USB Armageddon Unleashed

In case you missed it, a USB exploit called BadUSB was announced at Black Hat this year. It unveils a method of rewriting the firmware of a USB device in such a way as to create undetectable malware capable of anything on Windows machines, Macs and Linux devices, and you don’t have any tools to stop it. (See: Wired: Why the Security of USB is Fundamentally Broken.)

This exploit goes beyond the simple autorun mechanism for removable drives or the icon search that Windows Explorer performs on files; it lies in the code which computers run to INSTALL the device when it is inserted, coupled with the lack of any digital signature on that code. We’re talking about the kind of access which can alter files, intercept network communications, perform ANY task which a keyboard can perform (which you have to admit is pretty much any task), even alter a computer’s BIOS code. Deleting or formatting a stick will have no effect on the malware, and it cannot be detected by antivirus or malware scanners.
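Scanners cannot read the firmware, but the host does see which roles a device declares when it is installed. The sketch below is an added example, not code from the researchers or from Wired: it walks a Linux sysfs-style USB tree and flags storage devices that also declare a keyboard-class (HID) or network interface. The sample tree and the function names are constructed for illustration, and a device that declares only a keyboard, or a legitimate composite device, is beyond what this check can judge.

```python
import os
import tempfile

# USB-IF base class codes as sysfs prints them in bInterfaceClass (two hex digits).
HID = "03"            # keyboards, mice
MASS_STORAGE = "08"   # flash drives
NETWORK = {"02", "0a", "e0"}  # CDC control, CDC data, wireless controller

def interface_classes(dev_dir):
    """Collect the bInterfaceClass of every interface directory under a device."""
    found = set()
    for entry in os.listdir(dev_dir):
        path = os.path.join(dev_dir, entry, "bInterfaceClass")
        if os.path.isfile(path):
            with open(path) as fh:
                found.add(fh.read().strip().lower())
    return found

def audit(root="/sys/bus/usb/devices"):
    """Map device name -> reasons, for storage devices declaring extra roles."""
    findings = {}
    for name in sorted(os.listdir(root)):
        dev = os.path.join(root, name)
        if ":" in name or not os.path.isdir(dev):  # "1-2:1.0" is an interface
            continue
        classes = interface_classes(dev)
        reasons = []
        if MASS_STORAGE in classes and HID in classes:
            reasons.append("storage device also declares a HID interface")
        if MASS_STORAGE in classes and classes & NETWORK:
            reasons.append("storage device also declares a network interface")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample_tree():
    """Constructed sysfs-like tree: 1-1 is a plain stick, 1-2 adds a HID interface."""
    root = tempfile.mkdtemp()
    layout = {"1-1": {"1-1:1.0": "08"}, "1-2": {"1-2:1.0": "08", "1-2:1.1": "03"}}
    for dev, interfaces in layout.items():
        for iface, cls in interfaces.items():
            os.makedirs(os.path.join(root, dev, iface))
            with open(os.path.join(root, dev, iface, "bInterfaceClass"), "w") as fh:
                fh.write(cls + "\n")
    return root

if __name__ == "__main__":
    for device, why in audit(build_sample_tree()).items():
        print(device, "->", "; ".join(why))
```

On a real Linux host, calling `audit()` with no argument reads the live tree under `/sys/bus/usb/devices`.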

At this time, the only way to ensure that a PC has not been infected is to never insert a USB stick into it, or allow anyone else to do so when you’re not around. And if you ever plug one of your USB devices into another computer, you might as well throw it away, as you can never trust it again. Even if every USB device manufacturer fixed this right now, it could take years before old devices are gone, and by then firmware and BIOS code could be compromised across the globe in ways no one can imagine.

That was frightening news. Now it’s worse, because other researchers have announced plans to release the code to do exactly that. Researchers Adam Caudill and Brandon Wilson have posted their code on GitHub, so now anyone can convert a USB stick into a USB Bubonic Plague.

Good luck.

(Source: Wired: The Unpatchable Malware That Infects USBs Is Now on the Loose)
