Malware that spreads by infecting removable USB (universal serial bus) storage drives is now the target of a new Honeynet Project investigation, citing the increased reliance of malicious programs on portable drives to move from computer to computer.
The ghost-usb-honeypot uses software to emulate portable USB flash drives on Windows systems exposed to malicious software circulating on the Internet. Researchers hope to be able to use the emulated drives to spot malware that copies itself to the virtual flash drives.
The Honeynet Project is a non-profit security research organization that collects and analyzes malware in the wild using a wide range of open source security tools. Honeypots are machines set up in order to attract malware and hackers for the purpose of studying their behavior.
The ghost-usb-honeypot project stems from research conducted by Sebastian Poeplau, a student at Bonn University in Germany. Poeplau first presented the results of work he and others conducted at the University of Bonn’s Institute of Computer Science at a Honeynet Project conference in San Francisco in March. Poeplau said propagation via USB drives is increasingly common, as malware authors look for ways to breach “air-gapped” machines or networks that are not accessible from other networks.
Employees working on such air gapped networks still need to transfer data back and forth, and typically use USB drives to do so. Stuxnet spread via USB drive, as did the recently discovered Flame malware.
Most honeypot installations to date focused on malware that spreads by exploiting vulnerable network services or client software. However, nobody has previously attempted to capture and study malware that spreads by USB drives, Poeplau said in a presentation on the project in March. Ghostdrive is a virtual USB drive implemented using a Windows kernel mode driver that hooks Windows at the level of the disk class driver (disk.sys). A virtual bus driver registers the virtual driver, emulating the act of “plugging in” a removable device in the virtual Windows instance. Any information written to the virtual device copies onto a binary image file.
In a demonstration, Poeplau infected a virtual Windows instance with the Conficker malware, then loaded a virtual USB drive and observed Conficker infecting the drive. He said companies could use the free Ghostdrive tool to help monitor USB infections across their organization. In addition, the Ghostnet project may end up detecting malware that spreads solely using USB drives — something that researchers have yet to identify.
Security researchers have long warned about the danger posed by portable USB drives. In 2010, then Deputy Secretary of Defense (DoD) William Lynn acknowledged an infected USB was responsible for a compromise of the DoD’s classified SIPRNet. Despite that, most companies do not closely manage or monitor the use of removable devices by employees, opening a gaping hole for attackers.