McDonalds serves up a McVirus in Japan

[iago]

Via The Blogger News Network.

[snip]

McDonalds in Japan seem to have got themselves in a bit of a McPickle.
As an advertising and obviously revenue generating program, they
decided to give away 10,000 mp3 players. Better still, these players
were loaded with 10 songs.

Unfortunately the Q&A process was not what it could have been, all of
the MP3 players came with an unwelcome guest.

As soon as you connected your free McPlayer to your computer a nasty
little piece of computer code scans your hard drive for passwords,
credit card numbers, etc.

With lots of McEgg on their face McDonalds have had to set up an
emergency response phone number to help the winners remove the McVirus.

[snip]

More:
http://www.bloggernews.net/1648

Props, paperghost.
http://www.vitalsecurity.org/2006/10/mcdonalds-serves-up-free-malware.html

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

[Explicit]

LOL, that's brilliant.

[Newby]

I want a free mp3 player. I'd love to see it read my ext3 file system and collect my passwords.

[Sidoh]

ROFL ! ROFL ! ROFL !

[AntiVirus]

Lmao!!  That's awesome.

[Blaze]

Lmao!!  That's awesome.

I have to agree. 

[Chavo]

Agreed.  Fan-friggin-tastic.

[Quik]

Who wrote the code that was on the mp3 players in the first place?

[Mythix]

It's pretty obvious. The scamburglar.

[iago]

I want a free mp3 player. I'd love to see it read my ext3 file system and collect my passwords.

That brings up another point that I think is dumb -- computers that will automatically run files off untrusted hardware.  I still think autorun was one of the dumber "features"

[Chavo]

It doesn't auto-run, it brings up a prompt asking the user to do one of a few things such as open a file explorer or run a program on the device that it wants to run (usually a device controller/setup), or do nothing.  I believe KDE has a very similar feature...

AFAIK the only thing it auto-runs is the plug and play driver

[AntiVirus]

It's pretty obvious. The scamburglar.

L M F A O!!

[iago]

It doesn't auto-run, it brings up a prompt asking the user to do one of a few things such as open a file explorer or run a program on the device that it wants to run (usually a device controller/setup), or do nothing.  I believe KDE has a very similar feature...

AFAIK the only thing it auto-runs is the plug and play driver

I think if there's an autorun.inf file, it auto-runs it (like a CD). 

And if KDE does that, then KDE is also stupid. 

[Chavo]

I could be wrong, but I don't think autorun.ini applies to USB devices.

[iago]

I could be wrong, but I don't think autorun.ini applies to USB devices.

I can't find any for-sure info about it.  It seems like speculation and other random FUD. 

[Chavo]

I tried creating an autorun.inf (typo earlier) file on my usb drive and could not get it to run the exe specified by autorun.inf even on a machine that had never previously been connected to the usb drive.

[Warrior]

...you can't be serious.

[iago]

I tried creating an autorun.inf (typo earlier) file on my usb drive and could not get it to run the exe specified by autorun.inf even on a machine that had never previously been connected to the usb drive.

I was googling about it, and there's a lot of suggestions about how to do it, but nothing sounded like the end-all solution.  I always assumed you could, but never really tested it. 

So if I want to infect people, I guess I'll stick to putting my virus on a CD with auto-run and leaving the CD laying around.  I forget where I read about that (maybe in Mitnick's book, but I'm not sure), but in a large-scale pen-test they left CDs containing a trojan laying around the building they were testing, and a lot of people put them in their computers.

Using your imagination, there are tons of ways you could convince somebody to put an evil CD into their computer.  And that's why I think autorun is evil. 

...you can't be serious.

Who?  And about what?  You have to quote when you say something like that.

[Warrior]

This whole mcdonalds mp3 players malware thing..

[Chavo]

Using your imagination, there are tons of ways you could convince somebody to put an evil CD into their computer.  And that's why I think autorun is evil. 

I think autorun was designed to give virus writers an easy way to target only people who don't use VMWare

[iago]

Ok, I did some research, and yes, you can do auto-run on USB.  You have to make the main partition CDFS partition, so that it's recognized as a CD. 

http://linuxbox.org/pipermail/funsec/2006-October/009425.html
http://linuxbox.org/pipermail/funsec/2006-October/009427.html

I have a ton of respect for both those posters, so I'm willing to believe them.

