Security

Criminals Distribute Infected USB Sticks In Parking Lot

New submitter sabri writes "The Dutch news-site Elsevier is reporting that cybercriminals attempted to steal data from a multinational chemicals company by 'losing' spyware-infected USB sticks on the company's parking lot. Their attempt failed as one of the employees who found the stick dropped it off at the company's IT department, who then found the spyware and issued a warning. So next time, don't expect to find someone's dirty pictures on a USB stick you just found..."
This discussion has been archived. No new comments can be posted.

  • Re:Expensive (Score:4, Informative)

    by Anonymous Coward on Monday July 09, 2012 @08:32PM (#40598119)

    This will usually bypass all the internet-based filtering and security systems.

  • Re:Expensive (Score:5, Informative)

    by leftbrainstrain ( 1641105 ) on Monday July 09, 2012 @08:49PM (#40598263)
    I haven't heard of this technique actually being used in the wild, but it's enough of a threat to be included in the standard security training everyone has to take for at least a few Fortune 500 companies -- it's why some companies (and the U.S. military, I think) may disable USB ports. Trying to get at potential targets through standard attack vectors may not be effective, so if you have a financial backer this may present a promising attack vector that greedy targets may enable. The book "Security Engineering" cites this web site (had to find via archive.org) where a consulting company found out people inserted the USB sticks under slightly different circumstances: http://web.archive.org/web/20090621014856/http://www.vnunet.com/computing/news/2173365/uk-firms-naive-usb-stick [archive.org]
  • by ArchieBunker ( 132337 ) on Monday July 09, 2012 @08:54PM (#40598293)

    Actually auto run is no longer turned on by default in Windows. XP had an update that disabled it.

  • by hawguy ( 1600213 ) on Monday July 09, 2012 @08:54PM (#40598297)

    what if it had been raining?

    The flash drives would have been wet, yet fully functional after they dried?

    I've washed more than one flash drive and they still worked - I'm using one now that was washed over a year ago. I ran one through the dryer once, and after I broke off the melted and misshapen plastic, I plugged it in and it worked.

  • by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Monday July 09, 2012 @09:07PM (#40598349) Journal
    After executing 'dd', you still need to run mkfs on the device that holds the filesystem, or else all you have is a blanked drive. Don't forget to use "-t vfat" as an option to mkfs, or else you won't be able to use it anywhere but in Linux.
  • by k(wi)r(kipedia) ( 2648849 ) on Monday July 09, 2012 @09:09PM (#40598363)

    Not if the drive has firmware that detects if it's plugged into a Windows host.

    Interesting. But can Linux detect the presence of the firmware, which presumably has to send some sort of message down the USB bus? My closest experience to this is with a combo USB 3G modem and flash drive.

    To handle such devices under Linux, there's a program called USB modeswitch. From the package description:

    Mode switching tool for controlling "flip flop" USB devices

    Several new USB devices have their proprietary Windows drivers onboard, especially WAN dongles. When plugged in for the first time, they act like a flash storage and start installing the driver from there. If the driver is already installed, the storage device vanishes and a new device, such as an USB modem, shows up. This is called the "ZeroCD" feature.

    On Debian, this is not needed, since the driver is included as a Linux kernel module, such as "usbserial". However, the device still shows up as "usb-storage" by default. usb-modeswitch solves that issue by sending the command which actually performs the switching of the device from "usb-storage" to "usbserial".

  • by mlts ( 1038732 ) * on Monday July 09, 2012 @09:15PM (#40598391)

    USB sticks can present themselves to the computer as more than just removable hard disks. I've seen some that will act as keyboards and when plugged into Windows, will automatically try to type things in.

    If the USB device can present itself as the right item, it can potentially do more damage than "just" a drive or filesystem with malware on it.

  • Re:Expensive (Score:4, Informative)

    by Anonymous Coward on Monday July 09, 2012 @10:52PM (#40598867)

    Yes, but with Linux you could mount the filesystem noexec and the malware writer would have to figure out how to get it to execute in order to undo the restriction. Which is a substantially harder thing than figuring out how to get it to autorun. Any idiot that's running strange programs from found USB drives deserves whatever malware he gets.

  • Linux virus (Score:5, Informative)

    by DrYak ( 748999 ) on Monday July 09, 2012 @10:58PM (#40598903) Homepage

    If you think Linux has a magical immunity you might want to read how to write a Linux virus in 5 easy steps [geekzone.co.nz] which shows with just a little social engineering it's really not hard to target Linux just as the malware writers target Windows and OSX now.

    From the article you mention:

    A step that could be taken by the Gnome and KDE developers: Require launchers to have execute permissions. A saved attachment won't have those. Therefore, even though a syntactically correct and properly named launcher was dropped on the desktop a user can't just click on it and start it if the execute bit is not set.

    Done. Modern versions of KDE need launchers to have execute permission. That hole is patched.

    And nobody pretends that Linux has some magical immunity to viruses. As a Unix-like OS it just follows a few key principles:
    - don't blindly execute everything. Require executables to be explicitly marked as such (thus any shit downloaded from the web or from e-mail won't automatically be launchable).
    - don't run constantly as root. Thus the amount of harm that a program can do is limited to the access rights of a user. (While this still makes it possible to send spam, mine the data of the user, and modify the user profile, at least it prevents further deeper compromising of the running system).
    That doesn't magically solve all malware problems in the universe. But at least it makes the life of a malware writer a little bit more complicated. And the 5-step virus relies on a work-around of the first rule. Which has been since then corrected.

    Back then, these no-brainer principles were NOT followed by Windows XP, making it even easier to write worms spreading over e-mail. Thankfully, since then Vista has arrived and has brought UAC dialogs in these situations (now how much dialogs can help security problems when the users are used to "okay" click on everything, that remains to be seen).

    Or did you think android runs on Windows?

    Android is a completely different beast and instead of a Unix-like userland it uses its very own userland (a Java-like system).
    Though it too doesn't allow execution of arbitrary e-mail attachments. It's not impossible to write Android malware, even malware that finds a way to look legitimate to Android's capability system.

    But at least the scenario "Here are some pics of hot lesbian teens! Click on the attachment to view them!" doesn't work on modern OSes. Except Windows (and that's until WinXP; starting from Vista, you get a UAC dialog telling you that you run an executable from an untrusted source - now how many idiots will click on "okay" anyway is a different story).

  • Re:Linux virus (Score:2, Informative)

    by Anonymous Coward on Monday July 09, 2012 @11:32PM (#40599071)

    In case of a rogue USB stick, the virus wouldn't be downloaded. It would already be on a fs with execute bit set.

    I find it odd: the amount of mental gymnastics you go through to prove Linux to be better.

  • Re:Linux virus (Score:4, Informative)

    by ais523 ( 1172701 ) <ais523(524\)(525)x)@bham.ac.uk> on Tuesday July 10, 2012 @12:16AM (#40599259)
    Same with Gnome, btw; a launcher without execute permission will get opened in a text editor if you double-click on it.
  • Re:Expensive (Score:2, Informative)

    by Anonymous Coward on Tuesday July 10, 2012 @02:30AM (#40599773)

    Of course on a properly managed system, also on Windows, such a USB stick will do nothing.

  • Re:Linux virus (Score:4, Informative)

    by Compaqt ( 1758360 ) on Tuesday July 10, 2012 @03:31AM (#40599953) Homepage

    >mount -o noexec /dev/usb /media/usb_stick

    How many people are going to do that?

    Most any distribution will automount anything you plug in. You never get the chance to run your mount command.

    You're talking about what you would do. Everybody else is talking about what the average person would do.

    By the way, what are you running--a server distro?

    Even if we limit ourselves to a Linux shop (say one of the ones which have been covered by Slashdot, Munich city government or whatever), the average user does not have USB autodetection turned off. How else do their USB keyboards work?

  • by dutchwhizzman ( 817898 ) on Tuesday July 10, 2012 @04:01AM (#40600063)
    No, it's investigation. It's not just one stick, there were multiple sticks with the exact same contents on the parking lot at the same time. Yes, that sounds as clumsy as it is.
  • Re:Linux virus (Score:5, Informative)

    by ozmanjusri ( 601766 ) <aussie_bob@hotmail . c om> on Tuesday July 10, 2012 @04:05AM (#40600073) Journal

    How many people are going to do that?

    Everybody *

    Desktop distributions use pmount for USB hotplugging. From the man page:

    OPTIONS
    ...

      -e, --exec
          Mount the device with the exec option. Default is noexec.

    http://www.linuxcertif.com/man/1/pmount/ [linuxcertif.com]

    By the way, what are you running--a server distro?

    Most server distros don't automount (no desktop). You can get them to automount USB drives to a specified location (ie, for a media server) but need to install and enable the automount package and configure it, much like colinrichardday's suggestion.

    * Rounded up for clarity.

  • Re:Expensive (Score:4, Informative)

    by TheRaven64 ( 641858 ) on Tuesday July 10, 2012 @07:04AM (#40600649) Journal
    noexec only disables things that the kernel runs directly. It doesn't disable scripts if you invoke them via the correct command interpreter and it certainly doesn't protect you against, for example, a libpng or libjpeg exploit and a malicious image.
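
The thread turns on whether removable media actually gets mounted with noexec. The following audit is an added example, not part of any comment above: it reads text in /proc/mounts format and reports removable-media mounts that lack noexec, nosuid or nodev. The mount-point prefixes checked and the sample table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag removable-media mounts that are
# missing hardening options. Input format is that of /proc/mounts:
#   device mountpoint fstype options dump pass

# Constructed sample mount table; device names and paths are illustrative.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/alice/FOUND vfat rw,nosuid,nodev,relatime,uid=1000 0 0
/dev/sdc1 /media/usb_stick vfat rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdd1 /mnt/stick vfat rw,relatime 0 0
EOF
}

# audit_mounts FILE
# Prints "<mountpoint> missing:<opt,...>" for every mount under /media,
# /run/media or /mnt (assumed removable-media locations) that lacks one of
# noexec, nosuid, nodev. Prints nothing for compliant mounts.
audit_mounts() {
    while read -r dev mnt fstype opts _rest; do
        case "$mnt" in
            /media/*|/run/media/*|/mnt/*) ;;
            *) continue ;;
        esac
        missing=""
        for want in noexec nosuid nodev; do
            # Wrap in commas so "exec" never matches inside "noexec".
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="${missing:+$missing,}$want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$mnt" "$missing"
        fi
    done < "$1"
    return 0
}

# Demo on the constructed table; pass /proc/mounts instead on a live host.
demo_file=$(mktemp)
sample_mounts > "$demo_file"
audit_mounts "$demo_file"
rm -f "$demo_file"
```

A clean report only shows the mount flag is set; as the last comment says, noexec does not cover scripts handed to an interpreter or a malicious file opened by a vulnerable library.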
