This article appeared in a journal published by Elsevier. The attached copy is furnished to the author for internal non-commercial research and education use, including for instruction at the author's institution and sharing with colleagues.
Other uses, including reproduction and distribution, or selling or licensing copies, or posting to personal, institutional or third party websites are prohibited.
In most cases authors are permitted to post their version of the article (e.g. in Word or Tex form) to their personal website or institutional repository. Authors requiring further information regarding Elsevier's archiving and manuscript policies are encouraged to visit:
http://www.elsevier.com/copyright
Author's personal copy
Universal serial bus based software attacks and protection solutions
Dung Vu Pham a, Ali Syed a, Malka N. Halgamuge b,*
a School of Computing and Mathematics, Charles Sturt University, Study Centre Melbourne, Victoria 3000, Australia
b Department of Civil and Environmental Engineering, Department of Electrical and Electronic Engineering, The University of Melbourne, Grattan Street, Parkville, Victoria 3010, Australia
Article info
Article history:
Received 12 January 2010
Received in revised form
26 January 2011
Accepted 17 February 2011
Keywords:
USB
Flash drive
Autorun
Hack tool
Malware
Abstract
Information security risks associated with Universal Serial Bus (USB) storage devices have
been serious issues since 2003, which marked the wide adoption of USB technologies in the
computing industry, especially in corporate networks. Due to the insecure design and the
open standards of USB technologies, attackers have successfully exploited various
vulnerabilities in USB protocols, USB embedded security software, USB drivers, and
Windows Autoplay features to launch various software attacks against host computers and
USB devices. The purposes of this paper are: (i) to investigate the currently
identified USB based software attacks on host computers and USB storage devices, (ii) to
identify the technology enablers of the attacks, and (iii) to form a taxonomy of attacks. The
results show that a multilayered security solution framework involving software
implementations at the User Mode layer of the operating system can help eliminate the root
cause of the problem.
© 2011 Elsevier Ltd. All rights reserved.
1. Introduction
Universal Serial Bus (USB) is a communication standard which
has been widely adopted in the computing industry over the last
few years to replace serial and parallel ports. USB offers
a number of advantages such as high data transfer speed,
hot swapping, plug-and-play (PnP), and power supply
to peripherals, which helped it gain popularity quickly. The
USB implementation allows a wide range of different electronic
devices to connect to computers, such as mice,
keyboards, PDAs, gamepads, joysticks, scanners, printers,
digital cameras, personal media players, flash drives, and
external hard drives. However, the popularity of USB interface
capable devices has resulted in increased risks to information
security of both host computers and USB devices. In this
research, we investigate all the currently identified USB based
software attacks, and develop a conceptual security
framework for protecting host computers and USB drives from
USB based software attacks. In detail, the following aspects
are considered:
• Software attacks on host computers by USB based malware
such as worms, viruses, and Trojan horses, and by USB based
hack tools.
• Software attacks on USB drives by hack tools.
• A security framework for protecting both USB drives and host
computers against USB based software attacks.
2. Previous work
* Corresponding author. E-mail address: [email protected] (M.N. Halgamuge).
Available at www.sciencedirect.com
Journal homepage: www.elsevier.com/locate/diin
Digital Investigation 7 (2011) 172–184
1742-2876/$ – see front matter © 2011 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2011.02.001

Previous research has been conducted in three areas: (1)
USB based software attacks on host computers, (2) software
attacks on USB devices, and (3) protection measures and best
practices for preventing USB based software attacks.
2.1. USB based software attacks on host computers
USB based software attacks on host computers refer to software
attacks launched from USB devices against host
computers. The attacks analyzed in previous research can
be categorized into an online attack mode, meaning attacks
launched from USB drives inserted into running
computers, and an offline attack mode, in which
attackers manage to boot the target computers from their
crafted USB drives.
2.1.1. Online attack mode
Among the attacks on host computers, data theft has been the
biggest concern related to USB devices in corporate environments
since 2005, when USB 2.0 devices became popular. Data
theft is normally conducted using various simple ad hoc
programmed utilities which are capable of silently downloading
specific data files from host computers onto USB
drives (Alzarouni, 2006; Fabian, 2007). In 2006 and 2007, there
was a substantial increase in the frequency and the level of
complexity of USB based software attacks on computers,
especially networked computers. The ad hoc programmed
hack tools, automatically launched from USB drives were
capable of doing many kinds of data manipulation on
computer systems such as changing registry settings,
installing backdoors and other malicious codes, stealing
confidential information, and even downloading the system
page file from a running computer to a USB drive (Alzarouni,
2006; Lee et al., 2007). Cryptographic attacks were also
common during the period, with the support of USB drives and
ad hoc programmed hack tools capable of
exploiting operating systems’ data encryption keys, OpenSSH,
and Apache HTTPS servers (Harrison and Xu, 2007).
After the USB 2.0 standard, the arrival of U3, which became
popular in 2007, has made U3 (USB) drives ultimate hacking
tools. Applications installed on U3 drives can be executed
without having to be installed on host computers. Attackers can
simply craft their own U3 ISO images with the necessary hack tools
to replace the original U3 ISO images on U3 drives, and take
advantage of the technology to launch multi-payload attacks on
the target computers (Alzarouni, 2006; Lee et al., 2007).
In 2008, a utility was developed to allow manipulating the
information on inserted USB devices stored in Windows
registry. It was suggested that when such a utility is used in
combination with other malicious codes, it creates an addi-
tional protection layer for the attackers who employ USB
devices as attack tools (Thomas and Morris, 2008). Although
the idea of manipulating Windows registry by utilities or
malware was not new, it did suggest another possibility of
software attacks using USB devices. Obviously, skilled
attackers can further improve the idea to help them clear their
tracks or create obfuscating information on the host
computers after completing their attacks.
2.1.2. Offline attack mode
The enabler for the offline attack mode is the “boot from
USB” capability of recent motherboards together with
Preinstallation Environment (PE) tools such as Windows PE and
Bart PE. These PE tools make it possible for the cores of some
Windows editions such as Windows XP and Vista to be
installed on and booted from USB drives. Later on, miscellaneous
toolkits such as antivirus software, data recovery, hard-drive
diagnostics, zip software, web browsers, secure file transfer
protocol (FTP), word processing, registry editor, product key
viewer, network configuration, and remote desktop client
tools are bundled into bootable USB drives (Gibson and Dyar,
2007).
Although the “boot from USB” feature was originally
designed for computer administration purposes, bootable USB
drives are also very powerful hack tools. With the aid of a few
hundred-megabyte USB 2.0 drives, an attacker can boot the
target computer from the USB drive and dump all the data
from the host computer to the USB drive within half an hour.
Even with cryptography in place, the cryptographic key material
stored in computer memory (RAM) was successfully retrieved
with the aid of a bootable USB drive and a tiny plug-in of a few
kilobytes in an experiment in 2008 (Halderman et al., 2008).
Moreover, such attacks cause no damage to the
host’s operating system or data, and they require no
accounts on the host operating system.
2.2. Software attacks on connected USB drives
Similar to the data stored on host computers, data stored on
USB drives, and even on secure USB flash drives, is also vulnerable
to different kinds of software attacks. Bugs in USB drive
security software and the insecure nature of the communication
channels between USB devices and host computers make
many password-protected and even fingerprint-protected
USB drives vulnerable to software attacks. On password-protected
USB drives such as Safeboot Phantom and MXI MXP
Stealth, weak passwords result in successful brute force
attacks. On fingerprint-protected USB drives such as the
BioSlimDisk iCool drives, imported fingerprints can be easily
deleted with the support of a crafted program. This allows
attackers to import their own fingerprints and compromise
the security measures (Jeong et al., 2007; Bakker et al., 2007).
The other type of attack on such devices is security protection
bypass which is conducted by exploiting vulnerabilities in the
security software of USB drives. Successfully exploiting these
vulnerabilities gives attackers direct access to the
data stored in the secure partition of the devices (Jeong et al.,
2007).
2.3. USB based malware
USB based malware is the most common type of USB based
software attack. However, this type of attack has not been
addressed in any of the previous papers. While the attacks
analyzed in previous research are normally target-specific
and manually triggered, attacks by USB based malware
are fully automated and do not normally have specific
targets. USB based malware is believed to account for
the majority of all USB based software attacks. However, this
threat vector has not received enough attention, and further
work on this type of attack is necessary.
2.4. Currently proposed protection measures
The solutions proposed in previous research for the secure use of
USB technologies fall into three categories:
data access control, USB port access control, and security policies.
Among the three, data access control is
probably the most interesting, feasible and widely adopted.
Data access control allows the use of USB devices while
maintaining definite security levels. The commonly proposed
data access control solutions include disabling Autorun,
limiting user privileges, encrypting the stored data on both
communication ends, restricting access to vital data on critical
servers, monitoring access to servers, and limiting the size
of data transferable to USB drives (Alzarouni, 2006).
USB port access control involves disabling USB ports
physically, or disabling them through firmware and operating
system settings and third party utilities. In some organizations,
USB ports on computers are physically disabled with glue,
which is the least recommended of these solutions. Disabling USB ports
through Basic Input Output System (BIOS) settings, Windows
registry, and Group Policy settings are other options.
Many researchers recommend deploying third party utilities
such as NetWrix USB Blocker, DeviceLock, and Zlock to apply
USB port access privileges to specific users, user groups, and
even USB device classes such as Palm, and USB phones
(Alzarouni, 2006; Fabian, 2007).
Acceptable Use Policies (AUPs) are also commonly proposed
as management solutions for USB security issues. AUPs are
normally implemented together with security education and training
programs to give users an essential understanding of the
secure use of information systems, regulate users’ actions,
and provide procedures for managing security incidents
(Fabian, 2007). AUPs are generally cost-effective management
solutions which can be implemented in any corporate
environment.
2.5. Unresolved issues in the proposed solutions
There were some disadvantages and unresolved issues in the
proposed solutions in the previous papers which affect the
solutions’ efficiency and effectiveness.
Firstly, the proposed solutions have some disadvantages
because important factors such as business efficiency,
investment and maintenance costs, end users, and personal
computers were not considered in any of them. Data
access control and USB interface access control are obstacles
to business efficiency and potentially become a burden on the IT
budget in terms of both software license and maintenance
costs. End users and personal computers (PCs) were not
considered in any of the proposed solutions. In reality, AUPs
and other corporate policies are not applicable to PC users.
Moreover, complicated system configurations and additional
costs for third party software are not likely to be accepted by
PC users.
Secondly, due to the lack of root-cause analysis of these
attacks, the technology enablers of these attack vectors were not
identified. Therefore, the proposed solutions tended to fix the
consequences of the vulnerabilities in USB security software,
Windows Autoplay features, the Windows driver security model,
and the USB interface management feature instead of addressing
these vulnerabilities directly. Attacks automatically launched
from USB storage devices, such as data theft and multi-payload
attacks, simply exploit the vulnerability in the Windows
Autoplay features. This vulnerability comes from the lack of
a built-in security mechanism inside the Windows Autoplay
features. Similarly, due to the lack of a security mechanism for
the USB interface, computer malware can spread back and forth
between USB drives and internal drives. Although the USB
interface is designed for data exchange between computers
and their outside environments, it is left open to the external
environment without any security protection mechanism.
Attacks on USB drivers were possible due to the lack of driver
signing enforcement, which allows unidentified drivers to be
injected into the Windows kernel. However, the proposed solutions
do not directly address any of these vulnerabilities.
Thirdly, there was a lack of a complete taxonomy of USB based
software attacks and of a framework for addressing USB based software
attacks in the previous research. Each of the provided
solutions is designed to address some of the currently
identified attack vectors in specific scenarios only and therefore
tends to leave out other attack vectors.
Finally, the attacks and proposed solutions were evaluated
in the contexts of Windows XP and the earlier x86 versions
while their successors such as Windows 7 x86 and x64 have
been in place for a while, and will soon be popular in both
office and home environments.
3. Attacks by USB based malware
3.1. USB based malware
The term “USB based malware” in this paper refers to
computer worms, viruses, Trojan horses, spyware, adware, and
rootkits which are specially designed to exploit the Windows
Autoplay features to replicate over USB drives and launch
attacks against host computers and computer systems.
Although the term “USB based malware” has been used
on the world wide web for computer malware spreading via
USB drives, that usage does not differentiate malware
that is purposely designed for spreading via USB drives from
malware that is designed for replicating via any kind of
media. Many worms can spread via many kinds of media,
including USB drives, floppy drives, compact discs, and
network shares; however, they do not exploit the Autoplay
features. Such worms are not considered USB worms within the
scope of this paper. The majority of the malicious codes
mentioned in this research are referred to as W32/Autorun by
security firms such as Symantec, Microsoft, and McAfee. W32/
Autorun does not include all the malicious codes that exploit
the Autoplay features; this research takes into account any malware
which does exploit the Autoplay features.
Windows Autoplay features were designed for providing
appropriate software response to hardware actions initiated
by computer users. The features are available in version 1 and
version 2. Version 1 was designed for Windows 98 and
Windows 2000. Version 2 improved on version 1 to
support multimedia contents and devices, and is
available on Windows XP, Windows 2003, Windows Vista,
Windows 2008, and Windows 7. The features operate based on
Autorun.inf files located in the root folders of removable
drives. Autorun.inf files can be written with any ANSI text
editor such as Notepad. The typical components of an
Autorun.inf file include four commands: icon, open, shell, and shell/verb.
These commands are used to automatically launch applications
on removable drives when the drives are inserted into
computers. USB based malware is designed to exploit the
Autoplay features by creating Autorun.inf files that automatically
launch its copies specified by the open and shell
commands.
Fig. 1 shows the typical content of an Autorun.inf file
created by USB based malware. The icon command specifies the
icon file for the executable files triggered by the Autorun.inf file.
This icon can be anything that looks familiar and legitimate to
users. The open command specifies the file to be executed when
Autorun.inf is loaded by the Autoplay features, and in this
case it specifies a copy of the malware. The shellexecute command
was introduced in Windows Me and 2000. It is also used to
specify a file to be executed by Windows Autoplay; however, it
also allows applications to run with their associated files. Both
the open and shellexecute commands are used to ensure that the
malware can be executed under any version of Windows.
The shell\auto command specifies the default item in the USB drive
shortcut menu activated when users right-click on the drive
icon. In this case, the default item is used to activate the
malware.exe file.
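As an added example, not the paper's own code, the following Python script applies the description above from the defender's side: it parses the [autorun] section of an Autorun.inf file and reports which of the icon, open, shellexecute and shell\verb\command entries would launch a program on insertion or on a double-click of the drive icon. The two sample files inside it are constructed for this example (the malware.exe name follows Fig. 1), and the function names and severity labels are the example's own.

```python
# Added example: a small Autorun.inf inspector for defenders (not the paper's code).
# It parses the [autorun] section, then flags the commands that would launch a
# program when the drive is inserted or opened, and an icon that mimics a
# system icon. Both sample files below are constructed for this example.

EXECUTABLE_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta")

SEVERITY_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample shaped like the file described in Fig. 1 (a malware.exe
# wired to open, shellexecute and the default shell verb). Not a real sample.
SAMPLE_MALICIOUS_AUTORUN = """\
[autorun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
open=malware.exe
shellexecute=malware.exe
shell\\auto\\command=malware.exe
shell\\auto=Open
shell=auto
"""

# Constructed benign sample: a vendor drive that only sets a label and an icon.
SAMPLE_BENIGN_AUTORUN = """\
[autorun]
; drive branding only
label=Backup Drive
icon=drive.ico
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict of lowercase key -> value.

    Comment lines (';' or '#'), blank lines and keys outside [autorun] are
    ignored. Keys are lowercased because Windows matches them case-insensitively.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def command_target(value):
    """Return the program a command value launches (first token, quotes removed)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def is_executable(target):
    return target.lower().endswith(EXECUTABLE_EXTENSIONS)


def assess_autorun(text):
    """Return a list of (severity, message) findings for one Autorun.inf."""
    entries = parse_autorun(text)
    findings = []

    # open / shellexecute run a program as soon as Autoplay honours the file.
    for key in ("open", "shellexecute"):
        if key in entries:
            target = command_target(entries[key])
            severity = "high" if is_executable(target) else "medium"
            findings.append((severity, f"'{key}' launches {target!r} on insertion"))

    # shell\<verb>\command adds a context-menu item; shell=<verb> makes it the
    # default action, so a double-click on the drive icon runs it.
    default_verb = entries.get("shell", "").lower()
    for key, value in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            verb, target = parts[1], command_target(value)
            if verb == default_verb:
                findings.append(("high", f"default verb '{verb}' runs {target!r} on double-click"))
            else:
                findings.append(("medium", f"context-menu verb '{verb}' runs {target!r}"))

    # An icon borrowed from shell32.dll (e.g. the folder icon) disguises the drive.
    icon = entries.get("icon", "")
    if "shell32" in icon.lower():
        findings.append(("low", f"icon borrowed from a system DLL: {icon}"))
    return findings


def highest_severity(findings):
    """Collapse a findings list to its worst severity ('none' if empty)."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.__getitem__, default="none")


if __name__ == "__main__":
    for name, text in (("malicious", SAMPLE_MALICIOUS_AUTORUN), ("benign", SAMPLE_BENIGN_AUTORUN)):
        findings = assess_autorun(text)
        print(f"{name}: {highest_severity(findings)}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run against the root of a mounted drive, the inspector gives a quick triage verdict before anything is double-clicked; the benign sample produces no findings because a label and a custom icon alone launch nothing.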
3.2. Analysis of USB based malware’s common profile
Because of the trend of reengineering malware to exploit the
Autoplay features (Thomas et al., 2009), the attack profile of
USB based malware tends to converge with that of malware in all
categories. However, due to the huge quantity of malicious
codes and the lack of statistics from security firms, we only
analyze the common profile of the top USB based malware
which accounted for the major portion of activity by
malware in this category in the period September 2007 to
October 2009, as reported by Microsoft, Trend Micro, Symantec,
McAfee, Norman, and Kaspersky. The data on the profile of
each malicious code were obtained from the malware definition
databases of Microsoft Malware Protection Center, Kaspersky
Lab, Symantec, Sophos, Trend Micro, McAfee, and
Norman Security Center. The collected data include name,
type, date detected, aliases, alert level, technical analysis, files
created, system folder infection, registry update, auto startup
mechanism, replication media, Autorun.inf file, file infection,
and payload. The data were then analyzed with descriptive
statistics tools. A list of these malicious codes is included in
Table A1 in the Appendix of this paper.
3.3. The development trend of USB based malware
As USB drives become popular, malware is redesigned to
replicate through this vector. The trend from 2007 to March
2009 shows a consistent increase in the number of backdoors,
bots, password stealers, and parasitic viruses redesigned to
spread via USB drives (Thomas et al., 2009). By the end of
March 2009, 20 million unique malicious codes had been
detected by McAfee Avert Lab (Paget, November 20, 2009).
More than half a million were Autorun malware created in the
period from April 2007 to April 2009. The number of Autorun
malware had exceeded 1.2 million by October 2009 (Marcus
et al., 2009; McAfee Threats Report, 2009).
Fig. 2 illustrates the development trends of Autorun malware
and malware of all categories for the period October
2007 to October 2009. The stacked bars show the growth
of Autorun malware and malware of all categories in
quantity, and the two lines show the growth of both
as percentages.
In Fig. 3, the graph illustrates the correlation
between the development of Autorun malware and its supporting
factors, including the availability of USB drives, the
maturity of Windows operating systems supporting Autorun
v2, and the maturity of USB technologies. Autorun malware
started to develop in the last quarter of 2007, when Windows
XP reached its peak of market maturity and USB 2.0 flash drives
entered the last period of their product growth phase. The sharp
increases in the quantity of USB flash drives shipped worldwide
and in the world market share of Windows XP and later
versions in the period October 2008 to October 2009 also led
to the sharp increase of Autorun malware in that period,
reflected in both Figs. 2 and 3. In Fig. 2, the overall trend
shows a consistent development relationship between
Autorun malware and malware of all categories in each
quarter and over the whole period, with slightly higher growth
rates for Autorun malware in 2009. The reason
for this relationship is suggested by Fig. 3, which
illustrates the development trend of Autorun malware in relation
to its supporting factors, including the quantity of USB flash
drives sold, the market share of operating systems supporting
USB PnP and Autoplay v2, the USB standard's maturity level, and U3 and
boot from USB technologies.
Fig. 1. A typical Autorun.inf file created by USB based malware.
Fig. 2. Malware development trend for the period 10/2007–10/2009; data source: (Paget, 2009; McAfee Avert Labs, 2009).
4. Attacks on host computers
Attacks on host computers involve buffer overflow attacks on
USB drivers, data theft attacks on host computers, multi-
payload attacks using U3 and portable hack tools, and offline
cold boot attacks.
4.1. Attacks on USB driver
Buffer overflow attacks on vulnerabilities in the USB 2.0 drivers
of computer operating systems are the most primitive type of
USB based software attack, first mentioned in 2005
(Roberts, 2005). The problem comes from a weakness in the
design of earlier USB 2.0 devices, where firmware was designed
with little care for security and validation. Attackers could
program their USB drivers to exploit the vulnerabilities and
escalate privileges on any operating system such as Windows,
Linux, and OS/2 (Roberts, 2005). However, such problems on
the Windows platform have not yet been confirmed by Microsoft
or computer OEMs.
In 2009, the same problem was detected again in the Auerswald
USB driver in Linux. Attackers who have physical access
to Linux computers can use crafted USB drives to execute
arbitrary code on the computers at the kernel level and take
control of the systems (Vega, 2009). Fortunately, this attack
vector is not common, possibly due to the requirements of
physical access to the target computers and knowledge of USB
driver programming.
4.2. Data theft attacks on host computers
Data theft with the support of USB drives has been a serious
issue in corporate networks for the last few years, especially
after the USB 2.0 standard became popular in 2004. The common
payload of data theft is intended to steal business data and
sometimes personal data such as credit card information left
in cache memory. This attack vector utilizes simple
scripts written in Perl, MS-DOS batch script, or VBScript, with
some ready-made tools freely available on the Internet. Sometimes,
Windows built-in utilities such as xcopy.exe, robocopy.exe,
or the copy command are also utilized. Most of these
scripts are designed to exploit the Autoplay features. As the
attack process is conducted in non-console mode or in the
background as a Windows process, it is totally transparent to
users. The common functions provided by ready-made tools
used in such attacks include data query (Pod slurping), data
copy (xcopy.exe), simple mail transfer protocol (SMTP) clients,
data compression (rar.exe), and secure socket layer (SSL) clients
(Stunnel). The combined payload of these tools allows
attackers to locate the necessary data on host computers and
save the data to their USB drives, or compress and send the
data through an SSL channel to their FTP servers or mailboxes.
Such attack techniques are not always effective in many
scenarios on Windows operating systems that support the User
Account Control (UAC) feature. UAC is a security feature
which is available in Windows Vista, Windows 2008, and
Windows 7. This feature monitors all processes and activities
on the computer, and protects the system files and settings
from abnormal access by both Windows built-in processes
and applications. When UAC is turned on (the default), all
processes run under standard user rights and permissions.
Access to system files and settings, and to folders where users
do not have permissions, triggers security alerts and privilege
escalation requests. Abnormal activities by unsigned
applications such as hack tools and malware trigger
UAC’s security alerts. Some dangerous hack tools mentioned
in this paper such as SwitchBlade, GonZors Blade, Amish
Blade, PasswordDump, Ethereal, Network Password Recovery,
and White Hat Payload all trigger UAC’s security alerts.
Fig. 3. The development of USB based malware in relation to its supporting technologies; data sources: (Chance, 2005; W3Schools, 2009).
The threats from this attack vector still exist when
attackers use signed applications in combination with their
scripts to run attacks in the background, in a way very similar
to system administrators’ scripts for data backup. The
scripts in Figs. 4, 5 and 6 exploit the Autoplay
features to secretly copy the files in a user’s Documents folder to the
inserted USB drive, compressed and encrypted with a password,
using the copy command, rar.exe, and hstart.exe. Fig. 4 shows the
content of the Autorun.inf file in the root folder of the USB drive.
Fig. 5 shows the content of the trigger.bat file located in
a hidden folder on the USB drive. This file loads the payload file
(xcp.bat) using the hidden start tool with the “/noconsole” option,
which forces xcp.bat to run without a console, making the
attack process transparent to the users.
Fig. 6 shows the content of xcp.bat containing the attack
payloads, which copy all files in the Documents folder to
a folder called “STOLENDATA” on the attacker’s USB drive.
The copied data is further compressed and encrypted with a
password by the rar.exe utility and saved under the file name
stolendata.dat, leaving no trace for users. However, when the
UAC setting is set to high, none of these processes will be
created in the background. A notification of process failure
pops up, calling for users’ attention.
4.3. Multi-payload attacks by U3 hack tools
U3 is an open standard developed to provide users with
application mobility through an application platform available
on U3 drives, whereby U3 applications can be installed on
and run from U3 drives independently of host computers.
On a U3 drive, a small partition located at the beginning of the
drive is marked as a CDFS (CD file system) partition so that
Windows recognizes it as a CD rather than a removable drive.
U3 applications are self-contained applications run from the
CDFS partition without having to be installed on the host
computer, modify the registry, or reserve computer
resources. While the Autoplay feature for removable drives is
disabled on Windows 7, it is still enabled for the CDFS partition.
U3 technology is supported on the Windows platform from
Windows 2000 SP4 onwards, on both x64 and x86 versions.
Attackers of this vector have a large and flexible range of
hack tools to deploy on U3 drives. They can customize their
own ISO images with necessary hack tools and malware to
install in the CDFS partitions to exploit the Autoplay feature
which is available for CDFS partitions or directly run the hack
tools from the U3 Launchpad. Some commonly known hack
tools available in U3 format (.u3p) are USB Switchblade, U3
Incident Response Switchblade, USB Hacksaw, USB Pocket
Knife, Nmap, Ethereal, Wireshark, Showtraf, TCPDump,
Nemesis and John the Ripper, HTTP RAT, Anonymizer, and
Data Recovery. Among these tools, Switchblade is a very
dangerous toolkit consisting of several hack tools capable of
recovering important information from Windows systems
such as passwords (SAM, messenger clients, web browsers
cache), LSA Secret, service, system and port information. USB
SwitchBlade is available in two versions developed by Hak5
community and GonZor. USB SwitchBlade developed by Hak5
community is now available in several sub-versions by
Kapowdude, Gandalf, Silivrenion, and Amish. The code of
these sub-versions was adjusted by Hak5 members and differs
slightly from one to another. However, the payloads
remain the same and they all trigger UAC. The later version
developed by GonZor is more powerful and is capable of
overwriting programs on U3 CDFS partitions. As these parti-
tions are read only, antivirus programs cannot delete the
installed hack tools on detection. Besides Switchblade, U3
Incident Response Switchblade was developed to support the
process of evidence gathering in security incidents. This tool
gathers information on accounts, groups, networking (such as
IP, DNS cache, ARP table, NetBIOS, routing information, fire-
wall state and rules), and services status. Generally, these
tools are now all detected and blocked by many antivirus
programs. However, the U3 development kit is open to the public
to assist U3 application developers. Attackers can also
compile hack tools to .u3p format in many circumstances.
There are also U3 compilers such as Package Factory which
allow people to recompile many applications to .u3p format.
Some popular utilities compiled to .u3p format include disk
management tools (Partition Magic, Symantec Ghost), registry
tools (Clean Registry, Registry Mechanic), anonymous surfing
(Anonymizer, HTTP RAT), data recovery (Data Recovery, Pro
Data Recovery, Easy Recovery), Web browsers (Firefox, Opera),
torrent clients (eMule, FlashGet, uTorrent), instant messengers
(Pidgin, MSN Messenger, Yahoo Messenger), password recovery,
script editors (Notepad), OpenOffice, virtual DVD (Virtual CD), ISO
compilers and CD burners (Ultra ISO, Nero), data compression and
encryption (WinRar), and antivirus (Avast, Dr Web Cureit).
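Section 2.4 lists disabling Autorun through registry and Group Policy settings among the data access controls, and the paragraph above notes that Windows 7 still honours Autoplay for a U3 drive's CDFS partition. The Python script below is an added example, not the paper's code or Microsoft's: it decodes the NoDriveTypeAutoRun policy value (the registry path and bit meanings are the ones Microsoft documents for that value; the function names and the 0x91, 0x95 and 0xFF sample values are chosen here) and reports which drive types, removable and CD-ROM in particular, would still honour an Autorun.inf. On Windows it reads the live value; on any other platform it falls back to the constructed samples.

```python
# Added example (not the paper's code): decode the NoDriveTypeAutoRun policy
# value that Section 2.4 refers to as "disabling Autorun through the registry",
# and report which drive types still honour Autorun.inf. On Windows the value
# is read from the live registry; elsewhere constructed sample values are used.
import sys

POLICY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"

# Bit meanings documented by Microsoft for NoDriveTypeAutoRun. A set bit
# disables Autorun for that drive type; a clear bit leaves it enabled.
DRIVE_TYPE_BITS = {
    0x01: "drives of unknown type",
    0x02: "drives with no root directory",
    0x04: "removable drives (USB flash drives)",
    0x08: "fixed drives",
    0x10: "network drives",
    0x20: "CD-ROM drives",
    0x40: "RAM disks",
    0x80: "drives of unknown type (reserved)",
}
REMOVABLE, CDROM = 0x04, 0x20
DISABLE_ALL = 0xFF  # the value that disables Autorun for every drive type


def autorun_enabled_drive_types(value):
    """Return the drive types whose Autorun is still enabled under `value`."""
    return [desc for bit, desc in DRIVE_TYPE_BITS.items() if not value & bit]


def check_policy(value):
    """Return findings for a NoDriveTypeAutoRun value; [] means fully disabled."""
    if value is None:
        return [f"{POLICY_VALUE} is not set; Windows applies its built-in default"]
    findings = []
    if not value & REMOVABLE:
        findings.append("removable drives still honour Autorun.inf: a USB flash "
                        "drive can launch a program on insertion")
    if not value & CDROM:
        findings.append("CD-ROM drives still honour Autorun.inf: a U3 drive's CDFS "
                        "partition presents itself as a CD and would be launched")
    others = [desc for bit, desc in DRIVE_TYPE_BITS.items()
              if not value & bit and bit not in (REMOVABLE, CDROM)]
    if others:
        findings.append("Autorun also enabled for: " + ", ".join(others))
    return findings


def read_policy_from_registry(hive="HKLM"):
    """Read NoDriveTypeAutoRun from the live registry (Windows only).

    Returns the integer value, or None when the value is absent or this is not
    Windows. On a real system the HKLM policy takes precedence over HKCU.
    """
    if sys.platform != "win32":
        return None
    import winreg
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(root, POLICY_PATH) as key:
            value, _kind = winreg.QueryValueEx(key, POLICY_VALUE)
            return int(value)
    except OSError:
        return None


def report(value):
    """Format one policy value and its findings as printable lines."""
    label = "unset" if value is None else f"0x{value:02X}"
    return [f"{POLICY_VALUE} = {label}"] + ["  - " + f for f in check_policy(value)]


if __name__ == "__main__":
    if sys.platform == "win32":
        samples = [(hive, read_policy_from_registry(hive)) for hive in ("HKLM", "HKCU")]
    else:
        # Constructed sample values: 0x91 (the default Microsoft documents for
        # Windows XP), 0x95 (removable disabled, CD-ROM left enabled) and 0xFF.
        samples = [("sample", v) for v in (0x91, 0x95, DISABLE_ALL)]
    for source, value in samples:
        print(source)
        for line in report(value):
            print(line)
```

The 0x95 case is the one worth noticing: an administrator who only clears Autorun for removable drives has not closed the U3 vector, because the CDFS partition is handled under the CD-ROM bit; only 0xFF covers both.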
Fig. 4. The crafted Autorun.inf file.
Fig. 5. trigger.bat file used to launch the payload in no console mode.
Fig. 6. xcp.bat contains the actual attack payloads.
4.4. Offline cold boot attack
The original concept of booting from USB used a lightweight
edition of Windows XP from CDs for administrative
purposes such as data rescue, operating system repair after
serious crashes, or virus scanning. This first became possible
when Microsoft released Windows PE 1.0 for Windows XP and
Windows 2003 in 2002. When USB 2.0 drives became popular
and boot from USB became a default feature of computer
mainboards, dumping Windows to USB drives became
popular in 2006, especially with the support of Bart PE.
Windows PE 2.0 (for Windows Vista and Windows 2008) and 3.0
(for Windows 7) also support boot from USB at quite low
system requirements, making such solutions popular. After
Windows PE, boot from USB has become possible on various
Linux distributions such as Knoppix, Ubuntu, Linux Mint, and
Kubuntu.
Cold boot attack from USB is the most dangerous among all attack vectors analyzed in this paper. After a cold boot from a USB drive, the target computer is under the control of the operating system running on the attacker's USB drive. Attackers have absolute freedom to do whatever they want on their operating systems and on the victims' computers, even on computers with encrypted volumes. Moreover, there are a few distributions of these lightweight operating systems shipped with a variety of hack tools including data recovery, data backup, encryption and decryption, secure FTP, SAM editing, network configuration, remote desktop, password retrieval, and key viewers. Some of these versions are Super WinPE and Paragon HDD Manager. These versions can be downloaded easily from torrent networks, which allows people with little technical knowledge to participate in this attack vector. Finally, because the operating systems run on the attackers' external USB drives, there is generally no trace left on victim computers after cold boot attacks.
5. Attacks on USB storage devices
Software attacks on USB drives include exploiting the insecure USB protocol to attack the communication channels between USB devices and host computers, attacks on USB security software, and data theft.
5.1. Attack on USB protocol
This attack vector uses USB protocol analyzers such as USBlyzer, Advanced USB Port Monitor, and USB Trace to analyze and decode the communication channel between USB devices and host computers, and so obtain information in transit between the devices and the host computers, such as the password for the security software on the USB drives. The common functions of such utilities include data monitoring, logging, decoding, and saving by protocol and packet analysis. The enabler of this attack vector is the insecure USB protocol, which transmits data between USB devices and host computers in an unencrypted format. This vulnerability has been exploited in many scenarios allowing attackers to successfully obtain the passwords of password-protected USB drives which do not encrypt data in transit (Halderman et al., 2008).
5.2. Attack on security software on secure USB drives
Exploiting vulnerabilities in USB security software is the most common attack vector targeting secure USB drives. The two main drivers for this attack vector are password recovery and business data recovery. Moreover, there are also some facilitators behind this attack vector. The first one is the ease of access to USB product documentation and software development kits consisting of source code, header files, and other related information about the EEPROM content of USB devices. The second factor is that all USB standards from 1.0 to 3.0 are open standards provided by the USB Forum and freely available for public access. Lastly, USB standards are rather simple and insecure. It does not require much knowledge of electronic engineering or programming to design and assemble USB devices and write USB drivers for them.
Vulnerabilities in USB drives' security software have resulted in security protection bypass on both password-protected and fingerprint-protected USB drives. This allows attackers to have direct access to the protected data partition. A common exploit is a buffer overflow attack on the security software, conducted by sending known erroneous packets to the USB software (Bakker et al., 2007). When a buffer overflow attack cannot be employed, a password brute-force attack is another option. As many secure USB drives do not support a self-lock mechanism activated after a number of wrong password attempts, attackers can simply run a password brute-force attack until the valid password is found (Bakker et al., 2007). Although a password brute-force attack is generally not feasible against strong passwords of more than 9 characters created from a combination of capital characters, lower case characters, numbers, and special characters, such passwords are rarely used.
5.3. Data theft attack on USB drives
Similar to data theft attacks on computers, data theft attacks on USB drives are mainly conducted with the aid of hack tools running as processes which silently wait for inserted USB drives and upload data from the drives to the host computer or send the data to a remote mailbox or FTP server. The two representative hack tools for this category are USBDumper and USB Hacksaw. USBDumper is a small utility running in the background as a process listening for connected USB drives. On detection of an inserted USB drive, the process starts uploading data from the drive to the host computer transparently to the user. USB Hacksaw is an improved version of USBDumper which combines Stunnel, Blat, and Gmail with USBDumper. The data from USB drives is first uploaded to a folder on the host computer where it is compressed by rar.exe, before being sent to a Gmail account by Blat over an SSL channel created by Stunnel. The mechanism is very simple, using utilities available on the Internet and some simple batch files. Essentially, the tools can differ but they share the same mechanism as USBDumper and Hacksaw. Even though many of these tools can be detected by antivirus programs, this attack vector is hard to prevent. These tools can easily be re-coded in various scripting languages such as VBScript, batch scripting, and Perl. The attack processes can also be scheduled by operating system task schedulers, which raises the chance of success because the activity patterns are very similar to those of administrative tasks scheduled by system administrators. Moreover, if the attacks happen on attackers' own computers, security features are normally disabled, allowing the attacks to proceed smoothly.
6. USB based malware common profile
USB based worms account for the major portion of USB based malware, mainly due to their capability of exploiting the Autoplay feature to replicate. Each of these worms comes in large families of up to hundreds of variants, such as the Pushbot family with more than 420 variants, which have very similar infection mechanisms and payloads. This can partly be explained by the availability of USB malware construction kits on the Internet.
Fig. 7 shows the common profile of the analyzed USB based malware, simplified with the focus on the replication mechanism via USB devices and the payload. At the beginning of an attack cycle, when an infected USB drive is inserted into a computer, the Autoplay feature triggers the Autorun.inf which activates the malware. The very first action taken by such malware is to install copies of itself into the system folders on the host computer. The Windows registry is then updated to allow these copies to be started with the operating system. Many of the analyzed worms update the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key to make their copies start at Windows startup. After the copies are loaded, Process Explorer and Windows Task Manager show their process locations as inside system folders, making users confuse them with legitimate processes. These processes actively listen for inserted USB drives and replicate themselves by installing their copies and creating Autorun.inf files on the media. The worms can work as botnet clients, or further code is silently downloaded from remote servers and installed on the infected computers, making the computers clients of the worm authors' botnets. The majority of the analyzed malware are designed for creating botnets and participating in DDoS attacks. Such a payload is also the common payload for malware of all categories in the period 2008–2009 (Marcus et al., 2009).
7. Solution
The security framework illustrated in Fig. 8 is a conceptual model which helps mitigate the identified USB based software attacks. The model consists of seven concentric layers where three threat layers and three protection layers are arranged one after another. The identified attacks are categorized into threat layers, and protection measures are categorized into the corresponding protection layers to achieve the best protection results. The inner protection layers are designed for mitigating the attacks from the outer threat layers and therefore an attack may be mitigated by one or multiple security measures at one or more protection layers. The core layer contains operating system files and settings, data on host computers, and data on USB drives. The goal of this framework is to protect the core layer from the USB based software attacks located in the three threat layers.
The security measures proposed in the three protection layers of the framework are aimed at resolving the root causes of the identified attacks. Table 1 summarizes the solution framework in the format of a solution matrix.
Fig. 7 – The simplified common profile of USB based malware.
Fig. 8 – Security framework for mitigating USB based software attacks.
7.1. The first threat and first protection layer
The first threat layer includes multi-payload attacks using U3 hack tools, USB based malware, and data theft attacks. Attacks from this layer are normally handled effectively by the security measures in the first protection layer because most malware scanners would recognize the involvement of malware and hack tools in these attacks. Windows XP SP2 and later versions are equipped with some free anti-malware solutions including Windows Defender, Microsoft Security Essentials (MSE), and Windows Firewall. Windows Defender, previously known as Microsoft AntiSpyware, is a spyware and adware scanner available via Windows Update without any maintenance effort. MSE is an anti-malware program which provides real-time protection and auto-update like many other anti-malware programs on the market. A test conducted by AV-Test.org in October 2009 showed that MSE achieved a 98.44 per cent detection rate using malware signature based detection (Pham et al., 2010). Moreover, as malicious code tends to communicate with servers on the Internet, Windows Firewall is an effective measure which blocks such communication and prevents the malware from completing its attack cycle.
In terms of hack tools, the results of our experiment with over 3800 hack tools and hack toolkits, including the most common USB based hack tools listed in Table 2 below, demonstrated that most of these hack tools can be detected by common antivirus software. Many of these hack tools can be directly executed from USB drives or compiled to a portable format using compilation tools such as Package Factory, VMware ThinApp, Landesk Application Virtualization, Ceedo, and InstallFree. More importantly, all the critical USB based hack tools such as GonZors SwitchBlade, USB Pocket Knife, USB Hacksaw, USBDumper, and Port Slurp can be detected by all of these antivirus products. A list of these USB hack tools can be found in Table A2, and the categories of the payloads of these hack tools and hack toolkits are listed in Table A3 in the Appendix of this paper.
Beside malware scanners, UAC, AppLocker, and Parse Autorun are recommended security features for Windows Vista and later editions. UAC is a built-in feature first available in Windows Vista. This feature actively monitors process activities and prevents abnormal access to system files and settings which resembles common malware behaviour. Some hack tools such as USB SwitchBlade and Network Password Recovery worked on Windows XP and earlier editions. However, these hack tools now trigger a Windows security alert raised by UAC when they try to access system files and settings. AppLocker is a new feature of Windows 2008 R2 and Windows 7 which allows administrators to control the execution of specific applications and scripts based on specific computers, users and user groups, and file locations. Moreover, AppLocker also supports application execution permissions based on the application's valid digital signature, and therefore unsigned applications including malware and other malicious code will be blocked from execution (Pham et al., 2010). Therefore, AppLocker can be a useful tool for network administrators in enterprise environments to prevent the execution of malware and hack tools while allowing the execution of specific legitimate applications. However, the use of AppLocker is rather complicated for basic users and this feature is not available in all Windows editions.

Table 1 – Solution matrix.
Attack category | Technology enabler as problem root cause | Attack/problem & threat layer | Protection solutions & protection layer
Attacks by USB based malware | No security management mechanism for USB interface (a) | Layer 1: Malware can spread back and forth between USB drives and internal drives. | Layer 1: AppLocker, antivirus software, firewall, UAC.
Attacks by USB based malware | No security mechanism for Windows Autoplay features (b) | Layer 1: This makes USB worms possible (c). | Layer 1: Parse Autorun
Attacks on host computers | No security mechanism for Windows Autoplay features (b) | Layer 1: Hack tools can be activated automatically on USB drive insertion. | Layer 1: Parse Autorun
Attacks on host computers | No security management mechanism for USB interface (a) | Layer 1: Hack tools can be executed from USB drives, which are external drives. | Layer 1: AppLocker, antivirus software, firewall, UAC
Attacks on host computers | Data is left unprotected when the operating system is offline | Layer 2: Offline cold boot attacks. | Layer 2: Volume encryption
Attacks on host computers | Driver signing is not enforced | Layer 3: This makes USB driver injection possible. | Layer 3: Enforcing driver signing with standardized USB drivers.
Attacks on host computers | USB driver is located in kernel mode layer | Layer 3: Attacker gains system privilege once USB driver injection is completed. | Layer 3: Completely move USB driver to User Mode layer.
Attacks on USB storage devices | No standardized USB security software | Layer 3: USB security software attacks: buffer overflow and password brute force attacks | Layer 3: Standardize USB driver and security software.
Attacks on USB storage devices | No security mechanism for USB protocol | Layer 3: Attack on USB protocol | Layer 3: Standardize USB driver and security software
(a) USB drives are not properly managed as "external" devices and thus there is no "firewall" between USB drives and computer internal drives.
(b) Windows Autoplay features automatically load any files, including malware, as specified in Autorun.inf files.
(c) USB worms are capable of self-replicating due to Windows Autoplay features.
In this paper, we propose Parse Autorun as an additional feature for Windows which fixes the vulnerability in the Windows Autoplay features. This feature prevents unsigned executable files called by Autorun.inf from being activated. Fig. 9 shows the proposed algorithm for Parse Autorun.
When a removable drive with an Autorun.inf file in the root folder is inserted, the Autoplay features activate Parse Autorun, which parses the Autorun.inf file for execution commands such as open, shellexecute, and shell\auto to locate the executable files called by the Autorun.inf file. The executable files are checked for an application signature; if they are signed, they can be executed by Windows Autoplay. If they are not signed applications, they are scanned by the available anti-malware software such as MSE and are not executed automatically. This generally helps avoid many attack scenarios which are transparent to victims, because attackers will have to manually locate the executable files, which are normally hidden in different places on USB drives, to trigger the attacks. Moreover, the results of our experiment also show that on-demand scans provide much better protection than the real-time protection method, which is only activated when the hack tools are triggered. Therefore, Parse Autorun will provide better protection than leaving the hack tools to be detected by antivirus software on activation.
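The Parse Autorun flow described above, as an added example written in Go for this edit; it is not the authors' implementation (Fig. 9 is not reproduced here) and not Microsoft code. It extracts the programs referenced by open=, shellexecute= and any shell\<verb>\command= key (the paper names shell\auto; handling every verb is a generalization), looks each one up on a constructed in-memory drive, and classifies it as run, scan or missing. The signature check is a stand-in: it reads the PE optional header's security data directory to see whether an Authenticode blob is embedded, which is a presence test, not the validity check a shipping implementation would make with WinVerifyTrust. The Autorun.inf text, the fakePE builder, the file names and the map-based drive are all constructed for the example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// Decision is Parse Autorun's verdict for one program named in Autorun.inf; Action is
// "run" (signed), "scan" (unsigned: scanner only, never auto-run) or "missing".
type Decision struct{ Key, Target, Action string }

// autorunTargets returns (key, program) pairs for open=, shellexecute= and shell\<verb>\command=.
func autorunTargets(ini string) (out [][2]string) {
	for _, raw := range strings.Split(ini, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(raw), "=")
		k = strings.ToLower(strings.TrimSpace(k))
		launch := k == "open" || k == "shellexecute" ||
			(strings.HasPrefix(k, `shell\`) && strings.HasSuffix(k, `\command`))
		if ok && launch { // icon=, label= and shell=<verb> name no program and fall through
			out = append(out, [2]string{k, firstToken(strings.TrimSpace(v))})
		}
	}
	return out
}

// firstToken returns the program of a command line: a double-quoted token, or everything
// before the first space (arguments are dropped).
func firstToken(cmd string) string {
	sep, rest := " ", cmd
	if strings.HasPrefix(cmd, `"`) {
		sep, rest = `"`, cmd[1:]
	}
	prog, _, _ := strings.Cut(rest, sep)
	return prog
}

// hasEmbeddedSignature reports whether a PE image carries an Authenticode blob, i.e. data
// directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) is non-empty. That proves presence
// only; validating the signature chain needs WinVerifyTrust on Windows.
func hasEmbeddedSignature(pe []byte) bool {
	if len(pe) < 0x40 || string(pe[:2]) != "MZ" {
		return false
	}
	hdr := int(binary.LittleEndian.Uint32(pe[0x3c:])) // e_lfanew
	if hdr < 0 || hdr+26 > len(pe) || string(pe[hdr:hdr+4]) != "PE\x00\x00" {
		return false
	}
	opt := hdr + 24  // optional header follows "PE\0\0" and the 20-byte COFF header
	dirs := opt + 96 // PE32 data directory table; PE32+ (0x20b) has 16 more bytes first
	switch magic := binary.LittleEndian.Uint16(pe[opt:]); {
	case magic == 0x20b:
		dirs += 16
	case magic != 0x10b:
		return false
	}
	sec := dirs + 4*8 // 8-byte (offset, size) entries; entry 4 is the security directory
	return sec+8 <= len(pe) && binary.LittleEndian.Uint32(pe[sec:]) != 0 &&
		binary.LittleEndian.Uint32(pe[sec+4:]) != 0
}

// parseAutorun applies the proposed algorithm to a drive (file bodies keyed by lower-case,
// forward-slash path from the root): signed programs may be launched by Autoplay; anything
// else is queued for an on-demand scan and is never started automatically.
func parseAutorun(drive map[string][]byte) (out []Decision) {
	for _, kv := range autorunTargets(string(drive["autorun.inf"])) {
		rel := strings.ToLower(strings.TrimLeft(strings.ReplaceAll(kv[1], `\`, "/"), "/"))
		action := "missing"
		if body, found := drive[rel]; found && hasEmbeddedSignature(body) {
			action = "run"
		} else if found {
			action = "scan"
		}
		out = append(out, Decision{kv[0], kv[1], action})
	}
	return out
}

// fakePE builds the minimal PE32 layout the check reads; signed fills the security directory
// as a signed binary would. Constructed test data, not a real executable.
func fakePE(signed bool) []byte {
	const hdr, opt = 0x80, 0x80 + 24
	buf := make([]byte, opt+96+16*8)
	copy(buf, "MZ")
	binary.LittleEndian.PutUint32(buf[0x3c:], hdr)
	copy(buf[hdr:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(buf[opt:], 0x10b)
	if signed { // entry 4: (file offset, size) of the WIN_CERTIFICATE blob
		binary.LittleEndian.PutUint32(buf[opt+96+32:], uint32(len(buf)))
		binary.LittleEndian.PutUint32(buf[opt+96+36:], 0x100)
	}
	return buf
}

// exampleDrive is a constructed volume: a signed installer, an unsigned batch launcher
// hidden in a system folder (in the spirit of Fig. 5) and a helper that is absent.
func exampleDrive() map[string][]byte {
	return map[string][]byte{
		"autorun.inf": []byte("[autorun]\r\nopen=setup.exe /quiet\r\nicon=setup.exe,0\r\n" +
			"shell\\auto\\command=\"System Volume Information\\trigger.bat\"\r\nshell=auto\r\n" +
			"shellexecute=tools\\helper.exe\r\n"),
		"setup.exe":                             fakePE(true),
		"system volume information/trigger.bat": []byte("@echo off\r\n"),
	}
}

func main() { fmt.Println(parseAutorun(exampleDrive())) }
```

For the constructed drive the verdicts are run for setup.exe, scan for the hidden trigger.bat (a batch file is never a signed PE, so it goes to the scanner) and missing for tools\helper.exe. The point of the structure is that the decision is made before anything is launched: only the run branch reaches Autoplay, and a production version would replace hasEmbeddedSignature with a full chain validation.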
Generally, the main role of the first protection layer is to prevent malicious programs and scripts from executing and accessing critical system locations such as the system32 folder and the Windows Registry.

Table 2 – USB hack tools detection by commonly used antivirus software.
Antivirus software (definition update: May 10, 2010) | Detection ranking | Comments
Kaspersky Internet Security 2010 | Fair | Detects all critical hack tools
Norton Internet Security 2010 | Fair | Detects all critical hack tools
McAfee Total Protection 2010 | Fair | Detects all critical hack tools
F-Secure Internet Security | Good | Detects all critical hack tools and some other tools
ESET NOD32 Antivirus | Good | Detects all critical hack tools and some other tools
Microsoft Security Essentials | Fair | Detects all critical hack tools
TrendMicro Internet Security Pro 2010 | Good | Detects all critical hack tools and some other tools
BitDefender Internet Security 2010 | Very good | Detects most of the hack tools
AVG Internet Security 9.0 | Very good | Detects most of the hack tools

Fig. 9 – Parse Autorun algorithm.
7.2. The second threat and second protection layer
Encryption is the best solution for cold boot attacks where the involvement of physical security measures is not possible. Encryption prevents attackers from breaching the confidentiality and integrity of the information stored on the host computer and USB drive in case they manage to gain access to the encrypted data. The recommended technologies are volume based encryption solutions such as BitLocker and TrueCrypt, which encrypt whole data volumes. Microsoft Windows supports two volume encryption solutions: BitLocker, introduced in Windows Vista and 2008, and BitLocker To Go in Windows 7. BitLocker To Go also supports data encryption for removable drives in FAT format, which is a good solution for data on USB drives. Currently, BitLocker is identified as vulnerable to cold boot attacks in which the attackers manage to obtain the encryption key from the computer's DRAM (Halderman et al., 2008). However, this attack method is rather complex and requires a cooling chemical applied to the computer memory to cool the DRAM down to −50 °C. Obviously, to conduct this attack, attackers need to open the computer case, which is not easy when the case is locked. Moreover, the encryption-key reconstruction process is rather complex, requiring time and advanced technical knowledge, and no ready-made toolkit for this job had been identified at the time of writing.
7.3. The third threat and third protection layer
The third protection layer deals with software attacks on USB security software and USB drivers. In reality, attacks on USB security software have been possible due to the lack of standardization in security design for USB devices. Table 3 summarizes our proposed solutions to secure USB software. The common vulnerabilities for buffer overflow attacks are due to the lack of input validation, which allows attackers to send erroneous packets to the software to cause a buffer overflow. A standardized validation module for USB security software is much simpler than that for Web applications and therefore entirely possible. Keyloggers may be a threat to password-enabled USB drives, though this has not yet been mentioned. Keyloggers can be mitigated by a virtual keyboard with a randomized keyboard layout for every session. Moreover, password brute force attacks can be simply mitigated by a self-lock counter which automatically stops accepting further log-in attempts after a specific number of failed attempts. The USB protocol attack is probably the most difficult issue up to now. Our proposed solution involves the use of asymmetric encryption to encrypt and decrypt the data passed between USB devices and host computers. This generally avoids the encryption key capturing problem that affects symmetric encryption solutions and also avoids password capturing in transmission between the computer and the USB drive, which is the common vulnerability of some USB drives by ATP Electronics, Samsung Electronics, Samsung Pleomax, LG Electronics, and Imation (Jeong et al., 2007). However, this requires effort to standardize the micro-chip for USB drives which contains the encryption key pair and cryptography software.
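The third-layer measures in Table 3 and the weaknesses described in Section 5.2 (erroneous packets, unlimited password attempts, passwords readable on the bus), as an added example written in Go for this edit; it is not the authors' design and not any vendor's firmware. A simulated drive holds the key pair the paper proposes placing on the drive's chip; the host wraps the password with RSA-OAEP under the drive's public key, so a protocol analyzer on the bus captures only ciphertext; the drive validates the frame before parsing it, compares in constant time and keeps a self-lock counter that refuses further attempts after maxFailures failures. The challenge nonce is an addition beyond the paper's description: without it, a ciphertext captured on the bus could simply be replayed. The key size, the 5-attempt limit, the frame format, the salted SHA-256 password hash and the passwords are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const maxFailures, nonceLen = 5, 16 // self-lock threshold (assumed policy) and challenge size

var (
	ErrLocked    = errors.New("drive self-locked after too many failed attempts")
	ErrMalformed = errors.New("malformed unlock packet")
	ErrRejected  = errors.New("unlock rejected")
)

// SecureDrive models a secure drive's firmware: the on-chip key pair the paper proposes, a
// salted hash of the unlock password (never the password itself), the live challenge and the counter.
type SecureDrive struct {
	key       *rsa.PrivateKey
	salt      [16]byte
	pwHash    [32]byte
	nonce     [nonceLen]byte
	nonceLive bool
	failures  int
}

func NewSecureDrive(password string) (*SecureDrive, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	d := &SecureDrive{key: key}
	if _, err := rand.Read(d.salt[:]); err != nil {
		return nil, err
	}
	d.pwHash = d.hash([]byte(password))
	return d, nil
}

// hash binds the password to this drive's salt; a real device would use a slow KDF such as PBKDF2.
func (d *SecureDrive) hash(pw []byte) [32]byte {
	return sha256.Sum256(append(append([]byte{}, d.salt[:]...), pw...))
}
func (d *SecureDrive) PublicKey() *rsa.PublicKey { return &d.key.PublicKey }

// Challenge hands the host a fresh nonce that must come back inside the encrypted packet,
// so a ciphertext captured on the bus cannot simply be replayed later.
func (d *SecureDrive) Challenge() ([nonceLen]byte, error) {
	_, err := rand.Read(d.nonce[:])
	d.nonceLive = err == nil
	return d.nonce, err
}

// HostUnlockPacket is the host side: nonce||password is wrapped with RSA-OAEP under the drive's
// public key, so a USB protocol analyzer sees only ciphertext. Frame: 2-byte big-endian length
// followed by the ciphertext (a format constructed for this example).
func HostUnlockPacket(pub *rsa.PublicKey, nonce [nonceLen]byte, password string) ([]byte, error) {
	msg := append(append([]byte{}, nonce[:]...), password...)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, []byte("unlock"))
	if err != nil {
		return nil, err
	}
	pkt := make([]byte, 2, 2+len(ct))
	binary.BigEndian.PutUint16(pkt, uint16(len(ct)))
	return append(pkt, ct...), nil
}

// HandleUnlock is the drive side: the frame is validated before the payload is touched (input
// validation), the nonce is single-use, the password compare is constant-time, and every wrong
// guess advances the self-lock counter (the brute force mitigation in Table 3).
func (d *SecureDrive) HandleUnlock(pkt []byte) error {
	if d.failures >= maxFailures {
		return ErrLocked
	}
	if len(pkt) < 2 || int(binary.BigEndian.Uint16(pkt)) != len(pkt)-2 || len(pkt)-2 != d.key.Size() {
		return ErrMalformed
	}
	live := d.nonceLive
	d.nonceLive = false // a challenge is answered at most once, whatever the outcome
	msg, err := rsa.DecryptOAEP(sha256.New(), nil, d.key, pkt[2:], []byte("unlock"))
	if err != nil || !live || len(msg) < nonceLen {
		d.failures++
		return ErrRejected
	}
	got := d.hash(msg[nonceLen:])
	if subtle.ConstantTimeCompare(msg[:nonceLen], d.nonce[:])&subtle.ConstantTimeCompare(got[:], d.pwHash[:]) != 1 {
		d.failures++
		return ErrRejected
	}
	d.failures = 0
	return nil
}

func main() {
	drive, _ := NewSecureDrive("correct horse battery staple")
	nonce, _ := drive.Challenge()
	pkt, _ := HostUnlockPacket(drive.PublicKey(), nonce, "correct horse battery staple")
	fmt.Println("unlock:", drive.HandleUnlock(pkt), "| replay:", drive.HandleUnlock(pkt))
}
```

Two design points matter for the threats in Table 3. First, the frame checks run before any cryptographic parsing, so an erroneous packet is dropped at the boundary rather than reaching code that could be overflowed. Second, the counter is advanced on every rejected guess, including replays and nonce mismatches, and is only cleared by a successful unlock; an attacker watching the bus learns the ciphertext, not the password, and gets at most maxFailures guesses before the drive stops answering.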
In terms of the USB driver, the implementation of the USB driver should be moved to User Mode, which prevents privilege escalation in case attackers manage to complete a buffer overflow attack on the driver. The previous buffer overflow attacks on the Windows USB driver, though not yet confirmed by Microsoft, were possible on Windows XP and earlier versions but not on Windows Vista and later versions. This can be explained by the Microsoft driver model in Windows Vista and later editions, particularly the User Mode driver model. Fig. 10 illustrates the USB driver model for Windows Vista.
In Fig. 10, the drivers for USB devices provided by hardware vendors are located in the User Mode layer, where access to system resources is limited to user rights and privileges only. This model applies to Windows Vista and later. However, in previous Windows versions such as Windows XP and Windows 2003, the USB driver was located in the Kernel Mode layer where it has unlimited access to system resources. Therefore, successfully compromising USB drivers gives attackers system rights and privileges. On the other hand, crafted USB drivers could be injected into the Windows kernel because of the lack of driver signing enforcement in Windows XP and other 32-bit editions. The enforcement of signed drivers will prevent unsigned drivers from being injected into the Windows kernel and thus help mitigate this threat vector effectively.
Fig. 10 – Windows USB driver architecture, adapted from (Architecture of the User Mode Driver Framework, 2007).
Table 3 – USB security software threats and solutions.
Threat | Solution
Buffer overflow attack | Software input validation
Key logger: password attack | Virtual keyboard: random key layout
Password brute force attack | Self lock counter
Protocol attack | Asymmetric data encryption
8. Conclusion and further work
In this paper, we have investigated all the currently identified USB based software attacks and their payloads on host computers and USB devices, and have established a taxonomy of the attacks. We have also created a security framework to handle USB based software attacks on the basis of newer Windows operating systems including Windows Vista, Windows Server 2008, and Windows 7 on both x86 and x64 platforms. The framework was designed to address all the identified USB based software attacks with minimum deployment and maintenance effort. The results also show that reengineering effort must be invested in the standardization process for USB security software to create an industry-wide secure implementation standard for all USB devices. Finally, USB driver implementation should be moved to User Mode to prevent privilege escalation in case a buffer overflow attack on the driver is successfully conducted.
Appendix.
Table A1. Surveyed USB based malware families.
No. Malware family No. Malware family
1 Auraaxa 26 W32/Frethoga
2 AutoIta 27 W32/Hamweqa
3 AutoIt/Renocidea 28 W32/Harya
4 Brontoka 29 W32/Mabezata
5 Confickera 30 W32/Perlovgaa
6 Emolda 31 W32/Regula
7 Generic!atra 32 W32/SillyShareCopya
8 Invadesysa 33 W32/Taterfa
9 Mal_Otoruna 34 W32/Yacspeel.A.dll
10 Niuniua 35 Worm.Autorun.VHG
11 Pushbota 36 Worm.VBS.Autorun.r
12 PWS-Gamaniav 37 Worm.W32.AutoRuna
13 Slenfbota 38 Worm.W32.AutoRun.dui
14 Troj_CoreLink.D 39 Worm.W32.AutoRun.eee
15 Trojan.Autorun.AET 40 Worm.W32/Autoruna
16 Trojan.AutorunINF.Gen 41 Worm.W32/RJumpa
17 VBS.Runautoa 42 Worm_Agent.TBH
18 W32.Gammima.AG 43 Worm_Autorun.AZB
19 W32.Saltity.AE 44 Worm_Autorun.BSE
20 W32.SillyDC 45 Worm_Autorun.CBZ
21 W32.SillyFDC 46 Worm_Downad.A
22 W32.Sality.OG 47 Worm_QQpass.ADH
23 W32.Worm.Downadup.Gen 48 Worm_VB.BDN
24 W32/Autoruna
25 W32/Conficker.B
a The number of variants may vary from three, such as the W32/Hary and W32/Mabezat families, to several hundred, such as the AutoIt and Pushbot families. However, not all variants' profiles are available in the databases. Only autorun related variants with available profiles in the databases are surveyed.
Table A2. Tested common USB hack toolkits.
No. Name & version No. Name & version
1 Amish 1.0 (No U3) 26 PasswordFox v1.20
2 Asterisk Logger 1.04 27 Pwdump6
3 Blat 262 28 Resource Hacker Version 3.5.2
4 Dialupass2 29 RPC-Mail version 0.1
5 Enable-Abel SwitchBlade 30 SkypeLogView v1.12
6 Ethereal on USB 31 Slurp Audit
7 Gandalf 7zBlade 32 SniffUSB
8 GonZors SwitchBlade 1.2 33 Snort 2.8.5
9 GonZors SwitchBlade 2.0 34 Stellar Password Recovery v1.5
10 HackBlade 35 Stunnel 3.10
11 IE Cache View 36 Stunnel 4.33
12 IE PassView v1.17 37 Switchblade alternative 1.3 by Silivrenion
13 IECookiesView 38 TCP Dump version 3.9.4
14 IEHistoryView 39 USB HackSaw 0.2
15 John 1.7.0.1 40 USB Hacksaw Version 0.1 POC
16 Mail PassView v1.55 41 USB Pocket Knife v0.8.8.0
17 MessenPass v1.30 42 USBDeview v1.06
18 MozillaCacheView v1.27 43 USBDumper v2.2
19 MozillaCookiesView v1.30 44 USBlyzer 1.5
20 MozillaHistoryView v1.25 45 Web dumper 2.4
21 Nemesis 1.4 46 White Hat Payload 1.3
22 Network Password Recovery v1.24 47 Windows password Key
23 Nmap 3.8.1 48 WireShark 1.2.1
24 Nmap 5.0 49 U3 Incident Response
Switchblade
25 Nmapbot version 0.2 50 Kapowdude
Table A3. Tested hack tool and hack toolkit categories (total number of toolkits: 3802).
No. Category of hack tools No. Category of hack tools
1 Bluetooth exploiting tools 22 Phishing tools
2 Buffer overflow 23 Proxy hacking
3 Credit card information exploiting tools 24 Reverse engineering tools
4 Data collection tools 25 RFID hacking tools
5 Data recovery tools 26 Router cracking
6 Database exploiting tools 27 Session hijacking
7 DoS tools 28 Sniffer tools
8 Encryption tools 29 Software cracking kits
9 Enumeration 30 Spamming tools
10 Foot printing 31 Spying tools
11 Google hacking 32 SQL injection
12 IDS and firewall exploiting 33 Steganography tools
13 Information hiding 34 System exploiting tools
14 Internet anonymity 35 System scanning
15 Linux system exploiting tools 36 Trojan and backdoor kits
16 Mac OS exploiting tools 37 Virus and worm kits
17 Mail hacking 38 VOIP hacking tools
18 Mobile & PDA devices cracking 39 Web app vulnerability scanner
19 Password cracking 40 Web browser hacking
20 Password stealing 41 Web server exploiting tools
21 Penetration testing tools 42 Wireless cracking
References
Alzarouni M. The reality of risks from consented use of USB devices. In: Proceedings of the 4th Australian information security conference; 2006.
Architecture of the User Mode Driver Framework, Version 1.0. Microsoft Corporation; 2007.
Bakker PJ, et al. Investigating 'secure' USB sticks, v.1.4. Fox-IT Forensic IT Experts B.V., Olof Palmestraat 6, 2616 LM Delft, The Netherlands; 2007.
Chance R. Understanding USB flash drives as portable infrastructure. 1401 Hardley Ct., Bel Air, MD 21014, US: Browsercraft, LLC; 2005.
Fabian M. Endpoint security: managing USB based removable devices with the advent of portable applications. In: Information security curriculum development conference; 2007.
Gibson WR, Dyar D. Implementing preinstallation environment media for use in user support. In: Proceedings of the 35th annual ACM SIGUCCS conference on user services; 2007.
Halderman JA, Schoen SD, Heninger N, Clarkson W, Paul W, Calandrino JA, Feldman AJ. Lest we remember: cold boot attacks on encryption keys. In: Proceedings of the USENIX Security Symposium; 2008.
Harrison K, Xu S. Protecting cryptographic keys from memory disclosure attacks. In: 37th annual IEEE/IFIP international conference on dependable systems and networks; 2007.
Jeong H, Choi Y, Jeon W, Yang F, Lee W, Kim S. Vulnerability analysis of secure USB flash drives. In: Memory technology, design and testing, IEEE International Workshop; 2007.
Lee S, Savoldi A, Lee S, Lim J. Password recovery using an evidence collection tool and countermeasures. In: Intelligent information hiding and multimedia signal processing, third international conference, vol. 2; 2007.
Marcus D, Greve P, Masiello S, Scharoun D. McAfee threats report: third quarter 2009. McAfee, Inc., McAfee Avert Labs; 2009.
McAfee threats report: second quarter 2009. McAfee, Inc.; 2009.
Paget F. Avert passes milestone: 20 million malware samples. McAfee Labs Blog, McAfee, Inc., <http://www.avertlabs.com/research/blog/index.php/2009/03/10/avertpassesmilestone-20-million-malware-samples/>; 2009 [accessed 20.11.09].
Pham DV, Halgamuge MN, Syed A, Mendis P. Optimizing windows security features to block malware and hack tools on USB storage devices. In: Progress in electromagnetics research symposium; 2010.
Roberts PF. USB devices can crack Windows. eWEEK, Ziff Davis Enterprise Inc, <http://www.eweek.com/c/a/Security/USB-devices-can-crack-Windows/>; 2005 [accessed 20.08.09].
Thomas P, Morris A. An investigation into the development of an anti-forensic tool to obscure USB flash drive device information on a Windows XP platform. In: Digital forensics and incident analysis, third international annual workshop; 2008. p. 60–6.
Thomas V, Ramagopal P, Mohandas R. The rise of autorun-based malware. McAfee Avert Labs, McAfee, Inc; 2009.
Vega RD. Linux USB device driver - buffer overflow. MWR InfoSecurity Security Advisory. St Clement House, 1-3 Alencon Link, Basingstoke RG21 7SB, England: MWR InfoSecurity Limited; 2009.
W3Schools. Operating system statistics, <http://www.w3schools.com/browsers/browsers_os.asp>; 2009 [accessed 10.10.09].