[Chavo]

It makes sense that autorun.inf is specific to cdfs.  I wonder how far the cdfs on usb can be taken to emulate a cd. 

* unTactical ponders

However, I have a beef with:

As of at least mid-year last year, I know that WinXP defaulted to autorun on USB sticks: I don't know if that has been reset in any of the recent patches.

Either Windows has been patched, or he is mistaking autorun for the dialog that opens and defaults the selection to the USB's internal app (I haven't looked to figure out where that is specified).  An important distinction.

[MyndFyre]

Guess what guys!  autorun.inf is NOT specific to NTFS.  My tablet came with a recovery partition - guess what - it had an autorun.inf that would run when I double-clicked the volume!

[iago]

Guess what guys!  autorun.inf is NOT specific to NTFS.  My tablet came with a recovery partition - guess what - it had an autorun.inf that would run when I double-clicked the volume!

It was never specific to NTFS.  Did you mean CDFS?

But we're talking about making it run when you plug in the USB device, not when you double-click on it.  I think that's what formatting it with CDFS does.

[Joe]

Ok, I did some research, and yes, you can do auto-run on USB.  You have to make the main partition CDFS partition, so that it's recognized as a CD. 

http://linuxbox.org/pipermail/funsec/2006-October/009425.html
http://linuxbox.org/pipermail/funsec/2006-October/009427.html

I have a ton of respect for both those posters, so I'm willing to believe them.

Yep. My flash drive (I forgot the brand name, but it's symbol is a M with a circle.. Magnavox?) does this to automagically install it's backup software as well as Firefox (odd..), and it's really pissing me off. I think I was going to run gparted on it once but I didn't have drivers or something.

[Quik]

unTactical's post made me think of something interesting: a free USB stick that I recieved from an engineering trade show (companies like to give away free shit so you look at their products ) had an auto-run program on it when attached to the USB drive. I believe it shows up as a CD on one partition, as well.

[MyndFyre]

Guess what guys!  autorun.inf is NOT specific to NTFS.  My tablet came with a recovery partition - guess what - it had an autorun.inf that would run when I double-clicked the volume!

It was never specific to NTFS.  Did you mean CDFS?

But we're talking about making it run when you plug in the USB device, not when you double-click on it.  I think that's what formatting it with CDFS does.

Yes I meant CDFS.

No, formatting it with CDFS does not make it auto-run; it has nothing to do with the file system.  Here's what happens.

Autorun is a function of the shell (typically explorer.exe).  When you mount a file system while explorer.exe is running, Explorer looks for autorun.inf and updates the display as needed.  This could involve altering the shell icon for the device, or executing the autorun command specified in the .inf.  Explorer.exe also changes the default action associated with the object - if you right-click on an object in Explorer, you'll see one item is almost always highlighted.  Typically this is the Open command.  However, when a file system is mounted with an autorun.inf file, Explorer sees the autorun.inf file, and adjusts its context menu so that the AutoPlay action is the default, and when you double-click on the object, the default action is performed.

For proof, I've created a network folder called Library (I'm at work, shutup) in the public share.  I created an autorun.inf file in this folder that specifies to open the command prompt (C:\Winnt\System32\cmd.exe), which you can see in my first attachment, autorun-inf-in-network-share.png.  I then mapped the Library folder to the network drive H, and lo and behold, the command prompt ran when I finished the mapping.  The second attachment is me right-clicking on the mapped drive in Explorer - you can see that AutoPlay is the default action, share-with-autorun.png.  Finally, double-clicking on it - just like mounting it - causes to run the autoplay file.  You can see this in the third attachment, autorun-cmd-prompt.png, as the command prompt started in the H:\ path, the network share where the autorun.inf file is located.

Please note that network shares in Windows are presented through the Network File System (NFS), and that the underlying physical file system is not represented to the components in the lower levels.

I hope this lesson in how Windows actually works (as opposed to speculation related to file systems) has been educational.

