Digital gifts that keep on giving

Care should be taken when plugging holiday gift gadgets into your personal computer and laptop, said security researchers at Sans.org, Microsoft, and Kaspersky in recent blog posts. Reports of strange files being found on USB storage devices increased over the holiday season. Reporting Monday on the SANS' Internet Storm Center blog, director Marcus Sachs said, "In years past this would have been limited to iPods and USB memory sticks, but now it includes digital photo frames, GPS devices, external hard drives, and of course digital cameras."

The unofficial Sans.org investigation started on Christmas after researcher David Goldsmith received an ADS Digital Photo Frame - 8". He soon discovered that the built-in 128MB of storage included file cfhskjn.exe. When he tried running the mystery file, he received several error messages.

Others have noticed odd behavior with storage devices as well. Kaspersky antivirus reports purchasing a Kensington memory card in Napal which contained Worm.VBS.Small.n, a computer worm. A second Kaspersky blog mentions Victory LT-200, an MP3 player that includes (at no extra charge) the malware Worm.Win32.Fujack.aa.

Coincidentally, the January 2008 issue of Microsoft TechNet magazine includes a report on "island hopping", the act of using USB storage devices to infect personal computers. The author of the article, Jesper M. Johansson, said many USB controllers are Direct Memory Access (DMA) devices that bypass the operating system and directly read and write memory on the computer. "Bypass the OS and you bypass the security controls it provides--now you have complete and unfettered access to the hardware. This renders device control implemented by the OS completely ineffective. I am unaware of any hacking tools that currently use this technique, but I very much doubt that this has not already been done."

Kaspersky said most removable media exploits in the wild use the Windows autorun functionality. Kaspersky said the autorun vector is not perfect. In Windows XP SP2 the autorun.inf feature is disabled and the user is asked whether or not to run the file. A similar process occurs within Windows Vista. In both cases, however, researchers note that the user can still infect themselves by selecting Run setup.exe.