Transforming USB Malware Into Snitches
Years ago I became deeply interested in trojans that were deployed to USB devices. At the time there were a number of vulnerabilities such as autorun and other functions aimed at making device use more ubiquitous that made this particular attack vector easy. I spent a lot of time working with various pieces of code to understand how they worked and ended up creating my own versions to experiment with. I ended up creating tools that would lead to the first recovery of stolen flash drives, iPods and other devices.
I started a website called USBHacks.com (now shutdown for a number of reasons) that featured some of these tools and techniques. I was humbled to receive a request to include some of my research into the EC Council’s Certified Ethical Hacker (CEH) materials in a chapter specifically on USB based malware. I then developed a specialized piece of code using these techniques that would track a device that may be stolen, that was launched as a product as well as further developed for FLIR to embed in some of their high end thermal imaging cameras for theft protection as well as export controls called “ThermaTrak”.
As my final project for my MSc I wanted to convert technology that was being used to compromise systems into a software application that would track a device when it is accessed from a computer. When a flash drive with the code on it was accessed from a computer it would hijack its Internet connection, gather information about the computer it was connected to including username, internal network data, remote IP and other identifying data and send it to a remote server. Basically a RAT, but with privacy controls built in to gather only a set amount of data without opening a back door into the system or other vulnerabilities.
I launched the solution as a free tracking/theft recovery service was surprised to find it worked with not just flash drives but also digital cameras, original iPods, music players, external hard drives and even GPS devices, basically anything that functioned as a media storage device.
One of the first recoveries occurred in February of 2009. Sohail Prasad installed the code on his 32GB Corsair Flash Voyager. The device was stolen several months later. He manages technology for a business, and had some sensitive information was on the device, luckily he had the USB tracking code installed and promptly activated tracking in the remote server control panel. Within a day he began receiving tracking notifications, the device was connected from the thief’s home computer and accessed multiple times over the next few days.
In addition to tracking data collected from the thief’s residence, additional connections were made from a computer lab at nearby university, over the next few days additional connections were made in other labs, one of which required an ID card to access where a security camera was also present. They were able to get a visual ID of the person and other evidence through log access files and the CCTV footage.
The police assigned a detective to the case and the tracking data and other evidence revealed the identity of the individual who had Sohail’s flash drive, he was confronted by the police and the device was immediately returned. As far as I know it is the first time a flash drive was recovered through such a method.
“I currently have possession of the flash drive again! We had a visual ID of the individual from the security camera, and the person’s name. When I first installed the code, I just thought it was cool, I never thought that I would actually have to use it. Thanks for all of your guidance and assistance in helping me recover my flash drive!” Sohail Prasad- Houston, Texas
This was all several years ago, many of the vulnerabilities associated with automatically running USB malware have been patched, although some only recently. However, USB based malware is still a common attack vector, as we continue to see networks compromised through the use of flash drives.
In addition to taking advantage of autorun functionality I also used another technique to disguise files as text files, MP3s, video files and in the case of the FLIR cameras as thumbnails of thermal images. Even Apple systems are vulnerable to these types of attacks when you bring social engineering into play. I will do separate blog posts on both the FLIR and Mac trojan projects in the coming weeks.