Security

Criminals Distribute Infected USB Sticks In Parking Lot

New submitter sabri writes "The Dutch news-site Elsevier is reporting that cybercriminals attempted to steal data from a multinational chemicals company by 'losing' spyware-infected USB sticks on the company's parking lot. Their attempt failed as one of the employees who found the stick dropped it off at the company's IT department, who then found the spyware and issued a warning. So next time, don't expect to find someone's dirty pictures on a USB stick you just found..."
  • by awollabe ( 464677 ) on Monday July 09, 2012 @08:40PM (#40598181)

    and laugh at the Windows auto-loader files they tried to get you with.

    Seriously, I found a "trick" USB stick in my work mailbox once, which turned out to be a test from our IT department that, if you loaded it (in Windows), would direct you to an obligatory computer security training program. After I called them about it, they let me keep it.

  • by toygeek ( 473120 ) on Monday July 09, 2012 @08:41PM (#40598199) Journal

    dd if=/dev/zero of=/dev/[usbdrive]

    voila, free thumb drive, malware free.

  • by Darth_brooks ( 180756 ) <clipper377@@@gmail...com> on Monday July 09, 2012 @08:55PM (#40598301) Homepage

    This technique is discussed in "Metasploit - The Penetration Tester's Guide" (http://shop.oreilly.com/product/9781593272883.do)

    Excellent book by the way. After reading it, you'll never look at computer security the same way again, and may very well just switch to an Abacus with a box of crayons on top.

  • by petermgreen ( 876956 ) <plugwash.p10link@net> on Monday July 09, 2012 @09:07PM (#40598359) Homepage

    There are a few factors

    1: the dominant operating system has blurred the line between running executables and opening data files. Then they went even further and introduced autorun to make users' lives easier. They have tried to put these genies back in the bottle but it's difficult to do without introducing a load of pain for users.
    2: Even if the OS doesn't have the above problem a USB stick could be put together that enumerated as a keyboard as well as a mass storage device, it could then do pretty much anything the user can do (though it has to do it blind).
    3: the natural assumption when finding a USB stick in the company parking lot is that a co-worker dropped it. Therefore the natural thing to do is to try and determine who owns it so it can be returned to its rightful owner. Determining who owns it generally requires looking at the contents.

  • Re:Expensive (Score:5, Interesting)

    by wierd_w ( 1375923 ) on Monday July 09, 2012 @09:13PM (#40598379)

    Personally, I'd target smartphones.

    If I were a malicious programmer out to get corporate dirt, I would release a "perfectly harmless" appstore game or business applet. This applet does not in any way harm the phone, or call home. What it does instead is drop some binaries on the root of the internal sdcard or flash memory storage device to mimic this attack.

    This has several advantages:

    1) you can update your penetration package as part of an app update, which the user won't catch.

    2) you can target a device frequently demanded to be added to device exception lists, such as corporate CEOs insisting their iBone be able to sync their corporate email.

    This gives you a mostly unprotected path to the mailserver if the package delivery mechanism is done right.

    In the case of Android phones at least, you can control how the device talks to the computer, and what HID classes it wants. This could let the phone operate as a hardware keylogger, etc.

    Seriously, smartphones are a torpedo.

  • by Anaerin ( 905998 ) on Monday July 09, 2012 @09:16PM (#40598397)
    Just because it looks like a memory stick, doesn't mean it actually is one. Put a microcontroller in there with a USBHID type program and you've got a keylogger, or some other remote access system just waiting to be triggered.
  • Re:Expensive (Score:5, Interesting)

    by GumphMaster ( 772693 ) on Monday July 09, 2012 @09:43PM (#40598563)

    In certain military environments I worked in the USB, Firewire, and microphone ports were immediately filled with epoxy and (where possible) disconnected from the motherboard.

  • Personal Story (Score:5, Interesting)

    by schklerg ( 1130369 ) on Monday July 09, 2012 @09:46PM (#40598579)
    So a coworker found a usb key in the parking lot and wisely didn't plug it in. Instead he asked me to check it out before he did. So dutifully I fired up my live CD, plugged it in and quickly saw it belonged to a coworker. But which one in a company of 300+? Well, that was actually pretty easy to figure out, since there was a nice folder with pictures of himself naked in a mirror. Many of them. All alone. So I gave the guy the USB key, told him what I'd seen, washed my hands (and disinfected my cubicle) and was sooooo glad when the photographer took a different job.
    So there may be a virus, or maybe just a lonely coworker.
  • by bill_mcgonigle ( 4333 ) * on Monday July 09, 2012 @09:52PM (#40598603) Homepage Journal

    If the USB device can present itself as the right item, it can potentially do more damage than "just" a drive or filesystem with malware on it.

    I forget the exact mode of attack, but some will nudge the mouse a pixel or two every minute or so to prevent the screensaver from kicking on, and then after some period of user inactivity will begin doing the nefarious bits. I suppose it's easy to kick off a cmd shell from that point and script the attack.

    I'd imagine the non-mouse/keyboard part of the "drive" is baited with good porn or addictive games to encourage its continued presence. Anyway, you can scan it all you want, the drive is clean.

  • Contest (Score:5, Interesting)

    by chrismcb ( 983081 ) on Monday July 09, 2012 @10:06PM (#40598677) Homepage
    Wouldn't it be more productive to give them away? As in brand them with the name of a product, and literally give them away at a place where the employees visit. I think someone would be much more likely to use a USB given to them at a "legitimate" event, than one found on the ground.
  • by Anonymous Coward on Monday July 09, 2012 @11:13PM (#40598993)

    We had a couple turn out in our parking lot that when plugged in showed up as a hub that was connected to a USB drive, CD drive and a keyboard. The last one was tricky. After being plugged in, it would install the devices one by one and try to run them; if that didn't work, it registered as a keyboard and tried to put the input of Windows key+r then iexplore websiteURL. That last one took me by surprise, as I'd never seen it before.

  • by dryeo ( 100693 ) on Monday July 09, 2012 @11:23PM (#40599045)

    The quadrillion bacteria happily living in your guts would disagree, and depending on the type of their population they'll even change your behaviour.
    http://www.sciencedaily.com/releases/2011/05/110517110315.htm

  • by Anonymous Coward on Monday July 09, 2012 @11:50PM (#40599149)

    The 'cyber criminals planted the usb sticks in an attempt to steal data'... stuff doesn't come from investigation, it comes from speculation. It could simply have been an infected USB stick an employee threw away or dropped.

    DSM is really a boring chemicals business, employing tens of thousands of people. The chances of spyware getting past anti virus software and onto the right person's computer are pretty damn slim.

    So it looks more like projection to me. There's a lot of talk about cybercriminals as part of the 'cyberwar' budget requests. This was a lost USB key infected. IT dept projects the cyberwar onto their company and assumes it was a cyberattack and not some piece of crapware. Cyberwar lobby grabs the story and pumps it up for their own agenda.

  • Re:Expensive (Score:5, Interesting)

    by Anonymous Coward on Tuesday July 10, 2012 @01:12AM (#40599503)

    dud example

    There are no examples, and the "5 easy steps" from the linked page haven't worked for years.

    One of the reasons Linux is more secure is that the community responds far more quickly to potential threats.

    Hairyfeet always gets to +5 with votes from the Apple/Windows crowd here, but he's never been able to show a single current instance of actual Linux malware in the wild. Much like the 235 patents, it's always threats from the future or the past.

  • by Anonymous Coward on Tuesday July 10, 2012 @04:09AM (#40600083)

    The USB device just needs to look for typical access patterns to determine what kind of system it's plugged into. It can look like a completely normal USB mass storage device to both systems, just with a different payload depending on the way it's accessed by the host.

    A USB thumb drive isn't limited to being a USB mass storage device either. It could pose as a keyboard and send key sequences to open a shell and send files to a server on the internet.

    This just goes to show that Linux isn't immune against user stupidity either. Where Windows users are ignorant, Linux users are smug, and that makes them just as vulnerable.
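Several comments above describe a "stick" that enumerates as a keyboard alongside mass storage, sometimes behind a built-in hub. As an added example (not from any commenter), this Python check groups Linux sysfs USB interfaces by the root-hub port they hang off and flags any plug that exposes both mass storage and HID; the sample records and function names are constructed for illustration.

```python
import os
from collections import defaultdict

HID, MASS_STORAGE, HUB = 0x03, 0x08, 0x09  # USB interface class codes

def read_sysfs(root="/sys/bus/usb/devices"):
    """Return [(interface_name, interface_class)] from Linux sysfs."""
    found = []
    if not os.path.isdir(root):
        return found
    for name in sorted(os.listdir(root)):
        if ":" not in name:      # "1-1.2" is a device, "1-1.2:1.0" an interface
            continue
        try:
            with open(os.path.join(root, name, "bInterfaceClass")) as f:
                found.append((name, int(f.read().strip(), 16)))
        except (OSError, ValueError):
            continue             # device unplugged or attribute unreadable
    return found

def plug_of(interface_name):
    """Map '3-1.2:1.0' to '3-1': the root-hub port the hardware hangs off."""
    return interface_name.split(":")[0].split(".")[0]

def storage_plus_hid(interfaces):
    """Flag each physical plug exposing both mass storage and HID.
    A real hub or dock carrying a drive and a keyboard is flagged too,
    so treat a hit as a prompt to look, not as a verdict."""
    by_plug = defaultdict(list)
    for name, cls in interfaces:
        by_plug[plug_of(name)].append((name, cls))
    flagged = {}
    for plug, ifaces in by_plug.items():
        classes = {cls for _, cls in ifaces}
        if HID in classes and MASS_STORAGE in classes:
            flagged[plug] = sorted(n for n, c in ifaces if c == HID)
    return flagged

# Constructed sample data (not captured from a real device)
SAMPLE = [
    ("1-1:1.0", MASS_STORAGE),    # ordinary thumb drive
    ("1-2:1.0", HID),             # ordinary keyboard on its own port
    ("2-1:1.0", MASS_STORAGE),    # composite "stick": storage interface...
    ("2-1:1.1", HID),             # ...plus a HID interface on the same device
    ("3-1:1.0", HUB),             # "stick" that enumerates as a hub...
    ("3-1.1:1.0", MASS_STORAGE),  # ...with a drive behind it
    ("3-1.2:1.0", HID),           # ...and a keyboard behind it
]

if __name__ == "__main__":
    for plug, hid in storage_plus_hid(read_sysfs() or SAMPLE).items():
        print(f"port {plug}: storage and HID on one plug -> {hid}")
```
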

  • by Hognoxious ( 631665 ) on Tuesday July 10, 2012 @04:10AM (#40600089) Homepage Journal

    Since ./ is a liberal cesspool

    The contents of your current working directory are of no interest to me.
