Infections spreading through removable drives are still here for long, in every place where computers may be used by several persons :
cybercafes, media libraries, schools, associations, offices…
Spreading scheme :
- A clean key is connected to an infected PC (active infection)
- The malware will automatically create a copy of its malicious code on the key
To avoid being spotted, infection files have « hidden » attribute (H), so they can’t be seen by users.
According to the different variant versions, these files are not the same; but very often, there will be an « autorun.inf » file which will allow automatic launching of the infection when the key is connected.
The computer is now infected and will contaminate every peripheral connected to it.
If you’re lucky, infection will rapidly be detected, and you’ll be able to stop spreading; but sometimes, symptoms are not immediately noticeable.
It’s a windows function, associated to double click when we open a media, file or folder, or when we connect a removable media : Automatic Execution.
When we double-click on a media, or drive, to open it, windows will search for the Autorun.inf file.
If not found, the media will simply open, but if it’s found, the instructions it contains, will be automatically executed.
This function is mostly used for CD-Rom drives to automatically launch a programm on the CD or DVD, but it can be used for any type of media, including for malicious intentions.
When we double-click on the letter of the volume to open, windows will find the Autorun.inf file, and execute the file AdobeR.exe, which will infect the whole system.
If we do not double-click, but use right click and choose « open » or « explore », we by-pass the instructions of the autorun.inf, it’s a very convenient and easy way of avoiding infection.
To read the contents of an autorun.inf, open it with windows Notepad.
NB: All removable media can be infected : USB keys (or pendrives), external drives, MP3 players, digital cameras, flash cards, etc..
According to the different variations, in adition to the AutoRun.inf and .exe files, there may be other files with numerous attributes.
The infection may come with related files such as executable files with a folder icon, inciting users to open it to see what’s inside (may be Georges Clooney or Matt Damon with a cup of Nespresso, what else? )
and so, launch the infection. This is another method used by hackers, to by-pass deactivation of the Autorun.
Visible effects of this malware (depending on variations, of course)
- The start page of the web browser may be modified
- The title of an internet page may be modified (Hacked by Godzilla …)
- Access to the registry or to the task manager, may be denied
- UAC may be deactivated
- Opening an infected key, we may see files and folders are only shortcuts.
But if we display hidden files and folders, it’s quite different :
There are still the shortcuts, but the real files and folders are now visible, and we can see the malware here, is itunesHelper.vbe; if we also display the details, we can see it’s 68mo (quite big)
Invisible effects :
ItunesHelper.vbe is a keylogger, it registers what users type, and transmits the information to the hacker, who so, will be able to use logins and passwords to connect himself to social networks, e-mail addresses, and the best of all, bank accounts …
What to do with these ?
Mostly, hackers do not use these logins by themselves, but resell them for spamming campaigns, for example, in which many firms are interested.
So, don’t be surprised to be called on the phone, by a company, you’ve never heard of before, generally at dinner time.
How to avoid this type of infection?
- 1 : Deactivate autorun
As we have seen, autorun executes the instructions contained in the autorun.inf file. By deactivating it, the malware can’t be launched.
Deactivating autonrun, may be done trough the control panel, or directly in the registry (but this method requires a skill generally far beyond that of an average user.
Example of deactivation through the control panel under Windows 8 :
NB : You must do it for every account on the computer.
- 2 : Do not use double click
As we have also seen, if yo open your media with a right click, and choose « open » or « explore », The Autorun.inf file is by passed, and the malware cannot be launched (unless you’re too nosy, and want to see if Georges Clooney’s inside the folder on your pendrive)
Stage 3 above, is replaced by a new stage 3, and the PC is not infected.
To avoid your key to contaminate other PCs, you must vaccinate it
Vaccination does not prevent your key from being infected, but avoid it to contaminate other devices.
It consists in creating a false and harmless autorun.inf file.
which cannot be launched, deleted, or re-written; so the infection cannot be launched.
Vaccinate with Bitdefender USB Immunizer
Download Bitdefender USB Immunizer from this link and execute it
The tool recognizes immediately the removable medias to vaccinate (colored in green if already vaccinated, red if not)
Click on the red devices, they will be vaccinated
To activate automatic vaccination :
Click on “parameters” (the cogwheel on top-right)
On seeing the page under, set the cursor on « on », that’s all.
If « hidden » files are displayed, you can notice the vaccine
If you try to open or modify this autorun.inf file, you get this :