Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Windows Worms IT

25% of Worms Spread Via USB 190

An anonymous reader writes "In 2010, 25 percent of new worms have been specifically designed to spread through USB storage devices connected to computers, according to PandaLabs. This distribution technique is highly effective. With survey responses from more than 10,470 companies across 20 countries, it was revealed that approximately 48 percent of SMBs (with up to 1,000 computers) admit to having been infected by some type of malware over the last year. As further proof, 27 percent confirmed that the source of the infection was a USB device connected to a computer."
This discussion has been archived. No new comments can be posted.

25% of Worms Spread Via USB

Comments Filter:
  • No, really? (Score:4, Insightful)

    by oodaloop ( 1229816 ) on Thursday August 26, 2010 @09:34AM (#33381046)
    Since pretty much everything is connected with USB these days, is this any kind of surprise? Were there any worms spread using a serial port?
    • Surprise? (Score:5, Insightful)

      by Joce640k ( 829181 ) on Thursday August 26, 2010 @09:37AM (#33381086) Homepage

      It's only going to surprise people who thought nobody would be stupid enough to enable autorun by default in a consumer OS.

      • Re: (Score:2, Insightful)

        by Jedi Alec ( 258881 )

        Honestly, that has been annoying the crap out of me since the very first release of Windows 95. How *anyone* could think that is a good idea continues to baffle me.

        Then again, turning it off for all possible devices and situations is very satisfying :)

        • Re:Surprise? (Score:4, Insightful)

          by Darkness404 ( 1287218 ) on Thursday August 26, 2010 @09:58AM (#33381342)
          Remember the days of DOS and having to try to walk someone through installing something through DOS (with a CLI mind you) and how many people couldn't just type the drive right? Misspelled Install every single time, etc?

          Yeah, autorun might be a security nightmare, but its a lot nicer for anyone who has had to do tech support with clueless users.
          • by oodaloop ( 1229816 ) on Thursday August 26, 2010 @10:08AM (#33381442)
            Oh, whoops! Was I standing on your lawn? Sorry 'bout that.
          • Re: (Score:2, Interesting)

            by Jedi Alec ( 258881 )

            Oh, I do remember the days of DOS. I also remember that anyone too retarded to use a combination of dir and cd almost by definition did not get to touch a computer.

            As for autorun being good for tech-support, I wonder how many calls could have been *prevented* by disabling it. And I've had my share of calls as well, so I know the drill ;-)

            • Indeed, the manual for DOS being larger than the Bible probably didn't hurt either. One of the nice things about Macs at that point in time was that they'd require you to unmount the disk before ejecting it. Granted you did have the paperclip option, but it was generally only used for emergencies.

              Whereas with DOS you had to be somewhat careful about taking disks in and out to avoid filesystem corruption.
            • Oh, I do remember the days of DOS. I also remember that anyone too retarded to use a combination of dir and cd almost by definition did not get to touch a computer.

              Because...computer stores refused to take their money?

              It must have been a nice world you lived in, because in actual reality clueless nublets with enough money and a good enough excuse (usually business-related) had computers long before many hobbyists. That's pretty much the origin of the embittered technical support dude.

              And, from the same wa

          • Re:Surprise? (Score:5, Interesting)

            by DavidTC ( 10147 ) <slas45dxsvadiv.vadiv@NoSpAm.neverbox.com> on Thursday August 26, 2010 @10:48AM (#33381900) Homepage

            Yes, but an equally useful thing would have simply been a 'Install program' menu item, that, when launched, looks on all removable media for autorun.inf files or whatever, and presents their devices, names, and icons in a little list where you pick one.

            Automatically running it was just stupid. You can automate systems but still put a menu item to start the process.

            Hell, in some cases, that would result in less steps. We've all had to walk someone through an install progress, and ended up first having to uninstall something else or update a driver and then reboot...at which point, to get autorun to work, they have to eject the damn CD and put it back in.

