More USB Problems

As if Stuxnet hadn’t produced enough concerns about using USB jump drives with industrial control systems, yesterday US-CERT posted a warning about reports of “newly purchased removable media devices [that] are infected with malicious code”. If the system autorun is enabled (the default setting for most systems) the worm will infect the system when the device is connected.

There is no information in this report about what types of ‘removable media devices’ have been reported to be infected. This is not really a new issue; I recall reports of digital picture frames becoming infected at the manufacturer’s location when the quality control checks were done with an unprotected computer. Whether the devices being reported to US-CERT were deliberately or accidentally infected is not explained in this warning.

US-CERT recommends the implementing the following security practices:

• Disable autorun in Windows [see Microsoft knowledgebase article 967715].
• Maintain up-to-date antivirus software.
• Maintain up-to-date hardware, operating systems, and software by applying security patches, fixes, and updates.
• Perform virus scanning of the removable media devices prior to each use.

Please note that this warning did not come from DHS ICS-CERT so it did not include the caveat included in most ICS-CERT mitigation recommendations that administrators need to evaluate the potential impacts of the recommended mitigation measures on their particular systems prior to implementation.