RealTime IT News

Do You Know Where That USB Drive Has Been?

The latest trick from malware writers is a retro form of virus propagation. For some time now, e-mail has been the standard form of delivery and spreading of malicious code by getting users to click on malicious links. But in the pre-Internet days, viruses typically spread from one computer to another via the floppy disks people used to share data and applications.

That old method is coming back, with a modern twist. Now the bad guys are targeting USB storage devices, most notably USB thumb drives, by taking advantage of the nature of the drive and a major weakness in Windows.

When removable media such as a thumb drive or CD-ROM is placed in a computer's USB port or optical drive, a program can be executed automatically through the autorun.inf file stored on it. Windows' AutoRun facility is programmed to look for this file and carry out whatever instructions it contains.

In the case of an application install CD, that file starts the installer. In the case of INF/Autorun, the file points Windows at a program that installs malware on the user's system, such as a Trojan, rootkit or keystroke logger.
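A small defensive check for the mechanism described above, added here as an example rather than code from the article or from ESET: it parses an autorun.inf file the way Windows reads it (case-insensitive [autorun] section, key=value lines, ';' comments) and reports which directives would cause a program to run. The two sample files are constructed for the example; the RECYCLER path in them is invented.

```python
import re
from typing import Dict, List

# Keys that make Windows AutoRun (or the Explorer default action) launch a program.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample: a plain install CD that only sets an icon and a label.
BENIGN_AUTORUN = r"""[autorun]
icon=setup.exe,0
label=Product Installer
"""

# Constructed sample of the pattern the article describes: every launch
# directive points at an executable hidden on the removable drive.
SUSPICIOUS_AUTORUN = r"""[AutoRun]
; comment lines are ignored, just as Windows ignores them
open=RECYCLER\setup.exe
shellexecute=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_directives(text: str) -> List[str]:
    """List every directive that would cause code execution on insertion or on 'Open'."""
    entries = parse_autorun_inf(text)
    return [f"{k}={v}" for k, v in entries.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND.match(k)]


def is_suspicious(text: str) -> bool:
    """True when the file launches a program; icon/label-only files are not flagged."""
    return bool(launch_directives(text))
```

Run against the autorun.inf at the root of a newly inserted drive, the check gives a concrete reason to refuse the AutoRun prompt before anything executes.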

INF/Autorun first appeared on the monthly threat report from ESET Software, developer of the NOD32 antivirus program, in June of 2007, accounting for 2.17 percent of all malware encountered by the company and its customers that month.

By last month, just nine months later, it accounted for 10.3 percent of detections, making it the most prevalent form of malware the company saw that month. Why did it become so popular? Because it works so well, said Randy Abrams, director of technical education at ESET.

"AutoRun is the biggest Microsoft security hole right now," he said. "The stuff in e-mail and links exploit user ignorance. Autorun prevents an educated user from having much of a chance."

While it is possible to shut off AutoRun, iTunes prompts the user to turn it on so that music CDs play automatically when placed in the CD-ROM drive. Users don't even think about the consequences and say yes.

But Abrams claims leaving AutoRun active dramatically lowers security. "It would not be at all unreasonable to call iTunes a potentially dangerous application," he said, because of the way iTunes tries to get users to turn on AutoRun without disclosing what Abrams called "the very real, extensive, and well known dangers."

Abrams' advice? Shut off AutoRun on your computer and leave it off despite iTunes' prompting. "That helps a whole bunch. Microsoft should have done this a long time ago. Even Microsoft's own security experts say so," said Abrams.

Other security dangers of note

Some of the other pests of note in ESET's March 2008 report: Win32/Adware.Virtumonde continues to be a major nuisance by burying its hooks so deeply into a computer that it becomes impossible to remove. Virtumonde isn't malicious, but it is annoying: it bombards the user with pop-up advertisements. Because of the way it installs itself, removal is quite a task.

ESET has also noticed the emergence of Mebroot, a rootkit that uses classic boot sector virus techniques. It moves the Master Boot Record to another sector and copies its own code to sector 0, where the MBR is supposed to be. It then patches ntoskrnl.exe and maintains persistence by storing its data in disk sectors rather than in files, while making no registry changes. Since malware is often caught by the entries it writes to the Windows registry, this makes Mebroot tough to detect and eradicate.