Our cure for BadUSB

Any USB device can potentially be zombified and turned into a secret agent for cybercrooks. The world needed a shield against this threat, so we rolled up our sleeves and created one.

Kaspersky Lab patents BadUSB cure

A virus that discreetly infests hardware may be the user’s worst nightmare. Hardware attacks are much scarier than attacks on the operating system because ordinary antivirus scans don’t examine systems at the hardware level. Such attacks pose a very real threat because every day we use hardware that has exploitable vulnerabilities. For example, a couple of years ago researchers found an inherent flaw in the USB interface. They called it BadUSB.

By tampering just slightly with the USB device’s firmware code, an outside party can modify it and inject malware that makes the compromised device pretend it is something else.

After such a modification, an ordinary thumb drive might, for example, impersonate a USB keyboard and input certain commands — say, to erase all of your files. Or it could pretend it’s a network adapter and listen to the data flow between a computer and the Internet.

The problem is that such malware is stored in the thumb drive’s controller, invisible from the outside. An ordinary antivirus product cannot dig that deep: It does not see any viruses on the flash drive because the malware is on a much lower layer than a standard antivirus sweep checks. The second issue is that there is no cure for the inherent USB flaw.

However, a group of Kaspersky Lab experts — Oleg Zaitsev, Olga Domke, Konstantin Manurin, and Mikhail Levinsky — found a way to deal with the problem. Their technology automatically tracks USB devices’ behavior, and it blocks devices that behave suspiciously.

This technology is already integrated into our enterprise product, Kaspersky Endpoint Security; and just a few days ago the team was granted a US patent on it.

Olga Domke explains: “Although attacks using modified or corrupted USB devices are considered theoretical, BadUSB’s presence excites clients’ interest in protection solutions. Nobody wants to be unprotected when theory translates into practice.” And so the product and component teams worked together to develop “BadUSB attack” for Kaspersky Endpoint Security for Windows, a heuristic component that balances endpoint usability and administrator peace of mind.

Dropping Elephant: Inelegant Espionage

An Indian-speaking threat actor, Dropping Elephant chooses targets mainly in the Asian region, paying particular attention to Chinese government/diplomatic organizations – and also to foreign embassies and diplomatic offices in China.