Victoria Police warn of malware-laden USB sticks in letterboxes

Police in the Australian State of Victoria have warned citizens not to trust un-marked USB sticks that appear in their letterboxes. The warning, issued today, says “The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices.” “Upon …

  1. Anonymous Coward

    What size?

    Just thinking of putting them into a linux box and wiping them...

    1. RIBrsiq

      Re: What size?

      While I do not think this particular incident depends on it, keep BadUSB in mind.

      Linux, I believe, is vulnerable. Indeed, a Windows machine with an AV package that's aware of this is probably in a better position than the typical Linux installation with no AV at all.

      No, it's best to only use UFDs you personally depackaged after getting them through a reliable chain of supply from a reputable manufacturer. $deity-knows they're cheap enough!

      1. Anonymous Coward

        Re: What size?

        Linux, I believe, is vulnerable.

        RISC platforms included?

      2. bombastic bob Silver badge

        Re: What size?

        "Linux, I believe, is vulnerable."

        ONLY if you use a distro that has auto-play auto-enabled and you didn't shut that @#$% off

        In my machines, even automount is VERBOTEN

        1. joeldillon

          Re: What size?

          Nope. In order to even recognise that there's a USB device plugged in, the kernel has to talk to it before any consideration of mounting a filesystem from it comes up, which means the USB device firmware has an avenue of attack. That's the BadUSB thing -

          https://nakedsecurity.sophos.com/2014/08/02/badusb-what-if-you-could-never-trust-a-usb-device-again/

          1. Anonymous Coward

            Re: What size?

            Nope. In order to even recognise that there's a USB device plugged in, the kernel has to talk to it before any consideration of mounting a filesystem from it comes up, which means the USB device firmware has an avenue of attack.

            Even though it looks like a memory stick, the firmware inside its microcontroller doesn't have to implement that. It could be programmed to identify itself as a keyboard instead (or as well). Now it creates a terminal window and types a few commands with your privileges.

      3. AbelSoul

        Re: What size?

        If you can gain access to such a rare machine, formatting the USB sticks in a non-web-facing Amiga/Pegasos is pretty safe.

      4. NonSSL-Login

        Re: What size?

        Using RubberDucky payloads it would have to be pre-programmed for either Windows keys and commands or for Linux specifically.

        So in the case of USB through the post, the chances of a Linux payload would be non-existent unless it is a targeted attack. Security through obscurity sometimes lowers the chance of problems dramatically, even if not recommended as a rule.

      5. NonSSL-Login

        Re: What size?

        Too long since posting to edit the previous post.

        Wanted to add that the other payloads are driver installs, so the USB can pretend to be a network interface to intercept traffic for instance. These would also need to be Windows or Linux specific drivers, with Linux handling it quite differently.

        The point being I don't think it's possible to make a cross platform BadUSB that works on Mac + linux + windows, although no doubt the future will prove me wrong.

        1. The Mole

          Re: What size?

          I'm pretty certain that it would be possible to use timing information, command sequences and the like to allow a stick to detect what the platform is that it has been plugged into - it seems to take Windows 10+ seconds to initialize a simple keyboard, so I'm sure there are timings in there which can be detected.

      6. Doctor Syntax Silver badge

        Re: What size?

        "Linux, I believe, is vulnerable."

        Linux can be run from a live CD. Good luck with infecting that.

        1. Primus Secundus Tertius

          Re: What size?

          @Dr Syntax:

          "Linux can be run from a live CD. Good luck with infecting that".

          Quite right.

          BUT

          A really malicious device subverts the BIOS. So do the initial usb wipe on a machine you can afford to lose. And then wipe your BIOS.

          1. Charles 9

            Re: What size?

            "A really malicious device subverts the BIOS. So do the initial usb wipe on a machine you can afford to lose. And then wipe your BIOS."

            Unless, of course, BadUSB prevents you from doing so. Plus if it manages to get onto a system and find a way to root it or whatever, it may go on to silently infect other firmware it could find (like drive controllers) and infect them one-way, to the point not even nuking from orbit can be sure.

            1. Triggerfish

              Re: What size?

              Considering the cost of a USB stick, why bother?

        2. Tom Paine

          Re: What size?

          Oh dear, the Linux fanboy ignorance and arrogance is still alive and well, isn't it. Have you never heard of in-memory malware? Never heard of bootloaders or persistence via microcode in the NIC / storage/ video controllers? SMM ring any bells? IPMI? BMC?

          1. Anonymous Coward

            Re: What size?

            @ Tom Paine

            You are talking to a bunch of Linux script kiddies, very few of them understand what you are saying.

          2. Anonymous Coward

            Re: What size?

            Oh dear, the Linux fanboy ignorance and arrogance is still alive and well, isn't it. Have you never heard of in-memory malware? Never heard of bootloaders or persistence via microcode in the NIC / storage/ video controllers? SMM ring any bells? IPMI? BMC?

            Okay, to my mind, a malicious USB device has a few ways to infect a machine:

            You can try attacking the USB stack on the host, wherein you're basically trying to find an arbitrary code exploit when reading USB device descriptors or in how USB packets are parsed by the driver. Successful exploitation would gain kernel-level privileges which would then permit persistence as you describe.

            You can try emulating a network device, in which case then you can start attacking the machine as if you were another system on the local network. Tricky, but doable.

            HID devices are a possibility, however as you can't see what's being typed/clicked, you're attacking blind. Logo Key+R on a Windows box might pop up the Run command, but that same key combo will do nothing on my box.

            USB storage is the other avenue I see, and you might be able to trick applications into loading up shell code, but you're assuming a lot there since the OS may cache things in RAM, not expecting the block to suddenly change "on-disk".

            In all the above examples however, it relies on the payload being executable by the host. If the host is a modern IBM PC compatible, then yes, you're probably safe going with x86-64 code.

            If you make that assumption though it'll be bad luck for you if your target decided to use a Raspberry Pi or their old 2003-era iBook to check out your USB stick.
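The keyboard-as-well point made earlier in this thread, and the list of avenues in the post just above (attack the host's descriptor parsing, emulate a network device, emulate a HID, plain storage), both come down to what the device says in its configuration descriptor before anything is mounted. The following is an added example, not code from any commenter or from the Sophos article: it walks a USB configuration descriptor the way a host stack has to, reports a "memory stick" that also enumerates a keyboard or network interface, and refuses a descriptor whose bLength would run past the buffer, which is the bug class the exploit-the-USB-stack avenue relies on. The descriptor bytes are constructed for the demonstration; the class codes are the standard USB-IF ones.

```python
import struct
from dataclasses import dataclass
from typing import List

DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21

CLASS_NAMES = {
    0x02: "CDC control (a network adapter announces itself here)",
    0x03: "HID (keyboard/mouse)",
    0x08: "mass storage",
    0x0A: "CDC data",
    0xE0: "wireless controller (RNDIS network uses this class)",
}
# A device sold as a memory stick has no business exposing any of these alongside storage.
NOT_EXPECTED_ON_A_STICK = {0x02, 0x03, 0x0A, 0xE0}


class DescriptorError(ValueError):
    """Raised instead of reading past the end of the buffer."""


@dataclass
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int


def parse_configuration(blob: bytes) -> List[Interface]:
    """Walk a configuration descriptor and its sub-descriptors, checking every length
    field against the data actually received before it is used."""
    if len(blob) < 9:
        raise DescriptorError("configuration descriptor truncated")
    b_length, b_type, w_total, b_num_if = struct.unpack_from("<BBHB", blob, 0)
    if b_length != 9 or b_type != DT_CONFIGURATION or w_total < 9:
        raise DescriptorError("not a configuration descriptor")
    if w_total > len(blob):
        raise DescriptorError(f"wTotalLength {w_total} > {len(blob)} bytes received")
    interfaces: List[Interface] = []
    off = b_length
    while off < w_total:
        if w_total - off < 2:
            raise DescriptorError(f"dangling byte at offset {off}")
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > w_total:
            raise DescriptorError(f"descriptor at {off} claims {length} bytes, {w_total - off} remain")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise DescriptorError(f"interface descriptor at {off} too short")
            num, _alt, _eps, cls, sub, proto = struct.unpack_from("<6B", blob, off + 2)
            interfaces.append(Interface(num, cls, sub, proto))
        off += length   # skip endpoint, HID and vendor descriptors by their own length
    if len({i.number for i in interfaces}) != b_num_if:
        raise DescriptorError("bNumInterfaces does not match the interfaces present")
    return interfaces


def assess(interfaces: List[Interface]) -> List[str]:
    """Findings for a device that is supposed to be nothing but storage."""
    findings = []
    classes = {i.cls for i in interfaces}
    if 0x08 in classes:
        for c in sorted(classes & NOT_EXPECTED_ON_A_STICK):
            findings.append(f"storage device also exposes {CLASS_NAMES[c]} (class 0x{c:02x})")
    for i in interfaces:
        if (i.cls, i.subclass, i.protocol) == (0x03, 0x01, 0x01):
            findings.append(f"interface {i.number} is a boot-protocol keyboard: it can type")
    return findings


# --- constructed descriptors for the demonstration -------------------------------------
def _cfg(num_interfaces: int, *descs: bytes) -> bytes:
    body = b"".join(descs)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), num_interfaces, 1, 0, 0x80, 50) + body

def _iface(num: int, cls: int, sub: int, proto: int, n_eps: int) -> bytes:
    return struct.pack("<9B", 9, DT_INTERFACE, num, 0, n_eps, cls, sub, proto, 0)

def _ep(addr: int, attrs: int, max_packet: int, interval: int) -> bytes:
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, attrs, max_packet, interval)

_HID = struct.pack("<BBHBBBH", 9, DT_HID, 0x0111, 0, 1, 0x22, 63)  # bcdHID 1.11, one report descriptor

STORAGE = _iface(0, 0x08, 0x06, 0x50, 2) + _ep(0x81, 0x02, 512, 0) + _ep(0x02, 0x02, 512, 0)  # SCSI, bulk-only
KEYBOARD = _iface(1, 0x03, 0x01, 0x01, 1) + _HID + _ep(0x83, 0x03, 8, 10)

HONEST_STICK = _cfg(1, STORAGE)
BADUSB_STICK = _cfg(2, STORAGE, KEYBOARD)                      # looks like a stick, also types
MALFORMED_STICK = _cfg(1, bytes([0xFF]) + STORAGE[1:])         # interface bLength claims 255 bytes

if __name__ == "__main__":
    for name, blob in (("honest", HONEST_STICK), ("badusb", BADUSB_STICK), ("malformed", MALFORMED_STICK)):
        try:
            print(name, assess(parse_configuration(blob)) or ["plain storage"])
        except DescriptorError as err:
            print(name, "rejected:", err)
```

The point of the length checks is that the kernel driver sits exactly where this parser sits, with the same untrusted bytes, and a missing check there is the kernel-level foothold described above; the assess() step is the policy a sandbox host (or usbguard-style allowlisting) would apply before binding a driver.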

          3. Just Enough

            Re: What size?

            But.. but... it's Linux! It's a Linux Live CD! The gold standard of security! That's bomb-proof, bullet-proof, virus-proof, social-engineering-proof, tiger-proof, velociraptor-proof, everything proof! Isn't it? It's the computing equivalent of walking the city streets, in the middle of the night, in January, wearing only a t-shirt, with your pitbull. Because you're that hard and scared of nothing.

            But in all seriousness. These USB sticks are probably tiny and cost pennies. Big enough to deliver a load of viruses, but scarcely worth the effort/time/risk of re-formatting.

      7. Steve Hersey

        The safest way to handle them short of a large hammer...

        Would be to put them in a cheap USB hub attached to a Raspberry Pi powered by a suitably current-limited DC supply, to which Pi you're logged in through the serial port. This allows you to safely peruse the malware on said stick without being pwned, and if it's a BadUSB device, only the $5 USB hub takes one for the team. What are the chances that the USB malware can pwn an ARM-based Pi without your being able to detect it?

        You already KNOW (or should at a minimum assume) that there's malware on it, the only question is "what kind, and can I turn the tables on the rat-bastards?"

    2. Anonymous Coward

      Re: What size?

      That was my first question as well. Too small, then why bother; any other size, just run them through our box that is designed just for that.

      1. Tom Paine

        Re: What size?

        And you check the integrity of the onboard processors and their hidden storage areas how, exactly?

  2. Anonymous Coward

    Or maybe it was targeted

    ...at an individual, with a load of other sticks distributed in the hope of making it appear more random?

    One or two people were intended recipients and all the others were mere obfuscation, a physical form of spear phishing, if you like. Whilst the actual cost of a USB stick is low, even that cost and the effort of physical distribution seems odd when you can use email and dodgy websites near enough for free. From the perps' point of view, physical distribution is surely quite risky - even if the person delivering them didn't know what they were, he must have been paid by somebody to deliver them, and there's the risk of track-back.

    Would seem to me there must be more value at stake than just hijacking a bunch of random computers.

    1. Khaptain Silver badge

      Re: Or maybe it was targeted

      "Would seem to me there must be more value at stake than just hijacking a bunch of random computers."

      Since the proliferation of online banking, even a simple keystroke logger would be all that is required to offset the initial costs of purchase and distribution (if it is indeed a random attack).

    2. Robert Carnegie Silver badge

      Stolen goods?

      Maybe somebody stole a box full of USB sticks, in which case, the cost of the attack is considerably less.

    3. Adam 1

      Re: Or maybe it was targeted

      Looking at it from a purely economic point of view, the profitability is simply a function of (percentage chance of someone plugging it in times percentage chance of them running a vulnerable system times ransom revenue per infection) minus the cost of the USB sticks. The sort of scum that would do this would have no reason to avoid the 5 finger discount at officeworks/hardly normal so let's assume that is not a big factor.

      The low-key distribution then minimises the chance of detection, as it is much less likely to hit the major mastheads or TV news.

      Combined with some phishing, this is indeed a powerful attack vector. I mean, it isn't too hard to find some large company (eg Telstra), fake an envelope with their logo, a short cover letter advertising some new foxtel streaming tie in and say there is some previews on the stick. Then a cheeky final line saying that even if you don't wish to subscribe, we hope you enjoy this 4GB USB stick.

      A few logo stickers on the USB stick and even a few of us commentards may have been fooled. Some delayed execution of the malware would make detection very difficult indeed.

  3. Will Godfrey Silver badge

    I'd have a play with one.

    I've got a couple of very old boxes knocking around so might fire one of them up for this (not on any network of course) just to see what happens. If the worst happens, all it means is I end up with a computer shaped hole in my junk cupboard.

    1. Tom Paine

      Re: I'd have a play with one.

      And how will you know whether the worst has happened?

  4. Voland's right hand Silver badge

    "Not trust unmarked"

    Hehe... Next "campaign" will have Coca Cola or McDonalds emblazoned on them and come attached to some fake marketing promo.

    1. Anonymous Coward

      Re: "Not trust unmarked"

      Hehe... Next "campaign" will have Coca Cola or McDonalds emblazoned on them and come attached to some fake marketing promo.

      Yup. It'll have a flyer for either something "free" or "win" [whatever], which tends to be enough incentive for people to abandon all caution.

    2. Mage Silver badge

      Re: "Not trust unmarked"

      Fake marketing promo?

      Ha ha ha ha!

      Very possible for a GENUINE marketing promo to be distributing malware laden USB sticks. Possibly even unmarked!

  5. Anonymous Coward

    Live Linux?

    Boot DVD without writable media attached, no net access (or local network only, slow-proxy with packet sniff), have a look from there, see where it wants to call.

    1. PNGuinn

      Re: Live Linux?

      OK, live boot into memory, no other media attached, remove boot media when running.

      Insert dubious stick.

      You'd need a very custom live system to prevent the possibility of something on the dodgy stick attacking and backdooring the hardware firmware in a subtle way and then taking it from there.

      'Specially as you'd have no idea what it might be trying to do in the first place and you'd need to try to second guess everything.

      Beyond the wit of most of us methinks. I'm beginning to think that the Amstrad PCW had a lot going for it. Life was kinder then.

      1. Doctor Syntax Silver badge

        Re: Live Linux?

        "You'd need a very custom live system to prevent the possibility of something on the dodgy stick attacking and backdooring the hardware firmware in a subtle way and then taking it from there."

        Raspberry Pi running from write-protected SD-card.

        1. Charles 9

          Re: Live Linux?

          "Raspberry Pi running from write-protected SD-card."

          Known hardware. Would probably find a way to pwn the SoC and find firmware to overwrite from there. Plus there's no guarantee the evil device doesn't include an internal whispernet adapter that means it can link up simply by plugging in.

  6. Mutton Jeff

    Bruce Robot?

    Strewth!

  7. JeffyPoooh

    The urge to execute arbitrary code is growing stronger...

    We're only about one step away from having our computers wandering the Internet during the wee hours, seeking out code snippets to execute.

    Black hat hackers should next concentrate on Wifi, Bluetooth, and so on. See if there's some exploit so that malware can be spread via the SSID or something similar. Your device will spot the malformed SSID broadcast, and succumb to the inevitable urge to execute any code found therein.

    How about Siri and Cortana? Can the sound of crashing waves lead them to spot executable numbers passing by in the sampled white noise? 'Hey code!' So they'll dive in and execute.

    It's getting ridiculous.

    1. Charles 9

      Re: The urge to execute arbitrary code is growing stronger...

      So what are you going to do? Go back to the Sears catalog? Oh, that's right. The State is now savvy enough to pose as Sears. Back to horse and manure piles and life expectancies under 60?

      1. Tom Paine

        Re: The urge to execute arbitrary code is growing stronger...

        Sounds good, where do I sign?

    2. allthecoolshortnamesweretaken

      Re: The urge to execute arbitrary code is growing stronger...

      "We're only about one step away from having our computers wandering the Internet during the wee hours, seeking out code snippets to execute."

      That's more or less what most cats do - so we need to come up with the computer equivalent of neutering a pet to prevent unwanted consequences. Thoughts, anyone?

      1. JeffyPoooh

        Re: The urge to execute arbitrary code is growing stronger...

        More like a toddler that finds something on the floor and inevitably eats it.

        That's what modern computers are like.

        We're so close to the point where malware source code could be spray painted on the sidewalk, and any passing smartphone would see it, and - of course - immediately compile it and execute it.

        It's actually already ridiculous. E.g. Malware in images or other media files.

        1. Tannin

          Re: The urge to execute arbitrary code is growing stronger...

          Just so. Compare with the 1980s direct equivalent of a USB stick, the floppy disc. With a floppy, the interface between drive and system was simple, and being so simple, was dead easy to secure and trust.

          In this instance, you simply typed "format a:" before attempting to read the drive. 100% success rate.

          If you wanted to write-protect a disc, there was a physical switch. Flip that switch and no electronic tricks could get around it. (Hacking the mechanics of the disc drive would work, but that is a physical attack.)

          Simple is good.

  8. Anonymous Coward

    If something is free...

    ...you are the product being sold.

    1. Anonymous Coward

      Re: If something is free...

      Or we grew too many courgettes and we're giving away the surplus, Mr. Glass-half-empty!

      1. Anonymous Coward

        Re: If something is free...

        "Or we grew too many courgettes and we're giving away the surplus, Mr. Glass-half-empty!"

        There's no such thing as Altruism. Even behaviour such as giving away stuff for free, for non-commercial purposes, has benefit to the giver in terms of 'feel-good' factor at least, and potentially leverage in future for good deeds done and expected in return.

        Any company, however, issuing something for free - like free Facebook, or free gifts - is using YOU as the commodity. They will either be selling your personal information, or targeting you with marketing to get you to buy something.

        Don't be naive - if something is free, then there is always a price to be paid by the recipient.

        1. Flip

          Re: If something is free...

          What are the numerous *nix distro providers after then?


          2. Anonymous Coward

            Re: If something is free...

            "What are the numerous *nix distro providers after then?"

            An opportunity for their product placement to get into the hands of the masses, a subset of whom will become advocates, who go on to buy SLES/RedHat support for their Enterprises rather than Windows.

            Do you think Google giving away Android for free has anything to do with them being altruistic? It's about market penetration and displacing the incumbent vendors and getting market share so they can continue the sales pipelines down these platforms.

            No such thing as Altruism.

          3. Flocke Kroes Silver badge

            @Flip

            Depends on the provider, but some are after bug reports, patches and donations to cover the cost of distribution.

        2. Anonymous Coward

          Re: If something is free...

          "There's no such thing as Altruism."

          "Don't be naive - if something is free, then there is always a price to be paid by the recipient."

          NO such thing? ALWAYS? Then explain small churches and such that operate charity kitchens and the like.

          1. Anonymous Coward

            Re: If something is free...

            "NO such thing? ALWAYS? Then explain small churches and such that operate charity kitchens and the like."

            The Church is one of the wealthiest organisations, with a massive property portfolio, and pays no tax.

            Like I said. Naive.

            1. allthecoolshortnamesweretaken

              Re: If something is free...

              "The Church"

              Which one? Last time I looked, there was more than one.


              2. Anonymous Coward

                Re: If something is free...

                "'The Church' - Which one? Last time I looked, there was more than one."

                Pick one. The Church of England. Over £5 BILLION in assets!

                http://www.bbc.co.uk/news/business-23467750

                It didn't get that through Altruism. It's selling Altruism - look at all the good things we do, now donate here to keep us in business. That business of collecting £5 BILLION in assets....

            2. Charles 9

              Re: If something is free...

              "The Church is one of the wealthiest organisations, that has a massive property portfolio and pays no tax."

              I said SMALL churches. These usually don't have much of the backing of Rome and have to operate out of THEIR OWN pockets.

              And explain people like the late Saint Theresa.

            3. Anonymous Coward

              Re: If something is free...

              "The church"?

              "The Church is one of the wealthiest organisations"?

              I think you are woefully uninformed if you think there is one church.

              And yes, I know of small churches, that could never be described as anything but operating on a shoestring budget, that feed the poor homeless.

              Perhaps you should get out more.

            4. RW

              Re: If something is free...

              You are neglecting the many profound differences between the RCC ("the Church") and the many small independent Protestant churches in existence.

        3. adam 40 Silver badge

          Re: If something is free... this reply is free.

          Here you are, some of my wit, wisdom and repartee, completely for free.

          I don't expect anything in return, and it gives me no pleasure to say so.

      2. Captain DaFt

        Re: If something is free...

        "Or we grew too many courgettes and we're giving away the surplus, Mr. Glass-half-empty!"

        Please... NO!

        We're just ending the yearly nightmare season here; where if you leave an unattended vehicle unlocked, you're liable to find it full of tomatoes and zucchini when you return!

  9. adam payne

    Did they come in AOL packaging?

  10. Pete 2 Silver badge

    Person puts thing in mailbox -- or not

    The police bulletin is vague in the extreme. Although it is written in the plural, there is no corroboration or statements to support the claim. There could, in fact, simply have been a single USB drive put in someone's letterbox. Or it could even have been as trivial as a parent confronting a child with an "unknown" USB drive:

    "Where did you get that?

    I found it

    Where?

    Errrr, in the letterbox"

    There would appear to be nothing to this story. Nothing at all.

  11. Graham Marsden

    Why the fuck...

    ... is Autoplay on USB even a thing?

    1. Anonymous IV

      Re: Why the fuck...

      Because it seemed like a pretty neat idea.

      At the time.

      Before any risk assessment was carried out...

    2. Erewhon

      Re: Why the fuck...

      "... is Autoplay on USB even a thing?"

      Because users are idiots and expect 'things to work' without any understanding or effort on their part. Put a CD in a CD player - user sees it plays music. Put a thing in a slot, expect it to 'do something'.

      The alternative is for them to open File Explorer or My Computer, navigate to the newly created drive letter and click it, then review the contents, while understanding the nature of file type extensions and not just looking at the icons and assuming the picture of a document is actually a document and not an executable, and then not ignoring any warnings about the file being potentially dangerous.

      So they chose 'make it do something and hope for the best' as the default autoplay setting.

    3. alexmcm

      Re: Why the fuck...

      I think back in the day they wanted to simplify PCs and make them more like your friendly CD player or DVD player. If you stick a DVD in your player, you expect it to bring up the DVD movie menu, or CD to start playing the music. So they introduced autoplay for CDs and DVDs on PCs as well, so if your home theatre system was a PC it would act like your DVD player.

      Then USBs came along to replace CDs and DVDs, same idea, surely you want them to start playing their content without any user intervention. What could possibly go wrong?

      1. Anonymous Coward

        Re: Why the fuck...

        "Then USBs came along to replace CDs and DVDs, same idea, surely you want them to start playing their content without any user intervention. What could possibly go wrong?"

        And that's the thing. You have to deal with Stupid every day, and for Stupid, double-clicking on a thing that may not even appear is too much for them. And they're part of Microsoft's target audience, so Microsoft has to cater to them or lose money.
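Two things in this sub-thread are checkable rather than just lamentable: the autorun.inf directives that autoplay acts on, and the extension-versus-icon confusion Erewhon describes (a file whose name says document but whose bytes say executable). The following is an added example, not code from any commenter: the triage you would run over a stick mounted read-only on a sacrificial machine before anything on it is opened. It reads autorun.inf for the keys that make autoplay launch something, flags double extensions such as .pdf.exe, and compares a file's leading bytes against what its extension claims. The sample stick contents are constructed for the demonstration and have nothing to do with the Pakenham sticks.

```python
import tempfile
from pathlib import Path
from typing import List

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse",
            ".wsf", ".hta", ".msi", ".ps1", ".lnk"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt",
             ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4", ".avi"}
MAGIC = {b"MZ": "a PE/DOS executable", b"\x7fELF": "an ELF executable", b"#!": "a script"}
AUTORUN_ACTIONS = ("open", "shellexecute", "shell")   # autorun.inf keys that launch something


def autorun_findings(rel: str, text: str) -> List[str]:
    """Lenient INI walk: autorun.inf files in the wild are small and often deliberately
    sloppy, so this tolerates junk lines instead of using configparser."""
    out, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower().startswith(AUTORUN_ACTIONS):
                out.append(f"{rel}: autoplay would run {value!r} via {key}")
    return out


def triage(root: Path) -> List[str]:
    """Walk a mounted stick and report what a user clicking on icons would not see."""
    findings: List[str] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        suffixes = [s.lower() for s in path.suffixes]
        last = suffixes[-1] if suffixes else ""
        if path.name.lower() == "autorun.inf":
            findings += autorun_findings(rel, path.read_text(errors="replace"))
        if len(suffixes) >= 2 and last in EXEC_EXT and suffixes[-2] in DECOY_EXT:
            findings.append(f"{rel}: double extension, the real type is {last}")
        with path.open("rb") as fh:
            head = fh.read(4)
        kind = next((k for magic, k in MAGIC.items() if head.startswith(magic)), None)
        if kind and last not in EXEC_EXT:
            findings.append(f"{rel}: named {last or 'without extension'} but content is {kind}")
    return findings


def build_sample_stick(base: Path) -> Path:
    """Constructed sample contents for the demonstration."""
    (base / "autorun.inf").write_text(
        "[AutoRun]\nicon=promo.ico\nopen=Setup.exe\nshellexecute=Preview.pdf.exe\n")
    (base / "Setup.exe").write_bytes(b"MZ\x90\x00" + bytes(60))         # honest executable
    (base / "Preview.pdf.exe").write_bytes(b"MZ\x90\x00" + bytes(60))   # document decoy
    (base / "holiday.jpg").write_bytes(b"MZ\x90\x00" + bytes(60))       # executable with an image name
    (base / "Promo").mkdir()
    (base / "Promo" / "trailer.mp4").write_bytes(b"\x00\x00\x00\x18ftypmp42")
    (base / "readme.txt").write_text("Enjoy your free 4GB stick!\n")
    return base


def demo() -> List[str]:
    return triage(build_sample_stick(Path(tempfile.mkdtemp(prefix="stick-"))))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The magic-byte check is what the icon hides: Explorer draws the picture embedded in the executable, while the first two bytes still read MZ. Run this before, not instead of, the rest of the sandbox precautions in the thread; it inspects a filesystem and says nothing about the controller firmware.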

  12. allthecoolshortnamesweretaken

    Victorian USB sticks

    ... thought this would be about something steampunkish...

    1. Anonymous Coward

      Re: Victorian USB sticks

      Some people down there are "Victorian" in more ways than one.

  13. Gene Cash Silver badge

    Not just arbitrary code

    There's now commercially-available "USB sticks" designed to destroy the motherboard with 220v pulses.

    http://www.extremetech.com/computing/235328-computer-killing-usb-drives-now-on-sale-for-less-than-60

    And yes I'm sorely tempted to leave a bunch of these in the company parking lot...

  14. Mahhn

    Free!

    1 year free Antivirus (popular brand). Compliments of the Security awareness campaign by (local or regional government agency)

    Maybe I should have sold this idea, hmmm.

  15. Anonymous Coward

    "Pakenham, however, is an unremarkable outer suburb"

    They got that right.

    Solid mortgage-belt country.

    Bring back the good old days when a 'found' cassette was a bonus, apart from those by Duran Duran and Adam Ant...

  16. -tim

    There are some cheap USB sticks out there

    The USB memory sticks that lie about their sizes are so well known now that buyers are checking them early in the supply chain. This means a large box of 2 Gig sticks claiming to be 64 G can be had for tens of dollars.
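The check those buyers run is worth spelling out, because a naive one passes fake sticks. A controller that ignores the address bits above its real capacity returns whatever you just wrote if you read the same block straight back; it only fails once a higher address has landed on the same cells. The following is an added example, not from the comment or from any tool named on this page: write a keyed, offset-tagged pattern across the whole claimed size first, then read everything back, and count what survived. FakeFlash is a constructed stand-in for a wrap-around controller so the example runs offline; on a real stick the device object would be the block device opened read-write, and the run erases it.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

BLOCK = 4096   # 4 KiB reads and writes work on any stick


@dataclass
class CapacityReport:
    claimed_bytes: int
    good_bytes: int                      # bytes whose pattern came back intact
    first_bad_offset: Optional[int]      # None when every block verified
    first_bad_came_from: Optional[int]   # wrap-around fakes: the offset whose data overwrote it

    @property
    def genuine(self) -> bool:
        return self.first_bad_offset is None


def _pattern(key: bytes, offset: int) -> bytes:
    """Block contents for `offset`: the offset itself, then a keyed hash of it. A fresh key
    per run means leftovers from an earlier test cannot pass by accident."""
    head = offset.to_bytes(8, "big")
    mac = hmac.new(key, head, "sha256").digest()
    return head + (mac * (BLOCK // len(mac) + 1))[: BLOCK - len(head)]


def _decode_origin(key: bytes, data: bytes) -> Optional[int]:
    """If `data` is a valid pattern written for some other offset, return that offset."""
    if len(data) != BLOCK:
        return None
    origin = int.from_bytes(data[:8], "big")
    return origin if data == _pattern(key, origin) else None


def verify_capacity(dev, claimed_bytes: int, stride: int = BLOCK) -> CapacityReport:
    """DESTRUCTIVE: overwrites one block every `stride` bytes across the claimed size.

    All writes happen before any read. stride=BLOCK writes everything, which is slow on a
    real 64 GB stick but is the only way to be sure; a larger stride is quicker but only
    catches a wrap-around fake when two sampled offsets land on the same physical block."""
    key = secrets.token_bytes(16)
    offsets = range(0, claimed_bytes - BLOCK + 1, stride)
    for off in offsets:
        dev.seek(off)
        dev.write(_pattern(key, off))
    good, first_bad, origin = 0, None, None
    for off in offsets:
        dev.seek(off)
        data = dev.read(BLOCK)
        if data == _pattern(key, off):
            good += 1
        elif first_bad is None:
            first_bad, origin = off, _decode_origin(key, data)
    return CapacityReport(claimed_bytes, good * stride, first_bad, origin)


class FakeFlash:
    """Constructed stand-in for a block device: the controller reports `claimed` bytes but
    has `real` bytes of NAND and ignores the address bits above it, so writes wrap around.
    Accesses are assumed block-aligned, which verify_capacity() guarantees."""

    def __init__(self, claimed: int, real: int) -> None:
        self.claimed, self.real, self.pos = claimed, real, 0
        self.cells = {}   # sparse: physical block index -> bytes

    def seek(self, pos: int) -> None:
        self.pos = pos

    def write(self, data: bytes) -> None:
        self.cells[(self.pos % self.real) // BLOCK] = bytes(data)
        self.pos += len(data)

    def read(self, n: int) -> bytes:
        data = self.cells.get((self.pos % self.real) // BLOCK, bytes(n))
        self.pos += n
        return data[:n]


if __name__ == "__main__":
    MiB = 1 << 20
    # Real use: with open("/dev/sdX", "r+b", buffering=0) as dev: verify_capacity(dev, claimed)
    for label, stick in (("fake", FakeFlash(8 * MiB, 1 * MiB)), ("honest", FakeFlash(8 * MiB, 8 * MiB))):
        r = verify_capacity(stick, stick.claimed)
        print(f"{label}: genuine={r.genuine} usable={r.good_bytes // MiB} MiB of {r.claimed_bytes // MiB}"
              f" claimed; first bad offset={r.first_bad_offset}, overwritten by data for offset={r.first_bad_came_from}")
```

For the wrap-around model the blocks that survive are exactly the top `real` bytes of the claimed range, so `good_bytes` is the real capacity, and the decoded origin of the first bad block tells you by how much the address space folded. A fake that simply discards writes above its real size fails the same check, with zeros or stale data coming back and nothing to decode.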
