Posted on 02/19/2008 11:25:20 AM PST by sandyeggo
An insidious computer virus recently discovered on digital photo frames has been identified as a powerful new Trojan Horse from China that collects passwords for online games - and its designers might have larger targets in mind.
"It is a nasty worm that has a great deal of intelligence," said Brian Grayek, who heads product development at Computer Associates, a security vendor that analyzed the Trojan Horse.
The virus, which Computer Associates calls Mocmex, recognizes and blocks antivirus protection from more than 100 security vendors, as well as the security and firewall built into Microsoft Windows. It downloads files from remote locations and hides files, which it names randomly, on any PC it infects, making itself very difficult to remove. It spreads by hiding itself on photo frames and any other portable storage device that happens to be plugged into an infected PC.
The authors of the new Trojan Horse are well-funded professionals whose malware has "specific designs to capture something and not leave traces," Grayek said. "This would be a nuclear bomb" of malware.
By studying how the code is constructed and how it's propagated, Computer Associates has traced the Trojan to a specific group in China, Grayek said. He would not name the group.
(Excerpt) Read more at sfgate.com ...
Probing......
Why don't we do the commies a fav and simply block all traffic that comes outta that sh**h**e.
Where’s the fix?
{^_^}
Deborah Hale at SANS suggested that PC users find friends with Macintosh or Linux machines and have them check for malware before plugging any device into a PC.
Seriously, asking a friend with a Mac to use Disk Utility to annihilate the cr@pware that comes pre-installed on a lot of USB devices, before you stick it in your PC, is not a bad idea.
Agreed.
Ugh, we were already sick of digital photo frames -- and now it looks like those now-discontinued virus-ridden Insignia units from Best Buy and several other models produced in China were carrying a much nastier trojan than we'd originally heard. According to an analyst from Computer Associates, the trojan, called Mocmex, is able to block more than 100 types of security and anti-virus software from killing it, and bypasses the Windows firewall to download files from remote locations, spreading them randomly over your hard drive and any portable storage device you plug into your PC -- like, for example, a digital photo frame. The trojan is apparently set to only steal gaming passwords at present, but CA says it's capable of stealing nearly any information on your machine, and thinks it might be a test for a much worse virus yet to come. Infected frames have come from Sam's Club, Target and Costco, in addition to Best Buy, so we'd say to avoid picking one up until this mess gets sorted out -- or, you know, forever.
Probing tools brought to you via the PLA...
I tweak all my machines to do no autorun.
Unless you know what you are doing... don't mess with the registry. Don't say I didn't warn you if you are a n00b and brick your box.
Don't disable your local disks. CD, removable, remote and network are OK to set no autorun for.
These frames as well as MP3 players, etc. all get seen as removable drives. It is the autorun that allows them to infect your machines.
There are two registry values that can be used to persistently disable AutoRun: NoDriveAutoRun and NoDriveTypeAutoRun. The first value disables AutoRun for specified drive letters and the second disables AutoRun for a class of drives. If either of these values is set to disable AutoRun for a particular device, it will be disabled.
The NoDriveAutoRun value disables AutoRun for specified drive letters. It is a REG_DWORD data value, found under the following key:
The first bit of the value corresponds to drive A:, the second to B:, and so on. To disable AutoRun for one or more drive letters, set the corresponding bits. For example, to disable the A: and C: drives, set NoDriveAutoRun to 0x00000005.
The NoDriveTypeAutoRun value disables AutoRun for a class of drives. It is a REG_DWORD or 4-byte REG_BINARY data value, found under the same key.
By setting the bits of this value's first byte, different drives can be excluded from working with AutoRun.
The following table gives the bits and bitmask constants, that can be set in the first byte of NoDriveTypeAutoRun to disable AutoRun for a particular drive type. For Microsoft Windows NT® and later systems, you must restart Windows Explorer before the changes take effect.
| Bit Number | Bitmask Constant | Description |
|---|---|---|
| 0x04 | DRIVE_REMOVABLE | Disk can be removed from drive (such as a floppy disk). |
| 0x08 | DRIVE_FIXED | Disk cannot be removed from drive (a hard disk). |
| 0x10 | DRIVE_REMOTE | Network drive. |
| 0x20 | DRIVE_CDROM | CD-ROM drive. |
| 0x40 | DRIVE_RAMDISK | RAM disk. |
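As an added example (not code from this thread, from Microsoft, or from CA), the following Python encodes the two values described in the post above, decides whether AutoRun is disabled for a given drive using the "either value is sufficient" rule stated there, and writes a .reg file you can review before importing. It does not touch the registry itself. The constants are the five drive-type bits from the table; the registry key path is not given on the page and is supplied here from Microsoft's documentation as I remember it, so verify it against your Windows version. The recommended value 0x34 follows the earlier advice to leave fixed disks alone and cover removable, CD-ROM and network drives.

```python
"""
Added example: build, decode and check the NoDriveAutoRun / NoDriveTypeAutoRun
values discussed above.  Pure Python, runs anywhere; nothing here writes to the
registry -- it only produces values and a .reg file for you to inspect.
"""

# Drive-type bits for the first byte of NoDriveTypeAutoRun (from the table above).
DRIVE_TYPE_BITS = {
    "DRIVE_REMOVABLE": 0x04,
    "DRIVE_FIXED": 0x08,
    "DRIVE_REMOTE": 0x10,
    "DRIVE_CDROM": 0x20,
    "DRIVE_RAMDISK": 0x40,
}

# ASSUMPTION: key path is not shown on the page; this is the per-user Explorer
# policy key as documented by Microsoft.  Check it for your Windows version.
REG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def drive_letter_mask(letters):
    """NoDriveAutoRun: bit 0 is A:, bit 1 is B:, ... bit 25 is Z:.
    Accepts 'a', 'A' or 'A:'; rejects anything that is not a single letter."""
    mask = 0
    for raw in letters:
        letter = raw.upper().rstrip(":")
        if len(letter) != 1 or not "A" <= letter <= "Z":
            raise ValueError(f"not a drive letter: {raw!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def drive_type_mask(type_names):
    """NoDriveTypeAutoRun: OR together the bits for the named drive types.
    An unknown name raises KeyError rather than silently producing a weak mask."""
    mask = 0
    for name in type_names:
        mask |= DRIVE_TYPE_BITS[name]
    return mask


def describe_type_mask(value):
    """Map an existing NoDriveTypeAutoRun value (e.g. from 'reg query') back to
    the drive types it disables.  Bits the table does not name are reported raw
    instead of being guessed at."""
    names = [name for name, bit in DRIVE_TYPE_BITS.items() if value & bit]
    unlisted = value & ~sum(DRIVE_TYPE_BITS.values()) & 0xFF
    if unlisted:
        names.append(f"other(0x{unlisted:02x})")
    return names


def autorun_disabled(drive_letter, drive_type, no_drive_autorun, no_drive_type_autorun):
    """True if AutoRun is off for this drive under either value, matching the
    post: if either value disables AutoRun for a device, it is disabled."""
    by_letter = bool(no_drive_autorun & drive_letter_mask([drive_letter]))
    by_type = bool(no_drive_type_autorun & DRIVE_TYPE_BITS[drive_type])
    return by_letter or by_type


def reg_file(no_drive_type_autorun, no_drive_autorun=None, key=REG_KEY):
    """Render a .reg file (REG_DWORD form) that sets the value(s).  Review it,
    then import with regedit; restart Explorer afterwards as the post notes."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{key}]",
        f'"NoDriveTypeAutoRun"=dword:{no_drive_type_autorun:08x}',
    ]
    if no_drive_autorun is not None:
        lines.append(f'"NoDriveAutoRun"=dword:{no_drive_autorun:08x}')
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Per the advice above: removable, network and CD drives off, fixed disks left on.
    recommended = drive_type_mask(["DRIVE_REMOVABLE", "DRIVE_REMOTE", "DRIVE_CDROM"])
    print(f"NoDriveTypeAutoRun = 0x{recommended:02x}", describe_type_mask(recommended))
    # A photo frame or thumb drive that shows up as E: is now covered; C: is not.
    print("E: (removable) disabled:", autorun_disabled("E", "DRIVE_REMOVABLE", 0, recommended))
    print("C: (fixed) disabled:    ", autorun_disabled("C", "DRIVE_FIXED", 0, recommended))
    print(reg_file(recommended))
```

Run it once to see the value it recommends, compare `describe_type_mask` against whatever `reg query` on your machine currently reports, and only then import the generated .reg file.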
Don’t get all excited, this doesn’t mean your platform has somehow become significant ;)
As we all know, you try to target the biggest group possible, hence, Windows users.
http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
I forgot that tweakui has it in an idiot proof form.
under my computer -> autoplay -> you can turn off autoplay for all removable drives.
Speaking of Trojan Horses, does anyone know if there’s a DSL connection? I just got DSL two weeks ago, and I’ve already been hit with 3 Trojan Horses. In the 10 years that I’ve been on the Internet, I’ve never had one before. Just thought there might be a connection.
Dear NSA,
I’m still wondering when you guys are going to send a virus back to the Chicoms that will destroy all of the data on every connected computer within a week or 2 of infection.
A. Taxpayer.
How do you clear the drive, without wiping it out, once you stop the auto run? Do you format it? Which Disk Utility do you use? I’ll be turning off the autorun for now, using that n00b proof method you just gave me.
Must be the one I got. I knew it was very sophisticated the minute I got it. Lost Windows Security Center, Spybot S&D, etc., plus I just noticed my add/remove software is busted. The hack also appears to have real time surveillance and control. That would make it a sophisticated hack indeed. Pretty intelligent if a human can monitor your keystrokes in real time and throw a monkey wrench into the works with a keystroke. Personally I think the Chicoms are hoping for a Hillary win based on the interference the hack has run on my ops. The watchers don’t like you to type Commies s*ck in the search engine and such. I usually start a good movie in the background and then go about my business.
Another good one they don’t like is “Global Warming —Put some ice on it.”
Why would you want to clear the drive? Just turn off autorun, use Firefox with the NoScript addon, and run AVG Free. Also, stay away from hacker sites, and don't open crud that comes in as attachments in email.... unless you confirm with the person who sent it that it was sent and is legit. Finally run a firewall between you and the net, apply ALL OS patches, and run all your stuff except for doing installs from a limited (non-Administrator) account. You will have no problems that way.
I have a Mac. Do I need to worry about this?
I was wanting to ensure the drive was clean (getting rid of unwanted files that may have come on the drive) before running anything. A lot of usb stuff comes from China - my work-issued thumb drive included.
“Why don`t we do the commies a fav and simply block all traffic that comes outta that sh**h**e.”
Because that would severely hamper all the U.S. businesses that have moved to China and also all the DOD and research employees that are trying to transmit classified info back to China. :)
oh... ok... you mean what to do to the usb stuff.
Once autorun is turned off you can reformat the usb keys and stuff like that. MP3 players and things like cameras... consult the manual or google them. In any case, once autorun is off... you have to run something from the device to cause infection. If the device came with bundled software... forgo that and download a fresh copy of the latest version from the manufacturer. (ie, backup software or itunes or whatnot)
Perhaps, but logically, you’d then have to explain webserver exploits and that virus for a few thousand firewalls a while back..
I’d take that issue up with your ISP provider. They’re not doing something right over there.
Not really... just that with any broadband connection you can download the trojans faster than greased lightning. I have a friend who is still on a dialup with Windows... and his sessions are so short, he just gets on, checks his email, and disconnects... that he disconnects before any malware can finish its download...
Just using DSL makes you a target. Same as cable internet. The horse’s arses that come up with these Trojans know who owns the IP blocks. They target IP blocks owned by Comcast, ATT, Covad, and other high speed providers. IP blocks owned by dialup providers are not as good of a target. Why? Dialup connections are not always on. A cable or DSL connection is always available. Some people leave the computer on all the time. The PERFECT environment for a Trojan or a virus to operate with impunity.
If you have DSL, the FIRST thing to do is add a hardware firewall. This is easy to do by just adding a good router as the first thing past the modem. A router also adds NAT as another step in security so outsiders cannot see your network. If they can’t find you, they can’t target you.
Okay, the idea of a trojan horse being on digital frames is bad enough..to come directly from a commie manufacturer, but I am REALLY getting sick of all the bad news from China. What next?
How do we find out if we have the dang thing or not?
ping
Thanks for the info on DSL. I’ll call my ISP tomorrow. Since the Trojan Horses, I now disable the Local Area Connection and the 1394 Connection each night, then shut down the computer (which is probably overkill). I also run an AVG scan every day.
LTGM,
Thanks. FR is a great resource. I figured formatting would cure it, but then, with my luck, I’d be looking at a spendy paperweight.
The short answer is No.
The longer answer is this is a Trojan. Only download and open programs from trusted sources. Ninety-nine percent of what the MS users here are trying to do like shutting off autorun, etc. is already SOP for the Mac.
MS's backward support keeps biting them in the ....
get the kid to read
I assume these are the digital photo frames out there - the gadgets that display random photos. Does this mean photo frames can introduce the virus fresh out of the box, upon plugging them into a computer?
Yep.
Okay. Then the wording should be different. Instead of saying, “It spreads by hiding itself on photo frames,” it should say, “It spreads because someone has hidden it in photo frames commercially available through stores such as . . . and may spread further by . . . “
I’m going to read the article again, in case I missed it.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.