure this malware doesn't cause damage to others.

... and from now on, better change copy shop :)

submitted by /u/pidumobe

from hacking: security in practice https://ift.tt/3mgSrpF
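The pattern the poster describes (a root-level .lnk carrying the drive's own name and icon that really launches cmd.exe, a hidden folder holding the moved files, and a hidden script file fed to cmd.exe on stdin) can be triaged from a clean machine without double-clicking anything. The PowerShell below is an added example, not code from the post; it assumes the stick is mounted as E: and reads the shortcut through the WScript.Shell COM object rather than executing it.

```powershell
# Added triage script (not from the original post). Assumption: the suspect stick is E:\.
param([string]$Drive = 'E:\')

$shell = New-Object -ComObject WScript.Shell
$findings = @()

# 1. Root-level shortcuts whose target is cmd.exe. A genuine "open this drive"
#    shortcut never points at cmd.exe; Arguments is where "< hiddenfile" would sit.
Get-ChildItem -Path $Drive -Filter '*.lnk' -File -Force | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)   # parses the .lnk, does not run it
    $target = [string]$lnk.TargetPath
    $arguments = [string]$lnk.Arguments
    if ($target -match '(?i)\\cmd\.exe$' -or $arguments -match '(?i)\bcmd(\.exe)?\b') {
        $findings += [pscustomobject]@{
            Indicator = 'Shortcut launches cmd.exe'
            Path      = $_.FullName
            Detail    = "Target=$target Args=$arguments Icon=$($lnk.IconLocation)"
        }
    }
}

# 2. Hidden items in the root: the relocated original folder and the script file.
Get-ChildItem -Path $Drive -Force | Where-Object {
    $_.Attributes.HasFlag([IO.FileAttributes]::Hidden)
} | ForEach-Object {
    $kind = if ($_.PSIsContainer) { 'Hidden folder in root' } else { 'Hidden file in root' }
    $findings += [pscustomobject]@{ Indicator = $kind; Path = $_.FullName; Detail = "Attributes=$($_.Attributes)" }

    # 3. For hidden files, pull out URLs and environment-variable expansions such as
    #    %computername% (what the poster found with a hex editor), then hash the file
    #    so it can be reported to a vendor or VirusTotal without re-uploading blindly.
    if (-not $_.PSIsContainer) {
        $text = [IO.File]::ReadAllText($_.FullName)
        $hits = [regex]::Matches($text, '(?i)https?://[^\s"''<>]+|%[a-z_]+%') | ForEach-Object { $_.Value }
        if ($hits) {
            $findings += [pscustomobject]@{
                Indicator = 'Beacon-like strings in hidden file'
                Path      = $_.FullName
                Detail    = ($hits | Select-Object -Unique) -join ' | '
            }
        }
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Indicator = 'SHA256'; Path = $_.FullName; Detail = $hash }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it from a machine with autorun/autoplay disabled and the stick mounted read-only if possible; the SHA256 lines are what an AV vendor's sample-submission form or a VirusTotal search needs, and the beacon strings are the indicators worth including in the report.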
