
USB Devices Can Infect Your Computer...Even After Formatting


19 replies to this topic

#1 buddy215


Posted 08 August 2014 - 11:32 AM

BBC News - USB devices can secretly infect computers, researchers say

 

.........latest research demonstrated a new level of threat - where a USB device that appears completely empty can still contain malware, even when formatted.

The vulnerability can be used to hide attacks in any kind of USB-connected device - such as a smartphone..........

 

More info in linked article

 

Mike McLaughlin, a security researcher from First Base Technologies, said the threat should be taken seriously.

"USB is ubiquitous across all devices," he told the BBC.

"It comes down to the same old saying - don't plug things in that you don't trust.".........            


Edited by buddy215, 08 August 2014 - 12:01 PM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” - Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


 


#2 Victor2K


Posted 08 August 2014 - 02:02 PM

This makes me think to find something to keep my USB away from trouble, but which software can deliver protection in a trustable way?



#3 NickAu


Posted 08 August 2014 - 06:59 PM

 

but which software can deliver protection in a trustable way?

 

There is a prog called Ariad made by Didier Stevens that may meet your needs.

 

http://blog.didierstevens.com/programs/ariad/



#4 eq2675


Posted 08 August 2014 - 09:54 PM

For years I've always placed a hidden / read-only zero-byte autorun.inf file on my keyring flash drive, as it's used in possibly 100s of PCs. Please post any workarounds to prevent this exploitation.



#5 rp88


Posted 09 August 2014 - 08:54 AM

It seems one is safe to use one's own USB drives for backups, but keep them in your sight at all times or under physical lock and key.


Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, Intel i3 processors, Windows 8.1 installed on the hard drive and Linux Mint 17.3 MATE installed to USB

#6 Elise


Posted 09 August 2014 - 12:07 PM

It's good to realize that this threat doesn't result from malicious autorun files (type worm); the problem is that the firmware can be modified. This has two advantages: hard to detect (only the consequences/payload is visible in Windows, but not the actual malicious code, as it's located on the device's internal chip). And it's hard to remove, the only way being flashing correct firmware to the device.

Read also: http://www.wired.com/2014/07/usb-security

This doesn't mean that all of a sudden your USB mass storage devices you've been using for years can't be trusted anymore. But now that this vulnerability is known, it can (and very likely will) be exploited by those with bad intentions. Hence the warning: if you don't know the source, don't trust it. USB firmware can be modified by an attacker to exhibit malicious behavior. While this may at one point be done remotely, at this point I suspect said attacker will still need physical access to the device one way or another (in other words, you can't get a USB's firmware infected by using a drive-by download or infected website or some other common infection vector).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#7 saluqi


Posted 10 August 2014 - 10:48 PM

From the comments on the link you provided, I gather there is some disagreement about whether and to what extent the firmware on a typical "thumb drive" can be modified.  I don't know enough about thumb-drive hardware, or the way in which the firmware operates, to judge the merits of the various comments.

 

We all learned years ago to disable the "autorun" function; I gather that is now done automatically in the newer OS versions (it was a Windows update quite some years ago).

 

Of course I am wondering if I am safe.  I have a half dozen or so flash drives.  I have two computers at home and three in the office.  Nobody else has physical access to my computers at home.  At the office I am the sole user of the two laptops (one very old and about to be retired).  The office desktop is used by my secretary (7 years on the job, very trustworthy) and occasionally by one other staff member to process payments in the secretary's absence.  He is relatively new (2 years) but I've known his family for years (his father was the pastor of a local church) and I'd say he is also trustworthy.  This is a very small town and one does get to know who is reliable and who is not <G>.

 

Anyway there is one thumb drive I use frequently for sneakernet between the new office laptop and the desktop, and rarely also to transfer extra backup copies of office files I keep on an external hard drive attached to one of my home computers.  Attached, that is, when I am uploading or downloading files, not at other times.  One 32 GB flash drive holds the factory-restore files for the office laptop (that drive resides in a fireproof office safe and of course is never used for anything else) and another (residing permanently in my desk drawer at home, I can't yet afford a safe) serves the same function for my home laptop.

