USB Drives Prime Target for Silent Infections

Status
Not open for further replies.

smalltime0 (Apr 29, 2008)
"you could infect the photo kiosk computers at a Wal-Mart then sit back and laugh as literally thousands upon thousands of people walk in and insert their memory cards."

That would be hilarious... and illegal, but hilarious nonetheless.
 

one-shot (Jan 13, 2006)
Hey, that's not funny. I work there. It's hard enough trying to teach the people how to use a working Kiosk. I can't imagine a broken one, makes me scared.
 
Guest
I have never heard of a specific case of a USB drive having the ability to infect a computer. USB drives don't autorun. Windows will ask you what you want to do, and an autorun.inf can be authored to run malware, but you'd have to select it...

This is not a good article. It should reference some kind of PROOF that this is even a remotely possible threat.
 
Guest
No, it does not autorun. On a USB drive, if you define an autorun.inf, the most it will do is add an extra option to Windows' canned list of actions you can perform. The user has to *choose* the action though. MS did this on purpose specifically because they knew that USB drives would be a huge threat if you could make them automatically execute code. They can't. I was asked to make them do this for a trade show. I researched it (something the writer of the article didn't do), and found that you have to have the USB drive identify itself as a CD-ROM drive in order to actually autorun. In order to make it identify itself as such, you would have to be the USB drive manufacturer.
 
Guest
Okay, I just looked up Hak5 and that's for bootable USB keys. A bootable key is no less secure than a Windows CD. If you're trying to secure a workplace you simply disable USB drive booting. No sweat. BTW, bootable USB is relatively new, and a lot of BIOSes don't support it. My last laptop would just fail to boot if I had my USB key in (which was bootable; it booted into Ghost for when I needed to reimage my test machine).

A bootable USB key is not anything as frightening as a USB key that can execute code without user intervention upon insertion into a running Windows box.

And from what I can tell, there is no such USB key. I would love to know if there was one. I clicked on this story because I thought it was invalidating my preconceptions... but it doesn't. It tells me that there is a threat and then gives no concrete evidence. The best I get is from somebody who made a comment? And Hak5 is a minor threat. Bootable USB is a pain. Bootable CDs are easier to get working and therefore a greater threat IMHO. There is such little likelihood that anyone will unwittingly boot a Hak5 USB key in an environment that has the most basic security.

I feel like this article is scuttlebutt and scaremongering.
 

miltoxbeyond (Jan 7, 2007)
I fix PCs for extra cash and I have seen a rather nasty virus (especially prone to XP since it doesn't have UAC) that would copy itself to the recycle bin of any disk attached to the computer, execute with Windows on logon, and completely hide itself from all spyware scanners. I caught the bastard when I was fixing two computers, transferring files between two PCs for the same customer (one was a reinstall so it was blank), and the virus suddenly appeared on the second, brand new installed computer. Plus, without reformatting the drive the file stays hidden. I realized the virus had spread to my thumb drive when I plugged the flash drive into my testing machine with Vista and Vista requested permission to run the autorun...

I denied and checked out the files and found how the virus spread. Oh, did I mention it cripples XP virus scanners? It hides inside the recycling bin so it usually is invisible. I got rid of the virus by loading up a PE environment and deleting the files manually from the hard disks (all of them, since it copied itself to ALL attached drives).

People complain about UAC in Vista, or just complain about Vista entirely, but it really helps to prevent spyware.
 

miltoxbeyond (Jan 7, 2007)
Oh, forgot to mention it also does a real bastard of a job killing any Task Manager running near instantly, ensures registry blocks for the Task Manager and several other annoying restrictions are enforced in the registry (if you delete the settings it reappears almost instantly; if you do delete the setting and Alt-Ctrl-Del the comp, Task Manager starts, then is killed by the program).

Anyways. Yes, thumb drives are a risk. I've seen it happen. Some computers have the setting turned off for AutoPlay; others just automatically execute it. I've worked with hundreds of computers (seriously, way too many) so I can vouch for it.
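Added example, not code from the thread or from any of its posters: a read-only triage script for the behaviour miltoxbeyond describes (a recycle-bin folder on every attached drive used as a hiding place, an autorun.inf on removable media, and Task Manager blocked through the registry). Function names are assumed; it needs an elevated PowerShell prompt and changes nothing.

```powershell
# Added example: triage for the worm behaviour described in the thread.
# Reports findings; it does not delete or modify anything.

function Get-SuspiciousRemovableMedia {
    $findings = @()
    # DriveType 2 = removable disk in Win32_LogicalDisk
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        $inf  = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            # -Force reads the file even when it carries hidden/system attributes
            $lines  = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue
            $launch = $lines | Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' }
            $findings += [pscustomobject]@{
                Drive = $d.DeviceID; Item = 'autorun.inf'; Detail = ($launch -join '; ')
            }
        }
        # Recycle-bin folder names used by XP-era and newer Windows
        foreach ($bin in 'RECYCLER', 'RECYCLED', '$RECYCLE.BIN') {
            $path = Join-Path $root $bin
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $files = Get-ChildItem -LiteralPath $path -Recurse -Force -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -in '.exe', '.dll', '.scr', '.com', '.bat', '.vbs' }
            foreach ($f in $files) {
                $findings += [pscustomobject]@{
                    Drive = $d.DeviceID; Item = $f.FullName; Detail = 'executable inside recycle-bin folder'
                }
            }
        }
    }
    $findings
}

function Get-TaskManagerLockout {
    # DisableTaskMgr = 1 is the policy value that stops Task Manager from starting
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $v = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($v -and $v.DisableTaskMgr -eq 1) {
            [pscustomobject]@{ Key = $key; Value = 'DisableTaskMgr = 1' }
        }
    }
}

Get-SuspiciousRemovableMedia | Format-Table -AutoSize
Get-TaskManagerLockout       | Format-Table -AutoSize
```

An executable inside a drive's recycle-bin folder, or an autorun.inf whose open= line points there, is the pattern the thread describes and is worth pulling for analysis from an offline PE environment rather than the live system.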
 

hemelskonijn (Oct 8, 2008)
Brrr, now we need to be scared again... let's buy Norton and, while we're at it, a new machine so we have enough power to run Norton (and Vista, I presume).
 

miltoxbeyond (Jan 7, 2007)
Yeah, Windows Defender was also crippled. Couldn't execute. The virus intercepted any launch attempts. Renaming also didn't work because of all the dependent files... I tried to use it as an alternative since Task Manager didn't work to kill the program, but the virus didn't let it start.
 

ToddAndMargo (Nov 7, 2008)
One option not discussed in the article is to use "write protected" thumb drives. PQI offers a few, but they have really fragile switches that tend to break. Kanguru has some with nice switches. Both drives are on the slow side.
 

sanctoon (Jul 29, 2008)
For me this is old news; I work for a local small-town IT company maintaining most of the small business and home users' computers.

There's a virus called OnlineGamesTrojan (by NOD32 anyway) or something like that, that spreads like wildfire through the use of thumb drives, and like miltox said it hides itself in the recycler folder of all infected drives.

It's easy to remove, but not easy to contain the infection; people are just not careful enough. For the last year or so there have been PCs and thumb drives coming into my workshop with that bull**** infection.

Funny thing is, a lot of them get infected through our local photo kiosk just down the street. I have even cleaned their PCs from viruses quite a few times.
 

BallistaMan (May 20, 2008)
miltox, any particular side effects that you noticed from it? I'm fixing up a client's computer tomorrow (Vista) that I'm already quite sure has an infection on some level. It'd be nice to know if there's something like that on there that hides from the usual scans. The last system I dealt with (XP) that knocked out the scanners/Task Manager ended up getting a reformat. The last successful scan it had found well over 500 nasties, way more including the usual cookies and such. Naturally the owner decided to let most of them stay on...>_
 

jlwitt (Nov 19, 2008)
Well, you can just lock down all USB storage devices by changing the file permissions of the USBSTOR.SYS file to deny SYSTEM. It will detect the device but won't mount the drive. It's an easy fix to push out over a network as an admin.

Another option to shut off all USB drives is a registry change of:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
change Start to hex 4.

An option for the photo kiosk is to set USB to be read only:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
Create a DWORD of WriteProtect and set to 0

USB Drives don't need to be a problem in the business world.
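Added example, not code from the thread or from any of its posters: the two registry controls jlwitt mentions, wrapped in a function that can be pushed out by an admin and then verified. Function names are assumed; it needs an elevated prompt, and the value that actually enables write protection under StorageDevicePolicies is 1 (0 or no value leaves writes allowed). The UsbStor change applies the next time a device is plugged in.

```powershell
# Added example: apply and verify USB mass-storage policy on a Windows host.
$UsbStor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$Policies = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-UsbStorageMode {
    param([Parameter(Mandatory)][ValidateSet('Disabled', 'ReadOnly', 'Normal')][string]$Mode)
    switch ($Mode) {
        'Disabled' {
            # Start = 4 (SERVICE_DISABLED): the USBSTOR driver never loads, so no drive is mounted
            Set-ItemProperty -Path $UsbStor -Name Start -Value 4 -Type DWord
        }
        'ReadOnly' {
            # Start = 3 (SERVICE_DEMAND_START) is the default, so drives still mount
            Set-ItemProperty -Path $UsbStor -Name Start -Value 3 -Type DWord
            if (-not (Test-Path $Policies)) { New-Item -Path $Policies -Force | Out-Null }
            # WriteProtect = 1 blocks writes to removable storage; 0 or absent allows them
            Set-ItemProperty -Path $Policies -Name WriteProtect -Value 1 -Type DWord
        }
        'Normal' {
            Set-ItemProperty -Path $UsbStor -Name Start -Value 3 -Type DWord
            if (Test-Path $Policies) {
                Remove-ItemProperty -Path $Policies -Name WriteProtect -ErrorAction SilentlyContinue
            }
        }
    }
}

function Get-UsbStorageMode {
    # Reads the effective state back so a rollout can be audited
    $start = (Get-ItemProperty -Path $UsbStor -Name Start).Start
    $wp    = (Get-ItemProperty -Path $Policies -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect
    if ($start -eq 4)   { return 'Disabled' }
    if ($wp -eq 1)      { return 'ReadOnly' }
    return 'Normal'
}

# Kiosk profile from the post: media mounts, but nothing can be written to it
Set-UsbStorageMode -Mode ReadOnly
Get-UsbStorageMode   # ReadOnly
```

A host that already has a drive attached keeps its current mount until the device is re-plugged, so verify on a freshly inserted stick rather than one that was in during the change.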
 

erech2k2 (Jul 17, 2010)
I'm currently experiencing this beast that has somehow found its way onto just about every USB flash drive I own. The main file that seems to be the ringleader is riuofu.exe, which all signs point to being in my docs/settings folder, but even after enabling view all files and folders I still can't locate it. Another file is bl1 that loads in the temp folder. There are several other versions of this incredibly annoying worm. jsievers' link does give some insight on how it works. I'm going to disable the autorun and try to scan for this worm. Wish me luck.
 