Universal serial bus based software attacks and protection solutions

Article in Digital Investigation · April 2011
DOI: 10.1016/j.diin.2011.02.001 · Source: DBLP

3 authors: Dung Vu Pham (University of Melbourne), Ali Syed (Charles Sturt University), Malka N. Halgamuge (RMIT University)

All content following this page was uploaded by Malka N. Halgamuge on 02 November 2017.



Author's personal copy

digital investigation 7 (2011) 172–184

available at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/diin

Universal serial bus based software attacks and protection solutions

Dung Vu Pham a, Ali Syed a, Malka N. Halgamuge b,*

a School of Computing and Mathematics, Charles Sturt University, Study Centre Melbourne, Victoria 3000, Australia
b Department of Civil and Environmental Engineering, Department of Electrical and Electronic Engineering, The University of Melbourne, Grattan Street, Parkville, Victoria 3010, Australia

* Corresponding author. E-mail address: malka.nisha@unimelb.edu.au (M.N. Halgamuge).
1742-2876/$ – see front matter © 2011 Elsevier Ltd. All rights reserved.
doi:10.1016/j.diin.2011.02.001

Article history: Received 12 January 2010; received in revised form 26 January 2011; accepted 17 February 2011.

Keywords: USB; Flash drive; Autorun; Hack tool; Malware

Abstract

Information security risks associated with Universal Serial Bus (USB) storage devices have been serious issues since 2003, which marked the wide adoption of USB technologies in the computing industry, especially in corporate networks. Due to the insecure design and the open standards of USB technologies, attackers have successfully exploited various vulnerabilities in USB protocols, USB embedded security software, USB drivers, and Windows Autoplay features to launch various software attacks against host computers and USB devices. The purposes of this paper are: (i) to provide an investigation on the currently identified USB based software attacks on host computers and USB storage devices, (ii) to identify the technology enablers of the attacks, and (iii) to form a taxonomy of attacks. The results show that a multilayered security solution framework involving software implementations at the User Mode layer in the operating systems can help eliminate the root cause of the problem radically.
© 2011 Elsevier Ltd. All rights reserved.

1. Introduction

Universal Serial Bus (USB) is a communication standard which has been widely adopted in the computing industry for the last few years for replacing serial and parallel ports. USB offers a number of advantages such as high data processing speed, hot swapping, plug-and-play (PnP), and self-power supplying to peripherals, which helped it quickly gain popularity. The implementation of USB allows a wide range of different electronic devices to connect to computers, such as mice, keyboards, PDAs, gamepads, joysticks, scanners, printers, digital cameras, personal media players, flash drives, and external hard drives. However, the popularity of USB interface capable devices has resulted in increased risks to the information security of both host computers and USB devices. In this research, we investigate all the currently identified USB based software attacks, and develop a conceptual security framework for protecting host computers and USB drives from USB based software attacks. In detail, the following aspects are considered:

- Software attacks on host computers by USB based malware such as worms, viruses, and Trojan horses, and by USB based hack tools.
- Software attacks on USB drives by hack tools.
- A security framework for protecting both USB drives and host computers against USB based software attacks.

2. Previous work

Previous research has been conducted in three areas: (1) USB based software attacks on host computers, (2) software
attacks on USB devices, and (3) protection measures and best practices for preventing USB based software attacks.

2.1. USB based software attacks on host computers

USB based software attacks on host computers refer to software attacks launched from USB devices against host computers. Such attacks analyzed in previous research can be categorized into online attack mode, referring to attacks launched from USB drives which are inserted into running computers, and offline attack mode, which happens when attackers manage to boot the target computers from their crafted USB drives.

2.1.1. Online attack mode

Among the attacks on host computers, data theft has been the biggest concern related to USB devices in corporate environments since 2005, when USB 2.0 devices became popular. Data theft is normally conducted using various simple ad hoc programmed utilities which are capable of silently downloading some specific data files from host computers into USB drives (Alzarouni, 2006; Fabian, 2007). In 2006 and 2007, there was a substantial increase in the frequency and the level of complexity of USB based software attacks on computers, especially networked computers. The ad hoc programmed hack tools, automatically launched from USB drives, were capable of many kinds of data manipulation on computer systems such as changing registry settings, installing backdoors and other malicious code, stealing confidential information, and even downloading the system page file from a running computer to a USB drive (Alzarouni, 2006; Lee et al., 2007). Cryptography attacks were also common during the period, with the support of USB drives and some ad hoc programmed hack tools which are capable of exploiting operating systems' data encryption keys, OpenSSH, and Apache HTTPS servers (Harrison and Xu, 2007).

After the USB 2.0 standard, the U3 revolution, which became popular in 2007, has made U3 (USB) drives ultimate hacking tools. The applications installed on U3 drives can be executed without having to be installed on host computers. Attackers can simply craft their own U3 ISO images with the necessary hack tools to replace the original U3 ISO images on U3 drives, and take advantage of the technology to launch multi-payload attacks on the target computers (Alzarouni, 2006; Lee et al., 2007).

In 2008, a utility was developed to allow manipulating the information on inserted USB devices stored in the Windows registry. It was suggested that when such a utility is used in combination with other malicious code, it creates an additional protection layer for attackers who employ USB devices as attack tools (Thomas and Morris, 2008). Although the idea of manipulating the Windows registry by utilities or malware was not new, it did suggest another possibility of software attacks using USB devices. Obviously, skilled attackers can further improve the idea to help them clear their tracks or create obfuscating information on the host computers after completing their attacks.

2.1.2. Offline attack mode

The enabler for offline attack mode comes from the "boot from USB" capability of recent motherboards and Preinstallation Environment (PE) tools such as Windows PE and Bart PE. These PE tools make it possible for the cores of some Windows editions such as Windows XP and Vista to be installed on and booted from USB drives. Later on, miscellaneous toolkits such as antivirus software, data recovery, hard-drive diagnostics, zip software, web browsers, secure file transfer protocol (FTP), word processing, registry editor, product key viewer, network configuration, and remote desktop client tools were bundled into bootable USB drives (Gibson and Dyar, 2007).

Although the "boot from USB" feature was originally designed for computer administration purposes, bootable USB drives are also very powerful hack tools. With the aid of a few hundred-megabyte USB 2.0 drives, an attacker can boot the target computer from the USB drive and dump all the data from the host computer to the USB drive within half an hour. Even with cryptography, the cryptographic key materials stored in computer memory (RAM) were successfully retrieved with the aid of a bootable USB drive and a tiny plug-in of a few kilobytes in an experiment in 2008 (Halderman et al., 2008). Moreover, such attacks do not cause any damage to the host's operating system or data, nor do they require accounts on the host operating system.

2.2. Software attacks on connected USB drives

Similar to the data stored in host computers, data stored on USB drives and even secure USB flash drives are also vulnerable to different kinds of software attacks. USB drive security software bugs and the insecure nature of the communication channels between USB devices and host computers make many password-protected and even fingerprint-protected USB drives vulnerable to software attacks. On password-protected USB drives such as Safeboot Phantom and MXI MXP Stealth, weak passwords result in successful brute force attacks. On fingerprint-protected USB drives such as the BioSlimDisk iCool drives, imported fingerprints can be easily deleted with the support of a crafted program. This allows attackers to import their own fingerprints and compromise the security measures (Jeong et al., 2007; Bakker et al., 2007). The other type of attack on such devices is security protection bypass, which is conducted by exploiting vulnerabilities in the security software of USB drives. Successfully exploiting the vulnerabilities allows attackers to have direct access to the data stored in the secure partition of the devices (Jeong et al., 2007).

2.3. USB based malware

USB based malware is the most common type of USB based software attack. However, this type of attack has not been addressed in any of the previous papers. While attacks analyzed in previous research are normally target-specific and manually triggered, attacks by USB based malware are fully automated and do not normally have specific targets. USB based malware is believed to account for the majority of all USB based software attacks. However, this threat vector has not received enough attention, and further work on this type of attack is necessary.
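The malware described in this section, and the automatically launched attacks of Section 2.1.1, depend on Windows honouring an Autorun.inf on the drive types a USB device can present: removable for a flash drive, and CD-ROM for the CDFS partition of a U3 drive (Section 4.3). Section 2.4 lists disabling Autorun among the proposed controls; whether a given host actually has it disabled for those two types is a question about one policy bitmask. The Python below is an added example, not code from the paper or its authors. It decodes the Windows NoDriveTypeAutoRun registry value (under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer; a set bit disables Autorun for that drive type, 0xFF for all of them), reports which USB-facing types are still exposed, and audits a constructed inventory of per-host values. The hostnames and values in SAMPLE_INVENTORY are constructed sample data, with 0x91 standing in for a typical unhardened setting.

```python
"""Audit the Windows NoDriveTypeAutoRun policy for USB-facing Autorun exposure.

Added example, not part of the paper. The bit layout is that of the Windows
registry value NoDriveTypeAutoRun under
Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer: a set bit
disables Autorun for that drive type, 0xFF disables it for all of them.
SAMPLE_INVENTORY is constructed data standing in for values collected from hosts.
"""
from typing import Dict, List

# Drive-type bit -> name. A set bit means Autorun is disabled for that type.
DRIVE_TYPE_BITS: Dict[int, str] = {
    0x01: "DRIVE_UNKNOWN",
    0x04: "DRIVE_REMOVABLE",  # USB flash drives and card readers
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",     # network shares
    0x20: "DRIVE_CDROM",      # optical media and the CDFS partition of a U3 drive
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_RESERVED",
}
DISABLE_ALL = 0xFF
# The two drive types a USB storage device can present to the host.
USB_FACING_BITS = (0x04, 0x20)

# Constructed per-host values; 0x91 stands in for a typical unhardened setting.
SAMPLE_INVENTORY: Dict[str, int] = {
    "ws-01": 0x91,  # removable and CD-ROM both still honour Autorun.inf
    "ws-02": 0xFF,  # Autorun disabled everywhere
    "ws-03": 0xB5,  # 0x91 with the two USB-facing bits added
    "ws-04": 0x95,  # removable covered, CD-ROM (U3 CDFS) not
}


def decode_policy(value: int) -> Dict[str, bool]:
    """Map each drive type to whether Autorun is disabled under this value."""
    if not 0 <= value <= 0xFF:
        raise ValueError("NoDriveTypeAutoRun is an 8-bit mask")
    return {name: bool(value & bit) for bit, name in DRIVE_TYPE_BITS.items()}


def usb_autorun_gaps(value: int) -> List[str]:
    """USB-facing drive types on which Autorun.inf would still be honoured."""
    return [DRIVE_TYPE_BITS[bit] for bit in USB_FACING_BITS if not value & bit]


def harden(value: int) -> int:
    """Close the USB-facing gaps while keeping whatever else the policy already set."""
    decode_policy(value)  # range check only
    for bit in USB_FACING_BITS:
        value |= bit
    return value


def audit(inventory: Dict[str, int]) -> Dict[str, List[str]]:
    """Hosts whose policy leaves a USB-facing drive type exposed, with the gaps."""
    return {host: gaps for host, value in inventory.items()
            if (gaps := usb_autorun_gaps(value))}


if __name__ == "__main__":
    for host, gaps in audit(SAMPLE_INVENTORY).items():
        current = SAMPLE_INVENTORY[host]
        print(f"{host}: 0x{current:02X} exposes {', '.join(gaps)}; "
              f"set to 0x{harden(current):02X}")
```

Collecting the value from live hosts (for example through a registry export or an endpoint management tool) is left outside the block; the functions take the integer so the same logic runs offline over exported data. `harden` only adds the two USB-facing bits, so a site that has deliberately left Autorun on for fixed or network drives keeps that choice; setting DISABLE_ALL is the simpler policy where nothing depends on Autorun.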
2.4. Currently proposed protection measures

The proposed solutions for secure use of USB technologies in previous research can be categorized into three categories: data access control, USB port access control, and security policies. Among the three types of solutions, data access control is probably the most interesting, feasible and widely adopted. Data access control allows the use of USB devices while it maintains definite security levels. The commonly proposed data access control solutions include disabling Autorun, limiting user privileges, encrypting the stored data on both communication ends, restricting access to vital data on critical servers, monitoring access to servers, and limiting the size of data transferable to USB drives (Alzarouni, 2006).

USB port access control involves disabling USB ports physically, or disabling USB ports by firmware and operating system settings and third party utilities. In some organizations, USB ports on computers are physically disabled by glue, which is the last recommended solution. Disabling USB ports by Basic Input Output System (BIOS) settings, Windows registry, and Group Policy settings are some other options. Many researchers recommend deploying third party utilities such as NetWrix USB Blocker, DeviceLock, and Zlock to apply USB port access privileges to specific users, user groups, and even USB device classes such as Palm and USB phones (Alzarouni, 2006; Fabian, 2007).

Acceptable Use Policy (AUP) is also commonly referred to as a management solution for USB security issues. AUPs are normally implemented with security education and training programs to provide users with an essential understanding of secure use of information systems, regulate users' actions, and provide procedures for managing security incidents (Fabian, 2007). AUPs are generally cost-effective management solutions which can be implemented in any corporate environment.

2.5. Unresolved issues in the proposed solutions

There were some disadvantages and unresolved issues in the proposed solutions in the previous papers which affect the solutions' efficiency and effectiveness.

Firstly, there are some disadvantages in the proposed solutions because important factors such as business efficiency, investment and maintenance costs, end users, and personal computers were not considered in any of these solutions. Data access control and USB interface access control are obstacles to business efficiency and potentially become a burden on the IT budget in terms of both software license and maintenance costs. End users and personal computers (PC) were not considered in any of the proposed solutions. In reality, AUP and other corporate policies are not applicable to PC users. Moreover, complicated system configurations and additional costs for third party software are not likely to be accepted by PC users.

Secondly, due to the lack of root-cause analysis of these attacks, the technology enablers of these attack vectors were not identified. Therefore, the proposed solutions tended to fix the consequences of the vulnerabilities in USB security software, Windows Autoplay features, the Windows driver security model, and the USB interface management feature instead of addressing these vulnerabilities directly. Attacks automatically launched from USB storage devices such as data theft and multi-payload attacks simply exploit the vulnerability in Windows Autoplay features. This vulnerability comes from the lack of a built-in security mechanism inside Windows Autoplay features. Similarly, due to the lack of a security mechanism for the USB interface, computer malware can spread back and forth between USB drives and internal drives. Although the USB interface is designed for data exchange between computers and their outside environments, it is left open to the external environment without any security protection mechanism. Attacks on USB drivers were possible due to the lack of driver signing enforcement, which allows unidentified drivers to be injected into the Windows kernel. However, the proposed solutions do not directly address any of these vulnerabilities.

Thirdly, there was a lack of a complete taxonomy of USB based software attacks and a framework for addressing USB based software attacks in the previous research. Each of the provided solutions is designed for addressing some of the currently identified attack vectors in specific scenarios only and therefore tends to leave out other attack vectors.

Finally, the attacks and proposed solutions were evaluated in the contexts of Windows XP and the earlier x86 versions, while their successors such as Windows 7 x86 and x64 have been in place for a while, and will soon be popular in both office and home environments.

3. Attacks by USB based malware

3.1. USB based malware

The term "USB based malware" in this paper refers to computer worms, viruses, Trojan horses, spyware, adware, and rootkits which are specially designed to exploit Windows Autoplay features to replicate over USB drives and launch attacks against host computers and computer systems. Although the term "USB based malware" has been mentioned on the world wide web as computer malware spreading via USB drives, this concept does not differentiate the malware that is purposely designed for spreading via USB drives from the malware that is designed for replicating via any means of media. Many worms can spread via many means of media including USB drives, floppy drives, compact discs, and network shares; however, they do not exploit the Autoplay features. Such worms are not considered as USB worms in the scope of this paper. The majority of the malicious codes mentioned in this research are referred to as W32/Autorun by security firms such as Symantec, Microsoft, and McAfee. W32/Autorun does not include all the malicious codes that exploit Autoplay features. This research takes into account any malware which does exploit Autoplay features.

Windows Autoplay features were designed for providing appropriate software responses to hardware actions initiated by computer users. The features are available in version 1 and version 2. Version 1 was designed for Windows 98 and Windows 2000. Version 2 was improved from version 1 to support multimedia contents and devices and is available on Windows XP, Windows 2003, Windows Vista, Windows 2008, and Windows 7. The features operate based on
Fig. 1 – A typical Autorun.inf file created by USB based malware.

Autorun.inf files located in the root folders of removable drives. Autorun.inf files can be compiled via any ANSI text editor such as Notepad. The typical components of an Autorun.inf include four commands: icon, open, shell, and shell/verb. These commands are used to automatically launch applications in removable drives when the drives are inserted into computers. USB based malware is designed to exploit the Autoplay features by creating Autorun.inf files to automatically launch its copies specified by the open and shell commands.

Fig. 1 shows the typical content of an Autorun.inf file created by USB based malware. The icon command specifies the icon file for the executable files triggered by the Autorun.inf file. This icon can be anything that looks familiar and legitimate to users. The open command specifies the file to be executed when Autorun.inf is loaded by the Autoplay features, and in this case it specifies a copy of the malware. The shellexecute command was introduced in Windows Me and 2000. It is also used to specify a file to be executed by Windows Autoplay. However, it also allows applications to run with their associated files. Both open and shellexecute commands are used to ensure that the malware can be executed under any version of Windows. The shell\auto command specifies the default item in the USB drive shortcut menu activated when users right-click on the drive icon. In this case, the default item is used to activate the malware.exe file.

3.2. Analysis of USB based malware's common profile

Because of the trend in reengineering malware to exploit the Autoplay features (Thomas et al., 2009), the attack profile of USB based malware tends to get closer to that of malware in all categories. However, due to the huge quantity of the malicious codes and the lack of statistics from security firms, we only analyze the common profile of the top USB based malware which accounted for the major portion of activities by the malware in this category in the period of September 2007 to October 2009, as reported by Microsoft, Trend Micro, Symantec, McAfee, Norman, and Kaspersky. The data on the profile of each malicious code were obtained from the malware definition databases of Microsoft Malware Protection Center, Kaspersky Lab, Symantec, Sophos, Trend Micro, McAfee, and Norman Security Center. The collected data include name, type, date detected, aliases, alert level, technical analysis, files created, system folder infection, registry update, auto startup mechanism, replication media, Autorun.inf file, file infection, and payload. The data are then analyzed by descriptive statistics tools. A list of these malicious codes is included in Table A1 in the Appendix of this paper.

Fig. 2 – Malware development trend for the period of 10/2007–10/2009, data source: (Paget, 2009; McAfee Avert Labs, 2009).

3.3. The development trend of USB based malware

As USB drives become popular, malware is redesigned to replicate through this vector. The trend from 2007 to March 2009 shows a consistent increase in the number of backdoors, bots, password stealers, and parasitic viruses redesigned to spread via USB drives (Thomas et al., 2009). By the end of March 2009, 20 million unique malicious codes had been detected by McAfee Avert Lab (Paget, November 20, 2009). More than half a million were Autorun malware created in the period from April 2007 to April 2009. The number of Autorun malware had exceeded 1.2 million by October 2009 (Marcus et al., 2009; McAfee Threats Report, 2009).

Fig. 2 illustrates the development trends of Autorun malware and malware of all categories for the period of October 2007 to October 2009. The stacked bars show the development trends of Autorun malware and malware of all categories in quantity, and the two lines show the development patterns of the malware in development percentages.

In Fig. 3, the graph illustrates correlational relationships between the development of Autorun malware and its supporting factors, including the availability of USB drives, the maturity of the Windows operating system supporting Autorun v2, and the maturity of USB technologies. Autorun malware started to develop in the last quarter of 2007, when Windows XP reached its peak of market maturity and USB 2.0 flash drives got into the last period of their product growth phase. The sharp increases in the quantity of USB flash drives shipped worldwide and in the world market share of Windows XP and later versions in the period of October 2008 to October 2009 also led to the sharp increase of Autorun malware in the period reflected in both Figs. 2 and 3. In Fig. 2, the overall graph trend shows a consistent development relationship between Autorun malware and malware of all categories in each quarter and the overall period, with slightly higher development rates for Autorun malware in the year 2009. The reason for such a relationship could be explained in Fig. 3, which illustrates Autorun malware's development trend in relation to its supporting factors including the quantity of USB flash
Fig. 3 – The development of USB based malware in relation to its supporting technologies, data sources (Chance, 2005; W3Schools, 2009).

drives sold, market share of operating systems supporting USB PnP and Autoplay v2, USB standard maturity level, U3 and boot from USB technologies.

4. Attacks on host computers

Attacks on host computers involve buffer overflow attacks on USB drivers, data theft attacks on host computers, multi-payload attacks using U3 and portable hack tools, and offline cold boot attacks.

4.1. Attacks on USB drivers

Buffer overflow attack on the vulnerabilities in USB 2.0 drivers in computer operating systems is the most primitive type of USB based software attack, which was first mentioned in 2005 (Roberts, 2005). The problem comes from the weakness in the design of earlier USB 2.0 devices, where firmware was designed with little care for security and validation. Attackers could program their USB drivers to exploit the vulnerabilities and escalate privileges on any operating system such as Windows, Linux, and OS/2 (Roberts, 2005). However, such problems on the Windows platform have not yet been confirmed by Microsoft or computer OEMs.

In 2009, the same problem was detected again in Auerswald Linux's USB driver. Attackers who have physical access to Linux computers can use their crafted USB drives to execute arbitrary code on the computers at the kernel level and take control over the systems (Vega, 2009). Fortunately, this attack vector is not common, possibly due to the requirements of physical access to the target computers and knowledge in USB driver programming.

4.2. Data theft attacks on host computers

Data theft with the support of USB drives has been a serious issue in corporate networks for the last few years, especially after the USB 2.0 standard became popular in 2004. The common payload of data theft is intended to steal business data and sometimes personal data such as credit card information left in cache memory. This attack vector utilizes some simple scripts written in Perl, MS DOS batch script, or VBScript, with some readymade tools freely available on the Internet. Sometimes, Windows built-in utilities such as xcopy.exe, robocopy.exe, or the copy command are also utilized. Most of these scripts are designed to exploit the Autoplay features. As the attack process is conducted in non-console mode or in the background as a Windows process, it is totally transparent to users. The common functions provided by readymade tools used in such attacks include data query (Pod slurping), data copy (xcopy.exe), simple mail transfer protocol (SMTP) clients, data compression (rar.exe), and secure socket layer (SSL) client (Stunnel). The combined payload of these tools allows attackers to locate the necessary data on host computers and save the data to their USB drives, or compress and send the data through an SSL channel to their FTP servers or mailboxes.

Such attack techniques are not always effective in many scenarios on Windows operating systems that support the User Account Control (UAC) feature. UAC is a security feature which is available in Windows Vista, Windows 2008, and Windows 7. This feature monitors all processes and activities
Fig. 4 – The crafted Autorun.inf file.

Fig. 5 – trigger.bat file used to launch the payload in no console mode.

Fig. 6 – xcp.bat contains the actual attack payloads.

on the computer, and protects the system files and settings from abnormal access by both Windows built-in processes and applications. When UAC is turned on (the default), all processes are run under standard user rights and permissions. Access to system files and settings, and to folders where users do not have permissions, will trigger security alerts and privilege escalation requests. Abnormal activities by unsigned applications such as hack tools and malware will trigger UAC's security alerts. Some dangerous hack tools mentioned in this paper such as SwitchBlade, GonZors Blade, Amish Blade, Password Dump, Ethereal, Network Password Recovery, and White Hat Payload all trigger UAC's security alerts.

The threats from this attack vector still exist when attackers use signed applications in combination with their scripts to run attacks in the background, which is very similar to system administrators' scripts for data backup. The scripts in Figs. 4, 5 and 6 exploit the Autoplay features to secretly copy files in the user's Documents folder to the inserted USB drive, compressed and encrypted with a password using the copy command, rar.exe, and hstart.exe. Fig. 4 shows the content of the Autorun.inf file in the root folder of the USB drive. Fig. 5 shows the content of the trigger.bat file located in a hidden folder on the USB drive. This file loads the payload file (xcp.bat) using the hidden start tool with the "/noconsole" option, which forces xcp.bat to run without a console, making the attack process transparent to the users.

Fig. 6 shows the content of xcp.bat containing the attack payloads, which copy all files in the Documents folder to a folder called "STOLENDATA" on the attacker's USB drive. The copied data is further compressed and encrypted with a password by the rar.exe utility and saved under the file name stolendata.dat, leaving no trace for users. However, when the UAC setting is set to high, none of these processes will be created in the background. A notification of process failure will pop up, calling for the users' attention.

4.3. Multi-payload attacks by U3 hack tools

U3 is an open standard developed to provide users with application mobility through an application platform available in U3 drives, whereby U3 applications can be installed on and run from U3 drives independently from host computers. In a U3 drive, a small partition located at the beginning of the drive is marked as a CDFS (CD file system) partition so that Windows recognizes it as a CD rather than a removable drive. U3 applications are self-contained applications run from the CDFS partition without having to be installed on the host computers, modify the registry, or reserve computer resources. While the Autoplay feature for removable drives is disabled on Windows 7, it is still enabled for the CDFS partition. U3 technology is supported on the Windows platform for Windows 2000 SP4 and later on both x64 and x86 versions.

Attackers of this vector have a large and flexible range of hack tools to deploy on U3 drives. They can customize their own ISO images with the necessary hack tools and malware to install in the CDFS partitions to exploit the Autoplay feature which is available for CDFS partitions, or directly run the hack tools from the U3 Launchpad. Some commonly known hack tools available in U3 format (.u3p) are USB Switchblade, U3 Incident Response Switchblade, USB Hacksaw, USB Pocket Knife, Nmap, Ethereal, Wireshark, Showtraf, TCPDump, Nemesis and John the Ripper, HTTP RAT, Anonymizer, and Data Recovery. Among these tools, Switchblade is a very dangerous toolkit consisting of several hack tools capable of recovering important information from Windows systems such as passwords (SAM, messenger clients, web browser cache), LSA Secrets, service, system and port information. USB SwitchBlade is available in two versions developed by the Hak5 community and GonZor. USB SwitchBlade developed by the Hak5 community is now available in several sub-versions by Kapowdude, Gandalf, Silivrenion, and Amish. The codes of these sub-versions are adjusted by Hak5 members and are slightly different from each other. However, the payloads remain the same and they all trigger UAC. The later version developed by GonZor is more powerful and is capable of overwriting programs on U3 CDFS partitions. As these partitions are read only, antivirus programs cannot delete the installed hack tools on detection. Besides Switchblade, U3 Incident Response Switchblade was developed to support the process of evidence gathering in security incidents. This tool gathers information on accounts, groups, networking (such as IP, DNS cache, ARP table, NetBIOS, routing information, firewall state and rules), and services status. Generally, these tools are now all detected and blocked by many antivirus programs. However, the U3 development kit is open to the public, assisting U3 application developers. Attackers can also compile hack tools to .u3p format in many circumstances. There are also U3 compilers such as Package Factory which allow people to recompile many applications to .u3p format. Some popular utilities compiled to .u3p format include disk management tools (Partition Magic, Symantec Ghost), registry tools (Clean Registry, Registry Mechanic), anonymous surfing (Anonymizer, HTTP RAT), data recovery (Data Recovery, Pro Data Recovery, Easy Recovery), web browsers (Firefox, Opera), torrent clients (eMule, FlashGet, uTorrent), instant messengers (Pidgin, MSN Messenger, Yahoo Messenger), password recovery, script editors (Notepad), OpenOffice, virtual DVD (Virtual CD), ISO compilers and CD burners (Ultra ISO, Nero), data compression and encryption (WinRar), and antivirus (Avast, Dr Web Cureit).
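Sections 3.1 and 4.2 describe the Autorun.inf entries that matter in these attacks: icon, open, shellexecute, and a shell\<verb>\command entry promoted to the default action by shell=<verb>, with open and shellexecute both set so the action fires on every Windows version, and the icon chosen to look legitimate. A responder who images a suspect drive wants exactly those indicators pulled out before Autoplay ever sees the file. The Python below is an added example and not code from the paper: a small parser for the [autorun] section and a triage routine that lists the files the entries would launch and the indicators found. SAMPLE_AUTORUN_INF is constructed to match the paper's prose description of Fig. 1 (it is not the paper's figure), and BENIGN_AUTORUN_INF is a constructed label-and-icon-only file of the kind found on ordinary media.

```python
"""Static triage of an Autorun.inf file found on a removable drive.

Added example, not from the paper. Both sample files are constructed:
SAMPLE_AUTORUN_INF follows the paper's description of Fig. 1, and
BENIGN_AUTORUN_INF is a label-and-icon-only file as found on many media.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Extensions that mean "runs code" when named by an Autorun action.
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".wsf"}

# Constructed: icon borrowed from a system DLL, open and shellexecute both
# pointing at the same binary, and the default context-menu verb redirected.
SAMPLE_AUTORUN_INF = """\
[autorun]
icon=%SystemRoot%\\system32\\shell32.dll,4
open=malware.exe
shellexecute=malware.exe
shell\\auto\\command=malware.exe
shell=auto
"""

# Constructed: no action entries at all, only a volume label and icon.
BENIGN_AUTORUN_INF = """\
[AutoRun]
label=Holiday photos
icon=photos.ico
"""


@dataclass
class AutorunReport:
    entries: Dict[str, str] = field(default_factory=dict)
    launched_files: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_autorun(text: str) -> Dict[str, str]:
    """Key/value pairs of the [autorun] section; Windows ignores case in keys."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def _first_token(command: str) -> str:
    """The program named by a command line, with surrounding quotes removed."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""


def _extension(path: str) -> str:
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_autorun(text: str) -> AutorunReport:
    """Parse an Autorun.inf and list what it would launch and why that matters."""
    report = AutorunReport(entries=parse_autorun(text))
    e = report.entries
    # Entries that name a program: open, shellexecute, shell\<verb>\command.
    launchers = {k: v for k, v in e.items()
                 if k in ("open", "shellexecute")
                 or (k.startswith("shell\\") and k.endswith("\\command"))}
    for key, command in launchers.items():
        target = _first_token(command)
        if not target:
            continue
        report.launched_files.append(target)
        if _extension(target) in EXECUTABLE_EXT:
            report.findings.append(f"{key} runs executable content: {target}")
        if "\\" in target.strip("\\") or "/" in target:
            report.findings.append(f"{key} target sits below the drive root: {target}")
    if "open" in launchers and "shellexecute" in launchers:
        report.findings.append(
            "open and shellexecute both set: the action fires on every Autoplay version")
    verb = e.get("shell", "").lower()
    if verb and f"shell\\{verb}\\command" in launchers:
        report.findings.append(
            f"default context-menu verb '{verb}' is redirected to a custom command")
    icon = e.get("icon", "")
    if re.search(r"\.dll(,-?\d+)?$", icon, re.IGNORECASE) or "%systemroot%" in icon.lower():
        report.findings.append(f"icon is borrowed from a system library resource: {icon}")
    return report


if __name__ == "__main__":
    for name, inf in (("sample", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        r = triage_autorun(inf)
        print(f"{name}: suspicious={r.suspicious}, launches={sorted(set(r.launched_files))}")
        for f in r.findings:
            print("  -", f)
```

The parser works on the file text alone, so it can be run against an image or a read-only mount with Autoplay disabled; the "below the drive root" finding is the static counterpart to the hidden-folder placement of trigger.bat described in Section 4.2, since the file's hidden attribute is not visible in the text. Any launcher entry at all is worth a look on a removable drive, which is why executable content is reported even for an installer-style `open=setup.exe`.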
Author's personal copy

178 d i g i t a l i n v e s t i g a t i o n 7 ( 2 0 1 1 ) 1 7 2 e1 8 4

4.4. Offline cold boot attack

The original concept of booting up from USB used a lightweight edition of Windows XP from CDs for administrative purposes such as data rescue, operating system repair from serious crashes, or virus scanning. This was first possible when Microsoft released Windows PE 1.0 for Windows XP and Windows 2003 in 2002. When USB 2.0 drives became popular and boot from USB became a default feature of computer mainboards, dumping Windows to USB drives became popular in 2006, especially with the support of Bart PE. Windows PE 2.0 (for Windows Vista and Windows 2008) and 3.0 (for Windows 7) also support boot from USB at quite low system requirements, making such solutions popular. After Windows PE, boot from USB has also become possible on various Linux distributions such as Knoppix, Ubuntu, Linux Mint, and Kubuntu.

Cold boot attack from USB is the most dangerous among all attack vectors analyzed in this paper. After a cold boot from a USB drive, the target computer is under the control of the operating system running on the attacker's USB drive. Attackers have absolute freedom to do whatever they want on their operating systems and on the victims' computers, even on computers with encrypted volumes. Moreover, a few distributions of these lightweight operating systems ship with a variety of hack tools including data recovery, data backup, encryption and decryption, secure FTP, SAM editing, network configuration, remote desktop, password retrieval, and key viewers. Some of these versions are Super WinPEwas and Paragon HDD Manager. These versions can be downloaded easily from torrent networks, which allows people with little technical knowledge to participate in this attack vector. Finally, because the operating systems run on attackers' external USB drives, there is generally no trace left on victim computers after cold boot attacks.

5. Attacks on USB storage devices

Software attacks on USB drives include exploiting the insecure USB protocol to attack the communication channels between USB devices and host computers, attacks on USB security software, and data theft.

5.1. Attack on USB protocol

This attack vector utilizes USB protocol analyzers such as USBlyzer, Advanced USB Port Monitor, and USB Trace to analyze and decode the communication channel between USB devices and host computers in order to obtain information in transport between the devices and the host computers, such as the password for the security software on the USB drives. The common functions of such utilities include data monitoring, logging, decoding, and saving by protocol and packet analysis. The enabler of this attack vector is the insecure USB protocol, which transmits data between USB devices and host computers in an unencrypted format. This vulnerability has been exploited in many scenarios, allowing attackers to successfully obtain the passwords of password-protected USB drives which do not support data encryption on transport (Halderman et al., 2008).

5.2. Attack on security software on secure USB drives

Exploiting vulnerabilities in USB security software is the most common attack vector targeting secure USB drives. The two main drivers for this attack vector are password recovery and business data recovery. Moreover, there are also some facilitators behind this attack vector. The first one is the ease of access to USB product documentation and software development kits consisting of source code, header files, and other related information about the EEPROM content of USB devices. The second factor is that all USB standards from 1.0 to 3.0 are open standards provided by the USB Forum and freely available for public access. Lastly, USB standards are rather simple and insecure. It does not require much knowledge about electronic engineering or programming to be able to design and assemble USB devices and write USB drivers for the devices.

Vulnerabilities in USB drives' security software have resulted in security protection bypass on both password-protected and fingerprint-protected USB drives. This allows attackers to have direct access to the protected data partition. A common exploit is a buffer overflow attack on the security software, conducted by sending known erroneous packets to the USB software (Bakker et al., 2007). When a buffer overflow attack cannot be employed, a password brute-force attack is another option. As many secure USB drives do not support self-lock mechanisms activated after a number of wrong password attempts, attackers can simply run a password brute-force attack until the valid password is found (Bakker et al., 2007). Although a password brute-force attack is generally not feasible with strong passwords of more than 9 characters created from a combination of capital characters, lower case characters, numbers, and special characters, such passwords are rarely implemented by users.

5.3. Data theft attack on USB drives

Similar to data theft attacks on computers, data theft attacks on USB drives are mainly conducted with the aid of hack tools running as processes which silently wait for inserted USB drives and upload data from the drives to the host computer or send the data to a remote mailbox or FTP server. The two representative hack tools for this category are USBDumper and USB Hacksaw. USBDumper is a small utility running in the background as a process listening for connected USB drives. On detection of inserted USB drives, the process starts uploading data from the drive to the host computer transparently to the users. USB Hacksaw is improved from USBDumper. This version combines Stunnel, Blat, and Gmail with USBDumper. The data from USB drives will first be uploaded to a folder on the host computer where it is compressed by rar.exe, before being sent to a Gmail account by Blat in an SSL channel created by Stunnel. The mechanism is very simple, using utilities available on the Internet and some simple batch files. Essentially, the tools can be different, but they have the same mechanism as that of Dumper and Hacksaw. Even though many of these tools can be detected by antivirus
programs, this attack vector is hard to prevent. These tools can be re-coded easily in various scripting languages such as VBScript, batch scripting, and Perl. The attack processes can also be scheduled by operating system task schedulers. This makes the chance of success higher because the action patterns are very similar to those of administrative tasks scheduled by system administrators. Moreover, if the attacks happen on attackers' computers, security features are normally disabled, allowing the attacks to happen smoothly.

6. USB based malware common profile

USB based worms account for the major portion of USB based malware, mainly due to their capability of exploiting the Autoplay feature to replicate. Each of these worms comes in large families of up to hundreds of variants, such as the Pushbot family with more than 420 variants, which have very similar infection mechanisms and payloads. This can partly be explained by the availability of USB malware construction kits on the Internet.

Fig. 7 shows the common profile of the analyzed USB based malware, simplified with the focus on the replication mechanism via USB devices and the payload. At the beginning of an attack cycle, when an infected USB drive is inserted into a computer, the Autoplay feature will trigger the Autorun.inf which activates the malware. The very first action done by such malware is to install its copies into the system folders on the host computer. The Windows registry will then be updated to allow these copies to be started with the operating system. Many of the analyzed worms update the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key to make their copies start at Windows startup. After the copies are loaded, Process Explorer and Windows Task Manager will show their process locations as inside system folders, making users confuse them with legitimate processes. These processes actively listen for inserted USB drives to replicate themselves by installing their copies and creating Autorun.inf files on the media. The worms can work as botnet clients, or further code will be silently downloaded from remote servers and installed on the infected computers, making the computers clients of the worm authors' botnets. The majority of the analyzed malware are designed for creating botnets and participating in DDoS attacks. Such a payload is also the common payload for the malware of all categories in the period of 2008–2009 (Marcus et al., 2009).

Fig. 7 – The simplified common profile of USB based malware.

Fig. 8 – Security framework for mitigating USB based software attacks.

7. Solution

The security framework illustrated in Fig. 8 is a conceptual model which helps mitigate the identified USB based software attacks. The model consists of seven concentric layers where three threat layers and three protection layers are arranged one after another. The identified attacks are categorized into
threat layers, and protection measures are categorized into the corresponding protection layers to achieve the best protection results. The inner protection layers are designed for mitigating the attacks from the outer threat layers, and therefore an attack may be mitigated by one or multiple security measures at one or more protection layers. The core layer contains operating system files and settings, data on host computers, and data in USB drives. The goal of this framework is to protect the core layer from USB based software attacks located in the three threat layers.

The security measures proposed in the three protection layers in the framework are aimed at resolving the root causes of the identified attacks. Table 1 summarizes the solution framework in the format of a solution matrix.

Table 1 – Solution matrix.

Attack category | Technology enabler as problem root cause | Attack/problem & threat layer | Protection solutions & protection layer
Attacks by USB based malware | No security management mechanism for USB interface (a) | Layer 1: Malware can spread back and forth between USB drives and internal drives. | Layer 1: AppLocker, antivirus software, firewall, UAC.
Attacks by USB based malware | No security mechanism for Windows Autoplay features (b) | Layer 1: This makes USB worms possible (c) | Layer 1: Parse Autorun
Attacks on host computers | No security mechanism for Windows Autoplay features (b) | Layer 1: Hack tools can be activated automatically on USB drive insertion. | Layer 1: Parse Autorun
Attacks on host computers | No security management mechanism for USB interface (a) | Layer 1: Hack tools can be executed from USB drives which are external drives. | Layer 1: AppLocker, antivirus software, firewall, UAC
Attacks on host computers | Data is left unprotected when the operating system is offline | Layer 2: Offline cold boot attacks. | Layer 2: Volume encryption
Attacks on host computers | Driver signing is not enforced | Layer 3: This makes USB driver injection possible. | Layer 3: Enforcing driver signing with standardized USB drivers.
Attacks on host computers | USB driver is located in kernel mode layer | Layer 3: Attacker gains system privilege once USB driver injection is completed. | Layer 3: Completely move USB driver to User Mode layer.
Attacks on USB storage devices | No standardized USB security software | Layer 3: USB security software attacks: buffer overflow and password brute force attacks | Layer 3: Standardize USB driver and security software.
Attacks on USB storage devices | No security mechanism for USB protocol | Layer 3: Attack on USB protocol | Layer 3: Standardize USB driver and security software

(a) USB drives are not properly managed as "external" devices and thus there is no "firewall" between USB drives and computer internal drives.
(b) Windows Autoplay features automatically load any files, including malware, as specified in Autorun.inf files.
(c) USB worms are capable of self-replicating due to Windows Autoplay features.

7.1. The first threat and first protection layer

The first threat layer includes multi-payload attacks using U3 hack tools, USB based malware, and data theft attacks. Attacks from this layer are normally handled effectively by the security measures in the first protection layer because most malware scanners would recognize the involvement of malware and hack tools in these attacks. Windows XP SP2 and later versions are equipped with some free anti-malware solutions including Windows Defender, Microsoft Security Essentials (MSE), and Windows Firewall. Windows Defender, previously known as Microsoft Antispyware, is a spyware and adware scanner available via Windows Update without any maintenance effort. MSE is an anti-malware program which provides real-time protection and auto-update like many other anti-malware programs in the market. A test conducted by AV-Test.org in October 2009 showed that MSE achieved a 98.44 per cent detection rate using malware signature based detection (Pham et al., 2010). Moreover, as malicious code tends to communicate with servers on the Internet, Windows Firewall is an effective measure which blocks such communication and prevents the malware from completing its attack cycle.

In terms of hack tools, the results of our experiment with over 3800 hack tools and hack toolkits, including the most common USB based hack tools listed in Table 2 below, demonstrated that most of these hack tools can be detected by common antivirus software. Many of these hack tools can be directly executed from USB drives or compiled to portable format using compilation tools such as Package Factory, VMware ThinApp, Landesk Application Virtualization, Ceedo, and InstallFree. More importantly, all the critical USB based hack tools such as GonZors SwitchBlade, USB Pocket Knife, USB Hacksaw, USBDumper, and Port Slurp can be detected by all of these antivirus software. A list of these USB hack tools can be found in Table A2, and the categories of the payloads of these hack tools and hack toolkits are listed in Table A3 in the Appendix of this paper.

Besides malware scanners, UAC, AppLocker, and Parse Autorun are recommended security features for Windows Vista and later editions. UAC is a built-in feature first available in Windows Vista. This feature actively monitors process activities and prevents abnormal access to system files and settings which resembles common malware behaviors. Some hack tools such as USB SwitchBlade and Network Password Recovery were possible on Windows XP and earlier editions. However, these hack tools will now trigger a Windows security alert activated by UAC when they try to access system files and settings. AppLocker is a new feature of Windows 2008 R2 and Windows 7 which allows administrators to have control over the execution of specific applications and scripts based on specific computers, users and user groups, and the
file locations. Moreover, AppLocker also supports application execution permissions based on the application's valid digital signatures, and therefore unsigned applications including malware and other malicious code will be blocked from execution (Pham et al., 2010). Therefore, AppLocker can be a useful tool for network administrators in enterprise environments to prevent the execution of malware and hack tools while allowing the execution of specific legitimate applications. However, the use of AppLocker is rather complicated for basic users, and this feature is not available in all Windows editions.

Table 2 – USB hack tools detection by commonly used antivirus software.

Antivirus software (definition update: May 10, 2010) | Detection ranking | Comments
Kaspersky Internet Security 2010 | Fair | Detects all critical hack tools
Norton Internet Security 2010 | Fair | Detects all critical hack tools
McAfee Total Protection 2010 | Fair | Detects all critical hack tools
F-Secure Internet Security | Good | Detects all critical hack tools and some other tools
ESET NOD32 Antivirus | Good | Detects all critical hack tools and some other tools
Microsoft Security Essentials | Fair | Detects all critical hack tools
TrendMicro Internet Security Pro 2010 | Good | Detects all critical hack tools and some other tools
Bit Defender Internet Security 2010 | Very good | Detects most of the hack tools
AVG Internet Security 9.0 | Very good | Detects most of the hack tools

In this paper, we propose Parse Autorun as an additional feature for Windows which fixes the vulnerability in Windows Autoplay features. This feature prevents unsigned executable files called by Autorun.inf from being activated. Fig. 9 shows the proposed algorithm for Parse Autorun.

Fig. 9 – Parse Autorun algorithm.

When a removable drive with an Autorun.inf file at the root folder is inserted, Autoplay features will activate Parse Autorun, which parses the Autorun.inf file for execution commands such as open, shellexecute, and shell\auto to locate executable files called by the Autorun.inf file. The executable files are checked by application signature, and if they are signed, they can be executed by Windows Autoplay. If they are not signed applications, they will be scanned by available anti-malware software such as MSE and they will not be executed automatically. This generally helps avoid a lot of attack scenarios which are transparent to victims, because attackers will have to manually locate the executable files, which are normally hidden in different places in USB drives, to trigger the attacks. Moreover, the results of our experiment also show that on-demand scans provide much better protection results than the real-time protection method, which is only activated when the hack tools are triggered. Therefore, Parse Autorun will provide better protection results than leaving the hack tools to be detected by antivirus software on activation.

Generally, the main role of the first protection layer is to prevent malicious programs and scripts from executing and
accessing critical system locations such as the system32 folder and the Windows Registry.

7.2. The second threat and second protection layer

Encryption is the best solution for cold boot attacks where the involvement of physical security measures is not possible. Encryption prevents attackers from breaching the confidentiality and integrity of the information stored on the host computer and USB drive in case they manage to gain access to the encrypted data. The recommended technologies are volume based encryption solutions such as BitLocker and TrueCrypt, which encrypt whole data volumes. Microsoft Windows supports two volume encryption solutions: BitLocker, introduced in Windows Vista and 2008, and BitLocker To Go in Windows 7. BitLocker To Go also supports data encryption for removable drives in FAT format, which is a good solution for data on USB drives. Currently, BitLocker is identified as vulnerable to cold boot attacks where the attackers manage to obtain the encryption key from the computer DRAM (Halderman et al., 2008). However, this attack method is rather complex and requires the involvement of a cooling chemical which can be applied to computer memory to cool down the DRAM to 50 °C. Obviously, to conduct this attack, attackers will need to open the computer case, which is not easy in scenarios where the computer cases are locked. Moreover, the encryption-key reconstruction process is rather complex, requiring time and advanced technical knowledge, and on the other hand, no ready-made toolkit for this job has been identified at this time.

7.3. The third threat and third protection layer

The third protection layer deals with software attacks on USB security software and the USB driver. In reality, attacks on USB security software have been possible due to the lack of standardization in security design for USB devices. Table 3 summarizes our proposed solutions to secure USB software.

Table 3 – USB security software threats and solutions.

Threat | Solution
Buffer overflow attack | Software input validation
Key logger: password attack | Virtual keyboard: random key layout
Password brute force attack | Self lock counter
Protocol attack | Asymmetric data encryption

The common vulnerabilities for buffer overflow attacks are due to the lack of input validation, which allows attackers to send erroneous packets to the software to cause a buffer overflow. A standardized validation module for USB security software is much simpler than that for Web applications and therefore entirely possible. Keyloggers may be a threat to password-enabled USB drives, though this has not yet been mentioned. Keyloggers can be mitigated by a virtual keyboard with a randomized keyboard layout for every session. Moreover, password brute force attacks can be simply mitigated by a self-lock counter which automatically stops accepting further log-in attempts after a specific number of failed attempts. USB protocol attack is probably the most difficult issue up to now. Our proposed solution involves the use of asymmetric encryption to encrypt and decrypt the data passed between USB devices and host computers. This generally avoids the encryption key capturing problem of symmetric encryption solutions and also avoids password capturing on transmission between the computer and the USB drive, which is the common vulnerability of some USB drives by ATP Electronics, Samsung Electronics, Samsung Pleomax, LG Electronics, and Imation (Jeong et al., 2007). However, this requires effort to standardize the micro-chip for USB drives which contains the encryption key pair and cryptography software.

In terms of the USB driver, the implementation of the USB driver should be moved to User Mode, which prevents privilege escalation in case attackers manage to complete a buffer overflow attack on the driver. The previous buffer overflow attacks on the Windows USB driver, though not yet confirmed by Microsoft, were possible on Windows XP and earlier versions but not on Windows Vista and later versions. This can be explained by the Microsoft driver model in Windows Vista and later editions, particularly the User Mode driver model. Fig. 10 illustrates the USB driver model for Windows Vista.

Fig. 10 – Windows USB driver architecture, adapted from (Architecture of the User Mode Driver Framework, 2007).

In Fig. 10, the drivers for USB devices provided by hardware vendors are located in the User Mode layer, where access to system resources is limited to user rights and privileges only. This model applies to Windows Vista and later. However, in previous Windows versions such as Windows XP and Windows 2003, the USB driver was located in the Kernel Mode layer, where it has unlimited access to system resources. Therefore, successfully compromising USB drivers will give attackers system rights and privileges. On the other hand, crafted USB drivers could be injected into the Windows kernel due to the lack of driver signing enforcement in Windows XP and other 32-bit editions. The enforcement of signed drivers will prevent unsigned drivers from being injected into the
Windows kernel and thus helps mitigate this threat vector effectively.

8. Conclusion and further work

In this paper, we have investigated all the currently identified USB based software attacks and their payloads on host computers and USB devices, and have established a taxonomy of the attacks. We have also created a security framework to handle USB based software attacks on the basis of newer Windows operating systems including Windows Vista, Windows Server 2008, and Windows 7 on both x86 and x64 platforms. The framework was designed for addressing all the identified USB based software attacks with minimum deployment and maintenance effort. The results also show that reengineering effort must be invested in the standardization process for USB security software to create an industry-wide secure implementation standard for all USB devices. Finally, USB driver implementation should be moved to User Mode to prevent privilege escalation in case a buffer overflow attack on the driver is successfully conducted.

Appendix.

Table A1. Surveyed USB based malware families.

No. | Malware family | No. | Malware family
1 | Auraax (a) | 26 | W32/Frethog (a)
2 | AutoIt (a) | 27 | W32/Hamweq (a)
3 | AutoIt/Renocide (a) | 28 | W32/Hary (a)
4 | Brontok (a) | 29 | W32/Mabezat (a)
5 | Conficker (a) | 30 | W32/Perlovga (a)
6 | Emold (a) | 31 | W32/Regul (a)
7 | Generic!atr (a) | 32 | W32/SillyShareCopy (a)
8 | Invadesys (a) | 33 | W32/Taterf (a)
9 | Mal_Otorun (a) | 34 | W32/Yacspeel.A.dll
10 | Niuniu (a) | 35 | Worm.Autorun.VHG
11 | Pushbot (a) | 36 | Worm.VBS.Autorun.r
12 | PWS-Gamaniav | 37 | Worm.W32.AutoRun (a)
13 | Slenfbot (a) | 38 | Worm.W32.AutoRun.dui
14 | Troj_CoreLink.D | 39 | Worm.W32.AutoRun.eee
15 | Trojan.Autorun.AET | 40 | Worm.W32/Autorun (a)
16 | Trojan.AutorunINF.Gen | 41 | Worm.W32/RJump (a)
17 | VBS.Runauto (a) | 42 | Worm_Agent.TBH
18 | W32.Gammima.AG | 43 | Worm_Autorun.AZB
19 | W32.Saltity.AE | 44 | Worm_Autorun.BSE
20 | W32.SillyDC | 45 | Worm_Autorun.CBZ
21 | W32.SillyFDC | 46 | Worm_Downad.A
22 | W32.Sality.OG | 47 | Worm_QQpass.ADH
23 | W32.Worm.Downadup.Gen | 48 | Worm_VB.BDN
24 | W32/Autorun (a) | |
25 | W32/Conficker.B | |

(a) The number of variants may vary from three, such as the W32/Hary and W32/Mabezat families, to several hundred, such as the AutoIt and Pushbot families. However, not all variants' profiles are available in the databases. Only autorun related variants with available profiles in the databases are surveyed.

Table A2. Tested common USB hack toolkits.

No. | Name & version | No. | Name & version
1 | Amish 1.0 (No U3) | 26 | PasswordFox v1.20
2 | Asterisk Logger 1.04 | 27 | Pwdump6
3 | Blat 262 | 28 | Resource Hacker Version 3.5.2
4 | Dialupass2 | 29 | RPC-Mail version 0.1
5 | Enable-Abel SwitchBlade | 30 | SkypeLogView v1.12
6 | Etherreal on USB | 31 | Slurp Audit
7 | Gandalf 7zBlade | 32 | SniffUSB
8 | GonZors SwitchBlade 1.2 | 33 | Snort 2.8.5
9 | GonZors SwitchBlade 2.0 | 34 | Stellar Password Recovery v1.5
10 | HackBlade | 35 | Stunnel 3.10
11 | IE Cache View | 36 | Stunnel 4.33
12 | IE PassView v1.17 | 37 | Switchblade alternative 1.3 by Silivrenion
13 | IECookiesView | 38 | TCP Dump version 3.9.4
14 | IEHistoryView | 39 | USB HackSaw 0.2
15 | John 1.7.0.1 | 40 | USB Hacksaw Version 0.1 POC
16 | Mail PassView v1.55 | 41 | USB Pocket Knife v0.8.8.0
17 | MessenPass v1.30 | 42 | USBDeview v1.06
18 | MozillaCacheView v1.27 | 43 | USBDumper v2.2
19 | MozillaCookiesView v1.30 | 44 | USBlyzer 1.5
20 | MozillaHistoryView v1.25 | 45 | Web dumper 2.4
21 | Nemesis 1.4 | 46 | White Hat Payload 1.3
22 | Network Password Recovery v1.24 | 47 | Windows password Key
23 | Nmap 3.8.1 | 48 | WireShark 1.2.1
24 | Nmap 5.0 | 49 | U3 Incident Response Switchblade
25 | Nmapbot version 0.2 | 50 | Kapowdude

Table A3. Tested hack tool and hack toolkit categories (total number of toolkits: 3802).

No. | Category of hack tools | No. | Category of hack tools
1 | Bluetooth exploiting tools | 22 | Phishing tools
2 | Buffer overflow | 23 | Proxy hacking
3 | Credit card information explo…iting tools | 24 | Reverse engineering tools
4 | Data collection tools | 25 | RFID hacking tools
5 | Data recovery tools | 26 | Router cracking
6 | Database exploiting tools | 27 | Session hijacking
7 | DoS tools | 28 | Sniffer tools
8 | Encryption tools | 29 | Software cracking kits
9 | Enumeration | 30 | Spamming tools
10 | Foot printing | 31 | Spying tools
11 | Google hacking | 32 | SQL injection
12 | IDS and firewall exploiting | 33 | Steganography tools
13 | Information hiding | 34 | System exploiting tools
14 | Internet anonymity | 35 | System scanning
15 | Linux system exploiting tools | 36 | Trojan and backdoor kits
16 | Mac OS exploiting tools | 37 | Virus and worm kits
17 | Mail hacking | 38 | VOIP hacking tools
18 | Mobile & PDA devices cracking | 39 | Web app vulnerability scanner
19 | Password cracking | 40 | Web browser hacking
20 | Password stealing tools | 41 | Web server exploiting
21 | Penetration testing tools | 42 | Wireless cracking
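The Parse Autorun algorithm of Section 7.1 (Fig. 9), worked through as an added example; this is illustrative code written for this edition, not the authors' implementation. It parses the open, shellexecute and shell\verb\command entries of an Autorun.inf, locates the referenced files on the drive, and lets only files that pass the signature check run automatically; everything else is routed to an on-demand scan instead of being launched. Authenticode verification is stood in for by an allowlist of SHA-256 digests (an assumption of this example), and the drive contents, including the Autorun.inf, are constructed in a temporary directory.

```python
"""Parse Autorun-style gate for Autorun.inf-referenced executables.

Added example, not code from the paper. Authenticode verification is stood
in for by an allowlist of SHA-256 digests (an assumption of this example).
"""
import hashlib
import os
import tempfile

EXEC_KEYS = {"open", "shellexecute"}  # shell\<verb>\command is matched by pattern


def parse_autorun(text: str) -> dict:
    """Return {lowercased key: value} from the [autorun] section(s) of an Autorun.inf.

    Tolerant by design: malware-written Autorun.inf files often carry junk
    lines, so anything without '=' that is not a section header is skipped.
    """
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def _executable_of(command: str) -> str:
    """First token of a command line: a quoted path, or the text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def referenced_executables(entries: dict) -> list:
    """Executables Autoplay would launch: open=, shellexecute=, shell\\<verb>\\command=."""
    found = []
    for key, value in entries.items():
        is_cmd = key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        exe = _executable_of(value) if is_cmd else ""
        if exe and exe not in found:
            found.append(exe)
    return found


def classify(root: str, rel_path: str, trusted_digests: set) -> str:
    """'allow' if the file's digest is trusted (stand-in for a valid signature),
    'scan' if present but untrusted (hand to the on-demand scanner, never auto-run),
    'missing' if Autorun.inf points at a file that is not on the drive."""
    path = os.path.join(root, *rel_path.split("\\"))
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return "allow" if digest in trusted_digests else "scan"


def parse_autorun_check(root: str, trusted_digests: set) -> dict:
    """Decision per executable referenced by <root>\\Autorun.inf; {} if there is none."""
    inf = os.path.join(root, "Autorun.inf")
    if not os.path.isfile(inf):
        return {}
    with open(inf, "r", encoding="utf-8", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    return {exe: classify(root, exe, trusted_digests) for exe in referenced_executables(entries)}


# Constructed sample: one "signed" file, one unsigned dropper in a RECYCLER folder,
# and a shell\auto\command that points at a file not present on the drive.
SAMPLE_AUTORUN_INF = """[autorun]
open=setup.exe
icon=setup.exe,0
shellexecute=RECYCLER\\S-1-5-21\\update.exe
shell\\auto\\command="System Volume Information\\helper.exe" /s
shell=auto
action=Open folder to view files
"""
SIGNED_BYTES = b"MZ signed stand-in"
UNSIGNED_BYTES = b"MZ unsigned dropper"


def demo() -> dict:
    """Build the constructed drive in a temp dir and return Parse Autorun's decisions."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "Autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        with open(os.path.join(root, "setup.exe"), "wb") as fh:
            fh.write(SIGNED_BYTES)
        os.makedirs(os.path.join(root, "RECYCLER", "S-1-5-21"))
        with open(os.path.join(root, "RECYCLER", "S-1-5-21", "update.exe"), "wb") as fh:
            fh.write(UNSIGNED_BYTES)
        trusted = {hashlib.sha256(SIGNED_BYTES).hexdigest()}
        return parse_autorun_check(root, trusted)


if __name__ == "__main__":
    for exe, decision in demo().items():
        print(f"{decision:8s} {exe}")
```

In a real deployment the digest allowlist would be replaced by an Authenticode check (WinVerifyTrust), and a 'scan' result would be passed to the on-demand scanner rather than executed; the 'missing' result is worth logging too, since an Autorun.inf that points at absent files is itself a sign of a half-cleaned infection.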

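Sections 5.2 and 7.3 (Table 3) argue that a self-lock counter closes the password brute-force vector on secure USB drives and that passwords of more than 9 mixed-class characters are infeasible to brute-force. Both points are worked through here in an added example that is not the paper's code: a model of the device-side password check with a salted PBKDF2 verifier, constant-time comparison and a lock after MAX_FAILED wrong attempts, plus the keyspace arithmetic behind the length argument. The lock threshold, the PBKDF2 work factor, the reset path and the character-class sizes are assumptions of this example.

```python
"""Self-lock counter and brute-force keyspace (added example, not the paper's code).

Models the device-side password check of a secure USB drive: a salted PBKDF2
verifier, constant-time comparison and a lock after MAX_FAILED failed attempts.
The threshold, the work factor, the reset path and the class sizes are assumptions.
"""
import hashlib
import hmac
import os

MAX_FAILED = 5            # assumed lock threshold
PBKDF2_ROUNDS = 50_000    # assumed work factor for the stored verifier

# Printable ASCII split into the four classes named in Section 5.2 (95 symbols).
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
ALL_CLASSES = ("lower", "upper", "digit", "special")


def keyspace(length: int, classes=ALL_CLASSES) -> int:
    """Candidates an exhaustive search must cover for a password of this length
    drawn from the given character classes (an upper bound; no policy constraints)."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length


def worst_case_years(length: int, guesses_per_second: float, classes=ALL_CLASSES) -> float:
    """Time to exhaust the keyspace at a given guess rate. Against a drive the
    relevant rate is the device-side one, which the self-lock counter bounds."""
    return keyspace(length, classes) / guesses_per_second / (365 * 24 * 3600)


class SecureDriveAuth:
    """Password gate with a self-lock counter, as proposed in Table 3."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.verifier = self._derive(password, self.salt)
        self.failed = 0
        self.locked = False

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def unlock(self, attempt: str) -> str:
        """'unlocked' on success, 'denied' on a wrong password, 'locked' once the
        counter has tripped. No comparison runs in the locked state, so further
        guesses learn nothing and the counter cannot be raced."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(self._derive(attempt, self.salt), self.verifier):
            self.failed = 0
            return "unlocked"
        self.failed += 1
        if self.failed >= MAX_FAILED:
            self.locked = True
        return "denied"

    def reset_lock(self) -> None:
        """Assumed administrative reset (e.g. after an out-of-band recovery step)."""
        self.failed = 0
        self.locked = False


def demo() -> list:
    """Drive a constructed session: wrong guesses until the lock trips, then the
    correct password, which is refused because the drive is already locked."""
    drive = SecureDriveAuth("Correct-Horse-9!")      # constructed password
    guesses = ["password", "123456", "Correct", "correct-horse-9!",
               "Correct-Horse-9", "Correct-Horse-9!"]
    return [drive.unlock(g) for g in guesses]


if __name__ == "__main__":
    print(demo())
    print(f"9 lower-case chars:  {keyspace(9, ('lower',)):.3e} candidates")
    print(f"10 mixed-class chars: {keyspace(10):.3e} candidates")
    print(f"at 100 guesses/s that is {worst_case_years(10, 100):.2e} years")
```

The two halves are complementary: the counter caps how many guesses the device will ever evaluate, which is what makes the attack described in Section 5.2 stop working even for short passwords, while the keyspace figures show why, without a counter, only long mixed-class passwords hold up.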

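Section 6 notes that the analyzed worms persist by adding values to HKLM\Software\Microsoft\Windows\CurrentVersion\Run and that their copies sit in system folders, so a path-based rule alone will not single them out. One practical detection, added here as an example rather than anything from the paper, is to compare a fresh regedit export of the Run key against a known-good baseline: a parser for the text .reg export format (quoted values with the escaping regedit uses) and a diff that reports added, changed and removed autostart entries. Both exports are constructed for this example, and the value names and paths in them are illustrative.

```python
r"""Baseline diff of the HKLM Run key from regedit exports (added example, not the paper's code).

Parses the text .reg export format (regedit escapes backslash as \\ and quote as \"),
then reports autostart entries added, changed or removed relative to a known-good export.
Both exports below are constructed; names and paths are illustrative.
"""
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def _read_quoted(s: str, i: int):
    """Parse the double-quoted string starting at s[i]; return (text, index after closing quote)."""
    out, i = [], i + 1
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):      # \\ -> \  and  \" -> "
            out.append(s[i + 1])
            i += 2
            continue
        if ch == '"':
            return "".join(out), i + 1
        out.append(ch)
        i += 1
    raise ValueError("unterminated quoted string: " + s)


def parse_reg_export(text: str) -> dict:
    """{key path: {value name: value}} for every key in a .reg export.
    String values are unescaped; other types (dword:, hex:) are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith('"'):
            name, j = _read_quoted(line, 0)
        elif line.startswith("@"):
            name, j = "(Default)", 1
        else:
            continue
        if j >= len(line) or line[j] != "=":
            continue
        rest = line[j + 1:]
        value = _read_quoted(rest, 0)[0] if rest.startswith('"') else rest
        keys[current][name] = value
    return keys


def diff_run_key(baseline_text: str, current_text: str, key: str = RUN_KEY) -> dict:
    """Added / changed / removed autostart values relative to the baseline export."""
    before = parse_reg_export(baseline_text).get(key, {})
    after = parse_reg_export(current_text).get(key, {})
    return {
        "added": {n: v for n, v in after.items() if n not in before},
        "removed": {n: v for n, v in before.items() if n not in after},
        "changed": {n: (before[n], after[n]) for n in before if n in after and before[n] != after[n]},
    }


# Constructed exports. The current one shows the pattern described in Section 6:
# a new value and a hijacked existing one, both pointing into the system folder.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
"""

CURRENT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"Adobe Reader Speed Launcher"="C:\\Windows\\system32\\reader_sl.exe"
"msupdate"="C:\\Windows\\system32\\msupdate.exe"
"""


def demo() -> dict:
    """Diff the two constructed exports."""
    return diff_run_key(BASELINE_REG, CURRENT_REG)


if __name__ == "__main__":
    for kind, entries in demo().items():
        for name, value in entries.items():
            print(f"{kind:8s} {name!r}: {value}")
```

Exports written by regedit itself are UTF-16 with a byte-order mark, so when reading a real file open it with encoding "utf-16" before passing the text to parse_reg_export; the baseline should be taken from a clean build and re-taken after every sanctioned software change, otherwise every legitimate installer shows up as an "added" entry.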
References

Alzarouni M. The reality of risks from consented use of USB devices. In: Proceedings of the 4th Australian information security conference; 2006.
Architecture of the User Mode Driver Framework, Version 1.0. Microsoft Corporation; 2007.
Bakker PJ, et al. Investigating 'secure' USB sticks, v.1.4. Olof Palmestraat 6, 2616 LM Delft, The Netherlands: Fox-IT Forensic IT Experts B.V.; 2007.
Chance R. Understanding USB flash drives as portable infrastructure. 1401 Hardley Ct., Bel Air, MD 21014, US: Browsercraft, LLC; 2005.
Fabian M. Endpoint security: managing USB based removable devices with the advent of portable applications. In: Information security curriculum development conference; 2007.
Gibson WR, Dyar D. Implementing preinstallation environment media for use in user support. In: Proceedings of the 35th annual ACM SIGUCCS conference on user services; 2007.
Halderman JA, Schoen SD, Heninger N, Clarkson W, Paul W, Calandrino JA, Feldman AJ. Lest we remember: cold boot attacks on encryption keys. In: Proceedings of the USENIX security symposium; 2008.
Harrison K, Xu S. Protecting cryptographic keys from memory disclosure attacks. In: 37th annual IEEE/IFIP international conference on dependable systems and networks; 2007.
Jeong H, Choi Y, Jeon W, Yang F, Lee W, Kim S. Vulnerability analysis of secure USB flash drives. In: Memory technology, design and testing, IEEE international workshop; 2007.
Lee S, Savoldi A, Lee S, Lim J. Password recovery using an evidence collection tool and countermeasures. In: Intelligent information hiding and multimedia signal processing, third international conference, vol. 2; 2007.
Marcus D, Greve P, Masiello S, Scharoun D. McAfee threats report: third quarter. McAfee, Inc., McAfee Avert Labs; 2009.
McAfee threats report: second quarter 2009. McAfee, Inc.
Paget F. Avert passes milestone: 20 million malware samples. McAfee Lab Blog, McAfee, Inc., <http://www.avertlabs.com/research/blog/index.php/2009/03/10/avertpassesmilestone-20-million-malware-samples/>; 2009 [accessed 20.11.09].
Pham DV, Halgamuge MN, Syed A, Mendis P. Optimizing windows security features to block malware and hack tools on USB storage devices. In: Progress in electromagnetics research symposium; 2010.
Roberts PF. USB devices can crack windows. eWEEK, Ziff Davis Enterprise Inc., <http://www.eweek.com/c/a/Security/USB-devices-can-crack-Windows/>; 2005 [accessed 20.08.09].
Thomas P, Morris A. An investigation into the development of an anti-forensic tool to obscure USB flash drive device information on a windows XP platform. In: Digital forensics and incident analysis, third international annual workshop; 2008. p. 60–6.
Thomas V, Ramagopal P, Mohandas R. The rise of autorun-based malware. McAfee Avert Labs, McAfee, Inc.; 2009.
Vega RD. Linux USB device driver - buffer overflow. St Clement House, 1-3 Alencon Link, Basingstoke RG21 7SB, England: MWR InfoSecurity security advisory, MWR InfoSecurity Limited; 2009.
W3Schools. Operating system statistics, <http://www.w3schools.com/browsers/browsers_os.asp>; 2009 [accessed 10.10.09].