Can Removable Media be infected?

Can a removable media like a pen Drive with nothing else than documents and non OS files ,but perhaps with zipped downloaded programs, be infected by any kind of rootkit after being used in an
infected computer?

 

Hello,

It can be infected with something that can deliver a rootkit payload with an autorun executable, but not a rootkit itself, because the pen drive has no OS of its own (in this case) that can host and hide the OS - it communicates through the computer OS.

Of course, the copying of the payload can be hidden from the user if this is the purpose of the software on the infected machine.

The simplest solution is to simply turn the autorun off on all removable media. This way, files will be static and easily viewable and completely harmless until executed.

Mrk

 

Thanks Mrkvonic,that's a good idea,i'll check my pen drives and try to find out how to work on the autorun of removables.

 

Try MS's tweakui. You can disable and hide drives you don't want to run around in the system.

 

Hello,
You can disable via registry directly - or perhaps use Group Policies (XP Pro) to the same effect.
Mrk

 

Downloaded it,although i dont know if i'll use it,but i will use Image Resizer which i needed,so thanks Enigmah.

The problem is i often-i'd say daily- use a removable to d/l or copy files or programs, so blocking it on a permanent basis could be impractical.
Now for instance i used a pen connected to a formerly virus infested and possibly rootkitted pc which is a thing i dont do on a daily basis.
No OS and no programs in the Pen,just a few text-html files,and before using it again in my PowerShadow protected pc i ran Antivir scan,including antirootkit Avira tool,and also Boclean file scan.
I feel reasonably sfae this way.....but surely not a 100% .

What do you think, Mrkvonic,about
encrypting the 'resident' files on the removable
(only when you deal with danger)
so that when you're finished with the task
you can just delete the non resident files/folders involved
with the possibly infected pc?

This way there is a certainty the encrypted files cannot be touched by an infected pc and then you delete the newly created files when you exit so that nothing wrong can happen when i use the removable in my computer again.

 

Hello,

I don't see what the problem is.

You only need to disable autorun feature - not the usb drives themselves... And if you wish to access the drive, then you can simply right-click on it in the My Computer, explore and such.

Now, imagine the worst possible infected PC. It is aware of usb devices and copies the payload to it and even creates an autorun.inf file that is supposed to start installing it on another pc when you plug it there.

If you do not have autorun enabled, nothing will happen.

The user of the second pc will notice some extra files on the thumb drive and this could raise suspicion.

Now, sci-fi scenario:

On top of all this, the malware tries to infect files already on the drive, by corrupting them - or better - injecting or appending its code to the existing file.

Although this is unlikely, how do you protect those files?

Well, encryption could work. Read-only could work - setting the drive to read-only.

Mrk

 

HE wants the drive to pop up and display its contents. This saves a few mouse clicks.
Thats fine, just get one of those USB with a write access lock.

 

Hello,
1. That's annoying.
2. Risks outweigh benefits.
Mrk

 

I already disabled autorun and i've used a very simple quick little program (Osborne) to encrypt the sensitive areas of the removable, so no more anxiety now.
Thanks to both enigmah and Mrkvonic ,who i dont want to become tired answering to this post as i plan to make a new thread and new questions asap about using Linux...