More than I bargained for
My girlfriend recently bought an mp3 player through eBay. The slim 8GB player, dubbed "MP3 Player" by the no-name brand vendor, reminded me of some other well known player – I… I… I just can’t remember the name. But, since it was offered at half the price of an iPod, we thought that it wasn’t such a bad deal and ordered it. Last week it was finally delivered and while checking it out I connected it through USB to my laptop. A moment later my Norton Internet Security informed me that the removable device was infected with Backdoor.Graybird. Using a hidden autorun.inf file the back door tried to infect the PC the player was connected to – if the user was careless enough to open the drive unprotected. ;-) Not that I believed that we would no longer see any Backdoor.Graybirds after the farewell from the authors.
Nor did I believe that everyone would learn from the mistakes other manufacturers suffered in similar cases (see previous Symantec blogs: "Playing on a blog near you." and "Would you like a virus with that?"). I guess we have to face it: more and more USB devices will become infected by malware in the future. Some unintentionally during careless manufacturing, and others deliberately infected by the attackers.
There are just too many ways to prepare USB drives to autorun and infect machines. Some attacks rely heavily on social engineering, such as the method of adding an extra “open with” menu entry as shown in the screenshot here:

If the user doesn’t notice the extra menu entry, he or she will run the malware instead of opening the drive. So, be wary of any unknown USB device that you plug in your machine; in fact, you should always be vigilant with any new device that you use.
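
To check a removable drive for the trick described above before opening it, here is an added Python example (not from the original post or any Symantec tool) that audits the text of an autorun.inf and flags autorun commands and extra context-menu entries whose label imitates a built-in item. The function name, the `BUILTIN_LABELS` list and the sample file are assumptions constructed for illustration.

```python
import re

EXEC_KEYS = {"open", "shellexecute"}  # keys that run a program when the drive is opened
VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.I)   # shell\<verb>\command=<program>
VERB_TEXT = re.compile(r"^shell\\([^\\]+)$", re.I)           # shell\<verb>=<menu label>
# Assumed list of menu labels a user expects to see on a drive; extend as needed.
BUILTIN_LABELS = {"open", "explore", "open with", "search"}

def audit_autorun(text):
    """Return (severity, message) findings for the body of an autorun.inf file."""
    findings, section, labels, commands = [], None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cmd, txt = VERB_CMD.match(key), VERB_TEXT.match(key)
        if key.lower() in EXEC_KEYS:
            findings.append(("high", f"{key} runs {value!r} when the drive is opened"))
        elif cmd:
            commands[cmd.group(1).lower()] = value
        elif txt:
            labels[txt.group(1).lower()] = value
    for verb, command in commands.items():
        label = labels.get(verb, verb)
        plain = label.replace("&", "").strip().lower()  # drop the accelerator marker
        if plain in BUILTIN_LABELS:
            findings.append(("high", f"menu entry {label!r} mimics a built-in item but runs {command!r}"))
        else:
            findings.append(("medium", f"extra menu entry {label!r} runs {command!r}"))
    return findings

# Constructed sample; PLACEHOLDER.exe stands in for any program on the drive.
SAMPLE = r"""[autorun]
open=PLACEHOLDER.exe
shell\view=&Open
shell\view\command=PLACEHOLDER.exe
"""

if __name__ == "__main__":
    for severity, message in audit_autorun(SAMPLE):
        print(f"[{severity}] {message}")
```

Read the file's text without letting the shell open the drive, for example from a command prompt or on a system with AutoRun disabled, and pass it to `audit_autorun`.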