Symantec is currently observing an increase in malicious applications that use USB flash drive devices as a propagation method. Just as a clarification for any of our readers that are not familiar with the term “USB flash drive,” a USB flash drive is typically a removable portable storage device that uses a USB (universal serial bus) port to interface to a computer. USB ports are part of most modern computers and they are designed to allow many peripherals to be easily connected (plug-and-play) to a computer through a standardized interface. These USB flash drive storage devices are very useful and are becoming fairly ubiquitous in the workplace.
The USB flash drive storage medium is designed to be portable, making it easy to connect to many computers in its lifetime. This, unfortunately, exposes the flash drive to the risk of infection. There are many malicious applications that propagate simply by making a copy of themselves on all drives that are attached to a computer. The portability of the USB device and its small form factor can also make it easy for attackers to plug it into computers that they have limited physical access to, potentially granting them remote access at a later time.
At the moment, there are two popular methods that malicious applications use to infect USB flash drives:
Simple file copy method
With this method, a malicious application that is installed on an infected computer simply makes copies of itself to all storage devices that are attached to the infected computer. A copy of the malicious code will be placed on network shares, local drives, and removable media (such as USB flash drives) that are connected to the computer. Usually the malicious application will also attempt to copy itself to peer-to-peer (P2P) file-sharing shared folders. With this method, the malicious file is often given a sensational filename to lure a victim into launching it, causing the malicious code to be executed. Quite often the file also carries a familiar icon, such as the Microsoft Windows icons for videos and images, to trick unsuspecting victims into thinking that an executable file is a harmless image or video. This infection method requires that the victim manually execute the malicious file on their computer to become infected.
AutoRun.inf modification method
Microsoft Windows and some other operating systems have a functionality that is called “AutoRun” (sometimes also referred to as AutoPlay). AutoRun is designed to perform actions that are executed automatically when removable media is inserted into or removed from a computer.
On Microsoft Windows platforms, “autorun.inf” is the file that contains the instructions for the AutoRun functionality. The autorun.inf file can instruct AutoRun to display a certain icon, add menu commands and, among other things, start an executable.
With this infection method, the malicious application modifies or creates an autorun.inf file on all of the network shares, local drives, and removable media (including USB flash drives) that are connected to the computer. When an infected USB flash drive is inserted into another computer, the copy of the malicious application is automatically executed. Under a default configuration of Windows, this infection method does not require any interaction from the victim other than physically attaching the media to the computer.
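The following Python script is an added example, not code from the Symantec post; it models how a defender would triage the root directory of a removable drive for both propagation methods described above. It parses an autorun.inf file and reports every directive that would make AutoRun launch a program (open, shellexecute, and shell\<verb>\command entries), and it flags files whose executable extension is hidden behind a lure extension such as .jpg or .avi. The directory listing, the autorun.inf contents, the file names and the extension lists are all constructed for the example and are not indicators from the post.

```python
"""Defender-side triage of a removable drive's root directory.

Added example (not from the original post). The drive listing and the
autorun.inf text below are constructed sample data.
"""
import os

# Extensions Windows treats as directly executable (author's selection).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
# Extensions commonly used as the visible "lure" part of a double extension.
LURE_EXTS = {".avi", ".mpg", ".wmv", ".jpg", ".gif", ".png", ".doc", ".txt", ".mp3"}

# Constructed sample: what a scanner might read from the drive root.
SAMPLE_LISTING = [
    "holiday_pics.jpg.exe",   # lure: looks like an image, is an executable
    "report.doc",             # ordinary document
    "setup.exe",              # plainly named executable, not disguised
    "funny_video.avi.scr",    # lure: screensaver executable behind a video name
    "autorun.inf",
]

SAMPLE_AUTORUN = r"""
[AutoRun]
; constructed autorun.inf, paths are placeholders
Open=HIDDEN\update.exe
icon=%SystemRoot%\system32\shell32.dll,4
shell\open\command=HIDDEN\update.exe
shell=open
action=Open folder to view files
"""


def parse_autorun(text):
    """Parse the INI-like autorun.inf format.

    Keys are case-insensitive on Windows, so they are lower-cased here.
    Only the [autorun] section is honoured; comments start with ';'.
    """
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(entries):
    """Return (directive, command) pairs that cause AutoRun to run a program."""
    targets = []
    for key, value in entries.items():
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        )
        if launches:
            targets.append((key, value))
    return targets


def is_disguised_executable(name):
    """True for names like 'holiday_pics.jpg.exe': lure extension, then executable."""
    root, ext = os.path.splitext(name.lower())
    if ext not in EXECUTABLE_EXTS:
        return False
    _, inner = os.path.splitext(root)
    return inner in LURE_EXTS


def triage_drive(listing, autorun_text=None):
    """Collect human-readable findings for a drive root listing and its autorun.inf."""
    findings = []
    for name in listing:
        if is_disguised_executable(name):
            findings.append(f"lure file: {name}")
    if autorun_text is not None:
        for key, value in autorun_launch_targets(parse_autorun(autorun_text)):
            findings.append(f"autorun.inf {key} launches {value}")
    return findings


if __name__ == "__main__":
    for finding in triage_drive(SAMPLE_LISTING, SAMPLE_AUTORUN):
        print(finding)
```

Running the script against the constructed sample reports the two lure files and the two autorun.inf directives that point at an executable; the icon, label and action lines are left alone because they only shape what the AutoPlay dialog shows. On a real drive the listing would come from os.listdir on the mount point and the autorun.inf text from the file itself.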
Increasing trend of drive-infecting malicious code
Symantec has recently observed that both of the above methods are becoming an increasingly popular propagation method for malicious code. We have noticed the following percentage increase in several pieces of malicious code that Symantec antivirus currently blocks:
This trend is substantiated in vol. XIII of the Symantec Internet Security Threat Report (quoted from page 56, Propagation mechanisms subsection of the Malicious Code Trends section):
"In the second half of 2007, 40 percent of malicious code that propagated did so as shared executable files (table 9), a significant increase from 14 percent in the first half of 2007. Shared executable files are the propagation mechanism employed by viruses and some worms that copy themselves to removable media. As stated in the “Malicious code types” section above, the increasing use of USB drives and media players has resulted in a resurgence of malicious code that propagates through this vector.
This vector lost popularity among malicious code authors when the use of floppy disks declined and attackers instead concentrated on other more widely used file transfer mechanisms such as email and shared network drives. However, as use of removable drives has become more widespread, attackers have again begun to employ this propagation technique. Although current removable drives differ from floppy disks, the principle remains the same, enabling attackers to make simple modifications to old propagation techniques."
How to mitigate this threat
There are many policy- and configuration-based mitigations that can be used to adequately limit the propagation of these threats. Network administrators are advised to:
• Disable AutoRun functionality for removable media, which should be possible using endpoint security systems. For personal computers, there are many detailed tutorials on how to disable AutoRun. Also, holding down the SHIFT key while inserting a USB flash drive can temporarily disable AutoRun.
• If removable drives are not required, endpoint security systems can distribute policies to prevent removable media from being recognized.
• Make user education a priority so that network users understand these threats.