SanDisk SD-ROM User Manual Page 2

U3 USB Stick (In-)Security
Q2/2007 by Martin Suess, martin.suess@csnc.ch
Another way is to set up a web server locally
and redirect the request for u3.sandisk.com to
the local web server using the hosts file.
The autostart feature automatically runs the
application defined in the autorun.inf. This file
may be adapted to run malicious code.
The stick may be changed in a way that the
autorun starts the malicious code which then
starts the official launcher application stored on
the memory stick drive. This way it is hard for a
user to determine the difference between a
normal U3 stick and a modified one.
Since nearly no evidence is left on the machine,
it is hard to track such malware. A virus scanner
might detect known malware when the stick is
plugged in through on-access scans. The virus
scanner may also be started manually to search
the drives.
When a USB stick is plugged in,
Windows will, by default, ask which action to
execute. Such actions can be defined with an
additional autorun.inf on the USB stick:
[autorun]
icon=folder.ico
open=evil_hack.bat
action=Open folder to view files
shell\open\command=evil_hack.bat
What happens when you plug in a stick
prepared like this? Autorun starts the following
dialog:
Please notice that the Windows default entry to
view the folder content also appears further
down in the list. Clicking on the injected
command executes the batch file evil_hack.bat
in this example. The last line of the autorun.inf
file causes the evil_hack.bat to be executed
when a user double-clicks on the drive in the
drive overview (under "My Computer") and
even works when autostart is disabled:
This technique clearly relies on social
engineering but also works for normal, non-U3,
USB sticks.
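
A defender can check a removable drive for this pattern before anyone clicks on it. The following sketch is an added example, not code from the original article: it parses an autorun.inf and flags the keys used above. The function names, the finding labels and the lookalike wording heuristic are assumptions made for illustration.

```python
import re

# "open" is the key from the article's example; "shellexecute" is the
# related autorun.inf key that also launches a program.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# Assumption: wording that imitates Explorer's own "open folder" entry.
LURE = re.compile(r"open folder|view files", re.IGNORECASE)


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries


def audit_autorun(text):
    """Flag entries that launch a command or disguise the AutoPlay entry."""
    findings = []
    for key, value in parse_autorun(text):
        if key in EXEC_KEYS:
            findings.append(("autorun-command", key, value))
        elif SHELL_CMD.match(key):
            # Runs on double-click in "My Computer", even with autostart disabled.
            findings.append(("double-click-command", key, value))
        elif key == "action" and LURE.search(value):
            findings.append(("lookalike-action", key, value))
    return findings


# Constructed sample: the autorun.inf shown in the article.
SAMPLE = r"""[autorun]
icon=folder.ico
open=evil_hack.bat
action=Open folder to view files
shell\open\command=evil_hack.bat
"""

if __name__ == "__main__":
    for kind, key, value in audit_autorun(SAMPLE):
        print(f"{kind:22} {key} = {value}")
```
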
Small, Yet Powerful
With the possibilities of this new technology,
many scenarios come to mind. Let's take a
quick look at the options:
1. A memory stick which is prepared to gather
information on every machine it is plugged
into and executed on. The information is packed
and stored on the stick. The software could
steal passwords, confidential documents
and more. Nearly no evidence remains on
the system - a forensic nightmare. This is
also known as pod-slurping [5].
2. The stick could contain a program that
installs itself on every system it is plugged
into and executed on. Once it is installed on the
system it could monitor users, copy data
from the system and memory sticks which
are plugged in later. This stick could be
plugged in at the Internet Café around the
corner. The data could easily be packed
and sent over the Internet.
3. Similar to the second scenario, a stick could
be used to bring a trojan into a company
which tries to open a tunnel to the attacker
through various channels.
4. An attacker who wants to own a bot
network visits various Internet Cafés
with his U3 USB stick containing a self-