Vulnerabilities / Threats
12/12/2012
12:52 PM
Connect Directly
RSS
E-Mail
50%
50%

Could A Thumb Drive Stop Stuxnet?

Kingston launches USB thumb drives with built-in ESET antivirus software to eliminate viruses, Trojan applications, rootkits, and worms.

Is the data stored on your USB thumb drive safe from any malware on a PC it gets plugged into?

USB thumb drive manufacturer Kingston Technology this week announced that two of its drives from the Traveler line -- DataTraveler Vault Privacy and DataTraveler 4000 -- now come with an optional ClevX DriveSecurity feature, which requires 300 MB of the drive's space and includes built-in ESET antivirus software for nuking any viruses, worms, Trojan applications, rootkits, or adware that might attempt to infect the drive.

"When the drive owner authenticates to the flash drive, DriveSecurity launches immediately. It updates its virus signature and scans any changes (all new files, applications, etc.) to the flash drive," said ESET. "Upon user request, it checks the entire flash drive to ensure that it is free of malicious code." ESET also said its anti-malware software contains heuristic malware detection to help identity unknown threats. But the company said that the drive's antivirus software won't scan the PC that it gets plugged into.

Is antivirus software on USB thumb drives redundant? Or might it instead have helped prevent the outbreak of such malware as Stuxnet? Indeed, a USB key carrying Stuxnet appears to have been responsible for at least some of the resulting infections, which targeted an Iranian nuclear facility at Natanz. The caveat with Stuxnet, of course, is that the malware seems to have been introduced on purpose, likely by a U.S. agent, meaning it was meant to infect the USB drive and in turn systems at the facility.

[ Hacking group boasts of government, trade group exploits. Read more at Team Ghostshell Hackers Claim NASA, Interpol, Pentagon Breaches. ]

On the other hand, common malware that attempts to infect USB drives remains alive and well, in part because eradicating it is difficult given all of the different ways in which it can spread. For example, ESET last week reported that the second most prevalent virus is an auto-run worm known as Pronny, which spreads in part by infecting removable media. Once the worm infects a system, it then hides versions of itself elsewhere, including on network shares, and attempts to infect everything it can touch, including thumb drives.

USB drives can get infected in numerous ways, such as through supply chain insecurities during production. For example, IBM accidentally distributed thumb drives at an Australian security conference that were infected malware.

Other infection vectors involve employees using virus-infected kiosks or third-party PCs at airports or Internet cafes, giving the USB key to a friend whose PC happens to have a virus, or using the USB key on a corporate network where a virus is residing.

"In practice one sees both unintentional and intentional infection. Stuxnet is an example of the latter, where someone loaded malicious code onto the drive with the intent of getting that code onto a target system," said ESET security evangelist Stephen Cobb in a blog post. "Unintentional infection can occur when you place your USB flash drive into an inadequately protected system. Sure, you may detect the infection later, when you eventually place your drive into your own computer, but you could do a lot of damage before then."

As an example, Cobb references a case detailed earlier this year by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which in 2010 investigated an outbreak of malware tied to the Mariposa botnet. While the affected organization wasn't named, the industry was noted as being "the nuclear sector."

The investigators traced the infection back to a conference presentation, noting in an advisory that "an employee attended an industry event and used an instructor's universal serial bus (USB) flash drive to download presentation materials to a laptop." After the employee reconnected their laptop to the corporate network after returning to work, the malware spread, ultimately infecting 100 other network-connected systems.

As malware gets increasingly sophisticated, so, too, must the technology and strategies we use to detect and eradicate it (or, better yet, stop it before it ever makes it onto network systems). Our Rooting Out Sophisticated Malware report examines the tools, technologies and strategies that can ease some of the burden. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Solenoid
50%
50%
Solenoid,
User Rank: Apprentice
12/17/2012 | 4:33:48 PM
re: Could A Thumb Drive Stop Stuxnet?
Prevent Stuxnet? Yes, as its definition is known.

Prevent the next emergent Stuxnet? Unlikely. State-sponsored malware creators will account for available countermeasures. Remember the unprecedented complexity of Stuxnet? Expect them to top themselves in that respect next time, if it is even exposed.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
12/15/2012 | 2:32:42 PM
re: Could A Thumb Drive Stop Stuxnet?
Great idea! But why the heck did they partner with ESET? Just because it is the cheapest AV app out there? They should have partnered with the best.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio