Old 02-14-2011, 01:22 PM   #26
Hellmark
An infected computer can infect files on an external device. Infected files on that device will not automatically infect a non-infected computer, with few exceptions.

A U3-branded drive can possibly infect a computer under a handful of circumstances. It is unlikely, but still possible. The U3 device autoruns an application that lets you run apps from the drive and keep sensitive info on the drive, and not the computer. So, you can run Firefox from the U3 drive, and all saved passwords, etc. are stored on the drive. This lets you keep things persistently across multiple computers, even public ones, without an issue. This has the autorun feature because it has a partition that mimics a CD drive (autorun was meant for CDs). A few years back, the IPTV show Hak5 started spotlighting the Switchblade and Hacksaw projects that hacked U3 drives to change what was on the partition to run other software of their own creation. 99% of the time, the drive was owned by the hacker (or script kiddie) and was used to steal passwords, CD keys, cookie info, etc. from computers they got physical access to. They would just pop it in, and a few seconds later, have a bunch of info and be off. This being said, it is technically possible to have a virus change the U3 partition to add a virus on someone unknowingly. It isn't common, because it would require the target to have a U3 drive and for them to go to other computers with the drive. It would be a slow method to distribute a payload, and so generally isn't seen as worthwhile. On Vista and Windows 7 computers, autorun isn't fully automatic anymore, so you can stop it from happening on a per-instance basis.

Autorun is also possible on non-U3 devices. This has seen some usage through Conficker and related viruses. Disabling autorun will fix this.

The other way is if you have your computer set to show previews or thumbnails of files on the drive. When you open up the drive, the computer will open the files completely to generate the thumbnail. There have been various exploits of security holes in this system over the years that allowed a malformed image to create a buffer overflow that would allow for code to be executed. This is more common than the U3 method, since so many more have this feature than U3 drives, plus once the system is infected they can use the computer's network connection to spread via emails, networked drives, etc. There have been a few viruses that have exploited autorun.

If you are worried about a device being infected, simply scan it immediately after plugging in the device. Do not try and view it or anything until after you've scanned it. Holding shift while inserting the device should prevent autorun. You may have to hold it for a bit after insertion, to be sure (I've had to hold it as long as 20 or so seconds). If you use XP or earlier, you can disable autorun by instructions included on this link.

As far as MS disabling autorun by default in XP and earlier, I am surprised they are finally going to release an update to do that. MS has been known to allow for gaping security holes for years, so it wouldn't affect a "feature". Anyone remember the net send message from the Win2k and early XP days? MS had a tool included in all NT-based systems that would allow people to send a message to other computers on the network. This was quite useful for system and network admins to notify people of impending changes. However, by default MS had this enabled and allowed to accept messages from anywhere, even the internet. Obviously, nefarious types used this to their advantage, and started spamming random IP addresses, since it was trivial to hit large numbers of computers at once, and automatically. It wasn't until XP Service Pack 2 that MS changed it to only allow net send messages from your local network. Plus they see XP as dead now, so they are more unlikely to do much for it. Heck, it is more useful for them to say "Upgrade to 7, so you can avoid this nasty security issue". It should be noted that the update to disable autorun by default is OPTIONAL. It will not be done unless you manually go to Windows Update and select the update that disables it.
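An added example, not part of Hellmark's post: a small Python check that reads a removable drive's `autorun.inf` as raw bytes, without opening anything else on the drive, and lists the `[autorun]` entries that would launch a program. The sample file content, the file names in it and the `[Other]` section are constructed for illustration.

```python
import re
import sys

# [autorun] keys that name a program to start.
EXEC_KEYS = ("open", "shellexecute")
# Context-menu verbs: shell\<verb>\command=<program>
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

def audit_autorun_inf(raw: bytes) -> list:
    """Return (key, value) pairs in [autorun] that would launch a program."""
    if raw.startswith(b"\xff\xfe"):          # UTF-16 LE file with BOM
        text = raw[2:].decode("utf-16-le", errors="replace")
    else:
        # latin-1 never fails, so junk bytes cannot abort the audit
        text = raw.decode("latin-1")
    text = text.replace("\x00", "")
    findings = []
    in_autorun = False
    for line in re.split(r"[\r\n]+", text):
        line = line.strip()
        if not line or line.startswith(";"):
            continue                          # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in EXEC_KEYS or SHELL_CMD.match(key):
            findings.append((key.lower(), value))
    return findings

# Constructed sample, not taken from a real drive.
SAMPLE = (
    b"; constructed sample\r\n"
    b"\x8f\x02junk=\x90\x11\r\n"
    b"[AutoRun]\r\n"
    b"icon=drive.ico\r\n"
    b"OPEN = tools\\launcher.exe /quiet\r\n"
    b"shell\\explore\\command=tools\\launcher.exe\r\n"
    b"[Other]\r\n"
    b"open=ignored.exe\r\n"
)

if __name__ == "__main__":
    # Usage: python audit_autorun.py E:\autorun.inf  (falls back to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in audit_autorun_inf(data):
        print(f"launches on autorun: {key} -> {value}")
```

An empty result only means the file requests no program launch; it says nothing about the other files on the drive, which still need the scan described in the post.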