Cyber Danger Lurks with USB Drives

Wednesday, July 28, 2010 @ 05:07 PM gHale


The use of USB thumb drives in plant environments is under even closer scrutiny after last week's report of a malware attack on Siemens control software.
The malware was written to detect the Siemens WinCC and PCS 7 programs and their data, said Michael Krampe, director of media relations at Siemens Industry Inc.
To date, Krampe said, based on current information, the only platforms that may be affected are those where access to data or the operating system is possible via a USB interface.
Normally every plant operator ensures, as part of the security concept, that unrestricted access to critical SCADA system data via a USB interface is not possible, Krampe said.
Siemens learned about the malware program (a Trojan) targeting the Siemens software Simatic WinCC and PCS 7 on July 14. The company immediately assembled a team to evaluate the situation and worked with Microsoft and antivirus vendors to analyze the consequences and the exact mode of operation of the malware.
The Trojan, which spreads via USB sticks and exploits a Windows vulnerability, can affect Windows computers from XP upward.
Siemens has now established through its own tests that the malware is capable of sending process and production data over an Internet connection it tries to establish. In those tests, however, the connection did not complete because the communication partners (the target servers) appear to be inactive.
USB thumb or flash drives have found their way into networks from the Department of Defense to corporate America. The ubiquity of this technology, combined with recent device features, gives malware authors a way to circumvent customary network access controls and protections. Users and operators need to understand that these drives can threaten control system networks.
Because of the increasing reliance on commercial off-the-shelf software and operating systems in control system networks, ICS-CERT said USB thumb drives represent a significant malware attack vector for control system owners' networks.
End users should also understand that USB drives have been involved in cases of loss of sensitive information, ICS-CERT officials said.
USB drives have been a significant network attack vector for several years now, ICS-CERT officials said. An advance in USB technology known as U3 (introduced in 2006) added a further weakness: U3 gives a USB drive the ability to run applications automatically when it is inserted into a computer running Microsoft Windows in the default configuration. U3 works by using a small (4 megabyte) read-only partition that registers with Windows as a CD-ROM drive. Because Windows treats that partition as a standard CD-ROM, U3 can take advantage of the Windows AutoPlay feature so that Windows automatically runs the U3 LaunchPad application stored on it. In addition, applications on the thumb drive that comply with the U3 specification can write files or registry information to the host computer. The specification requires an application to remove its registry information once the drive is removed from the host, but this is not enforced by any technical means. This feature has made USB thumb drives a significant attack vector for many strains of malware; US-CERT officials have documented that malware such as Conficker has previously used USB drives as a replication vector.
US-CERT officials said USB network attacks have taken four major forms:
1. The USB device used as a data theft device, using the "USB Switchblade" technique. In this mode, the attacker uses the USB drive to steal user website credentials cached in the victim's browser, or the victim's cached domain credentials and LM (LAN Manager) password hashes. This technique can also bypass workstation screensaver authentication controls.
2. The USB device used as part of a social engineering exercise. In this mode the attacker leaves infected USB drives scattered around a target organization's premises (such as in the parking lot), hoping employees will insert the drives into their workstations. The USB drive in this example would contain a custom LaunchPad application that steals user website and domain credentials and sends them to the attacker.
3. The U3 USB thumb drive's LaunchPad application infected with malware. In this mode, malware infects the LaunchPad application on the thumb drive and uses the AutoRun feature of Microsoft Windows as a means of replicating itself to victim workstations and then to other machines on the targeted organization's network.
4. A workstation previously compromised by malware copies the malware to a USB flash drive. The flash drive is then plugged into another machine. The copied malware may carry an icon designed to trick the user into thinking it is a harmless media file, causing the user to execute it. An example is a USB drive that is plugged into an infected business system and then used to transfer files to a control system computer, bridging the air gap between the two systems.
ICS-CERT officials recommend control system owners implement these precautionary measures:
• Disable the CD-ROM AutoRun feature on every computer in the enterprise and control system networks.
• Establish strict policies for the use of USB thumb drives on all enterprise and control system networks.
• Caution users about this attack vector and remind them they should never plug an unknown USB drive into a business or personal computer.
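The first ICS-CERT recommendation, and the U3 LaunchPad mechanism described above, both come down to one Windows registry policy: NoDriveTypeAutoRun, a bit mask of drive types for which AutoRun is disabled, whose 0x20 (CD-ROM) bit is exactly what a U3 drive's emulated CD-ROM partition depends on being clear. The PowerShell script below is an added example, not code from the article, Siemens or ICS-CERT. It audits that value under both the machine and current-user policy keys, reports whether the CD-ROM bit and all other drive-type bits are set, and with -Fix sets the value to 0xFF. It assumes an elevated PowerShell 2.0 or later session on the host being checked; the HonorAutorunSetting check reflects Microsoft's AutoRun update for Windows XP and Server 2003 (KB967715), without which those systems do not fully honor the policy.

```powershell
# Added example, not code from the article, Siemens or ICS-CERT.
# Audits (and with -Fix enforces) "AutoRun disabled for every drive type"
# on the local Windows host. Assumes an elevated PowerShell 2.0+ session.
param([switch]$Fix)

$ValueName = 'NoDriveTypeAutoRun'
$AllOff    = 0xFF   # every drive-type bit set: AutoRun disabled everywhere
$CdRomBit  = 0x20   # the CD-ROM bit; a U3 LaunchPad relies on it being clear
$Policies  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',   # machine policy
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'    # current-user policy
)

function Get-DwordValue([string]$Key, [string]$Name) {
    # Returns the DWORD, or $null when the key or the value is absent.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

$compliant = $true
foreach ($key in $Policies) {
    $current = Get-DwordValue $key $ValueName
    if ($current -eq $null) {
        # Absent means the Windows default applies, which leaves CD-ROM AutoRun on.
        $shown = '<absent>'; $cdOff = $false; $allOff = $false
    } else {
        $shown  = '0x{0:X2}' -f $current
        $cdOff  = ($current -band $CdRomBit) -ne 0
        $allOff = ($current -band $AllOff) -eq $AllOff
    }
    Write-Host ("{0}`n  {1} = {2}; CD-ROM AutoRun off: {3}; all drive types off: {4}" -f `
        $key, $ValueName, $shown, $cdOff, $allOff)

    if (-not $allOff) {
        $compliant = $false
        if ($Fix) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name $ValueName -Value $AllOff -Type DWord
            Write-Host "  -> set $ValueName to 0xFF (takes effect at next logon)"
        }
    }
}

# Windows XP / Server 2003 only honour NoDriveTypeAutoRun fully once Microsoft's
# AutoRun update (KB967715) is installed; it sets HonorAutorunSetting = 1 here.
$honor = Get-DwordValue $Policies[0] 'HonorAutorunSetting'
if ($honor -ne 1) {
    $osVersion = (Get-WmiObject Win32_OperatingSystem).Version   # "5.x" is XP / 2003
    if ($osVersion -like '5.*') {
        $compliant = $false
        Write-Host "HonorAutorunSetting missing on Windows $osVersion : install KB967715 before relying on this policy"
    }
}

if ($compliant) { Write-Host 'AutoRun is disabled for all drive types.'; exit 0 }
Write-Host 'AutoRun is NOT fully disabled; rerun with -Fix to remediate.'
exit 1
```

Run it as-is from a scheduled job or a login script to get a non-zero exit code on non-compliant hosts, and with -Fix to remediate; the policy is read by Explorer at logon, so a fixed host is only protected after the user logs off and on again. This closes the AutoRun and LaunchPad vector behind the first three attack forms above. It does not by itself stop malware that, like the Siemens Trojan described above, exploits a Windows vulnerability; that still needs Microsoft's fix, and the second recommendation (a strict USB policy) remains necessary for the fourth form, where a user knowingly carries files across the air gap.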


