Possible to malware someone in this manner,

[dollx]

in this day and age? :

putting a virus onto their DVD while you borrow it from them, then return it so that the virus will be installed next time they put it into their computer. I'm not interested in if this applies just to DVDs though, but also if it could ve done with UMDs.

For the record, I'm not planning to do this to anyone. I'm actually considering lending someone else my stuff.

Also, could something similar be done with USB memory sticks? Would paying some computer workshop to scan for malware on a USB memory stick or a DVD/UMD be a surefire way to rat out all and any malware? Or would a simple avast scan or something be enough? Maybe use some more advanced scanner like a rootkit scanner...?

 

[chimaxi83]

Yes.

 

[mechBgon]

Examples of such malware have existed for years, including the CD/DVD vector. One straightforward countermeasure is to disable AutoPlay: http://www.mechbgon.com/build/autoplay.html

If you want to take it further, enable either Parental Controls, or Software Restriction Policy (in conjunction with a low-rights user account for normal daily uses, as opposed to an Admin-level account). Either one will block the execution of unauthorized executables. http://www.mechbgon.com/srp

Also use antivirus software as a backup measure that should present a visible alert so you know something's up.

 

[SecurityTheatre]

Yes.

It's worth pointing out that USB keys generally do not auto-run, so you would have to click on (and likely execute) some file that contains the malware.

 

[PrincessFrosty]

I think you can just put an autorun ini file onto a usb key configured to point to an executable on it?

 

[lxskllr]

I think you can just put an autorun ini file onto a usb key configured to point to an executable on it?

Yup. AFAIC, autorun should be disabled for all devices. The security risk far outweighs the minor convenience of manually opening the drive and opening/executing its contents.

 

[smackababy]

It's worth pointing out that USB keys generally do not auto-run, so you would have to click on (and likely execute) some file that contains the malware.

And it is as easy as making the executable icon a folder.

 

[John Connor]

I always disable auto play when I first install the OS. The best way to do that is through Group policy. You enter gpedit.msc into run. If the OS isn't capable of running group policy than you will have to go into the control panel to turn off auto play. Avira anti-virus has the option to turn off auto play.

http://support.microsoft.com/kb/967715

 

[Savatar]

Some USB sticks are especially dangerous since, even if you disable autoplay, it will install the USB's drivers on your system when it's plugged in (before you even browse the files). Certain malware has been known to load using this technique, which makes it very hard to prevent. You don't have that problem with DVDs - just disable autorun/autoplay... but the same cannot be said for USB drives.

 

[bononos]

Theres usb stick drive innoculator programs that will prevent these types of worms. They typically create an empty autorun.inf and do things to the fat to make sure that the hidden file cannot be modified. Panda's is compatible with ntfs.

But if you're going to be lending to people whom you don't trust, they can always format the drive and put whatever stuff they want on it.