AVAST Software warns USB devices are now responsible for one out of every eight malware attacks.
PRAGUE, Czech Republic, November 3, 2010 – AVAST Software, developer of the award-winning
avast! antivirus program, is detecting a growing number of malware attacks targeting the AutoRun
function in Windows and plug-in USB devices. Researchers found that, of the 700,000 recorded
attacks on computers in the avast! CommunityIQ system during the last week in October, one out of
every eight attacks – or 13.5% – came via USB devices.
The key attack point for malware is the „AutoRun‟ feature in Microsoft Windows operating systems
(OS). AutoRun alerts computer users when a new device such as a memory stick is connected and is
designed to help them choose what application should run with the new files.
“AutoRun is a really useful tool, but it is also a way to spread more than two-thirds of current malware.
The threat of USB-distributed malware is much more widespread than just the Stuxnet attacks on
enterprise computers – which were also spread via infected memory sticks,” said Virus Lab analyst
Jan Sirmer. “Cyber-criminals are taking advantage of people‟s natural inclination to share with their
friends and the growing memory capacity of USB devices. Put these two factors together and we have
an interesting scenario.”
This feature is misused when a USB device infected by “INF:AutoRun-gen2 [Wrm]”, avast!‟s generic
detection term for this type of malware worm, is connected to a computer. The infected device – most
commonly a memory stick, but potentially any device with a mass-storage capacity such as a PSP,
digital camera, some cellular phones, and mp3 players – starts an executable file which then invites a
wide array of malware into the computer. The incoming malware copies itself into the core of the
Windows OS and can replicate itself each time the computer is started.
Out of the total AutoRun-gen2 attacks, 84% of the attempts were repelled by the on-access scans in
the avast! System Shield. The malware was detected at the time when the USB device was initially
connected. The remaining 16% were discovered during scans of the computer hard-drives.
CommunityIQ is a select group of avast! users that automatically send data on the malware they
encounter to the Virus Lab. As a cross-section of avast!‟s global user pool of over 130 million, the
CommunityIQ represents a statistically significant sample of current malware dangers. The submitted
data is then analyzed and incorporated into avast! protective shields and the virus database sent to all
The low cost of USB memory sticks makes it easy for friends and work colleagues to exchange large
media files and creates a convenient target for cyber criminals. “In a work environment, staff will often
bring in their own USB memory sticks to move files around,” Mr. Sirmer comments. “This can bypass
gateway malware scanners and leave the responsibility for stopping malware just on the local
machines‟ antivirus software.”
Detecting AutoRun-gen2 is complicated by the growing memory of USB devices and more complex
obfuscation techniques. “A full scan can take up to an hour for a one terabyte device, so people will
skip this entirely or just go for a quicker on-access scan,” said Mr. Sirmer. This danger is poised to
increase with the introduction of the new USB 3 standard. In parallel with these technological
improvements, the writers of AutoRun malware are developing new code and ways how to obfuscate
their work. “Once I found „y0u c4nt st0p us‟ in the middle of some code,” quipped Mr. Sirmer. “They
know they are in the lead.”
USB safety pointers
1. Be aware. Around 60% of malware can now be spread via USB devices. This is an under-
appreciated threat to home and business computers.
2. Don’t start attached. Turning on a PC with a USB device attached can result in malware
being loaded directly to the computer ahead of some antivirus programs starting up.
3. Scan first, look second. Make sure “on-access auto-scans” are enabled in in your antivirus