USB Malware
<blockquote data-quote="struppigel" data-source="post: 922109" data-attributes="member: 86910"><p>Hello. The short answer is: Yes, USB malware is relevant.</p><p></p><p><span style="font-size: 15px"><span style="color: rgb(41, 105, 176)"><strong>The long answer:</strong></span></span></p><p></p><p>As noted by some other members, it doesn't get that much news coverage, which is because there isn't anything new to say about it. They aren't rare, though; they are a daily occurrence at my workplace. It is mostly still the same old families that are spreading via USB drives, e.g., Gamarue and Dinihou. Some RATs, ransomware, and stealers adopted this strategy too, but it is one feature of many, so it doesn't get too much attention.</p><p></p><p>Yes, the infamous<span style="color: rgb(147, 101, 184)"><strong> autorun.inf </strong></span>method doesn't work anymore since Windows 7. Most USB spreaders today (including Dinihou, Gamarue) use a different method which requires the user to open one of the files on the USB flash drives.</p><p></p><p>USB worms today spread by placing<span style="color: rgb(147, 101, 184)"><strong> Windows shortcut files</strong> </span>alongside your personal files on the drive. Then they hide the personal files. The shortcut files will look exactly like your personal files. So to you it will seem like those are the documents that you put there yourself. If you open them, the shortcuts will run the malware but also open your hidden personal files. 
You won't notice anything.</p><p>Shortcut icons usually have an arrow on the bottom left corner, but even that is fixed by some of the worms using certain registry tweaks.</p><p></p><p><span style="color: rgb(41, 105, 176)"><strong><span style="font-size: 15px">Examples of USB worm infections</span></strong></span></p><p></p><p>Down below is an example of what a Spora infection looked like if you enable viewing of hidden files (taken from <a href="https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware" target="_blank">this article</a>). This was probably due to a bug, but the first Spora versions not only did the shortcut infection on removable drives but also on the C: drive. Here the legitimate folders (Program Files etc.) were hidden by the malware. The five files at the bottom that look like folders are malware shortcuts and execute the hidden malware executable that is marked in red here as well as open the actual folder with explorer to not raise suspicion.</p><p></p><p><img src="https://www.gdatasoftware.com/fileadmin/web/general/images/blog/2017/01_2017/G_DATA_spora_shortcuts_system_drive.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>From the perspective of a user, you are executing the malware merely by browsing the folders on your system. If anyone asked you if you executed something odd, you would probably deny that, since you only opened folders. You can also see that the arrow that normally indicates a shortcut icon is missing here.</p><p></p><p>For comparison, this is a Try2Cry infection on a USB flash drive which does not remove the arrow from the shortcut icons. 
So it might occur to you that something is wrong.</p><p></p><p><img src="https://www.gdatasoftware.com/fileadmin/web/general/images/blog/2020/07_2020/try2cry_usb_hidden.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p><span style="color: rgb(41, 105, 176)"><strong><span style="font-size: 15px">Other threats via USB</span></strong></span></p><p></p><p>USB worms are not the only threat, but others are less relevant in terms of how likely you might be affected by them.</p><p></p><p>Viruses (file infectors) may spread via USB flash drives. But this only happens if you have no working Antivirus program because almost all viruses are very old and well-detected by them.</p><p></p><p>Of course you may also put malware executables on your USB drive yourself (e.g. you back up a trojanized version of a legit program). But that's not a USB-drive-specific issue.</p><p></p><p>Attacks via Rubber Ducky only work if you plug in someone else's USB flash drive or allow others to do that.</p><p></p><p><span style="color: rgb(41, 105, 176)"><strong><span style="font-size: 15px">Protection from USB malware</span></strong></span></p><p></p><p>Don't plug your USB flash drive into public computers. </p><p>Don't plug unknown USB flash drives into your computer. </p><p>Use an Antivirus program.</p></blockquote><p></p>
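A defensive check for the shortcut pattern described in the post above, as an added example that is not part of the original post: it flags `.lnk` files whose name matches a hidden file or folder in the same directory, plus hidden files with a runnable extension. The name-matching rule, the `RUNNABLE` list and the sample listing are assumptions constructed for illustration.

```python
import os
import stat

# Extensions treated as "runnable" for this check (an assumption, not from the post).
RUNNABLE = {".exe", ".scr", ".vbs", ".js", ".bat", ".cmd"}

def find_shortcut_decoys(entries):
    """entries: iterable of (name, is_hidden) pairs for one directory.

    Returns (decoys, hidden_runnable): decoys is a sorted list of
    (shortcut, hidden_original) pairs; hidden_runnable lists hidden
    files that carry a runnable extension."""
    shortcuts, hidden_by_key, hidden_runnable = [], {}, []
    for name, is_hidden in entries:
        lower = name.lower()
        if lower.endswith(".lnk"):
            shortcuts.append(name)
        elif is_hidden:
            # Index by full name and by name without extension, because
            # Explorer may hide known extensions ("report.docx" shows as "report").
            hidden_by_key.setdefault(lower, name)
            hidden_by_key.setdefault(os.path.splitext(lower)[0], name)
            if os.path.splitext(lower)[1] in RUNNABLE:
                hidden_runnable.append(name)
    decoys = []
    for lnk in shortcuts:
        stem = lnk[:-4].lower()  # drop ".lnk", which Explorer never displays
        if stem in hidden_by_key:
            decoys.append((lnk, hidden_by_key[stem]))
    return sorted(decoys), sorted(hidden_runnable)

def scan_directory(path):
    """Read real attributes; the hidden bit is only exposed on Windows."""
    entries = []
    with os.scandir(path) as it:
        for e in it:
            attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
            entries.append((e.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return find_shortcut_decoys(entries)

# Constructed listing modelled on the infections described in the post.
SAMPLE = [
    ("Holiday Photos", True), ("Holiday Photos.lnk", False),
    ("report.docx", True), ("report.lnk", False),
    ("notes.txt", False), ("Backup.lnk", False),
    ("a1b2c3.exe", True),
]

if __name__ == "__main__":
    print(find_shortcut_decoys(SAMPLE))
```

On Windows, `scan_directory("E:\\")` applies the same check to the root of a removable drive; a lone shortcut such as `Backup.lnk` with no hidden twin is not reported.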