Can Removable Media be infected?

Discussion in 'malware problems & news' started by poirot, Aug 5, 2007.

Thread Status:
Not open for further replies.
  1. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Can removable media like a pen drive with nothing else than documents and non-OS files, but perhaps with zipped downloaded programs, be infected by any kind of rootkit after being used in an infected computer?
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,

    It can be infected with something that can deliver a rootkit payload with an autorun executable, but not a rootkit itself, because the pen drive has no OS of its own (in this case) that can host and hide the OS - it communicates through the computer OS.

    Of course, the copying of the payload can be hidden from the user if this is the purpose of the software on the infected machine.

    The simplest solution is to simply turn the autorun off on all removable media. This way, files will be static and easily viewable and completely harmless until executed.

    Mrk
     
  3. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Thanks Mrkvonic, that's a good idea, I'll check my pen drives and try to find out how to work on the autorun of removables.
     
  4. eniqmah

    eniqmah Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    391
    Try MS's tweakui. You can disable and hide drives you don't want to run around in the system.
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,
    You can disable via registry directly - or perhaps use Group Policies (XP Pro) to the same effect.
    Mrk
     
  6. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Downloaded it, although I don't know if I'll use it, but I will use Image Resizer, which I needed, so thanks Enigmah.

    The problem is I often - I'd say daily - use a removable to d/l or copy files or programs, so blocking it on a permanent basis could be impractical.
    Now for instance I used a pen connected to a formerly virus-infested and possibly rootkitted PC, which is a thing I don't do on a daily basis.
    No OS and no programs in the pen, just a few text-html files, and before using it again in my PowerShadow-protected PC I ran an Antivir scan, including the antirootkit Avira tool, and also a Boclean file scan.
    I feel reasonably safe this way... but surely not 100%.

    What do you think, Mrkvonic, about encrypting the 'resident' files on the removable (only when you deal with danger) so that when you're finished with the task you can just delete the non-resident files/folders involved with the possibly infected PC?

    This way there is a certainty the encrypted files cannot be touched by an infected PC and then you delete the newly created files when you exit so that nothing wrong can happen when I use the removable in my computer again.
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,

    I don't see what the problem is.

    You only need to disable the autorun feature - not the USB drives themselves... And if you wish to access the drive, then you can simply right-click on it in My Computer, explore and such.

    Now, imagine the worst possible infected PC. It is aware of usb devices and copies the payload to it and even creates an autorun.inf file that is supposed to start installing it on another pc when you plug it there.

    If you do not have autorun enabled, nothing will happen.

    The user of the second pc will notice some extra files on the thumb drive and this could raise suspicion.

    Now, sci-fi scenario:

    On top of all this, the malware tries to infect files already on the drive, by corrupting them - or better - injecting or appending its code to the existing file.

    Although this is unlikely, how do you protect those files?

    Well, encryption could work. Read-only could work - setting the drive to read-only.

    Mrk
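
Added example, not part of any post in this thread: a Python check for the two changes the post above describes, an `autorun.inf` that names a program to launch, and files that were added or modified while the drive was in another PC. All function names are illustrative, the "drive" in `demo()` is a constructed temporary directory, and the baseline manifest is assumed to be kept on the trusted PC rather than on the drive.

```python
import hashlib, os, tempfile

def autorun_commands(root):
    """Commands an autorun.inf in the drive root names (open=, shellexecute=, shell\\<verb>\\command=)."""
    cmds = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if name.lower() != "autorun.inf" or not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for line in fh:
                key, sep, value = line.partition("=")
                key = key.strip().lower()
                if sep and (key in ("open", "shellexecute") or key.endswith("\\command")):
                    cmds.append(value.strip())
    return cmds

def manifest(root):
    """Map every file's path (relative to root) to its SHA-256 digest."""
    out = {}
    for folder, _, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def compare(before, after):
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, changed

def demo():
    """Constructed sample: a temp directory stands in for the pen drive and is altered as the post describes."""
    with tempfile.TemporaryDirectory() as drive:
        def put(name, data, mode="wb"):
            with open(os.path.join(drive, name), mode) as fh:
                fh.write(data)
        put("notes.txt", b"hello")
        put("page.html", b"<html></html>")
        before = manifest(drive)  # baseline taken before visiting the untrusted PC
        put("AUTORUN.INF", b"[autorun]\n; comment\nopen=dropped.exe\nshell\\open\\command=dropped.exe /s\n")
        put("dropped.exe", b"MZ")
        put("page.html", b"<!-- appended -->", mode="ab")
        return autorun_commands(drive), compare(before, manifest(drive))

if __name__ == "__main__":
    print(demo())
```

Run `manifest()` on the real drive's mount point before and after the visit; anything in `added` or `changed` that you did not put there yourself deserves a look before it is opened.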
     
  8. eniqmah

    eniqmah Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    391
    He wants the drive to pop up and display its contents. This saves a few mouse clicks.
    That's fine, just get one of those USB with a write access lock.
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,
    1. That's annoying.
    2. Risks outweigh benefits.
    Mrk
     
  10. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    I already disabled autorun and I've used a very simple quick little program (Osborne) to encrypt the sensitive areas of the removable, so no more anxiety now.
    Thanks to both enigmah and Mrkvonic, who I don't want to become tired answering to this post as I plan to make a new thread and new questions asap about using Linux...
     