Something old, something new...with USB

It really amazes me sometimes how a journalist "covering the security scene" will wake up one day and come to the revelation that something is "new". The thing is that most kids in junior high school today know enough about how to use Google to find out that these things really aren't all that "new". Ugh. Maybe now that we've redefined "is", we have to work our way through the dictionary and redefine "new", as well.

Case in point...this ComputerWorld article. Take a look at this excerpt from the first paragraph:

Now, the emergence of USB flash drives that can store and automatically run applications straight off the device could soon make the drives even more of a security headache.

Yeah, okay, this is essentially a true statement...and there's more to it. It's that extra bit of information that needs to be understood to effectively address this threat.

The ComputerWorld article makes repeated references to Hak.5, a video podcast version of MAKE. It's not a podcast I've seen before, but it does look pretty interesting. Anyway, the article refers to something called "Switchblade", described in the episode Wiki as "a custom USB key that will retrieve vital information from a target computer, necessary for auditing password strength".

Okay, so what's really going on here? Well, the issue is the use of the U3-enabled thumb drives. In a nutshell, the U3 utilities create a small CDFS partition at the beginning of the thumb drive, with the intention of providing the user with mobility...anyone owning a U3-enabled thumb drive can take their desktop (well, a limited desktop) anywhere with them, and plug the thumb drive into any workstation and use their applications. Nice, convenient...and a security nightmare.

Like I said, the core issue is the CDFS partition and how Windows systems treat these partitions. Windows has an autorun feature that allows for the "load=" and "run=" lines from autorun.inf files located in the root of the partition to be parsed and executed, but only for certain types of media. Removable (i.e., USB) drives don't allow this by default, but CDs and DVDs do. The default value for the NoDriveTypeAutoRun key is 0x95, which means that CD-Rom drives allow the functionality by default.

For more information, MS KB article Q155217 describes how to disable this functionality for CD-Rom drives. Additional information about the Cdrom\AutoRun key is here, and there's an explanation of the AutoRunAlwaysDisable key here. Also, from MS's USB FAQ:

Q: What must I do to trigger Autorun on my USB storage device?
The Autorun capabilities are restricted to CD-ROM drives and fixed disk drives. If you need to make a USB storage device perform Autorun, the device must not be marked as a removable media device and the device must contain an Autorun.inf file and a startup application.

The U3 utility essentially marks a portion of the device as a CDFS partition (...must not be marked as a removable media device...). Please note...regardless of what one thinks it should be, "removable media" != "CD-Rom".
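To make the 0x95 value concrete, here is an added example (my own illustration, not code from the original post or from U3/Microsoft) that decodes the NoDriveTypeAutoRun bitmask using the documented drive-type bit layout, shows which drive types the default still lets autorun (CD-ROM and fixed disks, matching the MS FAQ quoted above), and emits a .reg fragment for the hardened 0xFF value. The policy key path is the real one; the mask values are just the ones from the text.

```python
# Added example, not code from the original post. Decodes the
# NoDriveTypeAutoRun bitmask Explorer consults before processing autorun.inf,
# using the documented drive-type bit layout, and shows why the 0x95 default
# named above still lets a CD-ROM (including a U3 CDFS partition) autorun.

# A set bit DISABLES autorun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",      # drive type cannot be determined
    0x02: "DRIVE_NO_ROOT_DIR",  # root path invalid (e.g. no volume mounted)
    0x04: "DRIVE_REMOVABLE",    # floppy, USB stick marked "removable media"
    0x08: "DRIVE_FIXED",        # hard disks
    0x10: "DRIVE_REMOTE",       # network shares
    0x20: "DRIVE_CDROM",        # CD/DVD drives; U3 presents its CDFS slice as one
    0x40: "DRIVE_RAMDISK",
    0x80: "UNKNOWN_TYPE_RESERVED",
}

ALL_DISABLED = 0xFF  # hardened value: autorun off for every drive type
XP_DEFAULT = 0x95    # default value quoted in the text above

# Real registry location of the policy value (HKCU has an equivalent).
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def disabled_types(mask: int) -> set:
    """Drive types whose bit is set, i.e. autorun is blocked for them."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit}


def allowed_types(mask: int) -> set:
    """Drive types that will still honour autorun.inf under this mask."""
    return set(DRIVE_TYPE_BITS.values()) - disabled_types(mask)


def cdrom_autorun_allowed(mask: int) -> bool:
    """True when the CD-ROM bit (0x20) is clear, as it is in 0x95."""
    return not (mask & 0x20)


def harden(mask: int) -> int:
    """Return the mask with every drive-type bit set (equivalent to 0xFF)."""
    return mask | ALL_DISABLED


def reg_fragment(mask: int) -> str:
    """Emit a .reg fragment that sets the policy value to `mask`."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{POLICY_KEY}]\r\n"
        f'"NoDriveTypeAutoRun"=dword:{mask:08x}\r\n'
    )


if __name__ == "__main__":
    for label, mask in (("default 0x95", XP_DEFAULT), ("hardened 0xFF", harden(XP_DEFAULT))):
        print(f"{label}: autorun still allowed for {sorted(allowed_types(mask)) or 'nothing'}")
    print(reg_fragment(ALL_DISABLED))
```

Note that 0xFF only stops Explorer from acting on autorun.inf; the Cdrom\AutoRun value from KB Q155217 mentioned above is a separate, driver-level switch, and a hardened build should set both.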

For myself, I purchased a Geek Squad 1GB USB thumb drive when I saw them on sale at Best Buy a while ago. I was shocked when I plugged the device in...not only did I not get 1GB of removable storage, but I also got a bunch of applications...this isn't what I wanted! Digging around the Registry in the USBStor key, I found two entries:

CdRom&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15

and

Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15

Hhhmmm...two almost identical entries for the same device, both under the Enum\USBStor key. Beneath both entries, the serial number for the USB device was the same. So we've now got a way of detecting the use of such devices within the infrastructure. For information on tracking USB removable storage devices across Windows systems, check out my GMU2006 presentation slides.
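Here is that detection idea as an added example (my own code, not from the original post): given USBStor device-instance key paths like the two quoted above, it groups entries by USB serial number and flags any serial that appears under both a CdRom& and a Disk& class entry. The key paths and serial numbers are constructed sample data (the Best Buy vendor/product strings are the ones from the text), and the code assumes the instance segment is "<serial>&<n>", where the trailing "&<n>" is a per-LUN suffix to strip before comparing serials.

```python
# Added example, not code from the original post. Flags U3-style devices by
# finding USB serials that enumerate under both CdRom& and Disk& in USBSTOR.
# Sample key paths and serials are constructed; the suffix-stripping rule for
# the instance segment is an assumption.
import re
from collections import defaultdict

USBSTOR_ROOT = r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"

# Constructed sample: one U3 drive (two entries, shared serial) and one
# ordinary thumb drive that only enumerates as a disk.
SAMPLE_KEYS = [
    USBSTOR_ROOT + r"\CdRom&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15\0000000000ABCDEF&1",
    USBSTOR_ROOT + r"\Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_6.15\0000000000ABCDEF&0",
    USBSTOR_ROOT + r"\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\1122334455667788&0",
]

_DEVICE_RE = re.compile(
    r"^(?P<class>CdRom|Disk|Other)"
    r"&Ven_(?P<vendor>[^&]*)"
    r"&Prod_(?P<product>[^&]*)"
    r"(?:&Rev_(?P<rev>[^&]*))?$"
)


def parse_usbstor_key(path: str):
    """Split a USBSTOR instance path into class/vendor/product/rev/serial parts."""
    parts = path.split("\\")
    if len(parts) < 2:
        return None
    device_id, instance = parts[-2], parts[-1]
    m = _DEVICE_RE.match(device_id)
    if not m:
        return None
    serial = instance.split("&")[0]  # strip the per-LUN "&0"/"&1" suffix (assumption)
    return {**m.groupdict(), "serial": serial}


def find_u3_devices(paths):
    """Return serials that enumerate as both CdRom and Disk (U3-style devices)."""
    classes_by_serial = defaultdict(set)
    info_by_serial = {}
    for p in paths:
        rec = parse_usbstor_key(p)
        if rec is None:
            continue
        classes_by_serial[rec["serial"]].add(rec["class"])
        info_by_serial[rec["serial"]] = rec
    hits = []
    for serial, classes in classes_by_serial.items():
        if {"CdRom", "Disk"} <= classes:
            rec = info_by_serial[serial]
            hits.append({"serial": serial, "vendor": rec["vendor"], "product": rec["product"]})
    return hits


if __name__ == "__main__":
    for hit in find_u3_devices(SAMPLE_KEYS):
        print("U3-style device:", hit)
```

On a live system or an exported SYSTEM hive, feed the subkey paths under Enum\USBSTOR into find_u3_devices(); a hit tells you a U3 (or similarly partitioned) device has been attached, which is exactly the pairing the two Geek Squad entries above exhibit.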

You can go here to download a utility to remove that pesky U3 partition, or just go to U3's Launchpad Removal site.

Okay, so why isn't this 'new'? Back in June, DarkReading had an interesting article on the same subject, from a social engineering perspective. Also, there's a Hacking U3 site that discusses creating your own custom ISO to replace the utilities loaded (scroll down to "The Sting" section).

Finally (as if that weren't enough), there's a nasty little utility called USBDumper that is installed on a PC and silently dumps all files from any USB removable storage device that's plugged into the system. Wow! Copying files is one thing...how about automatically imaging the device and recovering deleted files?!

A brief word on Windows Event Logs: it seems that Windows 2000 will report when USB removable storage devices are plugged into and removed from a system. Event ID 134 would be generated (source = Removable Storage) as the arrival notice and Event ID 160 as the removal notice. However, this seems to have been removed as of XP SP2, according to this KB article:

After you install the hotfix, Netshell no longer listens for Plug and Play device arrival notifications. Therefore, you are not notified about new devices.
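As an added example (my own code, not from the original post), here is how those two event IDs can be turned into an attach/detach timeline on a Windows 2000 box: pair each Event ID 134 (arrival) from source "Removable Storage" with the next Event ID 160 (removal). The log lines are a constructed tab-separated export (time, source, event ID, message), not the native EVT format, and the message text is a placeholder; pairing is by order of occurrence because the fields assumed here carry no device identity.

```python
# Added example, not code from the original post. Builds a USB attach/detach
# timeline from Windows 2000 System log records by pairing Event ID 134
# (arrival) with Event ID 160 (removal) from source "Removable Storage".
# Sample records are a constructed tab-separated export; message text is a
# placeholder. Sessions are paired in order of occurrence (assumption).
from datetime import datetime

ARRIVAL_ID, REMOVAL_ID = 134, 160
SOURCE = "Removable Storage"

# Constructed sample records: time<TAB>source<TAB>event id<TAB>message
SAMPLE_EVENTS = """\
2006-09-13 08:12:04\tRemovable Storage\t134\tdevice arrival (constructed text)
2006-09-13 08:13:30\tService Control Manager\t7036\tunrelated event
2006-09-13 08:41:10\tRemovable Storage\t160\tdevice removal (constructed text)
2006-09-13 13:05:00\tRemovable Storage\t134\tdevice arrival (constructed text)
"""


def parse_events(text):
    """Yield (timestamp, source, event_id, message) tuples; skip malformed lines."""
    for line in text.splitlines():
        fields = line.split("\t", 3)
        if len(fields) != 4:
            continue
        ts, source, eid, msg = fields
        try:
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), source, int(eid), msg
        except ValueError:
            continue


def usb_timeline(text):
    """Return sessions as {'attached', 'detached', 'seconds'}; detached is None if still open."""
    sessions, open_sessions = [], []
    for ts, source, eid, _ in parse_events(text):
        if source != SOURCE:
            continue
        if eid == ARRIVAL_ID:
            open_sessions.append(ts)
        elif eid == REMOVAL_ID and open_sessions:
            start = open_sessions.pop(0)
            sessions.append({"attached": start, "detached": ts,
                             "seconds": int((ts - start).total_seconds())})
    # Arrivals with no matching removal: the device may still be attached.
    sessions.extend({"attached": s, "detached": None, "seconds": None} for s in open_sessions)
    return sessions


if __name__ == "__main__":
    for s in usb_timeline(SAMPLE_EVENTS):
        print(s)
```

Keep the caveat from the KB quote in mind when reading the output: on XP SP2 and later these events aren't generated at all, so an empty timeline is not evidence that nothing was plugged in, and the USBStor registry entries discussed above are the more reliable source there.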

Additional Resources/Reading:
Schneier On Security
WikiPedia entry for AutoRun
SecuriTeam Blog entry by Gadi
USBSnoop (2002)
USBSnoop (2001)
USBSnoopy (2001)
USB Monitor