Wednesday, April 01, 2009

teaching bad dogs new tricks

well, april 1st is nearly gone and the internet is still here... conficker's magical doomsday payload didn't materialize - which is good, i would have felt worse if it had...

huh? what? why would i feel bad about such a thing? well it's come to my attention that i may, possibly have contributed to the problem in some small way...

take one autorun worm that employs autoplay social engineering...

add one video that suggests autoplay social engineering was first seen in this worm...

and finally add one blog post published 3 months prior to the discovery of the worm that describes that very feature as a passing remark in the last sentence...

what do you get? a not so great feeling in the pit of my stomach... of course it's probably the height of conceit to imagine that i personally gave this idea to the author(s) of conficker, but autorun worms aren't exactly new in and of themselves so this new behaviour following so close on the heels of my mentioning of it does seem a little bit troubling...

so if i am responsible for that particular feature, my apologies to, well, the entire internet and computer-using public... i thought it was an obvious ploy, i assumed it had already been done... it was not my aim to give the bad guys ideas (if anything i'd rather be giving the good guys ideas - if only they'd listen)... i'd like to say that i've come up with safeguards against giving the bad guys ideas in the future, but short of keeping my big yap shut i really can't think of anything...

on the bright side, at least i didn't write and distribute proof of concept attack code that was later used in real malware like some folks i could mention...

what is autoplay social engineering?

autoplay social engineering is a subset of social engineering tricks that specifically utilize the autoplay dialog that windows normally presents when certain types of storage media are inserted into the computer...

related to autorun malware, autoplay social engineering assists in getting the malware executed in situations where autorun doesn't automatically launch the malware as soon as the storage media is inserted into the machine... when the autoplay dialog is displayed it presents the user with a list of options for how the user can view the data on the storage media (such as viewing a slide show if the media contains pictures, viewing a video on the media, opening the drive in explorer, etc.) and can also include an option, specified in the autorun.inf file in the root directory of the media, that can literally be anything (including launching malware processes)... this optional entry appears at the top of the list and is selected by default when the autoplay dialog opens...

should the option specified in the autorun.inf file present itself as something it's not, such as showing the icon and description identical to that for opening the drive in explorer when it actually runs malware, then that represents a form of social engineering as it's tricking the user into doing something s/he doesn't really want to do...
