Eighties throwback worm spreads via memory sticks Miscreants have created a strain of malware which uses memory sticks as a vector for infection. The SillyFD-AA worm spreads by copying itself from infected machines onto removable drives such as USB memory sticks before automatically running when the device is next connected to a computer. The malware, which is also capable …
Last time I messed with auto-run on a USB stick, I found the only OS supported method by which I could effect an auto-run (if memory serves) was to double click the drive in Explorer. Unlike loading a CD, simply connecting the device prompts Windows to display that annoying "you've got all sorts of different things on here, what the hell do you expect me to do with them?" pop-up.
This method of spreading isn't new - quite a few recent (and many not so recent) viruses use this method, along with the usual other methods, to spread.
And, as usual, it's all been nicely configured by Microsoft by default to ensure that it's easier for viruses to spread...
Auto-run for devices is enabled by default, hiding file extensions for known types is enabled by default, hiding hidden files is enabled by default (which does make sense, them being marked as "hidden" and all). All we need is a "feature" or technology in MS's browser to automatically install and run software from any old website that has full access to your local system and we'll be well away. Oh, wait - that's in place already.
All we need now is a "search" feature that can't be bothered to actually search your hard disk properly for unwanted files and... oh wait, that's also in place already. Just install the new "desktop search" which, erm, apart from being very, very slow also manages to break the normal "search assistant" search when installed. The really useful thing about this new search is that's it's been commingled with MS Office 2007 such that you can't use the search facilities of Office 2007 without installing it.
With the history of floppy disk viruses and more recently Sony's root kit music CDs – why would anyone add auto-start/play for any removable media to their OS?
And if the security issue wasn't enough –the real PITA of telling Windows to not run anything just because I have put a USB drive with various different things in is enough for me to disable it
Umm... no autorun, but infected boot sectors--yes. As unlike most stick drives, people used to boot from floppy back then. Then of course you can add to it an altered directory tree or partition table, or variety of other hardware level vector points much like root-kits now. All of the lazy windows garbage and denser than snot CPU code specs have deluted our intelligence of computers and have turned us all into helpless sheep. Ba-a-a-a-a-d M$... must st-a-a-a-ay aw-a-a-y from the Scotch and West Virginians. (j/k)
Back in 2004, when I wrote the article for 2600 detailing the threat posed by Microsoft operating system's default autorun in connection with USB memory sticks, I knew (as an old school virus writer) that someone invariably would use this attack vector. What surprises me is that it has taken three years for it to show up in the wild.
Now perhaps people will run regedit and zero out the autorun entry for removable media as they should have back then. For details search for postings in full disclosure.
=;^)
The solution to the problem is to put the flags "user,noexec" in the /etc/fstab entries for USB disk-like devices. That way, users can mount them without being root (this saves you having to get up everytime someone brings in their camera full of holiday snaps which they want to show everyone), but they can't execute anything from there.
Or whatever the Windows equivalent is.
<quote>Unlike loading a CD, simply connecting the device prompts Windows to display that annoying "you've got all sorts of different things on here, what the hell do you expect me to do with them?" pop-up.</quote>
I see you haven't had any experience with the likes of U3's crap that come with Sandisk keys nowadays, eh? These keys behave like CDs with autorun and all, quite annoying. When the key is inserted (OpenSuSE), the system asks what to do with the CD and USB storage device that were just inserted... In Windows, it executes the U3 program (I don't remember if a "CD" shows up in Explorer) and also asks those "what to do" questions. If you're not quick, it seems like the U3 thing closes this dialog. Or something. I just want to control my own damn key to carry stuff like a glorified floppy, can't I, please! :-)
So I guess it wouldn't be too hard for the virus writers to do something on that line? Could they "repartition" the key to have a "mini CD" in there to autorun?
Cheers
J
Sorry my learned friend, but you obviously work on an OS with far greater security capabilities than Windows, and you're on top of it too. Windows simply does not have the equivalent functionality. It expects (and often demands) that you be root to do almost anything - including start your browser.
As the previous posters have written, the risk of infecting networks via USB devices, or CDs, or floppy disks is not new. What has changed is that the storage capacity of these portable devices has increased exponentially. So, as well being able to download massive amounts of sensitive data, executable code can be launched from the device. It's a two pronged attack that needs an integrated solution: i.e. endpoint security software that can block or tightly regulate USB use AND control the applications that are able to run on the network, preferably with the ability to audit whatever is being downloaded and uploaded via USB ports.
After reading all of the comments above and the original statement from Graham Clueley @ Sophos ref USB Virus risks....the one key point that everybody has conveniently overlooked, is the "Pro-active" approach to USB device security. I personally have depolyed thousands of seats of the Securewave Sanctuary Device and Appliacation Control solution that fixes exactly this issue ! And as far as I am aware is the only product of its kind. To draw an anolgy, why would you allow "any" device the opportunity to autorun in your corporate environment, rather than those that are "authorised".
After all...when I go shopping, I dont take a list of all of the products that I dont want to buy, but rather a list of all the items that I DO want to buy. The whitelist approach is the only way to fix this issue. Wake up Readers !!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