            • Re: (Score:3, Funny)

              by Rich0 ( 548339 )

              Or, go ahead and have an auto-install process, but don't make it "look for a file on any removable media and run any executable that it references."

              Instead, when you insert a disc have the OS's package manager look for an installer file in the proper format, and then the package manager asks the user if they want to install the file. Don't have every software vendor writing their own installers.

              Oh, Windows doesn't have a package manager? Well, we should fix that as well. There is no reason that software

            • Re: (Score:2, Informative)

              by wbo ( 1172247 )

              Yes, but an equally useful thing would have simply been a 'Install program' menu item, that, when launched, looks on all removable media for autorun.inf files or whatever, and presents their devices, names, and icons in a little list where you pick one.

              Actually older versions of Windows did have such a menu item but it was removed in Vista, probably because very few people actually used it. Prior to Vista there was a control panel applet called "Add/Remove Programs". I first encountered it in Windows 9

          • You're implying that tech support for people who've been infected by a virus is easier...?

        • Re: (Score:3, Insightful)

          Comment removed based on user account deletion
      • This is precisely why antivirus software gives you the option to automatically scan the drives for viruses every time you insert them.
        • Antivirus programs are a band-aid at best. Try running a few of the viruses that appear in your inbox every day*, it usually takes about a week for the antivirus vendors to catch up and detect them, if ever.

          * Preferably in a virtual machine...

      • Microsoft isn't a nobody and they enabled autopwn, I mean autorun by default.
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Were there any worms spread using a serial port?

      heh. oddly enough... [thedailywtf.com]

    • Re:No, really? (Score:5, Informative)

      by TheRaven64 ( 641858 ) on Thursday August 26, 2010 @10:05AM (#33381404) Journal

      I don't remember any worms spreading automatically via serial port. It would have been difficult, because there weren't many peripherals that had internal storage space and connected via RS-232, and computers connected with a null-modem cable typically had to run some custom software for file transfer.

      I do, however, remember a lot of worms spreading via floppy disks. Boot sector viruses were especially common in the DOS days. If you let a floppy in the drive, the BIOS would try to boot from it the next time you turned your computer on. It was quite common for a worm to install itself on the boot sector of any inserted floppy so that when you booted from that floppy it installed itself on the hard drive and then printed a 'please eject floppy and reboot' type error. You'd eject the floppy and reboot, and the machine would start normally, only now you'd be infected.

      Since USB drives have replaced floppy disks for offline file transfer, it's not surprising that this is a common attack vector.

      • Re: (Score:3, Funny)

        by HiThere ( 15173 )

        Well ... modems used to connect over the serial port. I seem to remember a few viruses that spread that way.

    • Re: (Score:2, Funny)

      by operagost ( 62405 )
      None that I know of, but today's USB drive is yesterday's floppy.
    • I shouldn't be plugging the dog or the cat into the USB port.

    • by Mashiki ( 184564 )

      Were there any worms spread using a serial port?

      Yeah. There were a few back during the early 90's that would transfer themselves via serial link cables if you had two machines connected. The worm would actively scan for active transfer connections of any kind, then copy itself. USB meh, nothing really new. USB is the floppy disk of today, and a lot of virii, trojans, and worms were spread by floppy in the not too distant past.

  • Big surprise (Score:3, Interesting)

    by betterunixthanunix ( 980855 ) on Thursday August 26, 2010 @09:36AM (#33381058)
    Hm, software vendors put enormous effort into preventing attacks over the Internet. Did anyone really think that virus writers were not going to find new attack vectors?
    • Re:Big surprise (Score:5, Insightful)

      by gstoddart ( 321705 ) on Thursday August 26, 2010 @10:04AM (#33381384) Homepage

      Hm, software vendors put enormous effort into preventing attacks over the Internet. Did anyone really think that virus writers were not going to find new attack vectors?

      How is this a "new" attack vector?

