The US Army has reportedly suspended the use of USB and removable media devices after a worm began spreading across its network. Use of USB drives, floppy discs, CDs, external drives, flash media cards and all other removable media devices has been placed on hold in order to contain the spread of Agent-BTZ, a variant of the …
U3 bypasses disabled Autorun
I found the hard way that SanDisks U3 writes a segment to appear to be another CD player, and all Windows before Vista install it as such with Autorun Enabled BY DEFAULT, so that crap U3 is then installed and changes your disk assignments while it hunts for stuff to put on your SanDisk web account! There a lot of old sticks out there with the shit still on them, but I remove them from service with a hammer when I find them. And if your data disappears, tough tittie.
Surely the US Army would have specified "access to the Source Code" as a show-stopping precondition when they ordered their Operating Systems. So why can't they just compile Windows without USB support and have done with it?
The muppets (aka US DoD) came up with SElinux but still bloody insist on using that Chinese/Russian friendly OS Windaz.
To quote an old song (anti war song too):
"Where have all the flowers gone, when will they ever learn"
autorun can be globally disabled
@Donald Miller above
you can disable autorun globally for any windows system you can use group policies on, even if it is not joined into a domain.
start-> run -> gpedit.msc
(if youre running xp home... tough luck.. no such file exists... didn't try on vista home, maybe you're SOL here too)
so.. in GPedit
navigate to Local Computer policy -> Computer Configuration -> Administrative Templates -> System
and set the entry named "Turn off Autoplay" to enabled, with autoplay disabled globally for ALL DRIVES (default is only cdrom drives but with policy not applied)
if you set autoplay disabled for all drives it will stay disabled even for yet-unknown devices that will be connected in the future.
This is exactly why off the shelf devices need to be used with care. If there is really a need for USB connectivity the military should just define their own incompatible USB connector, and provide suitable devices (with built-in crypto?) for those who need them. That, and fill the standard USB ports on their PCs with epoxy glue...
Of course, that is why they end up paying $400 for a hammer, but security doesn't come free...
@A J Stiles
Did the steam start venting form your ears before you reached the end of the article? Ill explain.
It said that USB drives were a necessity, what with networks and email being unavailable in theatre. To get rid of them would be an encumbrance.
Why not get rid of bullets as well, they keep killing people ?
What does the subject of this article actually mean?
"US Army bans USB devices to contain worm"
Looks like some words missing, or, perhaps, the words 'to contain worm' should have read 'because they might contain a worm'.
Or is there some subtle nuance of Leydenism that I have missed?
Another way to disable autorun globally
For those who prefer registry settings (and those with Home versions that can't use GPedit.msc), set the
registry key to dword 0xFF.
However, Vista users may still be vulnerable to malware spread this way, see http://secunia.com/advisories/29458/
Stage One of cleanup.
Deleting 'itunes.exe' wherever it's found on US DoD computers would be a good start.
@ autorun can be globally disabled
I'm amazed that people constantly forget about the useful and sometimes extremely powerful built-in diagnostic and administrative tools in Windows (2000 and up, particularly XP, don't know about Vista), such as gpedit.msc, services.msc, msconfig, etc. While it's true that I don't widely advertise these to users who are likely to do more harm than good, any sysadmin worth his/her/its salt surely knows about and how to use these tools. They can do most things that any third-party admin utility can do; granted, the interfaces aren't always intuitive or user-friendly, but you'd think they'd tweak the settings (via reg or bat, maybe) and either make a profile or a user image that they'd roll out on new machines with these settings already in place. It's not like any of this is new; welcome to 2002 (XP) or 1999 (Win2K).
First, @AC 1545: there is nothing wrong with "US Army bans USB devices to contain worm". Contain is a verb.
Secondly, @Steve, Re: "security doesn't come free" - see OpenBSD.
@ ac - What does the subject of this article actually mean?
contain in this sense it to prevent it spreading, like you quarantine people to contain a disease.
because usb drive may begin not having the worm but plug it into a computer which does then it gets it and it can spread onto any other computers that may not be infected
Stop using Windows
Why doesn't the DoD just ban Windows? Use UNIX/Linux.
@AC "What does ... mean?"
John Leyden is obviously better educated than you. My (online) dictionary has the following definitions of "to contain":
lessen the intensity of; temper; hold in restraint; hold or keep within limits
hold back, as of a danger or an enemy; check the expansion or influence of
Custom software that runs on Windows and Windows only (as in it's a WINO--WINE is NOT an OPTION). And getting all the existing Windows-custom software recoded may be difficult if not impossible due to either technical restrictions (since the firm that made it may not do Unix or may not exist anymore) or contractual obligations.
GPedit.msc is in both XP Pro and XP MediaCenter, and it didn't work against U3 on either system. As I said, Vista asks (IF you've not disabled this prompt) if you want to allow U3 to run, so I never bothered to look for GPedit until now. Anybody have any idea what version of Windows the Army uses? Anybody want to bet most of their IT management staff has heard of GPedit.msc? And on this Vista Home Premium SP1 machine neither GPedit.msc or HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun exists, and I'm not going to experiment with adding it since U3 can be killed without it.
Simple, not, G2.
They allow USB on classified networks?
Really? Paris would know better than that!
Anyone else thinking..
.. too late, why bother? And seeing as 99.99% of worms are caught via un-firewalled internet connections, banning the use of usb thumb drives doesn't seem likely to prevent another infection.
Such a temporary ban would cause inconvenience in any organisation
not in any vaguely security conscious organisation at least, as they already have a ban on these sorts of things.
So far, nobody's mentioned TweakUI, which makes it easy to turn off autorun on selected drive types or letters. One caveat is that if you deselect removable drive types it will still do autorun on external USB drives, which is a PITA if the drive contains many JPG files. The best solution is to deselect autorun on all drive letters which may mount USB drives.
I had to fix a laptop infected w/a USB drive worm and it can be a nasty problem.
Secure your data!
I’m sure there is a better way to tackle this issue.
I have read of a new SanDisk secure USB drive, with McAfee malware protection, that seems to be a good solution to securing sensitive data.
You can read more about it: http://www.sandisk-enterprise.com/blog
- Infosec geniuses hack a Canon PRINTER and install DOOM
- Feature Be your own Big Brother: Monitoring your manor, the easy way
- Boffins say they've got Lithium batteries the wrong way around
- In a spin: Samsung accuses LG exec of washing machine SABOTAGE
- Phones 4u slips into administration after EE cuts ties with Brit mobe retailer