USB Drives Target for Virus Infections

By Aaron Heibert
published

Thumb drives are pretty popular with almost every computer user out there. They offer a compact storage solution for carting around work projects, personal documents, and IT staff use them to cart around useful tools on the job.

Because thumb drives are so popular and generally get used to move data between multiple systems frequently, especially in the IT world, they are also a prime target for attackers as means to get infections spread around with you doing most of the work for them. Although a lot of work places ban the use of thumb drives by its employees, it is still very hard to govern effectively – it is not like you are getting searched at the door when arriving and departing from work every day. Some companies actually install silent applications on their workstations that detect when a drive has been added to the system – the software then notifies administrators – but by then it can already be too late.

Attackers could get an infection out via standard mediums using exploits, bogus spam email, etc and the infection could be designed so that it does not affect your computer directly since its only purpose is to sit and wait for external drives to be plugged in. Once an external drive or other storage based device is plugged in, the virus goes to work and transfers malicious code to the device without you even knowing that it is taking place – now your thumb drive has become the attackers tool, a tool to transport whatever code he/she wants to whatever computer you plug that drive into next – possibly your workstation at the office.

Malicious code can be used to steal your personal information, sensitive company documents, allow external access to the infected system, or even spread an annoying virus to a company network via network shares – the possibilities are limitless.

Some people tend to think that because they have an ‘encrypted’ flash drive they should be safe – which is completely incorrect. Encrypted flash drives are only effective against loss or theft, and even then it is questionable. Questionable since it could have been infected when you last accessed it – opening the doors on the encryption to get something on the inside that modifies the protection of the device itself.

Another common place that a lot of people probably do not think about is digital photo kiosks. These places are prime distribution points for infections. Think about it, if you were up to no good with some know-how, you could infect the photo kiosk computers at a Wal-Mart then sit back and laugh as literally thousands upon thousands of people walk in and insert their memory cards.

So what can you do about protecting yourself against such activity? Although 100 percent awareness and measures are not always 100 percent effective, there are simple things you can do at least ensure a higher protection rate. Such as:

Take advantage of security features - Use passwords and encryption on your USB drive to protect your data, and make sure that you have the information backed up in case your drive is lost (see Protecting Portable Devices: Data Security for more information).

Keep personal and business USB drives separate - Do not use personal USB drives on computers owned by your organization, and do not plug USB drives containing corporate information into your personal computer.

Use and maintain security software, and keep all software up to date - Use a firewall, anti-virus software, and anti-spyware software to make your computer less vulnerable to attacks, and make sure to keep the virus definitions current (see Understanding Firewalls, Understanding Anti-Virus Software, and Recognizing and Avoiding Spyware for more information). Also, keep the software on your computer up to date by applying any necessary patches (see Understanding Patches for more information).

Do not plug an unknown USB drive into your computer - If you find a USB drive, give it to the appropriate authorities (a location’s security personnel, your organization’s IT department, etc.). Do not plug it into your computer to view the contents or to try to identify the owner.

Some tech savvy users even go the extra mile, by utilizing virtual machine technology. By using virtual machine software, such as VirtualBox, one could have a so-called ‘sealed-off’ copy of an operating system when checking downloaded files, email attachments, and external storage devices for infections – if an infect exists, it would not get any further than the virtual machine. If the virtual machine becomes infected, it can be easily restored from an image or snapshot. The data or device can then be cured before being used on the host operating system or other computer. Now this is going to the extreme, and not many average computer users will take these types of steps, however, it just goes to show how serious the threat is, and how serious some people take it.

Aaron Heibert
18 Comments Comment from the forums
  • smalltime0
    "you could infect the photo kiosk computers at a Wal-Mart then sit back and laugh as literally thousands upon thousands of people walk in and insert their memory cards."

