USB flash drives continue to present a serious challenge to information security, for consumers and companies alike. You will be aware of this if you read our recent article on the Win32/Pronny worm, just one example of a piece of malicious software that is “in the wild” and actively seeking to spread via USB flash drives, doing damage and stealing data as it goes. Unfortunately, although the ability to block malicious code infection from USB flash drives has been around for as long as the drive themselves, there is one chink in traditional defenses that has only recently been addressed: protecting these drives from malware infections by unprotected hosts.
Before I elaborate on this particular problem, I want to be clear about the destructive power of malware infection via USB drive. One of the most infamous pieces of malware, Stuxnet, is widely believed to have been introduced into Iran’s Natanz nuclear facility in 2008 via a USB thumb drive. The malicious code on that flash drive damaged costly industrial equipment, centrifuges that play a critical role in Iran’s nuclear program.
So, the threat of infection from USB flash drives is widely known, and the defensive measures used to thwart such attacks are generally well understood (we will get into these in more detail in a moment). This might lead a reasonable person to ask: Why do the bad guys continue to write malicious code that spreads via USB drives? The simple answer is that this infection vector still works, probably because people keep plugging their USB drives into a variety of under-protected computer systems, when they are traveling, during sales presentations, at conferences, for tradeshow demos, and so on.
Of course, any computer system on which a USB flash drive can be mounted can be programmed to scan such drives with antivirus software, thus preventing infection of that host and removing the malware from the USB drive. Systems can also be configured not to run software automatically from a removable drive (autorun). However, many USB flash drives that use security features need autorun to execute the logon/private partition application when drive is inserted in the USB port. And let’s face it, at any given time, a certain percentage of devices are: not running current antivirus software; not configured to scan USB drives; and not set to block autorun. Therefore, an infected flash drive plugged into one of these devices could infect it and potentially spread malicious code throughout any network to which it is attached.
How would a USB flash drive get infected? In practice one sees both unintentional and intentional infection. Stuxnet is an example of the latter, where someone loaded malicious code onto the drive with the intent of getting that code onto a target system. Unintentional infection can occur when you place your USB flash drive into an inadequately protected system. Sure, you may detect the infection later, when you eventually place your drive into your own computer, but you could do a lot of damage before then.
Suppose you share your now infected flash drive with several people. Your USB flash drive is now an infectious malware delivery system. Consider the case reported earlier this year by ICS-CERT (that’s the federal government’s Industrial Control Systems Cyber Emergency Response Team). Responding to an incident “in the Nuclear Sector” the ICS-CERT team “evaluated six hard drives while on site and found indicators of malware related to the Mariposa botnet” It was determined that infection occurred like this:
“…an employee attended an industry event and used an instructor’s universal serial bus (USB) flash drive to download presentation materials to a laptop. The USB drive was infected with the Mariposa botnet and when the user connected the laptop to the corporate network upon returning to work, the virus spread to over 100 hosts on the enterprise network.” (ICS-CERT Incident Summary Report, June 28, 2012 PDF)
As if the infection of 100+ hosts on an enterprise network in the nuclear sector was not alarming enough, consider this: “interviews with the employee revealed that other nuclear industry personnel had also used the same infected USB drive at the industry event.” Now, either that instructor was intentionally spreading malware, which seems unlikely in this case, or his USB drive had picked up the infection somewhere, possibly using an infected machine at a hotel business center, airport lounge, Internet café, or any number of places where strong endpoint protection measures were not in place. In short, his USB flash drive had become an attack vector.
So how do you protect your USB flash drive against infection when it is not mounted on your own, well-protected system? You run antivirus from the drive itself. Installing AV software on a USB drive, independent of the host system, is now possible, thanks to some clever programming. For example, there is a product called ClevX DriveSecurity powered by ESET that is designed to run without installation on the computer: the portable antivirus engine runs directly from your USB flash drive. This enables on-the-fly, protective AV scanning of that drive for viruses, Trojans, and other threats, wherever you use the drive.
ClevX chose ESET NOD32 for their DriveSecurity product because of its relatively small footprint and effective heuristic detection, technologically a good fit for portable drives that are not always connected to the internet for signature updates (whenever DriveSecurity can connect to the web, the signatures get updated automatically).
The next time you encounter a situation where USB flash drives could be plugged into systems that may have less than stellar AV installed, consider protecting them in this manner, with their own AV. This will provide a valuable additional layer of defense (and possibly avoid the embarrassment of infecting others with your USB flash drive or even data-leak unpleasant public disclosures and expensive fines).
Author Stephen Cobb, ESET