Symantec is currently observing an increase in malicious applications that use USB flash drives as a propagation method. For readers who are not familiar with the term “USB flash drive,” it is a removable portable storage device that connects to a computer through a USB (Universal Serial Bus) port. USB ports are part of most modern computers and are designed to let many peripherals be connected easily (plug-and-play) through a standardized interface. USB flash drive storage devices are very useful and are becoming fairly ubiquitous in the workplace.
The USB flash drive storage medium is designed to be portable, so it is typically connected to many computers over its lifetime. This, unfortunately, exposes the flash drive to the risk of infection: many malicious applications propagate simply by copying themselves to every drive attached to a computer. The portability and small form factor of the USB device also make it easy for an attacker with only limited physical access to plug it into a computer, potentially granting them remote access at a later time.
At the moment, there are two popular methods that malicious applications use to infect USB flash drives:
Simple file copy method
With this method, a malicious application installed on an infected computer simply copies itself to all storage devices attached to that computer: network shares, local drives, and removable media such as USB flash drives. Usually the malicious application will also attempt to copy itself into peer-to-peer (P2P) file-sharing shared folders. The copied file is often given a sensational filename to lure a victim into launching it, and it frequently carries a familiar file icon (such as the Microsoft Windows icons for videos and images) so that an executable looks like a harmless image or video. This infection method requires that the victim manually execute the malicious file on their computer to become infected.
AutoRun.inf modification method
Microsoft Windows and some other operating systems have a feature called “AutoRun” (sometimes also referred to as Autoplay). AutoRun is designed to perform actions automatically when removable media is inserted into or removed from a computer.
On Microsoft Windows platforms, “autorun.inf” is the file that contains instructions for the AutoRun functionality. The autorun.inf file can instruct AutoRun to use a certain icon, add menu commands and, among other things, start an executable.
With this infection method, the malicious application modifies or creates an autorun.inf file on all of the network shares, local drives, and removable media (including USB flash drives) that are connected to the computer. When an infected USB flash drive is inserted into another computer, the copy of the malicious application is automatically executed. Under a default configuration of Windows, this infection method does not require any interaction from the victim other than physically attaching the media to the computer.
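As an added example (not code from the original post or from Symantec), both infection methods described above can be checked for from the defender's side on a removable drive: parse the drive's autorun.inf for directives that launch a program, and flag files whose executable extension hides behind a media or document extension. The autorun.inf content and the directory listing are constructed samples, and the file names in them are hypothetical.

```python
# Directives in [autorun] that launch a program when the drive is inserted
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs"}
LURE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".avi", ".mpg", ".wmv", ".mp3", ".doc", ".pdf", ".txt"}

# Constructed sample autorun.inf and root listing of one removable drive (hypothetical, not from a real case)
SAMPLE_AUTORUN = r"""[autorun]
icon=backup\update.exe,0
label=Backup Drive
open=backup\update.exe
shell\open\command=backup\update.exe
"""
SAMPLE_LISTING = ["autorun.inf", "Holiday_Photos.jpg.exe", "report.pdf", "funny_video.avi.scr", "notes.txt"]


def parse_autorun(text: str) -> dict:
    """Return the key=value directives of the [autorun] section with keys lowercased."""
    directives, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives

def autorun_findings(text: str) -> list:
    """List every directive that would run a file: open=, shellexecute= and shell\\<verb>\\command=."""
    found = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append(f"{key}={value}")
    return found

def disguised_executables(filenames: list) -> list:
    """Flag names like photo.jpg.exe: an executable extension hidden behind a media/document one."""
    flagged = []
    for name in filenames:
        parts = name.lower().rsplit(".", 2)
        if len(parts) == 3 and "." + parts[2] in EXEC_EXTS and "." + parts[1] in LURE_EXTS:
            flagged.append(name)
    return flagged
```

Disabling AutoRun for removable drives removes the second infection path entirely, but the lure-file check still matters because the simple file copy method only needs the victim to double-click.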
Increasing trend of drive-infecting malicious code
Symantec has recently observed that both of the above methods are becoming increasingly popular propagation methods for malicious code. We have noticed the following percentage increase in several pieces of malicious code that Symantec antivirus currently blocks:
This trend is substantiated in vol. XIII of the Symantec Internet Security Threat Report (quoted from page 56, Propagation mechanisms subsection of the Malicious Code Trends section):
“In the second half of 2007, 40 percent of malicious code that propagated did so as shared executable files (table 9), a significant increase from 14 percent in the first half of 2007. Shared executable files are the propagation mechanism employed by viruses and some worms that copy themselves to removable media. As stated in the “Malicious code types” section above, the increasing use of USB drives and media players has resulted in a resurgence of malicious code that propagates through this vector. This vector lost popularity among malicious code authors when the use of floppy disks declined and attackers instead concentrated on other more widely used file transfer mechanisms such as email and shared network drives. However, as use of removable drives has become more widespread, attackers have again begun to employ this propagation technique. Although current removable drives differ from floppy disks, the principle remains the same, enabling attackers to make simple modifications to old propagation techniques.”