Sunday, November 23, 2008

Please disable Autorun asap!

Posted on 6:31 AM by Unknown


We see an increase in USB-based malware attacks lately - see here and here for more info.
Unfortunately, in the last few weeks, I have seen many cases where the enabled Autorun feature caused A LOT of problems afterwards. This means that many are not aware of the dangers yet.
For example, some scenarios I have seen in the last couple of weeks are:

* Computer gets infected with Win32/Sality.NAR (NOD32 detection). This is a polymorphic file infector which searches local and network drives for files with the .exe extension and infects them by adding a new section that contains the virus code.
It also copies itself into the root folders of removable drives using a random filename and creates an autorun.inf file to make sure it runs whenever the drive is inserted into another computer. It also disables most AV scanners by terminating their services/processes, disables Task Manager, disables Regedit and much more to prevent it from being detected or disinfected.
In this case, the user had a USB flash drive and used it to transfer removal tools etc. in order to remove this infection, since no scanners would work. What happened was, since this virus also spreads via removable media, his USB flash drive became infected, with the result that his other computer was infected as well!

* Computer gets infected with W32/AutoRun-OY - this one also spreads via removable drives. This computer is used at home and every user has their own account: mom, dad, son and daughter. Son loves to play games, but also loves to download games + cracks via illegal resources.
And that's how the computer at home gets infected with W32/AutoRun-OY. No detection, since the antivirus application that was installed was only a trial and had already been expired for more than a year. Dad works for a big company and he transfers his database + files from the computer at work to a USB flash drive so he can proceed with his work at home.
The USB flash drive gets infected when he inserts it into the infected computer at home. Since no scanner (because it's outdated) gives an alert and blocks the malware, there's no sign that the computer + flash drive is infected.
Dad goes back to work, inserts the flash drive into his computer at work and... it gets infected as well. No alert, nothing! It appears that the computer at work didn't even have an antivirus installed!! And, worst part of all was... Virut was also present! See here for more info. This is imho a lost case, and especially for business-owned computers, it is irresponsible to clean this up manually. Format and reinstall is the fastest and especially the safest solution here.
So, who is to blame here? Imho, everyone is. The son who is responsible for visiting illegal sites in order to download his games + cracks, plus the fact that the antivirus was outdated, plus the fact that dad uses a USB flash drive containing corporate information and inserts it into the personal computer (see here how to protect your data), plus the fact that the computers at work didn't even have any protection/AV installed.
Anyway, this is so irresponsible, especially when company-owned computers are involved.

* And today, I have another case where someone gets infected with W32/AutoRun-OY, where mom uses a USB flash drive to transfer files to use at work and is already complaining about the fact that there are "problems". This thread is still in progress and I really hope this isn't a lost case.

No wonder the Military bans disks and USB drives

This appears to be a common problem nowadays - that's why it is so important to prevent the spread of similar infections by disabling Autorun.

To disable autorun, please read the following tutorials:

http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/ (applies to XP Pro, since XP Home has no gpedit.msc present)
http://www.engadget.com/2004/06/29/how-to-tuesday-disable-autorun-on-windows/ (applies to XP Home; the same can be used for XP Pro)
http://www.howtogeek.com/howto/windows-vista/disable-autoplay-in-windows-vista/ (applies to Vista)

Some malware removal tools already disable Autorun by default. Don't complain about this. This is an extra security measure and you should have it disabled. If you really want to enable this again - then it's your own responsibility. Don't complain afterwards if you get infected and are responsible for infecting a lot of other computers as well.

Update: Extra instructions to disable autorun (by US CERT) can be found here.
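As an added example (not part of the original post, and not taken from any of the linked tutorials), the script below does the same job as those tutorials from an elevated PowerShell prompt, and also checks whether a removable drive already carries an autorun.inf of the kind the Sality and AutoRun-OY cases above drop. The registry value names (NoDriveTypeAutoRun, HonorAutorunSetting) and the Autorun.inf IniFileMapping entry are the documented Windows settings that the US-CERT instructions rely on; the function names are this example's own. The autorun.inf file is only read and reported, never executed.

```powershell
# Added example: audit and harden Windows AutoRun handling, then inspect removable
# drives for autorun.inf files. Run from an elevated PowerShell prompt.
# Function names are this example's own; registry paths/values are the documented ones.

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutorunStatus {
    # Reads the current policy values; an empty field means "not set" (Windows default applies).
    $p = Get-ItemProperty -Path $policyKey  -ErrorAction SilentlyContinue
    $m = Get-ItemProperty -Path $mappingKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun  = $p.NoDriveTypeAutoRun
        HonorAutorunSetting = $p.HonorAutorunSetting
        IniFileMappingSet   = ($null -ne $m -and $m.'(default)' -eq '@SYS:DoesNotExist')
    }
}

function Disable-Autorun {
    # 0xFF disables AutoRun for every drive type (removable, fixed, network, CD-ROM, RAM disk).
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun  -Value 0xFF -Type DWord
    # HonorAutorunSetting = 1 makes XP/2003 (with the KB953252 update) respect the value above.
    Set-ItemProperty -Path $policyKey -Name HonorAutorunSetting -Value 1    -Type DWord
    # US-CERT workaround: map autorun.inf to a key that does not exist, so Windows
    # ignores the file's contents even where the policy value is not honoured.
    if (-not (Test-Path $mappingKey)) { New-Item -Path $mappingKey -Force | Out-Null }
    Set-ItemProperty -Path $mappingKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Find-AutorunInf {
    # Lists autorun.inf files in the root of removable drives (DriveType 2) and shows
    # which program each one points at, so a suspicious stick can be spotted before
    # it is plugged into the next computer. The file is read as text, never run.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $inf = "$($_.DeviceID)\autorun.inf"
        if (Test-Path $inf) {
            $content = Get-Content $inf -ErrorAction SilentlyContinue
            $launch  = $content | Where-Object {
                $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*='
            }
            [pscustomobject]@{
                Drive    = $_.DeviceID
                File     = $inf
                Hidden   = ((Get-Item $inf -Force).Attributes -band 'Hidden') -ne 0
                Launches = ($launch -join '; ')
            }
        }
    }
}

# Usage: show the state before and after hardening, then scan any inserted sticks.
Get-AutorunStatus
Disable-Autorun
Get-AutorunStatus
Find-AutorunInf | Format-Table -AutoSize
```

A reboot (or at least a log-off) is needed before Explorer picks up the new policy. The scan only covers removable drives that are plugged in when it runs; a hidden autorun.inf whose open= line points at a randomly named .exe in the drive root is the pattern described above, and such a stick should be cleaned from a known-good machine rather than used to carry removal tools around.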
Posted in Prevention
