Even though Vlk has noted the potential of this threat and the need for improved detection of it, I thought I would still perform the test.
While I was drifting off to sleep it occurred to me that this threat must have existed since the year dot.
Before I proceed, let me advise others reading through this … don’t do this at home.
Anyway …
- I turned off all avast protection.
- I recovered from my store a piece of malware.
- I renamed the malware to 1.ini (as requested by solcroft).
- I created the bat file to start 1.ini.
- I placed the files on a USB drive.
- I turned back on avast protection
I could have gone to the trouble to make it autorun - I did not - I will return to it in a moment.
- I started the bat file from the USB drive.
The result was that the malware file (1.ini) was opened (without any warning from avast) and, on my system, was instantly displayed as a screenful of hex characters in my favorite text editor.
After that I right-clicked on the USB drive and selected the avast scan from the context menu. avast immediately produced its warning popup window and alarm reporting the infected 1.ini file.
Why did it not perform as solcroft expected? I had to go look up the start command to find out why.
To be fair to solcroft, on most systems it probably would. On my system I have associated .ini files with my favorite text editor, since it recognizes the format of .ini files and gives me a nice color-coded display of them. However, anyone could avoid the specific .ini file issue by simply associating the .ini file with Notepad.exe. The start command simply opens up the program specified for the filetype … so, as it says in the help file …
start WORD.DOC
would open up the program associated with .DOC files. In my case, for 1.ini, it opened my text editor.
The autorun issue.
As I noted earlier in the thread this test required me to turn off avast protection in order to introduce the malware into my system. As reported above, avast’s quickscan picked up the infected 1.ini file. solcroft did specify that the USB device should be autorun. With this there would be no chance for the user to scan the device before it started executing whatever was on it. I believe that the malware filetype would have to be one that was considered innocuous by avast and not have a managing program associated with the filetype - solcroft may have done more research on other filetype exposure.
This exposure has existed since autorun came along - it could even have been done with a diskette (if the user did not bother to scan the diskette). I am a little surprised that it has not been closed yet.
This is not the first concern that has been raised with autorun and USB devices. Were I running a home system where my children were inviting friends over and sharing information on USB devices I suspect I would not permit autorun on the system.
I am glad to see the response from avast that they will be seeking a solution and I look forward to seeing it in the next release.
In the meantime, the other avast shields (the Webshield, the P2P scanner and the Internet Mail scanner) can all help prevent the malware getting into our systems in the first place, along with using quickscan.exe on all files downloaded. Still, it is best to be very wary about whose USB keychain devices you allow on your system.
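The two things the test above turns on are whether autorun is permitted and which program the start command hands a .ini file to. The following PowerShell script is an added example (not code from the original post or from avast) that audits both on a Windows machine and, with the hypothetical -DisableAutorun switch, applies the "no autorun" setting the post suggests for a shared home system; it assumes it is run as Administrator with cmd.exe available for assoc and ftype.

```powershell
# Added example (not from the original post): audit the autorun policy and
# the .ini file association, optionally disabling autorun for every drive type.
# Assumptions: run as Administrator; cmd.exe provides 'assoc' and 'ftype'.
[CmdletBinding()]
param(
    [switch]$DisableAutorun   # hypothetical switch: apply the mitigation instead of only reporting
)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$allDrives = 0xFF   # NoDriveTypeAutoRun bitmask covering every drive type: autorun off everywhere

# 1. What is the current autorun policy?
$current = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $current) {
    Write-Host "NoDriveTypeAutoRun is not set; the Windows default applies."
} elseif (($current -band $allDrives) -eq $allDrives) {
    Write-Host ("NoDriveTypeAutoRun = 0x{0:X2}: autorun disabled for all drive types." -f $current)
} else {
    Write-Host ("NoDriveTypeAutoRun = 0x{0:X2}: autorun still allowed on some drive types." -f $current)
}

# 2. Which program would 'start 1.ini' open? (assoc maps the extension to a
#    file type, ftype maps the file type to the command that runs it)
$fileType = (cmd.exe /c 'assoc .ini' 2>$null) -replace '^\.ini=', ''
if ($fileType) {
    $command = cmd.exe /c "ftype $fileType" 2>$null
    Write-Host ".ini is associated with '$fileType' -> $command"
} else {
    Write-Host ".ini has no file-type association."
}

# 3. Optionally apply the mitigation: no autorun on any drive type.
if ($DisableAutorun) {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value $allDrives -Type DWord
    Write-Host "NoDriveTypeAutoRun set to 0xFF; sign out and back in (or restart Explorer) for it to take effect."
}
```

The association check reports the machine-wide mapping; a per-user "Open with" choice, like the text editor in the test above, can override it, so check the user's setting too when the two disagree.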