back to article Chemical giant foils infected USB stick espionage bid

An attempt to infiltrate the corporate systems of Dutch chemical giant DSM by leaving malware-riddled USB sticks in the corporation's car park has failed. Instead of plugging the discarded drives into a workstation, which would have infected the machine, the worker who first found one of the devices handed it in to DSM's IT …


This topic is closed for new posts.
  1. mark 63 Silver badge

    I thought microsoft had switched off that autorun business.

    I noticed a friends machine was still doing it the other day - so maybe its not retroactive, just new OS's

    why not?

    or would the marks in the car park have then had to click on "big tits.jpg.exe" ?

    1. Comments are attributed to your handle

      Either way, there are exploits that work without using Autoruns. For example, the exploit involving Windows displaying maliciously-crafted icons.

      1. Andy Fletcher


        No-one ever seems to understand why I switch that "feature" off.

    2. Test Man

      They had switched off the listing of an AutoRun entry in the AutoPlay dialog for USB sticks and other similar media. However, optical discs (CDs, DVDs, Blu-rays, etc.) are not affected. Therefore, any USB sticks that are specifically developed to identify themselves as optical media won't be affected either.

      1. Paul Crawford Silver badge

        This is why I disable autorun on all possible media!

        Autorun was a dumb idea - if you know so little about computers to be able to find and run a setup.exe file on some new software, you have no bloody business running arbitrary software in the first place! Learn, or get a knowledgeable person to help you (paid if necessary).

      2. Tom 13

        In addition to different media types and depending on the age of the system

        a USB stick might be registered in autoplay because it was inserted into the system before the patch was applied and a user set one of the choices as the default for that USB stick.

    3. Anonymous Coward
      Anonymous Coward

      We live in a scary world.

    4. Beaver6813


      Increasingly the method used by USB sticks is unpatched/unknown buffer overflows in the USB drivers (so turning off Autorun does nothing for these specific attacks). Because of the privleages given to these drivers they can easily escalate themselves to admin level and install in the background.

      1. Anonymous Coward
        Anonymous Coward

        Re: Overflows

        That is believable, as when developing a USB device many years ago and using the Windows XP's own USB stack, I was able not only to blue screen the machine, but also to corrupt the MBR!

        Should have kept the USB micro-controller software, could have been more profitable than what I got working!

  2. Crisp

    Free USB sticks?

    Thank you very much hackers :D

    1. Will Godfrey Silver badge

      Re: Free USB sticks?

      Very much my thought too. Just a quick reformat to ext2 without even looking at it, sounds a good plan to me.

      1. Jordan Davenport

        Re: Free USB sticks?

        Choice of filesystems aside, that was my first thought as well, but then I had second thoughts. The malware could be crafted into the firmware of the flash drives themselves rather than written to a partition, potentially affecting any OS. While that may be a much more sophisticated attack and therefore less likely, it's still a possibility, and I wouldn't recommend using the flash drive without at least rewriting a new firmware, if even possible.

        1. Comments are attributed to your handle
          Thumb Up

          Re: Free USB sticks?

          Yup. It would be so simple for someone to craft a keyboard emulating device hidden in a flashdrive. I remember about a year ago there was a story on the Reg about doing this, but hidden in a mouse instead.

          1. Crazy Operations Guy

            Re: Free USB sticks? - keyboard emulating device

            CommVault did this to attendees at VMWorld 2011. They handed out these devices that look exactly like standard thumb drives but were keyboards that sent the 'internet' special key and using accessibility functions, would type their URL into the address bar and hit enter.

            I will never trust those wankers *ever* for pulling that kind of shit.

            Just change the URL burned into the device and you have an instant infection vector.

  3. AOD
    Thumb Up

    More of this sort of thing...

    What a refreshing change to hear about users that aren't clueless numpties and a switched on IT department.

    1. Fibbles

      Re: More of this sort of thing...

      It probably happens a lot more often than we realise but "Security Threat Appears. Everyone Does Their Jobs Adequately. Nothing Goes Titsup." doesn't really make for a good headline.

    2. Charles Manning

      Good realtions between IT and others

      You won't get good results where the IT people call the users clueless numpties and the users think of the IT department as arrogant draconian wankers. Instead, the user will pick up the USB stick and just use it.

      The first step to good security is to make sure that everyone sees that they are on the same side trying to reach the same goals.

      Being polite helps security.

  4. Anonymous Coward
    Anonymous Coward

    A More Effective Form of Temptation...

    ... would be a specially-crafted, malware-ridden DVD in a protective sleeve, rubber-glued between the pages of a legitimate porn publication, left to be found in the carpark. Use a Lightscribe DVD to make it look professional. Somewhere on the DVD it should say, "Double-click 'gallery.exe' to display photos."

    1. Lockwood

      Re: A More Effective Form of Temptation...

      It took me a moment to realise that the glue was to make it look like it was included with the publication.

      My first thought was "Eiww!"

