[...] In a blog post providing more insight into the talk, Nohl and Lell reveal that the root trigger for their USB exploitation technique is abusing and reprogramming the USB controller chips, which are used to define the device type. USB is widely used for all manner of computer peripherals as well as in storage devices. The researchers alleged that the USB controller chips in most common flash drives have no protection against reprogramming.
"Once reprogrammed, benign devices can turn malicious in many ways," the researchers stated.
Some examples they provide include having an arbitrary USB device pretend to be a keyboard and then issue commands with the same privileges as the logged-in user. The researchers contend that detecting the malicious USB is hard and that malware scanners similarly won't detect the issue.
I'm not surprised, and no one else should be, either. After all, this isn't the first time researchers at a Black Hat USA security conference demonstrated how USB can be used to exploit users.
Last year, at the Black Hat USA 2013 event, security researchers demonstrated the MACTANS attack against iOS devices. With MACTANS, an Apple iOS user simply plugs in a USB plug in order to infect Apple devices. Apple has since patched that flaw.
In the MACTANS case, USB was simply used as the transport cable for the malware, but the point is the same. Anything you plug into a device, whether it's a USB charger, keyboard or thumb drive has the potential to do something malicious. A USB thumb drive is widely speculated to be the way that the Stuxnet virus attacked Iran's nuclear centrifuges back in 2010. The U.S. National Security Agency (NSA) allegedly has similar USB exploitation capabilities in its catalog of exploits, leaked by whistleblower Edward Snowden.
While the Security Research Labs researchers claim there are few defenses, the truth is somewhat different.
A reprogrammed USB device can have certain privileges that give it access to do things it should not be able to do, but the bottom line is about trust. On a typical Windows system, USB devices are driven by drivers that are more often than not signed by software vendors. If a warning pops up on a user's screen to install a driver, or that an unsigned driver is present, that should be a cause for concern.
As a matter of best practice, don't plug unknown USB devices into your computing equipment. It's just common sense, much like users should not open attachments that look suspicious or click on unknown links. The BadUSB research at this year's Black Hat USA conference is not as much a wake-up call for USB security as it is a reminder of risks that have been known for years.
A compilation of information and links regarding assorted subjects: politics, religion, science, computers, health, movies, music... essentially whatever I'm reading about, working on or experiencing in life.
Showing posts with label malware.
Saturday, August 23, 2014
USB Devices and Malware Attacks
New Flaws in USB Devices Let Attackers Install Malware: Black Hat
Sunday, March 09, 2014
Thieves who offer Customer Support to victims? It's called "Ransomware"
Just when you thought you'd seen it all:
'Perfect' ransomware is the scariest threat to your PC
Nothing spurs malware development like success, and that’s likely to be the case in the coming months with ransomware.
Welcome to the Brave New World. The original article has embedded links, and more details about the evolution of this software, the way it spreads, and its potential future applications.
Ransomware has been around for around a decade, but it wasn’t until last fall, with the introduction of CryptoLocker, that the malevolent potential of the bad app category was realized. In the last four months of 2013 alone, the malicious software raked in some $5 million, according to Dell SecureWorks. Previously, it took ransomware purveyors an entire year to haul in that kind of money.
So is it any wonder that the latest iteration of this form of digital extortion has attracted the attention of cyber criminals? A compromised personal computer for a botnet or Distributed Denial of Service attack is worth about a buck to a byte bandit, explained Johannes B. Ullrich, chief research officer at the SANS Institute. “With ransomware, the attacker can easily make $100 and more,” he said.
What distinguishes CryptoLocker from past ransomware efforts is its use of strong encryption. Document and image files on machines infected with the Trojan are scrambled using AES 256-bit encryption, and the only way for a keyboard jockey to regain use of the files is to pay a ransom for a digital key to decrypt the data.
[...]
Honor among thieves
The CryptoLocker crew also know the value of maintaining good customer relations. “They’re honoring people who do pay the ransom,” said Jarvis, of SecureWorks.
“In most cases they’re sending the decryption keys back to the computer once they receive payment successfully,” he explained. “We don’t know what the percentage of people who successfully do that is, but we know it’s part of their business model not to lie to people and not do it.”
Moreover, in November, they began offering support to victims who, for whatever reason, fail to meet the hijackers’ ransom deadlines. By submitting a portion of an encrypted file to the bad actors at a black website and paying the ransom, a victim can receive a key to decrypt their files. “You have to reinfect yourself with the malware but once you do that, you can get a successful decryption,” Jarvis explained.
[...]
Ransomware Inc.
"It is inevitable that we will see a cryptographic ransomware toolkit,” he added, “maybe even multiple toolkits because it’s clear that there’s a business opportunity here for criminals.”
Moreover, that opportunity is likely to reach beyond the consumer realm and into the greener pastures of business. “Going after consumers is small fish,” said Bruen, of the Digital Citizens Alliance. “The next step is to conduct ransom operations on major companies. This has already happened,” he said.
“From an attacker’s perspective, there’s definitely a higher risk in getting caught because companies are going to throw more money at the problem than an ordinary consumer can,” he continued, “but the payoff from one of these companies—a Target or a Nieman Marcus—will be much larger.”
Current ransomware attacks involve encrypting select file types on a hard drive, but a business attack will likely choose a higher value target. “Cryptographic keys and digital certificates are ripe for ransom,” Venafi’s Bocek said.
"Whether it’s taking out the key and certificate that secures all communications for a bank or the SSH keys that connect to cloud services for an online retailer, keys and certificates are a very attractive target,” he observed. [...]
I've already come across a lesser "scareware" version of Ransomware that was mentioned in the article. It locked up one of my Linux computers, and wanted payment to unlock it, so this isn't just a Microsoft thing. I was able to get rid of it by uninstalling my browser, clearing the cache, and reinstalling Firefox. But what they are talking about in this article is much more advanced.
