Malware delivered on flash drives via infected files isn’t new, and it’s a problem that you can mitigate by exercising caution and using a good antivirus package. But when the flash drive itself is malicious, well, all bets are off.
BadUSB, a toolkit put out by a pair of security researchers last fall, shows how flash drives can be modified for nefarious purposes. Using attacks like BadUSB, a prospective malware distributor could modify the firmware on the flash drive itself to fool a PC into thinking the flash drive is a different kind of device.
For example, as IDG News Service's Lucian Constantin explained, “a USB thumb drive connected to a computer can automatically switch its profile to a keyboard—and send keystrokes to download and install malware—or emulate the profile of a network controller to hijack DNS settings.”
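On the host side, the profile switch described above shows up as a change in the USB interface classes a device reports, which a defender can watch for. The following Python is an added example, not code from the article or from the BadUSB researchers: it flags a device that enumerates as mass storage and also, or later, presents HID or network interfaces. The event format, field names and sample values are assumptions constructed for illustration.

```python
# USB interface class codes (USB-IF defined class codes).
MASS_STORAGE, HID = 0x08, 0x03
NETWORK = {0x02, 0x0A, 0xE0}  # CDC control, CDC data, wireless controller (used by RNDIS)

def roles(interfaces):
    """Reduce (class, subclass, protocol) triples to coarse roles."""
    found = set()
    for cls, _sub, _proto in interfaces:
        if cls == MASS_STORAGE:
            found.add("storage")
        elif cls == HID:  # any HID counts: non-boot keyboards report protocol 0
            found.add("hid")
        elif cls in NETWORK:
            found.add("network")
    return found

def find_profile_switches(events):
    """Flag storage devices that also, or later, present HID/network interfaces."""
    history, alerts = {}, []
    for ev in events:
        ident = "%04x:%04x/%s" % (ev["vid"], ev["pid"], ev["serial"])
        now = roles(ev["interfaces"])
        before = history.setdefault(ident, set())
        risky = now & {"hid", "network"}
        if risky and "storage" in now:
            alerts.append((ev["time"], ident, "composite", sorted(risky)))
        elif risky and "storage" in before:
            alerts.append((ev["time"], ident, "re-enumerated", sorted(risky)))
        before |= now  # remember every role this identity has presented
    return alerts

# Constructed sample enumeration events (hypothetical IDs, not from a real device).
EVENTS = [
    {"time": 0, "vid": 0x1234, "pid": 0x0001, "serial": "A1",
     "interfaces": [(0x08, 0x06, 0x50)]},                      # plain flash drive
    {"time": 42, "vid": 0x1234, "pid": 0x0001, "serial": "A1",
     "interfaces": [(0x03, 0x01, 0x01)]},                      # same device, now a keyboard
    {"time": 50, "vid": 0x5678, "pid": 0x0002, "serial": "B2",
     "interfaces": [(0x03, 0x01, 0x01)]},                      # ordinary keyboard
    {"time": 60, "vid": 0x9abc, "pid": 0x0003, "serial": "C3",
     "interfaces": [(0x08, 0x06, 0x50), (0xE0, 0x01, 0x03)]},  # storage plus network
]

if __name__ == "__main__":
    for alert in find_profile_switches(EVENTS):
        print(alert)
```

Alerts are candidates for review, since some legitimate devices combine storage with a network interface. Correlating on the physical port as well covers devices whose reported identifiers differ between enumerations.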