
Infected USB Devices on the Rise


You can plug lots of handy items into your computer's USB port, from mobile storage devices to printers. If you're not careful, you can also plug in a piece of malware. That threat is growing rapidly: One USB-borne piece of malware known as INF/Autorun has been at the top of the threat charts two months in a row.

USB-equipped devices are a convenience, particularly to mobile workers, but they are also a growing threat because of the way computers inherently trust them, according to Randy Abrams, director of technical education at ESET, a maker of security software. "When you plug a USB device into a computer, in order to make the consumer experience better and easier, Microsoft [operating systems] will automatically run programs," he told us. "It should start the install automatically so the customer doesn't have to know anything to get the program installed."

That's a danger, he said, because the autorun feature is "completely blind" to the programs it runs. "So I can put bad programs on CDs and USB devices, and as soon as you plug them in, it's going to automatically install that bad software."

Feature or Vulnerability?

The autorun feature may be a convenience for customers, but for security experts it's anathema, Abrams said. "Microsoft's own security experts say that autorun is a bad thing," and he should know -- he worked for the Redmond giant for a dozen years, nearly half of them spent making sure that the company didn't release any infected software.

"I'm not a Microsoft hater, but this is just a completely insane feature," he said. "It's like the customers are in a hockey game, and what Microsoft has done is remove the customer's offensive line and defensive line. The customer is like the goalie, so Microsoft has taken off the goalie's safety equipment, put extra pucks on the ice, and told the opposing team to have fun."

Abrams cited a litany of USB-related infections, old and new. McDonald's in Japan gave away malware-ridden MP3 players. Global companies sold infected picture frames, GPS systems, and video iPods. Just a week ago, HP shipped infected USB keys with its ProLiant servers. "Autorun is an easy way to exploit a system vulnerability because it's not going to be patched, since Microsoft calls it a feature," he said.

Few Mitigation Measures

It's easy to assume that the malware-laden devices were infected deliberately but, as Abrams joked, "Never blame on malice that which is easily explained by incompetence." He said that as manufacturing systems increasingly are connected to the Internet, formerly isolated computers now can get infected and then become digital Typhoid Marys.

"If you're making video iPods and you want to take one out of every 20 off the assembly line and plug it into a PC to test it, if that PC has been on the Internet and has been infected, it can transfer that infection to the iPod," Abrams said. "Ironically, the few units you do quality control on are the only ones that are infected."

Abrams said that mitigating the risks of INF/Autorun and its ilk won't be easy. High-quality antivirus software that's kept up to date will help. Another measure is to not plug in a USB drive while using administrative privileges, which won't prevent infection, but will decrease the damage an infection can do.

The best bet is to disable autorun, "which Microsoft makes as difficult as possible," he said, forcing users to make several Registry edits. That measure, he said, will give you "a fighting chance" against malware on the USB device.