 

None of those thumb drives has ever been connected to an "outside" computer ... except the sneakernet one, which has downloaded files to the computers of our respected auditors in their offices on, I think, two occasions.  The files downloaded were QuickBooks backup files.

 

Question arising, is this still safe, or do I need to dedicate a new (and cheap) flash drive to the auditors, to be discarded after each use (once a year, normally)?

 

Thanks,


Edited by saluqi, 10 August 2014 - 10:48 PM.


#8 Elise


Posted 11 August 2014 - 02:40 AM

Question arising, is this still safe, or do I need to dedicate a new (and cheap) flash drive to the auditors, to be discarded after each use (once a year, normally)?

 

My take on it: it's still safe, this vulnerability is proof-of-concept, no malicious exploits have yet been seen, so if you had those devices and nobody had significant physical access to them once this was published, you should be fine. :)


regards, Elise


#9 TsVk!


Posted 11 August 2014 - 08:22 AM

Manufacturers might even take the step of making the firmware hard coded (read only). Well, with how little a flash chip costs these days it is a totally logical step to avoid a totally avoidable vulnerability... when was the last time you updated your USB flash drive firmware anyway?



#10 Frozwire


Posted 12 August 2014 - 11:10 PM

An average user might not even have any idea what firmware has to do with flash drive storage.


"Encryption...is a powerful defensive weapon for free people. It offers a technical guarantee of privacy, regardless of who is running the government... It's hard to think of a more powerful, less dangerous tool for liberty..." - Esther Dyson


#11 cat1092


Posted 13 August 2014 - 12:14 AM

It seems one is safe to use one's own USB drives for backups, but keep them in your sight at all times or under physical lock and key.

That's how I store mine, mainly to prevent theft, however this also prevents unauthorized use or modification of files. 

 

Four are TrueCrypt protected, some of the others have their own password lock built in & a couple that I use for diagnosing & cleaning others' computers. These are the ones that concern me & are never attached to my main computers to prevent contamination, rather I use my 10 year old notebook to format these as needed & download fresh tools to use later (or copy back from the Downloads folder).

 

Being that one is used solely for the disinfection of computers, I format after this with the USB Stick Format option of Linux Mint after each use. 

 

Can the firmware become infected by the disinfection of computers? Or does the quarantine folder prevent this? 

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#12 TsVk!


Posted 13 August 2014 - 12:35 AM

As far as I know Cat this isn't in the wild... yet. 

 

But if the device was attacked in this manner your quarantine folders would do nothing, as the formatting, content and structure of the data on the device is irrelevant. If I understand this threat correctly.



#13 cat1092


Posted 13 August 2014 - 01:33 AM

In that case, I hope it doesn't become widespread. 

 

We've had more than our share of infection scares, many successful, looking at all of the new posts, seems that more & more are headed to one of the Security forums. Just looked again, it's 2:30AM here & over half the pages of new content is about infections. Though the local time means nothing, this is a global forum.

 

We don't need anymore new major outbreaks of infections, period. 

 

Cat




#14 cat1092


Posted 13 August 2014 - 01:34 AM

 

 

An average user might not even have any idea what firmware has to do with flash drive storage.

Very true, many don't keep their SSD firmware upgraded, let alone a USB firmware upgrade or re-flash.

 

At the pricing of these devices, I'd just fix it with a hammer & stump, as the USB drive may never be trustworthy again. 

 

Cat


Edited by cat1092, 13 August 2014 - 01:51 AM.



#15 Elise


Posted 13 August 2014 - 02:05 AM

Can the firmware become infected by the disinfection of computers? Or does the quarantine folder prevent this? 

 

Impossible to tell because that would imply that there is actually malware using this vulnerability. :) As it isn't, there's no way to tell how an exploit will be deployed. In any case, the quarantine folder would not have any influence on it.


regards, Elise




