Attack of the iPods!

Thanks to OS design flaws like AutoRun, MP3 players (like the iPod) and USB drives can be used for more nefarious purposes than just carrying data out the door.

By Simson Garfinkel

Page 2

AutoRun isn't just a problem for Windows. Back in the 1990s the Macintosh had a similar feature called Autostart that automatically ran QuickTime 2.0 files; Apple removed the feature from the operating system after the so-called Hong Kong virus (formally known as Autostart-9805) spread to thousands of computers in 1998. Likewise, the Palm operating system has a similar feature that automatically gives every program on an SD card the chance to run when that card is plugged into the expansion slot of a computer running PalmOS.

The AutoRun threat is very real and has been exploited on a massive scale. The rootkit/spyware combination that Sony Music distributed last year on millions of compact discs was installed as part of an AutoRun script. Spyware was installed on Windows-based PCs all over the world. It turns out that the music CDs also included spyware for Macs, but on MacOS the spyware needed to be manually installed, and few Apple users bothered.

Worse than AutoRun: Direct Memory Access

But as bad as AutoRun is, there's a vulnerability built into practically every desktop computer and server that's currently in use—and this is a vulnerability that affects PCs running Windows, Macs and quite possibly machines running Linux or even Solaris. The vulnerability is based on the direct memory access facilities built into the FireWire and USB standards.

Bypassing the Safeguards

There are basically two ways to move information between a computer system and the rest of the world. The first is called Programmed I/O (PIO), in which the computer's central processing unit itself copies each byte between the outside world and the computer's memory. PIO is easy to implement—the early PCs used PIO exclusively—but it's slow.

Direct Memory Access (DMA), on the other hand, uses bulk data transfers to move blocks of information between the world and the PC's memory. When early PCs moved from PIO to DMA, the maximum data transfer speed rose from 8MBps to 33MBps; today's systems support transfer speeds of 133MBps or more. With DMA-based systems the CPU sets up the transfer and then goes off to work on other things. The disk or other DMA-aware device initiates the transfer all by itself when it is ready, and a message gets sent to the CPU when the transfer is finished. Because FireWire and USB were designed with the intention of connecting high-speed disk drives, both specifications have provisions for DMA. This means that, under many circumstances, a device that's plugged into a FireWire or USB interface has the ability to read and write individual physical memory locations inside the host computer. Such access necessarily bypasses the host operating system and any security checks that it might wish to implement.
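As an added defender-side check that is not part of the article, the POSIX shell script below audits a Linux host for the FireWire DMA exposure described above: it looks for the IEEE 1394 host driver in lsmod-style output, checks whether an IOMMU is active via the numbered subdirectories of /sys/kernel/iommu_groups, and emits a modprobe blacklist for hosts that do not need the port. The function names and verdict tokens are my own; the module names and sysfs path are standard Linux ones, and the IOMMU check is a heuristic (an active IOMMU is the usual mitigation, not a guarantee on every kernel).

```shell
# Added audit for the FireWire DMA exposure described above (assumes Linux;
# lsmod-style output and an iommu_groups directory are passed as paths so the
# checks run against a constructed sample as well as a live host).

# Linux IEEE 1394 driver modules, current and old stack (lsmod uses underscores).
FW_MODULES="firewire_ohci firewire_core firewire_sbp2 ohci1394 sbp2 ieee1394"

# Print every FireWire module named in the lsmod-style file $1, one per line.
loaded_firewire_modules() {
    while read -r name _; do
        for m in $FW_MODULES; do
            if [ "$name" = "$m" ]; then echo "$name"; fi
        done
    done < "$1"
}

# Count IOMMU groups under $1 (live: /sys/kernel/iommu_groups). Zero means no
# IOMMU is active, so a bus-master device can address all physical memory.
iommu_group_count() {
    n=0
    if [ -d "$1" ]; then
        for g in "$1"/*; do
            if [ -d "$g" ]; then n=$((n + 1)); fi
        done
    fi
    echo "$n"
}

# Verdict for one host: EXPOSED, MITIGATED_IOMMU or NO_FIREWIRE_DRIVER.
assess_dma_exposure() {
    mods=$(loaded_firewire_modules "$1")
    groups=$(iommu_group_count "$2")
    if [ -z "$mods" ]; then
        echo NO_FIREWIRE_DRIVER
    elif [ "$groups" -gt 0 ]; then
        echo MITIGATED_IOMMU
    else
        echo EXPOSED
    fi
}

# modprobe.d fragment that keeps the 1394 host-controller driver from loading
# at all; write it to /etc/modprobe.d/ on hosts that do not need FireWire.
firewire_blacklist_conf() {
    for m in firewire-ohci ohci1394; do
        echo "blacklist $m"
        echo "install $m /bin/false"
    done
}
```

On a live host, save `lsmod` output to a file and run `assess_dma_exposure that_file /sys/kernel/iommu_groups`; an EXPOSED verdict is the case to act on with the blacklist fragment.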
