Author's personal copy

This article appeared in a journal published by Elsevier. The attached copy is furnished to the author for internal non-commercial research and education use, including for instruction at the author's institution and sharing with colleagues. Other uses, including reproduction and distribution, or selling or licensing copies, or posting to personal, institutional or third party websites are prohibited. In most cases authors are permitted to post their version of the article (e.g. in Word or Tex form) to their personal website or institutional repository. Authors requiring further information regarding Elsevier's archiving and manuscript policies are encouraged to visit: http://www.elsevier.com/copyright
Universal serial bus based software attacks and protection solutions

Dung Vu Pham a, Ali Syed a, Malka N. Halgamuge b,*

a School of Computing and Mathematics, Charles Sturt University, Study Centre Melbourne, Victoria 3000, Australia
b Department of Civil and Environmental Engineering, Department of Electrical and Electronic Engineering, The University of Melbourne, Grattan Street, Parkville, Victoria 3010, Australia

Article info

Article history: Received 12 January 2010; received in revised form 26 January 2011; accepted 17 February 2011.

Keywords: USB; Flash drive; Autorun; Hack tool; Malware

Abstract

Information security risks associated with Universal Serial Bus (USB) storage devices have been serious issues since 2003, which marked the wide adoption of USB technologies in the computing industry, especially in corporate networks. Due to the insecure design and the open standards of USB technologies, attackers have successfully exploited various vulnerabilities in USB protocols, USB embedded security software, USB drivers, and Windows Autoplay features to launch various software attacks against host computers and USB devices. The purposes of this paper are: (i) to provide an investigation on the currently identified USB based software attacks on host computers and USB storage devices, (ii) to identify the technology enablers of the attacks, and (iii) to form a taxonomy of attacks. The results show that a multilayered security solution framework involving software implementations at the User Mode layer in the operating systems can help eliminate the root cause of the problem radically.

© 2011 Elsevier Ltd. All rights reserved.

1. Introduction

Universal Serial Bus (USB) is a communication standard which has been widely adopted in the computing industry for the last few years for replacing serial and parallel ports. USB offers a number of advantages such as high data processing speed, hot swapping, plug-and-play (PnP), and self-power supplying to peripherals, which helped it quickly gain popularity. The implementation of USB allows a wide range of different electronic devices to connect to computers, such as mice, keyboards, PDAs, gamepads, joysticks, scanners, printers, digital cameras, personal media players, flash drives, and external hard drives. However, the popularity of USB interface capable devices has resulted in increased risks to the information security of both host computers and USB devices. In this research, we investigate all the currently identified USB based software attacks, and develop a conceptual security framework for protecting host computers and USB drives from USB based software attacks. In detail, the following aspects are considered:

- Software attacks on host computers by USB based malware such as worms, viruses, and Trojan horses, and USB based hack tools.
- Software attacks on USB drives by hack tools.
- A security framework for protecting both USB drives and host computers against USB based software attacks.

* Corresponding author. E-mail address: [email protected] (M.N. Halgamuge).

Available at www.sciencedirect.com. Journal homepage: www.elsevier.com/locate/diin. Digital Investigation 7 (2011) 172-184. 1742-2876/$ see front matter © 2011 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2011.02.001

2. Previous work

Previous research has been conducted in three areas: (1) USB based software attacks on host computers, (2) software attacks on USB devices, and (3) protection measures and best practices for preventing USB based software attacks.

2.1. USB based software attacks on host computers

USB based software attacks on host computers refer to software attacks launched from USB devices against host computers. Such attacks analyzed in previous research can be categorized into an online attack mode, referring to attacks launched from USB drives which are inserted into running computers, and an offline attack mode, which happens when attackers manage to boot the target computers from their crafted USB drives.

2.1.1. Online attack mode

Among the attacks on host computers, data theft has been the biggest concern related to USB devices in corporate environments since 2005 when USB 2.0 devices became popular. Data theft is normally conducted using various simple ad hoc programmed utilities which are capable of silently downloading some specific data files from host computers into USB drives (Alzarouni, 2006; Fabian, 2007). In 2006 and 2007, there was a substantial increase in the frequency and the level of complexity of USB based software attacks on computers, especially networked computers. The ad hoc programmed hack tools, automatically launched from USB drives, were capable of doing many kinds of data manipulation on computer systems such as changing registry settings, installing backdoors and other malicious code, stealing confidential information, and even downloading the system page file from a running computer to a USB drive (Alzarouni, 2006; Lee et al., 2007). Cryptography attacks were also common during the period with the support of USB drives and some ad hoc programmed hack tools which are capable of exploiting operating systems' data encryption keys, OpenSSH, and Apache HTTPS servers (Harrison and Xu, 2007).

After the USB 2.0 standard, the U3 revolution, which became popular in 2007, has made U3 (USB) drives ultimate hacking tools. The applications installed in U3 drives can be executed without having to be installed on host computers. Attackers can simply craft their own U3 ISO images with the necessary hack tools to replace the original U3 ISO images on U3 drives, and take advantage of the technology to launch multi-payload attacks on the target computers (Alzarouni, 2006; Lee et al., 2007).

In 2008, a utility was developed to allow manipulating the information on inserted USB devices stored in the Windows registry. It was suggested that when such a utility is used in combination with other malicious code, it creates an additional protection layer for the attackers who employ USB devices as attack tools (Thomas and Morris, 2008). Although the idea of manipulating the Windows registry by utilities or malware was not new, it did suggest another possibility of software attacks using USB devices. Obviously, skilled attackers can further improve the idea to help them clear their tracks or create obfuscating information on the host computers after completing their attacks.

2.1.2. Offline attack mode

The enabler for the offline attack mode comes from the "boot from USB" capability of recent motherboards and Preinstallation Environment (PE) tools such as Windows PE and Bart PE. These PE tools make it possible for the cores of some Windows editions such as Windows XP and Vista to be installed on and booted from USB drives. Later on, miscellaneous toolkits such as antivirus software, data recovery, hard-drive diagnostics, zip software, web browsers, secure file transfer protocol (FTP), word processing, registry editor, product key viewer, network configuration, and remote desktop client tools were bundled into bootable USB drives (Gibson and Dyar, 2007).

Although the "boot from USB" feature was originally designed for computer administration purposes, bootable USB drives are also very powerful hack tools. With the aid of a few hundred-megabyte USB 2.0 drives, an attacker can boot the target computer from the USB drive and dump all the data from the host computer to the USB drive within half an hour. Even with cryptography, the cryptographic key materials stored in computer memory (RAM) were successfully retrieved with the aid of a bootable USB drive and a tiny plug-in of a few kilobytes in an experiment in 2008 (Halderman et al., 2008). Moreover, such attacks do not cause any damage to the host's operating system or data, and neither requires the host operating system's accounts.

2.2. Software attacks on connected USB drives

Similar to the data stored in host computers, data stored on USB drives and even secure USB flash drives are also vulnerable to different kinds of software attacks. USB drive security-software bugs and the insecure nature of the communication channels between the USB devices and host computers make many password-protected and even fingerprint-protected USB drives vulnerable to software attacks. On password-protected USB drives such as Safeboot Phantom and MXI MXP Stealth, weak passwords result in successful brute force attacks. On fingerprint-protected USB drives such as the BioSlimDisk iCool drives, imported fingerprints can be easily deleted with the support of a crafted program. This allows attackers to import their own fingerprints and compromise the security measures (Jeong et al., 2007; Bakker et al., 2007). The other type of attack on such devices is security protection bypass, which is conducted by exploiting vulnerabilities in the security software of USB drives. Successfully exploiting the vulnerabilities allows attackers to have direct access to the data stored in the secure partition of the devices (Jeong et al., 2007).

2.3. USB based malware

USB based malware is the most common type of USB based software attack. However, this type of attack has not been addressed in any of the previous papers. While the attacks analyzed in previous research are normally target-specific and manually triggered, attacks by USB based malware are fully automated and do not normally have specific targets. USB based malware is supposed to account for the majority of all USB based software attacks. However, this threat vector has not received enough attention and further work on this type of attack is necessary.


2.4. Currently proposed protection measures

The proposed solutions for secure use of USB technologies in previous research can be categorized into three categories: data access control, USB port access control, and security policies. Among the three types of solutions, data access control is probably the most interesting, feasible and widely adopted. Data access control allows the use of USB devices while it maintains definite security levels. The commonly proposed data access control solutions include disabling Autorun, limiting user privileges, encrypting the stored data on both communication ends, restricting access to vital data on critical servers, monitoring access to servers, and limiting the size of data transferable to USB drives (Alzarouni, 2006).

USB port access control involves disabling USB ports physically, or disabling USB ports by firmware and operating system settings and third party utilities. In some organizations, USB ports on computers are physically disabled by glue, which is the last recommended solution. Disabling USB ports by Basic Input Output System (BIOS) settings, Windows registry, and Group Policy settings are some other options. Many researchers recommend deploying third party utilities such as NetWrix USB Blocker, DeviceLock, and Zlock to apply USB port access privileges to specific users, user groups, and even USB device classes such as Palm and USB phones (Alzarouni, 2006; Fabian, 2007).

Acceptable Use Policies (AUP) are also commonly referred to as management solutions for USB security issues. AUPs are normally implemented with security education and training programs to provide users with an essential understanding of secure use of information systems, regulate users' actions, and provide procedures for managing security incidents (Fabian, 2007). AUPs are generally cost-effective management solutions which can be implemented in any corporate environment.
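Disabling Autorun, the first data access control measure listed above, is done on Windows through the NoDriveTypeAutoRun policy value. The following Python audit helper is an added example and is not code from the paper or its authors: it reads that value from a .reg export of the Policies\Explorer key and reports which drive types Explorer would still honour Autorun.inf on. The bit layout (bit n disables Autorun for drives whose GetDriveType() result is n) and the assumption that Explorer behaves as if the value were 0x91 when it is absent come from Microsoft's documentation of the setting, not from the paper; both sample exports are constructed.

```python
import re

# NoDriveTypeAutoRun bit layout: bit n disables Autorun for drives whose
# GetDriveType() result is n (Microsoft's documented convention, not from
# the paper). 0x02 (DRIVE_NO_ROOT_DIR) can never autorun and is omitted;
# 0x80 covers drives of unspecified type.
DRIVE_TYPE_BITS = {
    0x01: "unknown drive type",
    0x04: "removable drive (USB flash drive)",
    0x08: "fixed drive (internal hard disk)",
    0x10: "network drive",
    0x20: "CD-ROM drive (includes a U3 CDFS partition)",
    0x40: "RAM disk",
    0x80: "drives of unspecified type",
}
# Assumption: the value Explorer behaves as if it were set to when the policy
# is absent (0x91 leaves removable, fixed, CD-ROM and RAM-disk drives enabled).
DEFAULT_VALUE = 0x91
HARDENED_VALUE = 0xFF  # disables Autorun on every drive type

POLICY_KEY_SUFFIX = "\\policies\\explorer"
VALUE_LINE = re.compile(r'^"NoDriveTypeAutoRun"\s*=\s*dword:([0-9a-fA-F]{1,8})$', re.IGNORECASE)

# Constructed sample exports in .reg syntax (not taken from any real machine).
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""


def autorun_enabled_types(value):
    """Drive types on which Explorer still honours Autorun.inf for this value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def is_hardened(value):
    """True when Autorun is off for removable and CD-ROM drives, the two types
    the attacks in this paper (USB flash drives and U3 CDFS partitions) rely on."""
    return bool(value & 0x04) and bool(value & 0x20)


def parse_reg_export(text):
    """Return the NoDriveTypeAutoRun DWORD found under a ...\\Policies\\Explorer
    key in a .reg export, or None when no such value is present."""
    in_policy_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_policy_key = line[1:-1].lower().endswith(POLICY_KEY_SUFFIX)
            continue
        if in_policy_key:
            match = VALUE_LINE.match(line)
            if match:
                return int(match.group(1), 16)
    return None


def audit(reg_text):
    """Summarise the Autorun exposure described by a .reg export."""
    configured = parse_reg_export(reg_text)
    effective = DEFAULT_VALUE if configured is None else configured
    return {
        "configured": configured,
        "effective": effective,
        "still_autorun": autorun_enabled_types(effective),
        "hardened": is_hardened(effective),
        "recommended": '"NoDriveTypeAutoRun"=dword:%08x' % HARDENED_VALUE,
    }


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT), ("absent", "")):
        report = audit(export)
        print(label, hex(report["effective"]), "hardened" if report["hardened"] else "exposed")
        for drive_type in report["still_autorun"]:
            print("    Autorun still active on:", drive_type)
```

Note that a value which disables only removable drives (for example 0x95) is reported as not hardened: the U3 CDFS partition discussed later in the paper is presented to Windows as a CD-ROM, so the 0x20 bit must be set as well.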

2.5. Unresolved issues in the proposed solutions

There were some disadvantages and unresolved issues in the solutions proposed in the previous papers which affect the solutions' efficiency and effectiveness.

Firstly, there are some disadvantages in the proposed solutions because important factors such as business efficiency, investment and maintenance costs, end users, and personal computers were not considered in any of these solutions. Data access control and USB interface access control are obstacles to business efficiency and potentially become a burden on the IT budget in terms of both software license and maintenance costs. End users and personal computers (PC) were not considered in any of the proposed solutions. In reality, AUPs and other corporate policies are not applicable to PC users. Moreover, complicated system configurations and additional costs for third party software are not likely to be accepted by PC users.

Secondly, due to the lack of root-cause analysis of these attacks, the technology enablers of these attack vectors were not identified. Therefore, the proposed solutions tended to fix the consequences of the vulnerabilities in USB security software, Windows Autoplay features, the Windows driver security model, and the USB interface management feature instead of addressing these vulnerabilities directly. Attacks automatically launched from USB storage devices such as data theft and multi-payload attacks simply exploit the vulnerability in Windows Autoplay features. This vulnerability comes from the lack of a built-in security mechanism inside Windows Autoplay features. Similarly, due to the lack of a security mechanism for the USB interface, computer malware can spread back and forth between USB drives and internal drives. Although the USB interface is designed for data exchange between computers and their outside environments, it is left open to the external environment without any security protection mechanism. Attacks on USB drivers were possible due to the lack of driver signing enforcement, which allows unidentified drivers to be injected into the Windows kernel. However, the proposed solutions do not directly address any of these vulnerabilities.

Thirdly, there was a lack of a complete taxonomy of USB based software attacks and a framework for addressing USB based software attacks in previous research. Each of the provided solutions is designed for addressing some of the currently identified attack vectors in specific scenarios only and therefore tends to leave out other attack vectors.

Finally, the attacks and proposed solutions were evaluated in the contexts of Windows XP and the earlier x86 versions, while their successors such as Windows 7 x86 and x64 have been in place for a while, and will soon be popular in both office and home environments.

3. Attacks by USB based malware

3.1. USB based malware

The term "USB based malware" in this paper refers to computer worms, viruses, Trojan horses, spyware, adware, and rootkits which are specially designed to exploit Windows Autoplay features to replicate over USB drives and launch attacks against host computers and computer systems. Although the term "USB based malware" has been mentioned on the world wide web as computer malware spreading via USB drives, this concept does not differentiate the malware that is purposely designed for spreading via USB drives from the malware that is designed for replicating via any kind of media. Many worms can spread via many kinds of media including USB drives, floppy drives, compact discs, and network shares; however, they do not exploit the Autoplay features. Such worms are not considered as USB worms in the scope of this paper. The majority of the malicious codes mentioned in this research are referred to as W32/Autorun by security firms such as Symantec, Microsoft, and McAfee. W32/Autorun does not include all the malicious codes that exploit Autoplay features. This research takes into account any malware which does exploit Autoplay features.

Windows Autoplay features were designed for providing an appropriate software response to hardware actions initiated by computer users. The features are available in version 1 and version 2. Version 1 was designed for Windows 98 and Windows 2000. Version 2 was improved from version 1 to support multimedia contents and devices and is available on Windows XP, Windows 2003, Windows Vista, Windows 2008, and Windows 7. The features operate based on Autorun.inf files located in the root folders of removable drives. Autorun.inf files can be compiled via any ANSI text editor such as Notepad. The typical components of an Autorun.inf include four commands: icon, open, shell, and shell/verb. These commands are used to automatically launch applications in removable drives when the drives are inserted into computers. USB based malware is designed to exploit the Autoplay features by creating Autorun.inf files to automatically launch its copies specified by the open and shell commands.

Fig. 1 shows the typical content of an Autorun.inf file created by USB based malware. The icon command specifies the icon file for the executable files triggered by the Autorun.inf file. This icon can be anything that looks familiar and legitimate to users. The open command specifies the file to be executed when Autorun.inf is loaded by the Autoplay features, and in this case it specifies a copy of the malware. The shellexecute command was introduced in Windows Me and 2000. It is also used to specify a file to be executed by Windows Autoplay. However, it also allows applications to run with their associated files. Both open and shellexecute commands are used to ensure that the malware can be executed under any version of Windows. The shell\auto command specifies the default item in the USB drive shortcut menu activated when users right-click on the drive icon. In this case, the default item is used to activate the malware.exe file.
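The commands just described (open, shellexecute, shell\verb\command and the shell= default verb) are exactly what a defender should look for when triaging a removable drive. The following Python parser is an added example and is not code from the paper or its authors: it reads the [autorun] section of an Autorun.inf, lists every entry that would launch a file, and grades the file by whether that target is directly executable. The sample Autorun.inf content is constructed to mirror the layout the paper describes for Fig. 1 (malware.exe is the paper's own placeholder name); the list of directly executable extensions and the high/medium/low labels are the example's own heuristics.

```python
# Constructed sample with the four command types the paper describes
# (icon, open, shellexecute, shell\verb); "malware.exe" is the paper's own
# placeholder name for the dropped copy.
SAMPLE_INF = r"""[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,4
open=malware.exe
shellexecute=malware.exe
shell\auto\command=malware.exe
shell\auto=&Open
shell=auto
"""

# Constructed benign file: a label and an icon, nothing is launched.
BENIGN_INF = r"""[autorun]
label=Vendor driver disc
icon=setup.ico
"""

# Extensions Windows will execute directly when named in a launch command
# (the example's own list, not from the paper).
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs",
                   ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi")


def parse_autorun_inf(text):
    """Map lower-cased keys to values from every [autorun*] section.

    Keys are case-insensitive in Autorun.inf; architecture-specific sections
    such as [autorun.alpha] are folded in so nothing is missed."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_target(command_line):
    """First token of a command line, honouring a quoted program path."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end > 0 else command_line[1:]
    return command_line.split()[0] if command_line else ""


def looks_executable(path):
    return path.lower().endswith(EXEC_EXTENSIONS)


def assess(text):
    """Triage an Autorun.inf: which commands launch something, and how risky."""
    entries = parse_autorun_inf(text)
    launches = []
    for key, value in entries.items():
        if key in ("open", "shellexecute"):
            launches.append((key, launch_target(value)))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            launches.append((key, launch_target(value)))
    findings = []
    for key, target in launches:
        kind = "executable" if looks_executable(target) else "file"
        findings.append("%s launches %s %r on insertion or drive open" % (key, kind, target))
    default_verb = entries.get("shell")
    if default_verb:
        findings.append("shell=%s makes that verb the drive's default action" % default_verb)
    if entries.get("icon") and launches:
        findings.append("icon=%s is shown to the user while %d launch command(s) point elsewhere"
                        % (entries["icon"], len(launches)))
    if any(looks_executable(t) for _, t in launches):
        risk = "high"
    elif launches:
        risk = "medium"
    else:
        risk = "low"
    return {"risk": risk, "launch_commands": launches, "findings": findings}


if __name__ == "__main__":
    for name, content in (("sample", SAMPLE_INF), ("benign", BENIGN_INF)):
        report = assess(content)
        print(name, "->", report["risk"])
        for finding in report["findings"]:
            print("   ", finding)
```

The same parser applies to the CDFS partition of a U3 drive, where, as the paper notes later, Windows 7 still honours Autorun.inf even though it ignores the file on ordinary removable drives.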

3.2. Analysis of USB based malware's common profile

Because of the trend of reengineering malware to exploit the Autoplay features (Thomas et al., 2009), the attack profile of USB based malware tends to get closer to that of malware in all categories. However, due to the huge quantity of malicious codes and the lack of statistics from security firms, we only analyze the common profile of the top USB based malware which accounted for the major portion of activities by the malware in this category in the period of September 2007 to October 2009 as reported by Microsoft, Trend Micro, Symantec, McAfee, Norman, and Kaspersky. The data on the profile of each malicious code were obtained from the malware definition databases of Microsoft Malware Protection Center, Kaspersky Lab, Symantec, Sophos, Trend Micro, McAfee, and Norman Security Center. The collected data include name, type, date detected, aliases, alert level, technical analysis, files created, system folder infection, registry update, auto startup mechanism, replication media, Autorun.inf file, file infection, and payload. The data are then analyzed by descriptive statistics tools. A list of these malicious codes is included in Table A1 in the Appendix of this paper.

3.3. The development trend of USB based malware

As USB drives become popular, malware is redesigned to replicate through this vector. The trend from 2007 to March 2009 shows a consistent increase in the number of backdoors, bots, password stealers, and parasitic viruses redesigned to spread via USB drives (Thomas et al., 2009). By the end of March 2009, 20 million unique malicious codes had been detected by McAfee Avert Lab (Paget, November 20, 2009). More than half a million were Autorun malware created in the period from April 2007 to April 2009. The number of Autorun malware had exceeded 1.2 million by October 2009 (Marcus et al., 2009; McAfee Threats Report, 2009).

Fig. 2 illustrates the development trends of Autorun malware and malware of all categories for the period of October 2007 to October 2009. The stacked bars show the development trends of Autorun malware and malware of all categories in quantity, and the two lines show the development patterns of the malware in development percentages.

In Fig. 3, the graph illustrates correlational relationships between the development of Autorun malware and its supporting factors, including the availability of USB drives, the maturity of Windows operating systems supporting Autorun v2, and the maturity of USB technologies. Autorun malware started to develop in the last quarter of 2007 when Windows XP reached its peak of market maturity and USB 2.0 flash drives got into the last period of their product growth phase. The sharp increases in the quantity of USB flash drives shipped worldwide and the world market share of Windows XP and later versions in the period of October 2008 to October 2009 also led to the sharp increase of Autorun malware in the period reflected in both Figs. 2 and 3. In Fig. 2, the overall graph trend shows a consistent development relationship between Autorun malware and malware of all categories in each quarter and the overall period, with slightly higher development rates for Autorun malware in the year 2009. The reason for such a relationship could be explained by Fig. 3, which illustrates Autorun malware's development trend in relation to its supporting factors, including the quantity of USB flash drives sold, market share of operating systems supporting USB PnP and Autoplay v2, USB standard maturity level, U3 and boot from USB technologies.

Fig. 1 - A typical Autorun.inf file created by USB based malware.

Fig. 2 - Malware development trend for the period of 10/2007-10/2009, data source: (Paget, 2009; McAfee Avert Labs, 2009).

4. Attacks on host computers

Attacks on host computers involve buffer overflow attacks on USB drivers, data theft attacks on host computers, multi-payload attacks using U3 and portable hack tools, and offline cold boot attacks.

4.1. Attacks on USB drivers

Buffer overflow attacks on vulnerabilities in USB 2.0 drivers in computer operating systems are the most primitive type of USB based software attack, first mentioned in 2005 (Roberts, 2005). The problem comes from the weakness in the design of earlier USB 2.0 devices, where firmware was designed with little care for security and validation. Attackers could program their USB drivers to exploit the vulnerabilities and escalate privileges on any operating system such as Windows, Linux, and OS/2 (Roberts, 2005). However, such problems on the Windows platform have not yet been confirmed by Microsoft or computer OEMs.

In 2009, the same problem was detected again in the Auerswald Linux USB driver. Attackers who have physical access to Linux computers can use their crafted USB drives to execute arbitrary code on the computers at the kernel level and take control over the systems (Vega, 2009). Fortunately, this attack vector is not common, possibly due to the requirements of physical access to the target computers and knowledge of USB driver programming.

4.2. Data theft attacks on host computers

Data theft with the support of USB drives has been a serious issue in corporate networks for the last few years, especially after the USB 2.0 standard became popular in 2004. The common payload of data theft is intended to steal business data and sometimes personal data such as credit card information left in cache memory. This attack vector utilizes some simple scripts written in Perl, MS DOS batch script, or VBScript, with some ready-made tools freely available on the Internet. Sometimes, Windows built-in utilities such as xcopy.exe, robocopy.exe, or the copy command are also utilized. Most of these scripts are designed to exploit the Autoplay features. As the attack process is conducted in non-console mode or in the background as a Windows process, it is totally transparent to users. The common functions provided by ready-made tools used in such attacks include data query (Pod slurping), data copy (xcopy.exe), simple mail transfer protocol (SMTP) clients, data compression (rar.exe), and secure socket layer (SSL) client (Stunnel). The combined payload of these tools allows attackers to locate the necessary data on host computers and save the data to their USB drives, or compress and send the data through an SSL channel to their FTP servers or mailboxes.

Such attack techniques are not always effective in many scenarios on Windows operating systems that support the User Account Control (UAC) feature. UAC is a security feature which is available in Windows Vista, Windows 2008, and Windows 7. This feature monitors all processes and activities on the computer, and protects the system files and settings from abnormal access by both Windows built-in processes and applications. When UAC is turned on (by default), all processes are run under standard user rights and permissions. Access to system files and settings, and folders where users do not have permissions, will trigger security alerts and privilege escalation requests. Abnormal activities by unsigned applications such as hack tools and malware will trigger UAC's security alerts. Some dangerous hack tools mentioned in this paper such as SwitchBlade, GonZors Blade, Amish Blade, PasswordDump, Ethereal, Network Password Recovery, and White Hat Payload all trigger UAC's security alerts.

Fig. 3 - The development of USB based malware in relation to its supporting technologies, data sources (Chance, 2005; W3Schools, 2009).

The threats from this attack vector still exist when attackers use signed applications in combination with their scripts to run attacks in the background, which is very similar to system administrators' scripts for data backup. The scripts in Figs. 4, 5 and 6 exploit the Autoplay features to secretly copy files in the user's Documents folder to the inserted USB drive, compressed and encrypted with a password, using the copy command, rar.exe, and hstart.exe. Fig. 4 shows the content of the Autorun.inf file in the root folder of the USB drive.

Fig. 5 shows the content of the trigger.bat file located in a hidden folder in the USB drive. This file loads the payload file (xcp.bat) using the hidden start tool with the "/noconsole" option, which forces xcp.bat to run without a console, making the attack process transparent to the users.

Fig. 6 shows the content of xcp.bat containing the attack payloads, which copy all files in the Documents folder to a folder called "STOLENDATA" in the attacker's USB drive. The copied data is further compressed and encrypted with a password by the rar.exe utility and saved under the file name stolendata.dat, leaving no trace for users. However, when the UAC setting is set to high, none of these processes will be created in the background. A notification of process failure will pop up, calling for the users' attention.

4.3. Multi-payload attacks by U3 hack tools

U3 is an open standard developed to provide users with application mobility through an application platform available in U3 drives, whereby U3 applications can be installed on and run from U3 drives independently from host computers. In a U3 drive, a small partition located at the beginning of the drive is marked as a CDFS (CD file system) partition so that Windows recognizes it as a CD rather than a removable drive. U3 applications are self-contained applications run from the CDFS partition without having to be installed on the host computers, modify the registry, or reserve computer resources. While the Autoplay feature for removable drives is disabled on Windows 7, it is still enabled for the CDFS partition. U3 technology is supported on the Windows platform for Windows 2000 SP4 and later on both x64 and x86 versions.

Attackers of this vector have a large and flexible range of hack tools to deploy on U3 drives. They can customize their own ISO images with the necessary hack tools and malware to install in the CDFS partitions to exploit the Autoplay feature which is available for CDFS partitions, or directly run the hack tools from the U3 Launchpad. Some commonly known hack tools available in U3 format (.u3p) are USB Switchblade, U3 Incident Response Switchblade, USB Hacksaw, USB Pocket Knife, Nmap, Ethereal, Wireshark, Showtraf, TCPDump, Nemesis and John the Ripper, HTTP RAT, Anonymizer, and Data Recovery. Among these tools, Switchblade is a very dangerous toolkit consisting of several hack tools capable of recovering important information from Windows systems such as passwords (SAM, messenger clients, web browser caches), LSA Secrets, service, system and port information. USB SwitchBlade is available in two versions developed by the Hak5 community and GonZor. USB SwitchBlade developed by the Hak5 community is now available in several sub-versions by Kapowdude, Gandalf, Silivrenion, and Amish. The codes of these sub-versions are adjusted by Hak5 members and are slightly different from each other. However, the payloads remain the same and they all trigger UAC. The later version developed by GonZor is more powerful and is capable of overwriting programs on U3 CDFS partitions. As these partitions are read only, antivirus programs cannot delete the installed hack tools on detection. Besides Switchblade, U3 Incident Response Switchblade was developed to support the process of evidence gathering in security incidents. This tool gathers information on accounts, groups, networking (such as IP, DNS cache, ARP table, NetBIOS, routing information, firewall state and rules), and services status. Generally, these tools are now all detected and blocked by many antivirus programs. However, the U3 development kit is open to the public, assisting U3 application developers. Attackers can also compile hack tools to .u3p format in many circumstances. There are also U3 compilers such as Package Factory which allow people to recompile many applications to .u3p format. Some popular utilities compiled to .u3p format include disk management tools (Partition Magic, Symantec Ghost), registry tools (Clean Registry, Registry Mechanic), anonymous surfing (Anonymizer, HTTP RAT), data recovery (Data Recovery, Pro Data Recovery, Easy Recovery), web browsers (Firefox, Opera), torrent clients (eMule, FlashGet, uTorrent), instant messengers (Pidgin, MSN Messenger, Yahoo Messenger), password recovery, script editors (Notepad), OpenOffice, virtual DVD (Virtual CD), ISO compilers and CD burners (Ultra ISO, Nero), data compression and encryption (WinRar), and antivirus (Avast, Dr Web Cureit).

Fig. 4. The crafted Autorun.inf file.

Fig. 5. trigger.bat file used to launch the payload in no-console mode.

Fig. 6. xcp.bat contains the actual attack payloads.

Digital Investigation 7 (2011) 172-184


4.4. Offline cold boot attack

Booting from USB grew out of booting a lightweight edition of Windows XP from CD for administrative purposes such as data rescue, repairing an operating system after a serious crash, or virus scanning. This first became possible when Microsoft released Windows PE 1.0 for Windows XP and Windows Server 2003 in 2002. When USB 2.0 drives became widespread and booting from USB became a default feature of mainboards, copying such a Windows image to a USB drive became popular around 2006, especially with the support of BartPE. Windows PE 2.0 (for Windows Vista and Windows Server 2008) and 3.0 (for Windows 7) also boot from USB with modest system requirements, which has made such solutions popular. Beyond Windows PE, booting from USB is now supported by many Linux distributions such as Knoppix, Ubuntu, Linux Mint, and Kubuntu.

Cold boot from USB is the most dangerous of the attack vectors analysed in this paper. Where the firmware allows booting from USB (boot order and firmware settings are frequently left unprotected), the target computer, once booted from the attacker's USB drive, is under the control of the operating system running from that drive. The attacker has complete freedom within that operating system and over the victim's disks: every unencrypted volume can be read and modified, and the access controls of the installed operating system no longer apply. Encrypted volumes remain protected by their keys, which is why volume encryption is the mitigation proposed in Section 7.2. Moreover, several distributions of these lightweight operating systems ship with a variety of hack tools, including data recovery, data backup, encryption and decryption, secure FTP, SAM editing, network configuration, remote desktop, password retrieval, and key viewers; examples are Super WinPE and Paragon HDD Manager, which are easily downloaded from torrent networks. This allows people with little technical knowledge to carry out the attack. Finally, because the operating system runs from the attacker's external USB drive, a cold boot attack generally leaves no trace on the victim computer.

5. Attacks on USB storage devices

Software attacks on USB drives include exploiting the insecure USB protocol to attack the communication channel between USB devices and host computers, attacks on USB security software, and data theft.

5.1. Attack on USB protocol

This attack vector uses USB protocol analyzers such as USBlyzer, Advanced USB Port Monitor, and USBTrace to capture and decode the communication between a USB device and the host computer in order to obtain information in transit, such as the password for the security software on the USB drive. Such utilities typically monitor, log, decode, and save transfers through protocol and packet analysis. Note that these are software analyzers running on the host, so the attacker needs control of a host the drive is plugged into (or a hardware analyzer on the cable). The enabler of this vector is the insecure USB protocol, which transmits data between device and host unencrypted. This has been exploited in many scenarios to obtain the passwords of password-protected USB drives that do not protect data in transit (Halderman et al., 2008).

5.2. Attack on security software on secure USB drives

Exploiting vulnerabilities in USB security software is the most common attack vector targeting secure USB drives. The two main motives are password recovery and business data recovery. Several factors facilitate the attacks. First, USB product documentation and software development kits, including source code, header files, and information about the EEPROM content of USB devices, are easy to obtain. Second, all USB standards from 1.0 to 3.0 are open standards published by the USB Implementers Forum and freely available to the public. Third, the USB standards are comparatively simple and contain no security mechanisms of their own; it does not take deep knowledge of electronics or programming to design and assemble a USB device or to write a driver for it.

Vulnerabilities in the security software of USB drives have led to protection bypasses on both password-protected and fingerprint-protected drives, giving attackers direct access to the protected data partition. A common exploit is a buffer overflow in the security software, triggered by sending known malformed packets to it (Bakker et al., 2007). When a buffer overflow cannot be exploited, password brute force is another option: because many secure USB drives have no self-lock mechanism that engages after a number of wrong attempts, an attacker can simply try passwords until the valid one is found (Bakker et al., 2007). Brute force is generally infeasible against strong passwords of more than nine characters drawn from upper-case letters, lower-case letters, digits, and special characters (a space of more than 94^9, roughly 5.7 x 10^17, candidates), but users rarely choose such passwords.

5.3. Data theft attack on USB drives

Like data theft attacks on computers, data theft attacks on USB drives are mainly carried out by hack tools running as background processes that silently wait for a USB drive to be inserted, copy its data to the host computer, or send the data to a remote mailbox or FTP server. The two representative tools in this category are USBDumper and USB Hacksaw. USBDumper is a small utility that runs in the background listening for connected USB drives; when one is inserted, it copies the drive's contents to the host transparently to the user. USB Hacksaw builds on USBDumper by combining it with Stunnel, Blat, and Gmail: the data copied from the USB drive is first placed in a folder on the host, compressed with rar.exe, and then sent to a Gmail account by Blat over an SSL channel created by Stunnel. The mechanism is very simple, using freely available utilities and a few batch files; the individual tools may differ, but other tools in this class work the same way as USBDumper and Hacksaw.

Even though many of these tools are detected by antivirus programs, this attack vector is hard to prevent. The tools can easily be re-implemented in scripting languages such as VBScript, batch, or Perl, and the attack process can be scheduled with the operating system's task scheduler, which raises the chance of success because the resulting activity pattern closely resembles administrative tasks scheduled by system administrators. Moreover, when the attack runs on the attacker's own computer, a machine the victim merely plugs a drive into, security features are normally disabled, so nothing stands in its way.

6. USB based malware common profile

USB-based worms account for the major portion of USB-based malware, mainly because they can exploit the Autoplay feature to replicate. Each of these worms comes in large families of up to hundreds of variants, such as the Pushbot family with more than 420 variants, which share very similar infection mechanisms and payloads. This is partly explained by the availability of USB malware construction kits on the Internet.

Fig. 7 shows the common profile of the analysed USB-based malware, simplified to focus on the replication mechanism via USB devices and the payload. At the beginning of an attack cycle, when an infected USB drive is inserted into a computer, the Autoplay feature processes Autorun.inf, which activates the malware. The very first action of such malware is to install copies of itself into system folders on the host computer. The Windows registry is then updated so that these copies start with the operating system; many of the analysed worms add themselves to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key. Once the copies are loaded, Process Explorer and Windows Task Manager show their image paths inside system folders, so users confuse them with legitimate processes. These processes listen for inserted USB drives and replicate by installing copies and creating Autorun.inf files on the media. The worms can act as botnet clients themselves, or further code is silently downloaded from remote servers and installed, turning the infected computers into clients of the worm authors' botnets. The majority of the analysed malware is designed to build botnets and participate in DDoS attacks, which was also the most common payload across all malware categories in 2008-2009 (Marcus et al., 2009).

Fig. 7. The simplified common profile of USB based malware.

Fig. 8. Security framework for mitigating USB based software attacks.

7. Solution

The security framework illustrated in Fig. 8 is a conceptual model that helps mitigate the identified USB-based software attacks. The model consists of seven concentric layers: three threat layers and three protection layers arranged alternately around a core. The identified attacks are categorised into the threat layers, and protection measures are categorised into the corresponding protection layers to achieve the best protection results. The inner protection layers are designed to mitigate the attacks from the outer threat layers, so an attack may be mitigated by one or more security measures at one or more protection layers. The core layer contains operating system files and settings, data on host computers, and data on USB drives. The goal of the framework is to protect the core layer from the USB-based software attacks located in the three threat layers.

The security measures proposed in the three protection layers address the root causes of the identified attacks. Table 1 summarises the framework as a solution matrix.

7.1. The first threat and first protection layer

The first threat layer includes multi-payload attacks using U3 hack tools, USB-based malware, and data theft attacks. Attacks from this layer are normally handled effectively by the security measures in the first protection layer, because most malware scanners recognise the malware and hack tools involved. Free Microsoft anti-malware components are available for Windows XP SP2 and later: Windows Defender, Microsoft Security Essentials (MSE), and the built-in Windows Firewall. Windows Defender, previously known as Microsoft AntiSpyware, is a spyware and adware scanner kept current through Windows Update without any maintenance effort. MSE is an anti-malware program that provides real-time protection and automatic updates like other products on the market; a test by AV-Test.org in October 2009 found a 98.44 per cent detection rate for MSE using signature-based detection (Pham et al., 2010). Moreover, since malicious code tends to communicate with servers on the Internet, Windows Firewall is an effective measure for blocking that communication and preventing the malware from completing its attack cycle, provided outbound filtering is configured: by default Windows Firewall blocks only unsolicited inbound connections.

As for hack tools, our experiment with over 3800 hack tools and toolkits, including the most common USB-based hack tools listed in Table 2 below, showed that most of them are detected by common antivirus software. Many of these tools can be executed directly from USB drives or compiled to a portable format with tools such as Package Factory, VMware ThinApp, LANDesk Application Virtualization, Ceedo, and InstallFree. More importantly, all the critical USB-based hack tools, such as GonZor's SwitchBlade, USB Pocket Knife, USB Hacksaw, USBDumper, and Port Slurp, were detected by every antivirus product tested. The tested USB hack tools are listed in Table A2, and the payload categories of the tested tools and toolkits in Table A3, in the Appendix of this paper.

Besides malware scanners, UAC, AppLocker, and Parse Autorun are the recommended security features for Windows Vista and later editions. UAC is a built-in feature first available in Windows Vista. It runs processes with a standard-user token by default and requires explicit consent before a process may elevate to administrative rights, so access to protected system files and settings, the kind of access common malware behaviour requires, cannot happen silently. Some hack tools, such as USB SwitchBlade and Network Password Recovery, worked silently on Windows XP and earlier editions; on later editions they trigger a Windows security alert through UAC when they try to access system files and settings. AppLocker is a new feature of Windows Server 2008 R2 and Windows 7 that gives administrators control over the execution of specific applications and scripts based on computer, user or user group, and file location. AppLocker also supports execution permissions based on an application's valid digital signature (publisher rules), so unsigned applications, including malware and other malicious code, can be blocked from executing (Pham et al., 2010). AppLocker can therefore be a useful tool for network administrators in enterprise environments to prevent the execution of malware and hack tools while allowing specific legitimate applications. However, AppLocker is rather complicated for basic users and is not available in all Windows editions (rules are enforced only on Windows 7 Enterprise and Ultimate and on Windows Server 2008 R2).

Table 1. Solution matrix.

Attack category | Technology enabler as problem root cause | Attack/problem and threat layer | Protection solution and protection layer
Attacks by USB based malware | No security management mechanism for USB interface (a) | Layer 1: Malware can spread back and forth between USB drives and internal drives. | Layer 1: AppLocker, antivirus software, firewall, UAC.
Attacks by USB based malware | No security mechanism for Windows Autoplay features (b) | Layer 1: This makes USB worms possible (c). | Layer 1: Parse Autorun.
Attacks on host computers | No security mechanism for Windows Autoplay features (b) | Layer 1: Hack tools can be activated automatically on USB drive insertion. | Layer 1: Parse Autorun.
Attacks on host computers | No security management mechanism for USB interface (a) | Layer 1: Hack tools can be executed from USB drives, which are external drives. | Layer 1: AppLocker, antivirus software, firewall, UAC.
Attacks on host computers | Data is left unprotected when the operating system is offline | Layer 2: Offline cold boot attacks. | Layer 2: Volume encryption.
Attacks on host computers | Driver signing is not enforced | Layer 3: This makes USB driver injection possible. | Layer 3: Enforce driver signing with standardized USB drivers.
Attacks on host computers | USB driver is located in kernel mode | Layer 3: Attacker gains system privilege once USB driver injection is completed. | Layer 3: Move the USB driver completely to user mode.
Attacks on USB storage devices | No standardized USB security software | Layer 3: USB security software attacks: buffer overflow and password brute force. | Layer 3: Standardize USB driver and security software.
Attacks on USB storage devices | No security mechanism for USB protocol | Layer 3: Attack on USB protocol. | Layer 3: Standardize USB driver and security software.

(a) USB drives are not properly managed as "external" devices, so there is no "firewall" between USB drives and the computer's internal drives.
(b) The Windows Autoplay feature automatically loads any file, including malware, specified in an Autorun.inf file.
(c) USB worms are capable of self-replication because of the Windows Autoplay feature.

In this paper we propose Parse Autorun as an additional Windows feature that fixes the vulnerability in the Windows Autoplay feature: it prevents unsigned executable files called from Autorun.inf from being launched automatically. Fig. 9 shows the proposed algorithm.

When a removable drive with an Autorun.inf file in its root folder is inserted, Autoplay invokes Parse Autorun, which parses the Autorun.inf for execution directives such as open, shellexecute, and shell\auto\command (and other shell\<verb>\command entries) to locate the executable files the Autorun.inf would launch. Each executable's digital signature is checked: signed files may be executed by Windows Autoplay, while unsigned files are scanned by the available anti-malware software, such as MSE, and are not executed automatically. This removes a whole class of attacks that are transparent to the victim, because the attacker would have to get the user to locate and launch manually executables that are normally hidden in various places on the USB drive. Moreover, our experiments also showed that an on-demand scan provides much better protection than real-time protection, which is only activated once the hack tool is triggered; Parse Autorun therefore protects better than leaving the hack tools to be caught by antivirus software on activation. A signature check alone is not a guarantee: a valid signature shows who published a file, not that it is benign, so Parse Autorun should verify that the signing certificate chains to a publisher the administrator trusts rather than merely that a signature is present.
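The procedure above, written out as an added Python example (this is not the authors' implementation and not the code behind Fig. 9): it parses an Autorun.inf for the launch directives, resolves each referenced file on the drive, and applies the signed/unsigned policy. The Autorun.inf text and the drive contents are constructed for the illustration and modelled on the crafted file of Fig. 4; because Authenticode verification (WinVerifyTrust) only exists on Windows, a SHA-256 allowlist of trusted files stands in for "signed by a trusted publisher", which is an assumption of the example. Script files such as the trigger.bat of Fig. 5 can never carry an Authenticode signature, so they are always treated as unsigned.

```python
"""Parse Autorun policy, as an added illustration: find what an Autorun.inf would
launch and decide whether Autoplay may start it."""
import configparser
import hashlib
import ntpath
from dataclasses import dataclass

# Directives whose value names a program to run (shell\<verb>\command is matched by pattern).
LAUNCH_KEYS = ("open", "shellexecute")
# Only PE/installer files can carry an Authenticode signature; batch and script files
# (e.g. the trigger.bat of Fig. 5) can never be signed and are treated as unsigned.
SIGNABLE_EXTENSIONS = (".exe", ".dll", ".msi")

# Constructed sample input modelled on the crafted Autorun.inf of Fig. 4 (not the paper's file).
SAMPLE_AUTORUN_INF = """\
[autorun]
open=System\\trigger.bat
shellexecute=System\\go.exe
shell\\auto\\command=System\\go.exe
shell\\open\\command="Utility\\Launchpad.exe" -a
icon=icon.ico
action=Open folder to view files
label=Removable Disk
"""

# Constructed drive contents: lower-case path relative to the drive root -> file bytes.
LAUNCHPAD_BYTES = b"MZ constructed stand-in for a vendor-signed Launchpad.exe"
SAMPLE_DRIVE = {
    "system\\trigger.bat": b"@echo off\r\nstart /b System\\xcp.bat\r\n",
    "system\\go.exe": b"MZ constructed stand-in for an unsigned hack tool",
    "utility\\launchpad.exe": LAUNCHPAD_BYTES,
}
# Assumption: a SHA-256 allowlist stands in for Authenticode verification (WinVerifyTrust),
# which is only available on Windows.
TRUSTED_HASHES = {hashlib.sha256(LAUNCHPAD_BYTES).hexdigest()}


def _program_of(command):
    """Return the program part of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def referenced_executables(inf_text):
    """List, in order and without duplicates, the files the Autorun.inf would launch."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str.lower  # INI keys are case-insensitive on Windows
    try:
        cp.read_string(inf_text)
    except configparser.Error:
        return []  # malformed file: nothing Autoplay could launch
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    programs = []
    for key, value in cp.items(section):
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_command:
            program = _program_of(value)
            if program and program not in programs:
                programs.append(program)
    return programs


@dataclass
class Verdict:
    program: str
    signed: bool
    action: str  # "autoplay", "scan-then-prompt" or "missing-target"


def parse_autorun(inf_text, drive_files, trusted_hashes):
    """Apply the Parse Autorun policy to every launch target of an Autorun.inf."""
    verdicts = []
    for program in referenced_executables(inf_text):
        path = ntpath.normpath(program).lower().lstrip("\\")
        data = drive_files.get(path)
        if data is None:
            verdicts.append(Verdict(program, False, "missing-target"))
            continue
        signed = (path.endswith(SIGNABLE_EXTENSIONS)
                  and hashlib.sha256(data).hexdigest() in trusted_hashes)
        action = "autoplay" if signed else "scan-then-prompt"
        verdicts.append(Verdict(program, signed, action))
    return verdicts


def autoplay_allowed(verdicts):
    """Autoplay may honour the Autorun.inf only if every target passed the signature check."""
    return bool(verdicts) and all(v.action == "autoplay" for v in verdicts)


if __name__ == "__main__":
    for v in parse_autorun(SAMPLE_AUTORUN_INF, SAMPLE_DRIVE, TRUSTED_HASHES):
        print(f"{v.program:28s} signed={v.signed!s:5s} -> {v.action}")
    print("autoplay allowed:", autoplay_allowed(parse_autorun(SAMPLE_AUTORUN_INF, SAMPLE_DRIVE, TRUSTED_HASHES)))
```

On the constructed drive the two unsigned targets (trigger.bat and go.exe) are routed to the scanner and never started, while the allowlisted Launchpad.exe may run; the Autorun.inf as a whole is therefore not honoured. On a real Windows deployment the hash allowlist would be replaced by a publisher check against the administrator's trusted certificate chain, for the reason given in the paragraph above.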

Generally, the main role of the first protection layer is to prevent malicious programs and scripts from executing and from accessing critical system locations such as the system32 folder and the Windows registry.

Table 2. USB hack tool detection by commonly used antivirus software (definitions updated May 10, 2010).

Antivirus software | Detection ranking | Comments
Kaspersky Internet Security 2010 | Fair | Detects all critical hack tools
Norton Internet Security 2010 | Fair | Detects all critical hack tools
McAfee Total Protection 2010 | Fair | Detects all critical hack tools
F-Secure Internet Security | Good | Detects all critical hack tools and some other tools
ESET NOD32 Antivirus | Good | Detects all critical hack tools and some other tools
Microsoft Security Essentials | Fair | Detects all critical hack tools
Trend Micro Internet Security Pro 2010 | Good | Detects all critical hack tools and some other tools
BitDefender Internet Security 2010 | Very good | Detects most of the hack tools
AVG Internet Security 9.0 | Very good | Detects most of the hack tools

Fig. 9. Parse Autorun algorithm.

7.2. The second threat and second protection layer

Encryption is the best solution to cold boot attacks where physical security measures are not possible. It prevents attackers from reading the information stored on the host computer and USB drive even when they gain access to the encrypted data (most volume encryption schemes protect confidentiality; they do not by themselves detect tampering). The recommended technologies are volume-based encryption solutions such as BitLocker and TrueCrypt, which encrypt whole data volumes. Microsoft Windows offers two: BitLocker, introduced in Windows Vista and Windows Server 2008, and BitLocker To Go in Windows 7, which also encrypts removable drives formatted with FAT and is therefore a good solution for data on USB drives. BitLocker is known to be vulnerable to the DRAM cold boot attack of Halderman et al. (2008), in which the attacker recovers the encryption key from the computer's memory after a reset. The variant that moves the memory modules to another machine requires cooling the DRAM (to around -50 °C with inverted canned air) and opening the case, which is not easy when cases are locked; key reconstruction from a decayed memory image also demands time and advanced technical knowledge, and no ready-made toolkit for it had been identified at the time of writing. Note, however, that the simplest variant needs neither cooling nor case access: a small memory-imaging tool booted from USB on the same machine immediately after a reset still finds most of the key material in DRAM, so BitLocker should be combined with a TPM PIN or startup key, and unattended machines should be powered off rather than left in sleep.

7.3. The third threat and third protection layer

The third protection layer deals with software attacks on USB security software and USB drivers. In practice, attacks on USB security software have been possible because of the lack of standardization in the security design of USB devices. Table 3 summarises our proposed solutions for securing USB software. The common vulnerabilities behind buffer overflow attacks are missing input validation, which lets attackers send malformed packets to the software and overflow a buffer; a standardized validation module for USB security software is much simpler than one for Web applications and therefore entirely feasible. Keyloggers may also threaten password-enabled USB drives, although this has not been reported so far; they can be mitigated by a virtual keyboard with a randomized layout for every session (which does not defeat screen-capturing malware). Password brute force attacks can be mitigated simply by a self-lock counter that stops accepting further log-in attempts after a specific number of failures. The USB protocol attack is probably the hardest problem so far. Our proposed solution uses asymmetric cryptography to protect the data passed between USB device and host: the device holds a key pair and only its public key crosses the bus, so there is no shared secret to capture, unlike a symmetric scheme that would have to transmit its key, and the password is never sent in the clear, which is the common vulnerability of some USB drives by ATP Electronics, Samsung Electronics, Samsung Pleomax, LG Electronics, and Imation (Jeong et al., 2007). This does, however, require a standardization effort for the USB drive microcontroller that holds the key pair and the cryptographic software, and the host must be able to verify that the public key really belongs to the device, or an attacker on the host can substitute their own.
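To make the difference concrete, the following added Python example (not from the paper and not any vendor's firmware) contrasts the cleartext password check of Section 5.1 with a challenge-response check that also carries the self-lock counter of Table 3. It deliberately uses a symmetric HMAC challenge-response with a PBKDF2-derived key held on the device rather than the asymmetric scheme proposed above, because that needs nothing beyond the Python standard library; the Bus class standing in for the USB channel, the sample password, the iteration count and the lockout threshold are all constructed assumptions of the example.

```python
"""Password check across a sniffable USB channel, as an added illustration: the
cleartext scheme of the drives cited in Section 5.1 versus HMAC challenge-response
with a device-side lockout counter (Table 3)."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000   # assumption: sized for the drive controller's CPU budget
MAX_FAILED_ATTEMPTS = 10      # assumption: threshold for the Table 3 self-lock counter
SALT_LEN = 16
NONCE_LEN = 32


class Bus:
    """Stands in for the USB channel: a protocol analyzer on the host sees every transfer."""
    def __init__(self):
        self.captured = []

    def send(self, direction, payload):
        self.captured.append((direction, bytes(payload)))
        return payload


class LegacyDevice:
    """Drive that compares a password sent in the clear (the weakness of Section 5.1)."""
    def __init__(self, password):
        self._password = password.encode()

    def unlock(self, bus, password):
        received = bus.send("host->device", password.encode())
        return hmac.compare_digest(received, self._password)


def derive_key(password, salt):
    """Slow password-to-key derivation; the device stores only the derived key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class HardenedDevice:
    """Drive that authenticates by HMAC challenge-response and locks after repeated failures."""
    def __init__(self, password):
        self.salt = secrets.token_bytes(SALT_LEN)
        self._key = derive_key(password, self.salt)
        self.failed_attempts = 0
        self.locked = False
        self._nonce = None

    def begin(self, bus):
        if self.locked:
            raise PermissionError("device locked after too many failed attempts")
        self._nonce = secrets.token_bytes(NONCE_LEN)
        # Salt and nonce are public: the analyzer may read them without learning the password.
        return bus.send("device->host", self.salt + self._nonce)

    def finish(self, bus, response):
        response = bus.send("host->device", response)
        nonce, self._nonce = self._nonce, None   # every challenge is single-use
        if nonce is None or self.locked:
            return False
        expected = hmac.new(self._key, b"unlock" + nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, response):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False


def host_unlock(device, bus, password):
    """Host side: derive the key from the typed password and answer the device's challenge."""
    challenge = device.begin(bus)
    salt, nonce = challenge[:SALT_LEN], challenge[SALT_LEN:]
    response = hmac.new(derive_key(password, salt), b"unlock" + nonce, hashlib.sha256).digest()
    return device.finish(bus, response)


def password_in_capture(bus, password):
    """What a protocol analyzer recovers by searching the captured transfers."""
    return any(password.encode() in payload for _, payload in bus.captured)


def brute_force(device, bus, candidates):
    """Online guessing against the device: returns (password found, attempts the device accepted)."""
    attempts = 0
    for guess in candidates:
        try:
            if host_unlock(device, bus, guess):
                return guess, attempts + 1
        except PermissionError:
            return None, attempts
        attempts += 1
    return None, attempts


if __name__ == "__main__":
    bus = Bus()
    LegacyDevice("Summer2010!").unlock(bus, "Summer2010!")
    print("legacy drive, password readable on the bus:", password_in_capture(bus, "Summer2010!"))
    bus = Bus()
    print("hardened drive unlocked:", host_unlock(HardenedDevice("Summer2010!"), bus, "Summer2010!"),
          "| password readable on the bus:", password_in_capture(bus, "Summer2010!"))
    guesses = [f"guess{i}" for i in range(20)] + ["Summer2010!"]
    print("brute force against hardened drive:", brute_force(HardenedDevice("Summer2010!"), Bus(), guesses))
```

Two caveats follow from the code. The captured transcript (salt, nonce, HMAC) still permits offline guessing of weak passwords against the HMAC, so the PBKDF2 cost and the password advice of Section 5.2 are what make that expensive; the lockout counter only stops online guessing. And because the challenge is not authenticated, malware on the host can impersonate the device towards the user, which is exactly the gap the device-held key pair proposed above is meant to close.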

As for the USB driver, vendor USB drivers should be implemented in user mode, which prevents privilege escalation in case an attacker succeeds in a buffer overflow attack against the driver. Earlier buffer overflow attacks on the Windows USB driver, though never confirmed by Microsoft, were possible on Windows XP and earlier versions but not on Windows Vista and later. This can be explained by the Microsoft driver model in Windows Vista and later editions, particularly the User-Mode Driver Framework (UMDF). Fig. 10 illustrates the USB driver model for Windows Vista.

In Fig. 10, the drivers for USB devices provided by hardware vendors run in the user-mode layer, where access to system resources is limited to the rights and privileges of a user account. This model applies to Windows Vista and later; note that UMDF moves vendor and device-class drivers to user mode, while the core USB bus drivers (host controller, hub, and mass storage) remain kernel-mode components. In earlier Windows versions such as Windows XP and Windows Server 2003, the USB driver ran in kernel mode, where it has unrestricted access to system resources, so compromising a USB driver gave the attacker SYSTEM rights and privileges. In addition, crafted USB drivers could be injected into the Windows kernel because driver signing was not enforced in Windows XP and is still not enforced in the 32-bit editions of later versions (the 64-bit editions of Windows Vista and later require signed kernel-mode drivers). Enforcing signed drivers prevents unsigned drivers from being loaded into the Windows kernel and thus effectively mitigates this threat vector.

Fig. 10. Windows USB driver architecture, adapted from Architecture of the User Mode Driver Framework (2007).

Table 3. USB security software threats and solutions.

Threat | Solution
Buffer overflow attack | Software input validation
Keylogger (password attack) | Virtual keyboard with random key layout
Password brute force attack | Self-lock counter
Protocol attack | Asymmetric data encryption

8. Conclusion and further work

In this paper we have investigated the currently identified USB-based software attacks and their payloads on host computers and USB devices, and established a taxonomy of the attacks. We have also created a security framework for handling USB-based software attacks on the newer Windows operating systems, Windows Vista, Windows Server 2008, and Windows 7, on both x86 and x64 platforms. The framework was designed to address all the identified USB-based software attacks with minimal deployment and maintenance effort. The results also show that re-engineering effort must go into a standardization process for USB security software, to create an industry-wide secure implementation standard for all USB devices. Finally, USB driver implementation should be moved to user mode to prevent privilege escalation in case a buffer overflow attack on the driver succeeds.

Appendix.

Table A1. Surveyed USB based malware families.

1 Auraax (a)
2 AutoIt (a)
3 AutoIt/Renocide (a)
4 Brontok (a)
5 Conficker (a)
6 Emold (a)
7 Generic!atr (a)
8 Invadesys (a)
9 Mal_Otorun (a)
10 Niuniu (a)
11 Pushbot (a)
12 PWS-Gamaniav
13 Slenfbot (a)
14 Troj_CoreLink.D
15 Trojan.Autorun.AET
16 Trojan.AutorunINF.Gen
17 VBS.Runauto (a)
18 W32.Gammima.AG
19 W32.Saltity.AE
20 W32.SillyDC
21 W32.SillyFDC
22 W32.Sality.OG
23 W32.Worm.Downadup.Gen
24 W32/Autorun (a)
25 W32/Conficker.B
26 W32/Frethog (a)
27 W32/Hamweq (a)
28 W32/Hary (a)
29 W32/Mabezat (a)
30 W32/Perlovga (a)
31 W32/Regul (a)
32 W32/SillyShareCopy (a)
33 W32/Taterf (a)
34 W32/Yacspeel.A.dll
35 Worm.Autorun.VHG
36 Worm.VBS.Autorun.r
37 Worm.W32.AutoRun (a)
38 Worm.W32.AutoRun.dui
39 Worm.W32.AutoRun.eee
40 Worm.W32/Autorun (a)
41 Worm.W32/RJump (a)
42 Worm_Agent.TBH
43 Worm_Autorun.AZB
44 Worm_Autorun.BSE
45 Worm_Autorun.CBZ
46 Worm_Downad.A
47 Worm_QQpass.ADH
48 Worm_VB.BDN

(a) The number of variants varies from three, as in the W32/Hary and W32/Mabezat families, to several hundred, as in the AutoIt and Pushbot families. Not all variants' profiles are available in the databases, however; only autorun-related variants with available profiles in the databases were surveyed.

Table A2. Tested common USB hack toolkits.

1 Amish 1.0 (No U3)
2 Asterisk Logger 1.04
3 Blat 262
4 Dialupass2
5 Enable-Abel SwitchBlade
6 Ethereal on USB
7 Gandalf 7zBlade
8 GonZors SwitchBlade 1.2
9 GonZors SwitchBlade 2.0
10 HackBlade
11 IE Cache View
12 IE PassView v1.17
13 IECookiesView
14 IEHistoryView
15 John 1.7.0.1
16 Mail PassView v1.55
17 MessenPass v1.30
18 MozillaCacheView v1.27
19 MozillaCookiesView v1.30
20 MozillaHistoryView v1.25
21 Nemesis 1.4
22 Network Password Recovery v1.24
23 Nmap 3.8.1
24 Nmap 5.0
25 Nmapbot version 0.2
26 PasswordFox v1.20
27 Pwdump6
28 Resource Hacker Version 3.5.2
29 RPC-Mail version 0.1
30 SkypeLogView v1.12
31 Slurp Audit
32 SniffUSB
33 Snort 2.8.5
34 Stellar Password Recovery v1.5
35 Stunnel 3.10
36 Stunnel 4.33
37 Switchblade alternative 1.3 by Silivrenion
38 TCP Dump version 3.9.4
39 USB HackSaw 0.2
40 USB Hacksaw Version 0.1 POC
41 USB Pocket Knife v0.8.8.0
42 USBDeview v1.06
43 USBDumper v2.2
44 USBlyzer 1.5
45 Web dumper 2.4
46 White Hat Payload 1.3
47 Windows Password Key
48 WireShark 1.2.1
49 U3 Incident Response Switchblade
50 Kapowdude

Table A3. Tested hack tool and hack toolkit categories (total number of toolkits: 3802).

1 Bluetooth exploiting tools
2 Buffer overflow
3 Credit card information exploiting tools
4 Data collection tools
5 Data recovery tools
6 Database exploiting tools
7 DoS tools
8 Encryption tools
9 Enumeration
10 Footprinting
11 Google hacking
12 IDS and firewall exploiting
13 Information hiding
14 Internet anonymity
15 Linux system exploiting tools
16 Mac OS exploiting tools
17 Mail hacking
18 Mobile and PDA device cracking
19 Password cracking
20 Password stealing
21 Penetration testing tools
22 Phishing tools
23 Proxy hacking
24 Reverse engineering tools
25 RFID hacking tools
26 Router cracking
27 Session hijacking
28 Sniffer tools
29 Software cracking kits
30 Spamming tools
31 Spying tools
32 SQL injection
33 Steganography tools
34 System exploiting tools
35 System scanning
36 Trojan and backdoor kits
37 Virus and worm kits
38 VoIP hacking tools
39 Web app vulnerability scanner
40 Web browser hacking
41 Web server exploiting tools
42 Wireless cracking


References

Alzarouni M. The reality of risks from consented use of USB devices. In: Proceedings of the 4th Australian Information Security Conference; 2006.

Architecture of the User Mode Driver Framework, Version 1.0. Microsoft Corporation; 2007.

Bakker PJ, et al. Investigating 'secure' USB sticks, v.1.4. Delft, The Netherlands: Fox-IT Forensic IT Experts B.V.; 2007.

Chance R. Understanding USB flash drives as portable infrastructure. Bel Air, MD: Browsercraft, LLC; 2005.

Fabian M. Endpoint security: managing USB based removable devices with the advent of portable applications. In: Information Security Curriculum Development Conference; 2007.

Gibson WR, Dyar D. Implementing preinstallation environment media for use in user support. In: Proceedings of the 35th Annual ACM SIGUCCS Conference on User Services; 2007.

Halderman JA, Schoen SD, Heninger N, Clarkson W, Paul W, Calandrino JA, Feldman AJ, Appelbaum J, Felten EW. Lest we remember: cold boot attacks on encryption keys. In: Proceedings of the USENIX Security Symposium; 2008.

Harrison K, Xu S. Protecting cryptographic keys from memory disclosure attacks. In: 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks; 2007.

Jeong H, Choi Y, Jeon W, Yang F, Lee W, Kim S. Vulnerability analysis of secure USB flash drives. In: IEEE International Workshop on Memory Technology, Design and Testing; 2007.

Lee S, Savoldi A, Lee S, Lim J. Password recovery using an evidence collection tool and countermeasures. In: Third International Conference on Intelligent Information Hiding and Multimedia Signal Processing, vol. 2; 2007.

Marcus D, Greve P, Masiello S, Scharoun D. McAfee threats report: third quarter 2009. McAfee Avert Labs, McAfee, Inc.; 2009.

McAfee threats report: second quarter 2009. McAfee, Inc.; 2009.

Paget F. Avert passes milestone: 20 million malware samples. McAfee Labs Blog, McAfee, Inc.; 2009. <http://www.avertlabs.com/research/blog/index.php/2009/03/10/avertpassesmilestone-20-million-malware-samples/> [accessed 20.11.09].

Pham DV, Halgamuge MN, Syed A, Mendis P. Optimizing Windows security features to block malware and hack tools on USB storage devices. In: Progress in Electromagnetics Research Symposium; 2010.

Roberts PF. USB devices can crack windows. eWEEK, Ziff DavisEnterprise Inc, <http://www.eweek.com/c/a/Security/USB-devices-can-crack-Windows/>; 2005 [accessed 20.08.09].

Thomas P, Morris A. An investigation into the development of ananti-forensic tool to obscure USB flash drive deviceinformation on a windows XP platform. In: Digital forensicsand incident analysis, third international annual workshop;2008. p. 60e6.

Thomas V, Ramagopal P, Mohandas R. The rise of autorun- basedmalware. McAfee Avert Labs, McAfee, Inc; 2009.

Vega RD. Linux USB device driver - buffer overflow. St ClementHouse 1-3 Alencon Link Basingstoke RG21 7SB, England: MWRInfoSecurity Security Advisory. MWR InfoSecurity Limited;2009.

W3chools. Operating system statistics, <http://www.w3schools.com/browsers/browsers_os.asp>; 2009 [accessed 10.10.09].
