Stuxnet Turns USB Memory Sticks into Weapons of Mass Destruction

By Wayne Rash  |  Posted 2011-02-16

This story starts at the Washington, D.C., Auto Show, which is held at the end of January each year. While I was at the show, one of the people at the Land Rover display handed me a USB memory stick. I assumed that it contained a brochure or something similar, so I put it into my pocket and took it home. There, I promptly forgot about it. 

Fast forward a few days and the device appeared on my desk, so I did what you're not supposed to do, and plugged it into my USB port, assuming that Norton would block any bad stuff. Apparently there wasn't any bad stuff, but what alarmed me was that this USB memory didn't appear on my desktop as a removable drive; it simply launched a video showing me a new model of the Range Rover. I couldn't detect the device as a removable drive, so I couldn't reformat it for some other use. Instead, I tossed it into the trash before the video got going.

The reason this alarmed me is that it demonstrated how easy it is to insert and execute software, good or bad, without the user knowing. Had this same USB memory module contained Stuxnet, my computer might have been infected. This is exactly what happened a couple of years ago in Iran when the Israeli Defense Forces quietly planted some USB memory sticks in places frequented by Iranian nuclear engineers. Like everyone else, they popped the devices into their computers and the rest is history.  

Apparently the insertion of the USB device into the respective computers worked much like the one that showed me the Land Rover video. As soon as the device detected the insertion, it went to work and never waited for permission or a mouse click or whatever. Unlike the video, this worm never gave any indication that it was setting itself up and running. Instead, the software quietly installed itself and then took over the control computers for Iran's uranium centrifuges. It caused the centrifuges to overspeed until they were destroyed, while reporting to the operators that everything was normal. 

While virtually every computer infected by Stuxnet is in Iran, or belongs to a company with a presence in Iran, that doesn't mean that you're in the clear. Now that Stuxnet has been out for a while, it's only a matter of time before malware producers use the delivery mechanism to attack other targets.  

Time to Put Restrictions on USB Use


While the major anti-malware makers say they're ready, most of those are assuming that the new Stuxnet-like malware will be delivered over the Internet. But suppose some infected USB sticks are mixed in with the info kits delivered at a trade show?  

You know how those work: Companies hand out logo-imprinted USB memory devices like they were candy and people take them back to the office and try to use them. Frequently the goal is to erase the brochure and use the memory. But with an infected USB drive, the computer would be compromised before you could look at the first file. You could bring down an entire industry if you chose your target well.

And that's the problem with this sort of removable mass storage. It's all too common for people to get USB memory or CD-ROMs that they want to put into their computers and either look at the information or use the memory. But it's very easy to infect these devices and use them as a vector for a massive infection. 

To prevent this, you have a couple of choices. The first is to buy computers without USB ports, but that move has its own set of problems. The second choice is to manage your removable storage so that it can only do certain things. For example, set a USB port so it can only run a keyboard or mouse, but not use mass storage. Or you can set a CD drive so it can't execute programs. 
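
As an added illustration of the second choice (this script is not from the original article), the PowerShell below audits a Windows machine for three such restrictions and applies them when run with -Enforce. The registry locations are the standard Windows ones for the USB storage driver, AutoRun and the removable-storage policy; the script layout and the $Controls name are this example's own.

```powershell
# Added example: audit (and optionally enforce) removable-media restrictions.
# Run from an elevated PowerShell session on the Windows host being checked.
param([switch]$Enforce)

# Each entry: registry key, value name, the restrictive setting, and its effect.
$Controls = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start'; Want = 4
       Note = 'USB mass-storage driver disabled (keyboards and mice use HID)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Want = 255
       Note = 'AutoRun disabled for every drive type' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b4bf-11d0-94f2-00a0c91efb8b}'
       Name = 'Deny_Execute'; Want = 1
       Note = 'Execute access denied on CD and DVD drives' }
)

$report = foreach ($c in $Controls) {
    # A missing key or value means the restriction was never configured.
    $item    = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $current = $item.($c.Name)
    $ok      = ($null -ne $current) -and ($current -eq $c.Want)

    if (-not $ok -and $Enforce) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
        $current = $c.Want
        $ok = $true
    }

    [pscustomobject]@{
        Control   = $c.Note
        Value     = "$($c.Name) = $current"
        Compliant = $ok
    }
}

$report | Format-Table -AutoSize -Wrap
# A non-zero exit code lets a management tool flag hosts that still accept unknown media.
if ($report.Compliant -contains $false) { exit 1 }
```

On a managed fleet the same values are normally pushed through Group Policy instead of a per-host script, which also makes the case-by-case exceptions easier to track.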

Either choice will likely cause complaints in the user community, but that may not matter. It's very likely that most users won't have a business-related reason for looking at these devices or using the media, and you can always enable access on a case-by-case basis if they do.

But that's only part of the solution. You have to also educate users to not do what I did. By that I mean they have to really believe that they shouldn't just put a USB stick or CD of unknown origin into their computers. All I got for my lapse in judgment was a brief look at a new Range Rover. But it could have been much worse. I was lucky, but next time I need to be smart enough to follow my own advice.  

You're invited to laugh at me or even point fingers and make gestures. I deserve it. Just don't make the same mistake. 
