Wait! Where did you get that USB? Super-stealthy trojan only drives stick

Hackers have created a trojan that makes exclusive use of USB devices in order to spread. The malware - dubbed USB Thief - is capable of stealthy attacks against air-gapped systems, net security firm ESET warns. USB Thief is well protected against detection and reverse-engineering - not least because it leaves no trace of …

  1. Anonymous Coward

    Does it withstand a wipe and format before use strategy?

    Anyone that doesn't do that to USB sticks before they are used on secure systems should be taken out the back and dealt with.

    1. Anonymous Coward

      Anyone that doesn't do that to USB sticks before they are used on secure systems should be taken out the back and dealt with.

      If you can use USB sticks they aren't secure systems, full stop. Blaming users is a poor excuse.

      1. Anonymous Coward

        So how does a secure system do data ingress or egress of a nature too complex for human memory, like industrial control programs?

        1. Robert Helpmann??
          Childcatcher

          Ingress and Egress

          So how does a secure system do data ingress or egress of a nature too complex for human memory, like industrial control programs?

          Two ways to deal with this issue come to mind. First, allow only certain accounts (think in terms of service accounts) access to USB devices on the protected systems, and allow only known-good USB drives (registered devices) to be used by those accounts. This would apply to both the protected network and the network with internet access.

          Second, there are these things called DVDs and CDs....

      2. Anonymous Coward

        If you can use USB sticks they aren't secure systems, full stop. Blaming users is a poor excuse.

        Sometimes you have to give the bean counters the information they need and a USB stick is the best way of transferring several hundred pages without connecting the system to the corporate network. That is unless you want to write those pages by hand.

        1. Anonymous Coward

          Then you buy your USB sticks from a known good source (how exactly you determine that is an exercise best left to the reader) with a special design, or encase them in a special cover. Then it is down to training the employees really well to know to only plug those approved/special USB sticks into the sensitive PC, and from there to another slightly less sensitive PC that is network connected for email only, so you can email the contents to the bean counter that needs to see it - you don't want to give them the USB sticks, as if they have malware on their PC it could subvert your "known good" USB stick.

        2. allthecoolshortnamesweretaken

          "That is unless you want to write those pages by hand."

          Well, good penmanship takes a lot of practice. However, I'd print the info (and make sure the pages are properly shredded when they are no longer needed).

          1. Number6

            You could use the method originally employed to get PGP out of the US - print it in a suitable font and then use OCR to recover it. In theory you could read the information if it's printed in a helpful manner, so you'd know you weren't scanning in "format c: /y" or equivalent.

  2. Doctor Syntax Silver badge

    "People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy"

    What's a trustworthy source and how do you recognise one that's not?

    1. chivo243 Silver badge

      @Doctor Syntax

      I would say USB drives you get from vendors with their logo, or from a trade show are suspect. Even those you get at discount IT shops might be suspect.

      I would say the first poster has it right, format before any use....

      1. Anonymous Coward

        I would say the first poster has it right, format before any use....

        That only works if you can be sure that the firmware of the USB device is trustworthy, and anybody who has the slightest interest in ITSec knows that you can't rely on that. As soon as the thing has been plugged in to a system that allows the USB device and OS (or even machine firmware) to interact, it could be too late.

        1. This post has been deleted by its author

          1. Keith Glass
            Trollface

            So you're saying . . ..

            Trust the Computer ? The Computer is your Friend ?

            Why am I having visions of smoking boots ???

            1. Someone_Somewhere
              Devil

              Re: Why am I having visions of smoking boots ??? . . ..

              Because you're old and a geek/nerd who used to play 'Paranoia' in the 1980s. *

              * I suspect - <cough> I wouldn't know anything about it myself </cough>

            2. Aitor 1

              Re: So you're saying . . ..

              The computer is your friend citizen. We will promptly send a Troubleshooter team to deal with the problem.

              1. Fatman
                Joke

                Re: So you're saying . . ..

                <quote>We will promptly send a Troubleshooter team to deal with the problem.</quote>

                OK???

                (Later gets phone call from """Microsoft Technical Support"""): "This is Microsoft Technical Support. Your computer has been sending alerts to Microsoft regarding an infected USB drive. I can help you resolve the issue..."

          2. Doctor Syntax Silver badge

            @Symon

            At the level the guys in the article are dealing with, your paranoia is SOP.

        2. JeffyPoooh
          Pint

          Ledswinger: "the firmware of the USB device is trustworthy"

          Yep.

          'Lost all faith...' down page provided a link.

      2. Mage Silver badge

        format before any use...

        There is a big flaw in USB design.

        It's called USB HID mode.

        HOW do you insert and wipe a USB stick without it running evil HID mode software?

        A USB charger, mouse, BT dongle, proprietary Wireless keyboard dongle, 3G Modem, keyboard, ANYTHING with USB can penitentially attack your gadget or PC. Not just a memory stick.

        1. Old Handle

          Re: format before any use...

          I don't know if such a thing exists, but I suppose you could have some kind of special USB hub that only lets certain classes of device connect. A simpler idea, would be to use SD cards (and a single, trustworthy reader) instead of USB drives. I assume it would be much harder to reprogram those to do anything besides store files. Although the SD format does have some kind of seldom-used DRM feature, so who knows what kind of weird stuff could be lurking in there.

          1. Mage Silver badge

            Re: suppose you could have ...

            suppose you could have some kind of special USB hub that only lets certain classes of device connect.

            Except due to design of USB, currently that would need very powerful secure CPU to analyse and pass the USB messages.

            I don't believe the retail market has such a device.

          2. e^iπ+1=0

            Re: format before any use...

            Why use USB on the airgapped system?

            Might something else, for example eSata, be less risky?

            I just think USB is a bad way to transfer data to / from a system which is supposed to be secure.

        2. Doctor Syntax Silver badge

          Re: format before any use...

          "can penitentially attack your gadget or PC."

          I confess I'm still trying to get my head round that.

          1. Mage Silver badge

            Re: format before any use...

            Dreaded auto correct "Potentially"

            Arrrgh!

          2. Someone_Somewhere

            Re: "penitentially attack your gadget or PC."

            What's the problem?

            It means you can only catch a nasty infection if you're on your knees when it's inserted.*

            * everyone knows you can only get pregnant doggy-style.

        3. Dave 126 Silver badge

          Re: format before any use...

          >HOW do you insert and wipe a USB stick without it running evil HID mode software?

          Use a dedicated Linux/RecoveryOS box (a Raspberry Pi perhaps?) to format the USB stick. The Linux box itself is to be run from a fresh or read-only image every time it is booted.

          Of course this doesn't help you if the USB stick pulls some more sophisticated shenanigans, such as presenting a different bank of storage after a pre-set period of time.

      3. Doctor Syntax Silver badge

        "Even those you get at discount IT shops might be suspect."

        My point was that, given the complexity of today's supply chains, how do you know that any item is trustworthy?

      4. razorfishsl

        Sorry , but the first poster is "incorrect",

        Between 2008 and 2011 I built several 'test' sticks that could subvert forensic evaluations, including wipes, erasures etc.

        The only way to spot the malware was to physically remove the flash chips and analyze them.

        The system had the capability to 'code page' rotate sections of code in and out of the onboard CPU inside the USB stick, from hidden 'pages' on the NAND flash chip.

        The system even had an 'anti-forensic' mode that would wipe if a sequential read of the device was attempted.

        Really dangerous kit, since no AV product could touch it.

    2. Voland's right hand Silver badge

      Bingo

      There were multiple infections at manufacturer premises in the past.

      Claiming that any drive source is trustworthy is an oxymoron. Wipe first, ask questions later.

  3. Anonymous Coward

    MicroSD Card readers.

    Let's not leave out USB MicroSD readers from this - cheap Chinese readers, especially where (unsigned) device drivers install themselves. If it's a couple of quid on eBay, take care.

  4. Someone_Somewhere

    >“It seems that this malware was created for targeted attacks on systems isolated from the internet [...] People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy,”Gardoň warned.”

    And our next contestant on 'Mastermind' is Tomáš Gardoň, a malware analyst at ESET, whose specialist subject is The Bleedin' Obvious.

    >The data-stealing trojan can be stored as a plugin source of portable applications or as just a library – DLL – used by the portable application. So, whenever an application such as Firefox portable or TrueCrypt portable is executed, the malware will also be run in the background.

    What does that even mean?

    In what way does a data-stealing trojan that is executed along with a portable version of an app differ from a data-stealing trojan that is executed along with a /non/ portable version of an app?

    Don't worry, the question was rhetorical; the answer, of course, is that it doesn't - a trojan is a trojan is a trojan.

    >“This is not a very common way to trick users, but very dangerous."

    What, like the practice of infecting floppy disks and, later, USB storage devices, that was very common amongst miscreants in the days before the iPhone, he means? *

    * yes, yes, pick a device other than the iPhone, if you want to miss the point entirely and make yourself look like Billy Nomates.

    Or Tomáš Gardoň (probably).

  5. Dan McIntyre

    The malware is able to steal data from air-gapped systems (which aren’t connected to the internet) by writing it to the device itself.

    Peter Stancik, security evangelist at ESET, explained: “[Stolen] data is written to the device itself: Configuration data include information on what data should be gathered, how they should be encrypted, and where they should be stored. The output destination must always be on the same removable device.” ®

    Maybe I'm reading this wrong, but doesn't this mean that any data stolen would be written back to the USB device? And so, if one keeps hold of the device (doesn't hand it back to the untrustworthy source) then the data isn't really stolen??

    1. Aitor 1

      It goes to the internet

      It goes to the internet, once it is able to connect on a different computer.

      This is obviously not for monetary gain. This is state malware.

      1. Old Handle

        Re: It goes to the internet

        Although it definitely sounds like something state actors would be doing, I wouldn't rule out for-profit industrial espionage either.

    2. Paul Woodhouse

      @Dan

      Next time it gets plugged into a computer that is connected to the internet, off all that data goes...

  6. Dave 32
    Unhappy

    Mass Storage

    Don't forget that one of the benefits of the USB system is that a particular device can choose to appear as a Mass Storage Device, or a Keyboard, or a Mouse, or a temperature sensor, or .... For that matter, a sufficiently adept hacker can probably make a single device appear as any of these. So, that USB flash drive you plug in very well may act as a keyboard, and start "typing" commands into the system, even if Autorun is turned off.

    Dave

    P.S. Ohoh, now I've gone and given some d*mned hacker an idea. :-(

    1. Aitor 1

      Re: Mass Storage

      Almost any script kiddie can fake the type of USB device.

      I can do it, and firmware is just a hobby for me, my beans are Java, pl/sql, "smokeware" (a.k.a powerpoint), etc.

    2. Anonymous Coward

      Re: Mass Storage

      No Dave 32, that's already a known vector and method.
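Mage's HID point, Old Handle's "hub that only lets certain classes of device connect", and Dave 32's note that a device chooses what it appears as all come down to one thing: the host learns what a device is from descriptors the device's own firmware supplies. The following is an added example, not from the article or from ESET: it parses a USB configuration descriptor chain the way a host does and applies the interface-class allowlist such a filter would enforce. The two descriptor byte strings are constructed, not captured from real hardware, and the allowlist (mass storage only) is an assumption.

```python
"""Parse a USB configuration descriptor chain and apply an interface-class
allowlist, the host-side check a filtering hub or policy daemon would do
before binding drivers. Added example; descriptor bytes are constructed."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Descriptor types from the USB 2.0 spec (table 9-5) plus the HID class descriptor
DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
CLASS_NAMES = {0x02: "CDC", 0x03: "HID", 0x08: "Mass Storage", 0x0E: "Video", 0xE0: "Wireless"}


@dataclass(frozen=True)
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int

    def __str__(self) -> str:
        name = CLASS_NAMES.get(self.cls, "unknown")
        return (f"iface {self.number}: class 0x{self.cls:02x} ({name}) "
                f"sub 0x{self.subclass:02x} proto 0x{self.protocol:02x}")


def parse_interfaces(config: bytes) -> list[Interface]:
    """Walk what GET_DESCRIPTOR(CONFIGURATION) returns. Every descriptor begins
    with bLength and bDescriptorType; types we do not care about are skipped."""
    ifaces: list[Interface] = []
    off = 0
    while off < len(config):
        if off + 2 > len(config):
            raise ValueError(f"truncated descriptor header at offset {off}")
        blen, dtype = config[off], config[off + 1]
        if blen < 2 or off + blen > len(config):
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE and blen >= 9:
            # bInterfaceNumber @2, bInterfaceClass @5, bInterfaceSubClass @6, bInterfaceProtocol @7
            ifaces.append(Interface(config[off + 2], config[off + 5], config[off + 6], config[off + 7]))
        off += blen
    return ifaces


def policy_violations(ifaces: list[Interface],
                      allowed: frozenset[int] = frozenset({CLASS_MASS_STORAGE})) -> list[Interface]:
    """Every interface not on the allowlist is a reason to refuse the device.
    A 'stick' that also presents HID is the keyboard-typing-commands case."""
    return [i for i in ifaces if i.cls not in allowed]


# --- constructed sample descriptors (assumed values, not captured from hardware) ---
def _iface(num: int, cls: int, sub: int, proto: int, n_ep: int) -> bytes:
    return struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0)


def _endpoint(addr: int, attrs: int, maxpkt: int, interval: int) -> bytes:
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, attrs, maxpkt, interval)


def _hid_descriptor(report_len: int) -> bytes:
    # bcdHID 1.11, bCountryCode 0, one report descriptor (type 0x22) of report_len bytes
    return struct.pack("<BBHBBBH", 9, DT_HID, 0x0111, 0, 1, 0x22, report_len)


def build_config(body: bytes, n_ifaces: int) -> bytes:
    """Prepend the 9-byte configuration header with wTotalLength filled in."""
    hdr = struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), n_ifaces, 1, 0, 0x80, 50)
    return hdr + body


# Honest stick: one mass-storage interface (SCSI transparent, bulk-only) with two bulk endpoints
STORAGE = (_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2)
           + _endpoint(0x81, 0x02, 512, 0) + _endpoint(0x02, 0x02, 512, 0))
PLAIN_STICK = build_config(STORAGE, 1)

# Composite "stick": the same storage plus a boot-protocol keyboard on interface 1
KEYBOARD = _iface(1, CLASS_HID, 0x01, 0x01, 1) + _hid_descriptor(63) + _endpoint(0x83, 0x03, 8, 10)
BADUSB_STICK = build_config(STORAGE + KEYBOARD, 2)


if __name__ == "__main__":
    for label, cfg in (("plain stick", PLAIN_STICK), ("composite stick", BADUSB_STICK)):
        ifaces = parse_interfaces(cfg)
        bad = policy_violations(ifaces)
        print(f"{label}: {len(ifaces)} interface(s), {'REJECT' if bad else 'allow'}")
        for i in bad:
            print("  ", i)
```

Because a device that drops off the bus and comes back goes through enumeration again, a check that runs on every attach also covers the "storage now, keyboard later" trick; on Linux that job can be handed to USBGuard, whose rules match on interface class triples before the kernel binds a driver. What no descriptor check covers is a device that lies within the allowed class, such as a stick whose mass-storage interface is genuine but whose controller firmware is not.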

  7. CAPS LOCK

    How strong willed would you have to be to not plug in a USB stick you found in the street?...

    ... If you don't want random malware on your system fill the USB hole with Plastic Padding (type elastic obviously). If you want to transfer data across an air-gap CDROM is your friend...

    1. Anonymous Coward

      Re: How strong willed would you have to be to not plug in a USB stick you found in the street?...

      Only one problem with that, a vast amount of these machines don't have CD drives or anywhere to add one and when we need to install anything from CD it requires the use of a USB CD drive.

    2. Anonymous Coward

      Re: How strong willed would you have to be to not plug in a USB stick you found in the street?...

      Commercially bought programmes on CD-ROM discs have come pre-infected, ISTR

      1. Anonymous Coward

        Re: How strong willed would you have to be to not plug in a USB stick you found in the street?...

        Not just programs (in the sense of software): remember the Sony music CD DRM rootkit fiasco?

        (I still don't buy from Sony; I completed my 007 DVD collection, the one thing I wanted that is produced specifically by Sony, by buying second-hand.)

    3. Stoneshop
      Black Helicopters

      Re: How strong willed would you have to be to not plug in a USB stick you found in the street?...

      Sticks left in the parking lot tend to be aimed at Windows, or maybe (if applicable and the perpetrators having done their homework) Linux. In both cases the architecture will be x86.

      So you put the stick in a RPi or something similar running a bunch of tools that are aimed at peeking into the stuff on the stick, including low-level structures and such, and figuring out if it's kosher. The OS and tools should be on a hard write-protected SD card, or a sacrificial one. Then you put the stick in a MIPS-based machine running a similar (but not the same) set of tools.

      Machines with a different architecture can also be used as a front-end for the actual airgapped machine: Instead of putting a stick to be written to in the machine itself, it transfers the data to a RPi via a dedicated link, which the Pi then writes to the stick. Of course this requires the Pi to be subject to the same security audits as the actual system.

      1. elDog

        Re: How strong willed would you have to be to not plug in a USB stick you found in the street?...

        @StoneShop -

        OMG, now I need to tell granny to fire up an RPi (whatever that is) after she spent several minutes bending over in the parking lot and retrieving the little bit of glitter out of a sense of kindness.

        I'm guessing that every new device having sex with our not-so PCs will need to first be given the RPi Certificate of Health. So long printers, mice, keyboards, even video controllers.

    4. Mark 85

      Re: How strong willed would you have to be to not plug in a USB stick you found in the street?...

      How strong willed would you have to be to not plug in a USB stick you found in the street?...

      Not strong-willed, just careful. Those go into the nearest bin though to date, I've only found one in a parking lot and it was mashed by the cars and trucks. One has to be seriously nosy to stick a found USB stick into a computer to "see what's on it". Then again... apparently lots of people will do that.

    5. Doctor Syntax Silver badge

      Re: How strong willed would you have to be to not plug in a USB stick you found in the street?...

      I did. Mind you, it was the one on my keyring that I'd just dropped. This solid state stuff isn't that solid. It never made a reliable connection again.

  8. Anonymous Coward

    For those with short memories saying just format the drive:

    http://www.tripwire.com/state-of-security/security-data-protection/danger-usb/

    1. JeffyPoooh
      Pint

      Re: For those with short memories saying just format the drive:

      'Lost all faith...' has pointed out a key topic. (More upvotes for Laf please.)

      Headline = "Could a flash drive’s firmware be hiding undetectable malware?"

      Not the flash memory, but the firmware hidden in the ARM processor that's acting as the USB controller.

      It's hopeless.

      Handcuff suspect to a chair, aim light into face. Demand, "Are you clean?" Suspect answers, "Yes, I'm squeaky clean." Turn around and yell, "He's okay. He told me that he's clean."

      That's exactly how IT Security works these days.

      Even A. Turing knew that this wasn't going to end well.

  9. Anonymous Coward

    Starved of necessary info: How does this attack really work?

    Can Reg'ers / Regstaff break this down please:

    1. Where does the trojan code reside? Hidden partition?

    2. Where is the offline siphoned file-data stored? Hidden partition? How to misreport the space available / used?

    3. What activates or executes the USB-Trojan code in the first place? Assume autorun is disabled.. What gets executed? I thought driver code would only be run on the PC anyway. So is there firmware code that also gets executed on the device that can callback into OS windows code?

  10. Anonymous Coward

    Wait...

    Read the Reg article and the linked one, but not clear about something:

    Q1. Connecting the USB causes install driver code to run off the device itself (firmware)? I thought driver install code only ran from drivers installed on the windows side? (assume 'Autorun' disabled)

    Q2. Does the Trojan use a Hidden partition to store itself or the offline captured files? (Reported free space gets masked etc)

  11. martinusher Silver badge

    Guvmint Work

    This has all the hallmarks of a professional job -- NSA code -- that may or may not have leaked out into the wild for use by sophisticated commercial (i.e. criminal) firms.

    The real villain of the piece is operating environments that think it's cute to execute code automatically when a stick is plugged in. (Windows -- I'm looking at you....). A USB stick is supposed to be a data storage device, a filesystem that when it's mounted just gives you somewhere to store information. The only information that should be acted on automatically is the configuration register set that says that the device is a memory device from vendor 'X' and so on. Assuming the driver can be trusted -- and that's a big 'IF' -- then no information other than the directory tree should be read by the system it's plugged into.

    (I'd assume that any memory device that's plugged in is suspect unless its been proven by an external USB analyzer not to cause unnecessary data traffic on the link. Since this isn't a cheap option maybe the way to go would be to get hold of some really old kit -- floppy drives on an elderly PC running MSDOS or even a paper tape punch/reader -- and use that for data transfer. It will look hokey, it won't be super-convenient and people will have to learn to keep the amount of data transferred to a minimum -- you should be using plain ASCII files or simple image formats, anyway -- but it will thwart the best external hackers.)

    1. Old Handle

      Re: Guvmint Work

      I don't think this one even relies on being automatically run. It sounds like it uses a Trojan application, something the user would launch on purpose. Although I'm not really sure why you'd be running applications from a USB drive on a supposedly secure system.

    2. Mage Silver badge

      Re: Guvmint Work

      I'd not trust ANY OS with a malware USB slave controller using HID mode USB as well as offering access to the Flash Memory.

      I expect it's safe to plug in a CF card or maybe an SD Card and format them. I don't think they have an HID mode.

      1. Charles 9

        Re: Guvmint Work

        Many desktop computers don't carry built-in flash card readers (that's mainly the realm of laptops). So how do you trust the card reader you're going to need to install to make them readable?

        1. Anonymous Coward

          Re: Guvmint Work

          > Many desktop computers don't carry built-in flash card readers (that's mainly the realm of laptops). So how do you trust the card reader you're going to need to install to make them readable?


          We are presuming a computer that is meant to be air-gapped/secured will be equipped with the appropriate alternative hardware to facilitate sneakernet data transfers. Unless the secure hardware is coming from IBM, in which any cheap-ass insecure hardware is invited right in.

          Of course, the additional thing would be to install an operating system which would allow you to compile in device drivers that *DON'T* run the HID code, and which would require confirmation & pre-check before mounting the device. Just to add extra security, the non-air-gapped machine that is meant for retrieving the data from the USB stick should have the same modifications to the USB system. Perhaps develop a USB add-in card with a security-minded chipset, rather than the standard off-the-shelf chipset.

          1. Charles 9

            Re: Guvmint Work

            Anything you can do, a determined adversary can copy unless you go straight to the chip level, and even then there may be bad actors in the manufacturing stage which nothing can prevent or mitigate given the sophistication of sleepers.

  12. Pliny the Whiner

    If comedian Bill Maher had read this story --

    -- he'd likely create a New Rule: Never plug anything into a USB port that you wouldn't shove up your ass.

    1. Old Handle
      Gimp

      Re: If comedian Bill Maher had read this story --

      That doesn't solve the problem though, as mentioned in a previous post, USB sex toys could contain malware just as easily as anything else.

      1. Someone_Somewhere

        Re: USB sex toys could contain malware

        Certainly adds a new dimension to the concept of catching something nasty as a result of sexually related activity.

        Important point: don't share needles or dildos, kids!

    2. allthecoolshortnamesweretaken

      Re: If comedian Bill Maher had read this story --

      If you are not fainthearted or of a nervous disposition, ask someone who works (or used to work) in an ER about the stuff that can be found up people's rectums.

      (Shoving things up your ass will get you into trouble with the RSPCA, BTW.)

  13. A Ghost
    Holmes

    This is what I would do

    if I wanted to deploy this particular malware:

    First off, if this trojan is pre-installed on shop bought devices via firmware, then this trick won't work, for reasons which should be obvious.

    It's a frightening thought to think that whole batches of particular factory built usb sticks/drives etc. have this on them. It's best not to think about it, and there's not a lot you can do anyway. Just assume that all devices everywhere are compromised.

    Now, to use this malware effectively, it is one thing to get it on to the air-gapped machine, but another to get it back off. If I understand the article correctly, the whole point of this device is to pilfer data, hide it, and then hope to be later connected to a network for retrieval. One could just infect a whole brand range of these devices and hope to get lucky, but more likely, social engineering is used in the form of a directed attack via the old 'Oh someone dropped their USB stick on the floor while they were fiddling for their keys to get into their car - I wonder if they put anything smutty on it of the wife' trick. Works for me!

    Once the USB is placed in the target area (car park etc.) you wait and hope for a catch.

    Once someone picks this up, they have three choices:

    1: Look what is on there via the home computer (sensible if you are being nosey)

    2: Look what is on there via the work computer (not sensible at all)

    3: Hand in the USB stick to lost property or just throw it into the ocean (most sensible but least likely of all)

    The most sensible will dispose of it forthwith. Those who are fallible humans (like most of us) will take it home and put it on an old sacrificial machine and have a looksee. The truly stupid (and these are your marks) will not be able to contain their anticipation and plug it into the computer at work - this is assuming that they are coming in to work and not leaving for home.

    We don't care about those that dispose of it. We don't really care that much about those that take it home and put it on an old machine. We are looking for the mugs that put it on the works air gapped machine in the hope of finding some smut or perhaps state secrets - who knows?

    Now, this is the trick, and remember our whole use case is based around the mark plugging this into the work compo. WE PUT LOTS OF FILTHY PORN ON IT!

    Yup, that's right. It's the sensible thing to do when we go fishing. Why? Well, we want the mark to think he has made a catch, that he is the fisherman and he got the bite, not that he is the fish. If we put nothing on that usb stick, he might have so many he would just throw it away. There is much less chance of him taking it home to put onto his (probably) netted up compo.

    If there is lots of filthy kinky porn on there - put something on for everyone's tastes (hell, it doesn't even have to be legal - we are the government remember, we can do wtf we like, who's gonna stop us? We are above the law), then the most highly probable thing that person will do after giving it a quick check, will be to put it back into his pocket after shouting 'BINGO' at the top of his voice, to peruse later on in a safer environment.

    He probably won't even open the files at work. He might, but there is a good chance he won't. Too late, the system has been infected and the data has been slurped for later retrieval and transmission back to the control centre.

    When he gets home, he doesn't even need to put that on a machine that is connected to the net. Merely plugging it in will cause the trojan to be planted on whatever machine, including the stored data, obfuscated, encrypted and hidden from view, even to us 'experts'. Then, when he plugs in another usb device, that data will then be written to the new drive, and will wait to be put on to a machine that does connect to the net.

    It might be a day, it might be a month or a year, but sooner or later, there is a very good chance that you now have your fish, filleted and on a plate and ready for consumption. Mmmm...

    Moral of this story: Never, ever plug in a usb stick you find on the floor near your work etc.

    That said, it's probably safe to trust the ones you buy in a store, but then again, when the malware is embedded so deep into the system in such a sophisticated manner, no one can really tell.

    Just look out for temptation if you work in a sensitive area, and do your best to resist it.

    1. Charles 9

      Re: This is what I would do

      "Just look out for temptation if you work in a sensitive area, and do your best to resist it."

      Not going to do much good if the spy locates an official stick used for transport and SWAPS it out with an identical-looking tainted one (complete with any signatures it may need to carry).

  14. Anonymous Coward
    Linux

    Stealthy targeted USB trojan?

    Let me see if I understand the technicalities: Download and run compromised portable apps and your Windows computer risks getting compromised?

  15. Anonymous Coward

    Catches fools only?

    You would think that someone who takes the trouble to airgap a system would also put in anti-USB countermeasures, seeing as that is such a common vector.

  16. Asterix the Gaul

    I always format and scan USB drives before first use & whenever I save any downloads to them.

    I occasionally check Task Manager to see what's running & any 'Trojan' app is going to grab my attention pretty quickly.

    Secondly, no one is going to succeed in gaining any data from an 'offline' PC, unless they have online access, or direct physical access with their own USB stick, without getting sussed in what they are up to.

    NOT in my household anyway.

    1. Charles 9

      "I occasionally check Task Manager to see what's running & any 'Trojan' app is going to grab my attention pretty quickly."

      NOT if it's a trojan running ON TOP of an existing legitimate app. That's how this thing works. It hitches a ride on a genuine portable app making them part and parcel.

  17. Richard 12 Silver badge

    It can clearly only be a directly targeted attack

    As presumably the Trojan is inside something the user expected to find on the stick - otherwise they would not run it.

    Perhaps part of a "System Restore" function for the particular air-gapped system that's either being repaired or being wiped for sale?

  18. DCFusor

    Examples

    This is so already done: http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649

    A skiddie can do it. No, it doesn't take even close to a state level actor either, though such might be both the main customers and targets.

    These guys showed how in 2013: http://www.bunniestudios.com/blog/?p=3554

    Just a couple of smart guys. It's not that hard, people.

    All USB devices have an internal controller, most storage devices a rather fancy one to handle the horrible reliability of flash (wear leveling, bad block detection and remapping etc). It's usually a reasonably potent processor.

    Problem is potentially worse with hard drives or in fact, any of the uP's inside a modern computer that help control devices (including the bios for the mobo). After all - this isn't the days where you have to move a jumper to reflash something - save a penny, make it more convenient for the customer and security, what's that? Rather than get it right, manufacturers make all this stuff reflashable. On top of that, they give you a free program to do it, and access to the original code, as well as the update. It doesn't take a genius to take it from there and do "whatever".

    This field-reflashability is due to manufacturers not being willing to get it right on the first try before marketing their trash, and not wanting the cost of returns when they make mistakes. "Just download the latest patch".

    A storage device might report fewer blocks than it really has and keep the stuff it plans to exfiltrate on those extras. dd won't touch them as it can't see them either - the malicious code in the uP can easily prevent that. dd would only catch very poorly written attacks.

    The USB standard itself is irretrievably broken. All USB drivers on the computer side trust the device to tell them what it is, and whatever it says is believed. If a device says it's a USB stick one second, it can disconnect and reconnect and be a keyboard the next, a CD drive or modem next, or all at once (though that many things popping up on some opsys might garner the attention of even a dumb user). However, damage can be done so fast, it might not have time to screen draw before it's too late.

    1. Charles 9

      Re: Examples

      If USB is broken, then hardware in general is broken because there is absolutely nothing being done that cannot be done another way by another bad actor posing as a good one. It's full on DTA mode with no alternative. You either get nothing done or run the risk of a backstab. No third option.
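Several commenters above ask where a trojan like this, or the data it collects, could hide on the stick (a hidden partition, masked free space), and Stoneshop suggests inspecting the stick's low-level structures from a sacrificial box before it goes anywhere near the real machine. The following is an added example, not from the article or from ESET, of the kind of check that box would run: it parses an MBR partition table from a constructed 512-byte image and reports sectors that no partition accounts for, overlapping entries, and entries that run past the device's reported size. Its blind spot is exactly the one DCFusor describes: if the controller firmware under-reports the device's block count, nothing the host reads, this parser and dd included, will reveal the extra blocks. The sample images, `TOTAL`, and the `ALIGNMENT_SLACK` threshold are assumptions.

```python
"""Parse a stick's MBR and audit what the partition table accounts for.
Added example with constructed sector images; it cannot see capacity that
the device's controller firmware withholds from the host."""
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR = 512
MBR_SIG = b"\x55\xaa"
PART_TABLE_OFF = 446          # four 16-byte entries at 446..509, signature at 510
ALIGNMENT_SLACK = 2048        # a 1 MiB leading gap is normal on modern formatting tools (assumed threshold)


@dataclass(frozen=True)
class Partition:
    index: int
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:      # exclusive
        return self.lba_start + self.sectors


def parse_mbr(sector0: bytes) -> list[Partition]:
    """Return the non-empty primary partition entries, sorted by start LBA."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIG:
        raise ValueError("no MBR boot signature (GPT, blank, or not a partition table)")
    parts: list[Partition] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        _status, _chs0, ptype, _chs1, lba, count = struct.unpack("<B3sB3sII", sector0[off:off + 16])
        if ptype == 0x00 or count == 0:
            continue
        parts.append(Partition(i, ptype, lba, count))
    return sorted(parts, key=lambda p: p.lba_start)


def audit(parts: list[Partition], total_sectors: int) -> dict:
    """Compare the table against the capacity the device reports.
    gaps: (start, end) sector ranges no partition covers, sector 0 excluded
    suspicious_gaps: gaps larger than the usual alignment slack
    overlaps / out_of_range: entry indexes that collide or exceed the device"""
    findings: dict = {"gaps": [], "overlaps": [], "out_of_range": []}
    cursor = 1                     # sector 0 holds the MBR itself
    for p in parts:
        if p.lba_end > total_sectors:
            findings["out_of_range"].append(p.index)
        if p.lba_start < cursor:
            findings["overlaps"].append(p.index)
        elif p.lba_start > cursor:
            findings["gaps"].append((cursor, p.lba_start))
        cursor = max(cursor, p.lba_end)
    if cursor < total_sectors:
        findings["gaps"].append((cursor, total_sectors))
    findings["suspicious_gaps"] = [g for g in findings["gaps"] if g[1] - g[0] > ALIGNMENT_SLACK]
    return findings


# --- constructed sample images (assumed layouts, not dumps of real devices) ---
def build_mbr(entries: list[tuple[int, int, int]]) -> bytes:
    """entries: (type_id, lba_start, sectors). CHS fields are left zero, as LBA-only tools do."""
    img = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries):
        off = PART_TABLE_OFF + 16 * i
        img[off:off + 16] = struct.pack("<B3sB3sII", 0x80 if i == 0 else 0x00, b"\0\0\0",
                                        ptype, b"\0\0\0", lba, count)
    img[510:512] = MBR_SIG
    return bytes(img)


TOTAL = 15_000_000                                    # sectors the device reports (~7.15 GiB)
CLEAN_MBR = build_mbr([(0x0C, 2048, TOTAL - 2048)])   # one FAT32 partition filling the device
HIDDEN_TAIL_MBR = build_mbr([(0x0C, 2048, 4_000_000)])  # same, but 5+ GiB unaccounted for at the end


if __name__ == "__main__":
    for label, img in (("clean", CLEAN_MBR), ("hidden tail", HIDDEN_TAIL_MBR)):
        r = audit(parse_mbr(img), TOTAL)
        print(f"{label}: gaps={r['gaps']} suspicious={r['suspicious_gaps']} "
              f"overlaps={r['overlaps']} out_of_range={r['out_of_range']}")
```

On a real stick the 512 bytes come from reading sector 0 of the raw block device and `total_sectors` from the device's reported size; a large trailing gap is worth a raw read of that range, and a table that overlaps or overruns the device is reason enough to bin the stick. None of this says anything about the controller: a firmware that hides blocks will present a tidy table over a smaller device and pass this check.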