    2. Anonymous Coward
      Anonymous Coward

      Re: A More Effective Form of Temptation...

      A disc with "xxx home movies" written on it might do the trick too.

  5. JimmyPage Silver badge

    Straw poll ?

    How many readers here can honestly say their IT departments would have caught this.

    I know ours would (no default access on any machine to the USB port. Plus software to only allow company encrypted sticks to be used where needed).

    1. Anonymous Coward
      Anonymous Coward

      Re: Straw poll ?

      Certainly not our lot. When I first arrived, they delivered me a freshly imaged PC and then customised it using files from a USB stick.... Of course, all of the PC guys' USB sticks were infected with a fairly new trojan, not detected by the corporate AV product. I discovered it because the trojan was trying to connect somewhere in Brazil but luckily, using a protocol not allowed through our firewall.

      1. Anonymous Coward
        Anonymous Coward

        Re: Straw poll ? - Real-World Tech Use of USB Sticks

        Back in the days of floppy diskettes, a tech infected 27 computers of a state agency because he failed to engage the write protect switch on his tech floppy.

        USB sticks now lack a write protect switch because the manufacturers make more profit when they omit the switch.

        My response is to use full-sized SDMMC cards, which, so far, still include a write-protect ("lock") switch, housed inside gizmos which convert them to USB use.

        Caveats: (1) Many SDMMC/USB converters ignore the lock switch setting! You have to test your converter before using it. (2) The converters' contacts become flakey after a few months. You see this when you attempt to boot from your multi-purpose, multi-boot SDMMC, and discover the BIOS sometimes does not recognize your storage device.

        1. Tom 13

          Re: Straw poll ? - Real-World Tech Use of USB Sticks

          Way, way back in the day I worked at a facility where one of the variants of the Stoned virus was a known and accepted risk. It was an mbr variant that infected floppies and hard drives. The admins couldn't ever get everyone to bring in all of their floppies for him to scan, so even if he dedicated an entire weekend to cleaning the hard drives on the PCs and scanning all the floppies in the building, within a few weeks an infected floppy would reappear from home and re-infect the network. He did eventually manage to get a line item added to the budget for a TSR program that he could run from the login script, but it was about a year after I started working there. And it was a known problem when I started.

          I remember it because as a power user, I was trained to scan all floppies I received immediately upon inserting them in my system. Back in those days, if you were the DTP guy, it wasn't unusual to think your system was Stoned even without the virus on your system.

  6. Phil Edwards

    @AC: "Use a Lightscribe DVD to make it look professional"

    You've clearly never looked too closely at the 'print' quality of a Lightscribed disc recently...

  7. Anonymous Coward
    Anonymous Coward

    Home workers..?

    Hmmm. If I was the IT there, I would be worried about the other pen drives that didn't get handed in and got taken home instead, priming home worker's machines to capture the password to the VPN. Just sayin'.

    1. JimmyPage Silver badge

      Re: Home workers..?

      I wouldn't. But then we use Citrix with an RSA key.

  8. Tom_

    missed opportunity

    It would have been neat to set up some new user accounts and carefully let the malware run on them, so it sent out passwords to those accounts only. Then they could have watched for people trying to log into those accounts and maybe learned more about who was trying to hack them.

  9. Anonymous Coward
    Anonymous Coward

    Quarantine in the security gatehouse.

    A nearby nuclear power station used to have a stand-alone PC in the security gatehouse for the purpose of checking floppy disks for viruses. No disks were to bought on site without checking them.

    They also had a 'No cameras' rule, but that was eventually abandoned after everyone started using camera phones... that, and by them there was little of interest to bogeymen/terrorists on site.

    1. Charles 9

      Re: Quarantine in the security gatehouse.

      I'm surprised they didin't foil camera phones by scattering infrared LEDs at key points around the site. IR emitters are typically invisible to us but quite visible to camera phones.

  10. Don Jefe

    God Love the Dutch

    How many US or UK workers would have turned this into their IT dept before taking a peek? Not many I would guess. We are so used to govt secrets being left on the train or just 'lost' we're almost required to have a quick look. Worst case it's a bunch of spreadsheets, best case it is pics of the missus...

    My money says the person who found it had a quick look too.

  11. Esskay


    5 USB sticks - $50

    Asking Fred the cleaner to scatter them in the car park after hours - $5

    Giving Dave from marketing a fiver if he can find one and hand it in - $5

    Getting a massive raise & promotion for publicly saving your company from a "cyber-terrorist" - priceless...

    Seriously though, good job by the IT crew for figuring it out - and for the staff member whose first thought was "IT should see this" instead of "free USB stick LOL"

  12. nuked


    Given how much big pharm companies spend on espionage this 'attack' sounds a little primitive for a competitor or any other well-funded organisation.

    Just saying.

  13. Anonymous Coward
    Anonymous Coward

    Whatever you do ...

    Whatever you do ... don't ever mention Windows and malware in the same sentence ...

This topic is closed for new posts.

Other stories you might like