Posts Tagged ‘USB’
Hybrid malware spreading via USB devices
Written by John P Mello Jr on February 3, 2010 – 5:01 pm
Zimuse leverages an IQ test to infect its victims.
An oddball hybrid malware program grabbed some electronic headlines this week. The bad app combines the activity of a worm with the infectious properties of a virus. There appear to be two variants of it: Win32.Worm.Zimuse.A and Win32.Worm.Zimuse.B.
What makes the pernicious program queer is its destructive properties. These days, Black Hats tend to concentrate their efforts on programming schemes that have a cash payoff. When that’s your line of business, stealth, not havoc, is your modus operandi. Zimuse’s creators, though, don’t seem to care about monetary gain. Proliferation and mayhem appear to be their game.
Given the putative origin of the malware, it’s easy to understand why it departs from the malware mainstream. According to security experts, the black app was originally written to infect fans of a motorcycle club in the Liptov region of Slovakia. As can be the case with computer pranks, however, the malware started spreading wildly and soon began infecting corporate networks. Now badware watchers say the majority of the machines infected by the Zimuse variants are in the United States, followed by Slovakia, Thailand and Spain.
The malware is a two-trick pony. First, it infects a machine and looks for ways to propagate itself. Then, after a defined number of days, it trashes its host’s Windows operating system and cripples it.
One way Zimuse distributes itself is by compromising legitimate Web sites. It’s planted as a self-unpacking zip file that contains an IQ test. When the IQ test installs itself on a machine, it also installs the malware. The IQ test is a legitimate application and serves to obfuscate what Zimuse is doing under the compromised computer’s hood.
Follow the serial numbers
Written by John P Mello Jr on January 12, 2010 – 5:08 pm
USB devices can be a convenience and a curse.
Devices that plug into the USB ports on a computer are convenient to use, but they can be a security headache, too. What security-conscious system administrator hasn’t contemplated the grim consequences of gigabytes of sensitive data inappropriately stored on a thumb drive walking out the front door of his or her company in the shirt pocket or purse of an employee? What security specialist hasn’t cringed at the thought of a compromised USB device being plugged into his or her network where it can infect the system with a virus, Trojan or worm?
One way to identify problems associated with USB devices is to follow their leavings. Among the traces USB devices leave behind when they’re attached to a computer running Windows are their serial numbers. Although not all USB devices have serial numbers, most do, and they can be used to perform some basic computer forensics, as Adrian Crenshaw pointed out in a recent posting in his Irongeek.com blog.
For example, if the ownership of a USB drive linked to malicious activity is in dispute, a scan of the suspects’ computers would reveal which one the device had been connected to. Chances are the operator of the computer containing the serial number of the device in its Windows registry will be the culprit in the case.
If the source of a virus is linked to a USB device, comparing the serial numbers of the devices connected to the system at the time the infection began to spread could help identify the compromised hardware and even identify the point of initial infection.
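The cross-host comparison described above can be sketched as follows. This is an added example, not code from the post or from Crenshaw's article. It assumes each host's `HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR` key (a path the post does not name) has been saved as text with `reg export`; the host names, devices and serial numbers are constructed.

```python
import re
from collections import defaultdict

# Instance subkey: ...\Enum\USBSTOR\<device description>\<instance ID>
KEY_RE = re.compile(r"\\Enum\\USBSTOR\\([^\\\]]+)\\([^\\\]]+)\]?\s*$", re.I)

def parse_usbstor(reg_text):
    """Return the set of (device, serial) pairs in `reg export` text."""
    seen = set()
    for line in reg_text.splitlines():
        m = KEY_RE.search(line.strip())
        if not m:
            continue
        device, instance = m.groups()
        # '&' as the second character marks an ID Windows generated because
        # the device reported no serial; it cannot be matched across hosts.
        if len(instance) > 1 and instance[1] == "&":
            continue
        seen.add((device, instance.rsplit("&", 1)[0].upper()))
    return seen

def hosts_by_serial(exports):
    """Map each serial number to the sorted list of hosts that recorded it."""
    index = defaultdict(set)
    for host, text in exports.items():
        for _device, serial in parse_usbstor(text):
            index[serial].add(host)
    return {serial: sorted(hosts) for serial, hosts in index.items()}

# Constructed sample exports (host names, devices and serials are made up).
SAMPLE_EXPORTS = {
    "WS-ALICE": r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Acme&Prod_Stick&Rev_1.00]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Acme&Prod_Stick&Rev_1.00\0774211B2F3A&0]
"FriendlyName"="Acme Stick USB Device"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Acme&Prod_Stick&Rev_1.00\0774211B2F3A&0\Device Parameters]
""",
    "WS-BOB": r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Acme&Prod_Stick&Rev_1.00\0774211b2f3a&0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash&Rev_2.10\6&2a7b3c1&0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Other&Prod_Drive&Rev_0.01\AA55EE01&0]
""",
}

if __name__ == "__main__":
    for serial, hosts in sorted(hosts_by_serial(SAMPLE_EXPORTS).items()):
        print(serial, hosts)
```

A serial that appears under more than one host is the lead worth following; the generated ID on WS-BOB is skipped because it identifies a port and device pairing on that machine, not the device itself.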


