Vulnerabilities / Threats
12/12/2012
12:52 PM
50%
50%

Could A Thumb Drive Stop Stuxnet?

Kingston launches USB thumb drives with built-in ESET antivirus software to eliminate viruses, Trojan applications, rootkits, and worms.

Is the data stored on your USB thumb drive safe from any malware on a PC it gets plugged into?

USB thumb drive manufacturer Kingston Technology this week announced that two of its drives from the Traveler line -- DataTraveler Vault Privacy and DataTraveler 4000 -- now come with an optional ClevX DriveSecurity feature, which requires 300 MB of the drive's space and includes built-in ESET antivirus software for nuking any viruses, worms, Trojan applications, rootkits, or adware that might attempt to infect the drive.

"When the drive owner authenticates to the flash drive, DriveSecurity launches immediately. It updates its virus signature and scans any changes (all new files, applications, etc.) to the flash drive," said ESET. "Upon user request, it checks the entire flash drive to ensure that it is free of malicious code." ESET also said its anti-malware software contains heuristic malware detection to help identity unknown threats. But the company said that the drive's antivirus software won't scan the PC that it gets plugged into.

Is antivirus software on USB thumb drives redundant? Or might it instead have helped prevent the outbreak of such malware as Stuxnet? Indeed, a USB key carrying Stuxnet appears to have been responsible for at least some of the resulting infections, which targeted an Iranian nuclear facility at Natanz. The caveat with Stuxnet, of course, is that the malware seems to have been introduced on purpose, likely by a U.S. agent, meaning it was meant to infect the USB drive and in turn systems at the facility.

[ Hacking group boasts of government, trade group exploits. Read more at Team Ghostshell Hackers Claim NASA, Interpol, Pentagon Breaches. ]

On the other hand, common malware that attempts to infect USB drives remains alive and well, in part because eradicating it is difficult given all of the different ways in which it can spread. For example, ESET last week reported that the second most prevalent virus is an auto-run worm known as Pronny, which spreads in part by infecting removable media. Once the worm infects a system, it then hides versions of itself elsewhere, including on network shares, and attempts to infect everything it can touch, including thumb drives.

USB drives can get infected in numerous ways, such as through supply chain insecurities during production. For example, IBM accidentally distributed thumb drives at an Australian security conference that were infected malware.

Other infection vectors involve employees using virus-infected kiosks or third-party PCs at airports or Internet cafes, giving the USB key to a friend whose PC happens to have a virus, or using the USB key on a corporate network where a virus is residing.

"In practice one sees both unintentional and intentional infection. Stuxnet is an example of the latter, where someone loaded malicious code onto the drive with the intent of getting that code onto a target system," said ESET security evangelist Stephen Cobb in a blog post. "Unintentional infection can occur when you place your USB flash drive into an inadequately protected system. Sure, you may detect the infection later, when you eventually place your drive into your own computer, but you could do a lot of damage before then."

As an example, Cobb references a case detailed earlier this year by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which in 2010 investigated an outbreak of malware tied to the Mariposa botnet. While the affected organization wasn't named, the industry was noted as being "the nuclear sector."

The investigators traced the infection back to a conference presentation, noting in an advisory that "an employee attended an industry event and used an instructor's universal serial bus (USB) flash drive to download presentation materials to a laptop." After the employee reconnected their laptop to the corporate network after returning to work, the malware spread, ultimately infecting 100 other network-connected systems.

As malware gets increasingly sophisticated, so, too, must the technology and strategies we use to detect and eradicate it (or, better yet, stop it before it ever makes it onto network systems). Our Rooting Out Sophisticated Malware report examines the tools, technologies and strategies that can ease some of the burden. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Solenoid
50%
50%
Solenoid,
User Rank: Apprentice
12/17/2012 | 4:33:48 PM
re: Could A Thumb Drive Stop Stuxnet?
Prevent Stuxnet? Yes, as its definition is known.

Prevent the next emergent Stuxnet? Unlikely. State-sponsored malware creators will account for available countermeasures. Remember the unprecedented complexity of Stuxnet? Expect them to top themselves in that respect next time, if it is even exposed.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
12/15/2012 | 2:32:42 PM
re: Could A Thumb Drive Stop Stuxnet?
Great idea! But why the heck did they partner with ESET? Just because it is the cheapest AV app out there? They should have partnered with the best.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5075
Published: 2014-12-27
Integer overflow in aswFW.sys 5.0.594.0 in Avast! Internet Security 5.0 Korean Trial allows local users to cause a denial of service (memory corruption and panic) via a crafted IOCTL_ASWFW_COMM_PIDINFO_RESULTS DeviceIoControl request to \\.\aswFW.

CVE-2011-4720
Published: 2014-12-27
Hillstone HS TFTP Server 1.3.2 allows remote attackers to cause a denial of service (daemon crash) via a long filename in a (1) RRQ or (2) WRQ operation.

CVE-2011-4722
Published: 2014-12-27
Directory traversal vulnerability in the TFTP Server 1.0.0.24 in Ipswitch WhatsUp Gold allows remote attackers to read arbitrary files via a .. (dot dot) in the Filename field of an RRQ operation.

CVE-2012-1203
Published: 2014-12-27
Cross-site request forgery (CSRF) vulnerability in starnet/index.php in SyndeoCMS 3.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that add user accounts via a save_user action.

CVE-2012-1302
Published: 2014-12-27
Multiple cross-site scripting (XSS) vulnerabilities in amMap 2.6.3 allow remote attackers to inject arbitrary web script or HTML via the (1) data_file or (2) settings_file parameter to ammap.swf, or (3) the data_file parameter to amtimeline.swf.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.