Thursday, November 20, 2008

Rootkits, Trojans -- they may 'own' your USB thumbdrive

A topic that I might have brought up before (too lazy to go find it) and which really hit home over this last weekend - USB portable storage devices and current malware are a match made in virus heaven.

Friend of mine called me in a panic - his main computer slowed down so he thought he might clean it up a bit. Made a full backup of his photos and documents to a portable USB drive. Started the cleanup, saw some odd behavior, downloaded an alternate virus scanner trial, found nasty nasty stuff that he could not clean up, rebuilt the OS after formatting the drive -- and started to restore his files from that backup.

Remember that backup? The one he took from what was likely an already infected system? The second he inserted that drive into a USB port - wham! Infected again. That's when he finally called me . . .

Much like the virus infections that spread via 5.25-inch and 3.5-inch diskettes in days of yore, a new generation of backdoor trojans, rootkits, keyloggers, botnet/zombie infections and other malware use USB drives as an infection vector, typically by dropping an autorun.inf onto the drive that names an executable for Windows to launch the moment the drive is inserted.

This is exceptionally nasty for consultants who use USB drives as their portable toolkit. They stick their drive into an infected computer, which infects their portable drive, which in turn infects the very next computer into which they insert said drive if Autoplay is turned on . . .
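To make that chain concrete, here is an added example (not part of the original post, and not the author's toolkit) that does what a scan of a returned thumb drive should do first: read the drive's autorun.inf and list every directive Windows would act on at insertion time, resolving each referenced program against the drive root. It assumes the drive is mounted at a directory path and that the file follows the documented layout (an [autorun] section with open=, shellexecute=, shell\<verb>\command= and shell=<verb>); the sample autorun.inf and the dropped.exe placeholder are constructed for the example, not captured from a real infection.

```python
"""Triage an autorun.inf on a removable drive: list what Windows would run on insertion.

Added example for this post, not the author's tooling. Assumptions: the drive is
mounted at a directory path; the file follows the documented INI layout
([autorun] section with open=, shellexecute=, shell\\<verb>\\command=, shell=<verb>).
"""
import os
import sys
import tempfile
from dataclasses import dataclass

EXEC_KEYS = ("open", "shellexecute")  # directives that launch a program directly


@dataclass
class Finding:
    directive: str   # e.g. "open" or "shell\\explore\\command" (lower-cased)
    raw: str         # value exactly as written in autorun.inf
    target: str      # referenced program resolved against the drive root
    exists: bool     # whether that program is actually present on the drive


def parse_autorun_inf(text: str) -> dict:
    """Parse INI-style text into {section: {key: value}}. Names are lower-cased
    because Windows treats them case-insensitively. Lines that are neither a
    section header nor key=value are skipped, which matters for hostile files
    padded with garbage to confuse scanners."""
    sections, current = {}, None
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def program_of(command: str) -> str:
    """Return the program part of a command line: '"a b.exe" /s' -> 'a b.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(drive_root: str) -> dict:
    """Report every directive in <drive_root>/autorun.inf that would execute code."""
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(path):
        return {"present": False, "default_verb": None, "findings": []}
    with open(path, encoding="utf-8", errors="replace") as fh:
        autorun = parse_autorun_inf(fh.read()).get("autorun", {})
    findings = []
    for key, value in autorun.items():
        launches = key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        program = program_of(value)
        target = os.path.normpath(os.path.join(drive_root, program.replace("\\", os.sep))) if program else ""
        findings.append(Finding(key, value, target, bool(target) and os.path.isfile(target)))
    # "shell=<verb>" makes that verb's command the double-click default in Explorer.
    return {"present": True, "default_verb": autorun.get("shell", "open").lower(), "findings": findings}


# Constructed sample (not a real capture): several directives all pointing at
# one dropped executable, plus a junk line of the kind used to trip parsers.
SAMPLE_AUTORUN_INF = """\
[autorun]
xx garbage line xx
open=RECYCLER\\dropped.exe
shell\\open\\Command="RECYCLER\\dropped.exe" /quiet
shell\\explore\\command=RECYCLER\\dropped.exe
shellexecute=RECYCLER\\dropped.exe
shell=explore
label=My Photos
"""


def build_sample_drive() -> str:
    """Create a throwaway directory laid out like the constructed infected drive."""
    root = tempfile.mkdtemp(prefix="usbdrive_")
    os.makedirs(os.path.join(root, "RECYCLER"))
    with open(os.path.join(root, "RECYCLER", "dropped.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not a real program
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_drive()
    report = triage(root)
    print(f"autorun.inf present: {report['present']}, default verb: {report['default_verb']}")
    for f in report["findings"]:
        print(f"  {f.directive:<22} -> {f.target}  ({'present' if f.exists else 'missing'})")
```

Run it with the mount point of the drive as the only argument (it builds and scans the constructed sample when given none). A directive whose target is missing is still worth noting: a clean-up tool may have deleted the executable but left the autorun.inf behind, and the file itself is the evidence that the drive was touched by an infected machine.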

Solutions do exist though. My personal solution - which I use in my business - is to use USB thumb drives with a Write Protection Switch (a physical slider switch on the side of the drive that sets the drive to read-only mode and cannot be bypassed by software) while in the field. I also keep a full redundant backup of my software toolkit in safe storage. (Not to mention I scan my thumb drives after every client visit.)

So you set the drive to read/write when copying data to it from a safe computer. Switch the thing to read only while using it in other computers.

The only trouble is that if you need to write or save a file to the drive while visiting another computer, you had better make darn sure that a) that other computer is running a current and trustworthy anti-malware suite, b) your own computer at your home or office has Autoplay turned off, and c) afterwards you think very hard before using that drive in any other computer until it has been scanned from a safe location.

The other problem is that finding a USB drive with a physical "Write Protection Switch" is fairly difficult. I've got two different brands in my toolkit now. It took some serious google-fu to locate them and even more effort to find a vendor that sold the models. (Iomega and Kanguru for those curious - the Kanguru is fast and secure, but much more pricey.)

I've said it before, here it is again (and updated for Vista users):

I've often wished that the Autoplay feature were turned off by default in Windows. It would also be nice if there were an easy way to turn it off somewhere in the user settings . . . but it's a tad more complicated.

Autoplay is not really needed anyway; it's annoying when you insert a CD that you just want to browse, and it's been the vector for viruses several times in the past. Just remember that if you turn it off and you insert a CD from which you want to install something, you will need to browse to that CD and find the Setup program manually instead of waiting for the Autoplay setup to start automatically. I like having to start setup manually better anyway; it gives me more control over my system.

To turn Autoplay off, find the heading for your operating system below.


Windows XP Home

1) Create a new TXT file and open it in Notepad.

2) Paste the code below into your new text file.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000FF

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"


3) Save the file, close it in Notepad, and rename the file to end in the ".reg" extension. If Explorer is hiding known file extensions, the rename will leave you with something like noautorun.reg.txt, so either turn extensions back on first or save it from Notepad with the name in quotes ("noautorun.reg") so that .txt is not appended.

4) Double click the REG file to import the setting into your registry. Click OK when it asks if this is something you want to do . . .

5) Reboot and done for Windows XP Home.


Windows XP Professional

1) Click Start, Run and enter GPEDIT.MSC

2) Go to Computer Configuration, Administrative Templates, System.

3) Locate the entry for "Turn Off Autoplay" and Enable it for All Drives.

4) Close the Policy Editor and reboot . . . done for Windows XP Professional! Note that this policy writes the same NoDriveTypeAutoRun value (0xFF for "All drives") as the registry file above but does not set the IniFileMapping\Autorun.inf entry, so apply that part of the XP Home steps as well, and install the update described in the Microsoft KB article linked at the end, which corrects Windows' enforcement of the NoDriveTypeAutoRun setting.


Windows Vista

Note: Be certain you have installed Vista Service Pack 1 and have all the most recent patches before applying this change.

1) Create a new TXT file and open it in Notepad.

2) Paste the code below into your new text file.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000FF

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"


3) Save the file, close it in Notepad, and rename the file to end in the ".reg" extension. As with XP, if Explorer is hiding known file extensions, show them first or save from Notepad with the name in quotes ("noautorun.reg") so you do not end up with a .reg.txt file.

4) Double click the new REG file (or right click it and choose Merge) to import the setting into your registry. Approve the User Account Control prompt, then click Yes when Registry Editor asks if this is something you "really" want to do . . .

5) Reboot and done for Windows Vista!
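The same two-entry .reg file is used in the XP Home and Vista steps above, and it is worth understanding what it does before merging it. NoDriveTypeAutoRun is a bitmask: bit n disables AutoRun for drive type n as returned by GetDriveType() (0x04 removable, 0x20 CD-ROM, and so on; 0xFF covers everything), so a value copied from somewhere else that lacks the 0x04 bit still leaves thumb drives exposed. The IniFileMapping\Autorun.inf entry redirects every read of any autorun.inf to a registry key (@SYS:DoesNotExist) that does not exist, so the file's directives are never acted on regardless of the mask. The following added example (my own, not code from the post) parses a Windows Registry Editor 5.00 file and reports both entries; the post's own .reg text is the input, and the 0x91 variant is a constructed weaker value, not any system's documented default.

```python
"""Audit a Windows Registry Editor 5.00 (.reg) file before merging it.

Added example, not from the original post. It parses the two entries the post's
.reg file sets and decodes the NoDriveTypeAutoRun bitmask using the bit layout
from Microsoft's AutoPlay documentation (bit n = drive type n from GetDriveType()).
"""

DRIVE_TYPE_BITS = {
    0x01: "unknown (DRIVE_UNKNOWN)",
    0x04: "removable (DRIVE_REMOVABLE)",
    0x08: "fixed (DRIVE_FIXED)",
    0x10: "network (DRIVE_REMOTE)",
    0x20: "CD-ROM (DRIVE_CDROM)",
    0x40: "RAM disk (DRIVE_RAMDISK)",
    0x80: "reserved/unknown types",
}
# Key paths and value names are compared lower-cased: the registry is case-insensitive.
EXPLORER_POLICY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer"
AUTORUN_INF_MAP = r"hkey_local_machine\software\microsoft\windows nt\currentversion\inifilemapping\autorun.inf"


def decode_value(value: str):
    """Decode the .reg value syntaxes used here: dword:<hex> and "string"."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        # simple unescape of the two escapes a .reg string can contain
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return value  # hex:, hex(2): and friends are left as written


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}} with names lower-cased; '@' is the default value."""
    keys, current = {}, None
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip()
            keys[current]["@" if name == "@" else name.strip('"').lower()] = decode_value(value)
    return keys


def disabled_drive_types(mask: int) -> list:
    """Human-readable list of the drive types a NoDriveTypeAutoRun mask disables."""
    return [label for bit, label in DRIVE_TYPE_BITS.items() if mask & bit]


def audit_autorun_reg(text: str) -> dict:
    """Summarise what a .reg file does to AutoRun; missing entries count as not set."""
    keys = parse_reg(text)
    mask = keys.get(EXPLORER_POLICY, {}).get("nodrivetypeautorun", 0)
    mapping = keys.get(AUTORUN_INF_MAP, {}).get("@")
    return {
        "mask": mask,
        "disabled": disabled_drive_types(mask),
        "removable_covered": bool(mask & 0x04),
        "all_covered": (mask & 0xFF) == 0xFF,
        "autorun_inf_neutralised": mapping == "@SYS:DoesNotExist",
    }


# The .reg text from the post above, reproduced here as the input for the audit.
POST_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000FF

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
"""

# Constructed weaker variant for comparison: 0x91 = 0x80|0x10|0x01 leaves
# removable, fixed, CD-ROM and RAM-disk drives with AutoRun still enabled.
WEAK_REG = POST_REG.replace("dword:000000FF", "dword:00000091")


if __name__ == "__main__":
    for label, text in (("post's .reg", POST_REG), ("constructed 0x91 variant", WEAK_REG)):
        report = audit_autorun_reg(text)
        print(f"{label}: NoDriveTypeAutoRun=0x{report['mask']:02X}, "
              f"removable covered={report['removable_covered']}, "
              f"all covered={report['all_covered']}, "
              f"autorun.inf neutralised={report['autorun_inf_neutralised']}")
        for item in report["disabled"]:
            print("   disables AutoRun on", item)
```

The same audit can be pointed at an export of the live keys (File > Export in Registry Editor) after the reboot, to confirm that the values actually landed and were not reverted by something else on the machine.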

For more information, see Microsoft's KB article on AutoRun/AutoPlay at http://support.microsoft.com/kb/953252