Malware distribution through USB storage, a growing concern? (MS Windows only)
(If you’re not using MS Windows at all, you can skip this article, except if you want to say “Cool! One thing I’m sure to avoid…”.)
This article is a sort of reaction to the interesting article I just read on Slashdot.
Though quite interesting, the topic is a little different from what I’m going to speak about…
I won’t deal with devices with pre-installed malware now; instead I’ll write about the danger of plugging external storage devices (USB keys, hard disks, some phones too, etc.) into different places.
No special action except connecting your device to a compromised computer is required.
Here is how this threat works:
* When you connect your device to the compromised computer (for example at a cybercafé, a school, on the computer of a friend, etc.), your device becomes infected (I won’t detail this step, because there is nothing really surprising about it).
* Afterwards, when you connect your device to your computer, if you have Microsoft Windows and if you have not disabled (excuse me, fully disabled, using the registry and not using XP’s menus) the autorun feature, Microsoft Windows searches for a special file on your key. This file is named “AUTORUN.INF” (the same file used to launch an installer or any program when you put a CD/DVD in your drive), and this file may be hidden.
* If the file is found, MS Windows reads it and just does what the AUTORUN.INF tells it to do (usually: launch another executable file on the same device).
* If you have *fully* disabled the AUTORUN.INF feature at the insertion of a device, but double-click on the icon of your device… Bingo! You’ve given the right to launch automatically whatever AUTORUN.INF says to launch (do I need to say “without your consent”?).
* Once the executable file containing the virus is launched… You’re just infected (nothing special to say about that either), and the virus will probably copy itself to any USB key, external hard drive, etc. that you are likely to connect… (So take care if you re-install MS Windows…)
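To see what an AUTORUN.INF on a key would make Windows launch without plugging the key into Windows, you can read the file from another system. The following Python sketch is an added example, not part of the original article: the function names, the file name example.exe and the sample content are constructed for illustration.

```python
import os
import re

# [autorun] keys that name a program: "open" and "shellexecute" are what AutoRun
# starts, "shell\<verb>\command" entries are commands on the drive icon's menu.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def decode_inf(data):
    """AUTORUN.INF is ANSI or UTF-16 text; decode it without ever raising."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("latin-1")

def autorun_commands(text):
    """Return [(key, command)] for every launch entry in the [autorun] section."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            found.append((key.lower(), value))
    return found

def inspect_drive(root):
    """Find AUTORUN.INF in the drive root (any letter case) and list its commands."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            with open(path, "rb") as fh:
                return autorun_commands(decode_inf(fh.read()))
    return []

# Constructed sample, not taken from a real device.
SAMPLE = (
    "; constructed sample\r\n"
    "[AutoRun]\r\n"
    "open=example.exe\r\n"
    "icon=folder.ico\r\n"
    "shell\\open\\Command=example.exe /s\r\n"
    "shell\\explore\\command = example.exe\r\n"
    "[other]\r\nopen=ignored.exe\r\n"
)
```

Call `inspect_drive()` with the mount point of the key; an empty list means no AUTORUN.INF was found in the root, or that it contains no launch entries.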
Of course, I probably don’t need to point out that most antivirus programs are effective only against a limited number of viruses, and that some viruses may remain “unknown” to your antivirus for a long time…
The question you may ask yourself is “Is this threat a real risk? Does it happen often?”.
I’ve been in contact with this threat three times.
The first time, a friend called me because he had a problem with his computer. In fact, he had the “adober.exe” virus/trojan. (You can note that the name is particularly chosen to look “normal” to people who check which processes are running… Even if the Adobe Acrobat Reader executable has a different name…)
The second and the third time, the virus really came to my keys… But since I use Linux on my computer (and I was using it at that time too), I just had an occasion to think that I was lucky…
And I find that things are easier since I use only Linux at home. (Although I’m considering using other OS, FreeBSD for example, but using virtualisation…)
