Open source software security

USB Malware

30 November -0001

Remember the good old days when you traded C-64 games with your friends by carrying your floppy drive over to his or her house to copy disks? Back in those days very few people had the two drives you needed to copy a disk so the entire process was a bit clunky. The first sneakernet. Remember how, even in those days, people would warn you about virus infected disks? Yeah, the good old days. Well, those days may be back thanks to those handy USB keys that we all carry around.

USB drives are increasingly targeted for malware distribution. The problem with the drives is that they're designed to be auto-mountable (did I make that word up?) on Windows machines. This means they can be loaded with an autorun.inf file that can cause software to run when the USB drive is plugged into the system. This attack vector is making use of an old technique with a new device.

Numerous penetration test teams have reported (Security Focus, Trend Micro, The Register) the ease with which infected USB drives can be distributed as well. Placing a shiny USB key in a public place nearly guarantees that it will be picked up and plugged into a computer somewhere. Even an upstanding good Samaritan might attempt to look on a lost USB drive to find details to contact the owner.

Taking any unknown USB device and plugging it into your computer is a very dangerous proposition. The exposure risk is high. Given that most anti-virus software is signature based (meaning it has a database of known malware) a custom piece of malware could evade your detection and infect your machine.

So what are you to do when you come across a USB drive that you suspect could be infected with malware? The best approach is to avoid exposing the drive to a Windows environment. You can mount the drive on a Linux machine, or even better in a virtual environment, and then scan the drive for malware or oddities (including autorun features). You can also use forensic bootable CDs such as Helix to scan the drive before use. Above all, don't blindly plug the drive into your machine, regardless of how up to date you feel your antivirus software is!