Daily cyber threats and internet security news: network security, online safety and latest security alerts
November 20th, 2008

USB Devices Containing Worms Threaten US Army, All Removable Devices Temporarily Banned

Recent increase in malicious code propagating via USB flash drives forced the US Army to suspended the use of USB and removable media devices after a worm began spreading across its network. Use of USB drives, floppy discs, CDs, external drives, flash media cards and all other removable media devices has been placed on hold in order to contain the spread of Agent-BTZ, a variant of the SillyFDC worm. Such a temporary ban would cause inconvenience in any organisation, but for the US military it’s an even more serious problem because in many locations email or online transfer of files are not viable options.

The clampdown applies to both the the secret SIPR and unclassified NIPR networks, according to internal Army emails cited by Wired. Variants of the the SillyFDC worm are capable of spreading over networks or removable media devices, infecting any Windows PC they are plugged into or any external drive connected to an infected device, for example. The malware is programmed to download secondary infectious code from the internet, establishing a conduit that might be used to download keylogging software, password-siphoning spyware or botnet agents onto compromised machines.

Government-approved drives will reportedly be allowed back onto the network soon, but not before they’ve been scanned and cleared of malware infection. Government security teams will be running custom scripts and daily scans for the dual purposes of making sure the ban is enforced and detecting the spread of other forms of malware, Wired adds.

The ban, which gets in the way of troops’ normal work, might seem like over-kill, but without knowing the full specifics of the extent of the infection it’s probably a little unfair to label it as such. The security experts say that actions short of an outright ban may be appropriate for organisations facing similar problems.

Regular users and networks are suffering from malware infections via USB for some time now. Currently, there are two popular methods by which USB flash drives are being infected with malicious code. The first of these methods is referred to as simple file copy. This means that the malicious code initially resides on an infected computer and copies itself to all the storage devices connected to the affected computer. This method requires the user to access the USB flash drive and execute the malicious code.

The second method is referred to as AutoRun.inf modification. This means that the malicious code alters or creates an autorun.inf file on targeted storage devices connected to the affected computer. When an infected USB flash drive is connected to another computer, the malicious code can be automatically executed with no additional user interaction.

These are not the only two methods available. The users are encouraged to do the following to help mitigate the risks:

* Run antivirus software and keep the virus signatures up to date.

* Do not connect an unknown or untrusted USB drive to your computer.

* Disable AutoRun or AutoPlay features for removable media.

Share this item with others:

More on CyberInsecure:
  • HP Ships Proliant Server USB Keys With Malware
  • Olympus Dsitributed Cameras With Malware-Infected Cards In Japan
  • USB Autorun Malware On The Rise
  • Microsoft Keyboards, Media Devices Under Attack By Open-source Kit
  • New DoS Attacks Threaten Mobile Network Security

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: USB Devices Containing Worms Threaten US Army, All Removable Devices Temporarily Banned

    2 Responses to “USB Devices Containing Worms Threaten US Army, All Removable Devices Temporarily Banned”

    1. Asad Quraishi Says:
      December 1st, 2008 at 7:44 am

      I haven’t been able to figure out how this worm propagates. Does it go after a Windows vulnerability through the network once it’s in? Which one?

    2. CyberInsecure Says:
      December 1st, 2008 at 11:12 am

      Asad Quraishi: It is mentioned in the article above that there are 2 methods. Since it is a typical malware, it goes after known vulnerabilities, for example MS08-067 (this one)

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.