      Microsoft has had auto-run on things like CDs and USB drives for years, and you usually need to turn it off. Otherwise, it would happily run any old shit you plug in without even asking.

      When I plug my iPad into my Vista box, the auto-run dialog comes up and asks me if I want to either download pictures or open it like a file storage. There is no "do nothing" option, which I find kind of amusing, since I've usually turned off auto-run for everything.

      I'm not even remotely surprised that USB is a popular attack vector -- they're the new floppies. Microsoft has defaulted to "easy" mode (run everything), which also happens to be the most trusting and dangerous mode you could get. I think this was kind of inevitable.

      • Re: (Score:3, Insightful)

        by gad_zuki! ( 70830 )

        >There is no "do nothing" option, which I find kind of amusing, since I've usually turned off auto-run for everything.

        That's not what people call autorun, especially in the context of USB viruses. Autorun means when the OS just launches the .exe listed in the autorun.inf file automatically. That's how this stuff spreads. Vista and 7 no longer support this and throw a "What would you like to do" screen, which is fine by me.

      • Re: (Score:3, Informative)

        by AndrewNeo ( 979708 )

        Er. The last version of Windows that "ran everything" was XP. Just because the dialog comes up in Vista or 7 does NOT mean that the actual autorun application is being executed. The dialog you see is for user convenience, and still has a link to the autorun application, but does not do it on it's own anymore. When you plug your iPad in, the "do nothing" is the X button in the corner. Nothing happens besides that dialog coming up. It would be nice if it offered iTunes in the list, though.

        • Er. The last version of Windows that "ran everything" was XP. Just because the dialog comes up in Vista or 7 does NOT mean that the actual autorun application is being executed.

          That is good to know. I had explicitly gone in and turned all of it off, but I still see Windows try to respond to the new device, never sure how much to trust it.

          When you plug your iPad in, the "do nothing" is the X button in the corner. Nothing happens besides that dialog coming up. It would be nice if it offered iTunes in the lis

        • Indeed, the main risk there is assuming the exe is still the same as the last time or absentmindedly clicking on it because you're not paying attention.
        • iTunes has a check box option to open automatically when an iDevice is plugged in, and it will, but you'll still get the dialog box. It's kinda weird. When I plug in my phone I get both iTunes and the dialog. It's a tad annoying, but I can't find any way to make the dialog stop coming up. I believe the check box is in the general tab for the device itself (so you could set it up so that your tablet always opened iTunes, but your phone didn't, for instance).

      • Re: (Score:3, Informative)

        by Sockatume ( 732728 )

        What you're describing isn't autorun, but the XP-and-onwards "hey, there's new storage" prompt. While they're both annoying to some degree, Autorun executed any autorun.inf in the root of the new storage without prompting, making it a useful way of spreading viruses. The prompt you're referring to doesn't.

      • When I plug my iPad into my Vista box, the auto-run dialog comes up and asks me if I want to either download pictures or open it like a file storage. There is no "do nothing" option, which I find kind of amusing, since I've usually turned off auto-run for everything.

        There's a more options link/button thing you can click on which brings up another dialog where you can specify the default behavior and one of the options is do nothing.

      • Microsoft has defaulted to "easy" mode (run everything), which also happens to be the most trusting and dangerous mode you could get.

        So that's why the Easy Button is red...

  • The basic technique used is as follows: Windows uses the Autorun.inf file on these drives or devices to know which action to take whenever they are connected to a computer. This file, which is on the root directory of the device, offers the option to automatically run part of the content on the device when it connects to a computer.

    By modifying Autorun.inf with specific commands, cyber-crooks can enable malware stored on the USB drive to run automatically when the device connects to a computer, thus immedia

    • by mcgrew ( 92797 ) * on Thursday August 26, 2010 @09:59AM (#33381350) Homepage Journal

      If you're running Windows 7 it appears that you're ok. [samlogic.net] But what took MS so long to fix this gaping hole?

      • Re: (Score:3, Insightful)

        by AndrewNeo ( 979708 )

        To their credit they did fix it in Vista.

