29 Types of USB Attacks and How to Stay Safe from Them

Discussion in 'Accessories' started by hmscott, Apr 25, 2018.

  1. hmscott

    29 Types of USB Attacks and How to Stay Safe from Them
    By Bruno, April 15, 2018
    https://securityzap.com/usb-attacks/

    "Recently, researchers from Ben-Gurion University of the Negev in Israel have discovered 29 (yes, you read it correctly) ways someone can insert malware into your computer or smartphone via USB port. Luckily, the team of experts suggested solutions on how to stay safe and what to do if attacked.

    All 29 malware attacks are divided into four categories:
    • Attacks that reprogram the
    • Attacks that reprogram USB’s firmware.
    • Malware that takes advantage of the flaws in the operating
    • Electrical attacks.
    This short guide will try to shed some light on these pieces of malware and what steps you can take to protect your data—whether your computer has already been infected or to prevent the infection in the first place.

    Note that these steps are very general, and they might not work against all these threats, that’s why we placed the “What to do now?” section at the end of this guide (with the exception of those threats that have had their protective measures specifically identified by the researchers).

    1. RUBBER DUCKY
    Rubber Ducky is a ransomware threat developed in 2010 with a primary aim to encrypt your files by acting as a keyboard with pre-entered keystrokes. It works on every operating system that recognizes a USB stick as the main input device—keyboard.

    The most probable scenario is that the attacker will offer a PIN code to decrypt the files in exchange for money. Unfortunately, a simple Google search shows that the Rubber Ducky USB stick is available for purchase for a mere $50.

    2. PHUKD/URFUKED
    This malware works on the same principle as Rubber Ducky, with a subtle difference that allows the attacker(s) to choose a specific time to activate the keystrokes thanks to a programmed timer.

    3. EVILDUINO
    Evilduino uses an Arduino microcontroller, reprograms it and injects malicious keyboard and mouse strokes in your computer.

    WHAT TO DO IF YOU ARE INFECTED WITH EVILDUINO:
    You can try to uninstall it with a third-party tool that will scan your computer and look for malware and other issues that can affect your device. Make sure to use a trusted tool that can identify Evilduino, locate it and uninstall it. Try one of these:
    4. USBDRIVEBY
    Another malware that reprograms microcontrollers and uses a pre-entered keyboard and mouse strokes is USBdriveby. This malware changes DNS settings and unlocks the computer. The device, called Teensy, is one of the commonly used products for this purpose. It can be purchased on Amazon for just $20.

    5. USB HARDWARE TROJAN
    The USB hardware Trojan uses USB channels such as speakers and keyboard to exfiltrate and compromise users’ data. This Trojan uses two types of channels that are not safeguarded by endpoint security protections—kernel-space and user-space.

    WHAT TO DO IF YOUR COMPUTER IS INFECTED WITH THE USB HARDWARE TROJAN?
    One of the solutions experts recommend is Real-Time Protection, which identifies and blocks the threat before it starts extracting data. If you are a Windows 10 user:
    1. GO TO SETTINGS/ WINDOWS DEFENDER
    2. CLICK ON OPEN WINDOWS DEFENDER SECURITY CENTER
    3. CLICK VIRUS & THREAT PROTECTION
    4. GO TO VIRUS & THREAT PROTECTION SETTINGS
    5. TURN ON REAL-TIME PROTECTION

    6. RIT (READ IT TWICE) ATTACK VIA USB MASS STORAGE

    This malware monitors the target user’s activity and alters files on the infected computer by using a USB mass storage device. RIT can be transmitted not only by USB devices but also by any other external storage unit.

    HOW TO REMOVE RIT FROM YOUR COMPUTER:
    To get rid of RIT, try an anti-malware program (Comodo, for example). To install Comodo and remove the threat from your computer, follow these steps.

    7. ATTACKS ON WIRELESS USB DONGLES
    One of the most famous attacks from this category is KeySweeper. It is a USB wall charger that collects data from all wireless keyboards that are in range. The malware attacks Microsoft keyboards manufactured before 2011. Luckily, later models are more difficult to hack.

    HOW TO PROTECT YOUR COMPUTER:
    To stay safe even if your computer is in KeySweeper’s range, use a keyboard that operates by using Bluetooth technology.

    8. TURNIPSCHOOL
    This USB spyware tool was inspired by the National Security Agency’s Cottonmouth program, whose main purpose was to spy on people of interest, collect data and take control of a target’s computer. Needless to say, the device is controlled by radio.

    9. DEFAULT GATEWAY OVERRIDE
    In this scenario, the infected USB stick affects the functioning of the Ethernet adapter and changes the DNS settings. This way, all data is transferred to the hacker’s server.

    10. SMARTPHONE-BASED HID ATTACKS
    Another type of threat vector is attacks where hackers reprogram USB’s firmware. The malware changes the way a smartphone interacts with the keyboard and mouse. It mimics these peripherals and sends pre-entered keystrokes to the victim’s smartphone.

    11. KEYBOARD EMULATION BY MODIFIED USB FIRMWARE
    This is another example of how tampered USB firmware can be used for simulating the keyboard. As already mentioned, this type of malware sends pre-determined keystrokes to the victim’s computer.

    12. HIDDEN PARTITION PATCH
    The USB drive is used as a hidden partition acting like a normal drive, only it cannot be detected or formatted. The purpose of this virus is to exfiltrate data from your computer.

    13. DNS OVERRIDE BY MODIFIED USB FIRMWARE
    Similar to the Default Gateway Override, this malware changes DNS settings and redirects traffic to the attacker’s server. However, in this case, it is not the microcontroller that is altered, but the USB’s firmware.

    POSSIBLE PROTECTIVE MEASURES:
    There’s not much you can do—if infected with this type of malware, you will probably have to reinstall the entire operating system.

    14. BOOT SECTOR VIRUS
    The infected USB stick recognizes the type of operating system based on how it interacts with it. Then, the malware boots the system from the USB.

    15. PASSWORD PROTECTION BYPASS PATCH
    Password Protection Bypass Patch does just what its name suggests—it enables access to password-protected content by altering the USB’s firmware.

    16. VIRTUAL MACHINE BREAK-OUT
    In this scenario, researchers have shown how reprogrammed USB firmware can hijack the user’s VirtualBox or their laptop camera for spying.

    17. ISEEYOU
    Similar to the previous example, researchers have shown how reprogrammed USB firmware can be used for spying on users with their own cameras. The virus even disabled the LED light on the camera, so the user is not even aware that they are being monitored.

    18. STUXNET
    This malware, together with the below Fanny Worm, uses unprogrammed USB devices and operating system flaws for the purpose of cyber espionage. The malware was famously used to spy on the Iranian nuclear program.

    19. FANNY WORM
    Fanny Worm is not just similar to Stuxnet; it’s also possibly related to it. Fanny Worm operates on the same principle and is convenient for spying on computers that are not connected to the internet by exploiting Microsoft’s LNK vulnerability. It was developed by Equation Group, a code name for the NSA as revealed by researchers in 2015.

    20. DATA HIDING ON USB MASS STORAGE DEVICES
    Researchers have shown that even USB sticks that seem empty can contain malware or stolen data. They can be placed in an invisible file or outside of the regular partition.

    21. AUTORUN EXPLOITS
    Windows’ autorun option saved users a lot of time but also opened new horizons for malware lurking on USB sticks. Some of the examples of autorun malware include the Sony BMG Rootkit and the Conficker Worm. Both viruses automatically attack the computer once an infected USB stick or disc is inserted.

    HOW TO REMOVE AUTORUN MALWARE FROM YOUR COMPUTER:
    • Disable the autorun function.
    • Search every drive’s root for inf.
    • Open the file with Notepad.
    • Look for Label= and shellexecute= lines and save the name of the file marked with those lines.
    • Close the autorun.inf file.
    • Delete it.
    • Find the file you have
    • Delete that file as well.
    22. DRIVER UPDATE
    This is one of the most complicated attacks because it uses the VeriSign Class 3 Organizational Certificate that allows malware to be marked as “verified.” This way, the virus is identified as a trusted Microsoft program. Luckily, this attack is very complicated to pull off, and because of that, it is not that common.

    23. RAM DUMP ATTACK
    This malware is stored on a USB device, and it harvests the data from RAM. Attackers use memory dump to infiltrate a victim’s computer. Once they do that, they have access to decryption keys and passwords. This malware is especially convenient for extracting data from point-of-sale (POS) systems.

    HOW TO AVOID RAM DUMP ATTACKS:
    • Use strong passwords.
    • Use an antivirus program.
    • Use firewall.
    • Keep the software updated.
    • Restrict internet access.
    • Disable remote access.
    24. BUFFER OVERFLOW-BASED ATTACKS
    Buffer overflow is an error in the code that occurs when there is more data than the buffer can handle. This is a system’s weak spot, and it can be easily exploited in the service of a malware attack. The code in the malware can be used for gaining access to one’s computer.

    25. DEVICE FIRMWARE UPGRADE
    Another sneaky way of inserting malware into a USB device is replacing the legitimate firmware with an infected version.

    WHAT CAN YOU DO?
    To protect your USB device from the malicious upgrade, you can disable firmware updates.

    26. USB THIEF
    USB Thief is malware that operates incognito on USB devices and uses portable apps such as Firefox or TrueCrypt. It has a strong self-protection mechanism and cannot be copied. The purpose of this malware is to collect data from computers that are not connected to the internet.

    27. USBEE ATTACK
    USBee Attack is, one might say, probably the work of a mastermind. Until this method was invented, somebody had to bring an infected USB device into the building. However, USBee uses devices that are already in the facility and turns them into data transmitters. This attack can be conducted even if the computer is not connected to the internet.

    28. ATTACKS ON SMARTPHONES
    Malicious programs can be inserted even into smartphones with USB chargers. Make sure not to charge your phone with public chargers in coffee shops or airports because these devices can be corrupted. Also, do not plug your phone into a computer.

    HOW TO REMOVE MALWARE FROM A SMARTPHONE:
    • First, you will have to uninstall suspicious apps from your phone. Go to Settings/Applications, select the one you want to uninstall and click Uninstall.
    • Restart your phone.
    • Scan the phone with a mobile antivirus program, such as Avast’s free mobile security tool.
    • Delete all malicious apps.
    29. USB KILLER
    USB Killer is a type of electrical attack. The device has the capacity to physically destroy the entire hardware system. Unfortunately, the computer will not recover from this.

    IF YOUR COMPUTER IS INFECTED, HERE’S WHAT TO DO:

    According to researchers, there are no fully guaranteed methods to get rid of malware coming through USB stick. You can try conventional techniques listed below; however, nobody can guarantee they will work every time or for every type of attack.

    1. One of those methods is restoring your operating system to the previous version. If you are a Windows 10 user, you can do the following:
    • Go to My Computer
    • Click Properties
    • Click System Protection
    • Select System Restore/ Choose a Different Restore Point
    • Click Next
    • Select the convenient date
    • Click Finish
    Make sure that all of your files are backed up because once you restore your operating system to the previous version, all programs that were installed after the selected date will be lost.

    2. Another method is trying to uninstall the malware from your Programs (Apps) and Features:
    • Hold Windows + X
    • Select Apps and Features
    • Find the malware
    • Select it
    • Click Uninstall
    Luckily, my computer is not infected with malware, so for demonstration I used Skype.

    3. You can also use the uninstall command:
    • Hold Windows + R
    • Type regedit
    • Find the malware
    • Double click on the UninstallString
    • Copy Value Data
    • Hold Windows + R
    • Paste Value Data
    • Click OK
    • Follow the wizard
    HOW TO STAY SAFE
    There are several general rules you need to follow to protect your USB stick, computer and smartphone from malware. You can at least try to do so with these recommendations:
    • Always use your own (don't share)
    • Do not use USB devices you find in a coffee shop or on the street.
    • Connect to the 3G network rather than public Wi-Fi.
    • If possible, block USB devices.
    • Scan your keyboard, USB stick, mouse and other peripherals for malware.
    • Disable updates to your peripheral devices.
    For the majority of these malware threats, there is no certain strategy on how to get rid of it once you are infected. You can try the methods listed above, but nobody can guarantee it will work.

    Also, in most cases, you have to have enough skill to identify the malware without the help of an outside security program. The last option is to re-install your operating system and hope for the best—sometimes, even this doesn’t help.

    On the other hand, there are some measures users can take to make their USB devices and computers safer. For instance, do not use someone else’s USB stick, always bring your own charger, use an antivirus program and scan your systems on a regular basis."
     
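The autorun.inf clean-up steps in the quoted article (look for the Label= and shellexecute= lines, note the file they name, then delete both) can be scripted for triage. This is an added example, not code from the article or from anyone in the thread: it looks for autorun.inf in the drive roots you pass, parses the [autorun] section tolerantly, and reports the files that section would launch. SAMPLE_INF is a constructed sample, not a real capture.

```python
import os
import re
from typing import Dict, List

# Keys the clean-up steps look for; shell\<verb>\command entries launch files too.
_KEYS = {"open", "shellexecute", "icon", "label", "action"}
_SECTION_RE = re.compile(r"^\s*\[\s*autorun(?:\.[a-z0-9]+)?\s*\]\s*$", re.I)
_KV_RE = re.compile(r"^\s*([A-Za-z0-9_\\]+)\s*=\s*(.*?)\s*$")

def parse_autorun(text: str) -> Dict[str, str]:
    """Relevant key/value pairs of the [autorun] section, keys lower-cased.
    Other sections, ';' comments and junk lines (common in worm-dropped
    copies, which also play with casing) are skipped rather than fatal."""
    entries: Dict[str, str] = {}
    in_section = False
    for line in text.splitlines():
        if _SECTION_RE.match(line):
            in_section = True
            continue
        if line.lstrip().startswith("["):        # a different section starts
            in_section = False
            continue
        if not in_section or line.lstrip().startswith(";"):
            continue
        m = _KV_RE.match(line)
        if m:
            key = m.group(1).lower()
            if key in _KEYS or key.startswith("shell\\"):
                entries[key] = m.group(2)
    return entries

def _first_token(value: str) -> str:
    """Program name from a command line: the quoted path or the first word."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def launched_files(entries: Dict[str, str]) -> List[str]:
    """Files that open=, shellexecute= or shell\\...\\command= would run;
    these are the ones to remove together with the autorun.inf itself."""
    files: List[str] = []
    for key, value in entries.items():
        if key in ("open", "shellexecute") or key.endswith("\\command"):
            target = _first_token(value)
            if target and target not in files:
                files.append(target)
    return files

def scan_roots(roots: List[str]) -> Dict[str, List[str]]:
    """Map each autorun.inf found in the given drive roots (e.g. ['E:\\\\']
    on Windows, ['/media/usb0'] on Linux) to the files it would launch."""
    findings: Dict[str, List[str]] = {}
    for root in roots:
        inf = os.path.join(root, "autorun.inf")
        if os.path.isfile(inf):
            with open(inf, "rb") as fh:            # binary read: junk bytes are common
                text = fh.read().decode("latin-1")
            findings[inf] = launched_files(parse_autorun(text))
    return findings

# Constructed sample in the style of a worm-dropped autorun.inf (not real data).
SAMPLE_INF = """[AutoRun]
;junk\x01\x02 line the parser has to survive
OPEN=RECYCLER\\setup.exe /q
shellexecute="RECYCLER\\setup.exe" -autorun
shell\\open\\command=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=My Documents
UseAutoPlay=1
"""
```

Run `scan_roots` with the removable drive's root to see what the file references before deleting anything; the label= and icon= values stay in the parsed dictionary for inspection but are not treated as launch targets.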
  2. jeremyshaw

    I had not considered that last line. USB-C chargers are becoming more common now, but they also transport data (though some existing chargers already do that). Any dataline can be perverted.
     
  3. Raidriar

    Stay safe:
    (image)
     
  4. John Ratsey

    An antidote for some of the threats is to use USB cables which only carry power but not data for charging phones or other devices using public USB power sockets.

    John
     
  5. hmscott

    CIRCLean - USB key sanitizer
    http://circl.lu/projects/CIRCLean/
    https://github.com/CIRCL/Circlean
    https://linuxsecurity.expert/tools/circlean/
    https://linuxsecurity.expert/tools/circlean/alternatives/


    "Malware regularly uses USB sticks to infect victims, and the abuse of USB sticks is a common vector of infection (as an example Lost USB keys have 66% chance of malware).

    CIRCLean is an independent hardware solution to clean documents from untrusted (obtained) USB keys / USB sticks. The device automatically converts untrusted documents into a readable but disarmed format and stores these clean files on a trusted (user owned) USB key/stick.

    The focus of CIRCLean is to establish document exchange even if the used transport layer (the USB stick) cannot be trusted or if there is a suspicion about whether the contained documents are free of malware or not. In the worst case, only the CIRCLean would be compromised, but not the computer reading the target (trusted) USB key/stick.

    The code runs on a Raspberry Pi (a small hardware device), which also means it is not required to plug the original USB key into a computer. CIRCLean can be seen as a kind of air gap between the untrusted USB key and your operational computer.

    CIRCLean does not require any technical prerequisites of any kind and can be used by anyone. CIRCLean is free software which can be audited and analyzed by third-parties. We also invite all organizations to actively reuse CIRCLean in their own products or contribute to the project.
    ...
    How to get your own instance
    The source code with all the sources to convert the content and the scripts needed to build your own image to write onto an SD card are available.

    If you prefer to use a pre-build image (last update: 2018-01-29), you can use:

    2018-01-29_CIRCLean.img.gz - SHA256: 925bb0fb7bfd2ea8f71320eca5c5413401b1f1ddb26ef030ebf13051b2698160

    Please make sure you received the right file by checking the hash.

    You can also verify the integrity of this web page by checking the PGP detached signature.

    Feedback is more than welcome."
     
  6. Starlight5

    I receive and test many new USB devices (hubs, sound cards, adapters, hdd/ssd enclosures, etc - everything except flash drives) on a regular basis, how do I check if they are safe?
     
    Last edited: Apr 26, 2018
  7. hmscott

    I'd suggest reading current reviews of USB Security Software to know what's favored today for Windows 10 if that's what you are forced to use. Please post what you find best for Windows 10 so others can benefit.

    I've been running the same tool for years, and it blocks USB devices and locks USB Drive access. There isn't much to the detection protection, you'll need additional malware / virus detection software too, but it's a good blocker to stop accidental infections.

    This one has the added advantage of supporting legacy OS's:

    USB Disk Security

    Software won't protect against USB electrical hacks, so I would suggest that besides whatever software solution you pick to stop infection on all of your machines, you also have a "throw-away" machine with a separate USB port card - and don't plug into your motherboard USB ports - that way if you get a bad device that tries to fry your USB port it only damages an under $10 USB card.

    You could install detection and scanning malware / anti-virus software on that machine and use it to pre-screen all USB devices before moving them on to use in your office.

    You could also run Linux, as most malware doesn't expect it as its host and won't be active; that's why Linux / Raspberry Pi was chosen for the CIRCLean tool. You could set up Linux + CIRCLean and other tools on that USB device pre-screening machine to extract files without infection and transfer them to another USB device or to the file system on your pre-screening machine.

    Here are some other USB protection software tools to consider:

    MCShield - Supports Windows 10 and also supports legacy OS's

    Alternatives to USB Disk Security - Discontinued

    Top Alternatives to BitDefender USB Immunizer for Windows
     
    Last edited: Apr 26, 2018
  8. Starlight5

    @hmscott thank you. I don't use USB flash drives, at all, while as far as I understand all the software linked above seems to be focused on them and not on other devices. So, I personally need to verify USB hubs, SSD enclosures, sound cards, ethernet adapters and similar devices - not something fancy or complex. I have a few raspberry pis and would rather use one of them for testing, instead of a separate Windows machine. What would be your recommendation in this particular scenario?
     
  9. hmscott

    I already gave the recommendations, it's the same for USB Flash drives and USB HDD's and USB SSD's, etc.

    As far as the other USB devices, that's why I suggested a USB expansion card instead of plugging them in the motherboard. That way if there is an electrical problem - or electronic kill payload (battery or USB power short) on the device it will destroy the expansion card USB port, instead of the one on the motherboard.

    If the other non-storage USB devices have a physically hidden storage device piggybacked onto the USB device to deliver malware, that storage will also be treated the same and will be blocked from loading the malware by the USB security software.

    If you plug in a non-storage USB device and a storage device shows up on the USB Security Software, then you've found a baddie and can then disassemble it and remove the piggybacked storage device, although for the most part - they are cheap enough that you could just destroy it and be done with it.

    You don't *need* to use a Raspberry Pi device to host a Linux / USB software solution, it's just a simple inexpensive example used to show how you can dedicate an inexpensive device to the task instead of using a whole full PC.

    Using the CIRCLean tool + a new inexpensive Raspberry Pi device kit, you could set up Linux + CIRCLean as a dedicated device - maybe buy a minimal kit to put it all together easily. Or, use an old PC running Windows + USB Security software + USB expansion slot card, either way works.

    If you find anything else interesting in this realm, please let us know.
     
    Last edited: Apr 26, 2018
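For Starlight5's case above (hubs, sound cards and enclosures checked on a Raspberry Pi) and hmscott's point that a storage device appearing behind a non-storage peripheral is a red flag, here is an added example, not code from anyone in the thread: it reads each USB device's interface classes from Linux sysfs and flags any class you did not expect for that product, such as mass storage or a HID keyboard on a sound card. The sample devices and the expected-class table are constructed for the demonstration.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Set

# USB interface class codes (USB-IF class code table).
CLASS_NAMES = {0x01: "audio", 0x02: "cdc-control", 0x03: "hid", 0x07: "printer",
               0x08: "mass-storage", 0x09: "hub", 0x0a: "cdc-data", 0x0e: "video",
               0xe0: "wireless", 0xff: "vendor-specific"}
# Classes that can act on the host; these get an explicit note when unexpected.
RISKY = {0x03: "can inject keystrokes or mouse input", 0x08: "exposes a storage volume"}

@dataclass
class UsbDevice:
    path: str
    product: str
    interface_classes: List[int] = field(default_factory=list)

def _read(path: str) -> str:
    with open(path) as fh:
        return fh.read().strip()

def read_sysfs(root: str = "/sys/bus/usb/devices") -> List[UsbDevice]:
    """Enumerate devices and their interface classes from Linux sysfs
    (works on a Raspberry Pi); returns [] where sysfs is absent."""
    if not os.path.isdir(root):
        return []
    devices: Dict[str, UsbDevice] = {}
    names = sorted(os.listdir(root))
    for name in names:                      # device entries first, e.g. 1-3 or 1-3.2
        if ":" not in name and os.path.isfile(os.path.join(root, name, "idVendor")):
            product_file = os.path.join(root, name, "product")
            product = _read(product_file) if os.path.isfile(product_file) else ""
            devices[name] = UsbDevice(os.path.join(root, name), product)
    for name in names:                      # then interface entries, e.g. 1-3:1.0
        dev = name.split(":")[0]
        cls_file = os.path.join(root, name, "bInterfaceClass")
        if ":" in name and dev in devices and os.path.isfile(cls_file):
            devices[dev].interface_classes.append(int(_read(cls_file), 16))
    return list(devices.values())

def audit(devices: List[UsbDevice], expected: Dict[str, Set[int]]) -> List[str]:
    """Flag every interface class a device presents that you did not expect.
    `expected` maps a product string (or "*" as the default) to the class
    codes that device should have; a plain hub, for example, only shows 0x09."""
    findings: List[str] = []
    for dev in devices:
        allowed = expected.get(dev.product, expected.get("*", set()))
        for cls in dev.interface_classes:
            if cls not in allowed:
                findings.append(f"{dev.path} ({dev.product or 'unnamed'}): "
                                f"{CLASS_NAMES.get(cls, hex(cls))} interface "
                                f"{RISKY.get(cls, 'is not expected here')}")
    return findings

# Constructed sample (not captured data): two clean devices and a "sound card"
# that also enumerates a keyboard and a storage volume.
SAMPLE = [
    UsbDevice("/sys/bus/usb/devices/1-2", "USB Audio", [0x01, 0x01]),
    UsbDevice("/sys/bus/usb/devices/1-3", "USB2.0 Hub", [0x09]),
    UsbDevice("/sys/bus/usb/devices/1-4", "USB Audio", [0x01, 0x03, 0x08]),
]
# Many sound cards legitimately expose a HID interface for volume keys, so
# record what a known-good unit of each model shows and put that here.
EXPECTED = {"USB Audio": {0x01}, "USB2.0 Hub": {0x09}}

if __name__ == "__main__":
    for line in audit(read_sysfs() or SAMPLE, EXPECTED):
        print(line)
```

One snapshot is not proof of a clean device, since reprogrammed firmware can enumerate differently after it has been attached for a while or on a later plug-in, so repeat the check rather than trusting the first run.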
  10. hmscott

    Last edited: Apr 26, 2018
