Custom USB sticks bypassing Windows 7/8’s AutoRun protection measure going mainstream

By Dancho Danchev

When Microsoft disabled AutoRun on XP and Vista back in February, 2011, everyone thought this was game over for the bad guys who were abusing the removable media distribution/infection vector in particular. However, pragmatic and market demand-driven opportunistic cybercrime-friendly vendors quickly realized that this has opened up a new business opportunity, that is, if they ever manage to find a way to bypass Microsoft’s AutoRun protection measures.

Apparently, they seem to have a found a way to bypass the protection measure by tricking Windows into thinking that the connected USB memory stick is actually a ‘Human Interface Device’ (keyboard for instance), allowing them to (physically) execute custom scripts within 30/40 seconds of connecting the custom USB memory stick to the targeted PC.

From theory into practice, let’s profile their international underground market propositions and discuss the impact these USB sticks could have in today’s bring your own device (BYOD) corporate environment.

More details:

Sample screenshots of the actual advertisements:

Windows_7_8_Custom_USB_Memory_Stick_Bypass_AutoRun_Protection Windows_7_8_Custom_USB_Memory_Stick_Bypass_AutoRun_Protection_01

According to the advertisement, the malicious script/file executes in under 50 seconds on first mount, and within 30 seconds on a second re-mount, followed by just 6 seconds of visible (malicious) activity on the screen, with the vendor behind the ‘solution’ also working on Mac OS X version. The price for a custom 128MB USB memory stick is $54, and the price for a custom 8GB USB memory stick is $64.

We’re also aware of yet another cross-platform (Windows, Mac OS X, Linux) commercially available (not advertised at any cybercrime-friendly communities for the time being) AutoRun protection bypassing ‘solution’, relying on the same concept as the first one. However, due to its payload generating capability, custom scripting language, and lower price ($39.99), we expect that the custom USB ‘solution’ pitched to pen-testers internationally would remain the tactic of choice to anyone wanting to compromise a host, once they manage to bypass the physical security (if any) in place.

Time to get back to the basics – physical security.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

5 thoughts on “Custom USB sticks bypassing Windows 7/8’s AutoRun protection measure going mainstream

  1. Pingback: USB flash drives masquerading as keyboards mean more BYOD security headaches | News Weblastic

  2. Pingback: Add Custom Headphone Clips with Sugru | Accessories

  3. Pingback: M-A-O-L » Custom USB sticks bypassing Windows 7/8′s AutoRun protection measure going mainstream

  4. Pingback: The recent subject, pt.20 | Accessories

  5. Pingback: August 2, 2013 | cybersecurity update

Join the Conversation

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s