USB Device Nightmare Becomes Reality

Nightmares can seem frighteningly real. But as we awake and realize that the dream isn't real we recognize it for what it is ... a nightmare. A little more than a year ago I wrote a column about how malware can be transferred between USB memory devices and a PC. I started that article with a fictional account of attending a conference and using a USB Flash Drive to infect a widely used computer to capture corporate data on attendees' Flash Drives. The technology is easy and described in a number of tutorials cited in the article.

But as a security expert at a large campus in the United States tells the story, my account is no longer fictional: The nightmare has become reality.

"One of the groups on campus hosted a conference at an off-site location, and about 500 of the 1,000 attendees ended up with infected USB drives. They had brought their presentations on the USB drives, and the group hosting the conference had a system (provided by the center that the conference was at) that was used to keep copies of the presentations. Either the system arrived infected or was infected by someone early on in the process, and anyone who stuck a USB drive in the system got a "present" on their drive. The malware was set up to autorun, so the attendees more than likely infected their systems when they got back to their office or home (or both). The malware was not detected by many AV products at the time, including the major players, so that helped the infection spread. It's fairly well detected now."

That incident is not nearly as embarrassing as Telstra's distribution of malware-infected USB drives at this year's AusCERT security conference.

Houston, We Have a Problem
Symantec reported that in the second half of 2007 the percentage of malicious code that was propagated as shared executable files had increased from 14 percent to 40 percent as a result of the increased use of removable media. (More than 120 million USB flash drives are purchased every year.) ESET, a security firm, estimated that more than 10 percent of all malware detected in March of 2008 was designed to use portable storage media such as USB drives.

Attack Strategies
The attacks follow two general strategies. The first exploits the "autorun" feature in Windows and the U3 feature on some smart drives to allow a program to run automatically when a removable drive is inserted into a computer. That was the strategy used in my 2007 article.

The problem isn't just U3-capable flash drives, however. A second strategy embeds malware disguised as a normal file on a USB device and makes use of social engineering to cause the user to open the file. This gets around the fact that "autorun" won't work with "regular" USB flash drives. And as you might expect, there is a tutorial on the Internet, How To: Quick Intro to Hacking Autorun for USB Flash Drives, that describes how to install a user-defined program named "Fun Game" on a normal USB flash drive. This was the technique used by a network security firm to audit the security of a client bank. They scattered 20 USB flash drives in locations such as the bank parking lot where they might be found by the client's employees. Of these, 15 were picked up by employees who then executed embedded files on bank computers, which then transmitted sensitive bank information back to the security firm.

Not Just a Higher Ed Problem
Higher Education is not alone in dealing with this problem. Because of a rapidly spreading worm (Agent.btz, a variant of SillyFDC), the U.S. Defense Department last month suspended the use of thumb drives, CDs, flash media cards, and all other removable data storage devices on its networks in an effort to halt the spread. The edict, which was reported to come from the commander of U.S. Strategic Command, applies to both the secret SIPRNet and unclassified NIPRNet and directs users to "cease usage of all USB storage media until the USB devices are properly scanned and determined to be free of malware." According to Ryan Olson, director of rapid response for the iDefense computer security firm, "The USB ban should be effective in stopping the worm."

Higher Education Responses
While many campuses are relying on aggressive anti-malware policies for desktop protection, others are addressing the problem by trying to make sure that the USB devices themselves are clean. Cornell is a proponent of this strategy. After their security office detected a serious, widespread malware outbreak with the potential to infect all Windows computers on campus, they initiated "walk-in clinics" for cleaning USB devices. They found that one in every six USB devices checked at the clinics was infected! For the technically inclined they have posted instructions on how to check and clean a USB device as well as how to disable Windows Autorun.
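As an added example (not taken from Cornell's instructions or from the original column), the Python sketch below shows one way to check a mounted USB drive for the autorun entries described under Attack Strategies. The function names, the sample file names, and the autorun.inf contents are constructed for illustration.

```python
import tempfile
from pathlib import Path

def launch_entries(text):
    """Return [(key, command)] for [autorun] entries that make Windows start a program."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # open=, shellexecute= and shell\<verb>\command= all name a program to run
            if key in ("open", "shellexecute") or key.endswith("\\command"):
                found.append((key, value))
    return found

def audit_drive(root):
    """Check the root of a mounted removable drive; return one dict per launch entry."""
    root = Path(root)
    # Index files case-insensitively, as FAT and NTFS do.
    files = {p.relative_to(root).as_posix().lower() for p in root.rglob("*") if p.is_file()}
    findings = []
    for inf in (p for p in root.iterdir() if p.is_file() and p.name.lower() == "autorun.inf"):
        data = inf.read_bytes()
        text = data.decode("utf-16" if data.startswith(b"\xff\xfe") else "latin-1")
        for key, command in launch_entries(text):
            # The target is the leading quoted path if there is one, else the first token.
            quoted = command.startswith('"') and command.count('"') >= 2
            first = command.split('"')[1] if quoted else (command.split() or [""])[0]
            target = first.replace("\\", "/").lower()
            findings.append({"key": key, "command": command,
                             "target_on_drive": target in files})
    return findings

def demo():
    """Build a constructed sample drive in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "RECYCLER").mkdir()
        (drive / "RECYCLER" / "sample.exe").write_bytes(b"constructed placeholder")
        (drive / "AutoRun.inf").write_text(
            "; constructed sample\r\nrandom padding line\r\n[AutoRun]\r\n"
            "open=RECYCLER\\sample.exe\r\nshell\\open\\command=RECYCLER\\sample.exe\r\n"
            "icon=drive.ico\r\n")
        return audit_drive(drive)

if __name__ == "__main__":
    print(demo())
```

Point `audit_drive` at the drive's mount point or drive letter. An empty result means no launch entries were found in autorun.inf, not that the drive is free of malware.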

Recommendations
The US-CERT (Computer Emergency Response Team) issued a warning Nov. 20 that malware was increasingly propagating via USB flash drive devices and described the common attack vectors. They encouraged users to do the following to help mitigate the risks:


While a number of vendors, such as IronKey, are developing secure USB memory devices, they are unlikely to be adopted by most of our faculty and students owing to cost. This means that we must rely on the recommendations of the CERT and aggressive campus education programs.