    Thats would be hilarious... and illegal, but hilaroius none the less.
    Reply
  • one-shot
    Hey, that's not funny. I work there. It's hard enough trying to teach the people how to use a working Kiosk. I can't imagine a broken one, makes me scared.
    Reply
  • one-shot
    Forgot to add...They would come back and blame me for the virus. Then they would ask me how to fix their PC. lol
    Reply
  • i have never heard of a specific case of a usb drive having the ability to infect a computer. usb drives don't autorun. windows will ask you what you want to do, and an autorun inf can be authored to run malware, but you'd have to select it...

    this is not a good article. it should reference some kind of PROOF that this is even a remotely possible threat.
    Reply
  • No, it does not autorun. On a usb drive, if you define an autorun.inf in a usb drive, the most it will do is add an extra option to windows' canned list of actions you can perform. the user has to *choose* the action though. MS did this on purpose specifically because they knew that usb drives would be a huge threat if you could make them automatically execute code. they can't. i was asked to make them do this for a trade show. i researched it (something the writer of the article didn't do), and found that you have to have the usb drive identify itself as a cdrom drive in order to actually auto run. in order to make it identify itself as such, you would have to be the usb drive manufacturer.
    Reply
  • okay i just looked up hak5 and that's for bootable usb keys. a bootable key is no less secure than a windows cd. if you're trying to secure a workplace you simply disable usb drive booting. no sweat. BTW bootable usb is relatively new, and a lot of bioses don't support it. my last laptop would just fail to boot if I had my usb key (which was bootable, it booted into ghost for when i needed to reimage my test machine).

    a bootable usb key is not anything as frightening as a usb key that can execute code without user intervention upon insertion into a running windows box.

    and from what can tell, there is no such usb key. i would love to know if there was one, i clicked on this story because I thought it was invalidating my preconceptions... but it doesn't. it tells me that there is a threat and then gives no concrete evidence. the best i get is from somebody who made a comment? and hak5 is a minor threat. bootable usb is a pain. bootable cds are easier to get working and therefore a greater threat imho. there is such little likelihood that anyone will unwittingly boot a hak5 usb key in an environment that has the most basic security.

    i feel like this article is scuttlebutt and scaremongering.
    Reply
  • jsievers
    Here's the best explanation of this issue that I seen
    http://autorun.synthasite.com/index.php
    I have seen shell commands in the autorun.inf infect computers by just clicking on the drive in My Computer.
    Reply
  • WheelsOfConfusion
    But... I keep all my porn on my thumbdrive! D:
    Reply
  • miltoxbeyond
    I fix PCs for extra cash and I have seen a rather nasty virus (especially prone to XP since it doesn't have UAC) that would copy itself to the recycle bin of any disk attached to the computer, execute with windows on logon and completely hide itself from all spyware scanners. I caught the bastard when I was fixing two computers transferring files between two pc's for the same customer (one was a reinstall so it was blank) and the virus suddenly appeared on the second brand new installed computer. Plus without reformatting the drive the file stays hidden. I realized the virus spread to my thumb drive when I plugged the flash drive into my testing machine with vista
    and vista requested permission to run the autorun...

    I denied and checked out the files and found how the virus spread. Oh did I mention it cripples XP virus scanners. It hides inside the recycling bin so it usually is invisible. I got rid of the virus by loading up a PE environment and deleting the files manually from the hard disks (all of them, since it copied itself to ALL attached drives).

    People complain about UAC in vista, or just complain about vista entirely, but it really helps to prevent spyware.
    Reply
  • miltoxbeyond
    Oh forgot to mention it also does a real bastard of a job killing any taskmanager running near instantly, ensures registry blocks for the task manager and several other annoying restrictions are enforced in the registry (if you delete the settings it reappears almost instantly. If you do delete the setting and alt-control-del the comp task manager starts, then is killed by the program).

    Anyways. Yes thumb drives are a risk. I've seen it happen. Some computers have the setting turned off for auto-play. others just automatically execute it. I've worked with hundreds of computers(seriously, way too many) so I can vouch for it.
    Reply