Viruses that Spread using an UFD

I live in Indonesia, and somehow… There are a lot of local viruses that use autorun.inf to spread and infect other computers through USB Flash Disks…
Mainly, the viruses modify the registry, disable safe mode, and block AVs… Common techniques, but quite effective… And they spread quickly… 'Coz half of the comp users here are using UFDs but lack security awareness… x_x

Do other countries have problems with viruses that spread using an UFD?
Thx…

Yes, the entire World is hit by this plague. It’s caused by micro$oft’s brain-dead “security”-model.

For more info :
http://wiki.hak5.org/wiki/USB_Switchblade
http://wiki.hak5.org/wiki/USB_Hacksaw

Disabling autorun won’t really help against this, it will just use “shellexecute” instead so when you explore the drive the payload will run.

OK… So, what’s the best way to evade this plague?
Always update antivirus and antimalware, use CFP, and be cautious?

While the USB Switchblade does require a system running Windows 2000, XP, or 2003 logged in with Administrative privileges

It seems the first thing to do is to never log yourself with administrative privileges.

No, the only solution is :
NEVER let anyone insert a flash-drive in your computer.
Most AV’s are useless against this attack for the simple reason that the programs used
are NOT “viruses” but legitimate tools and only a few AV’s flag them as a threat .
HIPS may offer you better protection against this attack than any AV does atm .
It’s the way the tools are combined that turns them into a nasty “infection” .
If somebody succeeds in installing this on your computer you are 100% owned …

I suppose no right-minded person would allow another to plug a usb flash drive or to install whatever CD.

But some traveling professionals do it themselves with their own usb drives, the question now being how to protect yourself from what you write on this drive.

The problem is not only with flash-drives; mp3-players (including iPods),
cameras that are treated by Windows as a disk, etc. can be used to launch this attack.
The only 100% secure solution is to not allow external drives to be mounted at all,
not very “user-friendly” …

That’s ultimately not user-friendly… So, UFD is like a double-edged sword… Tough choice though, to use or not to use it. Btw, does CFP also take this problem into account?

(:WAV) hi fellow indonesian
steps to secure your PC by “expert” (read: spam) :

  1. use CFP3 w/ Defense+ , its HIPS/Defense+ will block every unknown executable
  2. install AV/AS/Anti whatever & do regular update, use only 1 real time scanner each, but you can have on
    demand scanners as much as you like.
  3. love your comp more than your sisters/brothers, never let anyone touch it
  4. buy a “big” (i mean BIG) hammer ;D

oh, read this:
http://www.udaramaya.com/details/2666/Trio_Aplikasi_Keamanan_Gratis_Terbaik

it’s in Indonesian, the article says that there are 3 must-have security softwares if you use MS Windows :

  1. firewall
  2. AV
  3. AS

and he recommends :

  - CFP3 w/Defense+
  - Avira-Antivir
  - Spyware Terminator

(:NRD)
Ganda

(:SPAM) too
How 'bout love your computer more than your girlfriend/wife? (:TNG)
What’s the point of buying a big hammer? To smash your comp’s monitor when it fails you?

Nice to meet you too, Ganda…
Well, I use CFP 2.4 and I’ll wait till CFP 3 reaches its final state…

I also use Avira Antivir and Spybot S&D+BOClean (not ST, though)… I’ll wait till I have 1 GB if I want to use ST…

that’s a long story 88) ;D

duh’, what “final state” ??? it’s final already (:NRD)

oh, yy might wanna try Comodo BOClean as well.

Well, if you use your own UFD or other device on your own computer it shouldn’t be a problem
as long as you are careful about what other computers you use the device on, it could get infected there .
Also, most of these attacks don’t work on a heavily restricted account so if you need other people
to be able to mount external drives on your machine you could set up an account for that purpose .

IMO Defense+ isn’t a very userfriendly solution either and I’m kinda tired of being told to just
use this or that magic software . How many programs do I need to install to prevent programs from running ?
It’s a very backwards way of solving the problem with the ■■■■■■ security on windows IMO …

Hi Gordan, I was just wondering if you knew of any way you could scan a UFD with an AV before allowing it to do any damage to your machine.

I see you say disabling autorun won’t help, it will just use “shellexecute” instead, so is there no way to prevent this other than being careful what you plug into your USB port?

:-TD Matty

Disabling “autorun” will prevent the attack from launching automatically when you insert the drive .
(or you can hold down “Shift” when you insert the drive, that will/should temporarily disable “autorun” )

“shellexecute” happens when you perform the action specified in the autorun.inf file.
Normally, a script-kiddie will make it so that when you “explore” the UFD his payload will run .
So, the trick is to make sure that autorun isn’t allowed to happen and then wait until the AV
has scanned the drive . Don’t explore or click on the drive in “My Computer” or do anything else
until the AV has scanned the drive .
But again, there is no guarantee that the AV will even “realise” something bad is on the UFD …

(:LGH) LOL …I’ll need really loooong hands, or a nice secretary to hold the shift for me (:TNG) , coz I have to go around the desk to insert the drive.

I’ve found some tool (not very new), called “Flash_Disinfector”, on techsupportforum.com but I can’t tell you how good it is or if it works for all UFD types.

Gordon is really right with everything, but especially:

This has been already suggested: USB Removable Media Security Application
https://forums.comodo.com/which_product_do_you_want_comodo_to_develop_next/usb_removable_media_security_application-t14627.0.html
but I’d like to see a similar product by Comodo, updated periodically.

Just hold your shift key down, then tape it in place. Now you’re free to walk around and insert the drive ;D

@ tormod:
Won’t work. It will activate the Windows StickyKeys program…
Anyway, can we add a registry key in the registry that contains permission for USB Drives? I once read about it in a book. But I forgot which book and how to do it.

Well… Putting glue in your USB ports should work :smiley: