When Blackberries Become Carriers
While this will be obvious to many, it still bears mentioning: Blackberries and other smartphones can be carriers for worms and viruses when USB storage is enabled.
I ran into a case earlier this week. Our HIPS software was alerting to an auto-run virus on an IT staffer’s F drive, which usually indicates a USB drive. When asked about it, he indicated the only thing he used was his Blackberry. He had a micro SD card installed and used it to move pictures and movies between computers.
Explorer in Windows wouldn’t display either the autorun.inf or the virus executable, so I plugged the Blackberry into my Mac, which showed both files. VirusTotal.com verified the executable as a virus, and we manually removed it. He’s now going through all of his computers to find out which ones have the virus.
Our primary antivirus software didn’t detect the virus at all. Luckily the supplemental AV in our HIPS software triggered on the autorun.inf and prevented execution of the virus executable. We implemented strict rules regarding auto running anything from a USB drive after Conficker. Since then, the HIPS software does its own scan of the entire USB drive before permitting access to it, including access by the primary AV software. So far this has protected us significantly, because the primary AV rarely flags the autorun.inf files, but the supplemental does.
Another win for defense in depth.
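
A check in the spirit of the autorun.inf trigger described above, as an added example that is not part of the original post and not the HIPS product's own logic: it lists the entries in an autorun.inf that would launch a program when the drive is mounted. The function name and the sample file are constructed for illustration.

```python
import re

# Keys in the [autorun] section that cause Windows to launch a program.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def autorun_launch_targets(text):
    """Return (key, command) pairs from the [autorun] section that start a program.

    Parsed line by line instead of with configparser so that junk or
    malformed lines are skipped rather than aborting the parse.
    """
    targets = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if value and (key in LAUNCH_KEYS or SHELL_COMMAND.match(key)):
            targets.append((key, value))
    return targets


# Constructed sample, not the file from the incident described above.
SAMPLE = """\
; constructed example
xQ9#junk line without meaning
[AutoRun]
Icon=folder.ico
OPEN = example.exe /quiet
shell\\open\\Command=example.exe
Label=Photos
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, command in autorun_launch_targets(SAMPLE):
        print(f"launch directive: {key} -> {command}")
```

Any non-empty result on removable media is worth a closer look at the referenced file before the drive is opened in Explorer.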
