Small in size and convenient to use, USB thumb or flash drives have found their way into many networks, ranging from the Department of Defense to corporate America. Unfortunately, the ubiquity of this technology, combined with recent device features, has given malware authors an unprecedented ability to circumvent customary network access controls and protections. It is important to emphasize to control system owners and operators that this attack vector can threaten control system networks just as easily as enterprise networks. Because of the increasing reliance on commercial-off-the-shelf software and operating systems in control system networks, ICS-CERT believes that USB thumb drives represent a significant malware attack vector for control system owners' networks. [a]
Owners and operators are also cautioned that USB drives have been involved in many cases of loss of sensitive information. Their small size and increasingly high storage capacity have been instrumental in the loss or theft of sensitive information from enterprise networks.
USB drives have been a significant network attack vector for several years now. An advance in USB technology, known as U3 (introduced in 2006), has added a further vulnerability. U3 gives USB drives the ability to run applications automatically when inserted into a computer running Microsoft Windows in the default configuration. U3 works by using a small 4 megabyte read-only partition that registers with Microsoft Windows as a CD-ROM drive. The partition is treated as a standard CD-ROM drive, and U3 takes advantage of the Windows AutoPlay feature, causing Windows to automatically run the U3 LaunchPad application. [b] In addition, applications on the thumb drive that comply with the U3 specification are allowed to write files or registry information to the host computer. The specification requires that an application remove its registry information once the drive is removed from the host computer, but this is not enforced by technical means. This feature has made USB thumb drives a significant vector of attack for many strains of malware. US-CERT has documented that malware such as Conficker has previously used USB drives as a replication vector. [c]
USB network attacks have taken four major forms:
1. The USB device is used as a data theft device using the "USB Switchblade" technique: In this mode, the attacker uses the USB drive to steal website credentials cached in the victim's browser, or the victim's cached domain credentials in the form of LM (LAN Manager) password hashes. [d] This technique can also be used to bypass workstation screensaver authentication controls.
2. The USB device is used as part of a social engineering exercise: In this mode, the attacker leaves infected USB drives scattered around a target organization's premises (such as in the parking lot), hoping employees will insert the drives into their workstations. The USB drive in this example would contain a custom LaunchPad application that can steal user website and domain credentials and then send them to the attacker.
3. The U3 USB thumb drive's LaunchPad application is infected with malware: In this mode, malware has infected the LaunchPad application on the thumb drive and uses the AutoRun feature of Microsoft Windows as a means of replicating itself to victim workstations and then to other machines on the targeted organization's network. [e]
4. Malware that has previously compromised a workstation copies itself to a USB flash drive. The flash drive is then taken to a new machine and connected. The copied malware may carry an icon designed to trick the user into thinking it is a harmless media file, causing the user to execute it. [f] An example is a USB drive that is plugged into an infected business system and then used to transfer files to a control system computer, bridging the air gap between the two systems.
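As an added example (not part of the ICS-CERT advisory), the following PowerShell script shows what a defender can look for on a Windows workstation after reading the four attack forms above: a USB device exposing a CD-ROM partition the way U3 drives do, an autorun.inf with launch directives on a removable volume, and executables named to look like media files. The function names and the extension lists are this example's own choices; it assumes PowerShell 3 or later with the CIM cmdlets.

```powershell
# Added example (not from the ICS-CERT advisory): inventory removable media on a
# Windows host the way a defender would after reading the four attack forms above.
# It flags (1) USB devices presenting a CD-ROM partition, as U3 drives do, and
# (2) autorun.inf files and media-looking executables on removable volumes.
# Assumes Windows with the CIM cmdlets (PowerShell 3+); run as an administrator.

function Get-UsbCdromEmulation {
    # U3 drives register a small read-only partition as a CD-ROM; it enumerates on
    # the USB storage bus, which a physical optical drive normally does not.
    Get-CimInstance Win32_CDROMDrive |
        Where-Object { $_.PNPDeviceID -like 'USBSTOR\CDROM*' } |
        Select-Object Drive, Caption, PNPDeviceID
}

function Get-AutorunDirectives {
    param([string]$Root)
    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path $inf)) { return }
    # Only the directives that cause code to run are of interest here.
    Get-Content $inf |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' } |
        ForEach-Object { [pscustomobject]@{ Volume = $Root; Directive = $_.Trim() } }
}

function Get-DisguisedExecutables {
    param([string]$Root)
    # Attack form 4: an executable whose name carries a media extension before the
    # real one (e.g. holiday.jpg.exe), usually paired with an image or video icon.
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.(jpe?g|png|gif|bmp|avi|mpe?g|mp4|wmv|mp3)\.(exe|scr|com|pif|bat|cmd|vbs)$' } |
        Select-Object FullName, Length
}

# Win32_LogicalDisk DriveType 2 = removable; a U3 CD-ROM partition shows as DriveType 5.
$volumes = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 5 }
Get-UsbCdromEmulation
foreach ($v in $volumes) {
    Get-AutorunDirectives -Root ($v.DeviceID + '\')
    Get-DisguisedExecutables -Root ($v.DeviceID + '\')
}
```

Nothing the script reports is proof of infection on its own; a matching autorun.inf or USB CD-ROM device is a prompt to quarantine the media and check it with the organization's anti-malware tools.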
ICS‐CERT recommends that control system owners immediately implement these precautionary measures:
1. Disable the AutoRun feature for CD-ROM drives on every computer on the enterprise and control system networks. [g]
2. Establish strict policies for the use of USB thumb drives on all enterprise and control system networks.
3. Caution users about this attack vector and remind them that unknown USB drives should never be plugged into a business or personal computer.
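An added example, not from the advisory, of how recommendation 1 can be audited and applied with PowerShell on a Windows host. It uses the two registry settings described in the US-CERT alert cited in footnote g (NoDriveTypeAutoRun set to 0xFF, and mapping Autorun.inf to a registry key that does not exist); the function names are this example's own, and it assumes an elevated PowerShell session.

```powershell
# Added example (not from the ICS-CERT advisory): audit, and if needed apply, the
# two registry settings that disable AutoRun for removable and CD-ROM media on a
# Windows host, following recommendation 1 above. Run in an elevated PowerShell.
# Both settings are the ones US-CERT alert TA09-020A discusses: 0xFF covers every
# drive type, and the IniFileMapping entry makes Windows ignore autorun.inf itself.

$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$iniMap = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutorunState {
    $mask = (Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $map  = (Get-ItemProperty -Path $iniMap -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    $maskText = if ($null -eq $mask) { 'not set (Windows default applies)' } else { '0x{0:X2}' -f $mask }
    [pscustomobject]@{
        NoDriveTypeAutoRun = $maskText
        AllDriveTypesOff   = ($mask -eq 0xFF)
        AutorunInfMapped   = ($map -eq '@SYS:DoesNotExist')
    }
}

function Set-AutorunDisabled {
    # 0xFF sets the bit for every drive type, so AutoRun is off for removable,
    # fixed, network, CD-ROM and RAM disks alike.
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    # Redirect autorun.inf parsing to a registry key that does not exist, so its
    # directives are never honoured; the cited alert recommends this because the
    # policy value alone was not honoured on systems missing the Microsoft update.
    if (-not (Test-Path $iniMap)) { New-Item -Path $iniMap -Force | Out-Null }
    Set-ItemProperty -Path $iniMap -Name '(default)' -Value '@SYS:DoesNotExist'
}

# Audit first; apply only when something is not yet hardened, then re-audit.
$state = Get-AutorunState
$state
if (-not ($state.AllDriveTypesOff -and $state.AutorunInfMapped)) {
    Set-AutorunDisabled
    Get-AutorunState
}
```

On domain-joined hosts the same values are normally delivered by Group Policy, which will overwrite a local change at the next refresh, so the policy object is the place to make the setting permanent.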
- Using Caution with USB Drives, Cyber Security Tip ST08-001
- Microsoft Windows Does Not Disable AutoRun Properly, Technical Cyber Security Alert TA09-020A
Original release date: January 20, 2009
Last revised: March 2, 2009
- a. http://arstechnica.com/security/news/2008/08/latest-uk-data-loss-due-to-misplaced-usb-thumb-drive.ars
- b. http://www.u3usb.com/history-of-u3-technology/
- c. http://www.us-cert.gov/cas/alerts/SA09-088A.html
- d. A good example of this is the so-called USB Switchblade attack: http://www.hak5.org/usb-switchblade; see also http://blogs.securiteam.com/index.php/archives/614
- e. http://cyberinsecure.com/usb-autorun-malware-on-the-rise/ "Security firm ESET said that 10.3 per cent of malware detections last month were identified as files containing information on programs to be run automatically when removable media are inserted into a computer. Around a tenth of all malware is designed to use portable storage media, such as removable USB drives, as an attack and spread vector."
- f. http://www.symantec.com/connect/blogs/increase-usb-based-malware-attacks "Quite often there are familiar file icons such as Microsoft Windows icons for videos and images that are used to trick unsuspecting victims into thinking that an executable file is a harmless image or video. This infection method requires that the victim manually execute the malicious file from their computer to become infected."
- g. US-CERT Technical Cyber Security Alert TA09-020A, “Microsoft Windows Does Not Disable AutoRun Properly,” http://www.uscert.gov/cas/techalerts/TA09-020A.html