Friday, July 24, 2009

How to protect your computer from a malware-infected thumbdrive

I have seen virus-infected thumbdrives, especially on computers that are poorly administered (i.e. users are given administrative privileges) and where the users have no clue about the dangers of the internet and download suspicious files with executable extensions.
Combine this with infrequently updated anti-virus software and it is a foregone conclusion that a malware infection will occur.

This leads to frequent system crashes and a poor Windows experience, and at the end of the day people usually point fingers at Microsoft rather than at themselves as the cause of the malware infection.

As the system gets laden with more and more malware, crashes and lag occur as the malware attempts to make unauthorised connections to the internet, depending on what it was originally designed for.
Most malware does not attempt to disable the computer, for obvious reasons.
It wants to stay undetected so it can steal data from the infected host or simply use the host as part of a botnet. However, things get ugly when several different pieces of malware come into play.

A virus competes with other programs, including other viruses, for system resources. If the computer does not have sufficient resources to feed them all, lag occurs; and if one virus interferes with system files already hijacked by another, the clash can result in a system crash and a Blue Screen of Death.

Malware spreads via a number of media, the Internet as well as removable drives.
As the topic is fairly big, I shall only focus on how to prevent a virus on a thumbdrive from entering your host system.

First of all, when I insert a thumbdrive a good anti-virus will attempt to scan it. If a file matches a virus signature in its database, it will immediately isolate (quarantine) the file to prevent it from running, as shown in the screenshot in the original post.

The good news is that even if you don't have anti-virus you can prevent the malware from running and check whether the thumbdrive is infected.

Let's take a look at the infected thumbdrive.
Go to Folder Options (in Windows Explorer on XP: Tools > Folder Options > View tab) and make the following changes so that you can see all the files present on the thumbdrive:
Select "Show hidden files and folders"
Uncheck "Hide extensions for known file types"
Uncheck "Hide protected operating system files"
The second one matters more than it looks: with extensions hidden, a file named "photo.jpg.exe" is displayed as "photo.jpg".
If you have a Linux/BSD/Solaris system partition you can boot into it and look at your Windows partition from there. Those systems do not honour the Windows hidden and system attributes, so all the files in C:\ will show up (both genuine Windows system files and malware).


Malware usually disguises itself as system files (hidden and system attributes set), so you will not be able to spot it unless you change the settings shown above.
Take note that REAL system files will also reveal themselves, so DO NOT delete files if you are not sure whether they are Windows system files.
Deleting Windows system files can make the system UNBOOTABLE.

Soon you can see other malware showing up. (Note: SPENSER.EXE is no longer on the drive, as the anti-virus removed it.)


A strangely named file can be seen in the screenshot, probably another piece of malware which attempted to copy itself to the thumbdrive; SPENSER.EXE beat it to hijacking autorun.inf, so it never gets launched.

As I have said, malware hijacks the files Windows processes automatically in order to perform its misdeeds; on a thumbdrive that means autorun.inf.
Note: autorun.inf is not a Windows system file but a plain-text configuration file that Windows reads from the root of a newly inserted drive. Its legitimate purpose is to let an installation disc auto-launch its setup program (and set the drive's icon and label). Malware writes its own autorun.inf, usually with the hidden and system attributes set, pointing at its own executable.

Let's take a look at the infected thumbdrive's autorun.inf (right-click > Open With > Notepad).

If you remember, earlier the system anti-virus detected SPENSER.EXE.
Look at how SPENSER.EXE hijacked autorun.inf in order to launch itself upon insertion of the thumbdrive. The lines to look for in any autorun.inf are open=, shellexecute= and shell\...\command=, since those are the ones that name a program for Windows to run; in an infected autorun.inf they point at the malware's own executable.
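Here is an added example (my own, not code from the original post) of doing the same inspection by script instead of in Notepad: it parses autorun.inf tolerantly, lists every directive that would make Windows run something, resolves each target on the drive and reports whether the file exists and carries the hidden/system attributes the post describes. The drive root path and the autorun.inf built by demo() are constructed for illustration; the name SPENSER.EXE is borrowed from this post only as a sample.

```python
"""Check a removable drive for an autorun.inf that launches a program.

Added example, not code from the original post. Point inspect_drive() at a
drive root (e.g. E:\\ on Windows, /media/usb elsewhere); demo() builds a
throwaway folder with a constructed autorun.inf so the script runs offline.
"""
import os
import stat
import tempfile

# autorun.inf keys (compared case-insensitively) that make Windows run
# something; shell\<verb>\command= keys are matched by suffix below.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return launch directives from autorun.inf text as (key, value) pairs.

    Deliberately tolerant: droppers pad the file with junk lines, mix case
    and repeat keys, which a strict INI parser (configparser) would reject.
    """
    directives = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            # [autorun] plus the [autorun.<arch>] style of section header
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or key.endswith("\\command"):
            directives.append((key, value))
    return directives


def program_name(value):
    """Extract the program from a value like 'foo.exe /s' or '"foo bar.exe" /s'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def is_hidden_or_system(path):
    """True if the file carries the Windows hidden or system attribute.

    st_file_attributes exists only on Windows; on other systems (including a
    thumbdrive mounted under Linux) it is absent and this returns False.
    """
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))


def inspect_drive(root):
    """List what autorun.inf on `root` would launch; empty list if nothing."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    # latin-1 never fails to decode, which matters for deliberately garbled files
    with open(inf, encoding="latin-1") as fh:
        text = fh.read()
    findings = []
    for key, value in parse_autorun(text):
        program = program_name(value)
        path = os.path.normpath(os.path.join(root, program))
        exists = os.path.isfile(path)
        findings.append({
            "key": key,
            "target": program,
            "exists": exists,
            "hidden": exists and is_hidden_or_system(path),
        })
    return findings


# Constructed sample in the style of an autorun-spreading dropper.
SAMPLE_AUTORUN = """\
[AutoRun]
;padding line a dropper might leave to confuse simple parsers
icon=SPENSER.EXE
OPEN=SPENSER.EXE
shellexecute=SPENSER.EXE
shell\\open\\Command="SPENSER.EXE" -quiet
"""


def demo():
    """Create a throwaway 'thumbdrive' with the constructed autorun.inf and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "SPENSER.EXE"), "wb") as fh:
            fh.write(b"MZ placeholder, not a real executable")
        findings = inspect_drive(root)
        for f in findings:
            print(f"{f['key']:<20} -> {f['target']:<12} present={f['exists']} hidden={f['hidden']}")
        return findings


if __name__ == "__main__":
    demo()
```

Run against a mounted thumbdrive under Linux, the hidden flag always comes back False because os.stat cannot see Windows attributes there, which is the same reason the boot-into-another-OS check in this post shows every file; the launch directives and whether their targets exist are still reported. Three separate lines all pointing at one executable, as in the sample, is the typical signature of a dropper making sure it runs whichever way Windows or the user opens the drive.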

So how can you prevent this?
It is simple: disable AutoRun on XP, or AutoPlay on Vista. On both, the reliable way is the NoDriveTypeAutoRun policy (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, DWORD value 0xFF disables it for every drive type); on Vista you can also switch AutoPlay off in the Control Panel. Keep Windows patched, since XP needs an update Microsoft released in 2009 for this setting to be honoured on all drive types.
If AutoRun/AutoPlay is disabled the system ignores autorun.inf, so the virus is never launched automatically, and because the malware hides itself as system files you are unlikely to launch it by accident either. Note that this only stops the generic autorun-spreading virus: an executable you double-click yourself will still run, and no AutoRun setting prevents that.
Some malware comes as PowerPoint or Word macros, so disabling macros in your Office software (or leaving them at the default "disable with notification") will do the trick for those.
