Panda Security has released a sobering, if not downright frightening, study that suggests a quarter of new worms reach computers through USB devices such as cell phones, external hard drives, DVDs, flash memory and MP3 players, according to the eWEEK story on the report.
This is both a mobility and security story. Many, though not all, of the devices through which the malware is traveling are closely associated with consumer and corporate mobility. The survey was huge: It drew responses from 10,470 small- and medium-size businesses (SMBs) in 20 countries. Forty-eight percent of respondents said they had been infected during the past year, and 27 percent of those got the bug through a USB-connected device.
It is an insidious problem. The viruses often are self-executing and invisible to the owner of the infected device. Panda says that e-mail still is the leading malware-delivery method, but the USB approach is growing. The story provides more details, and mentions "USB Vaccine," a free preventative.
The seriousness of unprotected USB-connected devices couldn't conceivably be driven home any more clearly than by this DailyTech story detailing how an infected flash drive plugged into a laptop in the Middle East two years ago created what the story, which is based on a post in the journal Foreign Affairs, called "the most dangerous cyber attack in U.S. history." The infection gave foreign governments access to both classified and unclassified U.S. systems. Russia is suspected of being behind the initiative.
This is a frightening world. This post at Brickhouse Security describes how easily travelers, or anyone else who uses such devices, can get themselves into trouble:
The way that this malware works is that once installed on a computer, the virus or malware will immediately infects [sic] anything inserted into the computer. That means when you insert a USB drive into an infected computer, the viruses will automatically go onto the USB drive, and later, when inserted into a different computer, it will infect it as well. This is exactly how this type of malware spreads. They don't call it a virus for nothing.
Early last month, Network Security Edge's Sue Marquette Poremba and interview subject Mark Lobel, who is a principal at PricewaterhouseCoopers and an ISACA white paper project development team member, created a nice overview of mobile security threats. It's a big landscape, to be sure, and USB devices weren't mentioned by name. But they certainly fit the second point, which was that "mobile device security is usually neglected."
The Panda survey validates this point, and the experience in the Middle East drives home how dangerous this can be.