51

Assuming that I'm using a trusted USB flash drive (meaning that it's not some device that looks like a USB drive and whose purpose is to damage my PC), is it possible for my PC to get infected from some malware picked up by the USB if I'm running an antivirus program that doesn't allow any autorun.inf files to run from the USB drive? I have two PCs, one running Windows 10 and the other running Windows 8.1.

Jorge Luque
  • 614
  • 1
  • 5
  • 10
  • 1
    Iirc, this Defcon talk is one of a few that would be of interest to this subject: https://www.youtube.com/watch?v=NTrjBl6AW0s – Kaithar Nov 26 '15 at 22:07
  • 3
    Related (maybe even duplicate?): http://security.stackexchange.com/questions/102873/how-can-usb-sticks-be-dangerous – Nzall Nov 26 '15 at 22:32
  • so you're sure that the USB device you plugged in is not registering as a keyboard and sending key inputs to your computer: http://security.stackexchange.com/a/102874/2231 – HorusKol Nov 27 '15 at 14:51

3 Answers3

57

Short answer: YES

You can be infected even with a full patched Windows system and an updated antivirus. This happened before and can happen again.

A few years ago, the Stuxnet worm was specially engineered to attack the Iranian nuclear facilities. They got hit by using infected USB drives, without autorun.inf or executing anything by hand.

Those vulnerabilities are called zero day. The attacker knows it, but the vendor and antivirus companies does not. But those vulnerabilities are very prized, and will not be used on a low-value target, because as soon as the attack is detected, it's not a zero-day anymore.

If you are not a high-value target, you usually don't have to worry about being hit by a zero-day. Usually you will get hit by an social engineering attack, and probably will step onto the trap by yourself, like opening an executable file with the icon of a pdf or a picture...

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142
  • 13
    USB sticks dropped in the car park works for low value targets, too. – Michael Hampton Nov 26 '15 at 15:26
  • @MichaelHampton But even if the USB stick dropped in the car park is picked up and plugged into the target computer, that won't be enough to compromise it. Either the target would need to have some unpatched vulnerability, or the USB stick would need to use a zero day vulnerability. – kasperd Nov 26 '15 at 15:45
  • 1
    Can you include an example of the type of zero-day that could infect a computer without any software being executed? – Mike Ounsworth Nov 26 '15 at 19:01
  • 8
    Mike: Stuxnet is an example which is listed in this answer. They used [a vulnerability with the rendering of shortcut icons](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568) to allow their payload to launch simply by viewing the drive's contents in Explorer. – mm201 Nov 26 '15 at 20:03
  • 6
    @mm201 Thanks. My point was that simply linking to something, or dropping a name does not help people who want to scan for quick information and does not really qualify as "included in the answer". The [Help Center](https://security.stackexchange.com/help/how-to-answer) is clear that you should include all relevant information so that your answer is self-contained. – Mike Ounsworth Nov 26 '15 at 21:56
  • 2
    Note: This is on the same scale of probability as your chance of being infected by opening a webpage. – user253751 Nov 27 '15 at 05:33
  • @kasperd it could also be a USB killer (if you don't know: It's the thing that can fry your motherboard in seconds). – John Dvorak Nov 27 '15 at 07:38
  • @JanDvorak Pay attention to the **bold** word in the question. – kasperd Nov 27 '15 at 08:57
  • 1
    This is exactly what I was thinking about when I read the title of this question. a good start is to read "Countdown to Zero Day" goes through the discovery of the Stuxnet and its development. One more thing to remember is only AV can detect what it knows from malicious signatures, but there is still elite undetectable arbitrary code, therefore, no AV signatures to detect. Stuxnet was one of those well-written code. – amrx Nov 29 '15 at 01:42
34

Yes,

  1. BadUSB turns benign (USB) devices into malicious monsters by reprogramming the controller chips. This is on a much lower level than the 'autorun' feature that you are talking about.
  2. USB Rubber Ducky is another, comparable threat.
  3. Like ThoriumBR said, any host machine can be exploited by some unknown zero-day vulnerability.

There are not many practical ways to protect against this [BadUSB] type of attack. Most of them heavily impact user-friendliness:

  • Blacklist USB devices
  • Prevent automatic installation of USB devices
  • Disable inactive USB ports
Michael
  • 5,393
  • 2
  • 32
  • 57
  • Surely there exist hosts with sufficient protection. I doubt one can directly row hammer a nuclear warhead to explode, for example. – Cees Timmerman Nov 26 '15 at 13:54
  • 1
    BadUSB can affect almost any USB flash drive, correct? But isn't Rubber Ducky a device that just _looks_ like a USB flash drive? (meaning that it couldn't infect what I'd consider a trusted USB flash drive in the question description above) – Jorge Luque Nov 26 '15 at 14:19
  • 1
    @JorgeLuque, Rubber Ducky is actually a keyboard, that looks like a USB. BadUSB is indeed worse, as any USB can be a BadUSB. – Michael Nov 26 '15 at 14:33
  • 1
    Does running Linux help against these issues in any way? – Gui Imamura Nov 27 '15 at 15:22
  • @GuiImamura short answer: yes. There is no reason to believe that any particular operating system is immune to these kinds of attacks. – Clearer Nov 27 '15 at 20:53
  • 1
    @Clearer Your short answer is "yes", but your long answer sounded like it was "no". Anyway do these malwares always target a specific OS, or can some of them infect any machine regardless of its OS? – Gui Imamura Nov 27 '15 at 23:31
  • @Michael: Not every device can be a "BadUSB", only devices that have in-band programming, which many devices do not, plus, even reprogramming the controller might not do you much good, as many controllers are basically glorified USARTS. – whatsisname Nov 28 '15 at 05:16
  • 1
    @GuiImamura My long answer should sound like a "no". Any particular USB device may target any particular system, whether that is based on Linux, Windows, Mac OS or any other operating system. It's all a matter of identifying some weakness and exploiting it. The short answer should have been a "no". My mistake. – Clearer Nov 29 '15 at 09:40
-11

As long as you don't manually find and run the infected file you should be okay, provided your antivirus does it's job.

As another answer mentions, it is fully possible, but very unlikely in your case, nothing more you can do as you are already taking the precautions for this particular threat.

rferguson
  • 3
  • 3
  • 6
    Not true. Many pieces of malware can circumvent antivirus solutions, and antivirus software will not detect 0-days. There is also _something more_ you can do - not plug in a flash drive at all or testing it on another machine first. See [BadUSB](https://srlabs.de/badusb/) for some examples. – WillS Nov 28 '15 at 06:05