
USB Drives Target for Virus Infections

Source: Tom's Hardware | 18 comments

Thumb drives are popular with almost every computer user out there. They offer a compact way to carry work projects and personal documents, and IT staff use them to cart around useful tools on the job.

Because thumb drives are so popular and are frequently used to move data between multiple systems, especially in the IT world, they are also a prime target for attackers: a means of spreading infections with you doing most of the work for them. Although a lot of workplaces ban the use of thumb drives by their employees, the ban is very hard to enforce effectively – it is not like you are getting searched at the door when arriving at and departing from work every day. Some companies install silent applications on their workstations that detect when a drive has been added to the system – the software then notifies administrators – but by then it can already be too late.

Attackers could deliver an infection through the usual channels (exploits, bogus spam email, etc.), and the infection could be designed so that it does not affect your computer directly, since its only purpose is to sit and wait for external drives to be plugged in. Once an external drive or other storage device is plugged in, the virus goes to work and transfers malicious code to the device without you even knowing that it is taking place – now your thumb drive has become the attacker's tool, a tool to transport whatever code he/she wants to whatever computer you plug that drive into next – possibly your workstation at the office.

Malicious code can be used to steal your personal information, sensitive company documents, allow external access to the infected system, or even spread an annoying virus to a company network via network shares – the possibilities are limitless.

Some people think that because they have an ‘encrypted’ flash drive they are safe – which is completely incorrect. Encrypted flash drives are only effective against loss or theft, and even then it is questionable. Questionable because the drive could have been infected when you last accessed it: unlocking the encryption opens the door for something to get inside and modify the protection of the device itself.

Another common place that a lot of people probably do not think about is digital photo kiosks. These places are prime distribution points for infections. Think about it, if you were up to no good with some know-how, you could infect the photo kiosk computers at a Wal-Mart then sit back and laugh as literally thousands upon thousands of people walk in and insert their memory cards.

So what can you do to protect yourself against such activity? Although awareness and protective measures are never 100 percent effective, there are simple things you can do to at least ensure a higher protection rate, such as:

Take advantage of security features - Use passwords and encryption on your USB drive to protect your data, and make sure that you have the information backed up in case your drive is lost (see Protecting Portable Devices: Data Security for more information).

Keep personal and business USB drives separate - Do not use personal USB drives on computers owned by your organization, and do not plug USB drives containing corporate information into your personal computer.

Use and maintain security software, and keep all software up to date - Use a firewall, anti-virus software, and anti-spyware software to make your computer less vulnerable to attacks, and make sure to keep the virus definitions current (see Understanding Firewalls, Understanding Anti-Virus Software, and Recognizing and Avoiding Spyware for more information). Also, keep the software on your computer up to date by applying any necessary patches (see Understanding Patches for more information).

Do not plug an unknown USB drive into your computer - If you find a USB drive, give it to the appropriate authorities (a location’s security personnel, your organization’s IT department, etc.). Do not plug it into your computer to view the contents or to try to identify the owner.

Some tech-savvy users even go the extra mile by using virtual machine technology. With virtual machine software such as VirtualBox, one can keep a so-called ‘sealed-off’ copy of an operating system for checking downloaded files, email attachments, and external storage devices for infections – if an infection exists, it would not get any further than the virtual machine. If the virtual machine becomes infected, it can easily be restored from an image or snapshot. The data or device can then be cured before being used on the host operating system or another computer. This is going to the extreme, and not many average computer users will take these types of steps; however, it goes to show how serious the threat is, and how seriously some people take it.

  • 0 Hide
    smalltime0 , November 6, 2008 7:48 PM
    "you could infect the photo kiosk computers at a Wal-Mart then sit back and laugh as literally thousands upon thousands of people walk in and insert their memory cards."

    That would be hilarious... and illegal, but hilarious nonetheless.
  • 2 Hide
    one-shot , November 6, 2008 7:55 PM
    Hey, that's not funny. I work there. It's hard enough trying to teach the people how to use a working Kiosk. I can't imagine a broken one, makes me scared.
  • 1 Hide
    one-shot , November 6, 2008 7:58 PM
    Forgot to add...They would come back and blame me for the virus. Then they would ask me how to fix their PC. lol
  • -1 Hide
    Anonymous , November 6, 2008 8:16 PM
    i have never heard of a specific case of a usb drive having the ability to infect a computer. usb drives don't autorun. windows will ask you what you want to do, and an autorun inf can be authored to run malware, but you'd have to select it...

    this is not a good article. it should reference some kind of PROOF that this is even a remotely possible threat.
  • 0 Hide
    Anonymous , November 6, 2008 10:13 PM
    No, it does not autorun. On a usb drive, if you define an autorun.inf in a usb drive, the most it will do is add an extra option to windows' canned list of actions you can perform. the user has to *choose* the action though. MS did this on purpose specifically because they knew that usb drives would be a huge threat if you could make them automatically execute code. they can't. i was asked to make them do this for a trade show. i researched it (something the writer of the article didn't do), and found that you have to have the usb drive identify itself as a cdrom drive in order to actually auto run. in order to make it identify itself as such, you would have to be the usb drive manufacturer.
  • 0 Hide
    Anonymous , November 6, 2008 10:27 PM
    okay i just looked up hak5 and that's for bootable usb keys. a bootable key is no less secure than a windows cd. if you're trying to secure a workplace you simply disable usb drive booting. no sweat. BTW bootable usb is relatively new, and a lot of bioses don't support it. my last laptop would just fail to boot if I had my usb key (which was bootable, it booted into ghost for when i needed to reimage my test machine).

    a bootable usb key is not anything as frightening as a usb key that can execute code without user intervention upon insertion into a running windows box.

    and from what I can tell, there is no such usb key. i would love to know if there was one, i clicked on this story because I thought it was invalidating my preconceptions... but it doesn't. it tells me that there is a threat and then gives no concrete evidence. the best i get is from somebody who made a comment? and hak5 is a minor threat. bootable usb is a pain. bootable cds are easier to get working and therefore a greater threat imho. there is such little likelihood that anyone will unwittingly boot a hak5 usb key in an environment that has the most basic security.

    i feel like this article is scuttlebutt and scaremongering.
  • 1 Hide
    jsievers , November 7, 2008 1:25 AM
    Here's the best explanation of this issue that I have seen
    http://autorun.synthasite.com/index.php
    I have seen shell commands in the autorun.inf infect computers by just clicking on the drive in My Computer.
  • 0 Hide
    WheelsOfConfusion , November 7, 2008 2:35 AM
    But... I keep all my porn on my thumbdrive! D:
  • 0 Hide
    miltoxbeyond , November 7, 2008 4:20 AM
    I fix PCs for extra cash and I have seen a rather nasty virus (especially prone to XP since it doesn't have UAC) that would copy itself to the recycle bin of any disk attached to the computer, execute with windows on logon and completely hide itself from all spyware scanners. I caught the bastard when I was fixing two computers transferring files between two pc's for the same customer (one was a reinstall so it was blank) and the virus suddenly appeared on the second brand new installed computer. Plus without reformatting the drive the file stays hidden. I realized the virus spread to my thumb drive when I plugged the flash drive into my testing machine with vista and vista requested permission to run the autorun...

    I denied and checked out the files and found how the virus spread. Oh did I mention it cripples XP virus scanners. It hides inside the recycling bin so it usually is invisible. I got rid of the virus by loading up a PE environment and deleting the files manually from the hard disks (all of them, since it copied itself to ALL attached drives).

    People complain about UAC in vista, or just complain about vista entirely, but it really helps to prevent spyware.
  • 0 Hide
    miltoxbeyond , November 7, 2008 4:37 AM
    Oh forgot to mention it also does a real bastard of a job killing any taskmanager running near instantly, ensures registry blocks for the task manager and several other annoying restrictions are enforced in the registry (if you delete the settings it reappears almost instantly. If you do delete the setting and alt-control-del the comp task manager starts, then is killed by the program).

    Anyways. Yes thumb drives are a risk. I've seen it happen. Some computers have the setting turned off for auto-play. others just automatically execute it. I've worked with hundreds of computers(seriously, way too many) so I can vouch for it.
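
An added example, not part of any comment above and not code from the article: a small Python check that can be run over a removable drive's autorun.inf to flag the launch entries jsievers describes and the recycle-bin hiding place miltoxbeyond describes. The sample file contents, including the name sample.exe, are constructed for illustration.

```python
import re

# [autorun] keys that make Windows launch a program from the drive.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Folders the comments name as the hiding place on infected drives.
HIDING_DIRS = re.compile(r"(^|\\)(recycler|recycled|\$recycle\.bin)\\", re.I)


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("["):                  # section header
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def findings(text):
    """List the reasons this autorun.inf deserves a closer look."""
    out = []
    for key, value in parse_autorun(text).items():
        if EXEC_KEYS.match(key):
            out.append(f"{key} launches: {value}")
            if HIDING_DIRS.search(value):
                out.append(f"{key} points into a recycle-bin folder")
        elif key == "shell":
            # Changes what a double-click on the drive icon does.
            out.append(f"default double-click verb set to '{value}'")
    return out


# Constructed sample, not taken from a real infection.
SAMPLE = r"""
[AutoRun]
; constructed example
open=RECYCLER\S-1-0-0\sample.exe
shell\open\command=RECYCLER\S-1-0-0\sample.exe
shell=open
icon=%SystemRoot%\system32\shell32.dll,4
"""
BENIGN = "[autorun]\nlabel=Holiday photos\nicon=photos.ico\n"

if __name__ == "__main__":
    for reason in findings(SAMPLE):
        print(reason)
```

A drive whose autorun.inf only sets a label and icon produces no findings; any finding means the file should be inspected on a machine with AutoRun disabled before the drive is opened in Explorer.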
  • 0 Hide
    hemelskonijn , November 7, 2008 8:26 AM
    brrr now we need to be scared again ...lets buy norton and while we're at it a new machine so we have enough power to run norton (and vista i presume)
  • 0 Hide
    WheelsOfConfusion , November 7, 2008 12:35 PM
    miltox, what about Windows Defender?
  • 0 Hide
    miltoxbeyond , November 7, 2008 4:56 PM
    Yeah windows defender was also crippled. Couldn't execute. The virus intercepted any launch attempts. Renaming also didn't work because of all the dependent files... I tried to use it as an alternative since task manager didn't work to kill the program but the virus didn't let it start.
  • 0 Hide
    ToddAndMargo , November 7, 2008 6:18 PM
    One option not discussed in the article is to use "Write Protected" thumb drives. PQI offers a few but have really fragile switches that tend to break. Kanguru has some with nice switches. Both drives are on the slow side.
  • 0 Hide
    sanctoon , November 7, 2008 6:27 PM
    For me this is old news, i work for a local small town IT company maintaining most of the small business and home users computers.

    There's a virus called OnlineGamesTrojan(by nod32 anyway) or something like that, that spreads like wildfire through the use of thumb drives, and like miltox said it hides itself in the recycler folder of all infected drives.

    It's easy to remove, but not easy to contain the infection, people are just not careful enough. For the last year or what there's been pc's and thumb drives coming in my workshop with that bull**** infection.

    Funny thing is, a lot of them get infected through our local photo kiosk just down the street. I have even cleaned their pc's from viruses quite a few times.
  • 0 Hide
    BallistaMan , November 7, 2008 10:11 PM
    miltox, any particular side effects that you noticed from it? I'm fixing up a client's computer tomorrow (Vista) that I'm already quite sure has an infection on some level. It'd be nice to know if there's something like that on there that hides from the usual scans. The last system I dealt with (XP) that knocked out the scanners/task manager ended up getting a reformat. The last successful scan it had found well over 500 nasties - way more including the usual cookies and such. Naturally the owner decided to let most of them stay on...>_
  • 0 Hide
    jlwitt , November 19, 2008 6:44 PM
    Well, you can just lock down all USB storage devices by changing the file permissions of the USBSTOR.SYS file to deny system. It will detect the device but won't mount the drive. It's an easy fix to push out over a network as an admin.

    Another option to shut all USB drives is a registry change of:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
    change Start to hex of 4.

    An option for the photo kiosk is to set USB to be read only.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
    Create a DWORD of WriteProtect and set to 0

    USB Drives don't need to be a problem in the business world.
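
An added example, not the commenter's code: a Python audit of the two registry controls named in the comment above, read from a `reg export` file so it can be run away from the machine being checked. It assumes the export has already been decoded to text (regedit writes UTF-16) and treats WriteProtect = 1 as the read-only state, which is how Windows interprets that value; the export shown is constructed.

```python
import re

USBSTOR = r"hkey_local_machine\system\currentcontrolset\services\usbstor"
POLICY = (r"hkey_local_machine\system\currentcontrolset"
          r"\control\storagedevicepolicies")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: int}} (lower-cased)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = DWORD.match(line)
            if m:                       # only DWORD values matter here
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys


def usb_storage_posture(text):
    """Report which of the two controls is in effect in this export."""
    keys = parse_reg(text)
    start = keys.get(USBSTOR, {}).get("start")
    write_protect = keys.get(POLICY, {}).get("writeprotect")
    return {
        # Start = 4 marks the USB mass-storage driver as disabled.
        "usb_storage_disabled": start == 4,
        # WriteProtect = 1 is read-only; 0 or a missing value is writable.
        "usb_storage_read_only": write_protect == 1,
        "start": start,
        "write_protect": write_protect,
    }


# Constructed export from a hypothetical kiosk PC; not real data.
KIOSK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001
"""

if __name__ == "__main__":
    print(usb_storage_posture(KIOSK_EXPORT))
```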
  • 0 Hide
    erech2k2 , July 17, 2010 4:25 AM
    I'm currently experiencing this beast that has somehow found its way on just about every USB flash drive I own. The main file that seems to be the ringleader is riuofu.exe which all signs point to being in my docs/settings folder, but even after enabling view all files and folders still can't locate it. Another file is bl1 that loads in the temp folder. There are several other versions of this incredibly annoying worm. jsievers' link does give some insight on how it works. I'm going to disable the autorun and try to scan for this worm. Wish me luck.