Official website of the Department of Homeland Security
ICS-CERT (Industrial Control Systems Cyber Emergency Response Team)
TLP:WHITE

USB USAGE

Released: 
Monday, April 26, 2010 - 16:30

Overview

Small in size and convenient to use, USB thumb or flash drives have found their way into many networks, from the Department of Defense to corporate America. Unfortunately, the ubiquity of this technology, combined with newer device features, has given malware authors an unprecedented ability to circumvent customary network access controls and protections. It is important to emphasize to control system owners and operators that this attack vector threatens control system networks just as easily as enterprise networks. Because control system networks rely increasingly on commercial-off-the-shelf software and operating systems, ICS-CERT believes that USB thumb drives represent a significant malware attack vector for control system owners' networks.[a]

Owners and operators are also cautioned that USB drives have been involved in many cases of loss of sensitive information. Their small size and increasingly high storage capacity have been instrumental in the loss or theft of sensitive information from enterprise networks.

Vulnerability Analysis

USB drives have been a significant network attack vector for several years. An advance in USB technology known as U3 (introduced in 2006) has added a further vulnerability. U3 gives a USB drive the ability to auto-run applications when it is inserted into a computer running Microsoft Windows™ in the default configuration. U3 works by using a small (4 megabyte) read-only partition that registers with Microsoft Windows as a CD-ROM drive. Because the partition is treated as a standard CD-ROM, U3 can take advantage of the Windows AutoPlay feature, causing Windows to run the U3 LaunchPad application automatically.[b] Emulating a CD-ROM rather than a removable disk is the point: the Windows default AutoRun policy has left optical drives enabled even on versions where it excludes removable disks, so the "CD-ROM" partition is the part of the stick that Windows is willing to auto-run. In addition, applications on the thumb drive that comply with the U3 specification are allowed to write files or registry information to the host computer. The specification requires that an application remove its registry information once the drive is removed from the host, but this is not enforced by technical means. This feature has made USB thumb drives a significant vector of attack for many strains of malware. US-CERT has documented that malware such as Conficker has previously used USB drives as a replication vector.[c]

USB network attacks have taken four major forms:

1. USB device used as a data theft device using the "USB Switchblade" technique: In this mode, the attacker uses the USB drive to steal user website credentials cached in the victim's browser, or the victim's cached domain credentials in the form of LM (LAN Manager) password hashes.[d] Anything launched this way runs with the privileges of the logged-on user, which on workstations where users run as local administrators is enough to read the cached hashes. This technique can also be used to bypass workstation screensaver authentication controls.

2. The USB device is used as part of a social engineering exercise: In this mode the attacker leaves infected USB drives scattered around a target organization’s premises (such as in the parking lot), hoping employees will insert the drives into their workstations. The USB drive in this example would contain a custom LaunchPad application that can steal user website and domain credentials and then send them to the attacker.

3. The U3 USB thumb drive's LaunchPad application is infected with malware: In this mode, malware has infected the LaunchPad application on the thumb drive and uses the auto-run feature of Microsoft Windows as a means of replicating itself to victim workstations and then to other machines on the targeted organization's network.[e]

4. Malware on a previously compromised workstation copies itself to a USB flash drive. The drive is then taken to a new machine and connected. The copied malware may use an icon designed to make the user think it is a harmless media file, so that the user executes it.[f] A typical case is a USB drive that is plugged into an infected business system and is then used to transfer files to a control system computer, bridging the air gap between the two.
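The following PowerShell script is an added example and is not part of the ICS-CERT advisory. It inspects a drive root for the two tricks described in forms 3 and 4 above: an autorun.inf that names a program for Windows to launch, and executables disguised with a document or media extension. The sample drive contents it stages in a temp folder are constructed placeholders, not real malware, and the function names are this example's own. Run it on an isolated analysis workstation, never on a control system host.

```powershell
# Added example, not from the advisory. Inspect a mounted USB drive (or a copy of its
# contents) for the AutoRun and lookalike-file tricks described above. Function and
# variable names are this example's own.

function Get-AutorunTargets {
    # Parse <root>\autorun.inf and return the programs Windows would launch from it.
    param([Parameter(Mandatory)][string]$Root)

    $inf = Get-ChildItem -LiteralPath $Root -Force -File -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -ieq 'autorun.inf' } | Select-Object -First 1
    if (-not $inf) { return @() }

    $targets   = @()
    $inSection = $false
    foreach ($line in (Get-Content -LiteralPath $inf.FullName)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^(?<key>[^=]+?)\s*=\s*(?<val>.*)$') {
            $key = $Matches['key'].Trim()
            $val = $Matches['val'].Trim()
            # Only these keys cause execution: open= and shellexecute= run directly,
            # shell\<verb>\command= defines verbs Explorer may run on double-click.
            if ($key -imatch '^(open|shellexecute|shell\\[^\\]+\\command)$') {
                $exe  = ($val -split '\s+')[0].Trim('"')
                $full = if ([IO.Path]::IsPathRooted($exe)) { $exe } else { Join-Path $Root $exe }
                $item = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue
                $targets += [pscustomobject]@{
                    Key    = $key
                    Target = $full
                    Exists = [bool]$item
                    Hidden = [bool]$item -and (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                }
            }
        }
    }
    return $targets
}

function Find-DeceptiveNames {
    # Files with an executable extension hiding behind a document/media extension,
    # e.g. "holiday.jpg.exe": the form-4 trick once Explorer hides known extensions.
    param([Parameter(Mandatory)][string]$Root)
    $exec = '.exe','.scr','.com','.pif','.bat','.cmd','.vbs','.js','.lnk'
    $bait = '.jpg','.jpeg','.png','.gif','.doc','.docx','.xls','.xlsx','.pdf','.txt','.mp3','.avi'
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $exec -contains $_.Extension.ToLower() -and
            $bait -contains ([IO.Path]::GetExtension($_.BaseName)).ToLower()
        } |
        Select-Object FullName, Length, Attributes
}

# --- Constructed sample drive root (placeholders, not real malware) ---
$sample = Join-Path ([IO.Path]::GetTempPath()) 'usb-sample'
New-Item -ItemType Directory -Force -Path (Join-Path $sample 'System') | Out-Null
Set-Content -LiteralPath (Join-Path $sample 'autorun.inf') -Value @(
    '[autorun]',
    'open=System\launcher.exe',
    'shell\explore\command=System\launcher.exe /e',
    'icon=%SystemRoot%\system32\shell32.dll,4',
    'action=Open folder to view files'
)
Set-Content -LiteralPath (Join-Path $sample 'System\launcher.exe') -Value 'placeholder'
(Get-Item -LiteralPath (Join-Path $sample 'System\launcher.exe')).Attributes = 'Hidden,System'
Set-Content -LiteralPath (Join-Path $sample 'holiday.jpg.exe') -Value 'placeholder'

Get-AutorunTargets -Root $sample | Format-Table -AutoSize
Find-DeceptiveNames -Root $sample | Format-Table -AutoSize
Remove-Item -LiteralPath $sample -Recurse -Force
```

Get-AutorunTargets reports only the keys that cause execution (open, shellexecute, shell\<verb>\command). The icon= and action= lines in the sample are the cosmetic half of the trick: a folder icon from shell32.dll and an "Open folder to view files" caption make the AutoPlay entry indistinguishable from the normal one, which is how a hidden launcher gets a click. Against a real drive, point -Root at the drive letter and treat any Exists=True, Hidden=True target as a reason not to connect the drive to a control system host.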

Mitigation

ICS‐CERT recommends that control system owners immediately implement these precautionary measures:

1. Disable AutoRun for all drive types, including CD-ROM, on every computer in the enterprise and control system networks.[g] As TA09-020A (referenced below) explains, some Windows versions do not fully honour the NoDriveTypeAutoRun setting until the update it describes is installed, so verify the change on a test host rather than assuming it took effect.

2. Establish strict policies for the use of USB thumb drives on all enterprise and control system networks.

3. Warn users about this attack vector and remind them that unknown USB drives should never be plugged into a business or personal computer.
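The following PowerShell script is an added example and is not part of the ICS-CERT advisory. It enforces precautions 1 and 2 above through the registry on a stand-alone Windows host: AutoRun disabled for every drive type, the autorun.inf mapping workaround from TA09-020A, and a removable-storage policy that blocks execution (or all access) from USB disks. The function names are this example's own; the registry paths and value names are Microsoft's. It assumes an elevated prompt and a host that is not subject to a conflicting Group Policy; on domain-joined hosts, set the same values through Group Policy instead, because a policy refresh overwrites the local Policies keys.

```powershell
# Added example, not from the advisory. Run from an elevated PowerShell prompt on a
# stand-alone host; use Group Policy for the same values on domain-joined hosts.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IniMapAutorun  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
# Device class GUID for removable disks under the RemovableStorageDevices policy.
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$UsbStor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Disable-AutoRun {
    # 0xFF sets the bit for every drive type, including the "CD-ROM" partition a U3 stick presents.
    Set-RegValue $ExplorerPolicy 'NoDriveTypeAutoRun' 0xFF
    # Honoured only once the update described in TA09-020A is installed; harmless otherwise.
    Set-RegValue $ExplorerPolicy 'HonorAutoRunSetting' 1
    # TA09-020A workaround: map autorun.inf lookups to a registry key that does not exist,
    # so Windows never acts on an autorun.inf from any volume.
    Set-RegValue $IniMapAutorun '(default)' '@SYS:DoesNotExist' 'String'
}

function Block-RemovableStorage {
    param([switch]$DenyAllAccess)
    # Hosts that still need to read approved media: block only execution from removable disks.
    Set-RegValue $RemovableDisks 'Deny_Execute' 1
    if ($DenyAllAccess) {
        Set-RegValue $RemovableDisks 'Deny_Read'  1
        Set-RegValue $RemovableDisks 'Deny_Write' 1
        # Hosts with no USB-storage requirement at all: do not load the driver (4 = disabled).
        # Takes effect for devices plugged in after the change; reboot to be sure.
        Set-RegValue $UsbStor 'Start' 4
    }
}

function Test-AutoRunHardening {
    # Read the values back so the change is verified, not assumed.
    [pscustomobject]@{
        NoDriveTypeAutoRun = (Get-ItemProperty -LiteralPath $ExplorerPolicy -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        AutorunInfMapped   = (Get-ItemProperty -LiteralPath $IniMapAutorun  -ErrorAction SilentlyContinue).'(default)'
        DenyExecute        = (Get-ItemProperty -LiteralPath $RemovableDisks -ErrorAction SilentlyContinue).Deny_Execute
        UsbStorStart       = (Get-ItemProperty -LiteralPath $UsbStor).Start
    }
}

Disable-AutoRun
Block-RemovableStorage            # add -DenyAllAccess on control system hosts with no approved USB use
Test-AutoRunHardening | Format-List
```

Expect NoDriveTypeAutoRun to read back as 255 and AutorunInfMapped as @SYS:DoesNotExist. The IniFileMapping entry is the part that matters on hosts that have not received the TA09-020A update, because it stops Windows from reading autorun.inf regardless of whether NoDriveTypeAutoRun is honoured. Deny_Execute leaves approved media readable while removing the double-click-to-run path that forms 2 through 4 above depend on; the -DenyAllAccess switch is for control system hosts where the policy in precaution 2 is "no USB storage at all".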

References

Using Caution with USB Drives
Cyber Security Tip ST08‐001
Produced 2008
http://www.us‐cert.gov/cas/tips/ST08‐001.html

Microsoft Windows Does Not Disable AutoRun Properly
Technical Cyber Security Alert TA09‐020A
Original release date: January 20, 2009
Last revised: March 2, 2009
http://www.us‐cert.gov/cas/techalerts/TA09‐020A.html
