• On GameSpot: Wii Fit tells 10-year-old she's fat
advertisementGet the magic: HP TouchSmart
November 20, 2008 4:10 PM PST

USB devices spreading viruses

Posted by Elinor Mills
  • Font size
  • Print

USB thumb drives are convenient, popular and often free--and they're spreading viruses like sailors on shore leave.*

The US-CERT (Computer Emergency Response Team) issued a warning on Thursday that malicious code is increasingly propagating via USB flash drive devices.

Meanwhile, the U.S. Department of Defense has temporarily banned the use of thumb drives, CDs, and other removable storage devices because of the spread of the Agent.bzt virus, a variant of the SillyFDC worm, according to Wired.

We've seen this before with portable external storage devices. Floppy disks were the culprit in the early 1990s, followed by CDs. The fact that USB thumb drives are being used by so many people makes them an attractive target for virus writers.

"The bad guys are intentionally developing new flavors of malware designed to propagate through USB devices," said Gunter Ollmann, chief security strategist for IBM's ISS security division. "They are today's floppy drives."

(Credit: CNET News/James Martin)

But USB drives are even handier. Their small size makes them easy to slip into a pocket or carry on a lanyard around your neck. A common swag item in the tech industry, they also are mainstream consumer storage devices. They literally litter my desk drawers.

There are a couple of ways USB thumb drives can be used to spread viruses and other malicious software.

An infected computer can spread a virus to a clean USB thumb drive that is inserted. That USB drive will then be spreading the virus onto other computers if the operating system on those machines has an AutoRun-type feature enabled. The AutoRun function in Windows launches installers and other programs automatically when a flash drive or CD is inserted. The Mac has an equivalent function, according to Ollmann.

For that reason, people should disable any AutoRun features and manually launch programs when using a flash drive, he said. CERT has information about the dangers associated with AutoRun here, as well as tips specific to the safe use of USB drives here.

A virus also can be embedded in what looks like a normal file on a USB device, so that even if AutoRun is disabled, the computer will become infected when the file is opened.

Thumb drives aren't the only culprits; any device that plugs into a USB port--including gadgets like lights, fans, speakers, toys, even a digital microscope--can be used to spread malware, Ollmann said.

The devices can be infected during the manufacturing or supply chain process if quality control measures are not adequate, he said.

In addition to disabling AutoRun, Ollmann suggests that people use an antivirus tool to scan their USB devices before opening any files from them and be cautious with files on devices even if they come from trusted sources.

There's also the danger that the small devices can be lost, exposing the data on them to whoever happens to find them. A Swedish soldier was recently convicted of negligence after leaving a USB flash drive with classified information on it in a computer at a Stockholm university, according to an Associated Press report. And a British tax agency was forced to shut down its Web site after a contractor lost a flash drive containing confidential passwords and source code in a pub parking lot last month.

So, feel free to carry a USB memory stick, but be very careful where you put it.

*My sincere apologies if I offended anyone with this lead sentence. I struggled to find an analogy that works for infections spread by physical contact and which involve mobility, and airborne medical outbreaks just didn't work.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Topics:

Privacy & data protection,

Vulnerabilities & attacks

Tags:

USB,

thumb drives,

security,

viruses

Share:
Digg
Del.icio.us
Reddit
Recent posts from Security
McAfee: Google developer site being used to distribute malware
Fake CNN site from phishing e-mail hides a Trojan
Patch for critical Windows vulnerability coming
Latest problem import? Infected digital photo frames
Study: Data breaches rose in 2008
Fake celeb LinkedIn profiles lead to malware
Hackers hit MacRumors keynote coverage
Alarm systems at risk: UL establishes a higher security requirement for magnetic switches
Add a Comment (Log in or register) 20 comments
by n3td3v November 20, 2008 5:08 PM PST
"Meanwhile, the U.S. Department of Defense has temporarily banned the use of thumb drives, CDs, and other removable storage devices because of the spread of the Agent.bzt virus..."

