In association with heise online

13 June 2006, 13:47

USB sticks as modern Trojan horses

In the Greek legend, Ulysses outsmarts the residents of Troy with a wooden horse that was apparently left behind. Copycats still successfully use the same model: e-mails allegedly containing nude images -- or apparently lost USB sticks. Steve Stasuikonis of Secure Network Technologies reports on an interesting penetration test at a credit union where he used specially prepared USB sticks to retrieve more interesting data than he would ever have imagined.

Under contract with the credit union, Stasuikonis was to test the security of the network, especially by using social engineering tricks. Instead of trying to get bits of information through small talk or flirting, Stasuikonis and his staff equipped USB sticks with a key logger that collects passwords and sends them by e-mail. Twenty such modern Trojan horses were then "lost" on the company's campus. Some employees could not resist: 15 of the sticks were found and promptly inserted into company computers.

While the article does not explain whether the auto-run mechanism was used to activate the key logger or whether the employees manually launched the applications they found out of curiosity, we can assume that the latter would happen if hackers were clever enough.

It won't be easy to protect networks from such attacks. Antivirus software will not do much good against such handcrafted malware. Another obvious option -- using personal firewalls to prevent critical data from being sent by e-mail -- is also not especially promising. If the PC is connected to the Internet, clever hackers will find a way to get data past such a guard. The only options left are to completely block USB ports or, even more radically, to ban the execution of unknown applications, for example via a whitelist mechanism such as Microsoft's Software Restriction Policies.
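As an added example (not part of the original article), the following read-only PowerShell audit checks whether a Windows host has the two controls named above in place, plus autorun, which the article raises as a possible trigger. The registry locations are standard Windows ones rather than anything from the article, the function names are hypothetical, and the USBSTOR check covers only USB mass storage, not every device class on the port.

```powershell
# Added example: read-only audit of removable-media hardening on the local host.
# Function names are illustrative; registry paths are standard Windows locations.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-RemovableMediaHardening {
    $results = @()

    # 1. USB mass-storage driver: Start = 4 means the USBSTOR service is disabled,
    #    so sticks are not mounted. Keyboards and other USB classes still work.
    $usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    $results += [pscustomobject]@{
        Control = 'USB mass storage driver disabled'
        Value   = $usbStart
        Pass    = ($usbStart -eq 4)
    }

    # 2. Software Restriction Policies: DefaultLevel 0 = Disallowed (whitelist mode),
    #    0x40000 = Unrestricted (only explicitly denied rules are blocked).
    $srpLevel = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel'
    $results += [pscustomobject]@{
        Control = 'SRP default level is Disallowed'
        Value   = $srpLevel
        Pass    = ($null -ne $srpLevel -and $srpLevel -eq 0)
    }

    # 3. Autorun: NoDriveTypeAutoRun = 0xFF turns it off for every drive type.
    #    This does not stop a user from launching a file by hand.
    $autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    $results += [pscustomobject]@{
        Control = 'Autorun disabled for all drive types'
        Value   = $autorun
        Pass    = ($autorun -eq 0xFF)
    }

    $results
}

Test-RemovableMediaHardening | Format-Table -AutoSize
```

A blank Value column means the setting is not configured on that host, which the audit reports as a failed control.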

