Proactive IT Security
 

Ghosts from the past resurface through USB sticks

Security Information Week 46, 2008

Introduction

The increasing use of USB sticks and their storage capacity constitute major security issues. Problems that were dominant with floppy disks (anyone still remember those?) are resurfacing. Floppies were the main spreading vector of malicious software (mainly viruses) in the stone age of personal computers. We now see a growing amount of malware that uses USB sticks as one of its spreading mechanisms. Unlike floppy disks, however, USB sticks are a far more powerful spreading mechanism.

Fortunately, there are actions that can be taken to mitigate this risk. Unfortunately, some of these actions may result in what is perceived as more cumbersome working conditions, which is often the case with security in general. Ease of use and smooth functionality are often in direct conflict with the need for security.

How it works

A USB stick is small, it is cheap and it has substantial storage capacity. All of these characteristics have improved and continue to do so month by month. This makes the USB stick an extremely "nice" tool to use for e.g.

  • installing programs in the organization
  • transferring data between the organization's computers (e.g. between workplace and home)
  • transferring data from your computer to another temporarily (e.g. to show your presentation to an external audience)
  • backup device for smaller amounts of data

The usage is only limited by imagination.

One of the "features" in modern Windows operating systems is that devices like CDs, DVDs, USB sticks etc. can run programs automatically under certain conditions. This is the default setting of the operating system, and it is obviously quite neat that your audio CD starts playing automatically when it is inserted in the CD drive. The requirement for this to happen is that a special file - autorun.inf - is present in the root directory of the device that is connected to the computer. This file contains information about the commands that should be executed.

Enough said...

This is obviously a major security risk, as this technique also enables malicious software that is present on the device to run. The PC that the device is connected to may thus be infected.
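As an added example (not part of the original article), the following Python sketch shows how a defender could inspect a device's autorun.inf before trusting it, listing every command the file asks Windows to launch. The sample file content and file names are constructed, and the set of keys treated as executable (open, shellexecute, shell\<verb>\command) is an assumption not spelled out in the article.

```python
import os
import re

# [autorun] keys whose value is a command Windows may execute.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

# Constructed sample, not taken from a real device.
SAMPLE = """\
; comment line
[AutoRun]
icon=setup.ico
xkq3 padding line without a key
OPEN=tools\\setup.exe /quiet
shell\\install\\command = tools\\setup.exe
label=Setup
[Other]
open=ignored.exe
"""

def launch_entries(text):
    """Return [(key, command)] for each executable entry in [autorun]."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # other sections and junk lines are skipped
        key, value = (part.strip() for part in line.split("=", 1))
        if EXEC_KEYS.match(key) and value:
            found.append((key.lower(), value))
    return found

def scan_drive(root):
    """Return launch entries from <root>/autorun.inf, or [] if absent."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="latin-1") as fh:
        return launch_entries(fh.read())

if __name__ == "__main__":
    for key, command in launch_entries(SAMPLE):
        print(f"autorun.inf would launch via {key}: {command}")
```

An empty result from scan_drive() means only that the file requests no automatic launch; it says nothing about other files on the device.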

In "the good old days of floppy disks" the normal infection scenario was that the PC had to be booted from an infected floppy disk in order to be infected. The malicious program then had one particular payload aimed at the infected PC.
These days - as we know - malware often consists of several parts and has several propagation techniques built in. The initial USB-infected PC may therefore infect the entire network and infect subsequent clean USB sticks that are connected. The malware can of course also perform all other kinds of actions that the author had intended when she wrote her piece of malicious program code.

A very small case study

Norman recently had a customer that was very security conscious in its network configuration. No computer in the network was connected to the Internet. Nevertheless, the whole network was suddenly infected!

The observant reader already knows the answer:
It turned out that the culprit was an infected USB stick that had been connected to one of the PCs in the network.

A special type of malware - "slurping"

One particular type of malware that utilizes USB sticks is the kind that uses so-called "slurping". This is malware that runs from a USB stick and stealthily copies data from a PC/network to the USB stick. This type of data leakage will often be a targeted attack and can obviously be very dangerous for the organization that is targeted.

Slurping is discussed in more detail in another security article.

Other types of unintended information disclosure

One may argue that perhaps the greatest danger of USB sticks is the one that results from sloppy use. Since they are so small and have quite large storage capacity, they are popular for transporting data to and from computers. These two characteristics also imply that they are easy to lose or misplace, and significant amounts of confidential data may be placed into the hands of the finder - who of course can be anyone, within or outside the organization.

We will discuss data leakage in more depth in a special article later.

Protection techniques

As mentioned above, there are several techniques that can be used to protect yourself and your organization from the dangers that USB sticks represent. Unfortunately, these will often conflict with the users' need for what is perceived as the easiest way to perform day-to-day tasks. As usual, any organization will have to find its own best balance between security, different users' needs and organizational efficiency.

Here are some of the actions that can be implemented to mitigate the dangers that USB sticks represent:

  • Corporate policy that forbids attaching storage devices to USB ports
  • Software products that allow only pre-defined devices, or no devices, to be attached to any ports in the corporate network
  • Disabling autorunning programs on USB devices. This requires changing settings in the Registry, which most users will find cumbersome and even scary. However, it is quite easy for an organization to make a program that changes the necessary key(s). Microsoft has several technical articles about how to do this; search for "autorun disable usb" in Microsoft TechNet and select the operating system etc. that is relevant for you. Any other search engine will also provide you with lots of results for these search words.
  • Physical disabling of any USB ports. This is a quite drastic measure, but it provides the best security.
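
One possible shape for the small program mentioned in the autorun bullet above, as an added example that is not from the original article or from Microsoft. It assumes the NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, a key the article does not name; the value 0x91 is a constructed sample used to show the decoding.

```python
try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None

# Registry location and value name are assumptions; the article names neither.
KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE = "NoDriveTypeAutoRun"
# A set bit disables AutoRun for that drive type.
DRIVE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
              0x10: "network", 0x20: "cdrom", 0x40: "ramdisk"}
ALL_DRIVES = 0xFF

def autorun_enabled_for(mask):
    """List the drive types on which AutoRun is still enabled under mask."""
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]

def read_mask():
    """Return the machine-wide mask, or None when the value is not set."""
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as key:
            return winreg.QueryValueEx(key, VALUE)[0]
    except FileNotFoundError:
        return None

def disable_all():
    """Write 0xFF machine-wide; requires administrator rights."""
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, KEY, 0,
                            winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE, 0, winreg.REG_DWORD, ALL_DRIVES)

if __name__ == "__main__":
    if winreg is None:
        # Off Windows, decode a constructed sample value instead.
        print(hex(0x91), "leaves AutoRun on for", autorun_enabled_for(0x91))
    else:
        mask = read_mask()
        if mask is None:
            print("NoDriveTypeAutoRun is not set; the OS default applies")
        elif autorun_enabled_for(mask):
            print("AutoRun still enabled for", autorun_enabled_for(mask))
        else:
            print("AutoRun is disabled for all drive types")
```

The script only audits when run; disable_all() has to be called explicitly from an elevated session once the audit shows removable drives are still enabled.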