What would be intelligent for companies like Apple to do would be to not expose their file systems to Windows like a USB hard drive.  (Note: USB hard drives are also, incidentally, autorun-enabled, and they're on FAT file systems - how do you think USB drive manufacturers push their backup/sync software to users when they pop the drive in?  It's not firmware). 

iago, I realize you consider yourself a security expert, but touting about how awful Windows is when you don't actually know how it works makes you lose credibility.  If you like, I'll make you a FAT-formatted USB drive and mail it to you so you can plug it in Windows and watch it auto-play.

[iago]

That's all fine and dandy.  I don't care about the icon changing, and what happens when you double-click it is, while important, not the issue either. 

The issue is, when you plug in the USB stick, can it run a program? 

According to the guys on that security list (that I referenced), it will iff it's formatted as a CDFS.  At least, that's how I understand it. 

From a cursory check on Google, I couldn't find any other method to auto-running a USB stick. 

Is that the same thing that you're talking about?  Or are we talking about different things?


(On a sidenote: I don't pretend to be a Windows expert -- I'm not.  I haven't touched Windows for more than a couple minutes in probably 2 years)

[MyndFyre]

According to the guys on that security list (that I referenced), it will iff it's formatted as a CDFS.  At least, that's how I understand it. 

The guys on the security list, or your understanding, are wrong.  As I demo'd, any time a drive letter is mounted, Explorer will check to see if it's auto-runnable.  It is filesystem-agnostic.

A FAT-formatted USB stick will autorun.

[Chavo]

If its file system agnostic then why does the USB drive have to be FAT formatted?

I'm sure I created and placed my autorun.inf file correctly when I was testing my usb drive and it did not autorun but I don't remember offhand what file system it is formatted in, I'll check tomorrow.

[Quik]

I'm almost certain that there are ways to make a drive auto-execute something. Give me a day or two to test my theory, and I'll get back to you.

[MyndFyre]

If its file system agnostic then why does the USB drive have to be FAT formatted?

It doesn't *have* to be FAT-formatted.  However, USB drives are typically FAT-formatted because of the quick-eject nature of the drive.  You can only format them to NTFS if you tell the system to require you to use the "Eject" feature of the "Safely Remove Hardware" icon (since NTFS is journaling, removing while there are still cached actions to be done can leave the file system in an inconsistent state).

I was merely mentioning FAT for illustrative purposes.  I demonstrated that this was the behavior using NFS (Network File System) as well.

[Newby]

It doesn't *have* to be FAT-formatted.  However, USB drives are typically FAT-formatted because of the quick-eject nature of the drive.  You can only format them to NTFS if you tell the system to require you to use the "Eject" feature of the "Safely Remove Hardware" icon (since NTFS is journaling, removing while there are still cached actions to be done can leave the file system in an inconsistent state).

I ejected it once without ejecting (FAT32) and I lost data. :/

[iago]

According to the guys on that security list (that I referenced), it will iff it's formatted as a CDFS.  At least, that's how I understand it. 

The guys on the security list, or your understanding, are wrong.  As I demo'd, any time a drive letter is mounted, Explorer will check to see if it's auto-runnable.  It is filesystem-agnostic.

Well, I was going off what unTactical said.  Perhaps everything CAN run a program when you plug it in, which would probably be even worse.

Maybe it's possible that there's some half-thought-out security measure that prevents non-CDFS from auto-executing a program? 

[Chavo]

If its file system agnostic then why does the USB drive have to be FAT formatted?

It doesn't *have* to be FAT-formatted.  However, USB drives are typically FAT-formatted because of the quick-eject nature of the drive.  You can only format them to NTFS if you tell the system to require you to use the "Eject" feature of the "Safely Remove Hardware" icon (since NTFS is journaling, removing while there are still cached actions to be done can leave the file system in an inconsistent state).

I was merely mentioning FAT for illustrative purposes.  I demonstrated that this was the behavior using NFS (Network File System) as well.

The two parts of my reply went hand in hand, you can't answer half of it and ignore the rest!   Especially when your answer to that question contradicts the statement in the latter part of my post!

As this screenshot shows, autorun.inf is clearly modifying the label for my usb drive just fine, but it is definately not autorun-ing the specified executable or changing the default action of the drive.  I don't doubt you are right, but obviously its not working here

[Warrior]

http://blogs.msdn.com/windowsvistasecurity/archive/2006/10/03/USB-Blocking-in-Release-Candidate-1.aspx
Bitlocker ftw