What’s the Fuss with WORM_VOBFUS?
Some malware are more persistent than others – like WORM_VOBFUS. This recent heap of WORM_VOBFUS variants seen spreading on Facebook does not exhibit new routines, but it is a good reminder for users about well-known, but easily forgotten safe computing practices.
Based on our initial analysis, these WORM_VOBFUS variants that recently surfaced do not show any advanced routine or propagation technique. However, based from our Smart Protection Network™ feedback, the infection of these malware grew the past days.
Aside from spreading on Facebook, there is nothing new so far about WORM_VOBFUS. So why is it still a problem? Below are some persistent issues surrounding WORM_VOBFUS.
Disabling AUTORUN has its merits – but not everyone knows. Worms, like WORM_VOBFUS, are known to propagate by taking advantage of Windows Autorun feature on drives. To address this, users are often advised to disable Autorun to prevent their drives from being infected. For reason of inconvenience (or maybe forgetfulness?) users do not disable this feature. However, users can disable this feature, and in effect preventing worm from spreading, by doing certain steps.
Using the oldest trick in the book does the trick. According to reports, WORM_VOBFUS variants were found spreading on Facebook, using sexually-suggestive filenames such as Sexy.exe, Porn.exe. This use of sex or other provocative topics and events to lure users into executing a malicious file was (and still is) the centerpiece of web threats. What does this tell us? Users still respond to such social engineering ploy. But instead of arriving as attachments to email messages, users may now encounter them on social media sites like Facebook.
Exploiting old vulnerability still works. WORM_VOBFUS variants are known to exploit Windows Shortcut File vulnerability (MS10-046) aka CVE-2010-2568, a vulnerability addressed by Microsoft since 2010. This same vulnerability was targeted in the notorious STUXNET attack, in which malicious shortcut files (those with .LNK extensions) execute automatically if accessed by common file managers like Windows Explorer. Trend Micro Deep Security protects users from this rule via Deep Security rule 1004314.
Given the two years that elapsed since the vulnerability was reported and resolved, one can readily assume that users should have applied the solution by now.
The reality, however, is different. Based on a survey done by Skype, not all users apply the solutions provided by software vendors. Reasons vary from the notion that the updating takes up too much time to users not really seeing the benefit of these updates.
For enterprises, implementing software and server updates is trickier. IT administrators, who take care of an organization’s security, have to consider the effect of these updates to the organization’s operations. From testing updates to long hours of updating, security update implementation is not “a walk in the park”.
The benefit of timely update implementation outweighs these inconveniences. Thus, users should apply these software updates regularly, to avoid attacks leveraging old (but reliable) vulnerabilities. Users must also be cautious when downloading or executing files found on email messages, websites, and even social networking sites like Facebook.
To know more about how to protect yourself from WORM_VOBFUS, you may read the following:
- How to Maximize the Malware Protection of Your Removable Drives
- WORM_VOBFUS: A Polymorphic Downloader
As WORM_VOBFUS and other threats using old but reliable exploit show, threats do not burn and turn into ashes easily. Sometimes, they fade away but surface again.
Trend Micro Smart Protection Network™ detects and deletes WORM_VOBFUS variants if found on systems. Trend Micro Deep Security protects users from exploits using Windows Shortcut File vulnerability via Deep Security rule 1004314.