Saturday, September 2, 2017

What A USB .lnk Worm (Jenxcus) Looks Like To The End User

USB worms are one of those infections that should be long dead except that users keep them alive. All it takes is an unprotected computer at home and a user who decides to use their USB stick on their home computer as well as at work.

I've come across a lot of USB worms involving shortcut files in my work experience, and I've found that many SOC analysts have a hard time understanding what's going on because they've never actually seen what happens from the user's point of view. I've scoured the web for examples that demonstrate this clearly but haven't found anything satisfactory as a teaching aid.

In this example I'll be showing a Jenxcus .vbs infection that has taken over a USB stick.

The user sits down at their computer, plugs in their infected USB stick and wants to open a file called Introducing-Nmap.pdf. A trained user might notice that all of their files have become shortcuts for some reason, but most do not. All of these shortcuts (.lnk) are malicious and will infect the machine with Jenxcus.

So the user clicks Introducing-Nmap thinking they're opening their PDF file. What are they actually opening? The shortcut's target is not the PDF at all; the command line that runs is:
C:\Windows\system32\cmd.exe /c start aibdrozrug..vbs&start Introducing-Nmap.pdf&exit

This runs the malicious VB script aibdrozrug..vbs first and then opens Introducing-Nmap.pdf, so the user is completely unaware that they've just infected their computer. To them it looks like their PDF opened normally, albeit after a small delay.

But where are the real files? And where is the malicious aibdrozrug..vbs file? They're all there, but flagged as hidden. Why don't we see them? Because by default Windows hides extensions for known file types, as well as hidden and system files/folders.

When we uncheck those Folder Options, we can clearly see the malware on the USB stick. Notice how it creates a shortcut for every file and folder. All of them run the malicious .vbs script first and then open their file/folder as expected.

Therefore, if you're an analyst and you can see the command line data, look for &, start, exit, and explorer. The existence of these doesn't necessarily mean it's malware, but if you also see a suspicious looking script it's probably evil. Also, the parent process of the malicious cmd.exe will be explorer.exe because the user opened the shortcut from Windows Explorer. A persistence mechanism will usually be created and the malicious .vbs will be copied to C:\ so the machine stays infected after the stick is removed.

Here are some example shortcut command lines from this infection.
Opening a File:
C:\Windows\system32\cmd.exe /c start aibdrozrug..vbs&start Introducing-Nmap.pdf&exit
C:\Windows\system32\cmd.exe /c start aibdrozrug..vbs&start androidscareware.txt&exit
C:\Windows\system32\cmd.exe /c start aibdrozrug..vbs&start 20160112_205327.jpg&exit
Opening a Folder:
C:\Windows\system32\cmd.exe /c start aibdrozrug..vbs&start explorer Jenxcus&exit

Here's what the Process Tree looks like for the Introducing-Nmap shortcut:

There's also malware that uses this same shortcut technique but kicks off rundll32.exe with a malicious .dll file on the USB stick. I've seen cases (Andromeda malware) where the .dll filename and extension are both gibberish, so it's not obvious that it's a .dll file at all.
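To turn the analyst guidance above (the &amp;/start/exit chain launched from explorer.exe) and the rundll32 variant into something a SOC can actually run, here is an added example of my own, not code from the post, that classifies process-creation events. The events are constructed samples in Sysmon-style fields, the non-.vbs script extensions are an assumed generalisation to other Windows Script Host formats, and the gibberish rundll32 argument is invented to stand in for the Andromeda case.

```python
import re
from typing import Dict, Iterable, List, Optional

# Script extensions whose use as the first 'start' target suggests a dropper.
# The post only shows .vbs; the rest is an assumed generalisation to other WSH formats.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

# Matches the launcher shape from the post: /c start <payload>&start <decoy>&exit
CHAIN_RE = re.compile(
    r"/c\s+start\s+(?P<payload>.+?)&start\s+(?P<decoy>.+?)&exit\s*$", re.IGNORECASE)

# Constructed sample events (not real telemetry). The first two command lines are the
# ones quoted in the post; the rundll32 one imitates the Andromeda variant; the last is benign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c start aibdrozrug..vbs&start Introducing-Nmap.pdf&exit"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c start aibdrozrug..vbs&start explorer Jenxcus&exit"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start rundll32 qzxv.tmp,abcdef&start report.docx&exit"},  # hypothetical
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start backup.bat&exit"},  # single start, no decoy: not the pattern
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify_command(cmdline: str) -> Optional[str]:
    """Label the launcher pattern in a cmd.exe command line, or None if the chain is absent."""
    m = CHAIN_RE.search(cmdline)
    if not m:
        return None
    first_token = m.group("payload").strip().split()[0].lower()
    if first_token.endswith(SCRIPT_EXTS):
        return "script-dropper"          # Jenxcus-style .vbs launched before the decoy
    if first_token in ("rundll32", "rundll32.exe"):
        return "rundll32-dropper"        # Andromeda-style DLL loaded before the decoy
    return "chained-start"               # right shape, unknown payload type: still worth a look

def find_lnk_worm_launches(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    findings = []
    for ev in events:
        if basename(ev["Image"]) != "cmd.exe":
            continue
        label = classify_command(ev["CommandLine"])
        if label is None:
            continue
        # A double-clicked shortcut is spawned by Explorer, which raises confidence.
        from_explorer = basename(ev["ParentImage"]) == "explorer.exe"
        severity = "high" if from_explorer and label != "chained-start" else "medium"
        findings.append({"label": label, "severity": severity, "cmd": ev["CommandLine"]})
    return findings
```

Feeding real Sysmon Event ID 1 records into find_lnk_worm_launches only requires mapping the ParentImage, Image and CommandLine fields; the decoy group in the match tells you which file the user thought they were opening.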

There's no vulnerability involved in this method other than tricking the user. This infection works because the Windows default setting hides known file extensions and hidden files/folders. The user has no reason to think anything is wrong.

I'm not going to dig into the .vbs file itself as it is beyond the scope of what I wanted to show here. But VirusTotal coverage is only 38/57 at the time of writing, and this malware is from 2013!

Sunday, January 1, 2017

Some Thoughts on Machine Learning Antivirus

For a while I've been reading that signature based antivirus is dead and machine learning is the future. We're seeing the first wave of machine learning and math based antivirus products such as those made by Cylance, SentinelOne, and CrowdStrike. In my limited experience with these products they're pretty successful at recognizing malicious code, especially new malicious code. But signature based detection has a few perks that the machine learning companies haven't recognized and captured yet.

Once we know that a malicious file is on a system, do we care what it's doing or what kind of malware it is? The average user at home may not care who or what is attacking their system; they just want it fixed. In the business space, however, especially in large corporations with sensitive intellectual property, it is critical to know what the malware is. Why do they care? To correctly assess the risk of an infected computer, you have to know whether you're dealing with something innocuous like adware or with malware that is indicative of an attacker, like a remote access trojan (RAT). One requires cleaning a computer while the other may require a full blown incident response investigation. The problem with machine learning AV at present is that it tells you a file is malicious, but not *why* it is malicious. There's no signature telling you this is GhostRAT. So what are your options when you're trying to determine what the malware is? You're going to copy the hash from the console, paste it into VirusTotal and find out what the 55 signature based products detect this malware as. That's not ideal and certainly not scalable if you run a Security Operations Center and receive dozens or hundreds of alerts per day.

Another major difference with current machine learning AV products is that they only check executed files. Files that are merely written to the file system are not checked. This could be problematic if you have an attacker moving laterally inside your network and planting tools: AV would be running but it wouldn't notify you of the infection until the attacker actually used the tools. Adversaries could essentially prepare the battlefield without being detected. In comparison, signature based AV can scan files on access, so the attacker's tools would conceivably be detected when they're dropped on the file system (assuming a signature exists for those files).

The traditional signature based AV suites originally included just malware protection. Over time these suites have evolved (bloated?) to include a large variety of functionality such as firewall, access control, encryption, and others. Some of them provide increased protection through cloud based signatures and/or blocking of known bad network traffic. Machine learning AV, on the other hand, is presently just antivirus and nothing more. I've personally seen systems infected and detected by machine learning AV while the C2 traffic continued unabated. If strict proxy and firewall rules were not set up, this could be a problem. Defense in depth is important.

Machine learning antivirus has only been around for a few years, so this technology is still maturing and evolving. The detective potential is great, but there are tradeoffs to consider and risks to mitigate. I hope the experiences I've shared help to inform.