
Joining the infamous Chip & PIN terminal hacks as yet another way to siphon banking details from unlucky Londoners, a group of "malware purveyors" reportedly dropped off tempting Trojan-infused USB drives in a UK parking lot in hopes that unsuspecting individuals would take the bait and subsequently hand over their banking credentials. Supposedly, Check Point regional director Nick Lowe mentioned the wile at the Infosec trade show, but couldn't elaborate due to the ongoing investigation. Another insight suggested that such chicanery was becoming "the new phishing email," but hey, where's the love for those oh-so-vulnerable ATMs? Take note, dear Brits, that the free storage you're eying on the park bench could end up costing you quite a bit in the long run.
What we need is a nice little pocket USB flash drive wiper and then the problem is solved.
Eventually it wouldn't be worth the hardware you're leaving around.
or, you could use a mac and get some free storage
Or you could not have autorun enabled and not worry about it at all?
Come on, who is stupid enough to have autorun still enabled?
because disabling autorun involves editing the registry. most home users don't know:
a) what autorun is
b) they can disable autorun
c) how to disable autorun.
on top of that, when autorun is disabled, windows won't show the name of the CD in the drive, unless you booted with it in there. most home users don't like that.
This social engineering vector was postulated almost 3 years ago in 2600. What I want to know is, what took so long?
Log in as an administrator
Start -> Run -> type "gpedit.msc"
Click "Administrative Templates" -> "System"
Find "Turn off Autoplay"
Disable for all drives
Now your Windows is 100% secure ;)
I'm surprised the Mac zealots haven't had something to say about this.
Allow me...
HAH!
Thank you for that - it's reaffirmed my belief in humanity!
This exploit was originally used as a proof of concept roughly a year ago by some security firm. They littered an office parking lot with USB flash drives that would compromise the security of the office network, record keystrokes, etc. The theory is that some (if not most) of the employees who find these flash drives would simply plug them into their work machines out of curiosity. It worked, as enough employees loaded the malware on their machines. Didn't Engadget have a post on this? Anyways, it's funny how these security experts will publish an exploit where the main entry point is human stupidity, and how no one solves the problem leaving more and more people vulnerable to stupid PC tricks that were obviously gleaned off the web from a post about a security firm.
Right you are, here's an article about it:
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
I don't know anything about Windows' "AutoRun" settings for USB Mass Storage, but you can't claim that this isn't "free storage". No, you don't need a pocket flash wiper, you just need an OS that doesn't start arbitrary executables without confirmation as soon as you plug a drive.
Macs are not invulnerable. Get over it. I use a Mac, but I don't go around preaching the 'Way of OS X' like it was some freaking religion. If someone wanted to, they could take down your Mac, and probably do it faster than a windows machine. But a keydrive dropped in a parking lot will probably have a trojan for Windows on it, because that is where the numbers are.
I agree that Macs are not invulnerable, but don't exaggerate by saying you can take down a Mac faster than a Windows machine- that's just crazy talk.
It doesn't need to be on autorun. Humans are naturally curious, when we find a usb key, we will have a quick look around the files that are on it. If the thieves make a .exe that crashes, and give it a word document icon, then 99% of the public will run it.
Doesn't strike me as being the most efficient way of malware distribution mind, even if you can buy a cheap job lot of 16mb sticks from some wholesaler in china...
I wish some hackers would do that in *my* city ... I could use some free USB drives ...
Which for some reason you expect me to double-click? There is no autorun on OS X.
I have a bottle opener that looks just like that on my key ring, I know you people don't care, I just thought I'd share that.
Previous comment directed @Moff btw (threading seems broken :/ )
Moff, I'd be interested in seeing how you would write such a Trojan. I'm not saying it's impossible, but I'd be willing to see how far it goes on my Mac Pro. I'd give you props if it actually worked.
You've suggested turning off Autorun-
cancel or allow?
allow
but vista fixed this right? right???
Idiots that play with items of PC hardware they find lying in the street deserve everything they get, if you ask me.
There is this neat little utility that has been around since the Win9x days, called TweakUI. Makes disabling autorun for drives or for types of media (CD-DVD/Removable) as simple as changing a checkbox. Doesn't involve manually modifying the registry, is produced by Microsoft, and is free. It is part of a group called "Power Toys":
http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
"This social engineering vector was postulated almost 3 years ago in 2600. What I want to know is, what took so long?"
Waiting on the clearance sale for 16MB flash drives?
Neither Windows XP nor Vista will autorun any .exe files (or any files) on the USB drive when you plug it in. Instead if the USB drive has an autorun.inf file on the drive, windows will pop up some dialog asking the user what they want to do (look at pictures, browse files, run program etc.) and I think there is a further warning if you click to run the program.
So this only works through user intervention, and surely most users are savvy enough these days to not run any program they don't know about?
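The comment above describes Windows reading an `autorun.inf` file from the drive, and an earlier one points out that an executable dressed up as a document needs no autorun at all. As an added example (not part of the original thread), this Python script lists both kinds of file on a mounted drive without running anything; the extension lists and the sample file names are constructed assumptions.

```python
import os
import tempfile

EXEC_KEYS = ("open", "shellexecute")  # [autorun] keys that launch a program
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOC_EXTS = {".doc", ".pdf", ".xls", ".jpg", ".txt"}


def parse_autorun(text):
    """Return {key: value} from the [autorun] section; names are case-insensitive."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def inspect_drive(root):
    """Return sorted (kind, detail) findings for a mounted drive; runs nothing."""
    findings = []
    inf = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if inf and os.path.isfile(os.path.join(root, inf)):
        with open(os.path.join(root, inf), encoding="latin-1") as fh:
            for key, value in parse_autorun(fh.read()).items():
                if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                    findings.append(("autorun-command", f"{key}={value}"))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            if ext in EXEC_EXTS:
                # "Report.doc.exe" displays as "Report.doc" when extensions are hidden
                disguised = os.path.splitext(stem)[1] in DOC_EXTS
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append(("disguised-executable" if disguised else "executable", rel))
    return sorted(findings)


def demo():
    """Inspect a constructed sample drive built in a temporary directory."""
    sample = {"AUTORUN.INF": "[AutoRun]\nlabel=Photos\nOpen=viewer.exe /s\n",
              "viewer.exe": "", "Report.doc.exe": "", "notes.txt": ""}
    with tempfile.TemporaryDirectory() as root:
        for name, body in sample.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return inspect_drive(root)
```

Calling `demo()` returns the findings for the constructed sample; point `inspect_drive()` at a real mount point to check an actual drive.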
I am more than a little skeptical as they "can't provide more information" since the case is pending. This was announced by a company with a vested interest in making people paranoid about this. That is not to say there isn't a threat, but I would suspend judgment until we know more about the case...particularly from a more neutral party. There are a whole lot of these tools on various websites such as hak5.org and usbhacks.com