When Microsoft disabled AutoRun on XP and Vista back in February, 2011, everyone thought this was game over for the bad guys who were abusing the removable media distribution/infection vector in particular. However, pragmatic and market demand-driven opportunistic cybercrime-friendly vendors quickly realized that this has opened up a new business opportunity, that is, if they ever manage to find a way to bypass Microsoft’s AutoRun protection measures.

Apparently, they seem to have a found a way to bypass the protection measure by tricking Windows into thinking that the connected USB memory stick is actually a ‘Human Interface Device’ (keyboard for instance), allowing them to (physically) execute custom scripts within 30/40 seconds of connecting the custom USB memory stick to the targeted PC.

From theory into practice, let’s profile their international underground market propositions and discuss the impact these USB sticks could have in today’s bring your own device (BYOD) corporate environment.

More details:

Sample screenshots of the actual advertisements:

Windows_7_8_Custom_USB_Memory_Stick_Bypass_AutoRun_Protection Windows_7_8_Custom_USB_Memory_Stick_Bypass_AutoRun_Protection_01

According to the advertisement, the malicious script/file executes in under 50 seconds on first mount, and within 30 seconds on a second re-mount, followed by just 6 seconds of visible (malicious) activity on the screen, with the vendor behind the ‘solution’ also working on Mac OS X version. The price for a custom 128MB USB memory stick is $54, and the price for a custom 8GB USB memory stick is $64.

We’re also aware of yet another cross-platform (Windows, Mac OS X, Linux) commercially available (not advertised at any cybercrime-friendly communities for the time being) AutoRun protection bypassing ‘solution’, relying on the same concept as the first one. However, due to its payload generating capability, custom scripting language, and lower price ($39.99), we expect that the custom USB ‘solution’ pitched to pen-testers internationally would remain the tactic of choice to anyone wanting to compromise a host, once they manage to bypass the physical security (if any) in place.

Time to get back to the basics – physical security.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This