Visitors to the Consumer Electronics Show in Las Vegas this week might want to forgo freebie flash drives, or at least use them with caution. The SANS Internet Storm Center has published several anecdotal reports indicating that computer peripherals like USB flash drives and consumer electronics products like digital picture frames have been found infested with malware.
While a few reports of infectious devices hardly constitute an epidemic, the issue is being taken seriously by security researchers. "USB flash drives are everywhere these days," observed former Microsoft security researcher and author Jesper M. Johansson in an article in the January edition of Microsoft TechNet magazine. "At almost every conference, some vendor is giving them away like candy. Those drives may not have a lot of capacity, but you don't need a lot of storage space to take over an entire network... The technical details of the attack are actually quite simple. It all starts with an infected USB flash drive being inserted into a single computer. What happens then depends on the payload on that drive and, of course, how gullible the user is."
Given the ongoing success of cyber attacks that rely on social engineering, it appears that gullibility is everywhere these days, too.
In mid-December, Kaspersky Lab senior virus analyst Aleks Gostev penned a blog post describing his experience with an infectious Compact Flash card for his digital camera. "We've already written more than once about viruses and worms which spread via removable storage media by launching automatically from autorun.inf," he said. "A number of users have also come across this type of malicious program. There are also a number of cases where hard disks, flash drives, MP3 players, and other devices were already infected with malware when shipped by the manufacturers."
In a report on the evolution of malware last year, Kaspersky Lab noted that in the first half of 2007, "so-called classic viruses demonstrated the most growth among all malware (+237%)," an increase attributed to the "highly widespread method of using flash drives to spread viruses." One example is Worm.Win32.Skipi.a, a Skype worm spotted in September 2007 that attempts to spread through Skype and by copying itself to attached flash drives.
Some of the anecdotal reports published by SANS speculate that the malware infections were made possible by poor manufacturer quality controls. Others suggest the malware might have been installed in retail outlets as a result of poor inventory oversight. And some suggest that malicious software may be installed post-sale, on purchased products that are then returned to store shelves, as a prank or a malicious attack.
"We have heard of USB drives being used," said Kevin Haley, director of Symantec Security Response, in an e-mail. "They have been used for targeted attacks. And they have been used for 'commercials' for the spyware/trackware software the purchaser then attaches to the PC they want to spy on. They are not practical for mass attacks (you have to buy, prep, and distribute the drives). We don't believe it's a significant trend. It's not cost effective."
The bigger fear, said Haley, would be that a manufacturer might unwittingly put malware on a device of some sort.
That appears to be just what happened to the maker of the Victory LT-200 MP3 player, according to a blog post published on Friday by Kaspersky Lab researcher Roel Schouwenberg. The manufacturer "told us they were aware that a few months ago there was a partially infected batch of these MP3 players, and that they'd taken steps to fix the problem," he said.
"Whether it's a picture frame, a digital camera, or any USB, CF, SD, etc. memory card, the portable nature of these devices dredges up memories of all the floppy boot viruses we used to have to deal with," said David Goldsmith of the SANS Internet Storm Center in a recent blog post. "Care should be taken when attaching storage devices to your computer to ensure you scan them for possible malware and handle them in as secure a fashion as is possible."