How do viruses spread by open network shares on Windows machines?
Posted on 2009-04-12
I have been reading about the Conficker virus, and wonder about the reference of it infecting distant machines through open network shares. I cannot find a way for a virus to invoke a remote execution to infect a distant machine. Because of Microsoft's "helpful" behavior, I can see how a virus may trick a user into executing it, but I don't see how it can execute itself. I have Googled and read many discussions, but never found a specific answer to my question.
The share I am talking about is a data share; the entire drive is NOT shared, and the OS directories (including OS extensions by installed programs) are not shared. Clearly, if I share the entire drive, or the OS or Program directory, an OS or program DLL or EXE can be replaced, and eventually executed by normal calls from the OS.
Possibly the problem is the terms used: spread and infection are being used interchangeably. In my mind, spreading means the virus payload is being placed on a device, such as a removable storage or shared network directory, but is not active. Infected to me means the virus is active. If a virus just spreads, a good and up-to-date pre-execution virus scanner will block infection.
What concerns me is the implication that a virus can push itself from one machine to another and infect that machine without overt user action on the targeted machine, i.e., not just place a copy of the payload in the shared directory, but actually remotely cause the activation of that payload.
Any insight into this mechanism of infection would be appreciated.