According to researchers at security firm Sophos, a new family of worms is targeting removable devices, including USB memory sticks and floppy disks. The worm family, formally named W32/SillyFD-AA, creates a hidden file on the removable media to ensure a copy of the worm is run the next time the media is connected to a Windows PC. It also changes the title of Internet Explorer windows to append the phrase "Hacked by 1BYTE."
Graham Cluley, senior technology consultant for Sophos, warned computer users to tread carefully when attaching an unknown device to a PC. "With USB keys becoming so cheap, they are increasingly being given away at trade shows and in direct mailshots," he said. "Marketing people are prepared to use them as 'throwaways' with the aim of securing sales leads."
As the SillyFD-AA threat is demonstrating, careless use of the increasingly popular memory sticks and other removable media might offer more than harmless file transfers. With a significant rise in financially motivated malware, Cluley noted, the Silly worm could be an obvious backdoor into a company for criminals bent on targeting a specific business with their malicious code.
No Laughing Matter
Targeted attacks aside, the Silly worm is indicative of another security trend. As more and more businesses implement strong defenses to protect against e-mail-borne malware, hackers are increasingly looking for less well-defended routes.
"In this example, changing the title of the Internet Explorer browser's windows should be a pretty clear sign to most people that something strange is afoot," Cluley noted. "It also indicates that this particular variant of the worm has not been written with completely clandestine intentions." A savvier Internet criminal, he said, would not have made it so obvious that the PC has been infected.
The Silly worm might seem like a new tactic, but it's really an old trick rehashed for a new generation. Computer viruses first evolved by infecting files on floppy disks that were taken from one PC to another; the Silly worm uses the same strategy.
Michael Sutton, a security evangelist at SPI Dynamics and former director of VeriSign iDefense Labs, said it's amusing to see attackers revert to outdated techniques for worm propagation, but pointed out that it's largely unnecessary considering that e-mail is still an effective method for infecting PCs.
"There are still more than enough vulnerable machines and gullible people to make an e-mail-based worm the fastest and most effective way to infect a broad range of hosts," Sutton argued. "Security has a long way to go before attackers will be forced to revert to the sneaker net to spread malicious code."
Sophos experts offered some common-sense advice: Any storage device that is attached to a computer should be checked for viruses and other malware before use. Also, users should disable the autorun facility of Windows so removable devices such as memory sticks and CD-ROMs do not automatically launch applications when they are inserted.
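One way to verify that the autorun facility is actually disabled for the two media types named above (memory sticks and CD-ROMs) is to audit the Windows NoDriveTypeAutoRun policy value. The script below is an added example, not code from Sophos or from the article; the function names are hypothetical and the sample values used off Windows are constructed.

```python
import sys

# Drive-type bits of the NoDriveTypeAutoRun policy value (a set bit disables AutoRun).
DRIVE_BITS = {
    0x01: "unknown",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed disk",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
}
REQUIRED = 0x04 | 0x20  # the types the article names: memory sticks and CD-ROMs
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

def effective_policy(hklm, hkcu):
    """The machine-wide value wins over the per-user one; None means not set."""
    return hklm if hklm is not None else hkcu

def still_autorunning(mask):
    """Drive types whose bit is clear, i.e. AutoRun is not disabled by policy."""
    mask = 0 if mask is None else mask
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]

def audit(hklm, hkcu):
    """Summarise whether policy disables AutoRun for removable and CD-ROM media."""
    mask = effective_policy(hklm, hkcu)
    ok = mask is not None and (mask & REQUIRED) == REQUIRED
    return {"mask": mask, "compliant": ok, "exposed": still_autorunning(mask)}

def read_policy():
    """Windows only: return (hklm, hkcu) values, None where the value is absent."""
    import winreg
    values = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                raw = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")[0]
                # Older systems may store the value as binary instead of a DWORD.
                values.append(int.from_bytes(raw, "little") if isinstance(raw, bytes) else raw)
        except OSError:
            values.append(None)
    return tuple(values)

if __name__ == "__main__":
    # Constructed sample values are used off Windows so the script still runs.
    hklm, hkcu = read_policy() if sys.platform == "win32" else (None, 0x91)
    print(audit(hklm, hkcu))
```

A missing value is reported as non-compliant because the operating system default then applies rather than an explicit policy.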
Sophos reiterated that floppy disks, CD-ROMs, USB keys, external hard drives, and other devices are all capable of carrying malicious code that could infect the computers of innocent users. It recommended that companies employ automatic antivirus updates and defend their users with a multipronged solution to block viruses, spyware, hackers, and spam.