U.S. military compromised by removable media malware: Five ways to avoid the same fate

Defense Secretary Lynn has been discussing a 2008 compromise of U.S. military network security by a foreign intelligence agency. The DOD is taking measures to protect itself. You should do the same.

The Washington Post reports in Defense official discloses cyberattack:

The most significant breach of US military computers was caused by a flash drive inserted into a US military laptop on a post in the Middle East in 2008.

A foreign intelligence agency managed to place malware on a USB flash drive that was later plugged into a U.S. military laptop, infecting it. From there, the infection spread onto a U.S. Central Command network. According to Defense Secretary William J. Lynn III:

"That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control."

"It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary."

With network-delivered malware now the norm in an almost universally connected world, it is easy to forget that the old methods still work. In the 1990s, anyone who used computers regularly was well aware that viruses could travel from machine to machine on removable media such as floppy disks.

That threat has not gone away just because it is usually easier to infect many computers over the network. In fact, if your organization is well protected against network threats, a determined attacker has every reason to go after the comparatively weak protection most organizations apply to other infection routes, removable media among them. Even those of us who are unlikely to be singled out for such an attack can be caught in the crossfire by malware that uses removable media as its infection vector, if we are not careful.

There are a number of measures that can be employed to reduce your vulnerability to malware that infects MS Windows computers via USB flash media and other removable media. A few of them are explained here.

How to avoid removable media malware

#1 Disable AutoRun

The most common mechanism by which infected removable media go on to infect computers is MS Windows AutoRun: when a volume is attached, Windows reads an autorun.inf file from its root and can launch whatever program the file's open= or shellexecute= entry names. This is distinct from AutoPlay, the prompt that offers to start your media player when, for instance, an audio CD or DVD is inserted. AutoRun is what starts an installer when installation media is attached, whether through the CD-ROM tray or a USB port, and it is just as happy to start anything else an attacker wrote into autorun.inf. Turn it off. Windows 7 already ignores autorun.inf on USB storage (it still honors it on optical media); on XP and Vista, use the "Turn off Autoplay" Group Policy setting, or set the NoDriveTypeAutoRun value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF to cover every drive type, and apply Microsoft's update from KB 967715 so that the setting is actually honored. Anything AutoRun would have launched can still be started by hand from Windows Explorer -- and if the malware has to wait for someone to double-click it, your computer is much less likely to get infected. Keep in mind that this only removes the automatic part: a program whose name and icon make it look like a folder or a document still gets clicked, which is why the rest of this list matters.

#2 Implement restrictive removable media policy

The most foolproof way to protect yourself against malware that infects computers via removable storage media is to disallow all removable media usage. If no removable media can be used with your computers, no infected removable media will be used with your computers. Because this is not always an option, there are alternatives, including limiting removable media to specific, approved devices that have been checked, and disallowing their use anywhere else where they might pick up an infection to bring back to the network.

#3 Check all removable media on a secured system before use

A computer set up specifically to check media for malware before it touches the rest of your systems can go a long way toward keeping your IT resources safe. Build it with every AutoRun-like capability deactivated, and preferably on a platform that is not itself susceptible to the malware that threatens the systems you are protecting: Unix-like OSes such as BSD Unix and Linux-based systems serve well in this capacity when the network being protected runs MS Windows. Keep the system segregated from any network resources so it cannot pass malware from tested media across the network, and run no unnecessary software on it so there is less for an attacker to exploit. Mount each medium read-only and with execution disabled, so that looking at it cannot change it and nothing on it can run. It is preferable to boot the station from read-only media or to re-image its boot drive between uses as well. Run malware scans on the media and inspect their contents -- including the autorun.inf file, which tells you exactly what AutoRun would have launched on a Windows machine -- while they are connected to the secured system. Combined with a restrictive removable media policy, this gives a very effective level of protection.
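The checking station described above, as an added example rather than code from the original article: a small POSIX shell script for a Linux or BSD station that mounts a device read-only with execution disabled, reports every autorun.inf entry that Windows AutoRun would have executed (the mechanism from tip #1), lists files with executable extensions, and runs a ClamAV scan. The mount point, the device argument, and the presence of clamscan are assumptions, not something the article specifies; run with no argument and it exercises the checks against constructed sample content instead of a real device.

```shell
#!/bin/sh
# Quarantine-station check for removable media.
# Added example, not code from the original article. Assumptions:
# a Linux/BSD station, run as root, with clamscan (ClamAV) installed;
# the device to inspect is given as the first argument, e.g. /dev/sdb1.
# Usage: sh check_media.sh /dev/sdb1
#   (with no argument it runs against constructed sample content instead)

MOUNTPOINT="${MOUNTPOINT:-/mnt/quarantine}"   # assumed mount point

# Print every entry in autorun.inf that Windows AutoRun would execute.
# Only the [autorun] section counts, keys are case-insensitive, and CRLF
# line endings are normal. Returns 1 when the medium has no autorun.inf.
report_autorun() {
    inf="$1/autorun.inf"
    [ -f "$inf" ] || { echo "no autorun.inf on medium"; return 1; }
    tr -d '\r' < "$inf" | awk '
        { orig = $0; sub(/^[ \t]+/, "", orig); sub(/[ \t]+$/, "", orig); line = tolower(orig) }
        line ~ /^\[/ { section = line; next }
        section == "[autorun]" && line ~ /^(open|shellexecute|shell\\[^=]*\\command)[ \t]*=/ {
            print "would run: " orig
        }'
}

# List files whose extensions Windows treats as executable (case-insensitive).
list_executables() {
    find "$1" -type f \( -iname '*.exe' -o -iname '*.scr' -o -iname '*.com' \
        -o -iname '*.pif' -o -iname '*.bat' -o -iname '*.cmd' -o -iname '*.vbs' \
        -o -iname '*.js' -o -iname '*.dll' -o -iname '*.lnk' \) | sort
}

# Inspect an already-mounted medium: AutoRun targets, executables, AV scan.
inspect_media() {
    dir="$1"
    echo "== AutoRun entries =="
    report_autorun "$dir" || true
    echo "== executable-type files =="
    list_executables "$dir"
    echo "== antivirus scan =="
    if command -v clamscan >/dev/null 2>&1; then
        clamscan -r --infected "$dir"
    else
        echo "clamscan not installed; skipping"
    fi
}

# Mount so nothing on the medium can execute or be modified, inspect, unmount.
check_device() {
    dev="$1"
    mkdir -p "$MOUNTPOINT"
    mount -o ro,noexec,nosuid,nodev "$dev" "$MOUNTPOINT" || return 1
    inspect_media "$MOUNTPOINT"
    umount "$MOUNTPOINT"
}

if [ -n "${1:-}" ]; then
    check_device "$1"
else
    # No device given: run against constructed sample content (not real malware).
    demo=$(mktemp -d)
    mkdir -p "$demo/data"
    printf '[AutoRun]\r\nOpen=setup.exe\r\nShellExecute=.\\data\\update.exe\r\nIcon=setup.exe\r\nshell\\open\\command=setup.exe\r\n[Other]\r\nopen=ignored.exe\r\n' \
        > "$demo/autorun.inf"
    : > "$demo/setup.exe"; : > "$demo/data/update.exe"; : > "$demo/README.TXT"
    inspect_media "$demo"
    rm -rf "$demo"
fi
```

The ro,noexec,nosuid,nodev mount options are what make the station safe to use with hostile media: the inspection cannot alter the medium (and so cannot destroy evidence), and nothing on it can be executed even by accident. The autorun.inf parser deliberately ignores icon= and label= entries and any section other than [autorun], since those are the only entries Windows acts on; on the sample content it reports the open=, shellexecute= and shell\open\command= targets and nothing else.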

#4 Choose to ban all removable media

Depending on how far you want to go, you could simply disconnect the data cables for the various removable media devices and lock the case so they cannot be reconnected without a key; remove the devices entirely (and still lock the case); or even semi-permanently plug or destroy the interfaces used to attach external devices, for instance by filling the sockets with epoxy or clipping the pins on the motherboard header where the cable for a case-front USB port attaches. Remember that the ports on the back of the machine, and any USB hub built into a keyboard or monitor, need the same treatment.

#5 Implement the basics

Of course, educating your users and keeping up-to-date anti-malware scanning running on the systems you want to protect remain among the most important steps you can take, and can easily mean the difference between being safe and merely thinking you are safe. Keep in mind what Lynn said about the 2008 code: it spread undetected. Scanning catches what it knows about, which is exactly why the measures above, which do not depend on recognizing the malware, matter so much.

The defeatist approach is always an option too. You can console yourself with what a friend said to me when told about this article while it was being written:

"The Pentagon spends billions of dollars a year in an ultimately futile attempt to secure its network against cyberattack. Why do you think your underpaid and overworked IT Administrator is going to succeed where they have failed?"