The Null Device

Hey, free flash drive!

Computer criminals have found a new way of distributing bank-account-stealing trojans: by scattering USB flash drives in car parks. Some percentage of the population (perhaps the same that opens email attachments) would pick up these shiny flash disks, take them home and insert them into their Windows PCs, not having disabled autorunning beforehand.

Sooner or later, the default Windows configuration will refuse to autorun content on a strange flash drive, and this won't work. Unless, of course, the criminals have special USB units manufactured containing an active processor which uses DMA to probe and interfere with the host PC's memory. They could possibly use the same facilities they use to make fake ATM front panels to manufacture them. The units could even contain an empty, perfectly innocent flash drive to deflect suspicion; after all, there's no limit to how many devices something on the end of a USB connector can appear to be.
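An added example, not part of the original post: the point that one plug can appear as several devices is visible in the USB configuration descriptor, which lists every interface the device offers and its class. The Python sketch below walks a raw descriptor and reports what a device claims to be besides mass storage; the function names and both sample descriptors are constructed for illustration.

```python
import struct

# USB-IF base class codes as they appear in bInterfaceClass
CLASS_NAMES = {0x02: "communications", 0x03: "HID", 0x08: "mass storage",
               0x0A: "CDC data", 0xE0: "wireless controller", 0xFF: "vendor specific"}
MASS_STORAGE = 0x08

# Constructed sample descriptors (not captured from real hardware).
# Storage interface + 2 bulk endpoints; HID interface + HID descriptor + 1 endpoint.
_STORAGE = bytes([9, 4, 0, 0, 2, 0x08, 0x06, 0x50, 0,
                  7, 5, 0x81, 2, 0, 2, 0,  7, 5, 0x02, 2, 0, 2, 0])
_HID = bytes([9, 4, 1, 0, 1, 0x03, 0x01, 0x01, 0,
              9, 0x21, 0x11, 0x01, 0, 1, 0x22, 0x3F, 0,  7, 5, 0x83, 3, 8, 0, 10])
PLAIN_DRIVE = bytes([9, 2, 32, 0, 1, 1, 0, 0x80, 50]) + _STORAGE
COMPOSITE = bytes([9, 2, 57, 0, 2, 1, 0, 0x80, 50]) + _STORAGE + _HID

def interface_classes(blob):
    """Walk a raw configuration descriptor; return [(interface number, class)]."""
    if len(blob) < 9 or blob[1] != 0x02:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]   # wTotalLength, little-endian
    if total > len(blob):
        raise ValueError("wTotalLength exceeds captured data")
    found, pos = [], 0
    while pos + 2 <= total:
        length, dtype = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > total:
            raise ValueError(f"malformed descriptor at offset {pos}")
        # Type 0x04 is an interface descriptor; count alternate setting 0 only
        if dtype == 0x04 and length >= 9 and blob[pos + 3] == 0:
            found.append((blob[pos + 2], blob[pos + 5]))
        pos += length
    return found

def extra_functions(blob):
    """Non-storage interface classes on a device that also offers storage."""
    classes = [c for _, c in interface_classes(blob)]
    if MASS_STORAGE not in classes:
        return []
    return sorted({CLASS_NAMES.get(c, f"class 0x{c:02x}")
                   for c in classes if c != MASS_STORAGE})

if __name__ == "__main__":
    for name, blob in (("plain drive", PLAIN_DRIVE), ("composite", COMPOSITE)):
        print(name, interface_classes(blob), extra_functions(blob))
```

Descriptors are self-reported, so this shows only what a device declares at enumeration, not what its firmware can do.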

There are 2 comments on "Hey, free flash drive!":

Posted by: toby Wed Apr 25 23:39:06 2007

Or a buffer overflow exploit hidden in any number of file types. Porn, music, and Excel spreadsheets; I'm sure most people would check what's there first.

It's a relatively expensive approach. I'm surprised that it has any appeal. I guess if you steal the flash drives...

Posted by: acb http://dev.null.org/acb/ Thu Apr 26 09:11:25 2007

Flash drives are cheap. And I'm sure the Russian Mafia or whoever have access to chip fabbing plants and such they could use to knock out thousands of units containing a microcontroller and a quantity of Flash (some of which looks like a drive). And the design wouldn't be hard; the basic components (microcontroller cores, USB stacks and so on) are well known.
