Victoria Police warn of malware-laden USB sticks in letterboxes

Police in the Australian State of Victoria have warned citizens not to trust un-marked USB sticks that appear in their letterboxes. The warning, issued today, says “The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices.” “Upon …

Happy

What size?

Just thinking of putting them into a linux box and wiping them...

36
1

Re: What size?

While I do not think this particular incident depends on it, keep BadUSB in mind.

Linux, I believe, is vulnerable. Indeed, a Windows machine with an AV package that's aware of this is probably in a better position than the typical Linux installation with no AV at all.

No, it's best to only use UFDs you personally depackaged after getting them through a reliable chain of supply from a reputable manufacturer. $deity knows they're cheap enough!

8
21
Anonymous Coward

Re: What size?

Linux, I believe, is vulnerable.

RISC platforms included?

13
0
Silver badge
Devil

Re: What size?

"Linux, I believe, is vulnerable."

ONLY if you use a distro that has auto-play auto-enabled and you didn't shut that @#$% off

In my machines, even automount is VERBOTEN

18
5

Re: What size?

Nope. In order to even recognise that there's a USB device plugged in, the kernel has to talk to it before any consideration of mounting a filesystem from it comes up, which means the USB device firmware has an avenue of attack. That's the BadUSB thing -

https://nakedsecurity.sophos.com/2014/08/02/badusb-what-if-you-could-never-trust-a-usb-device-again/

12
0
Silver badge

Re: What size?

Nope. In order to even recognise that there's a USB device plugged in, the kernel has to talk to it before any consideration of mounting a filesystem from it comes up, which means the USB device firmware has an avenue of attack.

Even though it looks like a memory stick, the firmware inside its microcontroller doesn't have to implement that. It could be programmed to identify itself as a keyboard instead (or as well). Now it creates a terminal window and types a few commands with your privileges.

17
0
Headmaster

Re: What size?

If you can gain access to such a rare machine, formatting the USB sticks in a non-web-facing Amiga/Pegasos is pretty safe.

3
0
Linux

Re: What size?

Using RubberDucky payloads it would have to be pre-programmed for either Windows keys and commands or for Linux specifically.

So in the case of USB through the post, the chances of a Linux payload would be non-existent unless it is a targeted attack. Security through obscurity sometimes lowers the chance of problems dramatically, even if not recommended as a rule.

10
1

Re: What size?

Too long since posting to edit the previous post.

Wanted to add that the other payloads are driver installs, so the USB can pretend to be a network interface to intercept traffic for instance. These would also need to be Windows or Linux specific drivers, with Linux handling it quite differently.

The point being I don't think it's possible to make a cross platform BadUSB that works on Mac + linux + windows, although no doubt the future will prove me wrong.

8
0
Anonymous Coward

Re: What size?

That was my first question as well: too small, then why bother; any other size, just run them through our box that is designed just for that.

1
0

Re: What size?

I'm pretty certain that it would be possible to use timing information, command sequences and the like to allow a stick to detect what the platform is that it has been plugged into. It seems to take Windows 10+ seconds to initialize a simple keyboard, so I'm sure there are timings in there which can be detected.

1
1
Silver badge

Re: What size?

"Linux, I believe, is vulnerable."

Linux can be run from a live CD. Good luck with infecting that.

9
1
Silver badge

Re: What size?

@Dr Syntax:

"Linux can be run from a live CD. Good luck with infecting that".

Quite right.

BUT

A really malicious device subverts the BIOS. So do the initial usb wipe on a machine you can afford to lose. And then wipe your BIOS.

6
0
Silver badge

Re: What size?

"A really malicious device subverts the BIOS. So do the initial usb wipe on a machine you can afford to lose. And then wipe your BIOS."

Unless, of course, BadUSB prevents you from doing so. Plus if it manages to get onto a system and find a way to root it or whatever, it may go on to silently infect other firmware it could find (like drive controllers) and infect them one-way, to the point not even nuking from orbit can be sure.

4
1

Re: What size?

Considering the cost of a USB stick, why bother?

2
0
Silver badge

Re: What size?

And you check the integrity of the onboard processors and their hidden storage areas how, exactly?

3
0
Silver badge

Re: What size?

Oh dear, the Linux fanboy ignorance and arrogance is still alive and well, isn't it. Have you never heard of in-memory malware? Never heard of bootloaders or persistence via microcode in the NIC / storage/ video controllers? SMM ring any bells? IPMI? BMC?

6
3
Anonymous Coward

Re: What size?

@ Tom Paine

You are talking to a bunch of Linux script kiddies, very few of them understand what you are saying.

0
4
Anonymous Coward

Re: What size?

Oh dear, the Linux fanboy ignorance and arrogance is still alive and well, isn't it. Have you never heard of in-memory malware? Never heard of bootloaders or persistence via microcode in the NIC / storage/ video controllers? SMM ring any bells? IPMI? BMC?

Okay, to my mind, a malicious USB device has a few ways to infect a machine:

You can try attacking the USB stack on the host, wherein you're basically trying to find an arbitrary code exploit when reading USB device descriptors or in how USB packets are parsed by the driver. Successful exploitation would gain kernel-level privileges which would then permit persistence as you describe.

You can try emulating a network device, in which case then you can start attacking the machine as if you were another system on the local network. Tricky, but doable.

HID devices are a possibility, however as you can't see what's being typed/clicked, you're attacking blind. Logo Key+R on a Windows box might pop up the Run command, but that same key combo will do nothing on my box.

USB storage is the other avenue I see, and you might be able to trick applications into loading up shell code, but you're assuming a lot there since the OS may cache things in RAM, not expecting the block to suddenly change "on-disk".

In all the above examples however, it relies on the payload being executable by the host. If the host is a modern IBM PC compatible, then yes, you're probably safe going with x86-64 code.

If you make that assumption though it'll be bad luck for you if your target decided to use a Raspberry Pi or their old 2003-era iBook to check out your USB stick.

2
0
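The avenues this post lists (host USB stack, emulated network device, HID, storage), together with the "identifies itself as a keyboard instead, or as well" point made earlier in the thread, are exactly what device-level allowlisting on the host is meant to catch. The following Python is an added example, not code from the thread or from any tool it mentions: it parses a constructed descriptor dump and flags a device that claims to be a flash drive but also presents a HID or network interface, or that is not on an allowlist of known vendor:product IDs. The dump format, the IDs and the allowlist are made up for illustration; the class codes are the standard USB-IF interface class codes. In production the same policy would be read from sysfs and enforced by something like usbguard before the kernel binds a driver.

```python
"""Policy check for newly enumerated USB devices (added example, not code from
the thread): parse a constructed descriptor dump and flag devices whose
interface classes don't match the kind of device they claim to be."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# USB-IF interface class codes relevant to the BadUSB discussion.
CLASS_CDC_CONTROL = 0x02   # communications class (CDC-ECM/NCM network adapters)
CLASS_HID = 0x03           # keyboards, mice
CLASS_MASS_STORAGE = 0x08  # what a "memory stick" is supposed to be
CLASS_CDC_DATA = 0x0A      # data half of a CDC network adapter
CLASS_WIRELESS = 0xE0      # wireless controller class (e.g. RNDIS adapters)

NETWORK_CLASSES = {CLASS_CDC_CONTROL, CLASS_CDC_DATA, CLASS_WIRELESS}


@dataclass
class UsbDevice:
    vendor_id: int
    product_id: int
    product: str
    iface_classes: Set[int] = field(default_factory=set)


def parse_dump(text: str) -> List[UsbDevice]:
    """Parse the constructed line format used below:
       device <vid>:<pid> <product name>
         iface <number> class <hex class code>
    A real deployment would read /sys/bus/usb/devices/*/bInterfaceClass instead."""
    devices: List[UsbDevice] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "device":
            vid, pid = parts[1].split(":")
            devices.append(UsbDevice(int(vid, 16), int(pid, 16), " ".join(parts[2:])))
        elif parts[0] == "iface":
            if not devices:
                raise ValueError("interface line before any device line")
            devices[-1].iface_classes.add(int(parts[3], 16))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return devices


def assess(dev: UsbDevice, allowlist: Dict[Tuple[int, int], Set[int]]) -> List[str]:
    """Return policy findings for one device; an empty list means 'allow'."""
    findings: List[str] = []
    expected = allowlist.get((dev.vendor_id, dev.product_id))
    if expected is None:
        findings.append("vendor:product not on the allowlist")
    elif dev.iface_classes != expected:
        findings.append("interface classes differ from the allowlisted profile")
    # A flash drive that also types or talks on the network is the BadUSB pattern.
    if CLASS_MASS_STORAGE in dev.iface_classes and CLASS_HID in dev.iface_classes:
        findings.append("storage device also presents a HID (keyboard/mouse) interface")
    if CLASS_MASS_STORAGE in dev.iface_classes and dev.iface_classes & NETWORK_CLASSES:
        findings.append("storage device also presents a network interface")
    return findings


def decide(text: str, allowlist: Dict[Tuple[int, int], Set[int]]) -> Dict[str, List[str]]:
    """Map each device's product name to its findings (empty list = allowed)."""
    return {dev.product: assess(dev, allowlist) for dev in parse_dump(text)}


# Constructed sample: the IDs and names are placeholders, not real devices.
SAMPLE_DUMP = """
device 1234:0001 Corporate-issued flash drive
  iface 0 class 08
device 1234:0002 Unknown letterbox stick
  iface 0 class 08
  iface 1 class 03
device 5678:0003 Promo stick
  iface 0 class 08
  iface 1 class 02
  iface 2 class 0a
"""

# Only the corporate drive, and only as pure mass storage, is authorised.
SAMPLE_ALLOWLIST = {(0x1234, 0x0001): {CLASS_MASS_STORAGE}}

if __name__ == "__main__":
    for name, findings in decide(SAMPLE_DUMP, SAMPLE_ALLOWLIST).items():
        verdict = "allow" if not findings else "BLOCK - " + "; ".join(findings)
        print(f"{name}: {verdict}")
```

The allowlist is keyed on vendor:product and pins the exact set of interface classes, so a stick that later re-enumerates with an extra keyboard interface is rejected even if its IDs are known. That is a default-deny stance: a device proves it is the thing you expected, or the host never binds a driver to it.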
Silver badge

Re: What size?

But.. but... it's Linux! It's a Linux Live CD! The gold standard of security! That's bomb-proof, bullet-proof, virus-proof, social-engineering-proof, tiger-proof, velociraptor-proof, everything proof! Isn't it? It's the computing equivalent of walking the city streets, in the middle of the night, in January, wearing only a t-shirt, with your pitbull. Because you're that hard and scared of nothing.

But in all seriousness. These USB sticks are probably tiny and cost pennies. Big enough to deliver a load of viruses, but scarcely worth the effort/time/risk of re-formatting.

0
0

The safest way to handle them short of a large hammer...

Would be to put them in a cheap USB hub attached to a Raspberry Pi powered by a suitably current-limited DC supply, to which Pi you're logged in through the serial port. This allows you to safely peruse the malware on said stick without being pwned, and if it's a BadUSB device, only the $5 USB hub takes one for the team. What are the chances that the USB malware can pwn an ARM-based Pi without your being able to detect it?

You already KNOW (or should at a minimum assume) that there's malware on it, the only question is "what kind, and can I turn the tables on the rat-bastards?"

2
0
Silver badge

Or maybe it was targeted

...at an individual, with a load of other sticks distributed in the hope of making it appear more random?

One or two people were intended recipients and all the others were mere obfuscation, a physical form of spear phishing, if you like. Whilst the actual cost of a USB stick is low, even that cost and the effort of physical distribution seems odd when you can use email and dodgy websites near enough for free. From the perps' point of view, physical distribution is surely quite risky: even if the person delivering them didn't know what they were, he must have been paid by somebody to deliver them, and there's the risk of track-back.

Would seem to me there must be more value at stake than just hijacking a bunch of random computers.

28
0
Silver badge

Re: Or maybe it was targeted

"Would seem to me there must be more value at stake than just hijacking a bunch of random computers."

Since the proliferation of online banking, even a simple keystroke logger would be all that is required to offset the initial costs of purchase and distribution (if it is indeed a random attack).

15
0
Silver badge

Stolen goods?

Maybe somebody stole a box full of USB sticks, in which case, the cost of the attack is considerably less.

4
0
Silver badge

Re: Or maybe it was targeted

Looking at it from a purely economic point of view, the profitability is simply a function of (percentage chance of someone plugging it in times percentage chance of them running a vulnerable system times ransom revenue per infection) minus the cost of the USB sticks. The sort of scum that would do this would have no reason to avoid the 5 finger discount at officeworks/hardly normal so let's assume that is not a big factor.

The low-key distribution then minimises the chance of detection, as it is much less likely to hit the major mastheads or TV news.

Combined with some phishing, this is indeed a powerful attack vector. I mean, it isn't too hard to find some large company (eg Telstra), fake an envelope with their logo, a short cover letter advertising some new Foxtel streaming tie-in and say there are some previews on the stick. Then a cheeky final line saying that even if you don't wish to subscribe, we hope you enjoy this 4GB USB stick.

A few logo stickers on the USB stick and even a few of us commentards may have been fooled. Some delayed execution of the malware would make detection very difficult indeed.

2
0
Silver badge
Happy

I'd have a play with one.

I've got a couple of very old boxes knocking around so might fire one of them up for this (not on any network of course) just to see what happens. If the worst happens, all it means is I end up with a computer shaped hole in my junk cupboard.

11
0
Silver badge

Re: I'd have a play with one.

And how will you know whether the worst has happened?

0
0
Silver badge

"Not trust unmarked"

Hehe... Next "campaign" will have Coca Cola or McDonalds emblazoned on them and come attached to some fake marketing promo.

24
0
Anonymous Coward

Re: "Not trust unmarked"

Hehe... Next "campaign" will have Coca Cola or McDonalds emblazoned on them and come attached to some fake marketing promo.

Yup. It'll have a flyer for either something "free" or "win" [whatever], which tends to be enough incentive for people to abandon all caution.

3
0
Silver badge
Facepalm

Re: "Not trust unmarked"

Fake marketing promo?

Ha ha ha ha!

Very possible for a GENUINE marketing promo to be distributing malware laden USB sticks. Possibly even unmarked!

7
0
Anonymous Coward

Live Linux?

Boot DVD without writable media attached, no net access (or local network only, slow-proxy with packet sniff), have a look from there, see where it wants to call.

11
2
Silver badge
Pirate

Re: Live Linux?

OK, live boot into memory, no other media attached, remove boot media when running.

Insert dubious stick.

You'd need a very custom live system to prevent the possibility of something on the dodgy stick attacking and backdooring the hardware firmware in a subtle way and then taking it from there.

'Specially as you'd have no idea what it might be trying to do in the first place and you'd need to try to second guess everything.

Beyond the wit of most of us methinks. I'm beginning to think that the Amstrad PCW had a lot going for it. Life was kinder then.

7
1
Silver badge

Re: Live Linux?

"You'd need a very custom live system to prevent the possibility of something on the dodgy stick attacking and backdooring the hardware firmware in a subtle way and then taking it from there."

Raspberry Pi running from write-protected SD-card.

4
1
Silver badge

Re: Live Linux?

"Raspberry Pi running from write-protected SD-card."

Known hardware. Would probably find a way to pwn the SoC and find firmware to overwrite from there. Plus there's no guarantee the evil device doesn't include an internal whispernet adapter that means it can link up simply by plugging in.

1
2

Bruce Robot?

Strewth!

0
0
Silver badge
Pint

The urge to execute arbitrary code is growing stronger...

We're only about one step away from having our computers wandering the Internet during the wee hours, seeking out code snippets to execute.

Black hat hackers should next concentrate on Wifi, Bluetooth, and so on. See if there's some exploit so that malware can be spread via the SSID or something similar. Your device will spot the malformed SSID broadcast, and succumb to the inevitable urge to execute any code found therein.

How about Siri and Cortana? Can the sound of crashing waves lead them to spot executable numbers passing by in the sampled white noise? 'Hey code!' So they'll dive in and execute.

It's getting ridiculous.

3
0
Silver badge

Re: The urge to execute arbitrary code is growing stronger...

So what are you going to do? Go back to the Sears catalog? Oh, that's right. The State is now savvy enough to pose as Sears. Back to horse and manure piles and life expectancies under 60?

1
1
Silver badge

Re: The urge to execute arbitrary code is growing stronger...

"We're only about one step away from having our computers wandering the Internet during the wee hours, seeking out code snippets to execute."

That's more or less what most cats do - so we need to come up with the computer equivalent of neutering a pet to prevent unwanted consequences. Thoughts, anyone?

1
0
Silver badge
Pint

Re: The urge to execute arbitrary code is growing stronger...

More like a toddler that finds something on the floor and inevitably eats it.

That's what modern computers are like.

We're so close to the point where malware source code could be spray painted on the sidewalk, and any passing smartphone would see it, and - of course - immediately compile it and execute it.

It's actually already ridiculous. E.g. Malware in images or other media files.

2
0
Silver badge

Re: The urge to execute arbitrary code is growing stronger...

Sounds good, where do I sign?

0
0

Re: The urge to execute arbitrary code is growing stronger...

Just so. Compare with the 1980s direct equivalent of a USB stick, the floppy disc. With a floppy, the interface between drive and system was simple, and being so simple, was dead easy to secure and trust.

In this instance, you simply typed "format a:" before attempting to read the drive. 100% success rate.

If you wanted to write-protect a disc, there was a physical switch. Flip that switch and no electronic tricks could get around it. (Hacking the mechanics of the disc drive would work, but that is a physical attack.)

Simple is good.

0
0
Anonymous Coward

If something is free...

...you are the product being sold.

2
2
Anonymous Coward

Re: If something is free...

Or we grew too many courgettes and we're giving away the surplus, Mr. Glass-half-empty!

5
0
Anonymous Coward

Re: If something is free...

"Or we grew too many courgettes and we're giving away the surplus, Mr. Glass-half-empty!"

There's no such thing as Altruism. Even behaviour such as giving away stuff for free, for non-commercial purposes, has benefit to the giver in terms of 'feel-good' factor at least, and potentially leverage in future for good deeds done and expected in return.

Any company, however, issuing something for free, like free Facebook or free gifts, is using YOU as the commodity. They will either be selling your personal information, or targeting you with marketing to get you to buy something.

Don't be naive - if something is free, then there is always a price to be paid by the recipient.

1
6

Re: If something is free...

What are the numerous *nix distro providers after then?

5
0
Anonymous Coward

Re: If something is free...

"There's no such thing as Altruism."

"Don't be naive - if something is free, then there is always a price to be paid by the recipient."

NO such thing? ALWAYS? Then explain small churches and such that operate charity kitchens and the like.

5
1
Anonymous Coward

Re: If something is free...

"NO such thing? ALWAYS? Then explain small churches and such that operate charity kitchens and the like."

The Church is one of the wealthiest organisations, that has a massive property portfolio and pays no tax.

Like I said. Naive.

4
5

This post has been deleted by its author

Anonymous Coward

Re: If something is free...

"What are the numerous *nix distro providers after then?"

An opportunity for their product placement to get into the hands of the masses, a subset of whom will become advocates, who go on to buy SLES/RedHat support for their Enterprises rather than Windows.

Do you think Google giving away Android for free has anything to do with them being altruistic? It's about market penetration and displacing the incumbent vendors and getting market share so they can continue the sales pipelines down these platforms.

No such thing as Altruism.

2
3
Silver badge

Re: If something is free...

"The Church"

Which one? Last time I looked, there was more than one.

6
0


Biting the hand that feeds IT © 1998–2018