USB Trojan Hides In Portable Applications, Targets Air-Gapped Systems
Reader itwbennett writes: A Trojan program, dubbed USB Thief by researchers at security firm ESET, infects USB drives that contain portable installations of popular applications such as Firefox, NotePad++, or TrueCrypt, and it also seems to be designed to steal information from so-called air-gapped computers. "In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called 'WinAudit'," the ESET researchers said. The stolen data was saved back to the USB drive and was encrypted using elliptic curve cryptography. Once the USB drive was removed, there was no evidence left on the computer, the ESET researchers added.
Air gapped (Score:1)
Re: (Score:2)
So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?
Looks like they've re-invented "sneakernet".
Seriously. If security is that important that you air-gap a system, why aren't you locking down the USB ports?
Re: (Score:2)
> So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?
> Looks like they've re-invented "sneakernet".
> Seriously. If security is that important that you air-gap a system, why aren't you locking down the USB ports?
Developing a super secure, file-based Intranet?
IPoAC (Score:1)
Re: (Score:2)
How else can you load and install third-party applications? Maybe you are an animation artist trying to do that ultimate animation for your demo reel. Then you need to install applications like 3DMax, Photoshop, ZBrush, Softimage. Sometimes manuals or tutorials only come in HTML format. So you need a web browser to read them.
Re:Air gapped (Score:5, Informative)
Not if you really do not want that key to be leaked.
USB drives are too easily compromised.
Use a CD drive instead. Yes, you CAN still buy them. And verify the CD on a different computer.
Re: (Score:2)
I wonder why so many don't do it like in ye olden days, when a floppy disk was first malware-scanned by people who cared before a program was run or data loaded from it.
Of course, that only protects against "known threats to the scanner", but that's one step better than blind trust.
Re:Air gapped (Score:5, Interesting)
Yes I have been in such facilities and even got to see one of my co-workers lose his new iPhone to the shredder because he didn't heed the warnings.
Re: (Score:2)
a CD or DVD that you then go and bring with you into your secure server room to load onto the servers. The disk then lives in that room until it gets fed to a shredder.
This assumes that you have air gapped the servers in that server room. Otherwise someone will just skip the steps needed to infect the CD/DVD iso and attack the servers directly. So now the question is: What good is a server room full of servers that can't talk to anything beyond the walls? Some applications do exist for such architecture deep within the CIA/NSA/DoD/etc. But they are not much use to anyone who needs I/O beyond physical printouts, people working inside the perimeter or to control dedicated h
Re: (Score:2)
Re: (Score:2)
Stuxnet.
If you want to attack an air-gapped system, it's still possible. Defense in depth helps, but then it works well for connected systems as well. The one thing that an air gap does is to slow down (or effectively stop) probing systems by external hostile actors.
Re: (Score:3)
" see one of my co-workers lose his new iPhone to the shredder"
Bwahahahahaha awesome!
We have systems that are not air gapped (as I can remotely access them) but are not connected to the network either. We use an IP KVM solution to connect keyboard, mouse, and monitor remotely. Much more secure against this kind of attack. Of course, a bad guy at the terminal, or one prepared for such a setup, can script keyboard commands and series of screenshots, but the barrier is much higher than with directly connected systems.
Defense in dept
Re: (Score:2)
Slow I/O. OK for producing 'golden master' application CD/DVDs. But I wouldn't even carry a USB drive back and forth to that air gapped machine unless I really trusted its manufacturer. Anyone remember SanDisk U3 flash drives [wikipedia.org]? Ever wonder what the hell that s/w might be doing on your system when you plugged it in? Ever try to remove it from a USB stick?
There are methods of key signing that can effectively secure a private key from inspection even on a networked and compromised O/S system. Think USB connect
Re: (Score:2)
> So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?
http://portableapps.com/ [portableapps.com] was my first thought. It's a very impressive collection of portable software. Firefox/Mozilla isn't listed in my setup; SeaMonkey and Opera are.
My folder is just under 6 gigs, the software meant to be on a USB device or at least right at home there.
This piece of malware might hit portableapps rather hard, just for being what it is.
Re: (Score:2)
The real question is why those systems weren't configured to refuse to run unsigned apps and/or apps signed with a different key than the last time you ran them. This sort of attack should be almost impossible on any modern desktop OS.
Re: (Score:2)
What does installation have to do with code signing? Windows generally pops up a scare dialog if you try to run an unsigned app. And if the admin configures the machine properly, as you should for an airgapped machine, it won't let you run an unsigned app at all. So this sort of attack just shouldn't be possible on current versions of Windows or OS X if the admins configured the systems properly.
Or are you saying that you reboot the machine from a separate OS installed on the USB drive? In which case,
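The signer-pinning check suggested in the two comments above, written out as an added PowerShell example (not code from the thread or from ESET): it records the Authenticode signer of every executable on a removable drive and, on later runs, flags binaries that are unsigned, new, or signed by a different key than last time. The drive letter E:\ and the baseline file path are assumptions.

```powershell
# Added example: pin Authenticode signers of binaries on a removable drive.
# Assumptions: drive mounted at E:\; baseline kept on the host, not on the
# drive, so the drive's own contents cannot rewrite it.
param(
    [string]$DriveRoot = 'E:\',
    [string]$Baseline  = "$env:ProgramData\UsbSignerBaseline.json"
)

function Get-SignerMap {
    param([string]$Root)
    $map = @{}
    Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $thumb = ''
            if ($sig.SignerCertificate) { $thumb = $sig.SignerCertificate.Thumbprint }
            # Key by drive-relative path so the map survives a drive-letter change.
            $rel = $_.FullName.Substring($Root.Length)
            $map[$rel] = @{
                Status     = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
                Thumbprint = $thumb
            }
        }
    return $map
}

$current = Get-SignerMap -Root $DriveRoot

if (-not (Test-Path $Baseline)) {
    # First run: record what is on the drive; review this list before trusting it.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $Baseline
    Write-Output "Baseline recorded for $($current.Count) binaries at $Baseline"
    return
}

$known  = Get-Content $Baseline -Raw | ConvertFrom-Json
$alerts = @()
foreach ($rel in $current.Keys) {
    $cur = $current[$rel]
    if ($cur.Status -ne 'Valid') {
        $alerts += "UNSIGNED/INVALID: $rel ($($cur.Status))"; continue
    }
    $old = $known.$rel
    if ($null -eq $old) { $alerts += "NEW BINARY: $rel (signer $($cur.Thumbprint))"; continue }
    if ($old.Thumbprint -ne $cur.Thumbprint) {
        $alerts += "SIGNER CHANGED: $rel was $($old.Thumbprint), now $($cur.Thumbprint)"
    }
}
if ($alerts) { $alerts | Write-Warning } else { Write-Output 'All binaries match their pinned signers.' }
```

A binary that was signed by one publisher at baseline time and later appears unsigned, or signed by another certificate, is exactly the case the comments describe; the script reports it rather than blocking it, so it complements rather than replaces an application-whitelisting policy.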
Re: (Score:2)
My work air gaps the government-owned computers from the university-owned ones. Different networks, same building, often same room. We have approved, encrypted drives to transfer files. USB ports ARE locked down, but that doesn't mean no USB devices are allowed.
Re: (Score:2)
>So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?
>Looks like they've re-invented "sneakernet".
>Seriously. If security is that important that you air-gap a system, why aren't you locking down the USB ports?
You confuse security with idiocy. Just because there is a secure system, doesn't mean that an idiot can't screw it up!
Re: (Score:2)
You still need a way to transfer files on air-gapped systems or they aren't really useful. Writable CDs are much more difficult to use for normal users than thumb drives, so the USB ports are left open. Besides, malware can still get in on the CD, just like it can on the thumb drive.
There are already well known groups of malware that target air-gapped systems and try to communicate with networked computers by using microphones and speakers (and probably other techniques as well such as cameras and monitors) in
Re: (Score:1)
> You still need a way to transfer files on air-gapped systems or they aren't really useful. Writable CDs are much more difficult to use for normal users than thumb drives..
Oh yes, the poor diddums, they can't just drag'n'drop, they have to think a bit... seriously, I'd never let anyone this incapable anywhere near a system so critical it requires air-gapping.
> Besides, malware can still get in on the CD, just like it can on the thumb drive.
Sure, but a burn-once read-once-then-shred CD containing just $name_of_data_file is a lot less likely to contain malware than a USB stick containing all sorts of stuff as well as $name_of_data_file. And I'm not even going into the possibilities of the existence of embedded-in-the-hardware malware on USB sticks.
> There are already well known groups of malware that target air-gapped systems and try to communicate with networked computers by using microphones and speakers (and probably other techniques as well such as cameras and monitors) in frequencies humans can't hear but the electronics of the speakers and microphones can.
Firstly, most
Re: (Score:2)
You can create isolated airgapped networks with their own set of web browsers and all that as well, you know.
These networks are often on the classified side of things and there is no connection to the Internet or other network. Properly set up SCADA systems are supposed to be on airgapped networks, for example. But there's often documentation and other things that end up as HTML and you need a browser to view it, and it can be
I lost my USB drive. I wrote a program that autom (Score:2, Funny)
I lost my USB drive. I wrote a program that automatically backs up my computer when I plug it in (of course encrypted). I guess they found it.
Re: (Score:2)
Re:Linux? BSD? (Score:5, Funny)
That depends, do Linux and BSD finally support USB drives?
Re: (Score:2)
OK, that was funny
Re: (Score:2)
Re: (Score:2, Funny)
Ah yes, I remember attempting to set up wifi on both RedHat and OSX (BSD based...)... both were over-zealous in supporting air-gap-based security
Re: (Score:2)
TBH I have been a Linux user far too long to not belly laugh at this.
I have had several machines that were quite effectively "air gapped" by default installs that didn't support the latest whiz-bang onboard network out of the box. Nothing quite like the realization that you need to upgrade your kernel to use the network in order to upgrade your kernel.
In fairness though, I have had it happen on Windows installs as well.
Re: (Score:2)
My favorite, with Windows, is when you get the system fully installed with all its crap OEM junk, try to rebuild it with a clean install, only to find out nothing in the whole system works without downloading some special snowflake driver.
Hell, my recent build and Windows install was almost good.... ASRock had on-board utilities to make a USB stick with drivers.
Snag? Oh yeah, the drivers they distribute trojan your machine with adware....right out of the box on a fresh build, the fucking motherboard drivers in
Re: (Score:2)
But does it work in Linux?
systemd unit files.
Re: (Score:2)
Wasn't HKCU just one part of the "whole windows registry"? In win98 it was, anyway.
Gushing? (Score:2)
Oh well.. what sounds like free-form obfuscation improvisation to me turns out to be, once more, the state of the art in today's heists.
Re:Gushing? (Score:4, Funny)
State of the art? How is this any different than the viruses that were passed around 30 years ago on C64 floppies?
USB drives are large enough to contain Java and Python programs, so that recent college graduates can finally write viruses again. C64 floppies are not large enough.
Re: (Score:2)
> State of the art? How is this any different than the viruses that were passed around 30 years ago on C64 floppies?
It can't be analyzed, or only with great difficulty, and that's where vx (dot) netlux (dot) org came in handy.
The site is back, but hard to catch when it's up. It's a malware database, where malware is sent or downloaded just for that purpose. I'd like to see what's said there about this piece of malware.
Confused (Score:2, Interesting)
How does the trojan get installed on the USB stick in the first place? Either you are using USB drives provided by a stranger (who does that?) or someone has stolen your drive, installed their software, and replaced it without your knowledge. Plausible, but not a great way to propagate this to more than a few specific people.
Re:Confused (Score:4, Insightful)
Even more importantly, what's the point? How does the 'attacker' get their USB stick back with the stolen data?
This feels more like an 'inside job' type trojan, where a person can stick it into a PC they're already trusted to use, and suck everything of value off it to review later. I mean, the way it's difficult to copy and stuff makes it suspiciously not very trojan-like. Trojans/malware like to spread easily.
Encrypting the slurped data just feels like plausible deniability for the attacker if the USB were confiscated and inspected.
Re: (Score:2)
A deep-penetration agent gets to a secure, work-only USB device to install new code and later gets the returned data from a secure area. Sneakernet it out even with no or low site clearance.
Flood all staff members with the code to infect their less secure home and work computers and hope one
I had my info stolen (Score:4, Funny)
Re: (Score:2)
Re: (Score:2)
Let's assume for a moment you've hijacked a USB dongle, you've gotten a ride onto an airgapped computer... now what?
Are you going to write a visual basic GUI to trace all the IPs simultaneously or something?
So you've taken over a standalone PC. Huzzah. You've haxxored the boxen.
What are you doing with the data you've stolen?
Did you realize that you now have to snag another ride back OFF the machine via another USB stick, ride someplace else, infect THAT machine, and hope it isn't airgapped too, in order to get out again?
Depends what that hacked computer does and what your objectives are.
A couple examples:
You don't need to get data off the system for your malware to do harm.
Re: (Score:2)
> Let's assume for a moment you've hijacked a USB dongle, you've gotten a ride onto an airgapped computer... now what?
> Are you going to write a visual basic GUI to trace all the IPs simultaneously or something?
> So you've taken over a standalone PC. Huzzah. You've haxxored the boxen.
> What are you doing with the data you've stolen?
> Did you realize that you now have to snag another ride back OFF the machine via another USB stick, ride someplace else, infect THAT machine, and hope it isn't airgapped too, in order to get out again?
It sounds beatable just by write-protecting the USB device if TFA is correct, so not 100% but very capable.
Taking a leap, I see it as a specialized piece of software looking for something in particular, going by images and the broad term 'documentation'.
To download images from almost anybody's system would put a dent in the capacity of the USB device (even if just from a browser's cache). It doesn't sound like it would be that obvious, and was more selective about what it took.
Or I'm giving this malware just way too