AutoRun Malware: Why your computer is summoning dark lords after you plugged in that parking lot USB
For the last three weeks you've overheard your coworkers go on and on about the MMORPG they've been playing online. Curiosity starts gnawing at the resistance you've put up against the peer pressure of falling prey to another trend. Your wall finally crumbles as one coworker from the group passes your cubicle, and her eyes light up at your prospective interest in hours of mythical exploration and orc-slaying. "I can actually bring you a copy of the game on a flash drive tomorrow if you'd like!" You smile and accept her amenable offer.
Fast forward to the next evening; your coworker followed through and you're beyond excited to install the game and finally get to experience what everyone has been raving about. You plug the drive in and as you're about to open File Explorer, things start going amiss. Your computer starts acting strangely without you even having clicked anything.
As you could probably tell from the title and this ravishing tale of nerd-fun-gone-wrong, this week's blog post centers on USB malware. We'll take a dive into how it works and some examples of these portable nightmares.
What is USB malware and how does it work?
Just as the name states, USB malware is a piece of malicious code that resides on and propagates using removable mass storage devices. If the removable device originated from an unknown source, the malware may have been intentionally placed on there. If it came from a friend or colleague, it may have been written to the device without their knowledge. The same way that a plethora of malware types plagues computers, a great variety of malware can affect removable drives as well.
One of the concerning factors surrounding infected USBs is that malware can sometimes execute as soon as the drive is plugged into a host, depending on what the code is built to do and whether AutoRun is enabled on the endpoint. This gives the user little to no reprieve to manually mitigate or stop bad code from running, and that's if they even realize that's what is happening or about to happen.
AutoRun/AutoPlay Settings
The AutoRun/AutoPlay settings on Windows OSs allow for the automated execution of media. In today's world, it's easy to see why this feature could be more of a curse than a blessing. When enabled, Windows looks for "autorun.inf," an ASCII text file containing commands, such as which executable to run when the drive is inserted or what actions take place when the user double-clicks on the drive icon. This file is located in the root directory of the drive being inserted.
If you're curious about how to disable AutoRun/AutoPlay on Windows 10, both via the GUI and group policy, check out Tech Republic's article here.
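To review a drive's autorun.inf without letting Windows act on it, the file can be read as plain text and checked for the entries that start a program. The following is an added example, not code from the original post; the sample file contents and the function names are constructed for illustration.

```python
# Constructed sample autorun.inf (not taken from any real drive).
SAMPLE_AUTORUN = r"""
[AutoRun]
; comment line
open=setup.exe
icon=game.ico
shell=play
shell\play=Play Game
shell\play\command=launcher.exe /quiet
"""

def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are matched case-insensitively here
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit_autorun(text):
    """List (trigger, key, command) for every entry that can start a program."""
    entries = parse_autorun(text)
    # open= and shellexecute= name what runs when the drive is inserted.
    findings = [("insert", k, entries[k]) for k in ("open", "shellexecute") if k in entries]
    # shell=<verb> selects the default verb, i.e. the double-click action.
    default_verb = entries.get("shell", "").lower()
    for key, value in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            trigger = "double-click" if parts[1] == default_verb else "context-menu"
            findings.append((trigger, key, value))
    return findings

if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE_AUTORUN):
        print(finding)
```

Any finding on a drive that is only supposed to hold documents or an installer you did not expect is a reason to stop and inspect the referenced file before opening the drive in File Explorer.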
USB Malware Case Study: Stuxnet and .LNK file exploits
One of the most globally renowned pieces of malware is Stuxnet. It caught the world's attention not only because of its nature but because it exceeded the threshold of what most people considered to be technologically possible at that point in time. It was also considered by some to be the first cyber intrusion with kinetic ramifications.
Stuxnet is the malware that negatively impacted the nuclear centrifuges located at the Natanz uranium enrichment facility in Iran and was discovered in 2010. It entered the facility via infected USB drives, with some outlets reporting that targeted supply chain interdiction was involved in getting the code on the drives in the first place.
One of the interesting mechanisms found in Stuxnet was its .lnk file exploit. In Windows, .lnk files are used as shortcuts to a specific program or file. They are normally found in the following directories:
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent
C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent (For Microsoft Office files)
Sometimes threat actors will write .lnk files to startup directories as a persistence mechanism to ensure execution upon logon. The file path for that directory is below:
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
They may also place PowerShell code within the .lnk, opening a Pandora's box of attack possibilities. In the case of Stuxnet, the developers utilized a somewhat clever mechanism; they planted malicious code in one of the modules utilized to generate a shortcut icon.
Shortcuts just like the ones pictured above use what's known as a .cpl (control panel) file in order to generate the image in the icon. .lnk files have the file path of the .cpl stored in their "file location info" section. The attackers behind Stuxnet instead directed the .lnk file to look in a different path, which led to a malicious executable located on the removable drives.
A higher level view of Stuxnet and the goals behind it can be found here.
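When reviewing shortcuts found in a Startup folder or on a removable drive, it helps to read the strings stored inside the .lnk rather than trusting its icon and name. The following is an added example, not code from the original post: a minimal reader for the string fields of the Shell Link binary format that flags any field mentioning PowerShell. The helper names and the sample shortcut bytes are constructed for illustration.

```python
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # shell link class ID
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80      # LinkFlags bits
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk_strings(data):
    """Return the StringData fields of a .lnk file as a dict."""
    try:
        size, = struct.unpack_from("<I", data, 0)
        if size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
            raise ValueError("not a shell link")
        flags, = struct.unpack_from("<I", data, 20)
        pos = LNK_HEADER_SIZE
        if flags & HAS_ID_LIST:      # skip the target ID list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINK_INFO:    # skip LinkInfo (size includes itself)
            pos += struct.unpack_from("<I", data, pos)[0]
        width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
        fields = {}
        for bit, name in STRING_FLAGS:  # strings appear in this fixed order
            if flags & bit:
                count, = struct.unpack_from("<H", data, pos)
                end = pos + 2 + count * width
                fields[name] = data[pos + 2:end].decode(codec, "replace")
                pos = end
        return fields
    except struct.error as exc:
        raise ValueError("truncated shell link") from exc

def flag_lnk(data):
    """Names of the string fields that mention PowerShell."""
    fields = parse_lnk_strings(data)
    return sorted(n for n, v in fields.items() if "powershell" in v.lower())

def build_sample_lnk(relative_path, arguments):
    """Constructed minimal .lnk (header plus two Unicode strings) for offline use."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header.ljust(LNK_HEADER_SIZE, b"\x00") + body

if __name__ == "__main__":
    sample = build_sample_lnk(r"..\WindowsPowerShell\v1.0\powershell.exe",
                              "-NoProfile -File placeholder.ps1")
    print(parse_lnk_strings(sample), flag_lnk(sample))
```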
Recommendations
A few tips on best and safest practices when working with removable media:
Do not plug in devices originating from unknown sources. Threat actors have been known to drop drives in parking lots or even send out USB drives with fake gift cards, hoping to lure someone into plugging the device in.
Disable AutoRun/AutoPlay on your endpoint, as shown here.
Periodically review the files and folders on the drive. Scrutinize and ensure all of the objects on there were intentionally placed there by you. In the event you find something unwanted, remove it.
Only use a removable drive if you actually need to. This reduces the adversary's attack surface and it's one less vector he or she could use to exploit the endpoint.
If investigating for infected drives that may have been unknowingly plugged into an endpoint in your environment, the following registry key contains data for USB drives that have been introduced to the host:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2