USB devices spreading viruses

Defense Department suspends use of USB drives as experts warn of USB-related virus outbreaks.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read

USB thumb drives are convenient, popular and often free--and they're spreading viruses like sailors on shore leave.*

The US-CERT (Computer Emergency Response Team) issued a warning on Thursday that malicious code is increasingly propagating via USB flash drive devices.

Meanwhile, the U.S. Department of Defense has temporarily banned the use of thumb drives, CDs, and other removable storage devices because of the spread of the Agent.bzt virus, a variant of the SillyFDC worm, according to Wired.

We've seen this before with portable external storage devices. Floppy disks were the culprit in the early 1990s, followed by CDs. The fact that USB thumb drives are being used by so many people makes them an attractive target for virus writers.

"The bad guys are intentionally developing new flavors of malware designed to propagate through USB devices," said Gunter Ollmann, chief security strategist for IBM's ISS security division. "They are today's floppy drives."

CNET News/James Martin

But USB drives are even handier. Their small size makes them easy to slip into a pocket or carry on a lanyard around your neck. A common swag item in the tech industry, they also are mainstream consumer storage devices. They literally litter my desk drawers.

There are a couple of ways USB thumb drives can be used to spread viruses and other malicious software.

An infected computer can spread a virus to a clean USB thumb drive that is inserted. That USB drive will then be spreading the virus onto other computers if the operating system on those machines has an AutoRun-type feature enabled. The AutoRun function in Windows launches installers and other programs automatically when a flash drive or CD is inserted. The Mac has an equivalent function, according to Ollmann.

For that reason, people should disable any AutoRun features and manually launch programs when using a flash drive, he said. CERT has information about the dangers associated with AutoRun here, as well as tips specific to the safe use of USB drives here.

A virus also can be embedded in what looks like a normal file on a USB device, so that even if AutoRun is disabled, the computer will become infected when the file is opened.

Thumb drives aren't the only culprits; any device that plugs into a USB port--including gadgets like lights, fans, speakers, toys, even a digital microscope--can be used to spread malware, Ollmann said.

The devices can be infected during the manufacturing or supply chain process if quality control measures are not adequate, he said.

In addition to disabling AutoRun, Ollmann suggests that people use an antivirus tool to scan their USB devices before opening any files from them and be cautious with files on devices even if they come from trusted sources.

There's also the danger that the small devices can be lost, exposing the data on them to whoever happens to find them. A Swedish soldier was recently convicted of negligence after leaving a USB flash drive with classified information on it in a computer at a Stockholm university, according to an Associated Press report. And a British tax agency was forced to shut down its Web site after a contractor lost a flash drive containing confidential passwords and source code in a pub parking lot last month.

So, feel free to carry a USB memory stick, but be very careful where you put it.

*My sincere apologies if I offended anyone with this lead sentence. I struggled to find an analogy that works for infections spread by physical contact and which involve mobility, and airborne medical outbreaks just didn't work.