U.S. military compromised by removable media malware: Five ways to avoid the same fate

Defense Secretary Lynn has been discussing a 2008 compromise of U.S. military network security by a foreign intelligence agency. The DOD is taking measures to protect itself. You should do the same.

The Washington Post reports in Defense official discloses cyberattack:

The most significant breach of US military computers was caused by a flash drive inserted into a US military laptop on a post in the Middle East in 2008.

A foreign intelligence agency managed to place malware on a USB flash drive that was later plugged into the US military laptop, infecting it. From there, the infection made its way onto a U.S. military Central Command network. According to Defense Secretary William J. Lynn III:

"That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control."

"It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary."

With the growth of widespread network-delivered malware infections in today's almost universally connected world, it can be easy to forget that sometimes the old methods are still effective. In the 1990s, people who used computers on a regular basis were much more cognizant of the potential danger of viruses that could move from computer to computer via removable media like floppy disks.

The threat has not gone away just because it is often easier to infect many computers over the network instead. In fact, if your organization is very well-protected from network threats, a determined attacker may well take advantage of the relatively low level of protection used for other means of infection like removable media. Even for those of us who may not be likely targets of such attacks, the development of malware that uses removable media as an infection vector can also catch many of the rest of us in the crossfire, if we are not careful.

There are a number of measures that can be employed to reduce your vulnerability to malware that infects MS Windows computers via USB flash media and other removable media. A few of them are explained here.

How to avoid removable media malware

#1 Disable AutoRun

The most common mechanism used to infect a computer from removable media is MS Windows AutoRun: when media is inserted, Windows reads an autorun.inf file from its root and can launch whatever executable that file names. This is distinct from AutoPlay, the prompt that offers to start your media player for a CD or DVD or to open a folder to view files, although the two are controlled by the same settings, and a malicious autorun.inf can add its own disguised entry to the AutoPlay menu. AutoRun exists so that installers start by themselves when installation media is attached to the system, whether through the CD-ROM tray or a USB port. Those installers can be started manually from Windows Explorer instead, and if malware has to be run manually too, it is much less likely to infect your computer. Microsoft Knowledge Base article 967715 documents how to turn AutoRun off, either through the "Turn off Autoplay" Group Policy setting or through the NoDriveTypeAutoRun registry value (0xFF disables it for every drive type).

#2 Implement restrictive removable media policy

The most foolproof way to protect yourself against malware that infects computers via removable storage media is to disallow all removable media usage. If no removable media can be used with your computers, no infected removable media will be used with your computers. Because this is not always an option, there are alternatives, including limiting removable media to specific items that have been checked and approved, and disallowing their use anywhere else where they might pick up infections to bring back to the network.

#3 Check all removable media on a secured system before use

A computer set up specifically to check media for malware that could affect the rest of your systems can do a great deal to keep your IT resources safe. Set it up with all AutoRun capabilities deactivated, and preferably running an OS that is not itself susceptible to the malware that targets the systems you want to protect; Unix-like OSes such as BSD Unix and Linux-based systems serve well in this capacity when protecting an MS Windows network. Keep the system segregated from all network resources so that it cannot transmit malware from tested media across the network, and run no unnecessary software on it, so there is less opportunity for it to become infected as well. It is preferable to boot it from read-only media or to re-image the boot drive between uses, and to mount the media under test read-only. Run malware scans on the media and inspect its contents, including the autorun.inf file and whatever that file points at, while it is connected to the secured system. Combined with a restrictive removable media policy, this achieves a very effective level of protection.
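The following script is an added example for the checking station described above; it is not code from the article. Run on the segregated Unix-like host, it parses an autorun.inf the way Windows AutoRun reads it, lists every entry that can run code (open=, shellexecute=, and the shell\verb\command= entries that end up in the AutoPlay menu), and reports whether each target actually exists on the media, whether it is an executable type, and whether it points outside the media altogether. The two sample autorun.inf files in it are constructed for the demonstration, and the parsing rules (junk lines ignored, first occurrence of a key wins) are my summary of Windows behaviour, not something the article states.

```python
"""Inspect an autorun.inf on a segregated checking station and report what
Windows AutoRun would launch from the media.  Added example, not the
article's code; autorun.inf semantics are a summary of the documented keys
(open, shellexecute, shell, shell\\<verb>\\command)."""
import posixpath
import re
import tempfile
from pathlib import Path

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEYVALUE_RE = re.compile(r"^\s*([^=\[\];][^=]*?)\s*=\s*(.*?)\s*$")
# Extensions Windows runs directly; other targets are reported but not flagged.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta", ".msi"}

# Constructed samples for the demo and tests (not files captured in the wild).
BENIGN_INF = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Installer
"""
OBFUSCATED_INF = r""";Z8qkLwT
[AUTOrun]
zXq7=oe8R
ShellExecute=RECYCLER\S-1-5-21-3\update.dll.exe
action=Open folder to view files
shell\open\command=RECYCLER\S-1-5-21-3\update.dll.exe
shell=open
junk without an equals sign is skipped by Windows
"""


def parse_inf(text):
    """Return {section: {key: value}} with names lower-cased.  Lines that are
    neither a [section] nor key=value are ignored, as Windows ignores them,
    which is why junk-padded files still work.  Assumed: the first occurrence
    of a key wins, matching GetPrivateProfileString behaviour."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        m = KEYVALUE_RE.match(line)
        if m and current is not None:
            sections[current].setdefault(m.group(1).lower(), m.group(2))
    return sections


def launch_targets(sections):
    """[(key, command)] for every entry that can run code: open= and
    shellexecute= fire on insertion when AutoRun is on; each
    shell\\<verb>\\command= adds a menu entry, and shell= names the default."""
    autorun = sections.get("autorun", {})
    found = [(k, autorun[k]) for k in ("open", "shellexecute") if k in autorun]
    default_verb = autorun.get("shell", "").strip().lower()
    for key, value in autorun.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            suffix = " (default verb)" if parts[1] == default_verb else ""
            found.append((key + suffix, value))
    return found


def command_target(command):
    """First token of a Windows command line, honouring double quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command.split() else ""


def assess(text, present_files):
    """Findings for one autorun.inf.  present_files: lower-case, '/'-separated
    paths of the files on the media, relative to its root."""
    findings = []
    for key, command in launch_targets(parse_inf(text)):
        target = command_target(command)
        rel = posixpath.normpath(target.replace("\\", "/")).lower()
        outside = (rel.startswith(("/", "../")) or rel == ".."
                   or re.match(r"^[a-z]:", rel) is not None)
        findings.append({
            "key": key,
            "command": command,
            "target": rel,
            "on_media": rel in present_files,
            "outside_media": outside,
            "executable": posixpath.splitext(rel)[1] in EXECUTABLE_EXTS,
            "trigger": ("on insertion" if key in ("open", "shellexecute")
                        else "when the user picks the menu entry"),
        })
    return findings


def inspect_media(root):
    """Walk a mounted (read-only, noexec) media root and assess its autorun.inf."""
    root = Path(root)
    present = {p.relative_to(root).as_posix().lower()
               for p in root.rglob("*") if p.is_file()}
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    return [] if inf is None else assess(inf.read_text(errors="replace"), present)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as media:   # stand-in for the mount point
        Path(media, "autorun.inf").write_text(OBFUSCATED_INF)
        payload = Path(media, "RECYCLER", "S-1-5-21-3", "update.dll.exe")
        payload.parent.mkdir(parents=True)
        payload.write_bytes(b"MZ")                  # constructed stand-in payload
        for f in inspect_media(media):
            print(f"{f['key']}: {f['command']!r} runs {f['trigger']}; "
                  f"present on media: {f['on_media']}, executable: {f['executable']}")
```

Point inspect_media() at the mount point of the media under test (mounted read-only and noexec on the checking host). Anything reported with trigger "on insertion" is what an AutoRun-enabled Windows machine would have executed the moment the media was plugged in; a menu entry whose action= text mimics "Open folder to view files" while its command points at an executable buried in a directory such as RECYCLER is the disguise to look for.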

#4 Choose to ban all removable media

Depending on how far you want to go, you could simply disconnect the data cables for various removable media reading devices and lock the case so they cannot be reconnected without a key; remove the devices entirely (and still lock the case); or even semi-permanently plug or destroy the interface used to plug in external devices, such as by filling sockets with epoxy or clipping the pins on a motherboard where the cable for a system case USB port is attached.

#5 Implement the basics

Of course, educating your users and ensuring that anti-malware scanning is running on the systems you want to protect (configured to scan removable media as soon as it is attached) are two of the most important steps you can take, and can easily mean the difference between being safe and merely thinking you are safe.

The defeatist approach is always an option too. You can console yourself with what a friend said to me when told about this article while it was being written:

"The Pentagon spends billions of dollars a year in an ultimately futile attempt to secure its network against cyberattack. Why do you think your underpaid and overworked IT Administrator is going to succeed where they have failed?"

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

29 comments
mrkid

I didn't read all the responses, so I'm not sure if someone already touched on this, but you can simply turn off USB writing on a desktop OS via the registry. Why would you buy a case, or break your USB ports? Really?

Ocie3

Quote: ".... The most common mechanism used to infect removable media and, through that, to infect computers, is MS Windows AutoRun. This is distinct from AutoPlay, which automatically starts up your media player and starts playing audio or video media from, for instance, a CD or DVD. ...." As far as I've been able to determine so far, both features are controlled by the value which is set for the same Registry key in Windows XP Home Edition. The value 0xFF is said to disable both (although at least one publication has stated that the value should be 0x95). I am even less sure that 0x65 disables autorun/autoplay for USB devices, but allows autorun/autoplay for optical drives. Regardless, I suppose that I should look at the Registry key value, because when I loaded a game installation disc in the DVD player tonight, the installer began running -- much to my surprise! Do you know whether there is another Windows XP Registry key which controls Autorun separately from Autoplay?

justPaulo

I think that the #1 measure should be "Disable Windoze at all" from running in serious environments, unless of course, the U.S. military Central Command network is not to be included in such pertinent category.

gshollingsworth

Simply physically disabling USB ports is not an option. I just set up a machine today with no PS/2 kbd and mouse ports. It is also getting harder to find USB kbds w/o an integrated hub. Finally, the user simply provides their own USB hub to plug in kbd, mouse, and USB storage. Even logically disabling the USB storage driver is not always an option. A layered approach is always a good idea anyway.

AnsuGisalas

A wooden horse with Greeks in it! KISS works, luckily not just for the bad guys. I'll go disable my autorun now, thank you very much :)

seanferd

Well, pay no attention to the Security Theater behind the curtain. Look at real attempts to secure networks and devices.

JoeyD714

Or you could use ZoneAlarm. One day when an executive producer plugged his USB flash drive into my machine to DL a video I edited for him, ZoneAlarm sprang into action; ZoneAlarm said there was a worm on the flash drive & killed it. Not trying to endorse them, but since I've been using ZoneAlarm I haven't had any kind of major infections or intrusions. A few times I THOUGHT I did but using multiple other scanning tools showed that I didn't.

Sterling chip Camden

... he can if he's the one person who cares about it, instead of one of the hundreds who have only partial responsibility.

AnsuGisalas

We're talking about an inside job, remember? The registry isn't a safeguard, and it's not meant to be either. A physical prevention of USB use will prevent inside jobs of this kind. Of course, breaking the ports is extreme, but then, no lock is unpickable... a dude going in with the welding kit to repair a broken USB slot is at the very least easier to notice.

apotheon

I find it difficult to identify any flaws in your reasoning on this matter.

apotheon

AutoRun is an important part of probably the majority of infections that don't come in via phishing and browser vulnerabilities.

AnsuGisalas

When I try to change the reg key it doesn't take the value 0xFF... I'll have to do some more reading when I find the time. They couldn't make it easy, could they?

Jaqui

We don't have to worry about it on the *x systems, since autorun doesn't exist for them. And the wildly divergent systems make a widely exploitable system extremely unlikely.

Neon Samurai

Well, you did it, but here's an option for the future. Open Control Panel, then Admin Tools. Open the local policy editor (or run mmc and add the applicable plugin).

Local Computer Policy\Computer Configuration\Administrative Templates\System\Turn Off Autoplay = Enabled = All drives
Local Computer Policy\User Configuration\Administrative Templates\System\Turn Off Autoplay = Enabled = All drives

You have to set it in both places and on the local machine, but it'll save you going into regedit. (Though you could also do an easy .reg file to import both settings, probably.)

AnsuGisalas

I followed the link in the article to the windows "help"-page *cough*... http://support.microsoft.com/kb/967715 It says to edit the key NoDriveTypeAutoRun entering the value 0xFF, but it's a data field, and won't take something that isn't a Hex value... so I gotta figure out what to put in there to set all the bits. Don't have time for hack-and-see right now though. I guess this is just one of those things to ensure that the non-coding users are left to the sharks :( EDIT: I figured it out. And I feel dumb, but it will pass.

Neon Samurai

My grief is with the policy rule being set in Active Directory but not being made effective on the client nodes. "No autorun"... set and confirmed but ineffective. As a result, we've had to manually set the local policy rule on all our machines. Even then, it has to be set under both user and machine branches. Should be no registry hacking involved... well, unless you're on a Home version, possibly. (I didn't read back up the thread to confirm if I knew what you were talking about.)

apotheon

It's Microsoft. Why would Microsoft want to make it easy to disable one of the "convenience" features it has, in its infinite wisdom, decided must be foisted upon every user everywhere whether they want the security nightmare that comes with it or not?

apotheon

I try to keep up with discussion following my articles. By the way, your reference to Tanenbaum inspired me to write an article that prominently mentions MINIX 3. That article should be appearing in a matter of days, I suspect.

Neon Samurai

I figured it would be a heavy task to do if any deeper than a high level overview. It would be interesting if someone out there does have time to focus on one thing for that long. I'm in the same boat generally. I've had Ubuntu in a VM for a week now and still haven't had time to start poking at it beyond the questions I posted in one of the discussions.

justPaulo

:-) You're absolutely right, my fault: Andrew S. Tanenbaum. Nothing to do with the RIAA's crusades! I thought nobody read this anyway...

apotheon

I'm unlikely to have the time to devote to such a task in the near future, though I'd be happy to collaborate with someone else with similar (or greater, naturally) expertise who does have the time and inclination. Frankly, while an early review of something like Ubuntu is entirely possible for someone who just sits down with it and tinkers for a weekend, a meaningful security assessment really requires someone who is familiar with it in much more depth -- from regular use -- to be involved. I'm considering a user-level review, without much/any focus on security, of an OS that few TR community members have encountered, in the near future. I am not planning an in-depth security analysis of any OS at all right now, including the OS I use most often, because of the time involved in doing it right. When it comes to security analysis, an OS is a huge topic to tackle. The closest I might get in the next few months might be to just attack between one and three specific security blunders in a particular OS, or to very sketchily list a larger number of security mistakes, and even that is not likely to happen soon.

Neon Samurai

Actually, I was just thinking earlier today that someone should do a full security analysis of the latest Ubuntu default install. I have some things that I've listed in discussion following one of Jack's recent articles but I'm curious to see a detailed tear-down beyond my own knowledge.

apotheon

The first Tanenbaum that comes to my mind is Andrew, not J. I hope I don't feel like an idiot later for forgetting an important J. Tanenbaum. edit: Judging by the way you mention the name, I tend to suspect you don't mean Joel Tanenbaum, of the legal case "RIAA v. Tanenbaum".

apotheon

It really does seem like that's the reasoning behind the development of certain Linux distributions, at times. It gives me headaches when I think about the horror of it too much. It's especially bad when I run across someone who doesn't understand there's a difference between "Linux" in the generic and "Ubuntu" in the specific, and this yokel says something categorical (and categorically nonsensical) like "Ubuntu is the most secure operating system!" It's not, of course.

justPaulo

Always use strong underwear and preferably the best operating system ever: the clay brick. Have people gone mad? What about real American science that brought us UNIX and RTOSes? Go read J. Tanenbaum please.

Neon Samurai

is to think "what would a secure distribution do?".. and then do the opposite.

Jaqui

will be yet another nail in the coffin for Ubuntu security. they already butcher it, so I have to agree, they will likely work at getting an autorun going, just to make it even less secure.

apotheon

I fully expect Ubuntu, for instance, to have finally and completely duplicated the security nightmare of MS Windows AutoRun within three or four years, if things continue the way they have over the last few years. My advice: prefer (and use) operating systems that favor correctness.