In May it was reported that IBM handed out some USB drives that were infected. A month later I spoke at a security conference that I will not name. I gave the AV (audio/visual) technician a USB key with my presentation on it to copy to the laptop they were using for the presentations. About a month later I pulled out the USB key and found that it had more files on it than when I gave it to the technician. It turns out the presentation computer had an autorun virus. A pretty nasty one at that…
This incident would have been completely avoidable if Microsoft had done the right thing. There is a patch to fix autorun for Windows XP and Windows Vista, but Microsoft refuses to roll it out as the critical security update that it truly is. Windows Activation, formerly Windows Genuine Advantage, is not truly a security patch, but they push it out through Microsoft Update. Fixing autorun could have prevented my thumb drive, and that of everyone else who plugged into that laptop, from becoming infected.
Pushing out the autorun fix to XP and Vista is long overdue and would probably be the single biggest thing Microsoft can do today to curb the spread of bots and other malicious software. Microsoft can make security conferences more secure. Autorun is Microsoft’s Typhoid Mary. Microsoft has the vaccine and has been far too stingy with it.
Until Microsoft gets it right, you can patch your XP or Vista machine. I provided the links at http://www.eset.com/blog/2009/08/25/now-you-can-fix-autorun.
Unless your USB device has write protection, you can’t do much to prevent it from getting infected when you put it in another computer, but you can prevent it from infecting your computer.
Director of Technical Education
Author ESET Research, ESET