Home > Articles > Cisco Network Technology > General Networking > The Evolution of Evil: Changes in the Use of USB Devices as Delivery Mechanisms for Malicious Code

The Evolution of Evil: Changes in the Use of USB Devices as Delivery Mechanisms for Malicious Code

Article Description

The use of USB devices as a delivery mechanism for malicious code has grown significantly over the years, and a new evolution of USB attacks is now emerging. Microcontrollers and carefully crafted code are replacing simple USB flash drives. USB microcontrollers are small, capable of circumventing most malware detection software, and can deliver devastating payloads. Brad Bowers takes a closer look at this new attack vector and reveals some of the challenges IT security professionals face as the use of microcontrollers as an attack platform matures.
Redemption: Saved from Evil

Redemption: Saved from Evil

So with all the new security headaches that the Teensy and similar devices will bring to security professionals and the organizations they protect, there is still light at the end of the tunnel. There are some proactive mitigation steps that can be done to limit the impact from this form of attack.

The Teensy's inherent capability to skirt under the radar of most antivirus and detection software is also its greatest weakness. The Teensy typically does not contain any storage on the device that is system accessible nor does it register as a drive. While this makes it difficult to detect, it also makes it dependent on the logged-in user having access rights to execute files needed for microcontroller Teensy to run.

Currently, the Teensy requires files such as cmd.exe and iexplorer.exe to be on the system and executable. In a corporate environment, the use of GPOs can be an effective method for limiting access to these files and assist in mitigating the risks from a Teensy based attack.

Another mitigating control is to lock down or disable the USB ports to only known good devices. While this is relatively easy, there are some caveats that need to be considered. Many applications and Windows registry hacks enable system administrators to disable the "UsbStor" registry settings under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\". This allows administrators to disable the function of USB storage devices from being connected to the system, but does not protect against a microcontroller Teensy attack. The proper way to mitigate the risk is to enumerate the specific devices needed by the system in a "whitelist" policy and use the list to create a custom GPO allowing only those whitelisted devices.

While this can become an administrative burden in a larger organization, it is a fairly effective method for limiting the exposure to these types of attack. An excellent write up on how to configure custom GPOs to mitigate Teensy types of attacks can be found on Adrian CrenShaw's IronGeek website here.

5. What the Future Holds: Purgatory?? | Next Section Previous Section