Symantec: Increase in USB-Based Malware Attacks
Symantec is currently observing an increase in malicious applications that use USB flash drive devices as a propagation method.
At the moment, there are two popular methods that malicious applications use to infect USB flash drives:
Simple file copy method
With this method, a malicious application installed on an infected computer simply copies itself to every storage device attached to that computer: network shares, local drives, and removable media such as USB flash drives. Usually it will also attempt to copy itself into peer-to-peer (P2P) file-sharing shared folders, so that the copy is offered for download under an attractive name.
AutoRun.inf modification method
With this infection method, the malicious application modifies or creates an autorun.inf file on all of the network shares, local drives, and removable media (including USB flash drives) that are connected to the computer, with the file's open= or shellexecute= directive pointing at the copy of the malicious application on that drive. When an infected USB flash drive is inserted into another computer, the copy is executed automatically. Under a default configuration of Windows, this infection method does not require any interaction from the victim other than physically attaching the media to the computer. Even where AutoRun itself is off, an autorun.inf that Explorer still honours can redirect the drive's double-click and context-menu actions to the same file, so simply opening the drive to look at it runs the code.
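The following PowerShell is an added example written for this summary; it is not code from the Symantec alert. It parses an autorun.inf the way Explorer treats it (as an INI file, keeping only the [autorun] section) and reports the directives that cause execution, then repeats the check on every removable drive currently attached. The sample autorun.inf and the RECYCLER\setup.exe path in it are constructed for illustration, not taken from a real specimen.

```powershell
# Added example, not part of the Symantec alert: triage autorun.inf files on attached
# removable drives and list the directives that cause code execution on insertion.
# Assumes Windows PowerShell 5.1 or later. The sample autorun.inf below is constructed
# for illustration (RECYCLER\setup.exe is a made-up path, not a real specimen).

function Get-AutorunDirectives {
    param([Parameter(Mandatory)][string]$Path)

    # autorun.inf is an INI file. Malware pads it with junk sections, mixed case and NUL
    # bytes to defeat naive string matching, so parse it section by section and keep
    # only the keys from the [autorun] section, normalised to lower case.
    $inSection  = $false
    $directives = @{}
    foreach ($raw in (Get-Content -LiteralPath $Path -ErrorAction Stop)) {
        $line = ($raw -replace "`0", '').Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1].Trim() -eq 'autorun')   # -eq is case-insensitive
            continue
        }
        if ($inSection -and $line -match '^([^=]+)=(.*)$') {
            $directives[$Matches[1].Trim().ToLowerInvariant()] = $Matches[2].Trim()
        }
    }
    return $directives
}

function Test-SuspiciousAutorun {
    param([Parameter(Mandatory)][hashtable]$Directives)

    $findings = @()
    foreach ($key in $Directives.Keys) {
        $value = $Directives[$key]
        if ($key -in @('open', 'shellexecute') -or $key -match '^shell\\[^\\]+\\command$') {
            # 'open' and 'shellexecute' run a program on insertion (AutoRun) or when the
            # AutoPlay default action is chosen; 'shell\<verb>\command' hijacks the drive's
            # double-click and context-menu actions in Explorer even without AutoRun.
            $findings += "executes: $key=$value"
        }
        elseif ($key -in @('action', 'label')) {
            # These only change what the AutoPlay dialog shows; malware uses them to
            # mimic the legitimate "Open folder to view files" entry.
            $findings += "dialog text: $key=$value"
        }
    }
    return $findings
}

function Find-AutorunOnRemovableDrives {
    # Win32_LogicalDisk DriveType 2 = removable disk.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $inf = "$($_.DeviceID)\autorun.inf"
        if (Test-Path -LiteralPath $inf) {
            [pscustomobject]@{
                Drive    = $_.DeviceID
                Findings = (Test-SuspiciousAutorun -Directives (Get-AutorunDirectives -Path $inf)) -join '; '
            }
        }
    }
}

# Constructed sample in the style of in-the-wild infections (not a real specimen).
$sample = @'
[AutoRun]
open=RECYCLER\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shellexecute=RECYCLER\setup.exe
shell\Open\Command=RECYCLER\setup.exe
'@
$tmp = Join-Path $env:TEMP 'autorun-sample.inf'
Set-Content -LiteralPath $tmp -Value $sample
Test-SuspiciousAutorun -Directives (Get-AutorunDirectives -Path $tmp)
Remove-Item -LiteralPath $tmp

# Then look at every removable drive that is currently attached.
Find-AutorunOnRemovableDrives
```

Run it from a clean analysis host rather than the suspect machine, and treat any "executes:" finding that points at a file on the drive itself (rather than at a system path) as an infected stick: a legitimate autorun.inf for a flash drive normally carries only an icon= or label= entry.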
How to mitigate this threat
There are many policy- and configuration-based mitigations that can be used to adequately limit the propagation of these threats. Network administrators are advised to:
• Ensure that antivirus software is configured to scan all removable media when it is connected to a computer.
• Disable AutoRun functionality for removable media. On a managed network this is done centrally, either through the endpoint security product or with Group Policy (the "Turn off AutoPlay" setting, which writes the NoDriveTypeAutoRun policy value); for personal computers, there are many detailed tutorials on how to set the same value in the registry. Holding down the SHIFT key while inserting a USB flash drive only suppresses AutoRun for that one insertion and is no substitute for the policy setting.
• If removable drives are not required, endpoint security systems can distribute policies to prevent removable media from being recognized.
• Make user education a priority, so that network users understand these threats and know that an unknown or shared USB flash drive should not be plugged into a company computer.
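As an added example for the second and third mitigations above (not code from the Symantec alert), the following PowerShell shows the weak state beside the hardened one on a single Windows host: it reads the current AutoRun policy, sets the values Microsoft documents in KB 967715 ("How to disable the Autorun functionality in Windows"), and, for hosts that never need removable disks, disables the USB mass-storage class driver so the media is not mounted at all. It assumes an elevated PowerShell prompt; on a domain, the same settings should be pushed with Group Policy (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies > Turn off AutoPlay) rather than set per machine.

```powershell
# Added example, not part of the Symantec alert: check and harden the AutoRun policy on
# one Windows host from an elevated PowerShell prompt. Assumptions: the registry values
# are the ones documented in Microsoft KB 967715; on a domain use the equivalent GPO
# ("Turn off AutoPlay") instead of editing hosts one by one.

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled;
    # bit 2 (0x04) is DRIVE_REMOVABLE, which is what USB flash drives report.
    $p    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $mask = if ($null -ne $p -and $null -ne $p.NoDriveTypeAutoRun) { [int]$p.NoDriveTypeAutoRun } else { $null }
    [pscustomobject]@{
        NoDriveTypeAutoRun  = if ($null -ne $mask) { '0x{0:X2}' -f $mask } else { '(not set: Windows default applies)' }
        HonorAutorunSetting = $p.HonorAutorunSetting
        RemovableAutoRunOff = ($null -ne $mask) -and (($mask -band 0x04) -ne 0)
        AllAutoRunOff       = ($null -ne $mask) -and (($mask -band 0xFF) -eq 0xFF)
    }
}

function Disable-Autorun {
    # 0xFF sets the bit for every drive type, so autorun.inf is ignored everywhere,
    # CD-ROMs included. HonorAutorunSetting = 1 is required for the updated Explorer
    # shipped with KB 967715 to honour NoDriveTypeAutoRun on removable media.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun  -Type DWord -Value 0xFF
    Set-ItemProperty -Path $policyKey -Name HonorAutorunSetting -Type DWord -Value 1
    Get-AutorunPolicy
}

function Disable-UsbStorage {
    # Stronger control for hosts that never need removable disks: Start = 4 (disabled)
    # stops the USB mass-storage class driver from loading, so the drive is never
    # mounted. Start = 3 (manual) restores it. Keyboards and mice are not affected.
    Set-ItemProperty -Path $usbstorKey -Name Start -Type DWord -Value 4
    Get-ItemProperty -Path $usbstorKey -Name Start
}

'Before:'; Get-AutorunPolicy
'After:';  Disable-Autorun
# Uncomment on hosts where removable disks are not required at all:
# Disable-UsbStorage
```

Both Get-AutorunPolicy flags should read True after the change; if HonorAutorunSetting stays empty on an older machine, the Explorer update from KB 967715 has not been installed and NoDriveTypeAutoRun alone will not protect removable drives. Re-run the check after the next reboot, since some endpoint products reset these values.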
Source/full report: Symantec Security Intel Analysis Team
This alert is a summary of the Symantec alert; I advise you to read the full report.
Smokey