2

Last week I was told by our security department that my PC (running windows 7) was infected by a trojan and that it needed to be re-imaged. So re-imaged it was! Given the fact that I had been using this PC for a while, visited thousands of web pages and used USB key to

3 days later, the security department notified me again that my PC is infected with malware and that my PC will (again) need to be re-imaged. Since I do not want to reimage my PC every 3 days, I want to figure out the infection vector (assuming it is the same malware)

Possible infection vectors I found:

  • Visiting a compromised web site
  • Downloading a trojan hidden in legitimate software (I did not download/install more that 3 pieces of software since the reimaging, so that should be easy to find)
  • Connecting my iPhone to the USB port of my computer to charge it.

Can the latter be the cause of infection, even if the drive was not mounted? If so, is there a way to check/disinfect it? I found lots of tools for autorun.inf related malware, but these require the media to be mounted as a drive.

Edit: I have not been told what the exact malware was, nor when or how it was detected.

  • My question is does your local computer have an anti-virus (besides Windows Security Essentials) on it? I've seen Windows Security Essentials fail a few times and recommend paid versions of Anti-Viruses. I particularly like Kaspersky especially since it will scan USB drives before letting them fully mount. – Travis Pessetto May 16 '14 at 14:59
  • Local computer has an anti virus. (Trend micro) – Vincent Hubert May 16 '14 at 15:41
  • What about a P2P client (such as BitTorrent, LimeWire, FrostWire, etc)? I know my school's network sometimes detects computers with these on as "infected computers." – Travis Pessetto May 16 '14 at 15:53
  • No P2P client. These are usually "frowned upon" in the workplace. – Vincent Hubert May 16 '14 at 16:42
  • Yes, I know it is generally frowned upon in the workplace to use P2P, but I figured it is best not to assume. The software you use, is open source, freeware, shareware or paid commercial? I would rule out viruses from open source or paid commercial applications (though there is a slight chance they can carry one). Compromised websites is also common, but I don't see why either of these wouldn't be stopped by the anti-virus you have installed. It is also possible that Trend Micro's virus signature database is being picked up as a virus. – Travis Pessetto May 16 '14 at 17:05
  • Followup: This was actually a (double) false positive. I installed an application (http://snoopwpf.codeplex.com/) that was picked up as malware. I guess some heuristics of the malware detection triggered something. Too bad I re-imaged my PC needlessly. This is what I suspected, (it was one of the few apps I reinstalled) but it's always hard to go back to corporate infosec telling them it is false positive without any proof. – Vincent Hubert May 16 '14 at 17:33

3 Answers

2

This is a rather broad question with a deceptive title. The short answer: HIGHLY unlikely your iPhone is the cause of your machine becoming infected. I will answer WHY I make this statement. The instances of iPhone based malware are pale in comparison to say Android, irrelevant, but true. To explain this, one needs to understand that in order to sell ANYTHING via Apple's iStore, a developer needs to pay fees, provide EXTENSIVE identification papers (license, state ID, etc).

Even if you were using say an Android it is STILL unlikely your phone is the medium. Further explanation on this: So a virus/malware author makes an Android based piece of malware. You have an APK, maybe some bad java/javascripts, these affect the infected device. The calls the malware will make, are targeted. So Android based malware would NEVER run on say Windows.

Now before someone states: "You're wrong" let me clarify this... Neither Android, nor iPhone based malware WILL RUN on a Windows machine. However, a dropper will. A dropper will/can go out to the internet and get a specific piece of malware to disaffect the infected machine. For example:

Dropper --> hey what kind of machine am I on? --> save to POST --> POST to C&C
C&C --> oh, alright so you need this version ... here download it

Now let's look at the premise of what you asked: "Can someone on my phone, copy itself to a shared drive... Then execute to infect?" Highly unlikely. Most malware authors tend to target that which they are good at. This means, most authors targeting say iPhones, are going to usually stick with targeting iPhones (cocoa, etc., whatever they're familiar with). Unlikely they'd risk detection by 1) exploiting an iPhone, only to shove in Windows based executables which would trigger all sorts of warnings causing detection quicker.

Pretty long answer so far. Now the initial (root cause) of the question is: "How am I getting infected." Without knowing WHAT it was you got infected by (e.g. ZBot, Zeus, NIMDA, SDBOT, etc.) anything else answered is kind of moot. You can get infected by many things, visiting a site, XSS, USB keys, and so on.

munkeyoto
  • Actually, I was wondering, if malware could infect the iPhone the same way it infects a USB key. The iPhone not being actively involved in the infection process, but rather passively, like an autorun.inf worm. I can access pictures on the phone, so I guess that malware could be present & hidden as well. Now can it get executed to infect? – Vincent Hubert May 16 '14 at 14:25
  • This depends on the settings of the phone. E.g. if you are running bluetooth with a weak password, and are in close proximity to an infected computer it's possible – munkeyoto May 16 '14 at 14:28
  • 1
    An iPhone isn't recognized as a storage device by default, so no autorun. A malware on it would need to modify the entire USB stack of the phone to make it appear as a standard storage device like a flash drive, which would be difficult since Apple restricts app capabilities so much (even if a malicious app is installed, it's sandboxed and has no way of touching the phone's USB stack). –  May 16 '14 at 15:19
  • @André, that is the answer I was expecting, thanks – Vincent Hubert May 16 '14 at 17:28
  • The malware would have to subvert the iPhone's firmware to the point that it alters its behavior when plugged in -- to report itself as a USB storage with an autorun.inf file that the windows host would then have to be stupid enough to execute. Not impossible, but not even remotely trivial to do, highly prone to detection during the iTunes Store's vetting process, and a very limited success chance. I suspect most malware writers will go for easier targets, especially since there are so goddamn many out there. – Shadur May 17 '14 at 09:58
  • @André, please post your comment as answer, I will mark it. – Vincent Hubert May 20 '14 at 13:09
2

An iPhone doesn't appear as a mass storage device, there's no way to put files on it (other than taking pictures with the iPhone itself) and autorun doesn't work with it.

A malware would need to modify the iPhone's USB stack to make it appear as a standard storage device (like a flash drive) and then put itself on it with an autorun.inf, but even then, Windows 7 and later ask users before running autoruns.

But because Apple restricts apps' capabilities so much (each one of them runs in a sandbox, can't access other apps' folders nor write to system folders) this is most likely impossible.

Lighty
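As an added example (not code from the thread or from any of its posters), here is a small Python triage script for an autorun.inf. It speaks to two points above: the question's remark that the available autorun.inf tools need the media mounted as a drive, and Lighty's answer that a device would first have to present itself as a storage volume carrying an autorun.inf for the autorun path to matter at all. The script works on the file's text alone, so it can be run on a copy pulled from a read-only image of the media rather than on a mounted drive, and it reports which entries would ask Windows to launch something. The sample file contents, the RECYCLER\payload.exe path and the label strings are constructed for the example and are not indicators from the thread.

```python
"""Triage an autorun.inf without mounting the media (added example, not from the thread).

Windows reads autorun.inf case-insensitively from the root of a volume. The keys
that can launch a program are 'open', 'shellexecute' and 'shell\\<verb>\\command';
a bare 'shell=' key changes which verb runs on double-click. Removable-media worms
typically combine one of those with a payload hidden in a system folder and a
label that imitates a normal drive. The parser tolerates the usual obfuscation
(NUL bytes, junk before the header, a decoy second section).
"""
import re

EXEC_KEYS = {"open", "shellexecute"}
# Folder names under which payloads are commonly hidden on removable media.
SUSPICIOUS_DIRS = ("recycler", "recycled", "system volume information", "$recycle.bin")
# Default names Windows shows for a clean device; a worm may copy them to blend in.
SPOOFED_LABELS = {"removable disk", "local disk", "cd drive", "dvd drive"}

# Constructed sample of a worm-style autorun.inf (not a real-world file).
SAMPLE_WORM = (
    "\x00\x00;junk before the section header\n"
    "[AutoRun]\n"
    "Open = RECYCLER\\payload.exe\n"
    "Icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    "shell\\Open\\Command=RECYCLER\\payload.exe\n"
    "shell=Open\n"
    "Label=Removable Disk\n"
    "[autorun]\n"            # decoy second section; Windows uses the first one
    "open=second.exe\n"
)

# Constructed sample of an ordinary product CD (icon and label only).
SAMPLE_CLEAN = "[autorun]\nicon=setup.exe,0\nlabel=Product CD\n"


def parse_autorun(text):
    """Return {key_lower: value} for the first [autorun] section in the text."""
    text = text.replace("\x00", "")          # NUL padding is ignored by Windows
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "autorun":
                if in_section:
                    break                    # second [autorun] block: keep the first
                in_section = True
            else:
                in_section = False           # e.g. [DeviceInstall] or a decoy name
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.setdefault(key.strip().lower(), value.strip().strip('"'))
    return entries


def triage_autorun(text):
    """Return a list of (severity, reason) findings; an empty list means nothing launches."""
    findings = []
    for key, value in parse_autorun(text).items():
        lower = value.lower()
        if key in EXEC_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
            findings.append(("high", f"{key}= launches '{value}'"))
        if key == "shell":
            findings.append(("high", f"shell= changes the default double-click verb to '{value}'"))
        if any(d in lower for d in SUSPICIOUS_DIRS):
            findings.append(("high", f"{key}= references a hidden system folder: '{value}'"))
        if key == "label" and lower in SPOOFED_LABELS:
            findings.append(("medium", f"label= imitates a default Windows drive name: '{value}'"))
    return findings


def max_severity(text):
    """Summarise a file as 'high', 'medium' or 'clean'."""
    levels = {sev for sev, _ in triage_autorun(text)}
    return "high" if "high" in levels else "medium" if "medium" in levels else "clean"


if __name__ == "__main__":
    for name, sample in (("worm", SAMPLE_WORM), ("clean", SAMPLE_CLEAN)):
        print(f"{name}: {max_severity(sample)}")
        for sev, reason in triage_autorun(sample):
            print(f"  [{sev}] {reason}")
```

A "high" result only tells you what the file asks the host to do; whether Windows actually obeys depends on the AutoPlay policy on that machine, which is Lighty's point about Windows 7 prompting rather than running. Feed the script the file copied from the media's root directory (for example out of a disk image) and it will name the payload path to hand to the security team as evidence, without ever mounting the device.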
0

Look at other devices in your network. Several weeks ago I read about a digital tv recorder that was infected via telnet. It's not likely that this has happened, but any device that has internet access is a potential source of malware. If not now, be aware that this is going to happen soon.

SPRBRN