25% of Worms Spread Via USB
An anonymous reader writes "In 2010, 25 percent of new worms have been specifically designed to spread through USB storage devices connected to computers, according to PandaLabs. This distribution technique is highly effective. With survey responses from more than 10,470 companies across 20 countries, it was revealed that approximately 48 percent of SMBs (with up to 1,000 computers) admit to having been infected by some type of malware over the last year. As further proof, 27 percent confirmed that the source of the infection was a USB device connected to a computer."
No, really? (Score:4, Insightful)
Surprise? (Score:5, Insightful)
It's only going to surprise people who thought nobody would be stupid enough to enable autorun by default in a consumer OS.
Re: (Score:2, Insightful)
Honestly, that has been annoying the crap out of me since the very first release of Windows 95. How *anyone* could think that is a good idea continues to baffle me.
Then again, turning it off for all possible devices and situations is very satisfying :)
Re:Surprise? (Score:4, Insightful)
Yeah, autorun might be a security nightmare, but it's a lot nicer for anyone who has had to do tech support with clueless users.
Re:Surprise? (Score:5, Funny)
Re: (Score:2, Interesting)
Oh, I do remember the days of DOS. I also remember that anyone too retarded to use a combination of dir and cd almost by definition did not get to touch a computer.
As for autorun being good for tech-support, I wonder how many calls could have been *prevented* by disabling it. And I've had my share of calls as well, so I know the drill ;-)
Re: (Score:2)
Whereas with DOS you had to be somewhat careful about taking disks in and out to avoid filesystem corruption.
Re: (Score:2)
Oh, I do remember the days of DOS. I also remember that anyone too retarded to use a combination of dir and cd almost by definition did not get to touch a computer.
Because...computer stores refused to take their money?
It must have been a nice world you lived in, because in actual reality clueless nublets with enough money and a good enough excuse (usually business-related) had computers long before many hobbyists. That's pretty much the origin of the embittered technical support dude.
And, from the same wa
Re:Surprise? (Score:5, Interesting)
Yes, but an equally useful thing would have simply been a 'Install program' menu item, that, when launched, looks on all removable media for autorun.inf files or whatever, and presents their devices, names, and icons in a little list where you pick one.
Automatically running it was just stupid. You can automate systems but still put a menu item to start the process.
Hell, in some cases, that would result in less steps. We've all had to walk someone through an install progress, and ended up first having to uninstall something else or update a driver and then reboot...at which point, to get autorun to work, they have to eject the damn CD and put it back in.
Re: (Score:3, Funny)
Or, go ahead and have an auto-install process, but don't make it "look for a file on any removable media and run any executable that it references."
Instead, when you insert a disc have the OS's package manager look for an installer file in the proper format, and then the package manager asks the user if they want to install the file. Don't have every software vendor writing their own installers.
Oh, Windows doesn't have a package manager? Well, we should fix that as well. There is no reason that software
Re: (Score:2, Informative)
Actually older versions of Windows did have such a menu item but it was removed in Vista, probably because very few people actually used it. Prior to Vista there was a control panel applet called "Add/Remove Programs". I first encountered it in Windows 9
Re: (Score:2)
You're implying that tech support for people who've been infected by a virus is easier...?
Re:Surprise? (Score:4, Insightful)
While I agree with you, this is unfortunately not the way the world works. It was more profitable to insist that everyone needs computers and that they are easy to use and require no training or knowledge and would just work.
So now we've got a few people who can't and never would be able to manage that who have computers and use them daily. Then we have a bunch more people who could manage that, except marketing (and even some IT pros that seem to give advice based on what would be ideal rather than what actually is) has told them that it just works and they don't need to have a clue what's actually happening or how to do anything because it will all just happen for them. So now, even though they could learn how it works and how to do things, they don't and are convinced they shouldn't have to and get upset when something doesn't just work, trouble and risk free.
The best solution, of course, would be to get it through to people that computers are actually not simple and are very complex and require some level of understanding and research to use effectively and safely. That's a lot easier said than done, though, since no one wants to hear our opinion on the situation. The ones that do want to hear it likely don't need us to tell them.
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Antivirus programs are a band-aid at best. Try running a few of the viruses that appear in your inbox every day*, it usually takes about a week for the antivirus vendors to catch up and detect them, if ever.
* Preferably in a virtual machine...
What do you mean nobody? (Score:2)
Re: (Score:3, Interesting)
heh. oddly enough... [thedailywtf.com]
Re:No, really? (Score:5, Informative)
I don't remember any worms spreading automatically via serial port. It would have been difficult, because there weren't many peripherals that had internal storage space and connected via RS-232, and computers connected with a null-modem cable typically had to run some custom software for file transfer.
I do, however, remember a lot of worms spreading via floppy disks. Boot sector viruses were especially common in the DOS days. If you left a floppy in the drive, the BIOS would try to boot from it the next time you turned your computer on. It was quite common for a worm to install itself on the boot sector of any inserted floppy so that when you booted from that floppy it installed itself on the hard drive and then printed a 'please eject floppy and reboot' type error. You'd eject the floppy and reboot, and the machine would start normally, only now you'd be infected.
Since USB drives have replaced floppy disks for offline file transfer, it's not surprising that this is a common attack vector.
Re: (Score:3, Funny)
Well ... modems used to connect over the serial port. I seem to remember a few viruses that spread that way.
Re: (Score:2, Funny)
Remind me (Score:2)
I shouldn't be plugging the dog or the cat into the USB port.
Re: (Score:2)
Were there any worms spread using a serial port?
Yeah. There were a few back during the early 90's that would transfer themselves via serial link cables if you had two machines connected. The worm would actively scan for active transfer connections of any kind, then copy itself. USB meh, nothing really new. USB is the floppy disk of today, and a lot of virii, trojans, and worms were spread by floppy in the not too distant past.
Re: (Score:2)
Re:No, really? (Score:4, Insightful)
As someone already pointed out, it's faster for large data transfers, but I don't think that's a majority of the problem. It's mostly just convenience. Let's say I have a presentation to give to your company. It's the same presentation I give to every company that has shown an interest in my product. I could e-mail each and every company a copy of my presentation before I show up (and hope that the person I e-mailed it to remembers to put it on the presentation machine), or I can carry it on a thumb drive. Or maybe I was working on the presentation on the flight, and didn't have Internet access to send it to you. Or I'm a tech support guy who carries a bunch of diagnostic tools around with me. There's a ton of reasons why people carry these things around, speed not a huge factor for most of them.
Big surprise (Score:3, Interesting)
Re:Big surprise (Score:5, Insightful)
How is this a "new" attack vector?
Microsoft has had auto-run on things like CDs and USB drives for years, and you usually need to turn it off. Otherwise, it would happily run any old shit you plug in without even asking.
When I plug my iPad into my Vista box, the auto-run dialog comes up and asks me if I want to either download pictures or open it like a file storage. There is no "do nothing" option, which I find kind of amusing, since I've usually turned off auto-run for everything.
I'm not even remotely surprised that USB is a popular attack vector -- they're the new floppies. Microsoft has defaulted to "easy" mode (run everything), which also happens to be the most trusting and dangerous mode you could get. I think this was kind of inevitable.
Re: (Score:3, Insightful)
>There is no "do nothing" option, which I find kind of amusing, since I've usually turned off auto-run for everything.
That's not what people call autorun, especially in the context of USB viruses. Autorun means when the OS just launches the .exe listed in the autorun.inf file automatically. That's how this stuff spreads. Vista and 7 no longer support this and throw a "What would you like to do" screen, which is fine by me.
Re: (Score:3, Informative)
Er. The last version of Windows that "ran everything" was XP. Just because the dialog comes up in Vista or 7 does NOT mean that the actual autorun application is being executed. The dialog you see is for user convenience, and still has a link to the autorun application, but does not do it on its own anymore. When you plug your iPad in, the "do nothing" is the X button in the corner. Nothing happens besides that dialog coming up. It would be nice if it offered iTunes in the list, though.
Re: (Score:2)
That is good to know. I had explicitly gone in and turned all of it off, but I still see Windows try to respond to the new device, never sure how much to trust it.
Re: (Score:2)
Re: (Score:2)
iTunes has a check box option to open automatically when an iDevice is plugged in, and it will, but you'll still get the dialog box. It's kinda weird. When I plug in my phone I get both iTunes and the dialog. It's a tad annoying, but I can't find any way to make the dialog stop coming up. I believe the check box is in the general tab for the device itself (so you could set it up so that your tablet always opened iTunes, but your phone didn't, for instance).
Re: (Score:3, Informative)
What you're describing isn't autorun, but the XP-and-onwards "hey, there's new storage" prompt. While they're both annoying to some degree, Autorun executed any autorun.inf in the root of the new storage without prompting, making it a useful way of spreading viruses. The prompt you're referring to doesn't.
Re: (Score:2)
There's a more options link/button thing you can click on which brings up another dialog where you can specify the default behavior and one of the options is do nothing.
Re: (Score:2)
Microsoft has defaulted to "easy" mode (run everything), which also happens to be the most trusting and dangerous mode you could get.
So that's why the Easy Button is red...
Re: (Score:3, Insightful)
I've seen the conspiracy theory pre-emptively denied, but this is actually the first time I've seen it asserted.
When I've seen lists of viruses, I've been puzzled that some of them -- a small proportion -- have the annotation that they have been seen "in the wild." Occasionally, I'll see hints that many viruses are only theoretical. Is it the case that the security companies are competing to invent computer viruses, then using those computer viruses, which exist only in their own labs, to inflate the ever-i
Re: (Score:3, Informative)
Or more likely they have their own research labs, and they have white and gray hat hackers who send them exploits that they discover. This allows them to try and stay ahead of the game, instead of reacting to every new virus several hours or days after it's been released by someone malicious. If a white hat sends the AV company the latest virus he's written and the AV company said, "oh, that's vera nice... we'll include it in a definition file if anyone bad ever discovers it" how would you feel?
Some thoughts... (Score:2)
The basic technique used is as follows: Windows uses the Autorun.inf file on these drives or devices to know which action to take whenever they are connected to a computer. This file, which is on the root directory of the device, offers the option to automatically run part of the content on the device when it connects to a computer.
By modifying Autorun.inf with specific commands, cyber-crooks can enable malware stored on the USB drive to run automatically when the device connects to a computer, thus immedia
PS -- a little more googling shows... (Score:5, Informative)
If you're running Windows 7 it appears that you're ok. [samlogic.net] But what took MS so long to fix this gaping hole?
Re: (Score:3, Insightful)
To their credit they did fix it in Vista.
Re:PS -- a little more googling shows... (Score:4, Insightful)
To be fair, I think part of what people hated about Vista was that Microsoft finally implemented some decent security. Users complained about being asked to enter passwords to authorize software installation and the like. Vista was a tremendous resource hog, but it looked to me like Microsoft decided to upgrade security and stability first, then optimized performance later in Windows 7. That's the responsible thing to do, and I think Microsoft got burned for doing the right thing for a change.
Re:PS -- a little more googling shows... (Score:4, Informative)
To their credit, they fixed this in Windows XP.
Yes, XP. Specifically, Windows XP SP2.
It no longer just runs the Autorun program, but instead gives you a dialog that asks what you want to do, with some default choices. The former Autorun command appears at the top of said list.
The only thing Windows 7 did was remove said dialog when you attach non-optical media.
Re: (Score:2)
To their credit, they fixed this in Windows XP.
Yes, XP. Specifically, Windows XP SP2.
So, even after all the problems with boot sector viruses, this default behavior persisted through Windows 95, 98, ME, 2K, and XP.
Re: (Score:2)
Autorun has been off by default since Vista.
Re: (Score:2)
Which doesn't help in the corporate or education sectors, because the powers that be *ABSOLUTELY WILL NOT* switch from XP with IE6.
Re: (Score:2)
Why does MS insist on lax security?
Security increases complexity and it makes IT more difficult to use. The suits bitch and then want to switch to something else that's not so "hard".
Really, MS is just pandering to what corporations want -- software that just works, so that they can hire minimally competent employees and pay them the lowest possible wage without having to hire bothersome "specialists" who question the boss' IT judgment.
"D:\Setup.exe" (Score:2)
Re: (Score:3, Insightful)
Fortunately, this thing called the GUI that was introduced to the world in 1984 solved most of those problems.
No need to search for the disk.
Searching for something to run is pretty straightforward.
Knowing what a program looks like in a GUI will probably be declared a "burden" by some. However, you can't completely abdicate responsibility for a sophisticated tool without severe consequences.
Sooner or later, something like Email Phishing will require the end user to plug their brain back in.
Re: (Score:2)
Re: (Score:2)
A decent OS would have made it easy to do.
If it's not easy to do in Windows then it's a problem with the design of Windows. Why can't windows detect a 'software installation' CD (or USB stick) and say "Do you want to install program XXX from the CD?".
Autorun was a dismal idea, the current system isn't any better (the annoying/confusing popup dialog which asks you what to do).
Re: (Score:2)
That could have been solved with an OS prompt which said something like, eg. "Do you want to install program XXX from the CD you just inserted?"
Simply running whatever code is on the USB drive is braindead. There were viruses at least 15 years before Windows XP, anybody with half a brain should have been able to see what was coming.
Still, this is the company which gave us autorun emails ... USB is a minor peccadillo compared to that.
I could never get it to work (Score:2)
First order of business (Score:2)
First thing I do with any USB ...
Create a directory called "autorun.inf", then attrib +R +S +H +A on it.
I've found this pretty effective, as unless the virus is running with admin privileges, it can't overwrite the directory with a file of the same name.
Also, it's easy to detect if you *do* later contract a virus, as you can verify if the autorun.inf is a directory or a file from DOS before clicking on the options popup.
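The file-versus-directory check described in the comment above, as an added example that is not part of the original thread: a Python script (usable from a Linux box as well) that inspects a volume root, reports whether `autorun.inf` is still the guard directory, and, if it is a file, lists the `[autorun]` entries that would start a program. The sample file contents and paths are constructed for the demo; `open`, `shellexecute` and `shell\<verb>\command` are the autorun.inf keys that name a command.

```python
"""Audit a volume root for autorun.inf: guard directory, or a file that launches code."""
import os
import stat
import tempfile

MAX_BYTES = 64 * 1024  # read cap; a legitimate autorun.inf is a few hundred bytes
EXEC_KEYS = ("open", "shellexecute")  # [autorun] keys that name a program to start

# Constructed sample for the demo; the file names are placeholders.
SAMPLE_INF = r"""; constructed sample
[AutoRun]
Open = tools\setup.exe
Icon = tools\app.ico
Shell\Open\Command = tools\setup.exe
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section only; keys are lowercased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Keep only the entries that ask Windows to start a program."""
    return {k: v for k, v in entries.items()
            if k in EXEC_KEYS
            or (k.startswith("shell\\") and k.endswith("\\command"))}


def audit_volume(root):
    """Classify <root>/autorun.inf; the name is matched case-insensitively,
    as FAT and NTFS would resolve it."""
    matches = [n for n in os.listdir(root) if n.lower() == "autorun.inf"]
    if not matches:
        return {"state": "absent", "commands": {}}
    path = os.path.join(root, matches[0])
    mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
    if stat.S_ISDIR(mode):
        return {"state": "directory", "commands": {}}  # guard still in place
    if not stat.S_ISREG(mode):
        return {"state": "other", "commands": {}}
    with open(path, "rb") as fh:
        data = fh.read(MAX_BYTES)
    # autorun.inf may be ANSI or UTF-16 with a byte-order mark
    utf16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = data.decode("utf-16" if utf16 else "latin-1", errors="replace")
    return {"state": "file", "commands": launch_commands(parse_autorun(text))}


def demo():
    """Build two constructed volume roots: one with the guard directory,
    one where a file named AUTORUN.INF sits in its place."""
    with tempfile.TemporaryDirectory() as guarded, \
            tempfile.TemporaryDirectory() as replaced:
        os.mkdir(os.path.join(guarded, "autorun.inf"))
        inf = os.path.join(replaced, "AUTORUN.INF")
        with open(inf, "w", encoding="latin-1") as fh:
            fh.write(SAMPLE_INF)
        return audit_volume(guarded), audit_volume(replaced)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A `file` result with a non-empty `commands` map on a drive that was given the guard directory means the directory was removed or replaced, which is the signal the comment describes checking for by hand.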
Re: (Score:2)
It's pretty much a given that viruses have admin privileges - how would they infect a machine if they didn't?
Re: (Score:2)
Sadly, some of the users have disabled UAC or simply say "Yes" whenever prompted because they don't fully understand what is being asked of them.
I fear that in some of these cases, users explicitly grant the virus escalated privileges.
Re: (Score:2)
or simply say "Yes" whenever prompted
yeah, stupid users. When the dialog pops up saying "Smiley central wants to install stuff, is this ok?", they say "yes" because they actually want loads of stupid smileys.
Now, if the popup said "there's a virus, are you sure you want to install this", then they might take more notice, but until then, user-installed nasties are not going to go away.
Floppies all over again (Score:2)
15 years ago it was floppies. I worked then at a Government installation that was found to be massively infected - by floppies. Same vector, different medium.
X2 on the autorun (Score:2)
Seriously, why are people so silly to leave this on.
In my company so many PCs were infected this way, with folks passing around USB keys. I think I was the only one who had autorun off and scanned every time anything USB is plugged in.
Hell, we even infected our customers because of that crap.
Re: (Score:2)
Seriously, why are people so silly to leave this on.
Because Microsoft make it insanely difficult to turn off? From what I remember on XP, I had to change it in the control panel, edit some registry variables and then run another program from the command line to tell it that yes, I really, really did want it disabled.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Be realistic here. Most users don't know what the registry is, let alone how to edit it. This is a viable solution for corporate desktops, but it's hardly "easy" in the sense that it's something I'd think to do after I first installed my machine at home (or more likely got it home preinstalled). It's not much of a problem now of course, SP2 to XP disabled this feature and neither Vista nor 7 have it, but until XP SP2 it was a difficult thing for a normal home user to disable.
Re: (Score:2)
Off the top of my head, a buffer overflow in the code that reads and displays embedded icons would be a juicy target, along with the file system parsing code.
Presumably the current Windows Explorer 'load DLLs from the current directory' exploit would be enough... put an image or video file on the disk and a DLL which will be loaded when that directory is viewed, and the user (and possibly the entire PC) is owned even without autorun.
USB and floppies verboten (Score:2)
My former company banned both. When you inserted a floppy, the computer refused to read it. And when a USB was inserted, security showed up to scan your PC.
It was also impossible to install any software, unless it was a simple *.exe program that sat on your desktop. Anything as elaborate as firefox was impossible to install.
Re: (Score:2)
Right click and save from a web-page?
there is nothing new under the sun (Score:4, Funny)
Re: (Score:2)
It's much more difficult to do that on a usb jump drive.
When USB drives started to appear (back in the day of 64MB and 128MB being a "woah factor"), they would usually include a small switch that you could use to allow or prevent writing to the disk. I've *never* heard of anyone using it.
Low tech (Score:2)
News flash (Score:2)
Autorun is completely evil. You're an idiot if you don't disable it as soon as you unbox your computer. That is all.
Re: (Score:2)
I can't even blame end users for that one.
Microsoft has consistently opted to ignore security in favor of ease of shooting yourself in the foot. I lay the blame squarely at their feet for deciding to essentially run anything that they encounter and hope that it isn't malicious.
As much as we don't like to, to a lot of people the computer is an appliance. They're just not fully aware of all of
Re: (Score:2)
That's why I'd like to see some product liability for Microsoft so long as they insist on selling Windows to the clueless on the basis of its "ease of use". Either accept liability for any damages caused by security vulnerabiliti
Re: (Score:2)
Or upgrade to Vista. Vista! Vista (and 7) do not autorun applications by default.
Hardware write protection (few, but they exist) (Score:3, Interesting)
There are still a few USB drives out there with hardware write protect switches, but they're hard to find and you'll probably have to order online. I have what may at this point be the best listing available at http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/ [fencepost.net], culled from a variety of searches, message boards, and one German computer magazine (c't) which has its own listing.
In the US, the most likely drives to find in stores if you're looking are a couple of Imation models (Pivot and Clip), plus lingering supplies of the older Swivel models (the swivel isn't all that sturdy, pockets will beat it up over time). I've not seen these widely in stores, but you may find the Clip in college bookstores - I suspect that's their target for the style.
Re: (Score:2)
I call it a write protect switch.
I carry my utils, patches and SW on a Kanguru FlashBlu 2 16GB USB drive to fix people's PCs.
You never know what crap they have on there.
An infected PC could modify one (or more) EXEs on an ordinary USB drive. Autorun disabled or not
Industrial Espionage (Score:2)
I once heard that the easiest way to conduct industrial espionage was to make a virus that would make a back door to the security systems, load it onto a USB thumb drive, casually walk to the outside smoking area of the company building you wish to infect, have a smoke, covertly drop the USB thumb drive somewhere in the area. For extra points, take a generic thumb drive and put the company logo on the side for authenticity. 10$ says some idiot will pick it up and plug it into his system when he gets back to
Re: (Score:2)
Advice:
"Don't eat surprise food you find on the ground unless it's a strawberry and was growing there."
"Don't plug in surprise computer media you find on the ground unless you have autoplay turned off."
-FL
Re: (Score:2)
You don't even need to do that, just drop a few of them around the car park...
Re: (Score:2)
One of the Federal agencies got hit by this several years back. A group scattered infected drives around in the parking lot of a Federal Building and at least one person picked one up and infected the network. Another group tried it at DoJ, but failed because the employees turned the drives in. (See? Sometimes user education DOES work.)
Re: (Score:2)
Pfft whatever.
The people working at DoJ probably didn't know what the magic sticks were or couldn't figure out where to stick them, so just gave them to security... :)
How to disable Autorun in Windows. . . (Score:3, Informative)
Autorun is one of Microsoft's more frustrating contributions to the world.
But what is still more idiotic, is how user-unfriendly the path is to shutting it off. Microsoft's very own page on the issue...
http://support.microsoft.com/kb/967715 [microsoft.com]
-FL
Again no word of Microsoft or Windows (Score:4, Interesting)
It's 25 percent of new Windows worms. Approximately 48 percent of Windows SMBs (with up to 1,000 computers) admit to having been infected by some type of malware over the last year. Linux and MacOS SMBs are still save and will be save.
I would say Dell was right:
"6) Ubuntu is safer than Microsoft Windows: The vast majority of viruses and spyware written by hackers are not designed to target and attack Linux." from http://www.theregister.co.uk/2010/06/14/dell_ubuntu_windows_security/ [theregister.co.uk]
Re: (Score:2)
Re: (Score:2)
That's Insightful, it shouldn't be Interesting because other than MSFT fantards the intelligent expectation of Windows is that it is as fucked up as a concrete bicycle.
Windows is not secure in common use, cannot be made secure in common use, and running it with the expectation that it won't be exploited is as smart as using a cutting torch in your lap.
"Wah, my 'Doze is broken!"
Don't run a shit OS, and don't respond to those who remind you not to run a shit OS as if that statement is a troll.
Re: (Score:2)
Yes, and spending your entire life in a Sensory Deprivation Tank is probably "saver" than being a bullfighter. Your point is ?
Gotta be picky, it's Thursday after all... (Score:2)
Actually that's evidence, not proof.
48 percent of SMBs? (Score:2)
SMB [wikipedia.org]s? Huh? Does that even make sense?
But does it run on Linux??! (Score:2)
How is this "news for nerds"? Do real nerds still run Windows?
Re: (Score:2)
No, but I'm guessing that most of us are the "IT guy/girl" for someone else who is.
Re: (Score:2)
Auto run is not everything (Score:2)
Certainly auto run is an issue here, but the bigger issue is that typically these drives may have installation files and write access.
Unlike program files or the various write protected folders on Linux these guys will be wide open.
If I've already gotten malware on your box and I see a nice little fully writeable USB key or external drive I'm going to look for an .exe or other executable to infect. Hell maybe even write a .JPEG, .PDF, .SWF, or any other non exe that could have an attack depending on what box i
I smell a PR firm at work. (Score:2)
Horsesh*t. I do PM / UX at a website whose users are SMBs. Most of my life is spent talking to SMB owners: interviewing them, usability testing with them, dealing wit
number of viruses != number of infections (Score:2)
Re: (Score:2)
There's not been much point in doing it until now - it was too easy to infect machines without it.
I expect all new viruses from now on will include USB as standard (as well as all the other vectors).
Re: (Score:2)
it's raining out. worms are spreading via Undulating Slimy Bodies.
Re:I thought USB devices were safe (Score:5, Insightful)
Good News: Assuming a certain level of competence where the windows machines formatting the drives in China were not recycled from somewhere else, had their hard drives given a clean wipe, and weren't hooked up to the Internet and used to browse Pr0n on lunch break, then yes drives in the blister pack are secure.
Bad News: It's highly dangerous to assume a certain level of competence.
Moral Of The Story: When you buy a flash drive, immediately format it and bypass any "value-added gravy" the manufacturer tries to shove down your throat.
Re: (Score:2)
Virus scan on a Linux box? Huh? What am I missing here?
Re: (Score:2)
Virus scan on a Linux box? Huh? What am I missing here?
You can use ClamAV [clamav.net] on OSX or Linux. In case you get a USB drive that you might have to connect to a Windows PC at some point. No use being a carrier.
Re: (Score:2)
Ah, good thinking. Thank you for that.
Re: (Score:2)
You could sue for negligence, as they have technically failed in their duty of care upon your telling them. Won't get much, but it could be enough to pay for a PC repair service with backup option - few hundred bucks at least.
Re: (Score:2)
Actually, 25% doesn't sound made up at all. They tested four USB drives.