29 Types of USB Attacks and How to Stay Safe from Them
By Bruno, April 15, 2018
https://securityzap.com/usb-attacks/
"Recently, researchers from Ben-Gurion University of the Negev in Israel have discovered 29 (yes, you read it correctly) ways someone can insert malware into your computer or smartphone via USB port. Luckily, the team of experts suggested solutions on how to stay safe and what to do if attacked.
All 29 malware attacks are divided into four categories:
- Attacks that reprogram the
- Attacks that reprogram USB’s firmware.
- Malware that takes advantage of the flaws in the operating
- Electrical attacks.
This short guide will try to shed some light on these pieces of malware and what steps you can take to protect your data—whether your computer has already been infected or to prevent the infection in the first place.
Note that these steps are very general, and they might not work against all these threats, that’s why we placed the “What to do now?” section at the end of this guide (with the exception of those threats that have had their protective measures specifically identified by the researchers).
1. RUBBER DUCKY
Rubber Ducky is a ransomware threat developed in 2010 with a primary aim to encrypt your files by acting as a keyboard with pre-entered keystrokes. It works on every operating system that recognizes USB stick as the main input device—keyboard.
The most probable scenario is that the attacker will offer a PIN code to decrypt the files in exchange for money. Unfortunately, a simple Google search shows that the Rubber Ducky USB stick is available for purchase for a mere $50.
2. PHUKD/URFUKED
This malware works on the same principle as Rubber Ducky, with a subtle difference that allows the attacker(s) to choose a specific time to activate the keystrokes thanks to a programmed timer.
3. EVILDUINO
Evilduino uses an Arduino microcontroller, reprograms it and injects malicious keyboard and mouse strokes in your computer.
WHAT TO DO IF YOU ARE INFECTED WITH EVILDUINO:
You can try to uninstall it with a third-party tool that will scan your computer and look for malware and other issues that can affect your device. Make sure to use a trusted tool that can identify Evilduino, locate it and uninstall it. Try one of these:
4. USBDRIVEBY
Another malware that reprograms microcontrollers and uses a pre-entered keyboard and mouse strokes is USBdriveby. This malware changes DNS settings and unlocks the computer. The device, called Teensy, is one of the commonly used products for this purpose. It can be purchased on Amazon for just $20.
5. USB HARDWARE TROJAN
The USB hardware Trojan uses USB channels such as speakers and keyboard to exfiltrate and compromise users’ data. This Trojan uses two types of channels that are not safeguarded by endpoint security protections—kernel-space and user-space.
WHAT TO DO IF YOUR COMPUTER IS INFECTED WITH THE USB HARDWARE TROJAN?
One of the solutions experts recommend is Real-Time Protection, which identifies and blocks the threat before it starts extracting data. If you are Windows 10 user:
1. GO TO SETTINGS/ WINDOWS DEFENDER
2. CLICK ON OPEN WINDOWS DEFENDER SECURITY CENTER
3. CLICK VIRUS & THREAT PROTECTION
4. GO TO VIRUS & THREAT PROTECTION SETTINGS
5. TURN ON REAL-TIME PROTECTION
6. RIT (READ IT TWICE) ATTACK VIA USB MASS STORAGE
This malware monitors the target user’s activity and alters files on the infected computer by using a USB mass storage device. RIT can be transmitted not only by USB devices but also by any other external storage unit.
HOW TO REMOVE RIT FROM YOUR COMPUTER:
To get rid of RIT, try an anti-malware program (Comodo, for example). To install Comodo and remove the threat from your computer, follow these steps.
7. ATTACKS ON WIRELESS USB DONGLES
One of the most famous attacks from this category is KeySweeper. It is a USB wall charger that collects data from all wireless keyboards that are in range. The malware attacks Microsoft keyboards manufactured before 2011. Luckily, later models are more difficult to hack.
HOW TO PROTECT YOUR COMPUTER:
To stay safe even if your computer is in KeySweeper’s range, use a keyboard that operates by using Bluetooth technology.
8. TURNIPSCHOOL
This USB spyware tool was inspired by the National Security Agency’s Cottonmouth program, whose main purpose was to spy on people of interest, collect data and take control of a target’s computer. Needless to say, the device is controlled by radio.
9. DEFAULT GATEWAY OVERRIDE
In this scenario, the infected USB stick affects the functioning of the Ethernet adapter and changes the DNS settings. This way, all data is transferred to the hacker’s server.
10. SMARTPHONE-BASED HID ATTACKS
Another type of threat vector are attacks where hackers reprogram USB’s firmware. The malware changes the way a smartphone interacts with the keyboard and mouse. It mimics these peripherals and sends pre-entered keystrokes to the victim’s smartphone.
11. KEYBOARD EMULATION BY MODIFIED USB FIRMWARE
This is another example of how tampered USB firmware can be used for simulating the keyboard. As already mentioned, this type of malware sends pre-determined keystrokes to the victim’s computer.
12. HIDDEN PARTITION PATCH
The USB drive is used as a hidden partition acting like a normal drive, only it cannot be detected or formatted. The purpose of this virus is to exfiltrate data from your computer.
13. DNS OVERRIDE BY MODIFIED USB FIRMWARE
Similar to the Default Gateway Override, this malware changes DNS settings and redirects traffic to the attacker’s server. However, in this case, it is not the microcontroller that is altered, but the USB’s firmware.
POSSIBLE PROTECTIVE MEASURES:
There’s not much you can do—if infected with this type of malware, you will probably have to reinstall the entire operating system.
14. BOOT SECTOR VIRUS
The infected USB stick recognizes the type of operating system based on how it interacts with it. Then, the malware boots the system from the USB.
15. PASSWORD PROTECTION BYPASS PATCH
Password Protection Bypass Patch does just what its name suggests—it enables access to password-protected content by altering the USB’s firmware.
16. VIRTUAL MACHINE BREAK-OUT
In this scenario, researchers have shown how reprogrammed USB firmware can hijack the user’s VirtualBox or their laptop camera for spying.
17. ISEEYOU
Similar to the previous example, researchers have shown how reprogrammed USB firmware can be used for spying on users with their own cameras. The virus even disabled the LED light on the camera, so the user is not even aware that they are being monitored.
18. STUXNET
This malware, together with the below Fanny Worm, uses unprogrammed USB devices and operating system flaws for the purpose of cyber espionage. The malware was famously used to spy on the Iranian nuclear program.
19. FANNY WORM
Fanny Worm is not just similar to Stuxnet; it’s also possibly related to it. Fanny Worm operates on the same principle and is convenient for spying on computers that are not connected to the internet by exploiting Microsoft’s LNK vulnerability. It was developed by Equation Group, a code name for the NSA as revealed by researchers in 2015.
20. DATA HIDING ON USB MASS STORAGE DEVICES
Researchers have shown that even USB sticks that seem empty can contain malware or stolen data. They can be placed in an invisible file or outside of the regular partition.
21. AUTORUN EXPLOITS
Window’s autorun option saved users a lot of time but also opened new horizons for malware lurking on USB sticks. Some of the examples of autorun malware include the Sony BMG Rootkit and the Conficker Worm. Both viruses automatically attack the computer once an infected USB stick or disc is inserted.
HOW TO REMOVE AUTORUN MALWARE FROM YOUR COMPUTER:
- Disable the autorun function.
- Search every drive’s root for inf.
- Open the file with Notepad.
- Look for Label= and shellexecute= lines and save the name of the file marked with those lines.
- Close the autorun.inf file.
- Delete it.
- Find the file you have
- Delete that file as well.
22. DRIVER UPDATE
This is one of the most complicated attacks because it uses the VeriSign Class 3 Organizational Certificate that allows malware to be marked as “verified.” This way, the virus is identified as a trusted Microsoft program. Luckily, this attack is very complicated to pull off, and because of that, it is not that common.
23. RAM DUMP ATTACK
This malware is stored on a USB device, and it harvests the data from RAM. Attackers use memory dump to infiltrate a victim’s computer. Once they do that, they have access to decryption keys and passwords. This malware is especially convenient for extracting data from point-of-sale (POS) systems.
HOW TO AVOID RAM DUMP ATTACKS:
- Use strong passwords.
- Use an antivirus program.
- Use firewall.
- Keep the software updated.
- Restrict internet access.
- Disable remote access.
24. BUFFER OVERFLOW-BASED ATTACKS
Buffer overflow is an error in the code that occurs when there is more data than the buffer can handle. This is a system’s weak spot, and it can be easily exploited in the service of a malware attack. The code in the malware can be used for gaining access to one’s computer.
25. DEVICE FIRMWARE UPGRADE
Another sneaky way of inserting malware into a USB device is replacing the legitimate firmware with an infected version.
WHAT CAN YOU DO?
To protect your USB device from the malicious upgrade, you can disable firmware updates.
26. USB THIEF
USB Thief is malware that operates incognito on USB devices and uses portable apps such as Firefox or TrueCrypt. It has a strong self-protection mechanism and cannot be copied. The purpose of this malware is to collect data from computers that are not connected to the internet.
27. USBEE ATTACK
USBee Attack is, one might say, probably the work of a mastermind. Until this method was invented, somebody had to bring an infected USB device into the building. However, USBee uses devices that are already in the facility and turns them into data transmitters. This attack can be conducted even if the computer is not connected to the internet.
28. ATTACKS ON SMARTPHONES
Malicious programs can be inserted even into smartphones with USB chargers. Make sure not to charge your phone with public chargers in coffee shops or airports because these devices can be corrupted. Also, do not plug in your phone into a computer.
HOW TO REMOVE MALWARE FROM A SMARTPHONE:
- First, you will have to uninstall suspicious apps from your phone. Go to Settings/Applications, select the one you want to uninstall and click Uninstall.
- Restart your phone.
- Scan the phone with a mobile antivirus program, such as Avast’s free mobile security tool.
- Delete all malicious apps.
29. USB KILLER
USB Killer is a type of electrical attack. The device has the capacity to physically destroy the entire hardware system. Unfortunately, the computer will not recover from this.
IF YOUR COMPUTER IS INFECTED, HERE’S WHAT TO DO:
According to researchers, there are no fully guaranteed methods to get rid of malware coming through USB stick. You can try conventional techniques listed below; however, nobody can guarantee they will work every time or for every type of attack.
1. One of those methods is restoring your operating system to the previous version. If you are Windows 10 user, you can do the following:
- Go to My Computer
- Click Properties
- Click System Protection
- Select System Restore/ Choose a Different Restore Point
- Click Next
- Select the convenient date
Make sure that all of your files are backed up because once you restore your operating system to the previous version, all programs that were installed after the selected date will be lost.
- Click Finish
2. Another method is trying to uninstall the malware from your Programs (Apps) and Features:
- Hold Windows+ X
- Select Apps and Features
- Find the malware
- Select it
- Click Uninstall
Luckily, my computer is not infected with malware, so for demonstration I used Skype.
3. You can also use the uninstall command:
- Hold Windows+ R
- Type regedit
- Find the malware
- Double click on the UninstallString
- Copy Value Data
- Hold Windows+ R
- Paste Value Data
- Click OK
- Follow the wizard
HOW TO STAY SAFE
There are several general rules you need to follow to protect your USB stick, computer and smartphone from malware. You can at least try to do so with these recommendations:
- Always use your own (don't share)
- Do not use USB devices you find in a coffee shop or on the street.
- Connect to the 3G network rather than public Wi-Fi.
- If possible, block USB devices.
- Scan your keyboard, USB stick, mouse and other peripherals for malware.
- Disable updates to your peripheral devices.
For the majority of these malware threats, there is no certain strategy on how to get rid of it once you are infected. You can try the methods listed above, but nobody can guarantee it will work.
Also, in most cases, you have to have enough skill to identify the malware without the help of an outside security program. The last option is to re-install your operating system and hope for the best—sometimes, even this doesn’t help.
On the other hand, there are some measures users can take to make their USB devices and computers safer. For instance, do not use someone else’s USB stick, always bring your own charger, use an antivirus program and scan your systems on a regular basis."
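The autorun.inf clean-up steps in the quoted article (search each drive root, read the Label= and shellexecute= lines, find the file they name) can be scripted so the operator sees what the file points at before deleting anything. This is an added example, not code from the article; the sample autorun.inf is constructed, and the script only reports, it never deletes.

```python
"""Inspect autorun.inf on a drive root and list the files it would launch."""
import configparser
import os
import re
import sys

# [autorun] keys whose value names a file on the drive (what the article's steps 4 and 7 look for).
LAUNCH_KEYS = ("open", "shellexecute", "icon")

# Constructed sample autorun.inf, shaped like the entries the steps say to look for.
SAMPLE_AUTORUN_INF = """; constructed sample, not taken from a real drive
[AutoRun]
Label=Holiday Photos
Icon=photos.exe,0
Open=photos.exe
ShellExecute=photos.exe /silent
"""


def parse_autorun(text):
    """Return the [autorun] entries as {lowercase key: value}; {} if there is no such section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        parser.read_string(text)          # configparser lowercases option names for us
    except configparser.Error:            # no section header, garbage, etc.
        return {}
    for section in parser.sections():     # section names are case-sensitive, so match loosely
        if section.lower() == "autorun":
            return {k: (v or "").strip() for k, v in parser.items(section)}
    return {}


def referenced_files(entries):
    """File names the launch keys point at: quoted path or first token, with ",<icon index>" dropped."""
    files = []
    for key in LAUNCH_KEYS:
        value = entries.get(key, "")
        match = re.match(r'\s*"([^"]+)"|\s*(\S+)', value)
        if not match:
            continue
        name = (match.group(1) or match.group(2)).split(",")[0]
        if name and name not in files:
            files.append(name)
    return files


def inspect_drive_root(root):
    """Report for one drive root: the autorun label and which referenced files exist there."""
    path = os.path.join(root, "autorun.inf")
    result = {"autorun_inf": None, "label": "", "present": [], "missing": []}
    if not os.path.isfile(path):
        return result
    with open(path, encoding="utf-8", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    result["autorun_inf"] = path
    result["label"] = entries.get("label", "")
    for name in referenced_files(entries):
        bucket = "present" if os.path.exists(os.path.join(root, name)) else "missing"
        result[bucket].append(name)
    return result


if __name__ == "__main__":
    # Usage: inspect_autorun.py E:\ F:\ ...  (drive roots); with no arguments, parse the sample.
    if len(sys.argv) == 1:
        entries = parse_autorun(SAMPLE_AUTORUN_INF)
        print("label:", entries.get("label"), "| launches:", referenced_files(entries))
    for root in sys.argv[1:]:
        print(root, inspect_drive_root(root))
```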
I had not considered that last line. USB-C chargers are becoming more common now, but they also transport data (though some existing chargers already do that). Any dataline can be perverted.
John Ratsey Moderately inquisitive Super Moderator
An antidote for some of the threats is to use USB cables which only carry power but not data for charging phones or other devices using public USB power sockets.
John
CIRCLean - USB key sanitizer
http://circl.lu/projects/CIRCLean/
https://github.com/CIRCL/Circlean
https://linuxsecurity.expert/tools/circlean/
https://linuxsecurity.expert/tools/circlean/alternatives/
"Malware regularly uses USB sticks to infect victims, and the abuse of USB sticks is a common vector of infection (as an example Lost USB keys have 66% chance of malware).
CIRCLean is an independent hardware solution to clean documents from untrusted (obtained) USB keys / USB sticks. The device automatically converts untrusted documents into a readable but disarmed format and stores these clean files on a trusted (user owned) USB key/stick.
The focus of CIRCLean is to establish document exchange even if the used transport layer (the USB stick) cannot be trusted or if there is a suspicion about whether the contained documents are free of malware or not. In the worst case, only the CIRCLean would be compromised, but not the computer reading the target (trusted) USB key/stick.
The code runs on a Raspberry Pi (a small hardware device), which also means it is not required to plug the original USB key into a computer. CIRCLean can be seen as a kind of air gap between the untrusted USB key and your operational computer.
CIRCLean does not require any technical prerequisites of any kind and can be used by anyone. CIRCLean is free software which can be audited and analyzed by third-parties. We also invite all organizations to actively reuse CIRCLean in their own products or contribute to the project.
...
How to get your own instance
The source code with all the sources to convert the content and the scripts needed to build your own image to write onto an SD card are available.
If you prefer to use a pre-build image (last update: 2018-01-29), you can use:
2018-01-29_CIRCLean.img.gz - SHA256: 925bb0fb7bfd2ea8f71320eca5c5413401b1f1ddb26ef030ebf13051b2698160
Please make sure you received the right file by checking the hash.
You can also verify the integrity of this web page by checking the PGP detached signature.
Feedback is more than welcome."
Starlight5 Yes, I'm a cat. What else is there to say, really?
I receive and test many new USB devices (hubs, sound cards, adapters, hdd/ssd enclosures, etc - everything except flash drives) on a regular basis, how do I check if they are safe?
I've been running the same tool for years, and it blocks USB devices and locks USB Drive access. There isn't much to the detection protection, you'll need additional malware / virus detection software too, but it's a good blocker to stop accidental infections.
This one has the added advantage of supporting legacy OS's:
USB Disk Security
Software won't protect against USB electrical hacks, so I would suggest that besides whatever software solution you pick to stop infection on all of your machines, you also have a "throw-away" machine with a separate USB port card - and don't plug into your motherboard USB ports - that way if you get a bad device that tries to fry your USB port it only damages an under $10 USB card.
You could install detection and scanning malware / anti-virus software on that machine and use it to pre-screen all USB devices before moving them on to use in your office.
You could also run Linux as most malware doesn't expect that as it's host and won't be active, that's why Linux / RaspberryPi was chosen for the CIRCLean tool, you could set up Linux + CIRCLean and other tools on that USB device Pre-Screening machine to extract files without infection and transfer to another USB device or to the file system on your pre-screening machine.
Here are some other USB protection software tools to consider:
MCShield - Supports Windows 10 and also supports legacy OS's
Alternatives to USB Disk Security - Discontinued
Top Alternatives to BitDefender USB Immunizer for Windows
Starlight5 Yes, I'm a cat. What else is there to say, really?
@hmscott thank you. I don't use USB flash drives, at all, while as far as I understand all the software linked above seems to be focused on them and not on other devices. So, I personally need to verify USB hubs, SSD enclosures, sound cards, ethernet adapters and similar devices - not something fancy or complex. I have a few raspberry pis and would rather use one of them for testing, instead of a separate Windows machine. What would be your recommendation in this particular scenario?
As far as the other USB devices, that's why I suggested a USB expansion card instead of plugging them in the motherboard. That way if there is an electrical problem - or electronic kill payload (battery or USB power short) on the device it will destroy the expansion card USB port, instead of the one on the motherboard.
If the other non-storage USB devices have a physically hidden storage device piggy backed onto the USB device to deliver malware, that storage will also be treated the same and that storage will be blocked from loading the malware by the USB security software.
If you plug in a non-storage USB device and a storage device shows up on the USB Security Software, then you've found a baddie and can then disassemble it and remove the piggy backed storage device, although for the most part - they are cheap enough that you could just destroy it and be done with it.
You don't *need* to use a Raspberry Pi device to host a Linux / USB software solution, it's just a simple inexpensive example used to show how you can dedicate an inexpensive device to the task instead of using a whole full PC.
Using the CIRCLean tool + a new inexpensive Raspberry Pi device kit, you could set up Linux + CIRCLean as a dedicated device - maybe buy a minimal kit to put it all together easily. Or, use an old PC running Windows + USB Security software + USB expansion slot card, either way works.
If you find anything else interesting in this realm, please let us know.
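For the check hmscott describes above (a non-storage device that nonetheless shows up as storage), here is an added example script, not one of the tools linked in the thread: it reads Linux sysfs, so it runs on the Raspberry Pi Starlight5 mentioned, lists the interface classes each USB device exposes, and flags HID or mass-storage interfaces the tester did not expect from that product. The sysfs path is the standard Linux one; the sample devices are constructed.

```python
"""List the USB interface classes each attached device exposes, via Linux sysfs."""
import os
import sys

# USB interface class codes (bInterfaceClass) as sysfs prints them, mapped to names.
CLASS_NAMES = {
    "00": "per-interface", "01": "audio", "02": "cdc-comm", "03": "hid",
    "06": "image", "07": "printer", "08": "mass-storage", "09": "hub",
    "0a": "cdc-data", "0b": "smartcard", "0e": "video", "e0": "wireless",
    "ef": "misc", "fe": "app-specific", "ff": "vendor-specific",
}
# Interfaces that let a device type keystrokes (HID) or present a filesystem
# (mass storage): the two behaviours most of the quoted attacks rely on.
SENSITIVE = {"03", "08"}


def _read(path):
    """Read one sysfs attribute, or "" if it is absent."""
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return ""


def enumerate_devices(sysfs_root="/sys/bus/usb/devices"):
    """Map each attached USB device to its vendor/product ids and interface classes."""
    devices = {}
    try:
        names = sorted(os.listdir(sysfs_root))
    except OSError:
        return devices
    for name in names:
        base = os.path.join(sysfs_root, name)
        # Device nodes look like "1-1.3", interface nodes like "1-1.3:1.0"; skip root hubs.
        if ":" in name or name.startswith("usb") or not os.path.exists(os.path.join(base, "idVendor")):
            continue
        devices[name] = {"vid": _read(os.path.join(base, "idVendor")),
                         "pid": _read(os.path.join(base, "idProduct")),
                         "product": _read(os.path.join(base, "product")),
                         "classes": []}
    for name in names:
        dev, sep, _ = name.partition(":")
        if sep and dev in devices:
            cls = _read(os.path.join(sysfs_root, name, "bInterfaceClass")).lower()
            if cls:
                devices[dev]["classes"].append(cls)
    return devices


def unexpected_interfaces(classes, expected):
    """Sensitive classes the device exposes that the tester did not expect from it."""
    return sorted((set(classes) & SENSITIVE) - set(expected))


def report(devices, expected=()):
    """One line per device; '** REVIEW' marks unexpected HID or storage interfaces."""
    lines = []
    for name, info in devices.items():
        classes = ", ".join(CLASS_NAMES.get(c, c) for c in info["classes"]) or "none"
        line = f"{name} {info['vid']}:{info['pid']} {info['product'] or '?'} -> {classes}"
        extra = unexpected_interfaces(info["classes"], expected)
        if extra:
            line += "  ** REVIEW: unexpected " + ", ".join(CLASS_NAMES[c] for c in extra)
        lines.append(line)
    return lines


# Constructed sample: a hub, and a "sound card" that also exposes a storage interface.
SAMPLE_DEVICES = {
    "1-1.2": {"vid": "0000", "pid": "0001", "product": "USB2.0 Hub", "classes": ["09"]},
    "1-1.3": {"vid": "0000", "pid": "0002", "product": "USB Audio", "classes": ["01", "01", "08"]},
}

if __name__ == "__main__":
    # Usage: usbclasses.py [expected-class ...], e.g. "08" when testing an SSD enclosure.
    expected = sys.argv[1:]
    live = enumerate_devices()
    print("\n".join(report(live if live else SAMPLE_DEVICES, expected)))
```

Run it once with the device unplugged and once plugged in, and the new line is the device under test; a hub or audio adapter that gains a mass-storage or hid interface is the case worth opening up.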
Here is an interesting targeted malware delivered by USB:
BeatCoin: Leaking Private Keys from Air-Gapped Cryptocurrency Wallets
http://forum.notebookreview.com/thr...l-transformation.812591/page-36#post-10718307
Here's an example of what kind of things you are up against should random USB devices "show up" out of the blue; a heads up on what to watch out for as well as what people are up to...
Nefarious USB Cables - Hak5 2408
Exploding USB Drives - Hak5 2407
Kim Jong Un received a USB from South Korea's president with a blueprint for connecting North Korea with the world
Tara Francis Chan, 1m ago...
http://www.businessinsider.com/kim-jong-un-received-a-usb-from-south-koreas-president-2018-5
- "Kim Jong Un received a USB from South Korea's president during their summit at the DMZ in April.
- The USB contained a presentation and e-book containing a blueprint for economic cooperation between the two countries that could link North Korea to Russia, China, and Europe through trade and trains.
- The USB appears to provide a further incentive for Kim to keep the agreements made between North and South Korea at the summit.
- USBs are regularly smuggled over the border into North Korea to promote South Korean and Western entertainment and news."
I'm surprised that this is news. Even in Hollywood, spies steal data by plugging in some super duper USB stick, usually followed by the spy doing everything possible to distract the target and avoid detection until the progress bar reaches 100%, at which point the USB is discreetly unplugged and the spy comes up with an excuse to make a swift retreat.
IBM bans all removable storage, for all staff, everywhere
Risk of ‘financial and reputational damage’ is too high, says CISO
By Simon Sharwood, APAC Editor 10 May 2018 at 05:01
https://www.theregister.co.uk/2018/05/10/ibm_bans_all_removable_storage_for_all_staff_everywhere/
"IBM has banned its staff from using removable storage devices.
In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).”
The advisory stated some pockets of IBM have had this policy for a while, but “over the next few weeks we are implementing this policy worldwide.”
Big Blue’s doing this because “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.”
IBMers are advised to use Big Blue’s preferred sync ‘n’ share service to move data around.
But the advisory also admitted that the move may be “disruptive for some.”
She’s not wrong: The Register understands that frontline IBM staff sometimes need to download patches so they can be installed on devices they manage for clients and that bootable USB drives are one means of installing those patches.
Indeed, IBM offers advice on how to install Linux on its own POWER 9 servers using a USB key. ®
UPDATE: Since publishing this story we've heard whispers that IBM has taken note of staff objections to the removable storage ban, especially when doing software updates, and is considering making a few exemptions."
Kingstons Robert Allen talks about CyberSecurity! is YOUR DATA SECURE?
KitGuruTech
Published on Jul 24, 2018
Andrzej recently had time to sit and chat with Kingston's Robert Allen - Director of Marketing and technical services. Rob wanted to update us on the efforts Kingston are making to ensure their customers drives and flash storage is secure! How important is this for you?
Is your encrypted USB drive secure?
August 10, 2017
https://www.kaspersky.com/blog/encrypted-usb-drives-audit/17948/
"How can you be sure the “secure” USB drive you’re using is really secure and the data you store on it can’t be extracted? That’s exactly the question Google’s security researchers Ellie Bursztein, Jean-Michel Picod, and Rémi Audebert addressed in their talk, “ Attacking encrypted USB keys the hard(ware) way,” at the recent Black Hat USA 2017. (PDF)"
Apple’s USB Restricted Mode: how to use your iPhone’s latest security feature
By Chris Welch @chriswelch, Jul 10, 2018, 12:31pm EDT
https://www.theverge.com/2018/7/10/17550316/apple-iphone-usb-restricted-mode-how-to-use-security
This rigged charger can hijack your new laptop
Dave Lee, 10 August 2018
https://www.bbc.co.uk/news/technology-45139397
"A neat feature of many modern laptops is the ability to power them up through the USB port. Unlike the rectangular USB ports of old, the newer type - USB-C - can carry enough power to charge your machine.
That’s great news: it means you don’t need to add a separate port just for charging. And when the USB port isn’t being used for power, it can be used for something useful, like plugging in a hard drive, or your phone.
But while you and I may look at that as an improvement, hackers see an opportunity to exploit a new vulnerability..."
Discussion in 'Accessories' started by hmscott, Apr 25, 2018.