      • by VGPowerlord ( 621254 ) on Thursday August 26, 2010 @10:43AM (#33381852)

        To their credit, they fixed this in Windows XP.

        Yes, XP. Specifically, Windows XP SP2.

        It no longer just runs the Autorun program, but instead gives you a dialog that asks what you want to do, with some default choices. The former Autorun command appears at the top of said list.

        The only thing Windows 7 did was remove said dialog when you attach non-optical media.

        • by sco08y ( 615665 )

          To their credit, they fixed this in Windows XP.

          Yes, XP. Specifically, Windows XP SP2.

          So, even after all the problems with boot sector viruses, this default behavior persisted through Windows 95, 98, ME, 2K, and XP.

    • Autorun has been off by default since Vista.

      • Autorun has been off by default since Vista.

        Which doesn't help in the corporate or education sectors, because the powers that be *ABSOLUTELY WILL NOT* switch from XP with IE6.
    • by swb ( 14022 )

      Why does MS insist on lax security?

      Security increases complexity and it makes IT more difficult to use. The suits bitch and then want to switch to something else that's not so "hard".

      Really, MS is just pandering to what corporations want -- software that just works, so that they can hire minimally competent employees and pay them the lowest possible wage without having to hire bothersome "specialists" who question the boss' IT judgment.

  • Windows has always refused to autorun USB devices for me. CDs I had to stab it repeatedly in the face to get left alone, but USB drives I put considerable effort into and all I got was this stupid pop-up dialog "WHAT DO YOU WANT TO DO? VIEW PICTURES?"
  • First thing I do with any USB ...

    Create a directory called "autorun.inf", then attrib +R +S +H +A on it.

    I've found this pretty effective, as unless the virus is running with admin privileges, it can't overwrite the directory with a file of the same name.

    Also, it's easy to detect if you *do* later contract a virus, as you can verify if the autorun.inf is a directory or a file from DOS before clicking on the options popup.

    • It's pretty much a given that viruses have admin privileges - how would they infect a machine if they didn't?

      • It's pretty much a given that viruses have admin privileges - how would they infect a machine if they didn't?

        Sadly, some of the users have disabled UAC or simply say "Yes" whenever prompted because they don't fully understand what is being asked of them.

        I fear that in some of these cases, users explicitly grant the virus escalated privileges.

        • or simply say "Yes" whenever prompted

          yeah, stupid users. When the dialog pops up saying "Smiley central wants to install stuff, is this ok?", they say "yes" because they actually want loads of stupid smileys.

          Now, if the popup said "there's a virus, are you sure you want to install this", then they might take more notice, but until then, user-installed nasties are not going to go away.

  • 15 years ago it was floppies. I worked then at a Government installation that was found to be massively infected - by floppies. Same vector, different medium.

  • Seriously, why are people so silly to leave this on.

    In my company so many PC were infected this way, with folks passing around USB keys. I think I was the only one who had autorun off and scanned every time anything USB is plugged in.
    Hell, we even infected our customers because of that crap.

    • by 0123456 ( 636235 )

      Seriously, why are people so silly to leave this on.

      Because Microsoft make it insanely difficult to turn off? From what I remember on XP, I had to change it in the control panel, edit some registry variables and then run another program from the command line to tell it that yes, I really, really did want it disabled.

      • And even once you do that, the next service pack, or occasionally the next security update, enables it again. Or, at least, did for me with Windows 2000. I never ran newer Windows versions on my own machine, so hopefully they've fixed that stupidity since.
      • Comment removed based on user account deletion
        • Be realistic here. Most users don't know what the registry is, let alone how to edit it. This is a viable solution for corporate desktops, but it's hardly "easy" in the sense that it's something I'd think to do after I first installed my machine at home (or mor likely got it home preinstalled). It's not much of a problem now of course, SP2 to XP disabled this feature and neither Vista nor 7 have it, but until XP SP2 it was a difficult thing for a normal home user to disable.