There is no security through obscurity.
Reply to this comment
by Peleg72 November 25, 2008 2:34 AM PST
Obscurity? It is more like inanity.
Instead of limiting the US army personal and by that reducing the organization?s efficiency there is a solution to this "disease".
Malware is defiantly not a new threat and I wonder why any time a big organization like the US army faces such an attack, their immediate response is not reasonable.
The US Army Must maintain its mobility and also to secure its sensitive information.
SanDisk Enterprise recently released a secure USB drive with McAfee malware protection.
I read all about it in their <a href="http://www.sandisk-enterprise.com/blog"> secure USB drive blog </a>"
Thinking of it, any private person who faces malware would protect himself from why and not stopping to use his computer, right? so why not the US Army does so?
:) So guys (from the US Army) talk to SanDisk they might save you some trouble.
by DaClyde November 20, 2008 5:25 PM PST
The continued incompetence by DoD IT people is staggering. They have piles of regulations that they refuse to enforce consistently, don't provide the training or staff in the areas that are having the most problems and are very big on ignoring preventative security policies, preferring to crack down AFTER a problem has arisen.

There's nothing that has happened on a DoD network that properly applied group policies or updated virus scanners wouldn't have caught or prevented. And nothing will change after whatever caused this crack down. This knee-jerk ban would practically cripple certain DoD projects that depend on removable media if actually enforced on all levels.

And CDs? Seriously?
Reply to this comment
by tech_crazy November 20, 2008 5:28 PM PST
"Thumb drives aren't the only culprits; any device that plugs into a USB port--including gadgets like lights, fans, speakers, toys, even a digital microscope--can be used to spread malware, Ollmann said. "

Seriously, lights and fans? All they hook up to are the power pins in the USB connector.
Reply to this comment
by blueshore November 20, 2008 6:41 PM PST
Partially right. Some USB hardware has some flash memory to store drivers (like the Sprint or at&t USB modem cards), Other are just using the power pins. But it makes you wonder if it is possible to infiltrate a flash memory into a fan or a light (or a mug warmer).

Revenge of the Furby?
by Mr. Dee November 20, 2008 5:44 PM PST
The network at the institution I attended was brought to its knees because of thumb drives. The viruses kept propagating because everybody plugged in the thumb drives in every computer willy nilly. Symantec was never updated or the server was not distributing definitions properly. The server itself was brought down a few times, even when Symantec EndPoint did remove the viruses, malware and Trojans they left back residue of Administrative privileges being disabled through group policy, we had to repair it with a tool called RRT. Thumb drives when cleaned kept getting reinfected because persons laptops including mine were infected and the cycle just continued. I just came to a point where I said, I am not putting my thumb drive in any computer on campus. The only computer I did put my thumb drive in was a friends MacBook Pro and that was just for OS X. Her boot camp installation of XP even got infected, thank goodness I created a bunch of system restore points for her. So every time she got infected and Trojans disabled admin privileges I simply restored to an early point in time before the virus infected the system and created a new system restore point. I did this also for my friends XP and Vista note books. I also told them to stop plugging in the Ethernet cables in their laptops and use the wi-fi instead. A majority of the lab PC's were running Windows 2000 Professional which does not include Auto-Run like XP, but when thumb drives are plugged in they must be initialized and the vulnerabilities take advantage of that window of opportunity, so the system still gets infected. One particular worm called Brontok is known for propagation on the network and there are different variants. So even when you did catch one with your AV you still didn't catch because another variant had already been created. Its quite obvious that the problem is not Windows 2000, because even friends running Vista 64 bit with all its built in security features such as Standard Admin account, ASLR, Patch Guard, Driver Signing, Windows Defender, Firewall on and AV on top of that was still vulnerable.
Reply to this comment
by catch23 November 20, 2008 6:04 PM PST
BS. Vista running at standard user would do jack. At least nothing that will compromise the system.
Peddle your worthless FUD elsewhere.
by Mr. Dee November 20, 2008 7:13 PM PST
catch23, I am just telling real experiences, no lies.
by alegr November 20, 2008 9:43 PM PST
"Standard Admin"? WHat's that? Ther is Administrator and Limited User. Under UAC, Administrator session runs mostly under Restricted token, unless a process starts with elevation, which removes restriction. But this is a kludge anyway. Just use Limited User accounts.
by Penguinisto November 21, 2008 7:05 AM PST
Heya folks - y'all do know that malware doesn't need to run under elevated privileges to operate as a zombie or as an SMTP spam-pump, right?

