When federal government systems are hit with malware, the incidents often receive no public reporting. However, the slew of infections from removable drive based worms have become so bad on the U.S. Dept of Defense’s infrastructure that they’ve banned usb drives altogether, according to Wired’s reporter Noah Shachtman. It’s unfortunate that these drives are not being properly scanned, and that doing so must not be a part of process to this point.
The military’s policy decision is somewhat unsurprising, considering that the Gammima worm that made it onto the international space station this past August also spread using the Usb autostart technique. Worms have been very effectively spreading using this technique to deliver password stealing components since early 2007, and it’s about time policies are clamping down on the slack. Quick releases of worm variants evading anti-virus scanners continue to use the same autostart technique today. Of course, users running ThreatFire have been protected from these AV-evading autostart worms since they installed it.
Update (11/25/2008): The US-CERT posted information about what they are calling two popular “methods”. Basically, the post describes removable drive-based infection vectors — both to the removable drives, when worms copy themselves to the media from an infected system, and from the removable drives, when a worm abusing Windows’ autoplay functionality executes itself on the system. Nice to see awareness increasing — Autoplay can be dangerous!
It’s not always a waste of time anymore. In addition to running TF, you can scan your usb drives on a system with Autoplay disabled with your anti-virus scanner. The scanning solutions have, for the most part, caught up with the two year old technique.