Slashdot Mirror


25% of Worms Spread Via USB

An anonymous reader writes "In 2010, 25 percent of new worms have been specifically designed to spread through USB storage devices connected to computers, according to PandaLabs. This distribution technique is highly effective. With survey responses from more than 10,470 companies across 20 countries, it was revealed that approximately 48 percent of SMBs (with up to 1,000 computers) admit to having been infected by some type of malware over the last year. As further proof, 27 percent confirmed that the source of the infection was a USB device connected to a computer."

34 of 190 comments

  1. No, really? by oodaloop · · Score: 3, Insightful

    Since pretty much everything is connected with USB these days, is this any kind of surprise? Were there any worms spread using a serial port?

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    1. Re:No, really? by Anonymous Coward · · Score: 3, Interesting

      Were there any worms spread using a serial port?

      heh. oddly enough...

    2. Re:No, really? by TheRaven64 · · Score: 4, Informative

      I don't remember any worms spreading automatically via serial port. It would have been difficult, because there weren't many peripherals that had internal storage space and connected via RS-232, and computers connected with a null-modem cable typically had to run some custom software for file transfer.

      I do, however, remember a lot of worms spreading via floppy disks. Boot sector viruses were especially common in the DOS days. If you left a floppy in the drive, the BIOS would try to boot from it the next time you turned your computer on. It was quite common for a worm to install itself on the boot sector of any inserted floppy so that when you booted from that floppy it installed itself on the hard drive and then printed a 'please eject floppy and reboot' type error. You'd eject the floppy and reboot, and the machine would start normally, only now you'd be infected.

      Since USB drives have replaced floppy disks for offline file transfer, it's not surprising that this is a common attack vector.

      --
      I am TheRaven on Soylent News
    3. Re:No, really? by operagost · · Score: 2, Funny

      None that I know of, but today's USB drive is yesterday's floppy.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    4. Re:No, really? by HiThere · · Score: 2, Funny

      Well ... modems used to connect over the serial port. I seem to remember a few viruses that spread that way.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re:No, really? by DrgnDancer · · Score: 3, Insightful

      As someone already pointed out, it's faster for large data transfers, but I don't think that's a majority of the problem. It's mostly just convenience. Let's say I have a presentation to give to your company. It's the same presentation I give to every company that has shown an interest in my product. I could e-mail each and every company a copy of my presentation before I show up (and hope that the person I e-mailed it to remembers to put it on the presentation machine), or I can carry it on a thumb drive. Or maybe I was working on the presentation on the flight, and didn't have Internet access to send it to you. Or I'm a tech support guy who carries a bunch of diagnostic tools around with me. There's a ton of reasons why people carry these things around, speed not a huge factor for most of them.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
  2. Big surprise by betterunixthanunix · · Score: 2, Interesting

    Hm, software vendors put enormous effort into preventing attacks over the Internet. Did anyone really think that virus writers were not going to find new attack vectors?

    --
    Palm trees and 8
    1. Re:Big surprise by gstoddart · · Score: 4, Insightful

      Hm, software vendors put enormous effort into preventing attacks over the Internet. Did anyone really think that virus writers were not going to find new attack vectors?

      How is this a "new" attack vector?

      Microsoft has had auto-run on things like CDs and USB drives for years, and you usually need to turn it off. Otherwise, it would happily run any old shit you plug in without even asking.

      When I plug my iPad into my Vista box, the auto-run dialog comes up and asks me if I want to either download pictures or open it like a file storage. There is no "do nothing" option, which I find kind of amusing, since I've usually turned off auto-run for everything.

      I'm not even remotely surprised that USB is a popular attack vector -- they're the new floppies. Microsoft has defaulted to "easy" mode (run everything), which also happens to be the most trusting and dangerous mode you could get. I think this was kind of inevitable.

      --
      Lost at C:>. Found at C.
    2. Re:Big surprise by gad_zuki! · · Score: 2, Insightful

      >There is no "do nothing" option, which I find kind of amusing, since I've usually turned off auto-run for everything.

      That's not what people call autorun, especially in the context of USB viruses. Autorun means when the OS just launches the .exe listed in the autorun.inf file automatically. That's how this stuff spreads. Vista and 7 no longer support this and throw a "What would you like to do" screen, which is fine by me.

    3. Re:Big surprise by AndrewNeo · · Score: 2, Informative

      Er. The last version of Windows that "ran everything" was XP. Just because the dialog comes up in Vista or 7 does NOT mean that the actual autorun application is being executed. The dialog you see is for user convenience, and still has a link to the autorun application, but does not do it on its own anymore. When you plug your iPad in, the "do nothing" is the X button in the corner. Nothing happens besides that dialog coming up. It would be nice if it offered iTunes in the list, though.

    4. Re:Big surprise by Sockatume · · Score: 2, Informative

      What you're describing isn't autorun, but the XP-and-onwards "hey, there's new storage" prompt. While they're both annoying to some degree, Autorun executed any autorun.inf in the root of the new storage without prompting, making it a useful way of spreading viruses. The prompt you're referring to doesn't.

      --
      No kidding!!! What do you say at this point?
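Added example, not part of the thread: the comments above describe Autorun as Windows launching whatever an `autorun.inf` in the root of new storage names. This Python example lists those launch entries so a drive's `autorun.inf` can be reviewed before the drive is opened; the sample file contents and the `RISKY_EXT` list are constructed assumptions.

```python
# Added example (not from the thread): report what an autorun.inf would launch.
import ntpath  # Windows path rules, importable on any platform
import re

# Keys in the [autorun] section whose value is a command to execute.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# Assumption: extensions treated as directly executable for this report.
RISKY_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample, not taken from any real device or malware.
SAMPLE = r"""
; constructed sample
[AutoRun]
label=Holiday Photos
icon=folder.ico
OPEN=setup.exe /quiet
shell\explore\command=tools\viewer.scr
UseAutoPlay=1

[Content]
MusicFiles=false
"""


def parse_autorun(text):
    """Return {section: [(key, value), ...]} with lower-cased names.

    Tolerant on purpose: lines that are neither '[section]' nor
    'key=value' are skipped instead of raising.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def target_of(command):
    """First token of a command line, honouring double quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def triage(text):
    """List every [autorun] entry that names something to execute."""
    report = []
    for key, value in parse_autorun(text).get("autorun", []):
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            target = target_of(value)
            ext = ntpath.splitext(target)[1].lower()
            report.append({"key": key, "target": target,
                           "executable": ext in RISKY_EXT})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry)
```
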
    5. Re:Big surprise by FoolishOwl · · Score: 2, Insightful

      I've seen the conspiracy theory pre-emptively denied, but this is actually the first time I've seen it asserted.

      When I've seen lists of viruses, I've been puzzled that some of them -- a small proportion -- have the annotation that they have been seen "in the wild." Occasionally, I'll see hints that many viruses are only theoretical. Is it the case that the security companies are competing to invent computer viruses, then using those computer viruses, which exist only in their own labs, to inflate the ever-increasing numbers of computer viruses they supposedly defeat?

    6. Re:Big surprise by DrgnDancer · · Score: 2, Informative

      Or more likely they have their own research labs, and they have white and gray hat hackers who send them exploits that they discover. This allows them to try and stay ahead of the game, instead of reacting to every new virus several hours or days after it's been released by someone malicious. If a white hat sends the AV company the latest virus he's written and the AV company said, "oh, that's vera nice... we'll include it in a definition file if anyone bad ever discovers it" how would you feel?

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
  3. Surprise? by Joce640k · · Score: 5, Insightful

    It's only going to surprise people who thought nobody would be stupid enough to enable autorun by default in a consumer OS.

    --
    No sig today...
    1. Re:Surprise? by Jedi Alec · · Score: 2, Insightful

      Honestly, that has been annoying the crap out of me since the very first release of Windows 95. How *anyone* could think that is a good idea continues to baffle me.

      Then again, turning it off for all possible devices and situations is very satisfying :)

      --

      People replying to my sig annoy me. That's why I change it all the time.
    2. Re:Surprise? by Darkness404 · · Score: 3, Insightful

      Remember the days of DOS and having to try to walk someone through installing something through DOS (with a CLI mind you) and how many people couldn't just type the drive right? Misspelled Install every single time, etc?

      Yeah, autorun might be a security nightmare, but it's a lot nicer for anyone who has had to do tech support with clueless users.

      --
      Taxation is legalized theft, no more, no less.
    3. Re:Surprise? by oodaloop · · Score: 4, Funny

      Oh, whoops! Was I standing on your lawn? Sorry 'bout that.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    4. Re:Surprise? by Jedi Alec · · Score: 2, Interesting

      Oh, I do remember the days of DOS. I also remember that anyone too retarded to use a combination of dir and cd almost by definition did not get to touch a computer.

      As for autorun being good for tech-support, I wonder how many calls could have been *prevented* by disabling it. And I've had my share of calls as well, so I know the drill ;-)

      --

      People replying to my sig annoy me. That's why I change it all the time.
    5. Re:Surprise? by DavidTC · · Score: 5, Interesting

      Yes, but an equally useful thing would have simply been a 'Install program' menu item, that, when launched, looks on all removable media for autorun.inf files or whatever, and presents their devices, names, and icons in a little list where you pick one.

      Automatically running it was just stupid. You can automate systems but still put a menu item to start the process.

      Hell, in some cases, that would result in less steps. We've all had to walk someone through an install progress, and ended up first having to uninstall something else or update a driver and then reboot...at which point, to get autorun to work, they have to eject the damn CD and put it back in.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    6. Re:Surprise? by Jimmy King · · Score: 3, Insightful

      While I agree with you, this is unfortunately not the way the world works. It was more profitable to insist that everyone needs computers and that they are easy to use and require no training or knowledge and would just work.

      So now we've got a few people who can't and never would be able to manage that who have computers and use them daily. Then we have a bunch more people who could manage that, except marketing (and even some IT pros that seem to give advice based on what would be ideal rather than what actually is) has told them that it just works and they don't need to have a clue what's actually happening or how to do anything because it will all just happen for them. So now, even though they could learn how it works and how to do things, they don't and are convinced they shouldn't have to and get upset when something doesn't just work, trouble and risk free.

      The best solution, of course, would be to get it through to people that computers are actually not simple and are very complex and require some level of understanding and research to use effectively and safely. That's a lot easier said than done, though, since no one wants to hear our opinion on the situation. The ones that do want to hear it likely don't need us to tell them.

    7. Re:Surprise? by hairyfeet · · Score: 2, Insightful

      You've obviously never worked tech support. Trying to walk a totally clueless user by phone through installing software can be a fricking nightmare! So yeah, while we can see in hindsight it was a bad idea, at least on CDs I could see why they did it. BTW for those that have to deal with clueless users by phone? Let your old pal Hairyfeet hook you up with Ninite which is a fricking Godsend. More than 90 of the most common apps, including Chrome, Firefox, Flash, Java, .NET, even free AV, and all you have to do is tell them which boxes to check and then run. That's it! Oh and for those working corp they have a pay version that sets those and any other apps you want on an on site server to save bandwidth.

      And for those that still have XP boxes on their networks (which I would be switching to Windows 7 right about now, it's better on security and really stable) allow me to give you the reg fix for disabling autorun. Ironically you can point an autorun.inf on a flash at it and use it to disable autorun on any PC it is plugged in to. But ultimately I'd say the problem with Windows, or any other OS for that matter, is still PEBKAC by far. Just look at how many clueless users would pick up a flash drive out of the parking lot and plug it into a PC in the office? Hell I still get one or two a week that fall for that fake Windows dialog box on websites. To quote the Gump "Stupid is as stupid does" and anyone that hasn't killed autorun at this point is nuts.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    8. Re:Surprise? by Rich0 · · Score: 2, Funny

      Or, go ahead and have an auto-install process, but don't make it "look for a file on any removable media and run any executable that it references."

      Instead, when you insert a disc have the OS's package manager look for an installer file in the proper format, and then the package manager asks the user if they want to install the file. Don't have every software vendor writing their own installers.

      Oh, Windows doesn't have a package manager? Well, we should fix that as well. There is no reason that software should need its own install executables. An installer needs to get files into the right (ie standards-driven) process on the drive, and initialize global settings. There is no reason that a centralized package manager can't do that (just look at any linux distro). As a bonus uninstalls become trivial without any vendor support.

    9. Re:Surprise? by wbo · · Score: 2, Informative

      Yes, but an equally useful thing would have simply been a 'Install program' menu item, that, when launched, looks on all removable media for autorun.inf files or whatever, and presents their devices, names, and icons in a little list where you pick one.

      Actually older versions of Windows did have such a menu item but it was removed in Vista, probably because very few people actually used it. Prior to Vista there was a control panel applet called "Add/Remove Programs". I first encountered it in Windows 95.

      Most people used it to uninstall software but the applet also had an "Add Software" button that would scan all removable media for an installer and offer to execute it.

      What I don't understand is why people keep complaining about the autorun functionality, since in Vista and later autorun files are not executed by default. Instead when an autorun file is detected a dialog box is displayed asking the user if they wish to execute the autorun, open an explorer window to browse the files on the disk/device, or do nothing.

  4. there is nothing new under the sun by buddyglass · · Score: 3, Funny

    Way back in the day it was infected floppy disks. Given people now use USB drives like we used to use floppy disks, it only makes sense that malware would (once again) use them as a distribution method.

  5. PS -- a little more googling shows... by mcgrew · · Score: 4, Informative

    If you're running Windows 7 it appears that you're ok. But what took MS so long to fix this gaping hole?

    1. Re:PS -- a little more googling shows... by AndrewNeo · · Score: 2, Insightful

      To their credit they did fix it in Vista.

    2. Re:PS -- a little more googling shows... by VGPowerlord · · Score: 3, Informative

      To their credit, they fixed this in Windows XP.

      Yes, XP. Specifically, Windows XP SP2.

      It no longer just runs the Autorun program, but instead gives you a dialog that asks what you want to do, with some default choices. The former Autorun command appears at the top of said list.

      The only thing Windows 7 did was remove said dialog when you attach non-optical media.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    3. Re:PS -- a little more googling shows... by FoolishOwl · · Score: 3, Insightful

      To be fair, I think part of what people hated about Vista was that Microsoft finally implemented some decent security. Users complained about being asked to enter passwords to authorize software installation and the like. Vista was a tremendous resource hog, but it looked to me like Microsoft decided to upgrade security and stability first, then optimized performance later in Windows 7. That's the responsible thing to do, and I think Microsoft got burned for doing the right thing for a change.

  6. Hardware write protection (few, but they exist) by Fencepost · · Score: 2, Interesting

    There are still a few USB drives out there with hardware write protect switches, but they're hard to find and you'll probably have to order online. I have what may at this point be the best listing available at http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/, culled from a variety of searches, message boards, and one German computer magazine (c't) which has its own listing.

    In the US, the most likely drives to find in stores if you're looking are a couple of Imation models (Pivot and Clip), plus lingering supplies of the older Swivel models (the swivel isn't all that sturdy, pockets will beat it up over time). I've not seen these widely in stores, but you may find the Clip in college bookstores - I suspect that's their target for the style.

    --
    fencepost
    just a little off
  7. Re:I thought USB devices were safe by Ukab the Great · · Score: 4, Insightful

    Good News: Assuming a certain level of competence where the windows machines formatting the drives in China were not recycled from somewhere else, had their hard drives given a clean wipe, and weren't hooked up to the Internet and used to browse Pr0n on lunch break, then yes drives in the blister pack are secure.

    Bad News: It's highly dangerous to assume a certain level of competence.

    Moral Of The Story: When you buy a flash drive, immediately format it and bypass any "value-added gravy" the manufacturer tries to shove down your throat.

  8. Re:"D:\Setup.exe" by jedidiah · · Score: 2, Insightful

    Fortunately, this thing called the GUI that was introduced to the world in 1984 solved most of those problems.

    No need to search for the disk.
    Searching for something to run is pretty straightforward.

    Knowing what a program looks like in a GUI will probably be declared a "burden" by some. However, you can't completely abdicate responsibility for a sophisticated tool without severe consequences.

    Sooner or later, something like Email Phishing will require the end user to plug their brain back in.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  9. How to disable Autorun in Windows. . . by Fantastic Lad · · Score: 2, Informative

    Autorun is one of Microsoft's more frustrating contributions to the world.

    But what is still more idiotic, is how user-unfriendly the path is to shutting it off. Microsoft's very own page on the issue...

    http://support.microsoft.com/kb/967715

    -FL

  10. Again no word of Microsoft or Windows by devent · · Score: 3, Interesting

    I posted it already on another news about a Windows bot net. The trojan/usb infection is only on Microsoft Windows. Please mention that. I and people with Macs couldn't care less. So I just post again and again and again:

    It's 25 percent of new Windows worms. Approximately 48 percent of Windows SMBs (with up to 1,000 computers) admit to having been infected by some type of malware over the last year. Linux and MacOS SMBs are still safe and will be safe.

    I would say Dell was right:

    "6) Ubuntu is safer than Microsoft Windows: The vast majority of viruses and spyware written by hackers are not designed to target and attack Linux." from http://www.theregister.co.uk/2010/06/14/dell_ubuntu_windows_security/

    --
    http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
  11. How-To Disable Autorun by bloobamator · · Score: 2, Informative

    Wow. The instructions for disabling Autorun are hideous: http://support.microsoft.com/kb/967715. Is this really how one disables it?

    This one looks slightly less hideous: http://www.us-cert.gov/cas/techalerts/TA09-020A.html.

    I apologize in advance for the noob question.

    --
    "Crude and slow, clansman. Your attack was no better than that of a clumsy child."