Malka N. Halgamuge
RMIT University
Digital Investigation 7 (2011) 172–184
available at www.sciencedirect.com
Article history: Received 12 January 2010; Received in revised form 26 January 2011; Accepted 17 February 2011

Keywords: USB; Flash drive; Autorun; Hack tool; Malware

Abstract

Information security risks associated with Universal Serial Bus (USB) storage devices have been serious issues since 2003, which marked the wide adoption of USB technologies in the computing industry, especially in corporate networks. Due to the insecure design and the open standards of USB technologies, attackers have successfully exploited various vulnerabilities in USB protocols, USB embedded security software, USB drivers, and Windows Autoplay features to launch various software attacks against host computers and USB devices. The purposes of this paper are: (i) to provide an investigation on the currently identified USB based software attacks on host computers and USB storage devices, (ii) to identify the technology enablers of the attacks, and (iii) to form a taxonomy of attacks. The results show that a multilayered security solution framework involving software implementations at the User Mode layer in the operating systems can help eliminate the root cause of the problem radically.

© 2011 Elsevier Ltd. All rights reserved.
1. Introduction

Universal Serial Bus (USB) is a communication standard which has been widely adopted in the computing industry for the last few years for replacing serial and parallel ports. USB offers a number of advantages such as high data processing speed, hot swapping, plug-and-play (PnP), and self-power supplying to peripherals, which helped it quickly gain popularity. The implementation of USB allows a wide range of different electronic devices to connect to computers such as mice, keyboards, PDAs, gamepads, joysticks, scanners, printers, digital cameras, personal media players, flash drives, and external hard drives. However, the popularity of USB interface capable devices has resulted in increased risks to the information security of both host computers and USB devices. In this research, we investigate all the currently identified USB based software attacks, and develop a conceptual security framework for protecting host computers and USB drives from USB based software attacks. In detail, the following aspects are considered:

- Software attacks on host computers by USB based malware such as worms, viruses, and Trojan horses, and by USB based hack tools.
- Software attacks on USB drives by hack tools.
- A security framework for protecting both USB drives and host computers against USB based software attacks.

2. Previous work

Previous research has been conducted in three areas: (1) USB based software attacks on host computers, (2) software
* Corresponding author.
E-mail address: malka.nisha@unimelb.edu.au (M.N. Halgamuge).
1742-2876/$ - see front matter © 2011 Elsevier Ltd. All rights reserved.
doi:10.1016/j.diin.2011.02.001
attacks on USB devices, and (3) protection measures and best practices for preventing USB based software attacks.

2.1. USB based software attacks on host computers

USB based software attacks on host computers refer to software attacks launched from USB devices against host computers. Such attacks analyzed in previous research can be categorized into online attack mode, referring to the attacks launched from USB drives which are inserted into running computers, and offline attack mode, which happens when attackers manage to boot the target computers from their crafted USB drives.

2.1.1. Online attack mode

Among the attacks on host computers, data theft has been the biggest concern related to USB devices in corporate environments since 2005 when USB 2.0 devices became popular. Data theft is normally conducted using various simple ad hoc programmed utilities which are capable of silently downloading some specific data files from host computers into USB drives (Alzarouni, 2006; Fabian, 2007). In 2006 and 2007, there was a substantial increase in the frequency and the level of complexity of USB based software attacks on computers, especially networked computers. The ad hoc programmed hack tools, automatically launched from USB drives, were capable of doing many kinds of data manipulation on computer systems such as changing registry settings, installing backdoors and other malicious codes, stealing confidential information, and even downloading the system page file from a running computer to a USB drive (Alzarouni, 2006; Lee et al., 2007). Cryptography attacks were also common during the period with the support of USB drives and some ad hoc programmed hack tools which are capable of exploiting operating systems’ data encryption keys, OpenSSH, and Apache HTTPS servers (Harrison and Xu, 2007).

After the USB 2.0 standard, the U3 revolution becoming popular in 2007 has made U3 (USB) drives ultimate hacking tools. The applications installed in U3 drives can be executed without having to be installed on host computers. Attackers can simply craft their own U3 ISO images with the necessary hack tools to replace the original U3 ISO images on U3 drives, and take advantage of the technology to launch multi-payload attacks on the target computers (Alzarouni, 2006; Lee et al., 2007).

In 2008, a utility was developed to allow manipulating the information on inserted USB devices stored in the Windows registry. It was suggested that when such a utility is used in combination with other malicious codes, it creates an additional protection layer for the attackers who employ USB devices as attack tools (Thomas and Morris, 2008). Although the idea of manipulating the Windows registry by utilities or malware was not new, it did suggest another possibility of software attacks using USB devices. Obviously, skilled attackers can further improve the idea to help them clear their tracks or create obfuscating information on the host computers after completing their attacks.

2.1.2. Offline attack mode

The enabler for offline attack mode comes from the “boot from USB” capability of recent motherboards and Preinstallation Environment (PE) tools such as Windows PE and Bart PE. These PE tools make it possible for the cores of some Windows editions such as Windows XP and Vista to be installed on and booted from USB drives. Later on, miscellaneous toolkits such as antivirus software, data recovery, hard-drive diagnostics, zip software, web browsers, secure file transfer protocol (FTP), word processing, registry editor, product key viewer, network configuration, and remote desktop client tools were bundled into bootable USB drives (Gibson and Dyar, 2007).

Although the “boot from USB” feature was originally designed for computer administration purposes, bootable USB drives are also very powerful hack tools. With the aid of a few hundred-megabyte USB 2.0 drives, an attacker can boot the target computer from the USB drive and dump all the data from the host computer to the USB drive within half an hour. Even with cryptography, the cryptographic key materials stored in computer memory (RAM) were successfully retrieved with the aid of a bootable USB drive and a tiny plug-in of a few kilobytes in an experiment in 2008 (Halderman et al., 2008). Moreover, such attacks do not cause any damage to the host’s operating system or data, and they do not require the host operating system’s accounts either.

2.2. Software attacks on connected USB drives

Similar to the data stored in host computers, data stored on USB drives and even secure USB flash drives are also vulnerable to different kinds of software attacks. USB drive security-software bugs and the insecure nature of the communication channels between the USB devices and host computers make many password-protected and even fingerprint-protected USB drives vulnerable to software attacks. On password-protected USB drives such as Safeboot Phantom and MXI MXP Stealth, weak passwords result in successful brute force attacks. On fingerprint-protected USB drives such as the BioSlimDisk iCool drives, imported fingerprints can be easily deleted with the support of a crafted program. This allows attackers to import their own fingerprints and compromise the security measures (Jeong et al., 2007; Bakker et al., 2007). The other type of attack on such devices is security protection bypass, which is conducted by exploiting vulnerabilities in the security software of USB drives. Successfully exploiting the vulnerabilities allows attackers to have direct access to the data stored in the secure partition of the devices (Jeong et al., 2007).

2.3. USB based malware

USB based malware is the most common type of USB based software attack. However, this type of attack has not been addressed in any of the previous papers. While attacks analyzed in the previous research are normally target-specific and manually triggered, attacks by USB based malware are fully automated and do not normally have specific targets. USB based malware is supposed to account for the majority of all USB based software attacks. However, this threat vector has not received enough attention and further work on this type of attack is necessary.
2.4. Currently proposed protection measures

The proposed solutions for secure use of USB technologies in previous research can be categorized into three categories: data access control, USB port access control, and security policies. Among the three types of solutions, data access control is probably the most interesting, feasible and widely adopted. Data access control allows the use of USB devices while it maintains definite security levels. The commonly proposed data access control solutions include disabling Autorun, limiting user privileges, encrypting the stored data on both communication ends, restricting access to vital data on critical servers, monitoring access to servers, and limiting the size of data transferable to USB drives (Alzarouni, 2006).

USB port access control involves disabling USB ports physically, or disabling USB ports by firmware and operating system settings and third party utilities. In some organizations, USB ports on computers are physically disabled by glue, which is the last recommended solution. Disabling USB ports by Basic Input Output System (BIOS) settings, Windows registry, and Group Policy settings are some other options. Many researchers recommend deploying third party utilities such as NetWrix USB Blocker, DeviceLock, and Zlock to apply USB port access privileges to specific users, user groups, and even USB device classes such as Palm, and USB phones (Alzarouni, 2006; Fabian, 2007).

Acceptable Use Policy (AUP) is also commonly referred to as a management solution for USB security issues. AUPs are normally implemented with security education and training programs to provide users with essential understanding on secure use of information systems, regulate users’ actions, and provide procedures for managing security incidents (Fabian, 2007). AUPs are generally cost-effective management solutions which can be implemented in any corporate environment.

2.5. Unresolved issues in the proposed solutions

There were some disadvantages and unresolved issues in the proposed solutions in the previous papers which affect the solutions’ efficiency and effectiveness.

Firstly, there are some disadvantages in the proposed solutions because important factors such as business efficiency, investment and maintenance costs, end users, and personal computers were not considered in any of these solutions. Data access control and USB interface access control are obstacles to business efficiency and potentially become a burden on the IT budget in terms of both software license and maintenance costs. End users and personal computers (PC) were not considered in any of the proposed solutions. In reality, AUP and other corporate policies are not applicable to PC users. Moreover, complicated system configurations and additional costs for third party software are not likely to be accepted by PC users.

Secondly, due to the lack of root-cause analysis of these attacks, the technology enablers of these attack vectors were not identified. Therefore, the proposed solutions tended to fix the consequences of the vulnerabilities in USB security software, Windows Autoplay features, the Windows driver security model, and the USB interface management feature instead of addressing these vulnerabilities directly. Attacks automatically launched from USB storage devices such as data theft and multi-payload attacks simply exploit the vulnerability in Windows Autoplay features. This vulnerability comes from the lack of a built-in security mechanism inside Windows Autoplay features. Similarly, due to the lack of a security mechanism for the USB interface, computer malware can spread back and forth between USB drives and internal drives. Although the USB interface is designed for data exchange between computers and their outside environments, it is left open to the external environment without any security protection mechanism. Attacks on USB drivers were possible due to the lack of driver signing enforcement, which allows unidentified drivers to be injected into the Windows kernel. However, the proposed solutions do not directly address any of these vulnerabilities.

Thirdly, there was a lack of a complete taxonomy of USB based software attacks and a framework for addressing USB based software attacks in the previous research. Each of the provided solutions is designed for addressing some of the currently identified attack vectors in specific scenarios only and therefore tends to leave out other attack vectors.

Finally, the attacks and proposed solutions were evaluated in the contexts of Windows XP and the earlier x86 versions while their successors such as Windows 7 x86 and x64 have been in place for a while, and will soon be popular in both office and home environments.

3. Attacks by USB based malware

3.1. USB based malware

The term “USB based malware” in this paper refers to computer worms, viruses, Trojan horses, spyware, adware, and root kits which are specially designed to exploit Windows Autoplay features to replicate over USB drives and launch attacks against host computers and computer systems. Although the term “USB based malware” has been mentioned on the world wide web as computer malware spreading via USB drives, this concept does not differentiate the malware that is purposely designed for spreading via USB drives from the malware that is designed for replicating via any means of media. Many worms can spread via many means of media including USB drives, floppy drives, compact discs, and network shares; however, they do not exploit the Autoplay features. Such worms are not considered as USB worms in the scope of this paper. The majority of the malicious codes mentioned in this research are referred to as W32/Autorun by security firms such as Symantec, Microsoft, and McAfee. W32/Autorun does not include all the malicious codes that exploit Autoplay features. This research takes into account any malware which does exploit Autoplay features.

Windows Autoplay features were designed for providing an appropriate software response to hardware actions initiated by computer users. The features are available in version 1 and version 2. Version 1 was designed for Windows 98 and Windows 2000. Version 2 was improved from version 1 to support multimedia contents and devices and is available on Windows XP, Windows 2003, Windows Vista, Windows 2008, and Windows 7. The features operate based on
Fig. 3. The development of USB based malware in relation to its supporting technologies; data sources (Chance, 2005; W3chools, 2009).
drives sold, market share of operating systems supporting USB PnP and Autoplay v2, USB standard maturity level, U3 and boot from USB technologies.

4. Attacks on host computers

Attacks on host computers involve buffer overflow attacks on USB drivers, data theft attacks on host computers, multi-payload attacks using U3 and portable hack tools, and offline cold boot attacks.

4.1. Attacks on USB driver

Buffer overflow attack on the vulnerabilities in USB 2.0 drivers in computer operating systems is the most primitive type of USB based software attack, and was first mentioned in 2005 (Roberts, 2005). The problem comes from the weakness in the design of earlier USB 2.0 devices, where firmware was designed with little care for security and validation. Attackers could program their USB drivers to exploit the vulnerabilities and escalate privileges on any operating system such as Windows, Linux, and OS/2 (Roberts, 2005). However, such problems on the Windows platform have not yet been confirmed by Microsoft or computer OEMs.

In 2009, the same problem was detected again in Auerswald Linux’s USB driver. Attackers who have physical access to Linux computers can use their crafted USB drives to execute arbitrary code on the computers at the kernel level and take control over the systems (Vega, 2009). Fortunately, this attack vector is not common, possibly due to the requirements of physical access to the target computers and knowledge in USB driver programming.

4.2. Data theft attacks on host computers

Data theft with the support of USB drives has been a serious issue in corporate networks for the last few years, especially after the USB 2.0 standard became popular in 2004. The common payload of data theft is intended to steal business data and sometimes personal data such as credit card information left in cache memory. This attack vector utilizes some simple scripts written in Perl, MS DOS batch script, or VBScript, with some readymade tools freely available on the Internet. Sometimes, Windows built-in utilities such as xcopy.exe, robocopy.exe, or the copy command are also utilized. Most of these scripts are designed to exploit the Autoplay features. As the attack process is conducted in non-console mode or in the background as a Windows process, it is totally transparent to users. The common functions provided by readymade tools used in such attacks include data query (Pod slurping), data copy (xcopy.exe), simple mail transfer protocol (SMTP) clients, data compression (rar.exe), and secure socket layer (SSL) client (Stunnel). The combined payload of these tools allows attackers to locate the necessary data on host computers and save the data to their USB drives, or compress and send the data through an SSL channel to their FTP servers or mailboxes.

Such attack techniques are not always effective in many scenarios on Windows operating systems that support the User Account Control (UAC) feature. UAC is a security feature which is available in Windows Vista, Windows 2008, and Windows 7. This feature monitors all processes and activities
4.4. Offline cold boot attack

The original concept of booting up from USB used a lightweight edition of Windows XP from CDs for administrative purposes such as data rescue, operating system repair from serious crashes, or virus scanning. This was first possible when Microsoft released Windows PE 1.0 for Windows XP and Windows 2003 in 2002. When USB 2.0 drives became popular and boot from USB became a default feature of computer mainboards, dumping Windows to USB drives became popular in 2006, especially with the support of Bart PE. Windows PE 2.0 (for Windows Vista and Windows 2008) and 3.0 (for Windows 7) also support boot from USB at quite low system requirements, making such solutions popular. After Windows PE, boot from USB has now been possible on various Linux distributions such as Knoppix, Ubuntu, Linux Mint, and Kubuntu.

Cold boot attack from USB is the most dangerous among all attack vectors analyzed in this paper. After a cold boot from a USB drive, the target computer will be under the control of the operating system running on the attacker’s USB drive. Attackers have absolute freedom to do whatever they want on their operating systems and on the victims’ computers, even on computers with encrypted volumes. Moreover, there are a few distributions of these lightweight operating systems shipped with a variety of hack tools including data recovering, data backup, encryption and decryption, secure FTP, SAM editing, network configuration, remote desktop, password retrieval, and key viewer. Some of these versions are Super WinPEwas and Paragon HDD Manager. These versions can be downloaded easily from torrent networks. This allows people with little technical knowledge to participate in this attack vector. Finally, because the operating systems run on attackers’ external USB drives, there is generally no trace left on victim computers after cold boot attacks.

drives which do not support data encryption on transport (Halderman et al., 2008).

5.2. Attack on security software on secure USB drives

Exploiting vulnerabilities in USB security software is the most common attack vector targeting secure USB drives. The two main drivers for this attack vector are password recovery and business data recovery. Moreover, there are also some facilitators behind this attack vector. The first one is the ease of access to USB product documentation and software development kits consisting of source codes, header files, and other related information about the EEPROM content of USB devices. The second factor is that all USB standards from 1.0 to 3.0 are open standards provided by the USB Forum and freely available for public access. Lastly, USB standards are rather simple and insecure. It does not require too much knowledge about electronic engineering or programming to be able to design and assemble USB devices, and write USB drivers for the devices.

Vulnerabilities in USB drives’ security software resulted in security protection bypass on both password-protected and fingerprint-protected USB drives. This allows attackers to have direct access to the protected data partition. A common exploit is a buffer overflow attack on the security software conducted by sending known erroneous packets to the USB software (Bakker et al., 2007). When a buffer overflow attack cannot be employed, password brute-force attack is another option. As many secure USB drives do not support self-lock mechanisms activated after a number of wrong password attempts, attackers can simply run a password brute-force attack until the valid password is found (Bakker et al., 2007). Although password brute-force attack is generally not feasible with strong passwords of more than 9 characters created from a combination of capital characters, lower case characters, numbers, and special characters, such passwords are rarely implemented by users.
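A worked illustration of the two claims above, added here as an example in Python that is not part of the paper: the keyspace behind the "more than 9 characters from four classes" guidance, and a toy model of a drive's password gate showing how a self-lock counter bounds the number of guesses regardless of password strength. The character-class sizes, the guess rate, and the tiny alphabet used in the simulation are assumptions.

```python
"""Password-guessing exposure of a secure USB drive with and without a self-lock counter.
Added illustration for Section 5.2 of the paper; a toy model, not any vendor's firmware."""
import string
from itertools import product

# Sizes of the four character classes the paper's guidance combines
# (assumption: "special characters" = the 32 ASCII punctuation characters).
CLASS_SIZES = {
    "upper": len(string.ascii_uppercase),   # 26
    "lower": len(string.ascii_lowercase),   # 26
    "digit": len(string.digits),            # 10
    "special": len(string.punctuation),     # 32
}
ALL_CLASSES = ("upper", "lower", "digit", "special")
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, classes=ALL_CLASSES) -> int:
    """Number of distinct passwords of exactly `length` characters over the chosen classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in `space` at an assumed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


class SecureDriveModel:
    """Minimal model of a drive's password gate.

    max_failures=None reproduces the weakness the paper describes: the drive accepts
    an unlimited number of wrong attempts. A positive value models a self-lock
    mechanism that refuses every further attempt once that many failures occurred.
    """

    def __init__(self, password: str, max_failures=None):
        self._password = password
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def unlock(self, candidate: str) -> bool:
        if self.locked:
            return False
        if candidate == self._password:
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def guessing_exposure(drive: SecureDriveModel, alphabet: str, length: int):
    """Feed the gate every string over a tiny alphabet, in a fixed order, to compare policies.

    Returns (password_found, attempts_made, drive_locked).
    """
    attempts = 0
    for combo in product(alphabet, repeat=length):
        attempts += 1
        if drive.unlock("".join(combo)):
            return True, attempts, drive.locked
        if drive.locked:
            return False, attempts, True
    return False, attempts, drive.locked


if __name__ == "__main__":
    strong = keyspace(9)            # 94**9 candidates
    weak = keyspace(6, ("lower",))  # 26**6 candidates
    rate = 1e6                      # assumed guesses per second
    print(f"9 chars, 4 classes: {strong:.2e} candidates, {years_to_exhaust(strong, rate):,.0f} years")
    print(f"6 lowercase chars: {weak:.2e} candidates, {years_to_exhaust(weak, rate) * SECONDS_PER_YEAR:.0f} s")
    # Same secret and same guessing order; only the lockout policy differs.
    print("no self-lock :", guessing_exposure(SecureDriveModel("cab"), "abc", 3))
    print("lock after 10:", guessing_exposure(SecureDriveModel("cab", max_failures=10), "abc", 3))
```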
programs, this attack vector is hard to prevent. These tools can be re-coded easily in various scripting languages such as VBScript, batch scripting, and Perl. The attack processes can also be scheduled by operating system task schedulers. This makes the chance of success higher because the action patterns are very similar to those of administrative tasks scheduled by system administrators. Moreover, if the attacks happen on attackers’ computers, security features are normally disabled, allowing the attacks to happen smoothly.

6. USB based malware common profile

USB based worms account for the major portion of USB based malware mainly due to their capability of exploiting the Autoplay feature to replicate. Each of these worms comes in large families of up to hundreds of variants, such as the Pushbot family with more than 420 variants, which have very similar infection mechanisms and payloads. This can somehow be explained by the availability of USB malware construction kits on the Internet.

Fig. 7 shows the common profile of the analyzed USB based malware, which has been simplified with the focus on the replication mechanism via USB devices and the payload. At the beginning of an attack cycle, when an infected USB drive is inserted into a computer, the Autoplay feature will trigger the Autorun.inf which activates the malware. The very first action done by such malware is to install its copies into the system folders on the host computer. The Windows registry will then be updated to allow these copies to be started with the operating system. Many of the analyzed worms update the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key to make their copies start with Windows at Windows startup. After the copies are loaded, Process Explorer and Windows Task Manager will show their process locations as inside system folders, making users confuse them with legitimate processes. These processes actively listen for inserted USB drives to replicate themselves by installing their copies and creating Autorun.inf files on the media. The worms can work as botnet clients, or further codes will be silently downloaded from remote servers and installed on the infected computers, making the computers clients of the worm authors’ botnets. The majority of the analyzed malware are designed for creating botnets and participating in DDoS attacks. Such a payload is also the common payload for the malware of all categories in the period of 2008–2009 (Marcus et al., 2009).

Fig. 7. The simplified common profile of USB based malware.

Fig. 8. Security framework for mitigating USB based software attacks.

7. Solution
threat layers, and protection measures are categorized into the corresponding protection layers to achieve the best protection results. The inner protection layers are designed for mitigating the attacks from the outer threat layers, and therefore an attack may be mitigated by one or multiple security measures at one or more protection layers. The core layer contains operating system files and settings, data on host computers, and data in USB drives. The goal of this framework is to protect the core layer from USB based software attacks located in the three threat layers.

The security measures proposed in the three protection layers of the framework are aimed at resolving the root causes of the identified attacks. Table 1 summarizes the solution framework in the format of a solution matrix.

7.1. The first threat and first protection layer

The first threat layer includes multi-payload attacks using U3 hack tools, USB based malware, and data theft attacks. Attacks from this layer are normally handled effectively by the security measures in the first protection layer because most malware scanners would recognize the involvement of malware and hack tools in these attacks. Windows XP SP2 and later versions are equipped with some free anti-malware solutions including Windows Defender, Microsoft Security Essentials (MSE), and Windows Firewall. Windows Defender, previously known as Microsoft Antispyware, is a spyware and adware scanner available via Windows Update without any maintenance effort. MSE is an anti-malware program which provides real-time protection and auto-update like many other anti-malware programs in the market. A test conducted by AV-Test.org in October 2009 showed that MSE achieved a 98.44 per cent detection rate using malware signature based detection (Pham et al., 2010). Moreover, as malicious codes tend to communicate with servers on the Internet, Windows Firewall is an effective measure which blocks such communication and prevents the malware from completing its attack cycle.

In terms of hack tools, the results of our experiment with over 3800 hack tools and hack toolkits, including the most common USB based hack tools listed in Table 2 below, demonstrated that most of these hack tools can be detected by common antivirus software. Many of these hack tools can be directly executed from USB drives or compiled to portable format using compilation tools such as Package factory VMware ThinApp, Landesk Application Virtualization, Ceedo, and InstallFree. More importantly, all the critical USB based hack tools such as GonZors SwitchBlade, USB Pocket Knife, USB Hacksaw, USBDumper, and Port Slurp can be detected by all of these antivirus products. A list of these USB hack tools can be found in Table A2, and the categories of the payloads of these hack tools and hack toolkits are listed in Table A3 in the Appendix of this paper.

Besides malware scanners, UAC, AppLocker, and Parse Autorun are recommended security features for Windows Vista and later editions. UAC is a built-in feature first available in Windows Vista. This feature actively monitors process activities and prevents abnormal access to system files and settings which resembles common malware behaviors. Some hack tools such as USB SwitchBlade and Network Password Recovery were possible on Windows XP and earlier editions. However, these hack tools will now trigger the Windows security alert activated by UAC when they try to access system files and settings. AppLocker is a new feature of Windows 2008 R2 and Windows 7 which allows administrators to have control over the execution of specific applications and scripts based on specific computers, users and user groups, and the
Table 1. Solution matrix of the security framework.

Attack | Root cause | Threat layer: consequence | Protection layer: measure
Attacks by USB based malware | No security management mechanism for USB interface (a) | Layer 1: Malware can spread back and forth between USB drives and internal drives. | Layer 1: AppLocker, antivirus software, firewall, UAC.
Attacks by USB based malware | No security mechanism for Windows Autoplay features (b) | Layer 1: This makes USB worms possible (c). | Layer 1: Parse Autorun
Attacks on host computers | No security mechanism for Windows Autoplay features (b) | Layer 1: Hack tools can be activated automatically on USB drive insertion. | Layer 1: Parse Autorun
Attacks on host computers | No security management mechanism for USB interface (a) | Layer 1: Hack tools can be executed from USB drives which are external drives. | Layer 1: AppLocker, antivirus software, firewall, UAC
Attacks on host computers | Data is left unprotected when the operating system is offline | Layer 2: Offline cold boot attacks. | Layer 2: Volume encryption
Attacks on host computers | Driver signing is not enforced | Layer 3: This makes USB driver injection possible. | Layer 3: Enforcing driver signing with standardized USB drivers.
Attacks on host computers | USB driver is located in kernel mode layer | Layer 3: Attackers gain system privilege once USB driver injection is completed. | Layer 3: Completely move USB driver to User Mode layer.
Attacks on USB storage devices | No standardized USB security software | Layer 3: USB security software attacks: buffer overflow and password brute force attacks | Layer 3: Standardize USB driver and security software.
Attacks on USB storage devices | No security mechanism for USB protocol | Layer 3: Attack on USB protocol | Layer 3: Standardize USB driver and security software

(a) USB drives are not properly managed as “external” devices and thus there is no “firewall” between USB drives and computer internal drives.
(b) Windows Autoplay features automatically load any files, including malware, as specified in Autorun.inf files.
(c) USB worms are capable of self-replicating due to Windows Autoplay features.
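The "Parse Autorun" measure in Table 1 and the attack cycle in Section 6 both hinge on what the Autorun.inf on an inserted drive tells Autoplay to do. As an added example that is not part of the paper, the Python below is a tolerant Autorun.inf inspector: it extracts the launch directives and flags the patterns Section 6 describes (auto-launched executables, launch targets placed in recycler or system folders, a spoofed Autoplay prompt). Both sample files are constructed, and the extension and folder heuristics are assumptions rather than any product's rules.

```python
"""Autorun.inf inspector: reports what Windows Autoplay would launch and why it looks suspicious.
Added illustration of the paper's "Parse Autorun" measure; heuristics are the author's assumptions."""
import re
from dataclasses import dataclass, field

# File types Autoplay/ShellExecute will run directly (assumed list of the common ones).
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js")
# Folders worm droppers favour because Explorer hides them by default (assumed heuristic).
HIDDEN_DIR_RE = re.compile(
    r"(^|[\\/])(recycler|recycled|\$recycle\.bin|system volume information)([\\/]|$)", re.I)
# Prompt text that imitates Explorer's own "Open folder to view files" entry (assumed heuristic).
SPOOF_ACTION_RE = re.compile(r"open\s+folder\s+to\s+view\s+files", re.I)


@dataclass
class AutorunReport:
    directives: dict = field(default_factory=dict)      # normalised key -> value
    launch_targets: list = field(default_factory=list)  # everything Autoplay would execute
    findings: list = field(default_factory=list)        # human-readable reasons

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_autorun(text: str) -> dict:
    """Tolerant [autorun] parser: keys case-insensitive, junk lines (often inserted by
    worms to break strict INI parsers) ignored, only the [autorun] section considered."""
    directives, in_section = {}, False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def inspect_autorun(text: str) -> AutorunReport:
    rep = AutorunReport(directives=parse_autorun(text))
    for key, value in rep.directives.items():
        # open=, shellexecute= and shell\<verb>\command= each name something to execute.
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            rep.launch_targets.append(value)
            rep.findings.append(f"auto-launch directive: {key}={value}")
    for target in rep.launch_targets:
        program = target.split()[0] if target.split() else target   # drop arguments
        if program.lower().endswith(EXEC_EXT):
            rep.findings.append(f"launch target is an executable: {program}")
        if HIDDEN_DIR_RE.search(program):
            rep.findings.append(f"launch target hidden in a system folder: {program}")
    # shell=<verb> makes that verb the double-click default; dangerous when it has a command.
    verb = rep.directives.get("shell", "").lower()
    if verb and f"shell\\{verb}\\command" in rep.directives:
        rep.findings.append(f"double-clicking the drive runs shell\\{verb}\\command")
    action = rep.directives.get("action", "")
    if SPOOF_ACTION_RE.search(action):
        rep.findings.append(f"Autoplay prompt imitates Explorer's own entry: action={action}")
    return rep


# Constructed samples (not taken from any real specimen).
WORM_STYLE_SAMPLE = """\
[AutoRun]
@#$%junk line with no key, tolerated by the parser
OPEN=RECYCLER\\S-1-5-21-EXAMPLE\\update.exe
shellexecute=RECYCLER\\S-1-5-21-EXAMPLE\\update.exe -q
shell\\Open\\Command=RECYCLER\\S-1-5-21-EXAMPLE\\update.exe
shell=Open
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
VENDOR_STYLE_SAMPLE = """\
[autorun]
icon=setup.exe,0
label=Vendor Installer
"""

if __name__ == "__main__":
    for name, sample in (("worm-style", WORM_STYLE_SAMPLE), ("vendor-style", VENDOR_STYLE_SAMPLE)):
        rep = inspect_autorun(sample)
        print(f"{name}: suspicious={rep.suspicious}, launch targets={rep.launch_targets}")
        for finding in rep.findings:
            print("  -", finding)
```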