Slashdot Mirror


USB Trojan Hides In Portable Applications, Targets Air-Gapped Systems

Reader itwbennett writes: A Trojan program, dubbed USB Thief by researchers at security firm ESET, infects USB drives that contain portable installations of popular applications such as Firefox, NotePad++, or TrueCrypt, and it also seems to be designed to steal information from so-called air-gapped computers. "In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called 'WinAudit'," the ESET researchers said. The stolen data was saved back to the USB drive and was encrypted using elliptic curve cryptography. Once the USB drive was removed, there was no evidence left on the computer, the ESET researchers added.

83 comments

  1. OJ DID DO IT! by Anonymous Coward · · Score: 0

    He killed her and him!

  2. Air gapped by JohnStock · · Score: 1

    I just like it when it's air gapped..

    1. Re:Air gapped by khasim · · Score: 1

      So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?

      Looks like they've re-invented "sneakernet".

      Seriously. If security is that important that you air-gap a system, why aren't you locking down the USB ports?

    2. Re:Air gapped by DougOtto · · Score: 1

      So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?

      Looks like they've re-invented "sneakernet".

      Seriously. If security is that important that you air-gap a system, why aren't you locking down the USB ports?

      Developing a, super secure, file based Intranet?

      --
      Solving Unix problems since 1989...
    3. Re:Air gapped by Anonymous Coward · · Score: 0

      Depends on why you're air-gapping the system.

      One of the common uses of air-gapped systems these days is for key signing. You have a private key that you're using to sign your applications. To avoid hackers getting their hands on it, you air-gap the system on which the private key is stored. The only problem is that in order to release your signed application, you need to get it to, and then back from, the air-gapped system. Since your air-gapped computer doesn't have network capabilities (duh) the only reasonable way to do that is with a USB drive.

      Granted, you're probably going to use a dedicated drive that doesn't have Firefox installed on it, but still, that's one reason why you don't want to lock down the USB ports of an air-gapped computer.

    4. Re:Air gapped by khasim · · Score: 4, Informative

      Since your air-gapped computer doesn't have network capabilities (duh) the only reasonable way to do that is with a USB drive.

      Not if you really do not want that key to be leaked.

      USB drives are too easily compromised.

      Use a CD drive instead. Yes, you CAN still buy them. And verify the CD on a different computer.

    5. Re:Air gapped by Anonymous Coward · · Score: 0

      Michael Mlekoday? is that you?

    6. Re:Air gapped by iggymanz · · Score: 1

      I wonder why so many don't do like ye olden days when a floppy disk was first malware scanned before using a program or loading data from it on it by people who cared.

      Of course, that only protects against "known threats to the scanner", but that's one step better than blind trust

    7. Re:Air gapped by Anonymous Coward · · Score: 0

      Your mom called. Dinner is ready.

    8. Re:Air gapped by Trax3001BBS · · Score: 1

      So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?

http://portableapps.com/ was my first thought. It's a very impressive collection of portable software. Firefox/Mozilla isn't listed in my setup; SeaMonkey and Opera are.

      My folder is just under 6 Gigs, the software meant to be on a USB device or at least right at home.

      This piece of malware might hit portableapps rather hard, just for being what it is.

    9. Re:Air gapped by Bob+the+Super+Hamste · · Score: 4, Interesting

      And yes this is how secure systems operate. You have a box that you load an ISO image onto that goes and checks that image with a battery of AV and other security products and then produces a CD or DVD that you then go and bring with you into your secure server room to load onto the servers. The disk then lives in that room until it gets fed to a shredder. Any electronic gadgets that enter the room remain in the room until they also get fed to a shredder.

      Yes I have been in such facilities and even got to see one of my co-workers lose his new iPhone to the shredder because he didn't heed the warnings.

      --
      Time to offend someone
    10. Re:Air gapped by mikael · · Score: 1

      How else can you load and install third-party applications? Maybe you are an animation artist trying to do that ultimate animation for your demo reel. Then you need to install applications like 3DMax, Photoshop, ZBrush, Softimage. Sometime manuals or tutorials only come in HTML format. So you need a web browser to read them.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    11. Re:Air gapped by caution+live+frogs · · Score: 1

      My work air gaps the government-owned computers from the university-owned ones. Different networks, same building, often same room. We have approved, encrypted drives to transfer files. USB ports ARE locked down, but that doesn't mean no USB devices are allowed.

    12. Re:Air gapped by Anonymous Coward · · Score: 0

      Seriously. If security is that important that you air-gap a system, why aren't you locking down the USB ports?

      Air-gapped systems, at least in my experience, have mostly been used by small-mid sized businesses with an internal CA used for intranet and sometimes internet devices. Air-gapped systems are a PitA to work with especially when you only need to touch them every few months to 12 months like a small-mid sized business CA. As a result people move certs around via USB or CD. Either way this wouldn't really touch it because CAs like that are rarely not running Linux.

    13. Re:Air gapped by HexaByte · · Score: 1

      >So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?
      >Looks like they've re-invented "sneakernet".
      >Seriously. If security is that important that you air-gap a system, why aren't you locking down the USB ports?

      You confuse security with idiocy. Just because there is a secure system, doesn't mean that an idiot can't screw it up!

      --
      HexaByte - he's a square and a half!
    14. Re:Air gapped by PPH · · Score: 1

      a CD or DVD that you then go and bring with you into your secure server room to load onto the servers. The disk then lives in that room until it gets fed to a shredder.

      This assumes that you have air gapped the servers in that server room. Otherwise someone will just skip the steps needed to infect the CD/DVD iso and attack the servers directly. So now the question is: What good is a server room full of servers that can't talk to anything beyond the walls? Some applications do exist for such architecture deep within the CIA/NSA/DoD/etc. But they are not much use to anyone who needs I/O beyond physical printouts, people working inside the perimeter or to control dedicated hardware (process control or missile launch commands, for example).

      --
      Have gnu, will travel.
    15. Re:Air gapped by dgatwood · · Score: 1

      The real question is why those systems weren't configured to refuse to run unsigned apps and/or apps signed with a different key than the last time you ran them. This sort of attack should be almost impossible on any modern desktop OS.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

    16. Re:Air gapped by PPH · · Score: 1

      Slow I/O. OK for producing 'golden master' application CD/DVDs. But I wouldn't even carry a USB drive back and forth to that air gapped machine unless I really trusted its manufacturer. Anyone remember SanDisk U3 flash drives? Ever wonder what the hell that s/w might be doing on your system when you plugged it in? Ever try to remove it from a USB stick?

      There are methods of key signing that can effectively secure a private key from inspection even on a networked and compromised O/S system. Think USB connected micro controller running some type of secure enclave key management app. The key pair is generated on-chip and the private key is held by secure storage on the controller (IF you trust the uC hardware). Plaintext in is encrypted on the chip and ciphertext (and a public key) returned.

      --
      Have gnu, will travel.
    17. Re:Air gapped by Anonymous Coward · · Score: 0

      The idea of PortableApps.com is that they can be run from a USB drive on any Windows system, thus without installation and its controls. I use them on several tablets mainly because they have 32 GB eMMC internal disks that don't have much room left over from the Windows 8/10 installations. I might have to rethink that approach.

      It would help if Linux distros could catch up with these ubiquitous Windows tablets, and support their wonky 32-bit UEFI setups for installation, and equally wonky hardware. I have tried nearly a dozen, and the only ones so far that even boot up the installer are Knoppix and latest Rescatux, but they do not support the touchscreen/wifi/battery management/etc.

    18. Re:Air gapped by rahvin112 · · Score: 1

      You still need a way to transfer files on air-gapped systems or they aren't real useful. CD writeables are much more difficult to use for normal users than thumb drives, so the USB ports are left open. Besides, malware can still get in on the CD, just like it can on the thumb drive.

      There are already well known groups of malware that target air-gapped systems and try to communicate with networked computers by using microphones and speakers (and probably other techniques as well such as cameras and monitors) in frequencies humans can't hear but the electronics of the speakers and microphones can. This is probably the area of state sponsored hacking so spy agencies can gain access to network restricted defense information and is probably a favorite target of ALL major spy agencies because an air-gapped computer is more likely to have something interesting on it, at least to these groups.

    19. Re:Air gapped by tlhIngan · · Score: 1

      So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?

      You can create isolated airgapped networks with their own set of web browsers and all that as well, you know.

      These networks are often on the classified side of things and there is no connection to the Internet or other network. Properly set up SCADA systems are supposed to be on airgapped networks, for example. But there's often documentation and other things that end up as HTML and you need a browser to view it, and it can be no surprise when they only work on Firefox, say.

    20. Re:Air gapped by networkBoy · · Score: 2

      " see one of my co-workers lose his new iPhone to the shredder"

      Bwahahahahaha awesome!
      We have systems that are not air gapped (as I can remotely access them) but are not connected to the network either. We use an IP KVM solution to connect keyboard, mouse, monitor remotely. Much more secure against this kind of attack. Of course bad guy at terminal or prepared for such setup can script keyboard commands and series of screenshots, but the barrier is much higher than direct connected systems.

      Defense in depth.
      -nb

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    21. Re:Air gapped by Anonymous Coward · · Score: 0

      > process control ...and several other manufacturing steps. There's EE's in this crowd, see how many points from raw stock to finished box it might be wise to have a machine airgapped.

      It's kind of like the infamous "do you trust your compiler?" paper. If you're making or working with anything sensitive, the answer is: you cannot trust anything, that's just not how trusted systems work, any more than you can drop the transitivity property of addition and keep math as we know it.

    22. Re:Air gapped by Anonymous Coward · · Score: 1

      You still need a way to transfer files on air-gapped systems or they aren't real useful. CD writeables are much more difficult to use for normal users than thumb drives..

      Oh yes, the poor diddums, they can't just drag'n'drop, they have to think a bit..seriously, I'd never let anyone this incapable anywhere near a system so critical it requires air-gapping.

      Besides, malware can still get in on the CD, just like it can on the thumb drive.

      sure, but a burn-once read-once-then-shred CD containing just $name_of_data_file is a lot less likely to contain malware than a USB stick containing all sorts of stuff as well as $name_of_data_file. And I'm not even going into the possibilities of the existence of embedded-in-the-hardware malware on USB sticks.

      There are already well known groups of malware that target air-gapped systems and try to communicate with networked computers by using microphones and speakers (and probably other techniques as well such as cameras and monitors) in frequencies humans can't hear but the electronics of the speakers and microphones can.

      Firstly, most desktops and servers don't have built in microphones (that we know of..)
      Secondly, again, if they have one, the speaker/beeper/buzzer/whatever in most desktops is a rather pathetic creature, barely capable of operating over a wide range of frequencies humans can hear. Laptops? Oh sure, you might have speakers and a microphone; again, they're usually rather pathetic creatures.
      Most microphone inserts I've tested tail off around 14-15kHz, the worst being 10kHz, the best (so far) was reasonable up to 19kHz; they were intended for speech (only requiring something like 100Hz-5kHz), not for recording high-fidelity music.
      Speakers: the standard internal PC type speakers max out somewhere in the 5kHz range. Initially, they were only intended to faithfully reproduce beeep, so didn't need to be anything better. Anyone who connects external speakers to an enabled embedded sound card on a critical system not employed in any sort of Music/Video production deserves everything that happens to them. An act that fundamentally idiotic means they've more to worry about than the theoretical air-gap bridging capabilities of some malware.

      Also consider, the associated on-board audio circuitry for these devices is usually tailored for a nominal 20Hz-20kHz 'hearing' range, so, assuming an adult's hearing falls off at the 14-15kHz point (I'm 52, and, as I'm typing this, I'm getting annoyed by a 15.650kHz 'whine' from a nearby CRT TV - despite years of both listening to, and generating loud Music, I can still hear up to about 18kHz, but with several 'dead' zones in the response), that would give you at best the 15-20kHz band for the malware to play with. Now, as younger people can hear higher frequencies (I used to be able to hear bats - Noctule [22-25kHz] - when younger), this further restricts the available bandwidth for the malware again to probably 18-20kHz if you're lucky.
      Again, remember, the microphone inserts usually tail off at 15kHz..

      This is probably the area of state sponsored hacking so spy agencies can gain access to network restricted defense information and is probably a favorite target of ALL major spy agencies because an air-gapped computer is more likely to have something interesting on it, at least to these groups.

      I personally know one author who keeps his important work and data on an old air-gapped Win311 machine, he uses CDwriter as a means of transferring data from it (keyboard and flatbed scanner for inputting data in). Nothing defence related, just stuff he'd rather keep 'secure' until he sends the final draft in electronic form to the publisher. It lives in a different room from the internet connected machine in his house.
      I know of the existence of one government installation where the only external networked computer is in the security office, all

    23. Re:Air gapped by dgatwood · · Score: 1

      What does installation have to do with code signing? Windows generally pops up a scare dialog if you try to run an unsigned app. And if the admin configures the machine properly, as you should for an airgapped machine, it won't let you run an unsigned app at all. So this sort of attack just shouldn't be possible on current versions of Windows or OS X if the admins configured the systems properly.

      Or are you saying that you reboot the machine from a separate OS installed on the USB drive? In which case, if a user of an airgapped system is doing that, you have much bigger problems.... :-)

      Okay, I suppose there's the possibility of them signing the app with a legitimate signing cert (which would then get revoked as soon as somebody noticed its use in signing malware, but an air-gapped machine wouldn't be able to DL the CRL or query the OCSP server)... but you'd think people would notice that the app stopped working when used on a non-air-gapped machine, and would start asking questions....

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

    24. Re:Air gapped by Bob+the+Super+Hamste · · Score: 1

      You do realize that there are systems that are not connected to the internet as a whole that exist in secure buildings and while they rely on external data that data is brought in on direct connections that do not go over the public internet. Modern society depends on such systems and some operators of such systems are better at resisting the temptation to just connect everything to the internet directly or indirectly. If following a proper defense in depth strategy these isolated systems still have lots of security on top of them even though they are not connected to the public internet. If you are interested in what the going state of the art in security for these types of systems is you can read the Cybersecurity Procurement Language for Energy Delivery Systems document and go read the NERC CIP v5 standard. These set the minimum level of security that exist on the systems.

      --
      Time to offend someone
    25. Re:Air gapped by PPH · · Score: 1

      Stuxnet.

      If you want to attack an air-gapped system, it's still possible. Defense in depth helps, but then it works well for connected systems as well. The one thing that an air gap does is to slow down (or effectively stop) probing systems by external hostile actors.

      --
      Have gnu, will travel.
  3. I lost my USB drive. I wrote a program that autom by Anonymous Coward · · Score: 2, Funny

    I lost my USB drive. I wrote a program that automatically backs up my computer when I plug it in (of course encrypted). I guess they found it.

  4. Linux? BSD? by Anonymous Coward · · Score: 0

    > it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU)

    Apparently, this happens in Microsoft Windows. But does it work in Linux? BSD?

    1. Re:Linux? BSD? by Flavianoep · · Score: 1

      I makes a copie of the /etc directory.

      --
      Linux is for people who don't mind RTFM.
    2. Re:Linux? BSD? by MobileTatsu-NJG · · Score: 4, Funny

      That depends, does Linux and BSD finally support USB drives?

      --
      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    3. Re:Linux? BSD? by zlives · · Score: 1

      ok, that was funny

    4. Re:Linux? BSD? by orledrat · · Score: 1

      In fact, FOSS is ideal for airgapping any apparatus, on account of all its open bits and such.

    5. Re:Linux? BSD? by MobileTatsu-NJG · · Score: 1, Funny

      Ah yes, I remember attempting to set up wifi on both RedHat and OSX (BSD based...)... both were over-zealous in supporting air-gap-based security

      --
      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    6. Re:Linux? BSD? by TheCarp · · Score: 1

      tbh I have been a Linux user far too long to not belly laugh at this.

      I have had several machines that were quite effectively "air gapped" by default installs that didn't support the latest whiz-bang onboard network out of the box. Nothing quite like the realization that you need to upgrade your kernel to use the network in order to upgrade your kernel.

      In fairness though, I have had it happen on Windows installs as well.

      --
      "I opened my eyes, and everything went dark again"
    7. Re:Linux? BSD? by PPH · · Score: 1

      But does it work in Linux?

      systemd unit files.

      --
      Have gnu, will travel.
    8. Re:Linux? BSD? by Anonymous Coward · · Score: 0

      Or else I gets the hose again.

    9. Re: Linux? BSD? by Anonymous Coward · · Score: 0

      Not if it rubs itself with lotion.

    10. Re: Linux? BSD? by Anonymous Coward · · Score: 0

      Which of course does not run off a USB drive. How come that you anti systemd trolls are always so clueless?

    11. Re: Linux? BSD? by Anonymous Coward · · Score: 0

      does not run off a USB drive.

      Not run. Upload. Like Windows registry. One place and common format to sniff out entire system configuration.

    12. Re:Linux? BSD? by fisted · · Score: 1

      Wasn't HKCU just one part of the "whole windows registry"? In win98 it was, anyway.

    13. Re:Linux? BSD? by Anonymous Coward · · Score: 0

      So you learnt all those nasty words and sayings from some fucked up relative (prolly that dribbly uncle that usedta come into your room at night) and now you feel that you have to keep spewing them out everywhere you can.
      It's really sad that you don't even realize what a stunted, under-developed mind you have. If you learnt to think for yourself instead of repeating that crap, you might start to see that people are just people, some of them are different than you, and some of them aren't total dickwits like you, cos they know how to just accept that its a big world full of different kinds of people. Dickwit.

    14. Re:Linux? BSD? by Anonymous Coward · · Score: 0

      ...I have had several machines that were quite effectively "air gapped" by default installs that didn't support the latest whiz-bang onboard network out of the box. Nothing quite like the realization that you need to upgrade your kernel to use the network in order to upgrade your kernel.

      Ah yes, the one which finally made me drop a Distro I won't name was that the kernel loaded for the install process supported the on-board network hardware, the kernel it subsequently installed, didn't.
      fun times..
      (and yes, lest you start getting smug, you Redmondistas, I have also been bitten by Windows Update replacing a perfectly working network driver with a fscked piece of shit...)

    15. Re:Linux? BSD? by TheCarp · · Score: 1

      My favorite, with windows, is when you get the system fully installed with all its crap OEM junk, try to rebuild it with a clean install, only to find out nothing in the whole system works without downloading some special snowflake driver.

      Hell my recent build and windows install was almost good.... ASROCK had on board utilities to make a usb stick with drivers.

      Snag? Oh yah, the drivers they distribute trojan your machine with adware....right out of the box on a fresh build, the fucking motherboard drivers infect you with adware! Windows users have nothing to smug about.

      --
      "I opened my eyes, and everything went dark again"
  5. Gushing? by orledrat · · Score: 1
    I've just read TFA (no big deal) and it seemed positively gushing, with a "white hats off" tone to it.

    Oh well.. what sounds like free-form obfuscation improvisation to me turns out to be, once more, the state of the art in today's heists.

    1. Re:Gushing? by Anonymous Coward · · Score: 0

      State of the art? How is this any different than the viruses that were passed around 30 years ago on c64 floppies?

    2. Re:Gushing? by tlambert · · Score: 3, Funny

      State of the art? How is this any different than the viruses that were passed around 30 years ago on c64 floppies?

      USB drives are large enough to contain Java and Python programs, so that recent college graduates can finally write viruses again. C64 floppies are not large enough.

    3. Re:Gushing? by Trax3001BBS · · Score: 1

      State of the art? How is this any different than the viruses that were passed around 30 years ago on c64 floppies?

      It can't be analyzed or very hard to, and where http://vx/ (dot) netlux (dot) org came in handy.

      The site is back -but hard to catch when it's up. It's a malware database, where malware is sent or downloaded just for that purpose. I'd like to see what's said there about this piece of malware.

  6. Confused by Anonymous Coward · · Score: 2, Interesting

    How does the trojan get installed on the USB stick in the first place? Either you are using USB drives provided by a stranger (who does that?) or someone has stolen your drive, installed their software, and replaced it without your knowledge. Plausible, but not a great way to propagate this to more than a few specific people.

    1. Re:Confused by Anonymous Coward · · Score: 0

      How about that many users don't format the USB drives but use them as they come.

    2. Re:Confused by duke_cheetah2003 · · Score: 3, Insightful

      Even more importantly, what's the point? How does the 'attacker' get their USB stick back with the stolen data?

      This feels more like an 'inside job' type trojan, where a person can stick it into a PC they're already trusted to use, and suck everything of value off it to review later. I mean, the way it's difficult to copy and stuff makes it suspiciously not very trojan like. Trojans/malware like to spread easily.

      Encrypting the slurped data just feels like plausible deniability for the attacker if the USB were confiscated and inspected.

    3. Re:Confused by AHuxley · · Score: 1

      Find the ready device in the car park, pick it up and see what is on it before returning it to the owner if details are on the files. Gets the code onto an inner networked work computer and hope to infect all other usb devices.
      Deep penetration agent gets to a secure work only USB device to install new code and gets the later returned data from a secure area. Sneaker net it out even with no or low site clearance.
      Flood all staff members with the code to infect their less secure home and work computers and hope one gets sloppy and uses the air gapped drive for "work" on a home or networked computer.
      Flood a nation's regional networks per street with code and a random worker's home or office computer is infected.
      The code would be bespoke so it would not show on any consumer AV yet and would try and infect only for an expected larger network.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Confused by Anonymous Coward · · Score: 0

      > How does the 'attacker' get their USB stick back with the stolen data? This feels more like an 'inside job'

      You're mentally deficient. This executes, exfiltrates (encrypted), removes traces.

      Removes traces.

      Not "spreads."

      This is a payload, not a virus. How do you think it got onto the usb stick? Other malware put it there, the same malware that will remove the exfiltrated data and pipe it on its merry way, and which will probably wipe the usb stick.

      You think the person carrying the stick put it there? That this nicely written piece of software is only to be delivered in those very very very few situations where you have MEAT on the inside with access to the air-gapped system?

      Those people would just copy the files that matter and encrypt them. They'd do it on a USB stick with an extra flash unit, one which - once written to - severed its leads. Because they'd be getting paid enough to warrant it, and it'd be a lot cheaper to deploy and less technologically revealing if it got busted.

      Slashdot has really sunk. Nobody else has even bothered to correct this idiot - instead you upvoted him 4 insightful!?

    5. Re:Confused by Anonymous Coward · · Score: 0

      ..Either you are using USB drives provided by a stranger (who does that?)

      There are several active Movie and Music 'sneakernets' @work involving large capacity USB sticks and External HDs. Whilst the people involved may not be strangers, their machines, and their friends and the machines of their friends are...
      Now, do you think I allow these devices anywhere near my machines before they've been scanned by at least two different AV scanners? nope..
      Do these others check the devices as diligently before they plug them in? who knows? (and that's the problem)

      About two years back, someone asked to borrow one of my (then) spare large capacity 64GB USB sticks to transfer data from a Mac to a PC. Several hours later, I get it back, put it in the drawer with all the others. A month later, I have occasion to use it, plug it into a machine, and my AV scanners flag several files as PC/Windows trojans (*and* they'd also left a large number of confidential files on it from the Mac: actor/actress contracts, personal details, release forms, parent/guardian release forms, etc..)

      Needless to say, I wasn't too impressed when I discovered that the AV software on the PC they'd been using was disabled as it had 'expired'..

    6. Re:Confused by Anonymous Coward · · Score: 0

      Even more importantly, what's the point? How does the 'attacker' get their USB stick back with the stolen data?

      They don't need the stick back, the attack is based on the mobility of the stick between secure systems and insecure systems/networks, with apologies beforehand, a really basic bit of bad pseudo code below should give you the idea.

      ##
      #
      # really evil code, runs once from USB stick insertion
      # automatically, or via running a trojan'd application off
      # stick manually by target sucker.
      #
      ##

      #
      # Find stuff of interest, add to stash
      #

      do_sneaky_datamining_stuff_here_and_append_results_to_encrypted_stash;

      #
      # See if I can dial home
      #

      if (sneaky_ping($my_candc_server))
            {
            #
            # Can talk to my server, so upload stashed data
            #
            if (upload_encrypted_stash_to($my_candc_server))
                  #
                  # upload ok, delete cache
                  #
                  {
                  delete_encrypted_stash;
                  #
                  # Taunt...(and why not?)
                  #
                  write_to_some_system_log("Bwa ha ha ha....");
                  }
            }
      exit;

      Patience is required... round and round the USB stick goes, gathering information and opportunistically uploading it when it can, its owners/users unaware they're acting like an ersatz digital Typhoid Mary (unlike Mary, they're not actually infecting anything else).

    7. Re:Confused by Anonymous Coward · · Score: 0

      It's possible that the attacker hopes the target later plugs the USB into a device attached to the greater Internet, where the payload then exfiltrates the data.

  7. IPoAC by friesofdoom · · Score: 1

    Reminds me of IPoAC

    1. Re:IPoAC by Anonymous Coward · · Score: 0

      Links to the papers would be appropriate:
      IPoAC: https://tools.ietf.org/html/rfc1149
      IPoAC with QOS: https://tools.ietf.org/html/rfc2549
      IPv6oAC: https://tools.ietf.org/html/rfc6214

    2. Re:IPoAC by Anonymous Coward · · Score: 0

      Reminds me of IPoAC

      I refer you to here and here and here.

      128GB micro SD cards being available at around the $50 mark, now how many could a single pigeon carry, and how many could a flock of these flying rats then carry?

      (Captcha: phoenix, almost weirdly appropriate (and fine if you like your media a wee bit on the toasty side..))

  8. Won't work on APK Hosts File Engine: Why? by Anonymous Coward · · Score: 0, Troll

    See subject: I protect my portable program via a method I extolled @ "CODING FOR DEFCON" here years ago which was up-modded for its technique, one EVERY exe should use imo as it acts as "native/built-in" antivirus protection in the program itself -> http://it.slashdot.org/comment... where I check exe size @ startup of the program - if it differs? Program will NOT operate...

    * This thing, IF I understood its description correctly per the source article's analysis, NEEDS to alter .exe size or .DLL function call tables exported (or exe "jump tables"), in order to operate - add even 1 BYTE to my program (which has NO external DLL dependencies (other than OS api) or DLLs it ships with (none, it's a stand-alone single portable Win32 PE executable))? See above.

    (It works...)

    APK

    P.S.=> Anyone see this differently, or did I miss something (only cursory read of the article here is why I ask)? Feel free to correct me... apk

  9. I had my info stolen by blogagog · · Score: 3, Funny

    I had the info stolen off my computer last year. The thieves who took it are now slightly dumber for having read it.

    1. Re:I had my info stolen by Greyfox · · Score: 1

      Oh you must have been working for the last company I worked with. They had some left over schwag from the golden days when they were still doing the convention circuit that they handed out one day. Then HR read us the riot act about wearing the company T-Shirts we'd gotten. "Kidnapping risk," they said. I wanted to do a PSA for them. Like "Please don't kidnap their employees. All the folks who actually knew how to accomplish anything left the company when it went public. Between the culture of ineptitude implemented by the new CEO and the brain drain to other companies, you'd just set your own nation-state's program back a decade if you actually got anything out of their guys. Try kidnapping some Google employees instead. Thanks!" Rumor has it some Russian hackers had hacked in once, and felt so bad about what they found there that they actually fixed several of the systems before logging out. But hey, at least the company was able to pay a huge amount for a shiny new headquarters. I guess they're actually starting to move into it now that they've taken care of that little asbestos problem they were having.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  10. Well....so? by Anonymous Coward · · Score: 0

    Let's assume for a moment you've hijacked a USB dongle, you've gotten a ride onto an airgapped computer. ......now what?

    Are you going to write a visual basic GUI to trace all the IPs simultaneously or something?

    So you've taken over a standalone PC. Huzzah. You've haxxored the boxen.

    What are you doing with the data you've stolen?

    Did you realize that you now have to snag another ride back OFF the machine via another USB stick, ride someplace else, infect THAT machine, and hope it isn't airgapped too, in order to get out again?

    1. Re:Well....so? by hawguy · · Score: 1

      Let's assume for a moment you've hijacked a USB dongle, you've gotten a ride onto an airgapped computer. ......now what?

      Are you going to write a visual basic GUI to trace all the IPs simultaneously or something?

      So you've taken over a standalone PC. Huzzah. You've haxxored the boxen.

      What are you doing with the data you've stolen?

      Did you realize that you now have to snag another ride back OFF the machine via another USB stick, ride someplace else, infect THAT machine, and hope it isn't airgapped too, in order to get out again?

      Depends what that hacked computer does and what your objectives are.

      A couple examples:

      • If that computer is part of a SCADA system at a power plant, you can have your malware shut down the power plant in 10 days or configure it to self-destruct.
      • If it's a secure key signing computer, your malware can make it create weak keys.

      You don't need to get data off the system for your malware to do harm.

    2. Re:Well....so? by Trax3001BBS · · Score: 1

      Let's assume for a moment you've hijacked a USB dongle, you've gotten a ride onto an airgapped computer. ......now what?

      Are you going to write a visual basic GUI to trace all the IPs simultaneously or something?

      So you've taken over a standalone PC. Huzzah. You've haxxored the boxen.

      What are you doing with the data you've stolen?

      Did you realize that you now have to snag another ride back OFF the machine via another USB stick, ride someplace else, infect THAT machine, and hope it isn't airgapped too, in order to get out again?

      It sounds beatable just by write protecting the USB device if TFA is correct, so not 100% but very capable.

      Taking a leap, I see it as a specialized piece of software looking for something in particular, this by images and the broad term of documentation.

      To download images from almost anybody's system would put a dent in the capacity of the USB device (even if just from a browser's cache). It doesn't sound like it would be that obvious, and would be more selective at what it took.

      Or I'm giving this malware just way too much credit.

    3. Re:Well....so? by Anonymous Coward · · Score: 0

      Write protecting a modern USB stick is rather harder than it might seem. Most mechanisms are software-based or can be hacked around.

  11. Re:Won't work on APK Hosts File Engine code... apk by Anonymous Coward · · Score: 0

    It will work. They'd just hot patch that check out of your binary and unless you've somehow encrypted the binary and used some kind of loader, it's quite easy.

    If you did use a small loader to unencrypt the rest of the binary, they'd just hot-patch the decrypted image in memory through DMA (bypassing cpu's memory isolation) and you'd still be owned.

    Wrong time to chime in I think APK.
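    To illustrate the reply's point, here is an added example (not code from the page, from ESET, or from the APK program) showing why an "exe size at startup" guard does not stop a hex edit: a constructed, hypothetical image gets its conditional jump flipped in place, the size stays identical, and only a keyed hash over the whole image notices. The image bytes, key and layout are assumptions for the demonstration.

```python
"""Why a self-size check is not an integrity check.

Added example (not code from the page or from any program discussed in
the thread): a constructed, hypothetical 'binary' is patched in place,
then checked with the file-size test the thread describes and with a
keyed HMAC over the whole image.
"""
import hashlib
import hmac

# Constructed stand-in for a PE image: `cmp rax, 0` (48 83 f8 00) followed
# by a short JNE (0x75, rel8 = 5), then filler. The real layout of a PE
# file is irrelevant here; only the byte-level behaviour matters.
ORIGINAL_IMAGE = bytes.fromhex("4883f800" "7505") + b"PAYLOAD!" * 4
EXPECTED_SIZE = len(ORIGINAL_IMAGE)

# Hypothetical verification key. A real deployment would rely on an
# OS-verified signature (Authenticode) rather than a key inside the binary,
# because an attacker who can patch the image can patch the check too.
VERIFY_KEY = b"example-key-not-secret"
EXPECTED_MAC = hmac.new(VERIFY_KEY, ORIGINAL_IMAGE, hashlib.sha256).digest()


def size_check(image: bytes) -> bool:
    """The 'exe size at startup' guard from the thread."""
    return len(image) == EXPECTED_SIZE


def mac_check(image: bytes) -> bool:
    """Keyed hash over the whole image; any changed byte is detected."""
    got = hmac.new(VERIFY_KEY, image, hashlib.sha256).digest()
    return hmac.compare_digest(got, EXPECTED_MAC)


def patch_jne_to_je(image: bytes) -> bytes:
    """Same-length patch: flip the first short JNE (0x75) to JE (0x74).

    This is the classic one-byte hex edit that inverts a 'is the file
    intact?' branch without changing the file size.
    """
    idx = image.index(0x75)
    return image[:idx] + b"\x74" + image[idx + 1:]


def demo() -> dict:
    """Run both checks against the original and the patched image."""
    patched = patch_jne_to_je(ORIGINAL_IMAGE)
    return {
        "same_size": len(patched) == len(ORIGINAL_IMAGE),
        "size_check_passes_on_patched": size_check(patched),
        "mac_check_passes_on_patched": mac_check(patched),
        "mac_check_passes_on_original": mac_check(ORIGINAL_IMAGE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    The size check passes on the patched image while the HMAC fails. Note that even the HMAC only helps if the comparison itself cannot be patched, which is why the reply's hot-patching point still stands for any check that lives inside the binary it protects.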

  12. It steals image files? by Anonymous Coward · · Score: 0

    I have a couple gigabytes worth of .tiff files from various 3D rendering programs. Sometimes I convert the tiffs into PNGs. Just saying.

  13. Won't work on APK Hosts File Engine code... apk by Anonymous Coward · · Score: 0

    See subject: I protect my portable program via a method I extolled @ "CODING FOR DEFCON" http://it.slashdot.org/comment... [slashdot.org] here years ago which was up-modded for its technique, one EVERY exe should use imo as it acts as "native/built-in" antivirus protection in the program itself where I check exe size @ startup of the program - if it differs? Program will NOT operate.

    Additionally, this functions to also protect my program vs. hexediting alterations as well (bonus).

    * This thing, IF I understood its description correctly per the source article's analysis, NEEDS to alter .exe size or .DLL function call tables exported (or exe "jump tables"), in order to operate - add even 1 BYTE to my program (which has NO external DLL dependencies (other than OS api) or DLLs it ships with (none, it's a stand-alone single portable Win32 PE executable))? See above.

    (It works...)

    APK

    P.S.=> Anyone see this differently, or did I miss something (only cursory read of the article here is why I ask)? Feel free to correct me!

    No, disassembly for the JNE instruction override by the malware isn't in this malware, let alone the fact it has to be tailored for that in my program + in the exact place for it!

    (Worst part is, due to ~10 antivirus companies claiming exe compressors & their loaders are "malware" along with checking for disassemblers/debuggers is 'malware' (which I overturned constantly by those morons, but ended up taking it out due to ABSOLUTELY STUPID 'rules' for heuristic detection calling those protective methods 'bad' caused false positives by them (which they agreed I was RIGHT on no less, but NEVER changed their bullshit either...))).. apk

  14. Air Gap != Secure by Anonymous Coward · · Score: 0

    To quote an instructor of mine, who was probably quoting someone else without attribution: "The only secure computer is one that is turned off, unplugged, in a closed safe buried within 6 feet of poured concrete."

    1. Re:Air Gap != Secure by Anonymous Coward · · Score: 0

      AKA an Amish Computer.

  15. Ridiculous! by Anonymous Coward · · Score: 0

    On Linux, get a UUID on all USB drives approved and have udev rules that disallow mounting on non-whitelisted USB sticks. You can AAA them if you've got a remote logging system in place. Not sure about Windows!

  16. solution. by Anonymous Coward · · Score: 0

    compile from source. distrowatch.com

    or if you use Windows you already have Global Mother Fucking Spyware so what does it matter?

  17. Re:Won't work on APK Hosts File Engine code... apk by Anonymous Coward · · Score: 0

    Why're your informative posts downmoded? Technique's sound vs the threat currently. Your 1st post too https://it.slashdot.org/commen... but they left junk on this page (nigger etc) alone not downmodding it. What's the matter with the idiots here?

  18. Won't work on APK Hosts File Engine... apk by Anonymous Coward · · Score: 0

    See subject: I protect my portable program via a method I extolled @ CODING FOR DEFCON https://it.slashdot.org/commen... here years ago which was up-modded for its technique.

    It's one EVERY exe should use imo as it acts as "native/built-in" antivirus protection in the program itself where I check exe size @ startup of the program & other areas of operations - & if it differs? It won't run.

    Additionally, this functions to also protect my program vs. hexediting alterations as well (bonus).

    * This thing, IF I understood its description correctly per the source article's analysis, NEEDS to alter .exe size or .DLL function call tables exported (or exe "jump tables"), in order to operate - add even 1 BYTE to my program (which has NO external DLL dependencies (other than OS api) or DLLs it ships with (none, it's a stand-alone single portable Win32 PE executable))?

    See above - It works.

    APK

    P.S.=> Anyone see this differently, or did I miss something (only cursory read of the article here is why I ask)? Feel free to correct me!

    No, disassembly for the JNE instruction override by the malware isn't in this malware, let alone the fact it has to be tailored for that in my program + in the exact place(s) for it!

    Worst part is, due to ~10 antivirus companies claiming exe compressors & their loaders are "malware" along with checking for disassemblers/debuggers is 'malware' (which I overturned false positives from them constantly by those morons)?

    I ended up taking out compressed exe loaders & disassembler/debugger checks out due to ABSOLUTELY STUPID 'rules' for heuristic detection calling those protective methods 'bad' since it caused false positives by them (which they agreed I was RIGHT on no less, but NEVER changed their bullshit either!)

    ... apk

  19. It's jealous "ne'er-do-well" losers... apk by Anonymous Coward · · Score: 0

    Amicusnycl whom I made eat his words https://slashdot.org/comments.... who's still butthurt over it or heroin junkie KGIII https://science.slashdot.org/c... who did the same. Neither produces anything of worth to others & are BULLSHITTERS to the highest order - mere "talkers" not doers.

    Probably also other losers of like ilk also along with inferior competitors paid shill cronies. It's common sense: Who else would attempt to stop me posting or troll me as well as downmod me? I'm not stupid. Neither are you. Do the math here. It's obvious who is doing what to my posts to NO avail - I post as much as always, & IF/WHEN I get a bogus downmod? I repost, exhausting the dolts of their effete useless "downmod points" & I can post with NO limits here unlike most ac posters to do it.

    APK

    P.S.=> They can't validly beat my points on hosts technically so they resort to other weak bullshit in unjustifiable downmods or offtopic trolling me... apk