  • My former company banned both. When you inserted a floppy, the computer refused to read it. And when a USB was inserted, security showed up to scan your PC.

    It was also impossible to install any software, unless it was a simple *.exe program that sat on your desktop. Anything as elaborate as firefox was impossible to install.

  • by buddyglass ( 925859 ) on Thursday August 26, 2010 @09:51AM (#33381268)
    Way back in the day it was infected floppy disks. Given people now use USB drives like we used to use floppy disks, it only makes sense that malware would (once again) use them as a distribution method.
  • Wasn't Michelangelo (sp?) transmitted via infected floppy disks back in the late '80s/early '90s? SneakerNet will never really die. The media just changes.
  • Autorun is completely evil. You're an idiot if you don't disable it as soon as you unbox your computer. That is all.

    • Autorun is completely evil. You're an idiot if you don't disable it as soon as you unbox your computer. That is all.

      I can't even blame end users for that one.

      Microsoft has consistently opted to ignore security in favor of ease of shooting yourself in the foot. I lay the blame squarely at their feet for deciding to essentially run anything that they encounter and hope that it isn't malicious.

      As much as we don't like to, to a lot of people the computer is an appliance. They're just not fully aware of all of

      • I can't even blame end users for that one.

        Microsoft has consistently opted to ignore security in favor of ease of shooting yourself in the foot. I lay the blame squarely at their feet for deciding to essentially run anything that they encounter and hope that it isn't malicious.

        That's why I'd like to see some product liability for Microsoft so long as they insist on selling Windows to the clueless on the basis of its "ease of use". Either accept liability for any damages caused by security vulnerabiliti

    • Or upgrade to Vista. Vista! Vista (and 7) do not autorun applications by default.

  • by Fencepost ( 107992 ) on Thursday August 26, 2010 @10:07AM (#33381432) Journal

    There are still a few USB drives out there with hardware write protect switches, but they're hard to find and you'll probably have to order online. I have what may at this point be the best listing available at http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/ [fencepost.net], culled from a variety of searches, message boards, and one German computer magazine (c't) which has its own listing.

    In the US, the most likely drives to find in stores if you're looking are a couple of Imation models (Pivot and Clip), plus lingering supplies of the older Swivel models (the swivel isn't all that sturdy, pockets will beat it up over time). I've not seen these widely in stores, but you may find the Clip in college bookstores - I suspect that's their target for the style.

    • I call it a write protect switch.
      I carry my utils, patches and SW on a Kanguru FlashBlu 2 16GB USB drive to fix people's PCs.

      You never know what crap they have on there.
      An infected PC could modify one (or more) EXEs on an ordinary USB drive. Autorun disabled or not

  • I once heard that the easiest way to conduct industrial espionage was to make a virus that would make a back door to the security systems, load it onto a USB thumb drive, casually walk to the outside smoking area of the company building you wish to infect, have a smoke, covertly drop the USB thumb drive somewhere in the area. For extra points, take a generic thumb drive and put the company logo on the side for authenticity. 10$ says some idiot will pick it up and plug it into his system when he gets back to

    • Advice:

      "Don't eat surprise food you find on the ground unless it's a strawberry and was growing there."

      "Don't plug in surprise computer media you find on the ground unless you have autoplay turned off."

      -FL

    • You don't even need to do that, just drop a few of them around the car park...

    • One of the Federal agencies got hit by this several years back. A group scattered infected drives around in the parking lot of a Federal Building and at least one person picked one up and infected the network. Another group tried it at DoJ, but failed because the employees turned the drives in. (See? Sometimes user education DOES work.)

      • Pfft whatever.

        The people working at DoJ probably didn't know what the magic sticks were or couldn't figure out where to stick them, so just gave them to security... :)

  • by Fantastic Lad ( 198284 ) on Thursday August 26, 2010 @10:29AM (#33381704)

    Autorun is one of Microsoft's more frustrating contributions to the world.

