Experimental Evidence
Chapter 4. Crimeware in Small Devices
4.1. Propagation Through USB Drives [*]
4.1.4. Gauging the Risk
One feature of USB-based crimeware is its low propagation cost. All an attacker needs is a bunch of USB flash drives, on which the attacker installs the crimeware. Because the size of crimeware is small, it can be loaded onto almost any USB flash drive. In mid-2007, the cost for a 1GB USB flash drive was approximately $10. Another feature of USB-based crimeware is its high hit rate, based on the statistics that 15 out of 20 scattered USB flash drives had been found and plugged into a company's computers by the firm's employees [383]. This hit rate is much higher than that of traditional phishing emails. By using state-of-the-art techniques, more than 99% of phishing emails can be filtered by the mail servers before they can reach the recipients [13, 14].
According to a phone survey conducted by Pew Internet & American Life Project in 2005, 2% of people who received phishing emails admitted to providing the requested information [113]. Hence the hit rate of phishing emails is expected to be 0.01 x 0.02 = 0.02%, much lower than that of USB-based crimeware. An important factor responsible for the high hit rate of USB-based crimeware is that few people will refuse to take a free USB flash drive given its convenience for data storage and transportation. If it is an iPod, people will like it even more.
Statistics show that the total financial loss attributed to phishing was $2.8 billion in 2006 [252], and the average loss per victim was $1244 [441]. We believe that USB-based crimeware may cause a higher loss than the traditional phishing emails, owing to its much higher hit rate. A person having a USB flash drive loaded with crimeware may share the drive with family members, friends, or colleagues. Thus, USB-based crimeware will hit at least one victim if the crimeware is not detected by the antivirus software. Assume such an attack causes the same amount of average loss (i.e., $1244) to a victim as phishing does. Then a $10 investment in a USB flash drive will make a profit of $1244 for the attacker. What else can be more profitable than this business? The loss will be worse if one USB flash drive harvests information from more than one victim. While a victim is not likely to fall prey twice to the same phishing attack, he or she will not escape the attack of the crimeware unless it is removed by the antivirus software from the system.
Attackers may also design crimeware that propagates through the USB port. In other words, the program can "infect" any USB storage device that is inserted into the machine. If a USB device becomes infected, it can spread the crimeware to other machines it plugs in. In countries where pirated software is popular, computer users may not be able to update their antivirus software in time to avoid the attack. The USB-based crimeware in such systems is expected to survive longer than usual because of the out-of-date virus database used by the systems. That will cause more damage to both individuals and society.
The storage size of USB flash drives has increased rapidly, going from the initial 8MB [453] to 64GB in 2006 [349]. This huge capacity provides convenience when the goal is theft of bulk information. For example, a thief could steal all of a server's or PC's data, take it home, and crack the security at the attacker's leisure.
4.1.5. Countermeasures
Several techniques can be used to reduce the threats posed by USB-based crimeware. First, all users should keep their antivirus software up-to-date. This will make it more difficult for the crimeware to circumvent the security check of the system.
A lot of USB-based crimeware takes advantage of the auto-run feature of Windows system, so disabling the auto-run feature of the Windows system will help to reduce the likelihood of being automatically infected by crimeware contained in a connected USB flash drive. Organizations such as financial institutions may also need to disable the USB ports of the computers used by their employees.
Some administration tools [435] can be used to control the use of USB devices, to track information as it is read from or written to the USB devices, and to log every event and attempt to access the USB devices. The logs will help to trace the attacker in case some information has been stolen or suspicious accesses have been
performed.
Because a lot of crimeware steals information and communicates with remote attackers, it is very important to keep computers behind the protection of the firewall and to make sure the firewall is working well. In case a computer has been infected by USB-based crimeware, stop using that machine and cut off its network connection before taking further actions to clean the crimeware.
Fortunately, USB-based crimeware has aroused public attention. Both industries and researchers are making valiant efforts to mitigate the threats posed by it. The good news is that some manufacturers of USB drives have begun to let their products be shipped with built-in antivirus protection [193]. Nevertheless, we need to recognize that the built-in antivirus software must be updated the first time the USB drives are used. As time goes on, the regular USB drives without protection will be gradually replaced by the new ones with antivirus protection.
Chapter 4. Crimeware in Small Devices
Bruno Crispo, Melanie Rieback, Andrew Tanenbaum, Ollie Whitehouse, and Liu Yang
This chapter considers the potential for crimeware in small devices, including USB drives, radio frequency identification (RFID) tags, and general mobile devices. These devices can and often do contain important data. As these devices continue to proliferate, crimeware authors may turn their attention to them.
4.1. Propagation Through USB Drives[*]
[*] This section is by Liu Yang.
Not counting built-in hardware, USB flash drives are probably the most popular storage devices today. They are small, lightweight, fast, portable, rewritable, and reliable. In 2007, the largest-capacity USB flash drive had a storage size of 64GB [436]. USB flash drives are supported by all modern operating systems. Besides being used in data storage and transfer, these drives find use in a variety of other applications. In particular, they can be used by system administrators to load configuration information and software tools for system maintenance, troubleshooting, and recovery. In case of system failure or emergency, a bootable USB flash drive can be used to launch an operating system [439]. These drives are also used in audio players, such as the iPod produced by Apple, Inc.
