USB Auto-Infection

One method of infecting a computer is through the use of AUTORUN.INF on a USB drive. This is a file that contains commands to automatically execute when the device is attached to a computer. If your computer is set to automatically execute that file, that setting can cause problems.

An example is when a USB picture frame device has malware on it, and it automatically runs the malware when the picture frame cable is connected to your computer. This happened last year, and there is some malware out there that will infect your computer. The US military has banned user-owned USB drives for this reason.

Most AV programs should be able to ‘catch’ the attempt at an installation of malware from an infected USB drive, since many of those infections are ‘known’ by a current AV program. You can also do a manual anti-virus scan of USB-attached drives.
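As a complement to an AV scan, here is an added example (not part of the original post): a short Python check that reads a drive's AUTORUN.INF as text, without executing anything, and lists the entries that would start a program. The key names checked (`open`, `shellexecute`, `shell\...\command`) are the standard AUTORUN.INF launch entries; the function names and the sample file contents are constructed for illustration.

```python
# Added example: report AUTORUN.INF entries that would launch a program.
# Nothing on the drive is executed; the file is only read as text.

# Keys in the [autorun] section that start a program when the drive is attached.
LAUNCH_KEYS = {"open", "shellexecute"}

# Constructed sample contents, not taken from a real device.
SAMPLE_AUTORUN = """\
; comment line
[AutoRun]
icon=frame.ico
label=Photo Frame
OPEN = viewer.exe /quiet
shell\\browse\\command=explorer.exe
shell\\browse=Browse photos

[Notes]
open=ignored.exe
"""

def find_launch_entries(text):
    """Return (key, command) pairs from the [autorun] section that start a program."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        is_shell_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if value and (key in LAUNCH_KEYS or is_shell_cmd):
            findings.append((key, value))
    return findings

def read_autorun(path):
    """Read AUTORUN.INF from disk; handles a UTF-16 BOM, replaces undecodable bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    encoding = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return data.decode(encoding, errors="replace")

if __name__ == "__main__":
    for key, cmd in find_launch_entries(SAMPLE_AUTORUN):
        print(f"launch entry: {key} -> {cmd}")
```

An empty result means the file only sets cosmetic items such as the icon or label; any launch entry on a drive you did not prepare yourself is a reason to scan it before opening anything on it.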

You should be aware that there are more than just the USB “thumb drives” that might be a risk. There were many reports this year about infected devices such as photo frames that attach to your computer via USB. Those photo frames are a popular gifting item during the holidays.

Passing around infected USB thumb drives is an effective way to penetrate business systems. Some penetration testers have done that as part of their ‘war games’ against a business by dropping some infected USB thumb drives in the business parking lot or entrance area. (Of course, those war games were done with the permission of the business. You’d want to be careful about doing that yourself.)

It is an effective social engineering way to get into a system: most people will plug the USB drive into their system out of curiosity.

There is a setting on your computer to disable auto-run via your Local Security Policy. On a Windows XP system: use Start, Run, GPEDIT.msc. Then click down to “Computer Configuration”, then “Administrative Templates”, then “System”. In the right panel, double-click “Turn off Autoplay”. Click on the “Enabled” button, and use the dropdown in “Turn off Autoplay on” to set it to “All drives”.

On a Vista system: use the “Start” button (the round Windows icon), then type in “autoplay” and press Enter. That should get you to the AutoPlay dialog, which you can also reach through the Control Panel. In that screen, set “Software and Games” to “Take no action”. Also set the “Mixed content” choice to “Take no action”. (You could set “Take no action” on the other choices as well if you want to be very conservative.)

Note that in a corporate/managed system, your network administrators may have already set this for you. If they haven’t, strongly encourage them to do so. This will cause CDs to not auto-play, but that is a small price to pay.
