By Robert Vamosi
New research on the Stuxnet worm suggests USBs will be an active malware vector in the future.
Turning off Autorun features in Windows might seem like a viable defense against USB-based malware, but turning off Windows Update for automatic drivers might be a better strategy.
USB drives can carry a dangerous payload
If you still believe that USB drives are not vulnerable to security threats, research presented last week at this year’s Black Hat D.C. security conference might change your mind. In his talk, “Beyond Autorun: Exploiting software vulnerabilities with removable storage,” IBM X-Force Advanced R&D researcher Jon Larimer showed several ways in which USB devices can, without a user’s knowledge, load malicious content. He showed how malware can execute on your PC even if you have disabled the Windows Autorun feature. (Microsoft Support article 967715 has instructions for disabling Autorun.)
Larimer was one among several presenters at Black Hat who examined the latest information about the Stuxnet worm, which is spread through USB devices — including external drives. Stuxnet is one of a new breed of computer worms that attack computer-controlled industrial machinery. In the most widely reported case, a Stuxnet worm damaged Siemens nuclear centrifuges by altering their frequencies and destabilizing them. Now that this attack method has succeeded, Stuxnet probably won’t be the last worm to disable critical machinery. Nor will it be the last to spread via USB drive.
A brief history of removable media–based malware
Malware infections through removable media are nothing new. In fact, most of the early personal-computer infections were passed by floppy disks, because PCs were not yet connected to networks. In his presentation, Larimer gave the following historical summary of malware passed by disks, CDs, and USB devices:
- Elk Cloner: The earliest known malware to spread by removable media, this virus was released in 1982 and attacked the Apple II OS.
- Brain: The first MS-DOS floppy disk–based worm, Brain showed up in 1986 and celebrated its 25th anniversary this week.
- Roron: In 2002, the Roron worm made use of autorun.inf on networked drives.
- Bancos: In 2004, the Bancos worm exploited CD-ROM discs.
- SillyFD-AA: The first malware to spread via USB, this 2007 worm did so by creating its own autorun.inf file.
Citing this example, Larimer stated that, even on Windows systems without Autorun enabled, external devices remain a viable malware vector for the near future.
Windows 7 restricts the use of Autorun
Autorun — specifically, the autorun.inf file — was originally designed to automatically execute programs from a CD. The Windows XP SP2 update extended Autorun’s capability to USB devices. But Windows 7 reversed this progression; Win7 allows AutoPlay for apps on optical media (CDs and DVDs) but not on USB devices. Larimer said he doesn’t know of any successful public exploits of the USB stack in Windows 7.
However, Win7’s AutoPlay still has a serious vulnerability. In normal use, AutoPlay pops up a dialog box and asks users what they’d like to do with media files it found on the removable device — play a music file, for example? But according to Larimer, AutoPlay also automatically reads and parses other types of files, such as the LNK file icon handler whose vulnerability was used by the Stuxnet worm. Thus, a malicious file need only exploit such a vulnerability to bypass Autorun altogether.
Many ways to trigger malware on USB devices
Larimer outlined several ways that malware can exploit external drives. For example, when any device is inserted into a USB port, it gives the Windows operating system information needed to load the correct drivers. Windows then loads the driver through the Plug-and-Play manager. If no driver exists, Windows searches Windows Update for one.
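The two defenses the article points to, disabling Autorun and stopping the Plug-and-Play manager from fetching drivers from Windows Update, are both registry policies. The following PowerShell audit script is an added example, not code from the article or from Larimer's talk; it assumes Microsoft's documented policy values (NoDriveTypeAutoRun = 0xFF from Support article 967715, and SearchOrderConfig = 0 for driver searching), which should be verified against the Windows version in use.

```powershell
# Added example (not from the article): audit whether Autorun and automatic
# driver downloads from Windows Update are disabled; -Enforce writes the
# desired values (requires an elevated shell).
# Assumed policy values: NoDriveTypeAutoRun = 0xFF disables Autorun on every
# drive type (KB 967715); SearchOrderConfig = 0 tells the Plug-and-Play
# manager not to query Windows Update when no local driver matches.
[CmdletBinding()]
param([switch]$Enforce)

$checks = @(
    @{ Name  = 'Autorun disabled for all drive types'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'
       Want  = 0xFF },
    @{ Name  = 'Windows Update driver search disabled'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching'
       Value = 'SearchOrderConfig'
       Want  = 0 }
)

function Test-UsbPolicy {
    param([hashtable]$Check)
    $current = $null
    try {
        # Get-ItemProperty throws if the key or value does not exist.
        $current = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction Stop).($Check.Value)
    } catch { }
    [pscustomobject]@{
        Check     = $Check.Name
        Current   = if ($null -eq $current) { '(not set)' } else { '0x{0:X}' -f $current }
        Wanted    = '0x{0:X}' -f $Check.Want
        Compliant = ($current -eq $Check.Want)
    }
}

$results = foreach ($c in $checks) {
    $r = Test-UsbPolicy -Check $c
    if (-not $r.Compliant -and $Enforce) {
        # Create the policy key if it has never been set, then write the DWORD.
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -Type DWord
        $r = Test-UsbPolicy -Check $c   # re-read to confirm the write took effect
    }
    $r
}
$results | Format-Table -AutoSize
```

Run it without -Enforce first to see which of the two settings a machine is missing; a non-compliant "Windows Update driver search" row means an unknown USB device can still trigger a driver download and install.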