Unruly USB: Devices Expose Networks to Malware
It's pretty easy for organizations to get so wrapped up in what goes out on USB drives that they forget to protect against what comes into their environments via USB. And with attacks inflicting increasingly greater damage following uncontrolled connection, it's time that organizations got serious about this threat.

February 2011 WP-EN-02-14-11
Introduction

The news today is chock full of stories about sensitive information being carried out of the institutional perimeter on 'simple' USB devices. These powerful portable drives rightly worry IT as a means of devastating data loss at the hands of malicious insiders. But it's pretty easy for organizations to get so wrapped up in what goes out on USB drives that they forget to protect against what comes into their environments via USB. And with attacks inflicting increasingly greater damage following uncontrolled connection, it's time that organizations got serious about this threat.

After all, according to researchers, as many as one in four worms [1] spread through infected USB devices. In the past year, we've seen Stuxnet raise its ugly head and Conficker continue to circulate through the USB vector. Recently the US Army admitted that an infected USB stick was responsible for one of the biggest cybersecurity breaches in military history. And yet the proliferation of USB devices continues to skyrocket by billions each year.

In order to keep organizations secure from these threats, IT departments must bring greater scrutiny and control to how the network is exposed to potentially infected portable payloads. But let's get real: they can't do so by gluing USB ports shut. Portable devices as business tools are here to stay. IT leaders who refuse to recognize that fact will be seen throughout their organizations as inhibitors to success. The key to USB security is balancing productivity with protection.

It's Not Just USB

While we've focused much of our attention on the ubiquitous USB flash drive, organizations need to think about threats that extend from all forms of removable media in use today. These include:

»» CD drives
»» DVD drives
»» Blu-ray drives
»» FireWire
»» eSATA connected devices
»» Consumer products such as picture frames

Evolution of USB as an Attack Vector

The more users depend on USB and portable devices to store and move data, the more tantalizing a target these devices become for hackers looking for an easy way to infect a large number of machines. And as the USB format becomes more complex, with a greater number of features to exploit, the bad guys are finding increasingly creative ways to use USB against their victims.

1. ComputerWorld, 1-in-4 worms spread through infected USB devices, Gregg Keizer (August 26, 2010)
Why USB Malware Is So Successful

According to analysts at In-Stat, by 2012 the market will ship over 4 billion USB-enabled devices per year. From the establishment of the USB 1.0 standard to the roll-out of iPods and thumb drives, and all the way through the development of USB 3.0-enabled mega-storage devices, portable device innovation has always been about speed, capacity and convenience. This has meant great things for the business world, which leverages these devices for incredible productivity gains.

But the standard's successful proliferation has also made it a prime target for malware developers. It's a matter of simple mathematics: the more devices out in the wild, the more likely an attack will find fertile ground for propagation.

Early on, USB malware was exploratory and experimental. Most of all it was just, well, random. Hackers would find ways to get malware files onto drives, either online or even manually, and cross their fingers in the hope that the intended victim clicked the files to initiate infection.

But as USB platforms evolved, so did the attack methods. Functionality enhancements opened up new possibilities for hackers. For example, Windows AutoRun made it simpler for users to gain immediate access to the contents of their drives, but it also enabled hackers to write code that could start without user intervention. And platforms such as the U3 smart drive made it possible to run applications directly from the drive, giving hackers another potentially untraceable attack vehicle.

Some of the most public early successes by malware distributors using USB as a vector came several years ago with the eruption of Conficker. One of the major variants of this devastating worm used USB propagation to great effect, as researchers explain in an SRI International report:

"Conficker B copies itself as the autorun.inf to removable media drives in the system, thereby forcing the executable to be launched every time a removable drive is inserted into a system. It combines this with a unique social-engineering attack to great effect. It sets the "shell execute" keyword in the autorun.inf file to be the string "Open folder to view files", thereby tricking users into running the Autorun program." [2]

2. SRI International, An Analysis of Conficker's Logic and Rendezvous Points, Phillip Porras, Hassen Saidi and Vinod Yegneswaran (March 2009)
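The autorun.inf trick quoted above is easy to recognize mechanically. The following Python is an added example, not part of the white paper or of the SRI report, of the check a device-control agent or a USB-scanning kiosk could run on an autorun.inf before Windows acts on it. It parses the [autorun] section while tolerating the binary junk and decoy lines worms pad the file with, and flags the directives that matter: open= or shellexecute= (a program runs on insertion), an action= label that mimics Explorer's own "Open folder to view files" entry, an icon borrowed from shell32.dll, and useautoplay=1. The sample file is constructed for the example in the style of the quoted Conficker entry; it is not the worm's actual autorun.inf, and the DLL name and export in it are placeholders.

```python
"""Triage an autorun.inf the way a device-control agent could before Windows
acts on it. Added example; the sample below is constructed in the style of the
Conficker B entry quoted above, not the worm's real file."""
import re

# Labels that make a malicious entry look like Explorer's own AutoPlay choice.
SPOOFED_LABELS = {
    "open folder to view files",
    "open folder to view files using windows explorer",
}
# Either key makes Windows run something when the drive is inserted.
LAUNCH_KEYS = ("open", "shellexecute")
# A directive must start with a letter, so ';' comments and binary junk never match.
_KEYVAL = re.compile(r"^\s*([A-Za-z][\w.]*)\s*=\s*(.*?)\s*$")


def parse_autorun(raw: bytes) -> dict:
    """Return {lower-cased key: value} from the [autorun] section only,
    tolerating the junk lines worms pad the file with to hide the directives."""
    text = raw.decode("latin-1")          # never fails on arbitrary bytes
    keys, in_autorun = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_autorun = stripped[1:-1].strip().lower() == "autorun"
            continue
        m = _KEYVAL.match(line)
        if in_autorun and m:
            keys[m.group(1).lower()] = m.group(2)
    return keys


def assess_autorun(raw: bytes) -> list:
    """List the reasons this autorun.inf should be treated as hostile."""
    keys = parse_autorun(raw)
    findings = []
    for k in LAUNCH_KEYS:
        if k in keys:
            findings.append(f"{k}= launches a program on insertion: {keys[k]}")
    label = keys.get("action", "").strip('"').lower()
    if label in SPOOFED_LABELS:
        findings.append("action= mimics Explorer's own 'Open folder' AutoPlay entry")
    if "shell32.dll" in keys.get("icon", "").lower():
        findings.append("icon= borrows a system icon so the entry looks native")
    if keys.get("useautoplay", "") == "1":
        findings.append("useautoplay=1 forces the AutoPlay prompt")
    return findings


# Constructed sample: binary padding and a decoy section around the real
# directives; the DLL name and export are placeholders.
SAMPLE_WORM = (
    b"\xfe\x19\x00\x8c junk\r\n"
    b"[AutoRun]\r\n"
    b";gjkQWd=pP\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"shellexecute=rundll32.exe .\\RECYCLER\\zzz.dll,entry\r\n"
    b"UseAutoPlay=1\r\n"
    b"[DeCoy]\r\nopen=setup.exe\r\n"
)
# Constructed benign sample: a vendor icon and a volume label, nothing to run.
SAMPLE_BENIGN = b"[autorun]\r\nicon=vendor.ico\r\nlabel=Field Kit\r\n"

if __name__ == "__main__":
    for name, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(name, assess_autorun(raw) or ["no hostile directives"])
```

The open= line in the decoy section is deliberately ignored: only the [autorun] section is parsed, which is why the code tracks sections instead of grepping the file for keywords. On an endpoint with AutoRun disabled this file does nothing, but the check is still useful for deciding whether a drive should be quarantined before it is handed to a user.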
This manipulation of AutoRun is a common theme in many malware variants that plague IT environments today. For example, the SillyFDC worm that infected Army systems in 2008 used a similar method. Any USB device connected to an infected machine would become infected and would then infect any other machine to which it was connected; that machine would in turn begin infecting other USB devices plugged into it. This is how such malware moves from machine to machine via USB devices, and this worm-like propagation method copies itself to all available drives, shares, removable media and peer-to-peer application file folders.

This can greatly increase the exposure surface of an organization that may otherwise have its network security bases covered. In fact, Microsoft recently announced its finding that Windows XP users were 10 times more likely to get infected when faced with such an attack.

In addition to propagating malware, USB drives have also proven to be exceptional hacking platforms for attackers with physical access to corporate machines. One of the many legitimately useful features of USB drives is their ability to act as a "PC on a stick" through platform and virtualization utilities such as BartPE/PeToUSB, UBCD4, UNetBootin and MojoPac. But again, this legitimate capability can also be turned to dark purposes. It makes it possible for malicious users to carry their entire Windows hacking lab on a USB device and run it on virtually any PC with an available USB port. When the malicious user is done, she simply removes the USB device and leaves with little trace (Windows does record the device's identifiers in the USBSTOR registry key and the setupapi log, which is what forensic examiners rely on afterwards).

USB Malware in the Headlines

As an example of just how easily malware can propagate through USB, at a 2010 conference a major software company unknowingly gave away promotional USB drives that were infected by an AutoRun worm. The kicker? The conference in question was the Australian Computer Emergency Response Team (AusCERT) 2010 conference, a security conference. [3]

3. SC Magazine US, IBM distributed infected USB drives at conference, Angela Moscaritolo (May 24, 2010)
Stuxnet Crisis

In 2010, the IT community witnessed how dangerous USB-propagated malware truly can be when the Stuxnet family of Trojans [4] came to light. Uncovered by researchers in the summer of 2010, Stuxnet was found to be spread primarily by USB. Unlike many previous USB worms, which depend on the Windows AutoRun feature to get the malware loaded onto a machine, Stuxnet was different. This worm took advantage of a vulnerability in the handling of shortcut (.lnk) files placed on the infected drive (CVE-2010-2568, patched by Microsoft in MS10-046). A user could infect a machine just by browsing the drive's files in Windows Explorer. The malware took advantage of the process by which Windows loads display icons for .lnk files: as soon as the user browses the USB drive and the machine tries to render the files, the malware hijacks that process and initiates infection. At no point does the user ever need to launch a file, either manually or through AutoRun.

[Figure: Stuxnet-related search strings can lead users to any of the following payloads: sites that exploit CVE-2010-0886 and CVE-2010-1885; the download of TROJ_FAKEAV.SMZU; the download of TROJ_CODECPAY.AY]

While it soon became apparent that Stuxnet posed very little threat to the typical IT environment (the malware was extremely targeted, built to attack industrial control systems), its attack methods should act as a striking warning of the types of USB-propagated attacks we should expect in coming years.

"The Stuxnet worm is a clever, complex example of a targeted threat. But security managers should not make the mistake of thinking that this level of malware — or the even more sophisticated attacks to come — requires state sponsorship," John Pescatore and Earl Perkins wrote in a Gartner brief. "This attack represents an innovative combination of techniques that have already been used in financially motivated cybercrime attacks." [5]

4. Microsoft Malware Protection Center, Trojan:WinNT/Stuxnet.B (research entry)
5. Gartner, Don't Think Targeted Attacks Like Stuxnet Can't Hit You (September 2010)
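For a responder who needs to triage shortcuts found on a suspect drive, the following Python is an added example, not from the white paper or from any of the Stuxnet analyses it cites. It reads the ShellLinkHeader and LinkTargetIDList of a .lnk file and flags the shape the icon-loading abuse relies on: an ID list that walks into the Control Panel folder and carries an embedded path to the module Explorer would load in order to draw the icon. It builds one benign and one hostile shortcut in memory (constructed samples, with a placeholder module name) so that it runs offline.

```python
"""Heuristic triage of Windows shortcut (.lnk) files for the icon-loading abuse
described above (MS10-046 / CVE-2010-2568). Added example with constructed
samples; no real malware is embedded."""
import re
import struct
import uuid

HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
HAS_LINK_TARGET_ID_LIST = 0x1
# Four or more printable UTF-16LE characters in a row.
WIDE_STRING = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_header(blob: bytes) -> int:
    """Validate the 76-byte ShellLinkHeader and return its LinkFlags."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, flags = struct.unpack_from("<I16sI", blob, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a shell link file")
    return flags


def parse_idlist(blob: bytes, offset: int) -> list:
    """Split the LinkTargetIDList at offset into its ItemID payloads."""
    (list_size,) = struct.unpack_from("<H", blob, offset)
    pos, end = offset + 2, offset + 2 + list_size
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", blob, pos)
        if item_size == 0:                  # TerminalID closes the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(blob[pos + 2:pos + item_size])
        pos += item_size
    return items


def lnk_risk(blob: bytes) -> dict:
    """Report whether the ID list enters the Control Panel folder and embeds a
    path: the module named there is what Explorer loads to draw the icon."""
    flags = parse_header(blob)
    report = {"control_panel_item": False, "embedded_paths": [], "suspicious": False}
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return report
    for item in parse_idlist(blob, HEADER_SIZE):
        if CONTROL_PANEL_CLSID.bytes_le in item:
            report["control_panel_item"] = True
        for m in WIDE_STRING.finditer(item):
            text = m.group().decode("utf-16-le")
            if "\\" in text:                # looks like a file or UNC path
                report["embedded_paths"].append(text)
    report["suspicious"] = report["control_panel_item"] and bool(report["embedded_paths"])
    return report


# --- constructed samples -----------------------------------------------------
def _item(payload: bytes) -> bytes:
    return struct.pack("<H", len(payload) + 2) + payload


def _clsid_item(guid: uuid.UUID) -> bytes:
    # Shell-folder ItemIDs: type byte 0x1F, a sort-order byte, then the GUID.
    return _item(b"\x1f\x50" + guid.bytes_le)


def build_lnk(items: list) -> bytes:
    """Assemble a minimal .lnk: header with HasLinkTargetIDList, then the list."""
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID.bytes_le, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))
    idlist = b"".join(items) + b"\x00\x00"  # TerminalID
    return header + struct.pack("<H", len(idlist)) + idlist


# Ordinary shortcut: My Computer, then a drive item with an ANSI path.
SAMPLE_BENIGN = build_lnk([_clsid_item(MY_COMPUTER_CLSID), _item(b"\x2f" + b"C:\\\x00")])
# Exploit shape: My Computer -> Control Panel -> item naming a module on the
# removable drive. The name is a placeholder; note it need not end in .dll.
SAMPLE_MALICIOUS = build_lnk([
    _clsid_item(MY_COMPUTER_CLSID),
    _clsid_item(CONTROL_PANEL_CLSID),
    _item(b"\x00\x00" + "E:\\~evil.tmp".encode("utf-16-le") + b"\x00\x00"),
])

if __name__ == "__main__":
    for name, blob in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        print(name, lnk_risk(blob))
```

The check is a heuristic for triage, not a substitute for the patch: confirm MS10-046 is installed rather than relying on scanning drives. The detector keys on the Control Panel item plus any embedded path rather than on a file extension, because the modules Stuxnet dropped on the drive carried a .tmp name, not .dll.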
Balancing USB Usefulness with Protection

It is now difficult to return to the days of yore when IT administrators would simply glue USB ports shut and call their endpoints secure. USB devices are an everyday necessity whether you're running a mom-and-pop business, a corporate office or a government department.

The truth is that portable devices have done great things for the business world, which leverages these devices for incredible productivity gains. A late 2010 survey found that all of the nearly 230 workers surveyed own at least one USB flash drive, and more than half own three to six of these devices.

Today's workers can use ultra-portable flash drives to easily transfer large amounts of data between locations. They can use these same devices to store important presentation material while on the road at conferences and sales meetings. And large organizations can quickly disseminate information to a large number of customers or employees by loading data onto USB devices and distributing them to the right people.

"The issue isn't USB ports or flash drives. We need USB – keyboards and iPods don't work without USB. And flash drives have their place," writes John Kindervag of Forrester Research. "The solution isn't to ban all flash drives or to buy glue; the solution starts with changing our Trust Model." [6]

USB Security Best Practices

So what exactly does it take to change our trust models? It starts with smart policy development. Some key policies that organizations should consider to reduce their risks right off the bat include:

»» Ensuring common PC and laptop configurations have AutoRun disabled, limiting the efficacy of USB malware that depends on this feature to run and to propagate.
»» Requiring timely installation of security updates in order to minimize the risk of USB-borne malware taking advantage of unpatched endpoint vulnerabilities.
»» Limiting USB and portable device access to registered devices only, enabling better control over who is using which devices, when and how.
»» Preventing the execution of some or all executables from portable devices, blocking malware from running in the first place.
»» Requiring strong passwords (and not allowing the use of default passwords) throughout your infrastructure to prevent worms such as Stuxnet from working their way further into systems.
»» Requiring proper, up-to-date anti-virus and firewall usage to prevent malware from gaining a foothold within the endpoint and spreading to other systems in the network.

While the first battle in the war against mobile malware starts with the development of clear, in-depth policies regarding the use of removable devices and media, the ultimate fight still remains. None of those policies amount to much without solid enforcement. Unfortunately, most organizations have not yet gotten that message. A recent Ponemon Institute study found that only 26 percent of organizations utilize device control to put real 'teeth' into their policy enforcement. [7]

Enforcement: Putting Teeth in Policies

By enforcing usage policies for removable devices such as USB flash drives and other removable media such as CDs and DVDs, you can control the flow of inbound and outbound data at your endpoints. Devices that are not authorized should simply not be allowed to operate. Ideally, organizations should look for tools and develop processes that enable them to establish and enforce device control policies as quickly, simply and methodically as possible. The idea is to let users continue to use approved devices without resorting to an outright blanket ban. Policies should be manageable by user or user group as well as by computer, and organizations should look for capabilities that let user groups be associated with devices immediately, "on the fly." The goal is to dramatically simplify the management of endpoint device resources through improved tracking of who is using which devices, when and how. By validating removable devices as they are used within the enterprise, you can prevent malware from being introduced into the network. This includes assigning permissions for authorized removable devices and media to individual users or user groups, and controlling the upload of unknown or unwanted files from removable devices.

Organizations should also widen the lens a bit and think about more than just simple device control. Defense in depth should play a role in risk mitigation. For example, application whitelisting can help prevent risky applications from starting on endpoints by controlling the trust factors that permit execution, such as the code's source, who authorized the application, whether it is running on other stable systems within the network, and where the application originated. And the use of encryption to augment defenses could make network assets less attractive to potential attackers.

Finally, organizations should consider revisiting end-user training to ensure it covers the risks posed by USB devices. That one-time discussion on the first day at work has likely been long forgotten by most employees and is undoubtedly obsolete anyway. After all, these workers really are your first, last and best defense against USB attacks. That's why IT professionals need to remember that in order to win over the hearts and minds of line-of-business users, they'll need to institute policies and practices that don't adversely affect these workers' daily productivity. This means taking control of USB device usage without stooping to wholesale purchases of superglue.

By developing policies and implementing solutions that enable a more flexible but easily trackable environment, IT departments become partners in security and business success rather than technology mall cops to be disregarded at all costs. Enterprises with such forward-looking technology decision-makers will gain a decisive productivity advantage while protecting their organizational endpoints.

6. Forrester Research, Go Long on Glue Manufacturers, John Kindervag (August 25, 2010)
7. Ponemon Institute, State of Endpoint Risk 2011 (Nov. 2010)
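To make the first, third and fourth policies in the best-practices list (AutoRun off, registered devices only, no execution from portable devices) and the per-endpoint enforcement discussed above concrete, the following Python is an added example, not Lumension's product and not code from the white paper. It writes and audits the registry values that the corresponding Group Policy settings set, using winreg when run on Windows, and keeps the audit as a pure function so it can also be run against a snapshot of values captured from an endpoint. The hardware ID passed to the allow-list is a placeholder; real ones come from the Hardware Ids property in Device Manager for each device you register.

```python
"""Apply and audit the AutoRun and removable-device controls from the
best-practices list, using the registry values the matching Group Policy
settings write. Added example; not the paper's or Lumension's code. winreg
exists only on Windows, so the audit is a pure function that also works on a
snapshot of values captured elsewhere."""
try:
    import winreg
except ImportError:        # not Windows: audit() still works on snapshots
    winreg = None

EXPLORER = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
REMOVABLE_DISKS = (r"SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
                   r"\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}")   # Removable Disks class
DEVICE_INSTALL = r"SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions"

# value name -> (subkey under HKLM, expected DWORD)
CONTROLS = {
    "NoDriveTypeAutoRun":  (EXPLORER, 0xFF),       # AutoRun off for every drive type
    "NoAutorun":           (EXPLORER, 1),          # never execute autorun.inf commands
    "HonorAutorunSetting": (EXPLORER, 1),          # XP/2003 only, needs KB967715
    "Deny_Execute":        (REMOVABLE_DISKS, 1),   # no execution from removable disks (Vista+)
    "DenyUnspecified":     (DEVICE_INSTALL, 1),    # block devices not covered by an allow list
    "AllowDeviceIDs":      (DEVICE_INSTALL, 1),    # ...and turn the hardware-ID allow list on
}
HINTS = {"HonorAutorunSetting": " (XP/2003 ignore NoDriveTypeAutoRun without it)"}


def audit(snapshot: dict, legacy_os: bool = False) -> list:
    """snapshot maps value name -> DWORD or None (absent). Returns the
    controls that are not in force. HonorAutorunSetting is only checked on
    XP/2003 (legacy_os), where it decides whether NoDriveTypeAutoRun applies."""
    problems = []
    for name, (_, expected) in CONTROLS.items():
        if name == "HonorAutorunSetting" and not legacy_os:
            continue
        actual = snapshot.get(name)
        if actual != expected:
            problems.append(f"{name}: expected {expected:#x}, found {actual!r}" + HINTS.get(name, ""))
    return problems


def read_snapshot() -> dict:
    """Read the current values from HKLM (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    snap = {}
    for name, (subkey, _) in CONTROLS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                snap[name] = winreg.QueryValueEx(key, name)[0]
        except OSError:                   # key or value absent
            snap[name] = None
    return snap


def apply_controls(allowed_hardware_ids: list) -> None:
    """Write the controls and the device allow-list. Run elevated, Windows only.
    allowed_hardware_ids are placeholders here; take real ones from the
    Hardware Ids property in Device Manager for each device you register."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    for name, (subkey, value) in CONTROLS.items():
        with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, value)
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, DEVICE_INSTALL + r"\AllowDeviceIDs") as key:
        for i, hwid in enumerate(allowed_hardware_ids, start=1):
            winreg.SetValueEx(key, str(i), 0, winreg.REG_SZ, hwid)   # values named 1, 2, ...


if __name__ == "__main__":
    if winreg is None:
        # Off-box demonstration on a constructed snapshot of a default install.
        print(audit({"NoDriveTypeAutoRun": 0x95}, legacy_os=True))
    else:
        print(audit(read_snapshot()) or ["all controls in force"])
        # apply_controls([r"USBSTOR\Disk&Ven_Example&Prod_Registered"])  # placeholder ID
```

Three caveats a practitioner should know before rolling this out. NoDriveTypeAutoRun alone does not fully disable AutoRun on Windows XP and Server 2003 until update KB967715 is installed and HonorAutorunSetting is 1, which is why the audit reports that value on legacy systems; this is also why the list's patching policy cannot be separated from its AutoRun policy. Deny_Execute and the DeviceInstall restrictions are Vista-era policies that older endpoints ignore. And DenyUnspecified blocks installation of every new device that no allow list covers, so allow-list the device classes you depend on (the AllowDeviceClasses policy) before pushing it widely; in a domain these values should be delivered by Group Policy rather than by a script.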
About Lumension Security, Inc.

Lumension Security, Inc., a global leader in operational endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, and Compliance and Risk Management offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Florida, Texas, Luxembourg, the United Kingdom, Germany, Ireland, Spain, France, Australia, and Singapore. Lumension: IT Secured. Success Optimized.™ More information can be found at www.lumension.com.

Lumension, Lumension Patch and Remediation, Lumension Vulnerability Management Solution, "IT Secured. Success Optimized.", and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.

Global Headquarters: 8660 East Hartford Drive, Suite 300, Scottsdale, AZ 85255 USA; phone: +1.888.725.7828; fax: +1.480.970.6323; www.lumension.com

Vulnerability Management | Endpoint Protection | Data Protection | Compliance and IT Risk Management