Could A Thumb Drive Stop Stuxnet?

Is the data stored on your USB thumb drive safe from any malware on a PC it gets plugged into?

USB thumb drive manufacturer Kingston Technology this week announced that two of its drives from the Traveler line -- DataTraveler Vault Privacy and DataTraveler 4000 -- now come with an optional ClevX DriveSecurity feature, which requires 300 MB of the drive's space and includes built-in ESET antivirus software for nuking any viruses, worms, Trojan applications, rootkits, or adware that might attempt to infect the drive.

"When the drive owner authenticates to the flash drive, DriveSecurity launches immediately. It updates its virus signature and scans any changes (all new files, applications, etc.) to the flash drive," said ESET. "Upon user request, it checks the entire flash drive to ensure that it is free of malicious code." ESET also said its anti-malware software contains heuristic malware detection to help identity unknown threats. But the company said that the drive's antivirus software won't scan the PC that it gets plugged into.

Is antivirus software on USB thumb drives redundant? Or might it instead have helped prevent the outbreak of such malware as Stuxnet? Indeed, a USB key carrying Stuxnet appears to have been responsible for at least some of the resulting infections, which targeted an Iranian nuclear facility at Natanz. The caveat with Stuxnet, of course, is that the malware seems to have been introduced on purpose, likely by a U.S. agent, meaning it was meant to infect the USB drive and in turn systems at the facility.

[ Hacking group boasts of government, trade group exploits. Read more at Team Ghostshell Hackers Claim NASA, Interpol, Pentagon Breaches. ]

On the other hand, common malware that attempts to infect USB drives remains alive and well, in part because eradicating it is difficult given all of the different ways in which it can spread. For example, ESET last week reported that the second most prevalent virus is an auto-run worm known as Pronny, which spreads in part by infecting removable media. Once the worm infects a system, it then hides versions of itself elsewhere, including on network shares, and attempts to infect everything it can touch, including thumb drives.

USB drives can get infected in numerous ways, such as through supply chain insecurities during production. For example, IBM accidentally distributed thumb drives at an Australian security conference that were infected malware.

Other infection vectors involve employees using virus-infected kiosks or third-party PCs at airports or Internet cafes, giving the USB key to a friend whose PC happens to have a virus, or using the USB key on a corporate network where a virus is residing.

"In practice one sees both unintentional and intentional infection. Stuxnet is an example of the latter, where someone loaded malicious code onto the drive with the intent of getting that code onto a target system," said ESET security evangelist Stephen Cobb in a blog post. "Unintentional infection can occur when you place your USB flash drive into an inadequately protected system. Sure, you may detect the infection later, when you eventually place your drive into your own computer, but you could do a lot of damage before then."

As an example, Cobb references a case detailed earlier this year by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which in 2010 investigated an outbreak of malware tied to the Mariposa botnet. While the affected organization wasn't named, the industry was noted as being "the nuclear sector."

The investigators traced the infection back to a conference presentation, noting in an advisory that "an employee attended an industry event and used an instructor's universal serial bus (USB) flash drive to download presentation materials to a laptop." After the employee reconnected their laptop to the corporate network after returning to work, the malware spread, ultimately infecting 100 other network-connected systems.

As malware gets increasingly sophisticated, so, too, must the technology and strategies we use to detect and eradicate it (or, better yet, stop it before it ever makes it onto network systems). Our Rooting Out Sophisticated Malware report examines the tools, technologies and strategies that can ease some of the burden. (Free registration required.)