Five tips for avoiding removable media malware

With the growth of widespread network-delivered malware infections, we tend to forget that sometimes the old methods are still effective. Find out what you can do to protect yourself from the hands-on threat of removable media malware.

In the 1990s, people who used computers on a regular basis were much more cognizant of the potential danger of viruses that could move from computer to computer via removable media like floppy disks. But as this Washington Post article amply demonstrates, the threat has not gone away just because it is often easier to infect computers over the network instead. In fact, if your organization is well protected from network threats, a determined attacker may take advantage of the relatively low level of protection used for other means of infection -- like removable media.

Even for those of us who aren't likely targets of such attacks, the development of malware that uses removable media as an infection vector may catch us in the crossfire. Here are some steps you can take to reduce your vulnerability to malware that infects Windows computers via USB flash media and other removable media.

Note: These tips are based on an entry in our IT Security blog.

1: Disable AutoRun

The most common mechanism used to infect removable media and, through that media, to infect computers is Windows AutoRun. This is distinct from AutoPlay, which automatically starts your media player and begins playing audio or video media from, for instance, a CD or DVD. AutoRun does things like start installers when installation media is attached to the system, for example through the CD-ROM tray or a USB port. These things can be run manually from Windows Explorer -- and if the malware on the media needs to be run manually too, you will be much less likely to get your computer infected.

2: Implement restrictive removable media policy

The most foolproof way to protect yourself against malware that infects computers via removable storage media is to disallow all removable media usage. If no removable media can be used with your computers, no infected removable media will be used with your computers. Because this is not always an option, there are other alternatives, including limiting removable media to specific items that have been checked and approved and disallowing their use anywhere else where they might pick up infections to bring back to the network.

3: Check all removable media on a secured system before use

A computer that is set up to safely check media for malware that could affect the rest of the systems you want to protect can help ensure the safety of your IT resources. Set up such a system with all AutoRun capabilities deactivated, and preferably choose one that is not even subject to infection by the same malware that could affect the systems you want to protect. UNIX-like OSes, such as BSD UNIX and Linux-based systems, serve well in this capacity when protecting a Windows network.

Keep the system segregated from any network resources so it can't transmit any malware on tested media across the network. Make sure there's no unnecessary software running on it so there will be less opportunity for it to get infected as well. It is best to boot from read-only media or to reimage the boot drive between uses. Run malware scans on the media and check out its contents -- including the autorun.inf file -- while it is connected to the secured system. Combined with a restrictive removable media policy, an effective level of protection can be achieved.
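One way to do the autorun.inf part of that check on the inspection machine, as an added example that is not from the original article: a Python script that lists the programs an autorun.inf file would ask Windows to launch. The function names, the sample file contents and the mount point argument are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# [autorun] keys that name a program Windows would be asked to launch.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample, for illustration only.
SAMPLE = """; constructed sample
[AutoRun]
open=setup.exe /quiet
icon=setup.exe,0
shell\\scan\\command=tools\\helper.exe
[Other]
open=ignored.exe
"""

def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lowercased."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries

def launch_commands(entries):
    """Keep only the entries that would start a program."""
    return [(k, v) for k, v in entries if k in LAUNCH_KEYS or SHELL_VERB.match(k)]

def inspect_media(mount_point):
    """Report launch commands from any autorun.inf (any case) at the media root."""
    findings = []
    for path in Path(mount_point).iterdir():
        if path.is_file() and path.name.lower() == "autorun.inf":
            data = path.read_bytes()
            has_bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
            text = data.decode("utf-16" if has_bom else "latin-1")
            findings += [(path.name, k, v) for k, v in launch_commands(parse_autorun(text))]
    return findings

if __name__ == "__main__":
    # Usage: python3 check_autorun.py /path/to/mounted/media
    for name, key, value in inspect_media(sys.argv[1]):
        print(f"{name}: {key} -> {value}")
```

An empty result only means autorun.inf names no program to launch; the malware scan of the rest of the media is still needed.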

4: Choose to ban all removable media

Depending on how far you want to go, you could simply disconnect the data cables for various removable media reading devices and lock the case so they can't be reconnected without a key. You could also remove the devices entirely (and still lock the case) or even semi-permanently plug or destroy the interface used to plug in external devices, such as by filling sockets with epoxy or clipping the pins on a motherboard where the cable for a system case USB port is attached.

5: Implement the basics

Of course, educating your users and ensuring that you have anti-malware scanning running on the systems you want to protect are among the most important steps you can take, and they can easily mean the difference between being safe and merely thinking you are safe.
