USB Mass Storage Device Viruses from Africa

Though the title makes USB viruses sound very exotic, I have found that they are in fact more common in Africa than elsewhere. Ask yourself: how often have you connected a USB pen drive to a friend’s computer and come back home with a nasty virus inside? I’d gather internet café machines and other shared resources (conference room machines) are good hot spots for these pesky little things, but I have never, not once had this problem myself! You wouldn’t think an entire continent would suffer any more than everywhere else.

This is however the case. Working closely with researchers all over the world, I have yet to see as many USB virus infections as I do on the machines that are working in or coming back from Africa. This applies to countries as varied as Congo and Sierra Leone to the "western" regions near South Africa. But then consider this fact: There is no wide-spanning internet access in Africa yet.

[autorun]
open=FeastIvalFeast.exe

;wenta mal ahlak yabnel mekaka lol ma2sodaksh enta ya
zaky yalla kol sana wenta tayebjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj.
action=Open folder to view files
shell\open=Open
shell\open\command=FeastIvalFeast.exe
shell\open\default=1

The viruses are as simple as an .exe (usually disguised with a double extension such as .pdf.exe) that an Autorun.inf file points to; see the sample above, gathered from the field. Once launched, the .exe copies itself and its backdoors across the system and onto any USB device connected afterwards. I’d be thankful for any interpretation of the comment, though I’m not sure what language it is.

The infection relies on the way Microsoft Windows handles USB mass storage devices, which, like every other "feature", has a name: AutoRun (or AutoPlay). To properly disable AutoRun in Windows XP you must run gpedit.msc and turn off AutoPlay for removable drives (the same policy can be applied to CDs and other media as well). This does not take effect on machines in an AD domain unless the domain policy says so, making it a real treat for virus writers. There are registry hacks (below, from TechRepublic) to turn off AutoRun, but they are less than solid:

  1. Navigate through the Registry Editor to HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  2. Create a DWORD named NoDriveTypeAutoRun
  3. Set the value to 000000FF
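To make the two mechanisms above concrete, here is an added example (not code from the post or from TechRepublic) of a small triage script a defender might run over a captured Autorun.inf and over the NoDriveTypeAutoRun value read from the registry. It parses the [autorun] section the way Windows reads it (case-insensitive keys, ";" comments), lists every value that would be executed (open=, shellexecute=, and any shell\<verb>\command=), flags executables and the .pdf.exe double-extension trick, and decodes the DWORD to confirm that the removable-drive bit (0x04) is actually set. The sample file is a constructed copy of the field sample with the backslashes the INF syntax uses; the drive-type bit layout is the documented one for NoDriveTypeAutoRun. Function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the field sample from the post (backslashes restored).
SAMPLE_AUTORUN_INF = """[autorun]
open=FeastIvalFeast.exe

;wenta mal ahlak yabnel mekaka lol ma2sodaksh enta ya
zaky yalla kol sana wenta tayebjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj.
action=Open folder to view files
shell\\open=Open
shell\\open\\command=FeastIvalFeast.exe
shell\\open\\default=1
"""

# Extensions Windows will execute directly when named in an autorun value.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

# Keys whose value names something to run: open=, shellexecute=, shell\<verb>\command=
EXEC_KEY = re.compile(r"open|shellexecute|shell\\[^\\]+\\command")


def parse_autorun_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: [sections], key=value pairs, ';' comment lines.
    Section and key names are lower-cased because Windows matches them
    case-insensitively; lines without '=' (like a wrapped comment) are ignored."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def executables_referenced(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (key, target) pairs for every [autorun] value Windows would launch."""
    found = []
    for key, value in sections.get("autorun", {}).items():
        if EXEC_KEY.fullmatch(key):
            target = value.split()[0] if value.strip() else ""  # drop arguments
            found.append((key, target))
    return found


def suspicious_name(target: str) -> List[str]:
    """Heuristics on the launched file name: executable type, double extension."""
    name = target.rsplit("\\", 1)[-1].lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("autorun would launch an executable (%s)" % ext)
        if len(parts) >= 3:  # e.g. report.pdf.exe
            reasons.append("double extension hides the executable type")
    return reasons


def triage_autorun(text: str):
    """Verdict for one Autorun.inf plus the findings that justify it."""
    findings = []
    for key, target in executables_referenced(parse_autorun_inf(text)):
        reasons = suspicious_name(target)
        if reasons:
            findings.append({"key": key, "target": target, "reasons": reasons})
    return ("suspicious" if findings else "benign"), findings


# One bit per Windows drive type in the NoDriveTypeAutoRun DWORD.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no root directory", 0x04: "removable (USB, floppy)",
    0x08: "fixed", 0x10: "network", 0x20: "CD-ROM / DVD", 0x40: "RAM disk",
    0x80: "unrecognised type",
}


def autorun_disabled_for(value: int) -> List[str]:
    """Drive types for which AutoRun is disabled by this policy value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]


def covers_removable(value: int) -> bool:
    """True when the value disables AutoRun on removable drives (the USB case)."""
    return bool(value & 0x04)


if __name__ == "__main__":
    print(triage_autorun(SAMPLE_AUTORUN_INF))
    print(autorun_disabled_for(0xFF), covers_removable(0xFF))
```

The 0xFF value from the TechRepublic steps sets every bit, which is why it is the usual recommendation; a value read back from a machine that lacks the 0x04 bit still leaves USB drives auto-running even if CDs are covered.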

My point in writing this, however, is more about the realization that the Jurassic Park meme "Life finds a way" also applies to computer viruses. This kind of virus is no more sophisticated than the old 3.5" floppy viruses we had as kids, but that was years ago, well before everyone had internet, when the preferred way of sharing information was the sneakernet. Now, if you could track these simple viruses, which could be a simple crowdsourcing task, you’d see the immense work of a long-lived human chain across the African continent, sometimes stretching as far as Oslo, Norway; and you gotta wonder what could be done if they carried something more useful than viruses with them. USB pen drives are to inter-state Africa what the internet is to our world.

And a warning to the worried: USB viruses will only advance as they move to devices that run unscrutinized as Human Interface Devices (see irongeek.com), that is, as keyboards, mice and other peripherals, as opposed to mass storage devices, which can be blocked.

3 thoughts on “USB Mass Storage Device Viruses from Africa”

  1. You asked:

    “Ask yourself: how often have you connected a USB pen drive to a friend’s computer and come back home with a nasty virus inside? “

    And my answer is:

    ALL THE FUCKING TIME!!!!

    Sorry for yelling. This is very annoying. I don’t get your advice on stopping Autorun: would that stop USB viruses?

    In any case, I am more concerned about the Internet viruses. In any case, I never thought they were more frequent in Africa than elsewhere… For some reason, I thought they were “most popular” in the USA and Russia. :D

  2. Wow.. Didn’t know it was that common in Europe as well.

    The problem is that Microsoft sees it as a "feature" to allow Autorun to run software applications as native applications, which just as easily could be a virus installing itself to the hard disk drive. This is considered malpractice.

    These simple hacks only work in Windows operating systems, but potentially ANY system STUPID ENOUGH to allow auto-running potentially malicious binaries (with elevated rights) is vulnerable.

    Yes, Mira. Run gpedit.msc or do the registry hack. It provides at least some level of protection, allowing you to SCAN the USB drive before opening any of its content.
