Ways to Avoid Removable Media Malware

Based on experience, the USB flash drive is one of the major causes of significant security breaches in the IT industry.

With the growth of widespread network-delivered malware infections in today’s almost universally connected world, it can be easy to forget that sometimes the old methods are still effective. In the 1990s, people who used computers on a regular basis were much more cognizant of the potential danger of viruses that could move from computer to computer via removable media like floppy disks.

The threat has not gone away just because it is often easier to infect many computers over the network instead. In fact, if your organization is very well-protected from network threats, a determined attacker may well take advantage of the relatively low level of protection used for other means of infection like removable media. Even for those of us who may not be likely targets of such attacks, the development of malware that uses removable media as an infection vector can also catch many of the rest of us in the crossfire, if we are not careful.

There are a number of measures that can be employed to reduce your vulnerability to malware that infects MS Windows computers via USB flash media and other removable media. A few of them are explained here.

How to avoid removable media malware
1. Disable Auto-run feature in Windows
The most common mechanism used to infect removable media and, through that, to infect computers, is MS Windows AutoRun. This is distinct from AutoPlay, which automatically starts up your media player and starts playing audio or video media from, for instance, a CD or DVD. AutoRun does things like start installers when installation media is attached to the system somehow, such as through the CD-ROM tray or a USB port. These things can be run manually from Windows Explorer, and if malware needs to be run manually too, you will be much less likely to get your computer infected.
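As an added example (not code from the original post), the following Python decodes the NoDriveTypeAutoRun policy bitmask that controls this behaviour and writes the value that disables AutoRun for every drive type. The write assumes Windows with administrative rights; the bit table is the one Microsoft documents for this value.

```python
# Added example, not from the original post: inspect and harden the Windows
# NoDriveTypeAutoRun policy. The bit table is Microsoft's documented one;
# the write requires Windows and administrative rights.
import sys

# A set bit DISABLES AutoRun for that drive type.
DRIVE_BITS = {
    0x01: "unknown",
    0x04: "removable (USB flash, floppy)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}
WINDOWS_DEFAULT = 0x91  # shipped default: AutoRun still active for removable, fixed, optical, RAM disk
DISABLE_ALL = 0xFF      # hardened value: no AutoRun on any drive type
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def autorun_enabled_types(mask):
    """Drive types for which AutoRun is still ENABLED under `mask`."""
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]


def current_mask():
    """Read the machine-wide policy; None means the value is not set (Windows default applies)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as k:
            return winreg.QueryValueEx(k, "NoDriveTypeAutoRun")[0]
    except FileNotFoundError:
        return None


def apply_disable_all():
    """Set the policy to 0xFF for all users of this machine."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("this step applies only on Windows")
    import winreg
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, 0, winreg.KEY_SET_VALUE) as k:
        winreg.SetValueEx(k, "NoDriveTypeAutoRun", 0, winreg.REG_DWORD, DISABLE_ALL)
        # Older Windows needs the update in Microsoft KB967715 before the policy
        # covers autorun.inf on non-optical media; this value accompanies it.
        winreg.SetValueEx(k, "HonorAutorunSetting", 0, winreg.REG_DWORD, 1)


if __name__ == "__main__":
    mask = current_mask() if sys.platform.startswith("win") else WINDOWS_DEFAULT
    mask = WINDOWS_DEFAULT if mask is None else mask
    print("AutoRun still enabled for:", autorun_enabled_types(mask) or "nothing")
```

Run it once to see which drive types still AutoRun under the current policy, then call apply_disable_all() from an elevated prompt.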

2. Implement restrictive removable media policy
The most foolproof way to protect yourself against malware that infects computers via removable storage media is to disallow all removable media usage. If no removable media can be used with your computers, no infected removable media will be used with your computers. Because this is not always an option, there are other alternatives, including limiting removable media to specific items that have been checked and approved, and disallowing their use anywhere else where they might pick up infections to bring back to the network.

Please take note that this is also related to removable media via mobile devices like mobile phones, PDAs, media players, etc.

3. Check all removable media on a secured system before use
If you have a computer that is set up to safely check for malware that could affect the rest of the systems you want to protect, it can help ensure the safety of your IT resources. You can set up a system with any AutoRun capabilities deactivated, and which preferably is not even subject to infection by the same malware that could affect the systems you want to protect. Unix-like OSes such as BSD Unix and Linux-based systems serve well in this capacity when protecting an MS Windows network.

Keep the system segregated from any network resources so it cannot transmit any malware on tested media across the network, and with no unnecessary software running on it so there will be less opportunity for it to get infected as well. It is preferable to boot from read-only media or to re-image the boot drive between uses as well.

Run malware scans on the media and check out the contents of the media, including the autorun.inf file, while it is connected to the secured system. Combined with a restrictive removable media policy, a very effective level of protection can be achieved.
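As an added example (not code from the original post), this Python script is the kind of autorun.inf check one would run on the secured system: it parses the file tolerantly and reports every directive that would make a Windows host with AutoRun enabled launch something. The autorun.inf sample embedded in it is constructed for the demonstration.

```python
# Added example, not from the original post: inspect an autorun.inf copied
# from removable media on the check station and report directives that would
# make a Windows host with AutoRun enabled execute code. The sample is constructed.
from pathlib import Path

EXEC_KEYS = ("open", "shellexecute")  # directives that launch a program directly


def parse_autorun_inf(text):
    """Tolerant INI parse: {section: [(key, value), ...]}, keeping order and duplicates."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:  # keys outside a section are ignored
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def inspect_autorun(text, media_root=None):
    """Return finding strings; an empty list means no execution directive was found."""
    findings = []
    for key, value in parse_autorun_inf(text).get("autorun", []):
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_verb:
            findings.append(f"{key}={value}")
            target = value.split()[0].strip('"') if value else ""
            if media_root and target and (Path(media_root) / target.replace("\\", "/")).exists():
                findings.append(f"  target present on media: {target}")
        elif key == "action" and "folder" in value.lower():
            # Worms label their entry like Explorer's own "Open folder" option to trick users.
            findings.append(f"action text mimics the Explorer open-folder entry: {value}")
    return findings


SAMPLE = r"""[autorun]
; constructed sample in the style of USB worms
open=RECYCLER\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\setup.exe
"""

if __name__ == "__main__":
    for line in inspect_autorun(SAMPLE) or ["no execution directives"]:
        print(line)
```

Pass the mount point of the media as media_root to also confirm whether each referenced program is actually present on the stick.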

4. Choose to ban all removable media
Depending on how far you want to go, you could simply disconnect the data cables for various removable media reading devices and lock the case so they cannot be reconnected without a key; remove the devices entirely (and still lock the case); or even semi-permanently plug or destroy the interface used to plug in external devices, such as by filling sockets with epoxy or clipping the pins on a motherboard where the cable for a system case USB port is attached.

5. Implement the basics
Of course, educating your users and ensuring you have anti-malware scanning running on the systems you want to protect is one of the most important steps you can take, and can easily mean the difference between being safe and merely thinking you are safe.

The defeatist approach is always an option too. You can console yourself with what a friend said to me before…

“The Pentagon spends billions of dollars a year in an ultimately futile attempt to secure its network against cyberattack. Why do you think your underpaid and overworked IT administrator is going to succeed where they have failed?”

-viz
