Slashdot Mirror


USB Trojan Hides In Portable Applications, Targets Air-Gapped Systems

Reader itwbennett writes: A Trojan program, dubbed USB Thief by researchers at security firm ESET, infects USB drives that contain portable installations of popular applications such as Firefox, Notepad++, or TrueCrypt, and it also seems to be designed to steal information from so-called air-gapped computers. "In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called 'WinAudit'," the ESET researchers said. The stolen data was saved back to the USB drive and was encrypted using elliptic curve cryptography. Once the USB drive was removed, there was no evidence left on the computer, the ESET researchers added.

41 of 83 comments

  1. Air gapped by JohnStock · · Score: 1

    I just like it when it's air gapped..

    1. Re:Air gapped by khasim · · Score: 1

      So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?

      Looks like they've re-invented "sneakernet".

      Seriously. If security is that important that you air-gap a system, why aren't you locking down the USB ports?

    2. Re:Air gapped by DougOtto · · Score: 1

      So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?

      Looks like they've re-invented "sneakernet".

      Seriously. If security is that important that you air-gap a system, why aren't you locking down the USB ports?

      Developing a, super secure, file based Intranet?

      --
      Solving Unix problems since 1989...
    3. Re:Air gapped by khasim · · Score: 4, Informative

      Since your air-gapped computer doesn't have network capabilities (duh) the only reasonable way to do that is with a USB drive.

      Not if you really do not want that key to be leaked.

      USB drives are too easily compromised.

      Use a CD drive instead. Yes, you CAN still buy them. And verify the CD on a different computer.

    4. Re:Air gapped by iggymanz · · Score: 1

      I wonder why so many don't do like ye olden days when a floppy disk was first malware scanned before using a program or loading data from it on it by people who cared.

      Of course, that only protects against "known threats to the scanner", but that's one step better than blind trust

    5. Re:Air gapped by Trax3001BBS · · Score: 1

      So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?

      http://portableapps.com/ was my first thought. It's a very impressive collection of portable software, Firefox/Mozilla isn't listed in my setup, SeaMonkey and Opera are.

      My folder is just under 6 Gigs, the software meant to be on a USB device or at least right at home.

      This piece of malware might hit portableapps rather hard, just for being what it is.

    6. Re:Air gapped by Bob+the+Super+Hamste · · Score: 4, Interesting

      And yes this is how secure systems operate. You have a box that you load an ISO image onto that goes and checks that image with a battery of AV and other security products and then produces a CD or DVD that you then go and bring with you into your secure server room to load onto the servers. The disk then lives in that room until it gets fed to a shredder. Any electronic gadgets that enter the room remain in the room until they also get fed to a shredder.

      Yes I have been in such facilities and even got to see one of my co-workers lose his new iPhone to the shredder because he didn't heed the warnings.

      --
      Time to offend someone
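
Added example, not code from ESET, the article, or any commenter, illustrating the transfer discipline khasim and Bob the Super Hamste describe above: the staging station writes a manifest of what it burned, and the air-gapped side refuses the media if anything is missing, altered, or present without being listed. The last check is the one that matters against a USB Thief-style payload, which is a file planted beside a portable application rather than a change to the application itself; a plain `sha256sum -c` would never look at it. Assumptions: the manifest is sealed with an HMAC under a key provisioned on both stations (a real deployment would sign it with a key held in hardware, and khasim's "verify on a different computer" still applies); the directory layout and file contents are constructed samples.

```python
"""Allow-list manifest check for files carried across an air gap.

Added example (not ESET's code nor any commenter's). Assumptions: the
staging side writes a manifest of SHA-256 sums and seals it with an HMAC
under a key both stations hold; the receiving side rejects any file that is
missing, altered, or not listed at all.
"""
import hashlib
import hmac
import os
import tempfile

# Assumption: a key provisioned out of band on both the staging station and
# the air-gapped side (a real deployment would keep it in hardware and sign).
MANIFEST_KEY = bytes.fromhex("0f" * 32)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_files(root):
    """Every regular file under root, as sorted forward-slash relative paths."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(out)


def build_manifest(root):
    """Staging side: hash every file, then seal the whole list with an HMAC."""
    lines = ["%s  %s" % (sha256_file(os.path.join(root, rel)), rel)
             for rel in list_files(root)]
    body = "\n".join(lines) + "\n"
    tag = hmac.new(MANIFEST_KEY, body.encode(), "sha256").hexdigest()
    return body + "mac " + tag + "\n"


def verify_transfer(root, manifest):
    """Receiving side: return (ok, problems). ok is True only if the MAC is
    valid, every listed file matches, and nothing unlisted is present."""
    body, _, tag_line = manifest.rstrip("\n").rpartition("\n")
    body += "\n"
    expected = hmac.new(MANIFEST_KEY, body.encode(), "sha256").hexdigest()
    if not tag_line.startswith("mac ") or not hmac.compare_digest(tag_line[4:], expected):
        return False, ["manifest MAC invalid"]
    listed = {}
    for line in body.splitlines():
        digest, rel = line.split("  ", 1)
        listed[rel] = digest
    present = set(list_files(root))
    problems = []
    for rel, digest in listed.items():
        if rel not in present:
            problems.append("missing: " + rel)
        elif sha256_file(os.path.join(root, rel)) != digest:
            problems.append("modified: " + rel)
    for rel in sorted(present - set(listed)):
        # a planted DLL or plugin next to a portable app lands here
        problems.append("unlisted: " + rel)
    return (not problems), problems


def demo():
    """Constructed scenario: a clean transfer, then the same media with an
    extra file planted and a document edited after the manifest was sealed,
    then a manifest whose MAC was tampered with."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "FirefoxPortable")
        os.makedirs(app_dir)
        with open(os.path.join(app_dir, "report.docx"), "wb") as f:
            f.write(b"quarterly figures (constructed sample)")
        manifest = build_manifest(root)
        clean = verify_transfer(root, manifest)
        with open(os.path.join(app_dir, "plugin.dll"), "wb") as f:
            f.write(b"MZ not really a DLL (constructed sample)")
        with open(os.path.join(app_dir, "report.docx"), "ab") as f:
            f.write(b"!")
        dirty = verify_transfer(root, manifest)
        forged = verify_transfer(root, manifest.replace("mac ", "mac 0"))
        return clean, dirty, forged


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two caveats a practitioner would raise: the HMAC only proves the manifest was not changed after the staging station sealed it, so a compromised staging station can still seal a bad manifest, which is why the staging side gets its own scanning and why the manifest's hash is worth checking on a separate machine; and the check covers files only, so hardware-level tricks on USB media (the concern several commenters raise) are exactly why this pattern is paired with write-once optical media.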
    7. Re:Air gapped by mikael · · Score: 1

      How else can you load and install third-party applications? Maybe you are an animation artist trying to do that ultimate animation for your demo reel. Then you need to install applications like 3DMax, Photoshop, ZBrush, Softimage. Sometimes manuals or tutorials only come in HTML format. So you need a web browser to read them.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    8. Re:Air gapped by caution+live+frogs · · Score: 1

      My work air gaps the government-owned computers from the university-owned ones. Different networks, same building, often same room. We have approved, encrypted drives to transfer files. USB ports ARE locked down, but that doesn't mean no USB devices are allowed.

    9. Re:Air gapped by HexaByte · · Score: 1

      >So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?
      >Looks like they've re-invented "sneakernet".
      >Seriously. If security is that important that you air-gap a system, why aren't you locking down the USB ports?

      You confuse security with idiocy. Just because there is a secure system, doesn't mean that an idiot can't screw it up!

      --
      HexaByte - he's a square and a half!
    10. Re:Air gapped by PPH · · Score: 1

      a CD or DVD that you then go and bring with you into your secure server room to load onto the servers. The disk then lives in that room until it gets fed to a shredder.

      This assumes that you have air gapped the servers in that server room. Otherwise someone will just skip the steps needed to infect the CD/DVD iso and attack the servers directly. So now the question is: What good is a server room full of servers that can't talk to anything beyond the walls? Some applications do exist for such architecture deep within the CIA/NSA/DoD/etc. But they are not much use to anyone who needs I/O beyond physical printouts, people working inside the perimeter or to control dedicated hardware (process control or missile launch commands, for example).

      --
      Have gnu, will travel.
    11. Re:Air gapped by dgatwood · · Score: 1

      The real question is why those systems weren't configured to refuse to run unsigned apps and/or apps signed with a different key than the last time you ran them. This sort of attack should be almost impossible on any modern desktop OS.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    12. Re:Air gapped by PPH · · Score: 1

      Slow I/O. OK for producing 'golden master' application CD/DVDs. But I wouldn't even carry a USB drive back and forth to that air gapped machine unless I really trusted its manufacturer. Anyone remember SanDisk U3 flash drives? Ever wonder what the hell that s/w might be doing on your system when you plugged it in? Ever try to remove it from a USB stick?

      There are methods of key signing that can effectively secure a private key from inspection even on a networked and compromised O/S system. Think USB connected microcontroller running some type of secure enclave key management app. The key pair is generated on-chip and the private key is held by secure storage on the controller (IF you trust the uC hardware). Plaintext in is encrypted on the chip and ciphertext (and a public key) returned.

      --
      Have gnu, will travel.
    13. Re:Air gapped by rahvin112 · · Score: 1

      You still need a way to transfer files on air-gapped systems or they aren't real useful. CD writeables are much more difficult to use for normal users than thumb drives so the USB ports are left open. Besides, malware can still get in on the CD, just like it can on the thumb drive.

      There are already well known groups of malware that target air-gapped systems and try to communicate with networked computers by using microphones and speakers (and probably other techniques as well such as cameras and monitors) in frequencies humans can't hear but the electronics of the speakers and microphones can. This is probably the area of state sponsored hacking so spy agencies can gain access to network restricted defense information and is probably a favorite target of ALL major spy agencies because an air-gapped computer is more likely to have something interesting on it, at least to these groups.

    14. Re:Air gapped by tlhIngan · · Score: 1

      So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?

      You can create isolated airgapped networks with their own set of web browsers and all that as well, you know.

      These networks are often on the classified side of things and there is no connection to the Internet or other network. Properly set up SCADA systems are supposed to be on airgapped networks, for example. But there's often documentation and other things that end up as HTML and you need a browser to view it, and it can be no surprise when they only work on Firefox, say.

    15. Re:Air gapped by networkBoy · · Score: 2

      " see one of my co-workers lose his new iPhone to the shredder"

      Bwahahahahaha awesome!
      We have systems that are not air gapped (as I can remotely access them) but are not connected to the network either. We use an IP KVM solution to connect keyboard, mouse, monitor remotely. Much more secure against this kind of attack. Of course bad guy at terminal or prepared for such setup can script keyboard commands and series of screenshots, but the barrier is much higher than direct connected systems.

      Defense in depth.
      -nb

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    16. Re:Air gapped by Anonymous Coward · · Score: 1

      You still need a way to transfer files on air-gapped systems or they aren't real useful. CD writeables are much more difficult to use for normal users than thumb drives..

      Oh yes, the poor diddums, they can't just drag'n'drop, they have to think a bit..seriously, I'd never let anyone this incapable anywhere near a system so critical it requires air-gapping.

      Besides, malware can still get in on the CD, just like it can on the thumb drive.

      sure, but a burn-once read-once-then-shred CD containing just $name_of_data_file is a lot less likely to contain malware than a USB stick containing all sorts of stuff as well as $name_of_data_file. And I'm not even going into the possibilities of the existence of embedded-in-the-hardware malware on USB sticks.

      There are already well known groups of malware that target air-gapped systems and try to communicate with networked computers by using microphones and speakers (and probably other techniques as well such as cameras and monitors) in frequencies humans can't hear but the electronics of the speakers and microphones can.

      Firstly, most desktops and servers don't have built in microphones (that we know of..)
      Secondly, again, if they have one, the speaker/beeper/buzzer/whatever in most desktops is a rather pathetic creature, barely capable of operating over a wide range of frequencies humans can hear, Laptops?, oh sure, you might have speakers and a microphone, again, they're usually rather pathetic creatures.
      Most microphone inserts I've tested tail off around 14-15kHz, the worst being 10kHz, the best (so far) was reasonable up to 19kHz, they were intended for speech (only requiring something like 100Hz-5kHz), not for recording high-fidelity music.
      Speakers, the standard internal PC type speakers max out somewhere in the 5kHz range, initially, they were only intended to faithfully reproduce beeep, so didn't need to be anything better. Anyone who connects external speakers to an enabled embedded sound card on a critical system not employed in any sort of Music/Video production deserves everything that happens to them. An act that fundamentally idiotic means they've more to worry about than the theoretical air-gap bridging capabilities of some malware.

      Also consider, the associated on-board audio circuitry for these devices is usually tailored for a nominal 20Hz-20kHz 'hearing' range, so, assuming an adult's hearing falls off at the 14-15kHz point (I'm 52, and, as I'm typing this, I'm getting annoyed by a 15.650kHz 'whine' from a nearby CRT TV - despite years of both listening to, and generating loud Music, I can still hear up to about 18kHz, but with several 'dead' zones in the response), that would give you at best the 15-20kHz band for the malware to play with. Now, as younger people can hear higher frequencies (I used to be able to hear bats - Noctule [22-25kHz] - when younger), this further restricts the available bandwidth for the malware again to probably 18-20kHz if you're lucky.
      Again, remember, the microphone inserts usually tail off at 15kHz..

      This is probably the area of state sponsored hacking so spy agencies can gain access to network restricted defense information and is probably a favorite target of ALL major spy agencies because an air-gapped computer is more likely to have something interesting on it, at least to these groups.

      I personally know one author who keeps his important work and data on an old air-gapped Win311 machine, he uses a CD writer as a means of transferring data from it (keyboard and flatbed scanner for inputting data in). Nothing defence related, just stuff he'd rather keep 'secure' until he sends the final draft in electronic form to the publisher. It lives in a different room from the internet connected machine in his house.
      I know of the existence of one government installation where the only external networked computer is in the security office, all
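
Added example, not the malware ESET analysed and not any commenter's code, to make the acoustic channel that rahvin112 and the Anonymous Coward reply above argue about concrete. It simulates a two-tone FSK link end to end: the transmitter puts a mark or space tone in the 18-20 kHz band for each bit, and the receiver measures the energy in just those two bins with the Goertzel algorithm. Nothing is played or recorded; the "microphone" input is the generated samples plus a loud audible tone standing in for speech. Assumptions: 44.1 kHz sample rate, tones at 18.0 and 19.5 kHz, 10 ms symbols, and an eight-bit sync preamble; the microphone roll-off the reply describes is deliberately not modelled, which is exactly the point of running it: the raw channel needs only two narrow bins, so the usable bit rate is set by how short a symbol the receiver can still detect, and the roll-off, not the band width, is what kills it in practice.

```python
"""Near-ultrasonic FSK over a sound card, simulated end to end.

Added example (not the malware ESET describes and not any commenter's code).
Assumptions: 44.1 kHz sample rate, space/mark tones at 18.0 and 19.5 kHz,
10 ms symbols (100 baud) and a fixed sync preamble. Nothing is played or
recorded; the "microphone" is the generated samples plus a loud in-band
speech tone.
"""
import math

SAMPLE_RATE = 44100
SYMBOL_SAMPLES = 441            # 10 ms per bit -> 100 bit/s, 100 Hz bin width
FREQ_ZERO = 18000.0             # both tones sit on exact Goertzel bins,
FREQ_ONE = 19500.0              # i.e. multiples of 44100 / 441 = 100 Hz
PREAMBLE = [1, 0, 1, 0, 1, 1, 0, 0]   # assumption: fixed sync pattern


def bits_from_bytes(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bytes_from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def modulate(data):
    """Transmitter: one tone burst per bit; each symbol is detected on its
    own, so phase continuity between symbols is not needed."""
    samples = []
    for bit in PREAMBLE + bits_from_bytes(data):
        freq = FREQ_ONE if bit else FREQ_ZERO
        for n in range(SYMBOL_SAMPLES):
            samples.append(0.5 * math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
    return samples


def goertzel_power(window, freq):
    """Energy in one DFT bin; cheaper than a full FFT when only two bins
    are of interest."""
    n = len(window)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in window:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples):
    """Receiver: per symbol, whichever of the two bins holds more energy is
    the bit; then check and strip the preamble. Returns None on a bad sync."""
    bits = []
    for start in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        window = samples[start:start + SYMBOL_SAMPLES]
        one = goertzel_power(window, FREQ_ONE)
        zero = goertzel_power(window, FREQ_ZERO)
        bits.append(1 if one > zero else 0)
    if bits[:len(PREAMBLE)] != PREAMBLE:
        return None
    return bytes_from_bits(bits[len(PREAMBLE):])


def add_speech(samples, freq=1000.0, amplitude=0.9):
    """Constructed interference: a loud audible tone standing in for talk in
    the room, far below the two bins the receiver inspects."""
    return [s + amplitude * math.sin(2 * math.pi * freq * n / SAMPLE_RATE)
            for n, s in enumerate(samples)]


def channel_bits_per_second():
    """Raw rate of this scheme: one bit per symbol, nothing else."""
    return SAMPLE_RATE / SYMBOL_SAMPLES


def demo():
    secret = b"HKCU dump chunk 1 (constructed sample)"
    heard = add_speech(modulate(secret))
    return demodulate(heard)


if __name__ == "__main__":
    print(demo(), channel_bits_per_second(), "bit/s")
```

Shortening SYMBOL_SAMPLES raises the rate but widens each bin (bin width is SAMPLE_RATE / SYMBOL_SAMPLES), so the two tones must move apart and the pair soon no longer fits between the edge of hearing and the microphone's roll-off; that trade-off, not the nominal 20 kHz ceiling, is what bounds such a channel on real hardware.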

    17. Re:Air gapped by dgatwood · · Score: 1

      What does installation have to do with code signing? Windows generally pops up a scare dialog if you try to run an unsigned app. And if the admin configures the machine properly, as you should for an airgapped machine, it won't let you run an unsigned app at all. So this sort of attack just shouldn't be possible on current versions of Windows or OS X if the admins configured the systems properly.

      Or are you saying that you reboot the machine from a separate OS installed on the USB drive? In which case, if a user of an airgapped system is doing that, you have much bigger problems.... :-)

      Okay, I suppose there's the possibility of them signing the app with a legitimate signing cert (which would then get revoked as soon as somebody noticed its use in signing malware, but an air-gapped machine wouldn't be able to DL the CRL or query the OCSP server)... but you'd think people would notice that the app stopped working when used on a non-air-gapped machine, and would start asking questions....

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    18. Re:Air gapped by Bob+the+Super+Hamste · · Score: 1

      You do realize that there are systems that are not connected to the internet as a whole that exist in secure buildings and while they rely on external data that data is brought in on direct connections that do not go over the public internet. Modern society depends on such systems and some operators of such systems are better at resisting the temptation to just connect everything to the internet directly or indirectly. If following a proper defense in depth strategy these isolated systems still have lots of security on top of them even though they are not connected to the public internet. If you are interested in what the going state of the art in security for these types of systems is you can read the Cybersecurity Procurement Language for Energy Delivery Systems document and go read the NERC CIP v5 standard. These set the minimum level of security that exist on the systems.

      --
      Time to offend someone
    19. Re:Air gapped by PPH · · Score: 1

      Stuxnet.

      If you want to attack an air-gapped system, it's still possible. Defense in depth helps, but then it works well for connected systems as well. The one thing that an air gap does is to slow down (or effectively stop) probing systems by external hostile actors.

      --
      Have gnu, will travel.
  2. I lost my USB drive. I wrote a program that autom by Anonymous Coward · · Score: 2, Funny

    I lost my USB drive. I wrote a program that automatically backs up my computer when I plug it in (of course encrypted). I guess they found it.

  3. Gushing? by orledrat · · Score: 1
    I've just read TFA (no big deal) and it seemed positively gushing, with a "white hats off" tone to it.

    Oh well.. what sounds like free-form obfuscation improvisation to me turns out to be, once more, the state of the art in today's heists.

    1. Re:Gushing? by tlambert · · Score: 3, Funny

      State of the art? How is this any different than the viruses that were passed around 30 years ago on c64 floppies?

      USB drives are large enough to contain Java and Python programs, so that recent college graduates can finally write viruses again. C64 floppies are not large enough.

    2. Re:Gushing? by Trax3001BBS · · Score: 1

      State of the art? How is this any different than the viruses that were passed around 30 years ago on c64 floppies?

      It can't be analyzed or very hard to, and where vx (dot) netlux (dot) org came in handy.

      The site is back -but hard to catch when it's up. It's a malware database, where malware is sent or downloaded just for that purpose. I'd like to see what's said there about this piece of malware.

  4. Re:Linux? BSD? by Flavianoep · · Score: 1

    It makes a copy of the /etc directory.

    --
    Linux is for people who don't mind RTFM.
  5. Re:Linux? BSD? by MobileTatsu-NJG · · Score: 4, Funny

    That depends, does Linux and BSD finally support USB drives?

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  6. Re:Linux? BSD? by zlives · · Score: 1

    ok, that was funny

  7. Confused by Anonymous Coward · · Score: 2, Interesting

    How does the trojan get installed on the USB stick in the first place? Either you are using USB drives provided by a stranger (who does that?) or someone has stolen your drive, installed their software, and replaced it without your knowledge. Plausible, but not a great way to propagate this to more than a few specific people.

    1. Re:Confused by duke_cheetah2003 · · Score: 3, Insightful

      Even more importantly, what's the point? How does the 'attacker' get their USB stick back with the stolen data?

      This feels more like an 'inside job' type trojan, where a person can stick it into a PC they're already trusted to use, and suck everything of value off it to review later. I mean, the way it's difficult to copy and stuff makes it suspiciously not very trojan like. Trojans/malware like to spread easily.

      Encrypting the slurped data just feels like plausible deniability for the attacker if the USB were confiscated and inspected.

    2. Re:Confused by AHuxley · · Score: 1

      Find the ready device in the car park and pick it up and see what is on it before returning to owner if details are on the files. Gets the code onto an inner networked work computer and hope to infect all other usb devices.
      Deep penetration agent gets to a secure work only USB device to install new code and gets the later returned data from a secure area. Sneaker net it out even with no or low site clearance.
      Flood all staff members with the code to infect their less secure home and work computers and hope one gets sloppy and uses the air gapped drive for "work" on a home or networked computer.
      Flood a nation's regional networks per street with code and a random worker's home or office computer is infected.
      The code would be bespoke so it would not show on any consumer AV yet and would try and infect only for an expected larger network.

      --
      Domestic spying is now "Benign Information Gathering"
  8. Re:Linux? BSD? by orledrat · · Score: 1

    In fact, FOSS is ideal for airgapping any apparatus, on account of all its open bits and such.

  9. IPoAC by friesofdoom · · Score: 1

    Reminds me of IPoAC

  10. I had my info stolen by blogagog · · Score: 3, Funny

    I had the info stolen off my computer last year. The thieves who took it are now slightly dumber for having read it.

    1. Re:I had my info stolen by Greyfox · · Score: 1

      Oh you must have been working for the last company I worked with. They had some left over schwag from the golden days when they were still doing the convention circuit that they handed out one day. Then HR read us the riot act about wearing the company T-Shirts we'd gotten. "Kidnapping risk," they said. I wanted to do a PSA for them. Like "Please don't kidnap their employees. All the folks who actually knew how to accomplish anything left the company when it went public. Between the culture of ineptitude implemented by the new CEO and the brain drain to other companies, you'd just set your own nation-state's program back a decade if you actually got anything out of their guys. Try kidnapping some Google employees instead. Thanks!" Rumor has it some Russian hackers had hacked in once, and felt so bad about what they found there that they actually fixed several of the systems before logging out. But hey, at least the company was able to pay a huge amount for a shiny new headquarters. I guess they're actually starting to move into it now that they've taken care of that little asbestos problem they were having.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  11. Re:Linux? BSD? by MobileTatsu-NJG · · Score: 1, Funny

    Ah yes, I remember attempting to set up wifi on both RedHat and OSX (BSD based...)... both were over-zealous in supporting air-gap-based security

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  12. Re:Well....so? by hawguy · · Score: 1

    Let's assume for a moment you've hijacked a USB dongle, you've gotten a ride onto an airgapped computer. ......now what?

    Are you going to write a visual basic GUI to trace all the IPs simultaneously or something?

    So you've taken over a standalone PC. Huzzah. You've haxxored the boxen.

    What are you doing with the data you've stolen?

    Did you realize that you now have to snag another ride back OFF the machine via another USB stick, ride someplace else, infect THAT machine, and hope it isn't airgapped too, in order to get out again?

    Depends what that hacked computer does and what your objectives are.

    A couple examples:

    • If that computer is part of a SCADA system at a power plant, you can have your malware shut down the power plant in 10 days or configure it to self-destruct.
    • If it's a secure key signing computer, your malware can make it create weak keys.

    You don't need to get data off the system for your malware to do harm.

  13. Re:Linux? BSD? by TheCarp · · Score: 1

    tbh I have been a Linux user far too long to not belly laugh at this.

    I have had several machines that were quite effectively "air gapped" by default installs that didn't support the latest whiz-bang onboard network out of the box. Nothing quite like the realization that you need to upgrade your kernel to use the network in order to upgrade your kernel.

    In fairness though, I have had it happen on Windows installs as well.

    --
    "I opened my eyes, and everything went dark again"
  14. Re:Linux? BSD? by PPH · · Score: 1

    But does it work in Linux?

    systemd unit files.

    --
    Have gnu, will travel.
  15. Re:Well....so? by Trax3001BBS · · Score: 1

    Let's assume for a moment you've hijacked a USB dongle, you've gotten a ride onto an airgapped computer. ......now what?

    Are you going to write a visual basic GUI to trace all the IPs simultaneously or something?

    So you've taken over a standalone PC. Huzzah. You've haxxored the boxen.

    What are you doing with the data you've stolen?

    Did you realize that you now have to snag another ride back OFF the machine via another USB stick, ride someplace else, infect THAT machine, and hope it isn't airgapped too, in order to get out again?

    It sounds beatable just by write protecting the USB device if TFA is correct, so not 100% but very capable.

    Taking a leap, I see it as a specialized piece of software looking for something in particular, this by images and the broad term of documentation.

    To download images from almost anybody's system would put a dent in the capacity of the USB device (even if just from a browser's cache). It doesn't sound like it would be that obvious and more selective at what it took.

    Or I'm giving this malware just way too much credit.

  16. Re:Linux? BSD? by fisted · · Score: 1

    Wasn't HKCU just one part of the "whole windows registry"? In win98 it was, anyway.

  17. Re:Linux? BSD? by TheCarp · · Score: 1

    My favorite, with windows, is when you get the system fully installed with all its crap OEM junk, try to rebuild it with a clean install, only to find out nothing in the whole system works without downloading some special snowflake driver.

    Hell my recent build and windows install was almost good.... ASROCK had on board utilities to make a usb stick with drivers.

    Snag? Oh yah, the drivers they distribute trojan your machine with adware....right out of the box on a fresh build, the fucking motherboard drivers infect you with adware! Windows users have nothing to be smug about.

    --
    "I opened my eyes, and everything went dark again"