While USB flash drives certainly offer convenience in our lives, they also pose security challenges to computer users and organizations. For example, they can be used as carriers of viruses, spyware, and crimeware [431,
432]. Computers and other electronic devices are vulnerable to attackers connecting a flash drive to a free USB port and installing crimeware to retrieve confidential information from the systems. One common feature of USB flash drives is that they are small in size and, therefore, can be easily disguised. For example, they can be integrated into a watch or a pen. This feature helps in information stealing by USB flash drives. In 2006, for example, a man in England was convicted of using an MP3 player to compromise ATMs; he stole roughly $400,000 of other people's money [434]. The criminal plugged his MP3 player into the back of free-standing cash machines, and the MP3 player then recorded the customer details as they were transmitted over the phone lines to the bank. The recorded information was used to clone cards for taking money from the ATMs.
Crimeware can be propagated by USB flash drives in a variety of ways. The propagator may distribute it intentionally or unintentionally, locally or remotely (e.g., selling USB drives preloaded with crimeware at a very low price on eBay, as in the case involving the sale of wireless routers with malicious firmware described by Tsow et al. [426]). Alternatively, the attacker may intentionally drop USB flash drives containing crimeware in places where they are sure to be found (e.g., bathroom, elevator, and sidewalk)—and simply wait.
In 2006, Stasiukonis and his colleagues were hired by a credit union to evaluate the security of its network system [383]. Instead of using a traditional approach, Stasiukonis and his colleagues prepared some USB flash drives imprinted with a trojan that, when run, would collect passwords, logins, and machine-specific information from a user's computer, and then email the findings back to them. They scattered these drives in the parking lot, smoking areas, and other areas that employees frequently visited. Most employees who found the USB drives plugged the drives into their computers immediately after they sat down in front of their computers. The collected confidential information was then mailed back to the researchers. Among the 20 distributed USB flash drives, 15 were found by credit union employees and all had been plugged into the company's computers. The harvested data helped Stasiukonis and his colleagues to compromise additional systems of the company. Many portable media players (PMPs) have their data saved on USB flash drives. Like the common USB drives used for data transfer, these players pose potential threats to the computers to which they are connected for power recharging and music downloading. Apart from being infected by crimeware stored on a connected
computer, some media players based on USB flash drives have inborn threats before they are shipped out from the manufacturers. For example, some of the fifth-generation iPods made by Apple were reported to contain a trojan named RavMonE.exe, a variant of the W32/RJump worm [433, 445]. Upon the iPod being connected to a computer with its auto-run option enabled, the crimeware was installed to the connected computer if the user agreed to the auto-run prompt [452]. The crimeware opened a backdoor providing the attacker with
unauthorized remote access to the compromised computer [445, 448]. Imagine that a user connects such an iPod on his company's computer for downloading music; the crimeware may be propagated to the company's entire network in just a few seconds. That will allow the attacker to remotely access the company's computer systems.
In November 2006, Microsoft released Zune [455], a digital audio player. The device plays music and videos, displays images, receives FM radio, and shares files wirelessly with other Zunes. Like the Bluetooth malware, the wireless feature of Zune presents an extra challenge for security forces. For example, Zune will be able to transmit corporate data outside the building without going through the company's networks.
4.1.1. Example: Stealing Windows Passwords
An example will suffice to show how easy it is to steal the passwords of a Windows system with a USB flash drive. In Microsoft Windows systems, users' accounts, which also contain usernames and passwords, are kept in the Windows registry and in the SAM (Secure Account Manager) file. The SAM file keeps usernames and hash values of the corresponding passwords. This file is located under the %SystemRoot%\system32\config directory for the Windows 2000 and Windows XP operating systems and under a slightly different directory for the
Windows 9X and Windows NT systems.
One approach to obtain the usernames and the corresponding passwords is to access the SAM file. It is impossible to access the SAM file while the Windows operating system is running, because this file is used by the operating system. However, if an attacker has physical access to the machine, it is possible to copy the SAM file by booting the machine with another operating system. A bootable USB flash drive [439] can be used to accomplish this task. After the machine is booted up, the hard drive containing the SAM file can be mounted to the file system of the running system. Then the SAM file can be copied to a directory of the connected USB drive.
The newly obtained SAM file can be processed offline by using a password recovery tool such as LCP [438], SAMDump [449], SAMinside [450], or pwdump [442, 443, 444]. For example, LCP can extract the usernames and corresponding password hashes from the imported SAM file and then retrieve the passwords of users by using any of three approaches: the dictionary attack, the brute force attack, and the hybrid attack (which
combines the former two strategies). Usually, the LCP will find the passwords of the target users in a short time, sometimes within a few minutes. In cases where the password hashes of users are encrypted by the SYSKEY tool of the operating system, a file named system, which contains the ciphertext of the encrypted password hashes, needs to be copied as well to recover the passwords of the target users. The system file is located in the same directory as the SAM file.
