Unpatchable Malware That Infects USBs Is Now on the Loose

Started by rcjordan, October 03, 2014, 09:33:53 AM


rcjordan

"they showed that the infected USB can impersonate a keyboard to type any keystrokes the attacker chooses on the victim's machine. Because it affects the firmware of the USB's microcontroller, that attack program would be stored in the rewritable code that controls the USB's basic functions, not in its flash memory—even deleting the entire contents of its storage wouldn't catch the malware. Other firmware tricks demonstrated by Caudill and Wilson would hide files in that invisible portion of the code, or silently disable a USB's security feature that password-protects a certain portion of its memory."

http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

rcjordan

Hacking them is not new
http://blog.opensecurityresearch.com/2012/10/hacking-usb-webkeys.html

but I got the impression that these newly released exploits were something like SQL injections and could be done from the web?

JasonD

The key point is that you make the USB devices (although they may look like normal USB storage) contain a small processor and in effect be a small computer. Secondly, they identify themselves as either a USB hub and/or a USB keyboard.

A USB keyboard then sends preprogrammed keystrokes and/or clicks. If you can send keystrokes and clicks you can penetrate anything the user has access to, which of course includes databases etc.
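From the defender's side, the tell-tale signal in the behaviour described above is a single device that enumerates as both mass storage and a HID keyboard. The script below is an added example, not code from the thread or from any of the projects it links: it parses Linux kernel USB enumeration messages in their usual dmesg format (the sample lines, ports and vendor/product IDs here are constructed for the example) and flags any port where one device presented both interface classes.

```python
import re

# Constructed sample of kernel USB enumeration messages (not captured from a real host).
# Port 1-1.2 enumerates as storage AND keyboard; 1-1.3 is a plain keyboard; 1-1.4 plain storage.
SAMPLE_DMESG = """\
[ 101.10] usb 1-1.2: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
[ 101.11] usb 1-1.2: Product: USB DISK 2.0
[ 101.20] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[ 101.30] input: USB DISK 2.0 as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.2/1-1.2:1.1/0003:1234:0001.0004/input/input12
[ 101.31] hid-generic 0003:1234:0001.0004: input,hidraw3: USB HID v1.11 Keyboard [USB DISK 2.0] on usb-0000:00:14.0-1.2/input1
[ 205.40] usb 1-1.3: New USB device found, idVendor=abcd, idProduct=0002, bcdDevice= 2.00
[ 205.41] usb 1-1.3: Product: Office Keyboard
[ 205.50] hid-generic 0003:ABCD:0002.0005: input,hidraw4: USB HID v1.11 Keyboard [Office Keyboard] on usb-0000:00:14.0-1.3/input0
[ 300.10] usb 1-1.4: New USB device found, idVendor=beef, idProduct=0003, bcdDevice= 1.00
[ 300.20] usb-storage 1-1.4:1.0: USB Mass Storage device detected
"""

NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
STORAGE = re.compile(r"usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")
KEYBOARD = re.compile(r"hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\S+: .*USB HID v[\d.]+ Keyboard")


def classify_devices(log_text):
    """Map each USB port to its vendor:product IDs and the interface classes it exposed."""
    devices = {}   # port -> {"ids": "vvvv:pppp", "classes": set()}
    by_ids = {}    # "vvvv:pppp" -> port, so HID lines (which carry IDs, not ports) can be joined
    for line in log_text.splitlines():
        m = NEW_DEV.search(line)
        if m:
            port, vid, pid = m.groups()
            devices[port] = {"ids": f"{vid}:{pid}", "classes": set()}
            by_ids[f"{vid}:{pid}".lower()] = port
            continue
        m = STORAGE.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["classes"].add("storage")
            continue
        m = KEYBOARD.search(line)
        if m:
            port = by_ids.get(f"{m.group(1)}:{m.group(2)}".lower())
            if port in devices:
                devices[port]["classes"].add("keyboard")
    return devices


def suspicious_ports(log_text):
    """Ports where a single device exposed both mass storage and a HID keyboard."""
    return sorted(p for p, d in classify_devices(log_text).items()
                  if {"storage", "keyboard"} <= d["classes"])


if __name__ == "__main__":
    print("storage+keyboard on ports:", suspicious_ports(SAMPLE_DMESG))
```

The same join logic works on a live host by feeding it the output of `dmesg` or the kernel ring buffer from journald; a hit is a device worth pulling, not proof of malice, since some legitimate combo devices enumerate the same way.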

gm66

Naughty USB stix have been around for a while but I haven't seen a debased keyboard-emulation firmware.

So, I suppose they intend it to be used like this:

0. Thoroughly research the target's operating system and environment.

1. Install on target PC or network (may not be easy!).

2. It auto-copies over your remote-shell.

3. It runs the keyboard script that allows your shell to serve through the firewall.

Why bother with KB simulation when you could just manipulate the registry for firewall rules, then launch a shell and ping HQ with the IP?

KB simulation is error-prone; just try any mouse/KB recording software (any Eve Online miners?).

Depending on your objective, KB simulation has problems:

1. People near the target computer seeing documents/windows/command consoles open and close (does it blank the screen?).
2. Scripting the keyboard strokes. What program will you launch? How will you locate it? What if they installed the OS on an abnormal drive letter?

Can't imagine pro-spooks using it; anywhere sensitive turns off USB/CD/DVD etc.


Civilisation is a race between disaster and education ...

JasonD

Gary, every one of your points is valid and I agree, apart from one.

> Why bother with KB simulation when you could just manipulate the registry for firewall rules then launch a shell and ping HQ with the IP

KB simulation "just works" and when tuned for an OS it works extremely well.

I have created very simple scripts that are tuned for each of the major OSs (including iOS and Android) and they... just work. They're definitely not the quickest or stealthiest (although stealth can be managed) but they work and work well.

However, that isn't to say better can't be achieved with research and planning. It does mean that when you have physical access that is limited or can engineer your device to achieve physical access, it will enable further access reliably.

gm66

Good points Jason.

I've been out of the game for a while and not kept up with evolving tech, so I know little about the KB side of things.

Staying away from the dark arts these days ;+}

Very interesting, though.

Can you send me an example script?

techteam (who are at) smallseo (yes a dot) couk.


JasonD

> I've been out of the game for a while

Probably wise, considering..... :)

Scripts - No need to mail you, there are lots here (may be interesting to others too)

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads


gm66

What do the scripts run on? I'm being lazy, I could Google it, but it's more interesting to converse.


JasonD

> no worries, got some info, nice micro-hardware.

Yup, info above as we cross posted

JasonD

ahhhhh, I am now wiser about what you meant RCJ.

https://github.com/adamcaudill/Psychson

is code that was released at DerbyCon (a security conference) that essentially rewrites a standard USB's firmware to work in a similar way to the Rubber Ducky I mentioned above; they even use the Rubber Ducky scripts linked above.