/P
by nopinktoday November 20, 2008 6:06 PM PST
Pretty creepy. So now every time I plug in my PSP to my desktop, ima pray to the heavens for no Trojans.

No more Trojans mommy!
Reply to this comment
by lkrupp November 20, 2008 6:23 PM PST
"Seriously, lights and fans? All they hook up to are the power pins in the USB connector."

That's the beauty of FUD. It doesn't have to make sense.
Reply to this comment
by Perry_Clease November 20, 2008 6:26 PM PST
"Pretty creepy. So now every time I plug in my PSP to my desktop, ima pray to the heavens for no Trojans."

Well if a sailor was wearing a Trojan then he wouldn't spreading/getting viruses while on shore leave. :)

"My sincere apologies if I offended anyone with this lead sentence. I struggled to find an analogy that works for infections spread by physical contact and which involve mobility, and airborne medical outbreaks just didn't work."

I spent over 20 years in the US Navy and never once spread a virus. :)

For an analogy that "covers" your bases, how about; Spreading a virus like a sick kid with the flu and coughing while on a transcontinental flight.
Reply to this comment
by benjwah November 20, 2008 6:35 PM PST
Sweden has soldiers?
Reply to this comment
by dmm November 21, 2008 8:03 AM PST
Yeah, that's what the secret information was.
by cyberspittle November 20, 2008 10:12 PM PST
Does this affect Linux computers? No? Hmmm.
Reply to this comment
by imacpwr November 21, 2008 12:14 AM PST
Conveniently forgot to mention whIch OS this is affecting.....??? When is the USA government ever going to get smart and switch to a safe(r) operating system. Heck, anything would be safer than M$...!!
Reply to this comment
by celticbrewer November 21, 2008 8:23 AM PST
Anyone care to post the link to the research showing that macs have more vulnerabilities than PCs?

I'm sure if businesses and the government switched to another OS (including Linux, cyberspittle), the malware writers would quickly churn out programs for those OSes. NOTHING that is networked or that allows peripherals is, or ever will be, totally secure. Deal with it!
by afterhours November 21, 2008 8:04 AM PST
Picking on sailors? No offense taken -- I'm sure you could point to one or two instances where they outmatched, say, journalism students on a Saturday night, or office workers at a Christmas party, or Congressmen in the Page lounge, or...
Reply to this comment
by strongheartshadow November 27, 2008 1:42 PM PST
I read the story and I noticed just how quick some guy was to jump on the Department of Defense.
Maybe the reader did not notice that the soldier was Swedish. They are not part of our Military!
The Tax collector was British! He's not our's either! Quite possibly the DOD is responding cautiously; that's not a bad thing..

As for brains it's good thing that person is not handling security in this country. We would be in a real mess!
Reply to this comment
advertisement

In the news now

June target: Chrome for Mac, Linux

Google has revealed its goal for releasing Mac OS X and Linux versions of its browser. Also, cutting-edge Chrome sports early work to enable extensions.


Amazon, Apple and the price of music

Record labels aren't cutting deals, sources say. If downloads are cheaper on Amazon than iTunes, then they're likely a loss leader.


Gadget extravaganza in Las Vegas

CES 2009 is in full swing. Highlights so far include Palm's WebOS and Pre device, Microsoft's Windows 7 beta, and much more.


About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
Site map
Latest news
Business tech
Green tech
Wireless
Security
Popular topics
Apple iPhone
Apple iPod
CES
Cell phones
Dell
GPS
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
Corrections
Customer Help Center
RSS
CNET Widgets
About CNET