
The Evolution of Evil: Changes in the Use of USB Devices as Delivery Mechanisms for Malicious Code

Article Description

The use of USB devices as a delivery mechanism for malicious code has grown significantly over the years, and a new evolution of USB attacks is now emerging. Microcontrollers and carefully crafted code are replacing simple USB flash drives. USB microcontrollers are small, capable of circumventing most malware detection software, and can deliver devastating payloads. Brad Bowers takes a closer look at this new attack vector and reveals some of the challenges IT security professionals face as the use of microcontrollers as an attack platform matures.

Editor's Note: If you like this article, you may also be interested in Seth Fogie's related piece, Getting Owned: The USB Keystroke Injection Attack.

There is little doubt that the number and complexity of client-side attacks have steadily increased over the last few years. We have seen the rise of truly imaginative attacks that blend sophisticated exploits with social engineering and creative methods of deployment.

Arguably one of the most progressive attack platforms has been the use of USB media devices and drives as a launching point for attacks. While the use of USB drives as a medium for delivering malicious code is nothing new, we now see the emergence of a new spin on this tried-and-tested method.

In the Beginning: Attacks were Without Form

USB drives have become ubiquitous in daily computer use. They have become so inexpensive and commonplace that they are routinely handed out by vendors or included "free" as an enticement when purchasing products.

As the use of USB drives has become more common, so too has their role in the transmission of malicious code.

Originally the attack was simply to put infected files on a USB storage device and hope that an unwary user would open them, initiating the malicious code.

This type of attack quickly morphed into more sophisticated methods as enhanced drives appeared with embedded firmware that emulates a CD-ROM drive.

While several types of these drives exist, the most widely known is the U3 drive. A U3 drive reserves a small portion of its storage, which the firmware presents to the host as an ISO 9660 CD-ROM drive. The business purpose of this functionality was to take advantage of the Microsoft Windows Autorun feature, which automatically executed the commands stored in the autorun.inf file typically found in the root directory of a CD-ROM.
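Because Autorun acts on whatever the autorun.inf in the root of the emulated CD-ROM names, the first thing a responder wants from a suspect U3 drive or CD-ROM image is a static read of that file: which command lines Windows would launch, and whether the files they point at are actually on the volume. The following Python script is an added example, not code from this article or from any U3 product; it interprets the `open`, `shellexecute` and `shell\<verb>\command` keys of the `[autorun]` section the way Autorun does and cross-checks the targets against a file listing, without mounting the media on a live host. The sample autorun.inf, the file names in it and the volume listing are constructed for the example.

```python
"""Static triage of an autorun.inf from the root of a CD-ROM image or a
U3 drive's emulated CD-ROM partition (added example; sample data constructed)."""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# [autorun] keys whose value is a command line Windows Autorun would launch.
EXEC_KEYS = ("open", "shellexecute")


@dataclass
class AutorunInfo:
    label: str | None = None
    icon: str | None = None
    launches: list[str] = field(default_factory=list)  # distinct command lines, file order


def parse_autorun(text: str) -> AutorunInfo:
    """Parse only the [autorun] section; comments and other sections are ignored."""
    info = AutorunInfo()
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "label":
            info.label = value
        elif key == "icon":
            info.icon = value
        elif key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            if value not in info.launches:
                info.launches.append(value)
    return info


def launch_targets(info: AutorunInfo) -> list[str]:
    """First token of each command line: the executable relative to the volume root,
    normalised to forward slashes and lower case for comparison with a listing."""
    targets = []
    for cmd in info.launches:
        try:
            first = shlex.split(cmd, posix=False)[0]  # non-POSIX: backslashes are not escapes
        except ValueError:
            first = cmd.split()[0]
        target = first.strip('"').replace("\\", "/").lower()
        if target.startswith("./"):
            target = target[2:]
        targets.append(target)
    return targets


def triage(autorun_text: str, volume_files: set[str]) -> dict[str, list[str]]:
    """Split launch targets into those present on the volume and dangling references."""
    files = {f.replace("\\", "/").lower() for f in volume_files}
    present, missing = [], []
    for target in launch_targets(parse_autorun(autorun_text)):
        (present if target in files else missing).append(target)
    return {"present": present, "missing": missing}


# Constructed sample autorun.inf, in the style a U3-type emulated CD-ROM might carry.
SAMPLE_AUTORUN = """\
; constructed sample, not taken from any real product
[autorun]
label=U3 System
icon=launcher.exe,0
open=launcher.exe -a
shell\\open\\command=launcher.exe -a
shellexecute=system\\update.exe /quiet
shell\\install\\command=tools\\setup.exe

[Content]
MusicFiles=false
"""

# Constructed listing of the same volume (note: tools\setup.exe is absent).
SAMPLE_VOLUME = {"AUTORUN.INF", "launcher.exe", "system\\update.exe", "readme.txt"}

if __name__ == "__main__":
    info = parse_autorun(SAMPLE_AUTORUN)
    print("label:", info.label)
    for cmd in info.launches:
        print("would launch:", cmd)
    print(triage(SAMPLE_AUTORUN, SAMPLE_VOLUME))
```

On the sample, `launcher.exe` and `system/update.exe` are present and `tools/setup.exe` is dangling; the duplicate `open` / `shell\open\command` entry is reported once. The volume listing would normally come from the forensic image rather than a hard-coded set. The underlying mitigation is the one this section implies: the U3 trick works only because Windows honours Autorun on media it believes is a CD-ROM, so disabling Autorun by policy (the NoDriveTypeAutoRun registry value) removes the automatic execution the emulated drive relies on.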
