Flash Drives Are Deceptively Perfect For Viruses

Over the past few years, some of the world’s most dangerous and daring computer viruses have originated on infected USB drives. One even got into the computers inside Iran’s largest nuclear power plant, even though it’s not connected to any outside network. See, what makes flash drives such an ideal host is that most people don’t think twice about sticking one in their computer.

Indeed, if you found a flash drive lying outside your office, wouldn’t you open it up to try to see who it belonged to? But just viewing one folder on the drive is all it takes for a new breed of malware to infect your computer.

A security firm advises that you shouldn’t trade flash drives with other people, stick an unknown one in your computer, or pick one up off the ground and load it on your computer to peer inside its contents.

Don’t Stick It In [Slate] (Thanks to Wayne!)

Comments

  1. jshier says:

    THIS JUST IN: Floppy Disks Are Deceptively Perfect For Viruses!

    • theblackdog says:

      Beat me to it, I was going to say that this is just like when everyone used Diskettes to move files around.

    • Applekid ┬──┬ ノ( ゜-゜ノ) says:

      Back in the day, I remember seeing an “anarchist cookbook” type text file that described how to make a floppy disk bomb. You were to disassemble the floppy disk, coat the media with a combination of nail polish and phosphorus scraped from matchstick heads and reassemble.

      The idea was that as soon as you tried to read from the disk, the disk head would shoot out hot sparks that would set your computer on fire.

      Never tried it and don’t know if it would really work as well as it said (surely electronics which are baked at over 200 degrees C could withstand a few sparks), but, yeah.

      I guess you could wire the voltage lines on the USB plug to some kind of explosive since the USB hub will pump out +5V no problem just by plugging it in.

      • Shadowfax says:

        The article actually said to replace the cotton cleaning pads on either side of the magnetic disk with sandpaper, and then to take a wooden scraper and very carefully scrape off the heads of strike anywhere matches, and sprinkle them on the magnetic disk – – you could either use nail polish or floral adhesive spray as your fixative.

        It didn’t work by sending sparks into the floppy drive. It worked by setting the disk on fire.

        (I remember reading those stupid things back in junior high, absolutely CONVINCED that the feds were gonna come after me if anyone found out I was reading about how to make a land mine out of a film canister)

      • gman863 says:

        Damn. Add another item to the TSA’s list on carry-on no-no’s.

    • B says:

      Floppy disk?

    • ElizabethD says:

      ROFL! +1

    • guroth says:

      CDs were not widely used to distribute viruses for one important reason: they are not rewritable (except of course rewritable CDs, but those are far less common and not used by distribution companies).

      USB sticks, like their floppy disk cousins, are rewritable and so anyone can intercept a stick and put a virus on it, whereas a stamped CD would have to be infected at the stamping warehouse.

      So we now have a generation that never knew the floppy disk, and so are adopting USB sticks with the sense of security they had with CDs.

    • TheGreySpectre says:

      The reason Flash disks are better than other media (CDs, DVDs, Floppies) for virus distribution has nothing to do with the rewrite-ability of the media. It has everything to do with how a USB device can auto execute code.

      • roothorick says:

        So can CDs. And DVDs. And SATA drives, if you plug them into a system that happens to have a hotplug-capable SATA host controller. Windows doesn’t care what it actually is; if it just got new media, it’s gonna pop open any autorun.inf it finds and very possibly execute code off the device. The only reason floppy disks aren’t vulnerable is because there’s no notification from the drive when a disk is inserted; the OS would have to actively check for a new disk every couple seconds, and Windows simply doesn’t do that.

        What was your point again?
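
The autorun.inf mechanism roothorick describes above, as an added example that is not part of the original thread: a Python sketch that reads a drive's autorun.inf as plain text and lists the entries that would launch a program, without running anything from the drive. The sample file contents and every function name here are constructed for illustration.

```python
"""Statically inspect an autorun.inf; nothing on the drive is executed."""
import re

# [autorun] keys that name a program Windows may launch from the media.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample for illustration, not taken from a real drive.
SAMPLE = (
    "; constructed sample\r\n"
    "[AutoRun]\r\n"
    "Open=RECYCLER\\setup.exe /quiet\r\n"
    "Icon=folder.ico\r\n"
    "Action=Open folder to view files\r\n"
    "Shell\\Explore\\Command=RECYCLER\\setup.exe\r\n"
    "[Content]\r\n"
    "MusicFiles=false\r\n"
)


def decode(raw: bytes) -> str:
    """Handle UTF-16 (with BOM), UTF-8, and legacy ANSI files."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    try:
        return raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        return raw.decode("cp1252", errors="replace")


def parse_autorun(text: str) -> dict:
    """Return {lowercased key: value} from the [autorun] section only."""
    entries, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def findings(entries: dict) -> list:
    """Flag entries that launch a program or set the AutoPlay prompt text."""
    out = []
    for key, value in entries.items():
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            out.append(("executes", key, value))
        elif key == "action":
            out.append(("prompt-text", key, value))
    return out


def inspect_bytes(raw: bytes) -> list:
    return findings(parse_autorun(decode(raw)))


if __name__ == "__main__":
    for kind, key, value in inspect_bytes(SAMPLE.encode("utf-16")):
        print(f"{kind:12} {key} = {value}")
```

To check a real drive, pass the bytes of its autorun.inf to `inspect_bytes` on a machine where autorun is disabled.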

  2. framitz says:

    You can NOT trust a flash drive fresh out of the package. There have been several incidents where new product was infected at the factory.

    Flash drives that contain ‘free’ software should always be scanned in a computer that has autorun disabled prior to use.

    • CTrees says:

      There’s a reason NMCI (in about the one good idea it ever had…) requires all external drives to be wiped, scanned, and certified as “safe” by their IT staff before being used on DoD computers.

    • Rommel says:

      Well I’m in luck, then. My autorun just went up and stopped working.

  3. balthisar says:

    If you’re on Windows, just hold down the Shift key as you insert the drive; the autorun file won’t run. Then to look at folders, right-click and select Explore instead of double-clicking. Hopefully by the time you’ve gotten this far, your virus scanner is already on top of things.

    If you’re on a Mac, there’s not (yet) much to worry about.

    • justdragit says:

      Wow, you are a friggin’ genius! Wonder why no one has thought of that?

      Just the act of opening the folders to view them can release a virus/malware onto a PC. And most of your spyware/malware/virus scanners aren’t picking them up, at least not right away. There are 1000’s of spyware programs released daily and it’s hard to keep up with them.

    • PsiCop says:

      +1 on the “shift key” trick. I’m surprised the “security experts” cited in the Slate article, never mentioned it … ?

      As for Macs, the key word in your sentence is “yet.” There have been a few Mac exploits that actually got into the wild … but they’re still exceedingly rare. I own a Mac, and one of the reasons I bought it is because of the nearly-nonexistent incidence of virus threats for them. That, however, can always change, if the script kiddies, hackers, and other assorted vermin who create viruses, decide to branch into the Mac world aggressively.

      • ElizabethD says:

        PC fanatics have been saying for YEARS that Mac users are about to get hit with all sorts of viruses (virii?), but it just isn’t happening.

        I’ve used Macs of all shapes, sizes, and sophistication levels since the early 1980s and (knock on wood) have never had a virus on any of my machines.

        • trey says:

          the day macs get a sizable share of the business market is when you will see it, until then you can enjoy your autonomy.

          3.6 percent of the market is not going to be any fun for a hacker.

          if you could get businesses to buy macs you would have a bigger problem… it’s all about statistics, and for macs, 3.6 percent is not worth the time investment of a hacker or hackers.

          http://community.winsupersite.com/blogs/paul/archive/2010/04/20/mac-q1-2010-pc-market-share-3-6-percent.aspx

          • BonzaiSamurai says:

            Exactly what I thought, however with the new Scan the check for deposit with Chase and iPhone and the popularity of iPhone I would think that would be a prime target.

        • Shadowfax says:

          PC users have been assuming for years that macs will actually get popular.

          No one’s going to bother writing a virus that will only infect elementary schools and people who like turtlenecks.

          Flame on ;)

        • PsiCop says:

          For the record I’m not a “PC fanatic.” I actually own a Mac, and one of the reasons I bought it, was so that I didn’t have to deal with the potential for malware. I’m a fan of Macs, and recommend them to people (depending on their needs).

          I’m just being realistic. It’s always possible for the script kiddies and vermin to go after Macs. No one can say that it will never happen. The truth is that it HAS been tried occasionally, such as here, but for whatever reason they never blossomed in the wild.

          Lastly, other commenters mentioned it, and I will agree, that Macs can be virus CARRIERS. It’s possible for someone with a Mac to get an infected file someplace, store it, then for a Windows user to acquire it, and become infected. Mac users can and should occasionally scan their Macs for viruses. Note, I don’t mean they should install a real-time background-running virus-scanning software package; but rather something like ClamXAV, and launch on-demand scans. Do so every week or two, especially if you share files with Windows users. The virus won’t necessarily infect the Mac but it can infect others.

      • TuxRug says:

        There’s actually a virus out there that has the ability to launch itself even if you have autorun disabled or hold the shift key. On systems from XP to Windows 7, without all the right patches, a virus can load itself by fooling Windows while it’s trying to draw the ICON.

    • crackblind says:

      Macs can be carriers of viri. The recycler virus will reside on the Mac and infect flash drives even if it doesn’t affect the Mac. For now the main reason for antivirus software on the Mac is to protect Windows machines.

    • TheGreySpectre says:

      This does not protect you from flash drives!

      Flash drives execute driver code when they are first inserted into the computer. This is separate from autorun. Viruses can be placed in the driver code, that is what makes them such a good tool for virus distribution. It is also what separates flash drives from CDs, DVDs, Blu-Rays and floppies, the fact that they always execute code regardless of autorun.

      • consumerfan says:

        Correct me if I’m wrong but if the target machine has infected driver code, that’s already an infected computer.

        You can’t infect a clean PC with a virus by plugging in a USB drive when AutoRun is switched off.

  4. Snowblind says:

    New drives are not all that safe either. Several manufacturers, such as Maxtor, have shipped drives with a pre-installed virus.

  5. IphtashuFitz says:

    Reminds me of this article I read a couple years ago:

    http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=208803634

  6. Platypi {Redacted} says:

    Must….resist….making….it….dirty….

    Not sure why, someone else will soon enough!

    • theycallmeGinger says:

      Don’t go grabbing a stick you don’t know and shoving it in any hole that fits! That’s how viruses are spread!

  7. Alvis says:

    There is no problem with flash drives.

    The problem is users who don’t configure Windows PCs to properly deal with removable drives. Microsoft should have never enabled Auto-exec by default.

  8. Tim says:

    That’s not what she said.

  9. Benanov says:

    I just always mount flashdrives noexec. I think that’s even the default for…my…OS…

    Another win for desktop operating systems that think of these things by default.

  10. Benanov says:

    I just always mount flashdrives noexec. I think that’s even the default. (Wait, it’s *not* on your computer? What insecure pile of code are you running?)

    Hmm, I guess I’m so out of touch with reality. I’m more concerned if a device is going to *work*, not if it’s going to pwn my system when I plug it in. (Firewire iPods loaded w/ exploit code notwithstanding, at least if you still have Firewire DMA turned on.)

    It’s nicer over here in the Free World.

    • Minj says:

      Does everyone in your world repeat themselves?

      • Benanov says:

        Mis-clicks are a terrible thing. Apologizing for double posts requires edit capability which this blog didn’t give me by the time I noticed.

    • edosan says:

      We didn’t hear you the first time.

    • Rena says:

      Mhm, I always see these articles and just find myself wondering what kind of system just goes about running executables found on a newly-connected device without being told. Security flaws are one thing but to do this by design? What.

  11. smo0 says:

    Stop giving them ideas!

    “Ohai there usb flash drive on the ground… where did you come from?”

    Moments earlier…. in another part of the office….

    “Muahahaha I’ll infect this drive with a virus and leave it for some unsuspecting person!”

  12. d0x360 says:

    Target just made it so none of the computers can use flash drives which..makes things a real pain in the ass.

    What companies need to do is disable auto run on flash drives, then force a virus scan every time it’s plugged in. Problem solved.

    • Etoiles says:

      My previous employer disabled all of the CD / DVD drives in our computers, and blocked access to about 2/3 of the ‘net (including forbidding Flash installations)… but left the USB ports completely 100% accessible and on auto-run.

      (This was particularly genius, as we specifically requested clients to send us materials on CD-ROM, and as we routinely needed websites, including our authorized travel site, that were Flash-based. Oh, paranoia…)

  13. apd09 says:

    I admit to being guilty of this. I found a flash drive in the parking lot of my building, opened it, and discovered it belonged to one of the members of the undercover police unit located in my building. I know this because the drive had warrants on it they received from judges as well as cases against people. I called the name of an officer on a warrant and left a message telling him I found it.

    I decided to bring it up to their office and was given the third degree by the secretary about opening the drive and how I knew they were even in the building to begin with. I had to explain to her that it’s not hard to figure out when there are dogs that go in and out of the building all day plus people going in and out with duffel bags. She made me give my name and phone number for them to call me and discuss what I saw. I thought I was doing the nice thing as opposed to telling the person whose house was going to be searched.

    It ended up being fine and the officer thanked me and actually said it was not his but he knew whose it was and he would talk with them.

    On a side note, a guy in my office last month was in the parking lot and found a bullet laying on the ground. These cops seem to have a problem with dropping sensitive materials in our parking garage.

  14. KillerBee says:
  15. jiarby says:

    Change this article from flash drive to floppy diskette.. and then change the date from 2010 to 1995 and things seem about the same. The scam is the same… just the technology is newer.

    Same thing with nigerian scams. We used to get them by fax. Now they come in e-mail.

    Stupid is as stupid does… no matter the technology or decade involved.

    • trey says:

      wow, i had no idea those Nigerians had been doing this with faxes… they are some tricky bastards!

      and to think that someone somewhere fell for an unsolicited fax from the Nigerians makes me chuckle.

      • jiarby says:

        yep…

        AND, all those Snopes hoaxes and email jokes forwarded from your gullible Uncle used to come by fax too!

  16. ostaguph says:

    I never knew that balthisar, that’s a good tip. But it’s even better to just disable autorun altogether.

    http://antivirus.about.com/od/securitytips/ht/autorun.htm

  17. ostaguph says:

    I never knew that balthisar, that’s a good tip. But it’s even better to just disable autorun altogether.

    http://antivirus.about.com/od/securitytips/ht/autorun.htm

  18. jp7570-1 says:

    You gotta wonder about the industries that make custom-printed flash drives as promotional giveaways (conferences, etc.). That market’s gotta suck now.

    • Etoiles says:

      Heh, I just ordered a whole bunch this week for a special program.

      When you need to make sure the participants all receive about 800mb worth of *.pdf files and images, it’s so damn much easier to just hand them a printed USB flash drive while they’re there. Especially if your internal e-mail policy places a 10 mb limit on attachments and your ftp sites are… irregular.

  19. davekoob says:

    Write protected flash drives FTW?

    http://www.pqi.com.tw/product2.asp?cate1=18&proid=31

  20. Big Mama Pain says:

    Can’t plug them into computers on military bases; although, I think the concern there might be information going OUT, not something infecting the computer.

  21. erratic_behavior says:

    Here’s a free tool from Panda Security to prevent autorun entries on usb devices from launching when plugged in.

    http://research.pandasecurity.com/panda-usb-and-autorun-vaccine/

  22. Hi_Hello says:

    hahaha that cat is trying to spread rabies to the computer via the usb drive.

  23. fencepost says:

    While this won’t keep flash drives plugged into your systems from carrying things in, as long as you don’t need to modify the contents of your own flash drive you can use one with a hardware write protection switch to keep it from getting infected when you connect to another PC. While rare these days, there are still a few brands that still have switches.

    The only one you’re likely to find in stores (my opinion) is the Imation Clip, and you’re probably going to find it at college bookstores if anywhere. Beyond that, the Imation Pivot, Kanguru FlashBlu, a specific PQI model and a couple of Ritek models all have write protection switches.

    Self-promoting, the most current list I’m aware of that’s in English is here: http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/ (along with a link to the c’t magazine listing in German).

  24. Bystander says:

    I have a friend with a Taxi and Limousine company and he finds those things pretty often so we took my old Dell and have it configured as a Virus Trap and we’ve caught a bunch of Virusi and have returned a lot of Media to (usually) grateful customers.(whew)

  25. HogwartsProfessor says:

    Wow, thanks for posting this. I use my flash drive all the time. Mostly I go back and forth from my work computer to my home computer, and my IT guy is pretty good at keeping viruses out of the system. I run scans all the time at home too and never open the drive through the autorun.

    It stays on a lanyard around my neck, so it’s pretty unlikely anyone would sabotage it. I’m more afraid of losing it.

  26. Rectilinear Propagation says:

    “…or pick one up off the ground and load it on your computer in to peer inside its contents.”

    What about the 5 second rule?

  27. TheGreySpectre says:

    The difference in flash drives and other media is turning off autorun does not protect you with a flash drive. Viruses can be implemented in the driver code that is run when you plug in the drive.

    • GoodBytes says:

      Well don’t use an old version of Windows.
      If you use Vista or Win7 you need to have the driver digitally signed and approved by Microsoft, else it’s a no go. They won’t install.

  28. Spook Man says:

    A security blog I used to read did just that. He was hired by a company to try and hack into their computer systems and their network.

    So he bought 20 cheap usb drives, put a backdoor trojan on it which installed the instant it was inserted (thanks to auto-load) and placed them outside the company in parking lots, smoke break areas, etc.

    By the end of the week, 12 of the 20 had been found and plugged into the pc’s within the company. I wanna say one was even the CEO of the company.

    Needless to say, when he reported his finds after just one week, they were surprised by how quickly he had hacked into their systems and then even more shocked by the method he got in. A very QUICK policy change took effect almost immediately.

  29. gman863 says:

    Most decent anti-virus programs have an option that scans removable media (flash drives, SD Cards, etc.) as soon as they are inserted into the PC.

    I have used the free edition of AVG anti-virus (www.avg.com/free) for years. The flash drive scan is enabled in AVG’s default settings.

    As a geek, I’ve found the majority of viruses and malware screwing up a PC are due to not installing Windows automatic updates, not keeping their anti-virus software current or not using an updated browser (the current version of Explorer is IE8 – if you’re still running IE5 or IE6 you’re much more likely to have shit infect your PC). This applies equally to home users and managed networks. While most IT people know their stuff, many focus solely on server security at the expense of the damage potential at individual workstation PCs.

  30. dilbert69 says:

    If you’re really curious, stick it into a nonconnected computer and wipe the hard drive afterwards.

  31. banmojo says:

    Makes sense. If someone inclined to sticking fleshy appendages into their bodily cavities happened to find a severed fleshy appendage on the side of the road, I would hope they would have the sense to dispose of it properly, rather than inserting said appendage into a personal bodily cavity. Then again, people can do some really dumb stuff, so ….