    But what is still more idiotic, is how user-unfriendly the path is to shutting it off. Microsoft's very own page on the issue...

    http://support.microsoft.com/kb/967715 [microsoft.com]

    -FL

  • by devent ( 1627873 ) on Thursday August 26, 2010 @10:53AM (#33381968) Homepage
    I posted it already on another news about a Windows bot net. The trojan/usb infection is only on Microsoft Windows. Please mention that. I and people with Macs couldn't care less. So I just post again and again and again:

    It's 25 percent of new Windows worms. Approximately 48 percent of Windows SMBs (with up to 1,000 computers) admit to having been infected by some type of malware over the last year. Linux and MacOS SMBs are still save and will be save.

    I would say Dell was right:

    "6) Ubuntu is safer than Microsoft Windows: The vast majority of viruses and spyware written by hackers are not designed to target and attack Linux." from http://www.theregister.co.uk/2010/06/14/dell_ubuntu_windows_security/ [theregister.co.uk]

    • If I had mod points, I'd mod you up. This absolutely needs to be emphasized. Since Windows is 90% of the desktop computers though, I can see why people forget that. I always find a lot of sys. admins think that I need to install virus software on my mac or linux machine because I need to protect other people from getting infected files from USB discs. Brother, if you choose an OS that implicitly trusts any device that's plugged into it like windows does with autorun, you're the problem, not me. You cha
    • That's Insightful, it shouldn't be Interesting because other then MSFT fantards the intelligent expectation of Windows is that it is as fucked up as a concrete bicycle.

      Windows is not secure in common use, cannot be made secure in common use, and running it with the expectation that it won't be exploited is as smart as using a cutting torch in your lap.

      "Wah, my 'Doze is broken!"

      Don't run a shit OS, and don't respond to those who remind you not to run a shit OS as if that statement is a troll.

    • Yes, and spending your entire life in a Sensory Deprivation Tank is probably "saver" than being a bullfighter. Your point is ?

  • As further proof, 27 percent confirmed that the source of the infection was a USB device connected to a computer.

    Actually that's evidence, not proof.

  • SMB [wikipedia.org]s? Huh? Does that even make sense?

  • Since I run only Linux and Mac, I am concerned that again I am missing all of the fun of dealing with malware.

    How is this "news for nerds"? Do real nerds still run Windows?

    • Do real nerds still run Windows?

      No, but I'm guessing that most of us are the "IT guy/girl" for someone else who is.

      • by mspohr ( 589790 )
        I think you are right. Even if we don't run Windows, we have to deal with those who do and the spam and security breaches that they cause. I work a lot in Africa where Windows malware is pervasive and I am constantly exchanging USB sticks with Windows users. These don't cause me any problems but I will frequently notice "extra" files and directories that get added to the USB stick. I delete these on Linux and this usually works but sometimes these things get passed around a lot and someone gets infected
  • Certainly auto run is an issue here, but the bigger issue that typically these drives may have installation files and write access.

    Unlike program files or the various write protected folders on Linux these guys will be wide open.

    If I've already gotten malware on your box and I see a nice little fully writeable USB key or external drive I'm going to look for an .exe or other executable to infect. Hell maybe even write a .JPEG, .PDF, .SWF, or any other non exe that could have an attack depending on what box i

  • With survey responses from more than 10,470 companies across 20 countries, it was revealed that approximately 48 percent of SMBs (with up to 1,000 computers) admit to having been infected by some type of malware over the last year. As further proof, 27 percent confirmed that the source of the infection was a USB device connected to a computer.

    Horsesh*t. I do PM / UX at a website whose users are SMBs. Most of my life is spent talking to SMB owners: interviewing them, usability testing with them, dealing wit

  • Realize the 25% number is the number of viruses. It does not necessarily mean that 25% of worm infections are caused via USB.

You know you've landed gear-up when it takes full power to taxi.

Working...