The Evolution of Evil: Changes in the Use of USB Devices as Delivery Mechanisms for Malicious Code
Editor's Note: If you like this article, you may also be interested in Seth Fogie's related piece, Getting Owned: The USB Keystroke Injection Attack.
There is little doubt that the number and complexity of client-side attacks have steadily increased over the last few years. We have seen the rise of truly imaginative attacks that blend sophisticated exploits with social engineering and creative methods of deployment.
Arguably one of the most progressive attack platforms has been the use of USB media devices and drives as a launching point for attacks. While the use of USB drives as a medium for delivering malicious code is nothing new, we now see the emergence of a new spin to this tried-and-tested method.
In the Beginning: Attacks were Without Form
USB drives have become ubiquitous in daily computer use. They have become so inexpensive and commonplace that vendors routinely hand them out or include them "free" as an enticement when purchasing products.
As USB drives have become more common, so has their role in the transmission of malicious code.
Originally the attack was simply to put infected files on a USB storage device and hope that an unwary user would open one and thereby launch the malicious code.
This type of attack quickly morphed into more sophisticated methods as drive enhancements came out with embedded firmware to emulate CD-ROM drives.
While several types of these drives exist, the most widely known is the U3 drive. A U3 drive's controller firmware presents a small, read-only portion of the flash as an ISO 9660 CD-ROM volume. The business purpose for this functionality was to take advantage of the Microsoft Windows AutoRun feature, which automatically executes the commands stored in the autorun.inf file typically found in the root directory of a CD-ROM.
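Because the whole trick rests on what Windows finds in autorun.inf, a defender's first question when handling a suspicious volume is "what would this file have launched?". The following Python is an added example, not code from the original article or from any U3 product; it parses the `[autorun]` section of a file's contents, separates the directives that cause execution (`open`, `shellexecute`) from those that only change how Explorer presents the volume (`icon`, `label`, `action`), and tolerates files with no usable section at all. The two sample files embedded in the block are constructed for illustration, as are the function and class names.

```python
import configparser
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional

# [autorun] directives that cause a program to run when Windows honours AutoRun.
EXEC_KEYS = ("open", "shellexecute")
# Directives that only affect how Explorer shows the volume; they are worth
# recording because a hostile volume often dresses itself up with them.
PRESENTATION_KEYS = ("icon", "label", "action")


@dataclass
class AutorunFindings:
    present: bool                                   # was an [autorun] section found?
    launch_commands: dict = field(default_factory=dict)
    presentation: dict = field(default_factory=dict)

    @property
    def would_execute(self) -> bool:
        """True if AutoRun would start a program from this file."""
        return bool(self.launch_commands)


def analyze_autorun(text: str) -> AutorunFindings:
    """Parse autorun.inf text and report what AutoRun would do with it."""
    # autorun.inf is INI-style; keys are case-insensitive on Windows, and real
    # files are often sloppy, so parse leniently and never interpolate '%'.
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.optionxform = str.lower
    try:
        parser.read_string(text)
    except configparser.Error:
        # No section header, or otherwise unparsable: nothing AutoRun would act on.
        return AutorunFindings(present=False)

    # Section names are case-sensitive in configparser, so match them ourselves.
    sections = {name.lower(): name for name in parser.sections()}
    if "autorun" not in sections:
        return AutorunFindings(present=False)

    section = parser[sections["autorun"]]
    findings = AutorunFindings(present=True)
    for key in EXEC_KEYS:
        if section.get(key):
            findings.launch_commands[key] = section[key].strip()
    for key in PRESENTATION_KEYS:
        if section.get(key):
            findings.presentation[key] = section[key].strip()
    return findings


def scan_volume_root(root: Path) -> Optional[AutorunFindings]:
    """Look for autorun.inf (any case) at the root of a mounted volume."""
    for candidate in root.iterdir():
        if candidate.is_file() and candidate.name.lower() == "autorun.inf":
            # autorun.inf is usually ANSI text; ignore undecodable bytes rather than fail.
            return analyze_autorun(candidate.read_text(errors="ignore"))
    return None


# Constructed sample: a vendor disc that only sets an icon and a label.
SAMPLE_BENIGN = """[autorun]
icon=setup.exe,0
label=Vendor Driver Disc
"""

# Constructed sample: a volume that would launch a program and presents itself
# as an ordinary removable disk.
SAMPLE_SUSPICIOUS = """[AutoRun]
; constructed sample for illustration
Open=launch.exe
ShellExecute=launch.exe
Icon=%SystemRoot%\\system32\\shell32.dll,4
Label=Removable Disk
Action=Run setup
"""


if __name__ == "__main__":
    for name, text in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        f = analyze_autorun(text)
        print(f"{name}: would_execute={f.would_execute} "
              f"launch={f.launch_commands} presentation={f.presentation}")
```

Point `scan_volume_root` at the mount point of a drive imaged or mounted read-only and it returns `None` when no autorun.inf exists, otherwise the same findings object. The `would_execute` flag is the triage signal; the presentation directives are context for the analyst. Note that Windows only acts on this file where AutoRun is enabled for the volume type, and that after the 2011 Windows update that restricted AutoRun to optical media, an emulated CD-ROM such as a U3 partition is exactly the case that still qualifies, which is why the `NoDriveTypeAutoRun` policy, set to disable AutoRun for all drive types, remains the relevant host-side mitigation.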