Scary stuff.
Labels: Brave New World, computers, crime, malware, software, technology
Saturday, September 01, 2012
When Spyware Literally Kills
Or at least, gets you killed:
Google engineer finds British spyware on PCs and smartphones
FinSpy turning up in dictatorships across the world
Two security researchers have found new evidence that legitimate spyware sold by British firm Gamma International appears to be being used by some of the most repressive regimes in the world.
One of the negative aspects of the new technology of our Brave New World is how some people will choose to use it. Death by Smartphone.
Google security engineer Morgan Marquis-Boire and Berkeley student Bill Marczak were investigating spyware found in email attachments to several Bahraini activists. In their analysis they identified the spyware infecting not only PCs but a broad range of smartphones, including iOS, Android, RIM, Symbian, and Windows Phone 7 handsets.
The spying software has the capability to monitor and report back on calls and GPS positions from mobile phones, as well as recording Skype sessions on a PC, logging keystrokes, and controlling any cameras and microphones that are installed.
They report the code appears to be FinSpy, a commercial spyware sold to countries for police criminal investigations. FinSpy was developed by the German conglomerate Gamma Group and sold via the UK subsidiary Gamma International. In a statement to Bloomberg, managing director Martin Muench denied the company had any involvement.
"As you know we don't normally discuss our clients but given this unique situation it's only fair to say that Gamma has never sold their products to Bahrain," he said. "It is unlikely that it was an installed system used by one of our clients but rather that a copy of an old FinSpy demo version was made during a presentation and that this copy was modified and then used elsewhere."
Parallel research by computer investigators at Rapid7 found command and control software servers for the FinSpy code running in Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia, and the United Arab Emirates, with another server in the US running on Amazon's EC2 cloud systems. Less than 24 hours after the research was published, the team noted that several of these servers were shut down.
Gamma and FinSpy gained notoriety last year when documents apparently from the company were found in the Egyptian security service headquarters when it was ransacked by protestors after the fall of Hosni Mubarak. These appear to be a proposal that the Egyptian government buy a five-month license for the software for €287,000. Again Gamma denied involvement.
But Marquis-Boire and Marczak told The New York Times that they appear to have found a link to Gamma in these latest code samples. [...]
Friday, March 27, 2009
Firefox 3 security alert, patch needed
A security glitch has been found that apparently threatens every Firefox 3 user, regardless of platform. I learned about it here:
Firefox Looking To Lose The Flab - And The Flaw
Memory leaks and code exploits are a fact of life for both browser developers and their users — regardless of the specific browser in question. For the developers at Mozilla, both issues have been on their minds this week, as browser bugs of both sorts have been all over the news.
[...]
Security researchers published code on Wednesday that reportedly would allow an attacker to load unauthorized software on a target's computer simply by having the target view a specially-coded XML file. According to reports, Mozilla developers were blindsided by the bug and immediately raced to find a patch, a task they'd completed by this morning, adding it to next-week's Firefox 3.0.8 release. Because of the exploit, that release is now considered a "high-priority fire-drill security update" for all users.
Yikes. More about it here:
Firefox fix due next week after attack is published
[...] Mozilla Corp. developers have already worked out a fix for the vulnerability. It's slated to ship in the upcoming 3.0.8 release of the browser, which developers are now characterizing as a "high-priority fire-drill security update," thanks to the attack code. That update is expected sometime early next week.
"We ... consider this a critical issue," said Lucas Adamski, director of security engineering at Mozilla, in an e-mail.
The bug affects Firefox on all operating systems, including Mac OS and Linux, according to Mozilla developer notes on the issue.
By tricking a victim into viewing a maliciously coded XML file, an attacker could use this bug to install unauthorized software on a victim's system. This kind of Web-based malware, called a drive-by download, has become increasingly popular in recent years. [...]
If you are using Firefox 3, this would be an update to watch for.
Saturday, November 08, 2008
When is Adobe Flash not Adobe Flash?
When it's pretending to be an Adobe Flash Update, but really planting a Trojan:
Hackers leverage Obama win for massive malware campaign
November 5, 2008 (Computerworld) Hackers have seized on the results of the U.S. presidential election to launch a major malware campaign that tries to trick users into installing an update to Adobe Systems Inc.'s Flash, but actually plants a Trojan horse on unprotected PCs, security experts warned today.
The malware blitz stems from spam messages touting Sen. Barack Obama's victory last night, and offers up a link to what is supposedly a site sporting election results. When users click on the link, however, they're shunted to a fake site that demands the user install an update to Adobe's Flash Player before viewing a video.
Rather than a Flash update, what's actually downloaded is a Trojan horse that compromises the PC then floods the machine with more malware, said Dan Hubbard, vice president of security research at Websense Inc. "This is very coordinated," said Hubbard of the Obama-themed attacks, "with evidence that they planned this, then waited for the election results."
According to Hubbard, the hackers registered 15 to 20 domains yesterday to host the malware and fake site. All the domains are on so-called "fast flux" servers, Hubbard added, referring to the practice in which criminals rapidly switch domains between multiple IP addresses. Identity thieves often use the fast-flux tactic as a way to stay ahead of the law and prevent their servers from being shut down.
Hubbard called the attacks "the largest malicious e-mail campaign going," adding that Websense had tracked 100,000 individual copies of the scam message so far today. [...]
This isn't a partisan attack. The criminals doing this are using the Obama theme because at the moment Obama is a world-wide celebrity. Using people's interest in him like this gives them the biggest platform for these attacks.
While I'm not likely to be a victim by watching Obama videos, I still find it creepy. It seems like I'm often asked to update Adobe Flash, and I usually just hit the button without a second thought. Not anymore.