Slashdot Mirror


25% of Worms Spread Via USB

An anonymous reader writes "In 2010, 25 percent of new worms have been specifically designed to spread through USB storage devices connected to computers, according to PandaLabs. This distribution technique is highly effective. With survey responses from more than 10,470 companies across 20 countries, it was revealed that approximately 48 percent of SMBs (with up to 1,000 computers) admit to having been infected by some type of malware over the last year. As further proof, 27 percent confirmed that the source of the infection was a USB device connected to a computer."

190 comments

  1. No, really? by oodaloop · · Score: 3, Insightful

    Since pretty much everything is connected with USB these days, is this any kind of surprise? Were there any worms spread using a serial port?

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    1. Re:No, really? by Anonymous Coward · · Score: 3, Interesting

      > Were there any worms spread using a serial port?

      heh. oddly enough...

    2. Re:No, really? by m50d · · Score: 1

      It surprises me, considering how slow sneakernet is compared to the internet.

      --
      I am trolling
    3. Re:No, really? by TheRaven64 · · Score: 4, Informative

      I don't remember any worms spreading automatically via serial port. It would have been difficult, because there weren't many peripherals that had internal storage space and connected via RS-232, and computers connected with a null-modem cable typically had to run some custom software for file transfer.

      I do, however, remember a lot of worms spreading via floppy disks. Boot sector viruses were especially common in the DOS days. If you left a floppy in the drive, the BIOS would try to boot from it the next time you turned your computer on. It was quite common for a worm to install itself on the boot sector of any inserted floppy so that when you booted from that floppy it installed itself on the hard drive and then printed a 'please eject floppy and reboot' type error. You'd eject the floppy and reboot, and the machine would start normally, only now you'd be infected.

      Since USB drives have replaced floppy disks for offline file transfer, it's not surprising that this is a common attack vector.

      --
      I am TheRaven on Soylent News
    4. Re:No, really? by operagost · · Score: 2, Funny

      None that I know of, but today's USB drive is yesterday's floppy.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    5. Re:No, really? by JohannesJ · · Score: 1

      Serial ports are I/O as well, but in their day, the devices to which they connected were not memory and didn't have any file or program/disk structure and no automatic execute me when plugged in notion like USB.

    6. Re:No, really? by HiThere · · Score: 2, Funny

      Well ... modems used to connect over the serial port. I seem to remember a few viruses that spread that way.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    7. Re:No, really? by hedwards · · Score: 1

      Depends how much data. It's faster for me to take a USB HDD across town than it is to try and send 100gb of data over the wire, but for a couple MB of data, it's usually quicker to send it over the net, even if it does end up going around the world.

    8. Re:No, really? by Anonymous Coward · · Score: 0

      Well, twelve score and 19 years ago when we all wore onions on our belts, since that was the fashion at the time, most early viruses spread by floppy disk passing. Same situation, just different media. Hardly a surprise or anything new to anyone who has been involved with computing for more than a few years.

      Which is why all these dang companies should pay experienced people what they're worth! :)

    9. Re:No, really? by DrgnDancer · · Score: 3, Insightful

      As someone already pointed out, it's faster for large data transfers, but I don't think that's a majority of the problem. It's mostly just convenience. Let's say I have a presentation to give to your company. It's the same presentation I give to every company that has shown an interest in my product. I could e-mail each and every company a copy of my presentation before I show up (and hope that the person I e-mailed it to remembers to put it on the presentation machine), or I can carry it on a thumb drive. Or maybe I was working on the presentation on the flight, and didn't have Internet access to send it to you. Or I'm a tech support guy who carries a bunch of diagnostic tools around with me. There's a ton of reasons why people carry these things around, speed not a huge factor for most of them.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    10. Re:No, really? by Mashiki · · Score: 1

      > Were there any worms spread using a serial port?

      Yeah. There were a few back during the early 90's that would transfer themselves via serial link cables if you had two machines connected. The worm would actively scan for active transfer connections of any kind, then copy itself. USB meh, nothing really new. USB is the floppy disk of today, and a lot of virii, trojans, and worms were spread by floppy in the not too distant past.

      --
      Om, nomnomnom...
    11. Re:No, really? by nobodie · · Score: 1

      Here in China I routinely clean any USB that comes into my hands (Linux, duh, Fedora 13). It is not unusual to find 3, 4 or 5 different viruses, aberrant autorun files and rootkit loaders on USB sticks. They are vicious too. Even the classroom computers which are not supposed to have persistence are occasionally breached and I have to use a portable virus/malware scanner to find it. The installed versions of Kaspersky cannot update and so fall quickly prey to the constantly evolving malware ecosystem, but the botnet programs can. Sad, so sad, that the security guys can't get past their own security but the bad guys can.

      --
      Subversion of spatial scale luxury decoration ideas.
  2. Big surprise by betterunixthanunix · · Score: 2, Interesting

    Hm, software vendors put enormous effort into preventing attacks over the Internet. Did anyone really think that virus writers were not going to find new attack vectors?

    --
    Palm trees and 8
    1. Re:Big surprise by gstoddart · · Score: 4, Insightful

      > Hm, software vendors put enormous effort into preventing attacks over the Internet. Did anyone really think that virus writers were not going to find new attack vectors?

      How is this a "new" attack vector?

      Microsoft has had auto-run on things like CDs and USB drives for years, and you usually need to turn it off. Otherwise, it would happily run any old shit you plug in without even asking.

      When I plug my iPad into my Vista box, the auto-run dialog comes up and asks me if I want to either download pictures or open it like a file storage. There is no "do nothing" option, which I find kind of amusing, since I've usually turned off auto-run for everything.

      I'm not even remotely surprised that USB is a popular attack vector -- they're the new floppies. Microsoft has defaulted to "easy" mode (run everything), which also happens to be the most trusting and dangerous mode you could get. I think this was kind of inevitable.

      --
      Lost at C:>. Found at C.
    2. Re:Big surprise by gad_zuki! · · Score: 2, Insightful

      >There is no "do nothing" option, which I find kind of amusing, since I've usually turned off auto-run for everything.

      That's not what people call autorun, especially in the context of USB viruses. Autorun means when the OS just launches the .exe listed in the autorun.inf file automatically. That's how this stuff spreads. Vista and 7 no longer support this and throw a "What would you like to do" screen, which is fine by me.

    3. Re:Big surprise by AndrewNeo · · Score: 2, Informative

      Er. The last version of Windows that "ran everything" was XP. Just because the dialog comes up in Vista or 7 does NOT mean that the actual autorun application is being executed. The dialog you see is for user convenience, and still has a link to the autorun application, but does not do it on its own anymore. When you plug your iPad in, the "do nothing" is the X button in the corner. Nothing happens besides that dialog coming up. It would be nice if it offered iTunes in the list, though.

    4. Re:Big surprise by gstoddart · · Score: 1

      > Er. The last version of Windows that "ran everything" was XP. Just because the dialog comes up in Vista or 7 does NOT mean that the actual autorun application is being executed.

      That is good to know. I had explicitly gone in and turned all of it off, but I still see Windows try to respond to the new device, never sure how much to trust it.

      > When you plug your iPad in, the "do nothing" is the X button in the corner. Nothing happens besides that dialog coming up. It would be nice if it offered iTunes in the list, though.

      Actually, I just discovered that after Windows has seen the device, you can then separately go into the Auto Play of the control panel and then select "Do Nothing".

      --
      Lost at C:>. Found at C.
    5. Re:Big surprise by Sockatume · · Score: 2, Informative

      What you're describing isn't autorun, but the XP-and-onwards "hey, there's new storage" prompt. While they're both annoying to some degree, Autorun executed any autorun.inf in the root of the new storage without prompting, making it a useful way of spreading viruses. The prompt you're referring to doesn't.

      --
      No kidding!!! What do you say at this point?
    6. Re:Big surprise by Anonymous Coward · · Score: 0

      Which raises the age-old conspiracy theory that the security companies are the ones writing the viruses in the first place.

      "Oh, look at the brave fireman save the kitty from the tree!" Didn't you ever wonder who's lobbing those kitties up into the trees in the first place?

      .

    7. Re:Big surprise by hedwards · · Score: 1

      Indeed, the main risk there is assuming the exe is still the same as the last time or absentmindedly clicking on it because you're not paying attention.

    8. Re:Big surprise by Score+Whore · · Score: 1

      > When I plug my iPad into my Vista box, the auto-run dialog comes up and asks me if I want to either download pictures or open it like a file storage. There is no "do nothing" option, which I find kind of amusing, since I've usually turned off auto-run for everything.

      There's a more options link/button thing you can click on which brings up another dialog where you can specify the default behavior and one of the options is do nothing.

    9. Re:Big surprise by FoolishOwl · · Score: 2, Insightful

      I've seen the conspiracy theory pre-emptively denied, but this is actually the first time I've seen it asserted.

      When I've seen lists of viruses, I've been puzzled that some of them -- a small proportion -- have the annotation that they have been seen "in the wild." Occasionally, I'll see hints that many viruses are only theoretical. Is it the case that the security companies are competing to invent computer viruses, then using those computer viruses, which exist only in their own labs, to inflate the ever-increasing numbers of computer viruses they supposedly defeat?

    10. Re:Big surprise by DrgnDancer · · Score: 1

      iTunes has a check box option to open automatically when an iDevice is plugged in, and it will, but you'll still get the dialog box. It's kinda weird. When I plug in my phone I get both iTunes and the dialog. It's a tad annoying, but I can't find any way to make the dialog stop coming up. I believe the check box is in the general tab for the device itself (so you could set it up so that your tablet always opened iTunes, but your phone didn't, for instance).

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    11. Re:Big surprise by mdielmann · · Score: 1

      > Microsoft has defaulted to "easy" mode (run everything), which also happens to be the most trusting and dangerous mode you could get.

      So that's why the Easy Button is red...

      --
      Sure I'm paranoid, but am I paranoid enough?
    12. Re:Big surprise by DrgnDancer · · Score: 2, Informative

      Or more likely they have their own research labs, and they have white and gray hat hackers who send them exploits that they discover. This allows them to try and stay ahead of the game, instead of reacting to every new virus several hours or days after it's been released by someone malicious. If a white hat sends the AV company the latest virus he's written and the AV company said, "oh, that's vera nice... we'll include it in a definition file if anyone bad ever discovers it" how would you feel?

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    13. Re:Big surprise by wbo · · Score: 1

      > When I plug in my phone I get both iTunes and the dialog. It's a tad annoying, but I can't find any way to make the dialog stop coming up.

      It sounds like iTunes doesn't properly register itself as an AutoPlay handler and is instead relying on some other way of detecting when a device is plugged in. If it did then you could configure Windows (either via the Control Panel, or through the application - in this case iTunes) to always open iTunes when that particular device is inserted and you wouldn't see the AutoPlay dialog box when you plug in the device.

      Unfortunately there is not much you can do about the extra dialog box except to set the default action to "Do Nothing" and click the check box to always perform that action. This will effectively disable AutoPlay for that device but it may be better than waiting for Apple to implement things the correct way.

    14. Re:Big surprise by mjwx · · Score: 1

      > There is no "do nothing" option, which I find kind of amusing,

      The do nothing option is that red X in the top right hand corner of the dialogue box. A bit obscure but what do you expect from MS.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    15. Re:Big surprise by toddestan · · Score: 1

      iTunes installs its own service (well, several actually), one of which is responsible for monitoring for any iDevices being plugged into the computer. That's just one of the many reasons why I hate Apple's shitty Windows software.

  3. Hard to believe it's only that many by dmmiller2k · · Score: 1

    Only 25%?

    --

    "No matter how cynical you get, it is impossible to keep up." -- Lily Tomlin

    1. Re:Hard to believe it's only that many by Joce640k · · Score: 1

      There's not been much point in doing it until now - it was too easy to infect machines without it.

      I expect all new viruses from now on will include USB as standard (as well as all the other vectors).

      --
      No sig today...
  4. personal hygiene. by gavsta · · Score: 1

    someone should teach people to wash their hands properly before handling them IMHO.

    1. Re:personal hygiene. by JustOK · · Score: 1

      it's raining out. worms are spreading via Undulating Slimy Bodies.

      --
      rewriting history since 2109
  5. Surprise? by Joce640k · · Score: 5, Insightful

    It's only going to surprise people who thought nobody would be stupid enough to enable autorun by default in a consumer OS.

    --
    No sig today...
    1. Re:Surprise? by Jedi+Alec · · Score: 2, Insightful

      Honestly, that has been annoying the crap out of me since the very first release of Windows 95. How *anyone* could think that is a good idea continues to baffle me.

      Then again, turning it off for all possible devices and situations is very satisfying :)

      --

      People replying to my sig annoy me. That's why I change it all the time.
    2. Re:Surprise? by Darkness404 · · Score: 3, Insightful

      Remember the days of DOS and having to try to walk someone through installing something through DOS (with a CLI mind you) and how many people couldn't just type the drive right? Misspelled Install every single time, etc?

      Yeah, autorun might be a security nightmare, but it's a lot nicer for anyone who has had to do tech support with clueless users.

      --
      Taxation is legalized theft, no more, no less.
    3. Re:Surprise? by oodaloop · · Score: 4, Funny

      Oh, whoops! Was I standing on your lawn? Sorry 'bout that.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    4. Re:Surprise? by Jedi+Alec · · Score: 2, Interesting

      Oh, I do remember the days of DOS. I also remember that anyone too retarded to use a combination of dir and cd almost by definition did not get to touch a computer.

      As for autorun being good for tech-support, I wonder how many calls could have been *prevented* by disabling it. And I've had my share of calls as well, so I know the drill ;-)

      --

      People replying to my sig annoy me. That's why I change it all the time.
    5. Re:Surprise? by jedidiah · · Score: 0

      > Remember the days of DOS and having to try to walk someone through installing something
      > through DOS (with a CLI mind you) and how many people couldn't just type the drive right?
      > Misspelled Install every single time, etc?
      >
      > Yeah, autorun might be a security nightmare, but it's a lot nicer for anyone who has had to do tech support with clueless users.

      If you can't poke around a disk with a GUI and find the thing that says "RUN ME", you really shouldn't be using a computer.

      Stick to TVs and whatnot.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    6. Re:Surprise? by DavidTC · · Score: 5, Interesting

      Yes, but an equally useful thing would have simply been a 'Install program' menu item, that, when launched, looks on all removable media for autorun.inf files or whatever, and presents their devices, names, and icons in a little list where you pick one.

      Automatically running it was just stupid. You can automate systems but still put a menu item to start the process.

      Hell, in some cases, that would result in less steps. We've all had to walk someone through an install progress, and ended up first having to uninstall something else or update a driver and then reboot...at which point, to get autorun to work, they have to eject the damn CD and put it back in.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    7. Re:Surprise? by Joce640k · · Score: 1

      You're implying that tech support for people who've been infected by a virus is easier...?

      --
      No sig today...
    8. Re:Surprise? by hedwards · · Score: 1

      This is precisely why antivirus software gives you the option to automatically scan the drives for viruses every time you insert them.

    9. Re:Surprise? by hedwards · · Score: 1

      Indeed, the manual for DOS being larger than the Bible probably didn't hurt either. One of the nice things about Macs at that point in time was that they'd require you to unmount the disk before ejecting it. Granted you did have the paperclip option, but it was generally only used for emergencies.

      Whereas with DOS you had to be somewhat careful about taking disks in and out to avoid filesystem corruption.

    10. Re:Surprise? by Jimmy+King · · Score: 3, Insightful

      While I agree with you, this is unfortunately not the way the world works. It was more profitable to insist that everyone needs computers and that they are easy to use and require no training or knowledge and would just work.

      So now we've got a few people who can't and never would be able to manage that who have computers and use them daily. Then we have a bunch more people who could manage that, except marketing (and even some IT pros that seem to give advice based on what would be ideal rather than what actually is) has told them that it just works and they don't need to have a clue what's actually happening or how to do anything because it will all just happen for them. So now, even though they could learn how it works and how to do things, they don't and are convinced they shouldn't have to and get upset when something doesn't just work, trouble and risk free.

      The best solution, of course, would be to get it through to people that computers are actually not simple and are very complex and require some level of understanding and research to use effectively and safely. That's a lot easier said than done, though, since no one wants to hear our opinion on the situation. The ones that do want to hear it likely don't need us to tell them.

    11. Re:Surprise? by Joce640k · · Score: 1

      Antivirus programs are a band-aid at best. Try running a few of the viruses that appear in your inbox every day*, it usually takes about a week for the antivirus vendors to catch up and detect them, if ever.

      * Preferably in a virtual machine...

      --
      No sig today...
    12. Re:Surprise? by Anonymous Coward · · Score: 0

      And that's why home users shouldn't be using a 9 year old operating system.

    13. Re:Surprise? by hairyfeet · · Score: 2, Insightful

      You've obviously never worked tech support. Trying to walk a totally clueless user by phone through installing software can be a fricking nightmare! So yeah, while we can see in hindsight it was a bad idea, at least on CDs I could see why they did it. BTW for those that have to deal with clueless users by phone? Let your old pal Hairyfeet hook you up with Ninite which is a fricking Godsend. More than 90 of the most common apps, including Chrome, Firefox, Flash, Java, .NET, even free AV, and all you have to do is tell them which boxes to check and then run. That's it! Oh and for those working corp they have a pay version that sets those and any other apps you want on an on site server to save bandwidth.

      And for those that still have XP boxes on their networks (which I would be switching to Windows 7 right about now, it's better on security and really stable) allow me to give you the reg fix for disabling autorun. Ironically you can point an autorun.inf on a flash at it and use it to disable autorun on any PC it is plugged in to. But ultimately I'd say the problem with Windows, or any other OS for that matter, is still PEBKAC by far. Just look at how many clueless users would pick up a flash drive out of the parking lot and plug it into a PC in the office? Hell I still get one or two a week that fall for that fake Windows dialog box on websites. To quote the Gump "Stupid is as stupid does" and anyone that hasn't killed autorun at this point is nuts.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    14. Re:Surprise? by Anonymous Coward · · Score: 0

      You mean *fewer* steps.

    15. Re:Surprise? by hesaigo999ca · · Score: 1

      When I go to Windows XP and select the autorun section, there is no disable, only ask me what to do option...is there somewhere in particular you go to disable the autorun devices, and once disabled, is there a way to force (like for a mouse) that the auto detected device can get the drivers installed...?

    16. Re:Surprise? by Rich0 · · Score: 2, Funny

      Or, go ahead and have an auto-install process, but don't make it "look for a file on any removable media and run any executable that it references."

      Instead, when you insert a disc have the OS's package manager look for an installer file in the proper format, and then the package manager asks the user if they want to install the file. Don't have every software vendor writing their own installers.

      Oh, Windows doesn't have a package manager? Well, we should fix that as well. There is no reason that software should need its own install executables. An installer needs to get files into the right (ie standards-driven) process on the drive, and initialize global settings. There is no reason that a centralized package manager can't do that (just look at any linux distro). As a bonus uninstalls become trivial without any vendor support.

    17. Re:Surprise? by Anonymous Coward · · Score: 0

      How is this any better?

      Instead of autorunning on device connect, you are giving a clueless user a menu option to run the autorun from the device.

      "UAC reports that a device is trying to perform 'Import Skynet' on your local terminal. Click Yes to authorize this action"

    18. Re:Surprise? by wbo · · Score: 2, Informative

      > Yes, but an equally useful thing would have simply been a 'Install program' menu item, that, when launched, looks on all removable media for autorun.inf files or whatever, and presents their devices, names, and icons in a little list where you pick one.

      Actually older versions of Windows did have such a menu item but it was removed in Vista, probably because very few people actually used it. Prior to Vista there was a control panel applet called "Add/Remove Programs". I first encountered it in Windows 95.

      Most people used it to uninstall software but the applet also had an "Add Software" button that would scan all removable media for an installer and offer to execute it.

      What I don't understand is why people keep complaining about the autorun functionality, since in Vista and later autorun files are not executed by default. Instead when an autorun file is detected a dialog box is displayed asking the user if they wish to execute the autorun, open an Explorer window to browse the files on the disk/device, or do nothing.

    19. Re:Surprise? by idontgno · · Score: 1

      > Oh, I do remember the days of DOS. I also remember that anyone too retarded to use a combination of dir and cd almost by definition did not get to touch a computer.

      Because...computer stores refused to take their money?

      It must have been a nice world you lived in, because in actual reality clueless nublets with enough money and a good enough excuse (usually business-related) had computers long before many hobbyists. That's pretty much the origin of the embittered technical support dude.

      And, from the same waaaayback era, don't forget that autorun isn't a new concept. Back in the day, it was called booting from floppy. That's actually how you did software installations in a lot of cases, back in the pre-Windows era. And, surprise surprise, boot sector viruses were pretty prevalent.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    20. Re:Surprise? by DavidTC · · Score: 1

      Um, it's so obviously better I don't know how to explain it.

      And the fact you apparently think I said anything about prompting just shows you didn't read what I said. I, in no way, suggested Windows should prompt for anything at all.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    21. Re:Surprise? by DavidTC · · Score: 1

      Less has always been used in English with counting nouns, you imaginary-prescriptive grammar asshat.

      "As far as we have been able to discover, the received rule originated in 1770 as a comment on 'less': This Word is most commonly used in speaking of a Number; where I should think Fewer would do better. "No Fewer than a Hundred" appears to me, not only more elegant than "No less than a Hundred," but more strictly proper. (Baker 1770). Baker's remarks about 'fewer' express clearly and modestly -- 'I should think,' 'appears to me' -- his own taste and preference....Notice how Baker's preference has been generalized and elevated to an absolute status and his notice of contrary usage has been omitted." -Merriam-Webster, definition of 'less', 1995

      You're not just one of those fucktards who not only thinks grammar rules exist independent of grammar as used, but you're one of the superfucktards who've latched onto made up rules, like those asshats who complain about split infinitives or ending sentences with prepositions.

      Those aren't even actual rules, they're just stylistic choices that got elevated to rules by idiots like you. If you're going to bitch about people breaking 'the rules', at least try to find real grammar rules people are breaking, like saying 'should of' instead of 'should've'.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    22. Re:Surprise? by DavidTC · · Score: 1

      > Instead, when you insert a disc have the OS's package manager look for an installer file in the proper format, and then the package manager asks the user if they want to install the file.

      Well, no. I don't want that.

      I'm all for package management, but a major problem of the 'prompting' concept is that users just agree to them.

      I'd really rather install instructions were 'Put in the CD, then click Start/Install Program'. Make the user have to deliberately initiate an installation. Not be prompted, but actually have to do something, where an inserted CD literally does nothing except maybe make the menu item appear.

      Of course, if there's a package manager, 'Install from CD' should be inside that instead, along with 'Install from internet repository' and whatnot. Or even the package manager GUI should check removable media first when launched, and then prompt, but you have to run it yourself.

      I actually wrote a post here a while back about how software installs on Windows should work, with package management, but can't possibly find it.

      But, generally, I thought that Windows should come with a dozen or so repositories, and web sites that supply software shouldn't have links to programs, they should have links to XML files or whatever that download that program from a repository, (And possibly add the repository if it's not added yet, after a quick check of some online blacklists.) and that's how people should be used to installing software, not downloading programs and running them. You fire up the package manager and look for software normally, and if you come across software online, you click something and get sent to the package manager where that software now shows up.

      Downloading and running stuff should be a crazy weird thing that never happens. And, as you point out, they shouldn't be doing that with CDs either.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    23. Re:Surprise? by Medievalist · · Score: 1

      > Remember the days of DOS and having to try to walk someone through installing something through DOS (with a CLI mind you) and how many people couldn't just type the drive right? Misspelled Install every single time, etc?
      >
      > Yeah, autorun might be a security nightmare, but it's a lot nicer for anyone who has had to do tech support with clueless users.

      I know exactly what you mean! That's why I pre-emptively kill anyone who approaches me as if they even might ask me for some technical support.

      I know it's hard on their families, but it makes my stress levels so much more manageable! I highly recommend you take up a policy of pre-emptive murder... sure there are some problems, and occasionally you kill somebody who just wanted to offer you a sandwich, but overall it's really worth it.

    24. Re:Surprise? by quantumphaze · · Score: 1

      irregardless irregardless irregardless

      (Totally worth any flamebait mods)

    25. Re:Surprise? by toddestan · · Score: 1

      > Yes, but an equally useful thing would have simply been a 'Install program' menu item, that, when launched, looks on all removable media for autorun.inf files or whatever, and presents their devices, names, and icons in a little list where you pick one.

      Actually, Windows 95 had something like that, though you had to go through the Control Panel instead of the Start Menu. At some point, not sure when, it was removed.

  6. Some thoughts... by mcgrew · · Score: 1

    The basic technique used is as follows: Windows uses the Autorun.inf file on these drives or devices to know which action to take whenever they are connected to a computer. This file, which is on the root directory of the device, offers the option to automatically run part of the content on the device when it connects to a computer.

    By modifying Autorun.inf with specific commands, cyber-crooks can enable malware stored on the USB drive to run automatically when the device connects to a computer, thus immediately infecting the computer in question.

    I just did a little googling, and it appears you can easily shut it off.

    From CNET:

    Unlike with CDs, Autoplay on a USB flash drive will run a program immediately, no questions asked. Quoting Leo "USB Thumbdrives or flash drives are a non-obvious but easy way to spread malware." The only thing most malicious software needs is for you to run the program. The Windows Autoplay feature, for flash drives, hands this service to the bad guys on a silver platter.

    Why does MS insist on lax security? Autorun should be off by default, not on. This is just plain stupid. It's not a bug, it's a design error. CNET adds that if you're running XP, TweakUI will work.

    And, it looks to me like TFA is a slashvertisement. Its bottom line:

    To prevent this, Panda Security has developed Panda USB Vaccine, a free product which offers a double layer of preventive protection, disabling the AutoRun feature on computers as well as on USB drives and other devices.

    At least it's free.

    1. Re:Some thoughts... by Anonymous Coward · · Score: 0

      Why does MS insist on lax security? Autorun should be off by default, not on. This is just plain stupid. It's not a bug, it's a design error

      It's intended to simplify the computing experience for new users. e.g. "Insert CD in and the software will install by itself". Or "Just insert the CD to view the wedding pictures/movie/etc". While it does have legitimate reasons to exist, I agree that it should be off by default.

    2. Re:Some thoughts... by countertrolling · · Score: 1

      At least it's free.

      So is AntiVir :-) For some reason I don't trust Panda

      But you know what really sucks? There's no real, physical write protection on these USB sticks, so there's no way for me to protect it from an infected machine. Every time I come home from a job, I have to clean the damn thing.

      --
      For justice, we must go to Don Corleone
    3. Re:Some thoughts... by kainosnous · · Score: 1

      Why does MS insist on lax security? Autorun should be off by default, not on. This is just plain stupid. It's not a bug, it's a design error.

      It's not a bug, it's a MS-feature. There is a trade-off to be made when it comes to security and usability. The two share an inverse relationship. Windows chooses usability even at the cost of security. Sure, they could turn off autorun by default. They don't so that any user can put in a disk or USB drive and expect something to happen specific to the content on that device. Would users still be able to figure out that they can click on that CD icon-thingy? Probably. However, MS can sell it as a feature boasting about how easy it is to use. It's more of that mentality which gives you "I can just put a picture in that folder and it's instantly available to everybody on the block! Windows 7 was my idea!"

      Personally, I think of this sort of thing as a huge mis-feature. However, this has also given them the largest part of the computer market and makes people believe that Linux is just for hackers. They've done a great job of making people think that viruses are just a natural part of computing anyway, and then they can sell more software to clean up those viruses. It baffles me how such a decision works, but the cold hard truth is that it has worked quite well.

      </anti_windows_rant>

      --
      There are 10 commandments: 01)Thou shalt love the Lord Thy God 10)Thou shalt love thy neighbour as thyself.Matt22:34-40
    4. Re:Some thoughts... by AndrewNeo · · Score: 1

      Autorun has been off by default since Vista.

    5. Re:Some thoughts... by camperdave · · Score: 1

      Autorun has been off by default since Vista.

      Which doesn't help in the corporate or education sectors, because the powers that be *ABSOLUTELY WILL NOT* switch from XP with IE6.

      --
      When our name is on the back of your car, we're behind you all the way!
    6. Re:Some thoughts... by QuantumBeep · · Score: 1

      Use one of those thumb-drive-shaped USB to SD Card adapters. Same size, cost, and capacity, plus a write protect switch.

    7. Re:Some thoughts... by swb · · Score: 1

      Why does MS insist on lax security?

      Security increases complexity and it makes IT more difficult to use. The suits bitch and then want to switch to something else that's not so "hard".

      Really, MS is just pandering to what corporations want -- software that just works, so that they can hire minimally competent employees and pay them the lowest possible wage without having to hire bothersome "specialists" who question the boss' IT judgment.

  7. Business opportunity.. by al3k · · Score: 1

    Trojan Hacker edition significantly lowers the chance of UTD's (usb transmitted diseases)

  8. I could never get it to work by bluefoxlucid · · Score: 1

    Windows has always refused to autorun USB devices for me. CDs I had to stab it repeatedly in the face to get left alone, but USB drives I put considerable effort into and all I got was this stupid pop-up dialog "WHAT DO YOU WANT TO DO? VIEW PICTURES?"

  9. Use VOTiVO by JimWise · · Score: 1

    That is why I spray all of my USB ports with VOTiVO.

  10. Defective by Design by Anonymous Coward · · Score: 0

    Autorun is ridiculous. It's about as smart as automatically eating any medication you come across.

    captcha: automata

    1. Re:Defective by Design by FoolishOwl · · Score: 1

      That's a pretty good analogy. I'd change it to, "automatically eating any cookies you come across," as that's a slightly less obviously stupid thing to do, and thus more likely, outside of the club scene anyway.

  11. First order of business by daveime · · Score: 1

    First thing I do with any USB ...

    Create a directory called "autorun.inf", then attrib +R +S +H +A on it.

    I've found this pretty effective, as unless the virus is running with admin privileges, it can't overwrite the directory with a file of the same name.

    Also, it's easy to detect if you *do* later contract a virus, as you can verify if the autorun.inf is a directory or a file from DOS before clicking on the options popup.
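A read-only check built on the Autorun.inf description quoted in comment 6 and the `autorun.inf` directory trick in this comment: it reports whether a volume root holds the placeholder directory, an inert file, or a file with entries that start a program. This is an added example, not code from any commenter; the function names and the sample contents are constructed, and the key list (`open`, `shellexecute`, `shell\<verb>\command`) is the set of `[autorun]` entries this sketch treats as launch directives.

```python
import os
import re
import tempfile

# [autorun] keys that make Windows start a program from the volume.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command attaches a command to a context-menu verb for the drive.
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
MAX_BYTES = 64 * 1024  # a legitimate autorun.inf is tiny; never read more


def decode_inf(raw):
    """Decode autorun.inf bytes: honour a BOM if present, else single-byte."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8", errors="replace")
    return raw.decode("latin-1")


def parse_autorun(text):
    """Return (key, value) pairs in the [autorun] section that start a program.

    Deliberately tolerant: lines without '=' and other sections are skipped,
    so a padded or damaged file is still inspected.
    """
    findings = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names ignore case
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if (key in LAUNCH_KEYS or SHELL_COMMAND.match(key)) and value:
            findings.append((key, value))
    return findings


def audit_volume(root):
    """Classify the autorun.inf entry at the root of a mounted volume."""
    # FAT/NTFS names ignore case, so match that whatever the host OS is.
    names = [n for n in os.listdir(root) if n.lower() == "autorun.inf"]
    if not names:
        return {"state": "absent", "launches": []}
    path = os.path.join(root, names[0])
    if os.path.isdir(path):
        # The placeholder directory from the comment above is still in place.
        return {"state": "directory", "launches": []}
    with open(path, "rb") as fh:
        launches = parse_autorun(decode_inf(fh.read(MAX_BYTES)))
    state = "file-launches" if launches else "file-inert"
    return {"state": state, "launches": launches}


if __name__ == "__main__":
    # Constructed sample volumes; nothing here touches a real drive.
    with tempfile.TemporaryDirectory() as base:
        vaccinated = os.path.join(base, "vaccinated")
        os.makedirs(os.path.join(vaccinated, "autorun.inf"))
        suspect = os.path.join(base, "suspect")
        os.makedirs(suspect)
        with open(os.path.join(suspect, "AUTORUN.INF"), "w") as fh:
            fh.write("[AutoRun]\n; constructed sample\nopen=setup.exe\n"
                     "icon=setup.exe,0\nshell\\open\\command=setup.exe\n")
        for root in (vaccinated, suspect):
            print(os.path.basename(root), audit_volume(root))
```

Run it against the mount point of a stick before the stick goes into a Windows machine; it only lists the root directory and reads at most 64 KiB of the file.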

    1. Re:First order of business by Joce640k · · Score: 1

      It's pretty much a given that viruses have admin privileges - how would they infect a machine if they didn't?

      --
      No sig today...
    2. Re:First order of business by gstoddart · · Score: 1

      It's pretty much a given that viruses have admin privileges - how would they infect a machine if they didn't?

      Sadly, some of the users have disabled UAC or simply say "Yes" whenever prompted because they don't fully understand what is being asked of them.

      I fear that in some of these cases, users explicitly grant the virus escalated privileges.

      --
      Lost at C:>. Found at C.
    3. Re:First order of business by gbjbaanb · · Score: 1

      or simply say "Yes" whenever prompted

      yeah, stupid users. When the dialog pops up saying "Smiley central wants to install stuff, is this ok?", they say "yes" because they actually want loads of stupid smileys.

      Now, if the popup said "there's a virus, are you sure you want to install this", then they might take more notice, but until then, user-installed nasties are not going to go away.

    4. Re:First order of business by toddestan · · Score: 1

      That's true, but few viruses bother to try and remove the read-only or system attributes from a file if they can't overwrite it. This technique can also work against some malware where deleting it causes it to simply recreate itself, though less effective now because most of them randomize the file names.

  12. Floppies all over again by mbone · · Score: 1

    15 years ago it was floppies. I worked then at a Government installation that was found to be massively infected - by floppies. Same vector, different medium.

  13. X2 on the autorun by pablo_max · · Score: 1

    Seriously, why are people so silly to leave this on.

    In my company so many PCs were infected this way, with folks passing around USB keys. I think I was the only one who had autorun off and scanned every time anything USB is plugged in.
    Hell, we even infected our customers because of that crap.

    1. Re:X2 on the autorun by 0123456 · · Score: 1

      Seriously, why are people so silly to leave this on.

      Because Microsoft make it insanely difficult to turn off? From what I remember on XP, I had to change it in the control panel, edit some registry variables and then run another program from the command line to tell it that yes, I really, really did want it disabled.

    2. Re:X2 on the autorun by TheRaven64 · · Score: 1

      And even once you do that, the next service pack, or occasionally the next security update, enables it again. Or, at least, did for me with Windows 2000. I never ran newer Windows versions on my own machine, so hopefully they've fixed that stupidity since.

      --
      I am TheRaven on Soylent News
    3. Re:X2 on the autorun by hairyfeet · · Score: 1

      Or you could just, oh I don't know, copypasta this into a reg file and pass it around? Guys here like to bitch about Windows, but it is a hell of a lot easier just to cook up a reg file to do whatever you need than the 50 ways you have to deal with the same kinds of actions in Linux. For all the bitching about the reg it really is an easy way to manage multiple PCs, especially with being able to deal out changes with Group Policy.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    4. Re:X2 on the autorun by Anonymous Coward · · Score: 0

      Or you could just, oh I don't know, copypasta this into a reg file and pass it around? Guys here like to bitch about Windows, but it is a hell of a lot easier just to cook up a reg file to do whatever you need than the 50 ways you have to deal with the same kinds of actions in Linux. For all the bitching about the reg it really is an easy way to manage multiple PCs, especially with being able to deal out changes with Group Policy.

      Yes because Linux and Unix have never had any possible way to manage multiple workstations. Why, *nix admins were so stupid that they hand-configured hundreds of machines, sometimes staying up day and night for weeks until the job is done. Thank God that Microsoft came along and invented the registry, leading the masses of admins out of a profound Dark Age and into a realm of light and understanding. Before Microsoft did this there was simply no way at all, ever, not ever ever ever, nope not even possible, not nearly, nobody ever could have done it, no way at all whatsofreakin'ever to remotely manage multiple machines in Unix. True Microsoft innovation, I tell ya.

      Look, please stop spreading FUD. You like Windows and think it's great? Good for you. Not my place to talk you out of something that works well for you. Show me the same respect by not commenting on Linux/Unix until you have the first clue about how they work. Honestly it just makes you look like an idiot.

    5. Re:X2 on the autorun by DrgnDancer · · Score: 1

      Be realistic here. Most users don't know what the registry is, let alone how to edit it. This is a viable solution for corporate desktops, but it's hardly "easy" in the sense that it's something I'd think to do after I first installed my machine at home (or more likely got it home preinstalled). It's not much of a problem now of course, SP2 to XP disabled this feature and neither Vista nor 7 have it, but until XP SP2 it was a difficult thing for a normal home user to disable.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    6. Re:X2 on the autorun by hairyfeet · · Score: 1

      Explain how exactly is this "FUD"? Sure, if you have a whole metric fuckton of twinkie RHEL machines they are easy as hell to manage, but what do you do when you have a mix of different distros? some are Debian, some are RHEL, some do things their own way, etc.

      What I was pointing out is for the most part Windows is Windows is Windows. You basically only have two kinds of Windows anymore-2K/XP, and Vista/7, which means it is quite easy to control a shitload of Windows machines without having to know much if anything about them. How do you fix a machine by email? I just send them a .reg, tell them "clicky clicky and reboot" and I'm done.

      I'm not saying one is better than the other, I'm saying certain jobs are easier with A than with B. On servers? Linux is great. It is fast, it is cheap, it has all the tools you need built into the repos and ready to go. But dealing with a shitload of different desktop hardware? Royally sucks ass. No different than how MSFT makes a decent server but you'll never be able to squeeze the performance out of the hardware that you could with a stripped down Linux server. Certain jobs are better with a screwdriver, others a hammer.

      Why fanbois are determined to take a server OS and jam it onto the desktop is beyond me, when there are so many better uses for it like Servers, embedded devices, routers, etc. I don't try to run Windows on my phone, so why would you try to run Linux on the desktop?

      --
      ACs don't waste your time replying, your posts are never seen by me.
  14. USB and floppies verboten by commodore64_love · · Score: 1

    My former company banned both. When you inserted a floppy, the computer refused to read it. And when a USB was inserted, security showed up to scan your PC.

    It was also impossible to install any software, unless it was a simple *.exe program that sat on your desktop. Anything as elaborate as firefox was impossible to install.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    1. Re:USB and floppies verboten by Anonymous Coward · · Score: 0

      So if you couldn't read floppies or sticks, how did the exe get on your desktop?

    2. Re:USB and floppies verboten by Anonymous Coward · · Score: 0

      Maybe you have ever heard of a thing called "the internet". It's basically a series of tubes.

    3. Re:USB and floppies verboten by gstoddart · · Score: 1

      So if you couldn't read floppies or sticks, how did the exe get on your desktop?

      Right click and save from a web-page?

      --
      Lost at C:>. Found at C.
    4. Re:USB and floppies verboten by troll8901 · · Score: 1

      Probably developed in-house.

      A company with an IT department that instantly shows up when you plug a USB drive ... is a rich company. Probably with in-house apps.

      The easiest way to distribute/update apps in the company is to literally copy the EXE file onto the desktop (as vs deploying it using Active Directory).

  15. USB worms by Anonymous Coward · · Score: 0

    This is a perfect example:
    http://www.youtube.com/watch?v=MgS5I0mWCrQ

  16. A weird encounter in a library one time by Anonymous Coward · · Score: 0

    My wife was using her laptop in the library once, and a guy came up to her and asked if he could test his USB drive in her computer. She got a weird vibe from him, so she said no. He got insistent, and she still said no. Instead of asking anyone else, or using the library's computers, he left. I've always figured he was trying to do something nefarious.

    1. Re:A weird encounter in a library one time by Anonymous Coward · · Score: 0

      I've always figured he was trying to do something nefarious.

      Well, who wouldn't want to plug his USB drive into a lady's computer?

      And get her potential sensitive pictures in the process after planting a trojan?

  17. there is nothing new under the sun by buddyglass · · Score: 3, Funny

    Way back in the day it was infected floppy disks. Given people now use USB drives like we used to use floppy disks, it only makes sense that malware would (once again) use them as a distribution method.

    1. Re:there is nothing new under the sun by helix2301 · · Score: 1

      Yes, but on a floppy disk you could use the tab on the side to make the disk read only so the virus would not infect the disk. It's much more difficult to do that on a usb jump drive.

    2. Re:there is nothing new under the sun by CrashandDie · · Score: 1

      It's much more difficult to do that on a usb jump drive.

      When USB drives started to appear (back in the day of 64MB and 128MB being a "woah factor"), they would usually include a small switch that you could use to allow or prevent writing to the disk. I've *never* heard of anyone using it.

  18. Low tech by rnturn · · Score: 1

    Wasn't Michelangelo (sp?) transmitted via infected floppy disks back in the late '80s/early '90s? SneakerNet will never really die. The media just changes.

    --
    CUR ALLOC 20195.....5804M
  19. News flash by jridley · · Score: 1

    Autorun is completely evil. You're an idiot if you don't disable it as soon as you unbox your computer. That is all.

    1. Re:News flash by gstoddart · · Score: 1

      Autorun is completely evil. You're an idiot if you don't disable it as soon as you unbox your computer. That is all.

      I can't even blame end users for that one.

      Microsoft has consistently opted to ignore security in favor of ease of shooting yourself in the foot. I lay the blame squarely at their feet for deciding to essentially run anything that they encounter and hope that it isn't malicious.

      As much as we don't like to, to a lot of people the computer is an appliance. They're just not fully aware of all of this stuff.

      --
      Lost at C:>. Found at C.
    2. Re:News flash by AndrewNeo · · Score: 1

      Or upgrade to Vista. Vista! Vista (and 7) do not autorun applications by default.

    3. Re:News flash by causality · · Score: 1

      I can't even blame end users for that one.

      Microsoft has consistently opted to ignore security in favor of ease of shooting yourself in the foot. I lay the blame squarely at their feet for deciding to essentially run anything that they encounter and hope that it isn't malicious.

      That's why I'd like to see some product liability for Microsoft so long as they insist on selling Windows to the clueless on the basis of its "ease of use". Either accept liability for any damages caused by security vulnerabilities in Windows, or, start marketing Windows as software designed for experienced and knowledgeable users and not recommended for beginners. Because as it stands now, Microsoft profits from selling to the clueless but Microsoft does not have to bear the cost of the problems they experience (or the costs of third parties who receive spam from their infected machines). That makes Microsoft little more than a sophisticated parasite.

      As much as we don't like to, to a lot of people the computer is an appliance.

      Those people happen to be wrong. I'd say the unending problems they experience from trying to treat it like an appliance is pretty strong evidence that it is not, in fact, a mere appliance. It's really that simple.

      Their refusal to catch on to this simple and self-evident fact is the only reason why there is any discussion at all about this. Otherwise people tend not to discuss obvious things like grass being green or the sky being blue...

      They're just not fully aware of all of this stuff.

      People tend to be "just not fully aware" of anything that would imply they should put forth more effort or take on more responsibility. Examples include learning something about the tool you use on a daily basis or taking responsibility for whether it becomes a botnet zombie instead of viewing this as something that "just happens", as though it were normal and not out of order.

      So there you have it, the two complementary sides to this equation. Microsoft promises "easy to use!" and "more secure than ever" with little to back that up with. Most of its customers are only too happy to believe this even when it isn't so believable because it absolves them of responsibility. It's a sort of feedback loop or self-sustaining cycle.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    4. Re:News flash by gstoddart · · Score: 1

      Because as it stands now, Microsoft profits from selling to the clueless but Microsoft does not have to bear the cost of the problems they experience (or the costs of third parties who receive spam from their infected machines). That makes Microsoft little more than a sophisticated parasite.

      Well, given that the marketing department trumped privacy and security, you're correct.

      "As much as we don't like to, to a lot of people the computer is an appliance."

      Those people happen to be wrong. I'd say the unending problems they experience from trying to treat it like an appliance is pretty strong evidence that it is not, in fact, a mere appliance.

      Oh, I don't know. Apple has made a fair amount of money in selling one that they claim to be a lot closer to an appliance that you don't need to know the innards of in order to use it. I don't know if it's truly that easy to use or that much secure -- but the people I know with Macs are just as happy to not deal with most of the crap involved in running a Windows machine (and, several of those have Masters degrees in CS, so we're not talking about stupid people here). I've personally never gotten to play with OSX, so I can't speak to it.

      I can see that as computers become ubiquitous, people will begin to see them as just that. Essentially like a TV -- they don't care how it works, as long as when they click the button it does what they expect.

      I think if Microsoft would stop doing things like allowing marketing to be sure they can sell advertising instead of allowing browsing to be private and secure by default, we'd be making some progress.

      --
      Lost at C:>. Found at C.
    5. Re:News flash by causality · · Score: 1

      Oh, I don't know. Apple has made a fair amount of money in selling one that they claim to be a lot closer to an appliance that you don't need to know the innards of in order to use it. I don't know if it's truly that easy to use or that much secure -- but the people I know with Macs are just as happy to not deal with most of the crap involved in running a Windows machine (and, several of those have Masters degrees in CS, so we're not talking about stupid people here). I've personally never gotten to play with OSX, so I can't speak to it.

      About the folks with CS degrees, the ability to tinker does not necessarily imply the willingness to do so. I am also more than capable of administering any Windows system or network of Windows systems, but those require a lot more maintenance, babysitting, and cause a lot more headaches than the Linux systems I run. Generally, Linux just works. Windows can just work too but you're going to put a lot more effort into making sure it stays that way.

      I like to say it this way: on Linux, if something does break, it broke for a very good reason. I can find out what that reason is. It'll stay broken until I fix it. When I fix it, it will stay fixed. That has never been my experience on Windows.

      Regarding Apple, they've done a much better job of designing a product for a non-technical audience who really do want something more like an appliance. I think designing a good GUI with a solid, proven Unix implementation under the hood has a lot to do with that.

      You're not alone in knowing people who bought an OSX machine and went from not liking their computer to actually enjoying it. The folks I've talked to who said that were not technically inclined and mostly just wanted to read e-mail and browse the Web. For them, Windows has been too flimsy and too high-maintenance and generally a lot more trouble than they thought worthwhile.

      A big part of that involved its numerous security issues, either directly or indirectly in the form of problems with A/V software and antispyware utilities and all the other anti-something-or-another scanners one must run on that platform to have a barely-acceptable level of security.

      I can see that as computers become ubiquitous, people will begin to see them as just that. Essentially like a TV -- they don't care how it works, as long as when they click the button it does what they expect.

      Windows is a very poor design for that crowd. It's getting better but it's not nearly there yet. It bears mentioning that I would be reluctant to recommend Linux for that crowd as well. The difference is that most Linux distributions do not target non-technical users and do not claim to be something one can use with no understanding. The closest thing to that is Ubuntu/Kubuntu and they don't claim to be some magical silver bullet. They just represent the progress that's been made towards reaching this audience.

      I think if Microsoft would stop doing things like allowing marketing to be sure they can sell advertising instead of allowing browsing to be private and secure by default, we'd be making some progress.

      I think if no single vendor ever reached anything remotely approaching 90% marketshare then the decisions of individual marketing departments would be irrelevant. Interoperability would also receive more emphasis as a goal, since no single vendor running the show means that going with any proprietary format/standard risks alienating a large number of potential customers.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    6. Re:News flash by jridley · · Score: 1

      In the case of Vista, "upgrade" is a matter of definition.

      I had 7 on my machine for a couple of months but it drove me crazy, they made some GUI changes that I just found highly irritating and slowed me down too much, so I went back to XP.

  20. Once again Linux by Murdoch5 · · Score: 1

    I agree with this 100%, the amount of times I plug my USB Stick into my Linux box and have the virus scan freak out is amazing. Then again it's always nice to know that my usb is affecting me.

    1. Re:Once again Linux by mcgrew · · Score: 1

      Virus scan on a Linux box? Huh? What am I missing here?

    2. Re:Once again Linux by Anonymous Coward · · Score: 0

      mixed environment, he doesn't want to be a carrier?

    3. Re:Once again Linux by Murdoch5 · · Score: 1

      I have a virus software just for when I want to scan things like USB keys and cd's before sending them to people when they're not from me, better to be sure they're not getting affected from someone else.

    4. Re:Once again Linux by mcgrew · · Score: 1

      Ah, good thinking. Thank you for that.

    5. Re:Once again Linux by QuantumBeep · · Score: 1

      Is this some horrifying new strain of this?

    6. Re:Once again Linux by CharlyFoxtrot · · Score: 1

      Virus scan on a Linux box? Huh? What am I missing here?

      You can use ClamAV on OSX or Linux. In case you get a USB drive that you might have to connect to a Windows PC at some point. No use being a carrier.

      --
      If all else fails, immortality can always be assured by spectacular error.
  21. PS -- a little more googling shows... by mcgrew · · Score: 4, Informative

    If you're running Windows 7 it appears that you're ok. But what took MS so long to fix this gaping hole?

    1. Re:PS -- a little more googling shows... by AndrewNeo · · Score: 2, Insightful

      To their credit they did fix it in Vista.

    2. Re:PS -- a little more googling shows... by Anonymous Coward · · Score: 0

      Judging from its sales figures, nobody noticed that.

    3. Re:PS -- a little more googling shows... by VGPowerlord · · Score: 3, Informative

      To their credit, they fixed this in Windows XP.

      Yes, XP. Specifically, Windows XP SP2.

      It no longer just runs the Autorun program, but instead gives you a dialog that asks what you want to do, with some default choices. The former Autorun command appears at the top of said list.

      The only thing Windows 7 did was remove said dialog when you attach non-optical media.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    4. Re:PS -- a little more googling shows... by FoolishOwl · · Score: 3, Insightful

      To be fair, I think part of what people hated about Vista was that Microsoft finally implemented some decent security. Users complained about being asked to enter passwords to authorize software installation and the like. Vista was a tremendous resource hog, but it looked to me like Microsoft decided to upgrade security and stability first, then optimized performance later in Windows 7. That's the responsible thing to do, and I think Microsoft got burned for doing the right thing for a change.

    5. Re:PS -- a little more googling shows... by Anonymous Coward · · Score: 0

      They only partially fixed it after the Conficker outbreak, since effectively disabling it was impossible in XP, even with GPOs.
      See also: http://support.microsoft.com/kb/967715/

    6. Re:PS -- a little more googling shows... by sco08y · · Score: 1

      To their credit, they fixed this in Windows XP.

      Yes, XP. Specifically, Windows XP SP2.

      So, even after all the problems with boot sector viruses, this default behavior persisted through Windows 95, 98, ME, 2K, and XP.

    7. Re:PS -- a little more googling shows... by Anonymous Coward · · Score: 0

      I shouldn't have to enter a fucking password except to:

      1- Log onto the machine.
      2- ACCESS something that my logon credentials don't give me access to.

      So bothering home users to enter goddamned passwords when they want to install a program is the wrong way to go about security. But I'm not a snooty administrator, so I don't get a boner from my machine asking me for passwords to do things.

      Granted, I should also be able to force the computer to do this if I so choose, but it shouldn't be the default. If I AM an administrator, I do want my users to be denied if they try to do something they shouldn't be doing, and I do want a button to click that says "enter administrator password to allow this action to complete" so they don't have to log out just for me to allow them to install AIM or something.

      But for normal personal computers, that's not how security should be implemented. If I'm too stupid to know what to install or not, what does having to enter a password do? Because I'm also too stupid to know when not to enter the password. It just irritates me and slows down the installation of good and bad programs.

      UAC, at least the alert nature of it, is pretty good, but needs to be tweaked. Every file or bit of code should have a scope. A script on a webpage shouldn't be allowed to do anything to the system until you say it is OK. Instead, we hope our web browsers are smart enough to catch this. But this should be built into the OS, not the applications. It could probably be easily implemented via the class system that's already on the machine. Every class of file has things it can do, or will be prompted, or simply cannot do.

      Here is a great example of why browsers (etc.) can't be trusted: I was trying to figure something out one time, and I was searching on the google for the answer. I came across a link that seemed like a perfect solution. When I clicked the link, it took me to a page that looked identical (enough) to Google's "this site may harm your computer" page. I, of course, clicked the "get me out of here button". Which, of course, was really me agreeing to install some fucking malware. (You never saw someone unplug a network cable so fast...) A for effort on Google's behalf, and it is great that browsers force the user to click something before installing something, but if that can be faked and obfuscated like it was, then it is a fail. But still, not their problem. My OS should be handling that shit, and the barrier shouldn't be just my knowledge of a password.

      The way security should be implemented is that files should not be executable until they are installed on the machine. And THE OPERATING SYSTEM should own and control the installer. And that system owned installer should prompt the user about what it is doing, as opposed to the current system where we trust the installer that we downloaded to ask us questions. The OS installer should say "this thing is trying to install a toolbar into your browser! Is that what you expect?" or "this thing says it is a flash plugin, but it is trying to write to your system32 folder. are you really, really sure that's what you want?"

      I guess SELinux does a lot of this kind of thing. Unfortunately, its operation seems to be voodoo. The security works, but the configuration and access control is fucked up. If I want to install something and SELinux won't let me, I have to turn it off. Lot of good that does- no better than making me enter the admin password.

      Far as I can tell, no operating system handles security all that well. (and no, just because your NeXT machine doesn't get viruses doesn't mean it is secure. Just that it is uninteresting to malware creators.)

      We are getting close, but more goddamned passwords aren't the answer.

    8. Re:PS -- a little more googling shows... by FoolishOwl · · Score: 1

      The point of authentication is that the agent being authenticated is external to the system -- and that requires information that isn't present in the system. Passwords are the simplest way to implement this, since the system is confirming the password matches a hash, but doesn't store the password directly.

      The examples given of how you'd prefer things handled are variants of the familiar OK/Cancel dialogue boxes. There's no authentication, which means that there's no external information required -- so it's easily bypassed, as with the commonly available utilities to automatically "Click OK." A malware author could easily bypass even the display of the prompt, so long as the prompt doesn't require external information.

  22. Hardware write protection (few, but they exist) by Fencepost · · Score: 2, Interesting

    There are still a few USB drives out there with hardware write protect switches, but they're hard to find and you'll probably have to order online. I have what may at this point be the best listing available at http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/, culled from a variety of searches, message boards, and one German computer magazine (c't) which has its own listing.

    In the US, the most likely drives to find in stores if you're looking are a couple of Imation models (Pivot and Clip), plus lingering supplies of the older Swivel models (the swivel isn't all that sturdy, pockets will beat it up over time). I've not seen these widely in stores, but you may find the Clip in college bookstores - I suspect that's their target for the style.

    --
    fencepost
    just a little off
    1. Re:Hardware write protection (few, but they exist) by denis-The-menace · · Score: 1

      I call it a write protect switch.
      I carry my utils, patches and SW on a Kanguru FlashBlu 2 16GB USB drive to fix people's PCs.

      You never know what crap they have on there.
      An infected PC could modify one (or more) EXEs on an ordinary USB drive. Autorun disabled or not

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    2. Re:Hardware write protection (few, but they exist) by Anonymous Coward · · Score: 0

      Just use an SD card with a flash drive sized adapter. Then you can use the switch on the SD card.

    3. Re:Hardware write protection (few, but they exist) by greyelf23 · · Score: 1

      If you're looking for a usb flash drive with write protect switch to carry around in your pocket I can recommend the Victorinox Flash series of (tiny) pocket knives. Quite handy to have with you as they come with flashlight, ball point pen, scissors, and knife (very small but nice e.g. for opening packages). The flash drive can be easily detached and the whole thing is very sturdy in my experience!

    4. Re:Hardware write protection (few, but they exist) by Anonymous Coward · · Score: 0

      Sadly, the few times I had taken such a write protected drive to print something, the machines in the shop threw an error and refused to read until switching the protection off (I think they all ran XP). I don't particularly care, but unless I remember to manually delete the malware from under linux, I'm risking infecting (and re-infecting) windows machines I interface with.

  23. I thought USB devices were safe by Robert+Bowles · · Score: 1

    If you get it from the store, and its in a blister pack, they're pretty much guaranteed to be secure.

    --
    /* MAGIC THEATRE
    ENTRANCE NOT FOR EVERYBODY
    MADMEN ONLY */
    1. Re:I thought USB devices were safe by Ukab+the+Great · · Score: 4, Insightful

      Good News: Assuming a certain level of competence where the windows machines formatting the drives in China were not recycled from somewhere else, had their hard drives given a clean wipe, and weren't hooked up to the Internet and used to browse Pr0n on lunch break, then yes drives in the blister pack are secure.

      Bad News: It's highly dangerous to assume a certain level of competence.

      Moral Of The Story: When you buy a flash drive, immediately format it and bypass any "value-added gravy" the manufacturer tries to shove down your throat.

  24. Autorun is not needed to infect by mysteryvortex · · Score: 1

    I seem to recall being able to insert a floppy disk, type "dir a:", and get a virus under MS DOS. You probably don't need autorun turned on to get infected.

    Off the top of my head, a buffer overflow in the code that reads and displays embedded icons would be a juicy target, along with the file system parsing code.

    -Mysteryvortex

    1. Re:Autorun is not needed to infect by 0123456 · · Score: 1

      Off the top of my head, a buffer overflow in the code that reads and displays embedded icons would be a juicy target, along with the file system parsing code.

      Presumably the current Windows Explorer 'load DLLs from the current directory' exploit would be enough... put an image or video file on the disk and a DLL which will be loaded when that directory is viewed, and the user (and possibly the entire PC) is owned even without autorun.

  25. "D:\Setup.exe" by DocSavage64109 · · Score: 1

    Like the parent said. Remember in the old days, you'd have instructions like "Insert disk, click start->run, type "D:\setup.exe", press enter". Anyone who had more than one cd-rom drive or hd would have to work out for themselves what drive letter they should type -- that's assuming they even knew what a drive letter was!

    1. Re:"D:\Setup.exe" by jedidiah · · Score: 2, Insightful

      Fortunately, this thing called the GUI that was introduced to the world in 1984 solved most of those problems.

      No need to search for the disk.
      Searching for something to run is pretty straightforward.

      Knowing what a program looks like in a GUI will probably be declared a "burden" by some. However, you can't completely abdicate responsibility for a sophisticated tool without severe consequences.

      Sooner or later, something like Email Phishing will require the end user to plug their brain back in.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    2. Re:"D:\Setup.exe" by Joce640k · · Score: 1

      That could have been solved with an OS prompt which said something like, eg. "Do you want to install program XXX from the CD you just inserted?"

      Simply running whatever code is on the USB drive is braindead. There were viruses at least 15 years before Windows XP, anybody with half a brain should have been able to see what was coming.

      Still, this is the company which gave us autorun emails ... USB is a minor peccadillo compared to that.

      --
      No sig today...
    3. Re:"D:\Setup.exe" by DocSavage64109 · · Score: 1

      Ok, you type out your GUI steps to install a cd without autorun that work on w95-xp that hopefully all users can follow.

    4. Re:"D:\Setup.exe" by Joce640k · · Score: 1

      A decent OS would have made it easy to do.

      If it's not easy to do in Windows then it's a problem with the design of Windows. Why can't windows detect a 'software installation' CD (or USB stick) and say "Do you want to install program XXX from the CD?".

      Autorun was a dismal idea, the current system isn't any better (the annoying/confusing popup dialog which asks you what to do).

      --
      No sig today...
    5. Re:"D:\Setup.exe" by AvitarX · · Score: 1

      Double Click "my Computer"

      Double Click the CD drive that has the name of the program you are trying to install under it

      Double click the file named "setup".

      That gets XP, I'm not sure about 95-ME taking on volume names, but generally the directions are the same as far as I remember.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    6. Re:"D:\Setup.exe" by freakmn · · Score: 1

      Judging from the users I've dealt with, if it says XXX, they will hit yes. No matter what.

      --
      warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
  26. News Flash? by Anonymous Coward · · Score: 0

    25%? Seems kind of low, for a type of social engineering "exploit", the ubiquity of USB devices, ease of use vs security conundrum, etc. Now tell us the source of the malware on the device, and then we might have a story - from the factory, favorite uncle's p0rn server, etc.

    It also means 75% of worms are spread via other means.

    So what's the real story??

  27. Could a malware have more than vector? by blcss · · Score: 1

    Suppose something was written to spread via both the Internet and USB autorun? The more vectors, the stronger it would be.

    --
    We don't need yet another new programming language. Let's just pick an existing language and fix its flaws.
    1. Re:Could a malware have more than vector? by Anonymous Coward · · Score: 0

      Jeeze. Imagine the implications of this. If someone plugged that USB device into a computer that was also connected to the internet, it could spread like crazy!

  28. Further... by Anonymous Coward · · Score: 0

    47.8% of all statistics are made up on the spot!

    1. Re:Further... by Yvan256 · · Score: 1

      Actually, 25% doesn't sound made up at all. They tested four USB drives.

  29. Industrial Espionage by DarthVain · · Score: 1

    I once heard that the easiest way to conduct industrial espionage was to make a virus that would make a back door to the security systems, load it onto a USB thumb drive, casually walk to the outside smoking area of the company building you wish to infect, have a smoke, covertly drop the USB thumb drive somewhere in the area. For extra points, take a generic thumb drive and put the company logo on the side for authenticity. 10$ says some idiot will pick it up and plug it into his system when he gets back to his office to see what is on it, or who it might belong to. Bypassing all firewalls and security (at least initially).

    Now remotely connect to your heart's content and start downloading.

    1. Re:Industrial Espionage by Fantastic+Lad · · Score: 1

      Advice:

      "Don't eat surprise food you find on the ground unless it's a strawberry and was growing there."

      "Don't plug in surprise computer media you find on the ground unless you have autoplay turned off."

      -FL

    2. Re:Industrial Espionage by Joce640k · · Score: 1

      You don't even need to do that, just drop a few of them around the car park...

      --
      No sig today...
    3. Re:Industrial Espionage by Anonymous Coward · · Score: 0

      Don't forget that disabling autorun does not protect you from the linkrun vulnerability.
      http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx

    4. Re:Industrial Espionage by DrgnDancer · · Score: 1

      One of the Federal agencies got hit by this several years back. A group scattered infected drives around in the parking lot of a Federal Building and at least one person picked one up and infected the network. Another group tried it at DoJ, but failed because the employees turned the drives in. (See? Sometimes user education DOES work.)

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    5. Re:Industrial Espionage by DarthVain · · Score: 1

      Pfft whatever.

      The people working at DoJ probably didn't know what the magic sticks were or couldn't figure out where to stick them, so just gave them to security... :)

    6. Re:Industrial Espionage by xenapan · · Score: 1

      *runs over your USB drive*

      --
      insert funny sig here
  30. How to disable Autorun in Windows. . . by Fantastic+Lad · · Score: 2, Informative

    Autorun is one of Microsoft's more frustrating contributions to the world.

    But what is still more idiotic, is how user-unfriendly the path is to shutting it off. Microsoft's very own page on the issue...

    http://support.microsoft.com/kb/967715

    -FL

    1. Re:How to disable Autorun in Windows. . . by Anonymous Coward · · Score: 0

      Except that using that method a worm/virus can easily re-enable it by setting the relevant registry keys back. A more thorough way to disable it is explained at this US-CERT page, and it doesn't depend on having an up-to-date version of windows that has been patched to properly honor the relevant registry keys (earlier versions don't do it properly).

      Another way to mitigate the issue on external drives is to make a bogus "AUTORUN.INF" directory on the drive, put a file in it, and make both of them read-only. Then if a worm tries to install its own autorun.inf file to spread the infection it will have to be smart enough to see the one you've put there, turn on the write flags, delete the old one, and then copy over its autorun.inf file. So far I haven't seen any that are smart enough to do that, so for now it immunizes the device.
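
Added example, not part of the thread: a Python sketch that audits the root of a mounted removable volume for the situation described in the comment above, reporting which programs an autorun.inf file would launch and whether the read-only AUTORUN.INF placeholder directory is in place. The function names and the sample file contents are constructed for illustration.

```python
"""Audit a removable volume's root for autorun.inf (added example)."""
import os
import stat
import tempfile

# Constructed sample of an autorun.inf file; the program name is a placeholder.
SAMPLE = r"""[AutoRun]
; constructed sample, not taken from any real drive
open=example.exe /s
icon=example.ico
label=PHOTOS
shell\explore\command=example.exe
"""

# Keys in the [autorun] section that directly name a program to start.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Keep only entries that start a program: open=, shellexecute=,
    and shell\\<verb>\\command= (context-menu verbs)."""
    return {
        key: value
        for key, value in entries.items()
        if key in LAUNCH_KEYS
        or (key.startswith("shell\\") and key.endswith("\\command"))
    }


def audit_volume(root):
    """Classify the volume mounted at `root` by what sits at autorun.inf."""
    path = None
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":  # FAT/NTFS names are case-insensitive
            path = os.path.join(root, name)
            break
    if path is None:
        return {"status": "absent", "commands": {}}
    if os.path.isdir(path):
        # The placeholder described above: a directory occupying the name,
        # with something inside it, and the write bit cleared.
        mode = os.stat(path).st_mode
        return {
            "status": "placeholder-directory",
            "read_only": not (mode & stat.S_IWUSR),
            "non_empty": bool(os.listdir(path)),
            "commands": {},
        }
    # latin-1 never fails to decode; good enough to read ASCII key names.
    with open(path, "r", encoding="latin-1") as fh:
        commands = launch_commands(parse_autorun(fh.read()))
    status = "launches-program" if commands else "file-no-launch"
    return {"status": status, "commands": commands}


def demo():
    """Build two constructed volumes in temp directories and audit both."""
    results = {}
    with tempfile.TemporaryDirectory() as plain, \
            tempfile.TemporaryDirectory() as immunized:
        with open(os.path.join(plain, "AutoRun.inf"), "w") as fh:
            fh.write(SAMPLE)
        results["infected"] = audit_volume(plain)

        placeholder = os.path.join(immunized, "AUTORUN.INF")
        os.mkdir(placeholder)
        open(os.path.join(placeholder, "keep.txt"), "w").close()
        os.chmod(placeholder, 0o555)
        results["immunized"] = audit_volume(immunized)
        os.chmod(placeholder, 0o755)  # restore so the temp dir can be removed
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```
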

    2. Re:How to disable Autorun in Windows. . . by SheeEttin · · Score: 1

      TweakUI (an XP powertoy) has nice little checkboxes that allow you to change autorun by drive, by device type, and also add or remove autorun actions.

  31. The other 75%... by Esvandiary · · Score: 0

    ... had already died from a Concrete Donkey.

    1. Re:The other 75%... by alphax45 · · Score: 1

      Worms ref?

      --
      K Man
  32. Photo kiosks are common vector by hipifreq · · Score: 1

    My own experience with USB viruses was pretty thankfully not horrible, but annoying and disheartening. I brought a USB key full of pictures to a local store to have them printed, and when I got back home and put the stick in I was infected. Nothing serious, and easily detected and cleaned, but still annoying. I called the store to let them know, and asked to speak to someone in IT. After a while I talked briefly to a tech, let him know what I experienced, and suggested they turn autorun off, as it wasn't necessary. Shame on me, because two weeks later I went to print more pictures from USB, and yet again my key was infected. This time I had turned off autorun for USB (different and harder to turn off than for CD I found) and found the infection before it spread to my desktop. Now I have what another user suggested in a directory named autorun.inf with all the flags on (system file, read-only, etc). Works for me. What I wondered about at the time is what one can do when you know of a virus vector, have informed that infected party, and they take no steps to prevent it. Are there places out there where knowing you have a virus, know you're spreading it, and don't do anything is illegal?

    1. Re:Photo kiosks are common vector by tlhIngan · · Score: 1

      Are there places out there where knowing you have a virus, know you're spreading it, and don't do anything is illegal?

      You could sue for negligence, as they have technically failed in their duty of care upon your telling them. Won't get much, but it could be enough to pay for a PC repair service with backup option - few hundred bucks at least.

  33. Again no word of Microsoft or Windows by devent · · Score: 3, Interesting
    I posted it already on another news about a Windows bot net. The trojan/usb infection is only on Microsoft Windows. Please mention that. I and people with Macs couldn't care less. So I just post again and again and again:

    It's 25 percent of new Windows worms. Approximately 48 percent of Windows SMBs (with up to 1,000 computers) admit to having been infected by some type of malware over the last year. Linux and MacOS SMBs are still safe and will be safe.

    I would say Dell was right:

    "6) Ubuntu is safer than Microsoft Windows: The vast majority of viruses and spyware written by hackers are not designed to target and attack Linux." from http://www.theregister.co.uk/2010/06/14/dell_ubuntu_windows_security/

    --
    http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
    1. Re:Again no word of Microsoft or Windows by je+ne+sais+quoi · · Score: 1

      If I had mod points, I'd mod you up. This absolutely needs to be emphasized. Since Windows is 90% of the desktop computers though, I can see why people forget that. I always find a lot of sys. admins think that I need to install virus software on my mac or linux machine because I need to protect other people from getting infected files from USB discs. Brother, if you choose an OS that implicitly trusts any device that's plugged into it like windows does with autorun, you're the problem, not me. You change your OS to something more secure, or at least turn autorun off, and only then will you have the right to lecture me on how I should use my precious processor cycles to save people who make bad software decisions. However, on the other hand, I can see the pragmatic viewpoint that like as not, we are stuck with windows and not everyone is computer literate so I perhaps should be doing it, but I'd rather just not let other people plug their USBs into my computer than run anti-virus to tell the truth (I installed Norton once, after I decided I didn't like it and uninstalled it, months later I was still finding weird files it had installed all over the place).

      --
      Gentlemen! You can't fight in here, this is the war room!
    2. Re:Again no word of Microsoft or Windows by couchslug · · Score: 1

      That's Insightful, it shouldn't be Interesting because other than MSFT fantards the intelligent expectation of Windows is that it is as fucked up as a concrete bicycle.

      Windows is not secure in common use, cannot be made secure in common use, and running it with the expectation that it won't be exploited is as smart as using a cutting torch in your lap.

      "Wah, my 'Doze is broken!"

      Don't run a shit OS, and don't respond to those who remind you not to run a shit OS as if that statement is a troll.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    3. Re:Again no word of Microsoft or Windows by daveime · · Score: 1

      Yes, and spending your entire life in a Sensory Deprivation Tank is probably "saver" than being a bullfighter. Your point is ?

    4. Re:Again no word of Microsoft or Windows by Anonymous Coward · · Score: 0

      Sooner or later there will be viruses/malware targeting linux. Linux will be harder to successfully attack, but it is possible.

    5. Re:Again no word of Microsoft or Windows by Anonymous Coward · · Score: 0

      [quote]6) Ubuntu is safer than Microsoft Windows: The vast majority of viruses and spyware written by hackers are not designed to target and attack Linux.[/quote]
      And they couldn't, because Ubuntu doesn't let you do stupid things like install ActiveX controls untended or autorun things from flash drives.
      Even if a worm somehow ends up on a Ubuntu system, it would be damn difficult to infect the system unless you would type in your password without giving it a second thought any time gksudo pops up.

      Oh, and Ubuntu users get automatic updates hours after they get patched for core OS elements, meaning worms have a very limited timespan to infect hosts if they use a known vulnerability.

    6. Re:Again no word of Microsoft or Windows by devent · · Score: 1
      My point is pretty obvious. Don't use Microsoft Windows for anything that money depends on. Also, on the topic of the article, don't use Windows for SMB systems, so you don't fall in the 48% which are infected and don't fall in the other 52% that are spending a lot of money or just were lucky this time.

      By extension, my point is, please mention in every security report that it's Microsoft Windows so even the last MSfanboy realizes that Windows is just an insecure system to play some games and nothing more.

      My last point is of course "6) Ubuntu is safer than Microsoft Windows: The vast majority of viruses and spyware written by hackers are not designed to target and attack Linux." http://www.theregister.co.uk/2010/06/14/dell_ubuntu_windows_security/ Even though the statement contains some truth (in fact, no viruses and spyware are targeting Linux), it doesn't tell you why the viruses and spyware are not targeting Linux, and it doesn't have anything to do with Linux having such a small market, because Linux's market share everywhere else but the desktop is huge and sometimes more than that of Windows.

      --
      http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
    7. Re:Again no word of Microsoft or Windows by jrumney · · Score: 1

      It's 25 percent of new Windows worms.

      OK the headline is misleading, that makes it 24.99978% of new worms overall. Happy now?

  34. Still allergic to identifying Windows malware by Anonymous Coward · · Score: 0

    Still allergic to identifying Windows malware as Windows malware, I see. It's not "computers" that are affected, it's "Windows computers."

  35. Remind me by Runaway1956 · · Score: 1

    I shouldn't be plugging the dog or the cat into the USB port.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  36. Gotta be picky, it's Thursday after all... by bagofbeans · · Score: 1

    As further proof, 27 percent confirmed that the source of the infection was a USB device connected to a computer.

    Actually that's evidence, not proof.

  37. 48 percent of SMBs? by Karellen · · Score: 1

    SMBs? Huh? Does that even make sense?

    --
    Why doesn't the gene pool have a life guard?
    1. Re:48 percent of SMBs? by quantumphaze · · Score: 1

      Super Mario Bros?

  38. But does it run on Linux??! by mspohr · · Score: 1
    Since I run only Linux and Mac, I am concerned that again I am missing all of the fun of dealing with malware.

    How is this "news for nerds"? Do real nerds still run Windows?

    --
    I don't read your sig. Why are you reading mine?
    1. Re:But does it run on Linux??! by udoschuermann · · Score: 1

      No, real nerds have never run Windows, not as their primary O/S at least. Their nerd cred would be forever shot if they did, and the smiling face of billg would haunt them in their sleep forever.

      --
      --Udo.
    2. Re:But does it run on Linux??! by Fnord666 · · Score: 1

      Do real nerds still run Windows?

      No, but I'm guessing that most of us are the "IT guy/girl" for someone else who is.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    3. Re:But does it run on Linux??! by mspohr · · Score: 1
      I think you are right. Even if we don't run Windows, we have to deal with those who do and the spam and security breaches that they cause. I work a lot in Africa where Windows malware is pervasive and I am constantly exchanging USB sticks with Windows users. These don't cause me any problems but I will frequently notice "extra" files and directories that get added to the USB stick. I delete these on Linux and this usually works but sometimes these things get passed around a lot and someone gets infected from one Windows machine to another before I have a chance to clean it up.

      This is a lot like public health immunizations. You can be immune yourself but when there is a large reservoir of infections, the epidemic will continue with consequences for everyone.

      --
      I don't read your sig. Why are you reading mine?
  39. Apparently there's more to usb by orogorhotmail.com · · Score: 1

    Having been badly hit with a worm we did hire a security consultant, and the thing that was tickling me is how come the worm wasn't hit by on access scan. His response was that as we were infected by a usb key (we're sure of this), there's something specific about usb which makes it so that on it the on access scan won't work, or at least won't work in time, if there's autorun on a computer the worm can be run, go to memory (it bypassed oas), steal some credentials, spread via network, save itself on computer drives with your credentials so it can survive a reboot. From there attach itself to critical windows services that can't be unloaded, attach itself to antiviruses so they don't see it. Spread some more.....

  40. Auto run is not everything by Twillerror · · Score: 1

    Certainly auto run is an issue here, but the bigger issue is that typically these drives may have installation files and write access.

    Unlike program files or the various write protected folders on Linux these guys will be wide open.

    If I've already gotten malware on your box and I see a nice little fully writeable USB key or external drive I'm going to look for an .exe or other executable to infect. Hell maybe even write a .JPEG, .PDF, .SWF, or any other non exe that could have an attack depending on what box it gets plugged into and loaded up.

    If I find it I can just write into her like back in the day. Unlike floppies there isn't some kind of boot sector generally.

    Floppies were about either getting your snippet of code into a .exe or onto the boot sector. Then praying the user left the disk in ( or forcing a restart while it was still in ). If you got into an .exe hoping the user gave it to a friend who used it.

    Also, are these worms? Sounds more like your traditional STD type virus versus airborne.

    So even with Macs you could write out an HTML file with a known attack for Safari and see if they give it to a friend. Ultimately OSs need some sort of virus software to at least detect weird behavior like this.

  41. I smell a PR firm at work. by elb · · Score: 1

    With survey responses from more than 10,470 companies across 20 countries, it was revealed that approximately 48 percent of SMBs (with up to 1,000 computers) admit to having been infected by some type of malware over the last year. As further proof, 27 percent confirmed that the source of the infection was a USB device connected to a computer.

    Horsesh*t. I do PM / UX at a website whose users are SMBs. Most of my life is spent talking to SMB owners: interviewing them, usability testing with them, dealing with customer support issues, etc. While these people are, in general, certainly not dumb, most of them (1) have a limited idea of how to use their computers (they're too busy and they often outsource IT functions, even if only to the Geek Squad) (2) have a limited understanding of what 'malware' is (3) would have no way of knowing that the malware came from a USB device and were probably just making that up (4) were probably using sketchy cheap malware-infested software they downloaded from the internet rather than paying for a reliable package since they tend to be very cost-conscious and (5) were probably trying to explain why there's all that pr0n stashed on their hard drives.

    In other words, self-reporting by "SMBs" (owners? IT people? who?) about malware incidents in the past year is likely a complete line of bull poo concocted by a PR firm trying to be a "thought leader" and getting people to their blog post / website (our firm does this, although we at least make them be reasonably methodologically rigorous).

    My company has also conducted surveys of SMBs, both for UX / Product reasons and PR "thought leader" reasons. You can buy a DB / mailing list of vetted business owner / manager / C-level email addresses for conducting research like this. That list can in fact include owners / managers / IT people at what you think of when someone says "SMB" i.e. a small business with a few employees up to I think 1,000 employees. That list could also include a whole bunch of sole proprietors of companies like "Angela's Passion Parties" or "JayBob's Babysitting and Handywork". We don't know anything about who responded to this survey or whether they were actually the people who had to deal with the problem.

    USB autoplay is hugely helpful for a great many people. Don't be so credulous of this story and start attacking what has been a great advancement in personal computing that's saved a lot of normal people a lot of frustration with their peripherals.

    Move along, nothing to see here.

    1. Re:I smell a PR firm at work. by Anonymous Coward · · Score: 0

      Alternatively, you could be a virus writer who doesn't want to see a comfortable execution route shut down.

      I have no idea if you are (probably not), but uncontrolled autoexec capabilities have been a risk for years and it would be nice if a user is actually able to choose if he/she wants it (or at least wants it executed).

  42. REALLY? Re:No, really? by Anonymous Coward · · Score: 1, Insightful

    25% eh. Sounds like bullshit to me. Ought to sound like bullshit to you too. Think about it a minute. What this is is another press release trying to get a company's name in the press. Shame on /.ters for believing such nonsense.

  43. Darwin strikes! by udoschuermann · · Score: 1

    I think I'll put something like "FORMAT C: /X /Y" in an autorun.inf file of all my removable devices. That'll learn 'em!

    --
    --Udo.
  44. What do you mean nobody? by George_Ou · · Score: 1

    Microsoft isn't a nobody and they enabled autopwn, I mean autorun by default.

  45. number of viruses != number of infections by wealthychef · · Score: 1

    Realize the 25% number is the number of viruses. It does not necessarily mean that 25% of worm infections are caused via USB.

    --
    Currently hooked on AMP
  46. well, shoot by zogger · · Score: 1

    ..and here I thought they just liked the taste of my corn, squash and tomatoes..learn new stuff ever' day.... /me heads to the farm n feed for USB spray.....

  47. what about USB keyboards as more systems drop ps2 by Joe+The+Dragon · · Score: 1

    what about USB keyboards? as more systems drop ps2 you will need to have usb ports.

  48. Intel could HELP the west by WindBourne · · Score: 1

    Many of the USB devices ARRIVE infected. So, if Intel were to re-open the plant in Colorado Springs, have it do USB flash drives, and then sell them to the DOD and most groups in the gov. as well as in EU, with all bits accounted for. It would be a bit more expensive, BUT it is an opportunity to re-create manufacturing in the USA/West while securing the computers.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  49. Locked sockets by Zoxed · · Score: 1

    One thing I noticed when visiting a large European organisation for the first time over 15 years ago was that the Windows PC on the most critical network did have floppy drives but with a special lump of plastic locked in so that the casual user could not insert a floppy but tech. support could.
    The same place now has standard Windows PCs with USB ports but they are not physically disabled.

  50. the stores don't own / do tech work o Photo kiosks by Joe+The+Dragon · · Score: 1

    the stores don't own / do tech work on the Photo kiosks it's outside independent contractors / sub contractors.

  51. Solution. by bananaendian · · Score: 1

    This is a Windows-only problem. Solution here.

    Import the following to registry:
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:blahenterrandomlettershere"

    It will cause Windows to ignore anything inside autorun.inf by replacing the content with a non-existing entry, i.e. null.

    Delete this branch from registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

    It will wipe away any cached mountpoints and their autorun information.

    Disclaimer: This will disable the USB autorun related vector for malicious code as well as any other mounted media or network resource. 'Autoplay' and all its features will still function the way you set them. This fix will break anything that depends on code inside autorun.inf, i.e. say goodbye to nice 'automatic installation', drive media renaming or placing nice icons to itself etc. Mostly useless stuff. Some special usb-sticks with software features built on autorun might not work anymore. Sad.

    --
    www.tribalnetworks.org - helping tribal people around the world to own their own means of high-tech communications
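
To see which autorun.inf entries the IniFileMapping override in the comment above stops Windows from acting on, the sketch below sorts a file's [autorun] entries into those that launch a program and those that only rename or re-icon the drive. It is an added example, not part of the comment or of any Microsoft tool; it assumes the documented [autorun] entry names (open, shellexecute, shell\verb\command, icon, label), and the sample file is constructed.

```python
import re

# Documented [autorun] entries that make Windows launch something.
EXEC_KEYS = {"open", "shellexecute"}
# Entries that only change how the drive is presented (name, icon).
COSMETIC_KEYS = {"icon", "label"}
# Context-menu verbs: shell\<verb>\command=<program>
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")

def triage_autorun(text):
    """Return (executing, cosmetic) lists of (key, value) pairs
    taken from the [autorun] section only."""
    executing, cosmetic = [], []
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():   # tolerate a BOM
        line = raw.strip()
        if not line or line.startswith(";"):         # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section and key names are case-insensitive in INI files.
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            executing.append((key, value))
        elif key in COSMETIC_KEYS:
            cosmetic.append((key, value))
    return executing, cosmetic

# Constructed sample, not taken from a real device.
SAMPLE = r"""
; constructed sample
[AutoRun]
Open = setup.exe /quiet
icon=drive.ico
label=Backup Stick
shell\explore\Command=tools\helper.exe
shell=explore
[Content]
open=ignored.exe
"""

if __name__ == "__main__":
    executing, cosmetic = triage_autorun(SAMPLE)
    for key, value in executing:
        print(f"EXECUTES  {key} -> {value}")
    for key, value in cosmetic:
        print(f"cosmetic  {key} -> {value}")
```

Both lists stop being honoured once the override is in place, which is the trade-off the comment's disclaimer describes.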
  52. How-To Disable Autorun by bloobamator · · Score: 2, Informative

    Wow. The instructions for disabling Autorun are hideous: http://support.microsoft.com/kb/967715. Is this really how one disables it?

    This one looks slightly less hideous: http://www.us-cert.gov/cas/techalerts/TA09-020A.html.

    I apologize in advance for the noob question.

    --
    "Crude and slow, clansman. Your attack was no better than that of a clumsy child."