Millions of IPs Remain Infected by USB Worm Years After its Creators Left It for Dead
hubie writes:
Ability of PlugX worm to live on presents a vexing dilemma: Delete it or leave it be:
A now-abandoned USB worm that backdoors connected devices has continued to self-replicate for years since its creators lost control of it and remains active on thousands, possibly millions, of machines, researchers said Thursday.
The worm, which first came to light in a 2023 post published by security firm Sophos, became active in 2019 when a variant of malware known as PlugX added functionality that allowed it to infect USB drives automatically. In turn, those drives would infect any new machine they connected to, a capability that allowed the malware to spread without requiring any end-user interaction. Researchers who have tracked PlugX since at least 2008 have said that the malware has origins in China and has been used by various groups tied to the country's Ministry of State Security.
For reasons that aren't clear, the worm creator abandoned the one and only IP address that was designated as its command-and-control channel. With no one controlling the infected machines anymore, the PlugX worm was effectively dead, or at least one might have presumed so. The worm, it turns out, has continued to live on in an undetermined number of machines that possibly reaches into the millions, researchers from security firm Sekoia reported.
The researchers purchased the IP address and connected their own server infrastructure to "sinkhole" traffic connecting to it, meaning intercepting the traffic to prevent it from being used maliciously. Since then, their server continues to receive PlugX traffic from 90,000 to 100,000 unique IP addresses every day. [...]
"We initially thought that we will have a few thousand victims connected to it, as what we can have on our regular sinkholes," Sekoia researchers Felix Aime and Charles M wrote. "However, by setting up a simple web server we saw a continuous flow of HTTP requests varying through the time of the day."
They went on to say that other variants of the worm remain active through at least three other command-and-control channels known in security circles. There are indications that one of them may also have been sinkholed, however.
Read more of this story at SoylentNews.