USB Thumbdrives & Malware?

Davej

Ok, last night I ended up with a load of malware after downloading a few CPU temperature utilities. Another great waste of time. But this reminded me of a question I have been wondering about -- what methods of infection are used with USB thumbdrives? Am I safe transferring non-executable files between computers via thumbdrive?
 
Paul

Davej said:
Ok, last night I ended up with a load of malware after downloading a few CPU temperature utilities. Another great waste of time. But this reminded me of a question I have been wondering about -- what methods of infection are used with USB thumbdrives? Am I safe transferring non-executable files between computers via thumbdrive?

Something like AutoPlay?

Microsoft, when they updated stuff and made changes, didn't
always lean in the "consistently secure" direction. So there
might still be an exposure, if moving a USB key from an infected
computer to a clean computer. It really depends on whether malware
designs continue to attempt to exploit that or not.

A good AV should step in when there is an opportunity for
something to AutoPlay. Without an AV, you're taking a risk.
Without an AV, you'll have to read those KB articles,
to figure out how to make sure that stuff is all turned
off. It really serves no essential purpose to have AutoPlay.
The user can click on stuff when they want it. Having programs
start by themselves is just stupid. Typically an installer
package is set up that way, so that when media is inserted,
the installer appears on the screen "like magic". Which would
be fine, if malware was prevented from doing that.

Paul
 
Paul

Davej said:
Ok, last night I ended up with a load of malware after downloading a few CPU temperature utilities. Another great waste of time. But this reminded me of a question I have been wondering about -- what methods of infection are used with USB thumbdrives? Am I safe transferring non-executable files between computers via thumbdrive?

Also, when you download something, you have the
option of uploading to VirusTotal.com immediately.
That site hosts around 50 different AV scanners, which
can analyze a file and tell you if there is malware
present. It's not foolproof, because they probably
won't do a good job of labeling PUPs (Potentially
Unwanted Programs) or things like Toolbars. But for
those, AdwCleaner is an after-the-fact solution.

http://www.bleepingcomputer.com/download/adwcleaner/

Paul
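Paul's two replies above name AutoPlay/AutoRun as the USB-specific vector and VirusTotal as the place to check a file. As an added example (not code from any poster or product), here is how a defender would look at a suspect stick from a read-only mount without executing anything on it: parse what autorun.inf would launch and hash the executable-type files so the hashes can be looked up on VirusTotal instead of uploading or running them. The file-extension list and the constructed sample stick are assumptions.

```python
"""Read-only triage of a mounted USB stick (e.g. from a Linux rescue boot): report what
autorun.inf would launch and hash executable-type files so the hashes can be looked up
on VirusTotal without running or uploading anything.  Added example for this thread."""
import configparser
import hashlib
import os
import tempfile
from pathlib import Path

EXEC_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js", ".lnk", ".dll"}  # run directly by Windows
SAMPLE_EXE_BYTES = b"MZ\x90\x00 constructed placeholder"  # stand-in binary: hashed, never run

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def parse_autorun(raw):
    """Launch-related keys from the [autorun] section; section name matched case-insensitively."""
    cp = configparser.RawConfigParser(strict=False)  # no interpolation, tolerates duplicate keys
    try:
        cp.read_string(raw.decode("cp1252", errors="replace"))
    except configparser.Error:
        return {}  # malformed file: nothing to report
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: v.strip() for k, v in cp.items(section)
                    if k in ("open", "shellexecute") or k.startswith("shell")}
    return {}

def triage(mount_point):
    """Walk the stick without executing anything; return autorun targets and file hashes."""
    report = {"autorun": {}, "executables": {}}
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            path = os.path.join(root, name)
            data = Path(path).read_bytes()
            if root == mount_point and name.lower() == "autorun.inf":
                report["autorun"] = parse_autorun(data)
            elif os.path.splitext(name)[1].lower() in EXEC_EXTS:
                rel = os.path.relpath(path, mount_point).replace(os.sep, "/")
                report["executables"][rel] = sha256_hex(data)
    return report

def demo():
    """Constructed sample stick: autorun.inf pointing at a .exe in a subfolder, plus a data file."""
    with tempfile.TemporaryDirectory() as stick:
        Path(stick, "files").mkdir()
        Path(stick, "autorun.inf").write_bytes(b"[AutoRun]\nopen=files\\setup.exe\nicon=drive.ico\n")
        Path(stick, "files", "setup.exe").write_bytes(SAMPLE_EXE_BYTES)
        Path(stick, "notes.txt").write_text("plain data file, not hashed")
        return triage(stick)
```

On a Linux rescue system the stick would be mounted with `-o ro,noexec,nodev,nosuid` before pointing `triage()` at the mount point.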
 
Davej

Paul said:
Also, when you download something, you have the
option of uploading to VirusTotal.com immediately.
That site hosts around 50 different AV scanners, which
can analyze a file and tell you if there is malware
present. It's not foolproof, because they probably
won't do a good job of labeling PUPs (Potentially
Unwanted Programs) or things like Toolbars. But for
those, AdwCleaner is an after-the-fact solution.

http://www.bleepingcomputer.com/download/adwcleaner/

Paul

This is a good website to know, thanks. I am wondering if the right thing to do is to take the suspect USB drive and open it in Linux and then try to use an online scanner to scan it. Another option might be to use VM or VirtualBox.
 
Paul

Davej said:
This is a good website to know, thanks. I am wondering if the right thing to do is to take the suspect USB drive and open it in Linux and then try to use an online scanner to scan it. Another option might be to use VM or VirtualBox.

If you want a benign environment to work in, boot
a Kaspersky rescue CD and scan the USB stick there.
Kaspersky runs Linux, and the malware should not
have any Windows Autoplay opportunities there.
That would be a way to protect your Good PC from damage
while examining the USB flash drive. You could even
use two flash drives, one with KAV on it, the other
being the "suspect" flash drive. As long as the file
systems are mountable, KAV should be able to scan it.

http://support.kaspersky.com/8092

You can, of course, also run that on the PC with the malware.

I was using that CD just yesterday :-( Got a little scare
from a web browser popup, so rebooted the Kaspersky disc
just to make sure there wasn't any "damage". Seems OK.
Whatever was on the website, seems to have modified something
in one of the browser caches, and cleaning every stinking
cache, fixed it up. That browser has a total of four caches,
with two being empty, one being the "regular" cache, and
one being a "startup" cache. And the "startup" cache had
been modified. It was some kind of JavaScript attack.

Paul
 
Davej

Paul said:
If you want a benign environment to work in, boot
a Kaspersky rescue CD and scan the USB stick there.
Kaspersky runs Linux, and the malware should not
have any Windows Autoplay opportunities there.

That would be a way to protect your Good PC from damage
while examining the USB flash drive. You could even
use two flash drives, one with KAV on it, the other
being the "suspect" flash drive. As long as the file
systems are mountable, KAV should be able to scan it.

http://support.kaspersky.com/8092

You can, of course, also run that on the PC with the malware.

I was using that CD just yesterday :-( Got a little scare
from a web browser popup, so rebooted the Kaspersky disc
just to make sure there wasn't any "damage". Seems OK.

Whatever was on the website, seems to have modified something
in one of the browser caches, and cleaning every stinking
cache, fixed it up. That browser has a total of four caches,
with two being empty, one being the "regular" cache, and
one being a "startup" cache. And the "startup" cache had
been modified. It was some kind of JavaScript attack.

Paul

Hmmm... browser cache? File folders? I'm not familiar. Or do you mean the HTML5 local storage?

I gave a Kaspersky CD a try today but at the end of the scan of the USB thumbdrive it got caught in some sort of repeating loop and kept checking the same files over and over. I can't even find those filenames on the thumbdrive. It was a whole long list of Rxxxx.htm names. Strange.
 
Paul

Davej said:
Hmmm... browser cache? File folders? I'm not familiar. Or do you mean the HTML5 local storage?

I gave a Kaspersky CD a try today but at the end of the scan of
the USB thumbdrive it got caught in some sort of repeating loop
and kept checking the same files over and over. I can't even find
those filenames on the thumbdrive. It was a whole long list of
Rxxxx.htm names. Strange.

The cache in question was in SeaMonkey.

C:\Documents and Settings\username\Local Settings\Application Data\Mozilla\SeaMonkey\Profiles\<random>.default
Cache
mozilla-media-cache
OfflineCache
startupCache <--- file in here

It was the last one, that seemed bigger than it should be.
Throwing away the contents caused it to regenerate. The
regenerated file was smaller.

*******

Kaspersky scans archives, such as ZIP, 7Z, RAR or the like.
The path names shown in the display will include the filenames
coming out of the archive. It's too bad that damn display wasn't
wider, so the whole pathname could be seen. They could
even have used a two line display, like show the ZIP name on one
line, and the currently scanned file inside the ZIP in a second line.
Just so the user would know it was "stuck in an archive".

Kaspersky is protected against archive bombs (intentional efforts
to feed a logically too-large archive, into the scanner). But when
it deals with real archives, it can become overwhelmed. I've had
the scanner spend hours and hours, with an archive with about
60,000 files zipped in it. If you know there are archives like
that on the media, really big archives, it might be better
to move them somewhere for safe keeping.

If you really needed to scan a large archive, but didn't want
Kaspersky rescue scanner "going exponential", you could unzip
your archive into a separate partition, and just let it dine
on the separate files.

I've actually had Kaspersky scanner *crash* on a too-large
ZIP, so I've moved those to my data disk. Now, when C: needs
to be scanned, it takes a lot less time. I'm down to anywhere
from ten to twenty minutes for C:. When the time goes higher
than that, it's time to houseclean C: again :)

And whatever was hiding in my startupCache, Kaspersky didn't
notice. It didn't flag the file. I guess browser hijackers
aren't high on their list.

Paul
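Paul's point above is that it is not only archive bombs that hurt: a real archive with tens of thousands of members can keep the rescue scanner busy for hours or crash it, and his fix is to move such archives aside or unpack them onto a separate partition first. As an added example (not Kaspersky's code, and with arbitrary thresholds chosen here), this reads only a ZIP's central directory, without extracting anything, and flags archives worth handling that way before a scan: too many members, too much declared data, a compression ratio typical of a bomb, or nested archives.

```python
"""Pre-flight check of ZIP archives before handing a disk to a rescue scanner: read the
central directory only (nothing is extracted) and flag archives whose member count,
declared size, compression ratio or nesting would bog down or crash the scan.
Added example for this thread, not from any AV product; thresholds are assumptions."""
import io
import zipfile

MAX_ENTRIES = 10_000       # above this, unpack to a separate partition and scan the files
MAX_RATIO = 100.0          # declared/compressed ratio typical of an archive bomb
MAX_TOTAL = 4 * 1024 ** 3  # 4 GiB of declared uncompressed data
NESTED_EXTS = (".zip", ".7z", ".rar", ".gz", ".tar")

def inspect_zip(fileobj):
    """Summarize an archive from its central directory and return the findings."""
    with zipfile.ZipFile(fileobj) as zf:
        infos = zf.infolist()
        declared = sum(i.file_size for i in infos)      # sizes as declared in the headers
        stored = sum(i.compress_size for i in infos)
        nested = [i.filename for i in infos if i.filename.lower().endswith(NESTED_EXTS)]
    ratio = declared / stored if stored else (float("inf") if declared else 0.0)
    flags = []
    if len(infos) > MAX_ENTRIES:
        flags.append("too-many-entries")
    if declared > MAX_TOTAL:
        flags.append("too-large")
    if ratio > MAX_RATIO:
        flags.append("suspicious-ratio")
    if nested:
        flags.append("nested-archives")   # scanner will recurse into these
    return {"entries": len(infos), "declared": declared, "stored": stored,
            "ratio": round(ratio, 1), "nested": nested, "flags": flags}

def build_sample(n_entries, entry_size, nested=False):
    """Construct an in-memory ZIP of n identical, highly compressible members (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(n_entries):
            zf.writestr(f"file{i}.txt", b"\0" * entry_size)
        if nested:
            zf.writestr("inner.zip", b"PK\x05\x06" + b"\0" * 18)  # empty inner archive
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(inspect_zip(build_sample(3, 10)))
    print(inspect_zip(build_sample(2, 1024 * 1024)))
```

Run it over each archive on the media (open the file in binary mode and pass it to `inspect_zip`) and move or unpack whatever comes back flagged before starting the scan.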
 
Davej

No safer (or unsafe) than using any other method of transferring files.
Network, USB stick, DVD, CD, ZIP disk, floppy or tape, it's all the same.
An infection is generated by executed code. The type of media plays no
part.

No, the problem is that I need to research how to turn off autorun and autoplay.

http://www.redmondpie.com/how-to-disable-autorun-autoplay-in-windows-7-and-windows-8/

The problem with CNET is that it now produces a loader file. You download and scan the loader file and there is nothing there. You execute the loader file and it downloads and installs a pile of crap.
 