The preceding approach may retrieve the passwords of users without their awareness, because the attacker does not make any change to the target system. The only requirement for an attacker is to gain the physical access to a target machine for a few minutes. The copied files can be hidden in the USB flash drive as "deleted" files and recovered later by using some tools.
Another way to compromise a Windows system running on FAT/FAT32 file systems is to boot the system using a USB drive, move the logon.scr file to a backup directory, and change the cmd.exe file name to logon.scr. After that change, the rebooted Windows system will enter the DOS interface directly without asking for a username and password. This approach allows an attacker to change the password of the administrator by using a command such as net user admin mypass [454]; the attacker can then do whatever he or she wants. The compromise may be detected by the administrator soon, once he or she realizes that the administrator password has been changed.
Besides the previously mentioned methods, some tools may be used to reset the accounts and passwords for Windows systems. For example, Windows Key [446, 447] can be installed on a bootable USB flash drive and then used to reset usernames and passwords for a Windows system in a few minutes.
4.1.2. Example: Let's Go Further
The emergence of the U3 smart drive [451], which allows applications to be executed directly on a specially formatted USB flash drive, has raised even more concern among members of the security community. In September 2006, an instant USB password recovery tool—USB Switchblade [432, 437]—was demonstrated as part of Hak5, an online technology show. USB Switchblade consists of a U3 USB flash drive with a payload capable of installing backdoors and extracting confidential information from a connected system [440]. Unlike the traditional USB flash drives, U3 flash drives are self-activating and can auto-run applications when inserted into a system. Upon being inserted into a machine running Microsoft Windows system, USB Switchblade silently recovers information from the system such as password hashes, IP addresses, browser history, auto-fill
information, and AIM and MSN Messenger passwords, as well as creating a backdoor to the target system for later access. This tool takes advantage of a feature in U3 to create a virtual CD-ROM drive on the USB flash drive, allowing the Windows auto-run function to work. In case the auto-run option is disabled, or if U3 is not used, USB Switchblade can be started by executing a single script on the drive. The tool has evolved to circumvent the antivirus protection of some systems that would usually detect malicious executables. Another U3-based malware—USB Hacksaw [431]—has been developed as an extension of USB Switchblade. Once installed on a system, it will run a process in the background whenever the computer starts, waiting for a USB flash drive to be connected. When a USB flash drive is inserted into the system, its contents are
automatically copied and sent through an encrypted SMTP connection to a remote email account controlled by an attacker. Both USB Switchblade and USB Hacksaw are available on public web sites.
4.1.3. DMA Vulnerability
Direct memory access (DMA) is a feature of modern computers that use bulk data transfers to copy blocks of memory from the system RAM to or from a buffer on a device without subjecting the CPU to a heavy overhead. With DMA, a CPU would initialize the data transfer, then do other operations as the transfer is in progress, and receive an interrupt from the DMA controller once the transfer has been completed. Many types of hardware use DMA for data transfer, including disk drives, graphics cards, and networks cards. The specifications for both Firewire and USB, for example, have provisions for DMA. That means under many circumstances a device plugged into a Firewire or USB port has the ability to read and write the physical memory of the connected computer. Such access bypasses the control of the operating system for security check.
Becher, Dornseif, and Klein have demonstrated how to exploit the DMA feature of a system by plugging an iPod running Linux into the Firewire port of a target machine [122]. The iPod successfully grabbed a screenshot of the connected machine without the computer's permission. Actually, the authors claim that they can read and write arbitrary data from and to an arbitrary location of the memory. Thus they can scan the memory for key material and inject malicious code to the memory. For example, the malicious code may scan the hard drive of the target machine for confidential documents and copy them to the iPod.
4.1.4. Gauging the Risk
One feature of USB-based crimeware is its low propagation cost. All an attacker needs is a bunch of USB flash drives, on which the attacker installs the crimeware. Because the size of crimeware is small, it can be loaded onto almost any USB flash drive. In mid-2007, the cost for a 1GB USB flash drive was approximately $10. Another feature of USB-based crimeware is its high hit rate, based on the statistics that 15 out of 20 scattered USB flash drives had been found and plugged into a company's computers by the firm's employees [383]. This hit rate is much higher than that of traditional phishing emails. By using state-of-the-art techniques, more than 99% of phishing emails can be filtered by the mail servers before they can reach the recipients [13, 14].
According to a phone survey conducted by Pew Internet & American Life Project in 2005, 2% of people who received phishing emails admitted to providing the requested information [113]. Hence the hit rate of phishing emails is expected to be 0.01 x 0.02 = 0.02%, much lower than that of USB-based crimeware. An important factor responsible for the high hit rate of USB-based crimeware is that few people will refuse to take a free USB flash drive given its convenience for data storage and transportation. If it is an iPod, people will like it even more.
Statistics show that the total financial loss attributed to phishing was $2.8 billion in 2006 [252], and the average loss per victim was $1244 [441]. We believe that USB-based crimeware may cause a higher loss than