Hackers pierce network with jerry-rigged USB mouse


V

Virus Guy

http://www.theregister.co.uk/2011/06/27/mission_impossible_mouse_attack/

Hackers pierce network with jerry-rigged mouse

(Mission Impossible meets Logitech)

By Dan Goodin in San Francisco

Posted in Enterprise Security, 27th June 2011 18:06 GMT

When hackers from penetration testing firm Netragard were hired to
pierce the firewall of a customer, they knew they had their work cut
out. The client specifically ruled out the use of social networks,
telephones, and other social-engineering vectors, and gaining
unauthorized physical access to computers was also off limits.

Deprived of the low-hanging fruit attackers typically rely on to get a
toe-hold onto their target, Netragard CTO Adriel Desautels borrowed a
technique straight out of a plot from Mission Impossible: He modified a
popular, off-the-shelf computer mouse to include a flash drive and a
powerful microcontroller that ran custom attack code that compromised
whatever computer connected to it.

For the attack to work, the booby-trapped USB Logitech mouse had to look
and behave precisely the same as a normal device. But it also needed to
include secret capabilities that allowed the mouse to do things no user
would ever dream possible.

“The microcontroller acts as if there's a person sitting at the keyboard
typing,” Desautels told The Reg. “When a certain set of conditions are
met, the microcontroller sends commands to the computer as if somebody
was typing those commands in on the keyboard or the mouse.”
Interior view of modifified Logitech mouse

Interior view of Logitech mouse modified by penetration testers. Picture
supplied by Netragard

http://regmedia.co.uk/2011/06/27/mouse_guts.jpg

The Teensy microcontroller programmed by the Netragard hackers was
programmed to wait 60 seconds after being plugged in to a computer and
then enter commands into its keyboard that executed malware stored on
the custom-built flash drive snuck into the guts of the Logitech mouse.
To squelch warnings from McAfee antivirus, which was protecting the
customer's PCs, the microcontroller contained undocumented exploit code
that subverted the program's dialogue boxes to evade detection.

Desautels said he chose the highly involved method after deciding
against a simpler attack that relied only on a USB drive and
functionality in Windows that automatically executes its contents when
its connected to the computer. As previously reported, malware
infections that exploit the widely abused Autorun feature plummeted in
the past few months as Microsoft has made it easier for customers to
turn it off.

The modified mouse wasn't hemmed in by the change because it didn't rely
on Autorun for the malicious code to be executed. The programmable
microcontroller, in effect, acted as its own rogue agent that was under
the control of the Netragard penetration testers who had programmed it.
Because the the attack code is executed by the mini computer on the
Teensy card, the technique can work against a variety of operating
systems, not just Windows. What's more, no drivers are needed.

“You're plugging in a computer device, in either a keyboard or a mouse,
that has a mind of its own,” Desautels explained. “There's no defense,
either. Plug one of these in and you're basically screwed.”

To get someone from the target company to use the mouse, Netragard
purchased a readily available list names and other data of its
employees. After identifying a worker who looked especially promising,
they shipped him the modified mouse, which they put back in its original
packaging and added marketing materials so the shipment would look like
it was part of a promotional event.

Three days later, the malware contained on the mouse connected to a
server controlled by Netragard. Much of the malware used in the attack
was first dreamed up by security researcher Adrien Crenshaw. Netragard's
detailed description of the attack comes as the US Department of
Homeland Security released results from a recent test that showed 60
percent of employees who picked up foreign computer discs and USB thumb
drives in the parking lots of government buildings and private
contractors connected them to their computers. ®
 
Ad

Advertisements

D

David H. Lipman

From: "Virus Guy said:
http://www.theregister.co.uk/2011/06/27/mission_impossible_mouse_attack/

Hackers pierce network with jerry-rigged mouse

(Mission Impossible meets Logitech)

By Dan Goodin in San Francisco

Posted in Enterprise Security, 27th June 2011 18:06 GMT

When hackers from penetration testing firm Netragard were hired to
pierce the firewall of a customer, they knew they had their work cut
out. The client specifically ruled out the use of social networks,
telephones, and other social-engineering vectors, and gaining
unauthorized physical access to computers was also off limits.

Deprived of the low-hanging fruit attackers typically rely on to get a
toe-hold onto their target, Netragard CTO Adriel Desautels borrowed a
technique straight out of a plot from Mission Impossible: He modified a
popular, off-the-shelf computer mouse to include a flash drive and a
powerful microcontroller that ran custom attack code that compromised
whatever computer connected to it.

For the attack to work, the booby-trapped USB Logitech mouse had to look
and behave precisely the same as a normal device. But it also needed to
include secret capabilities that allowed the mouse to do things no user
would ever dream possible.

“The microcontroller acts as if there's a person sitting at the keyboard
typing,” Desautels told The Reg. “When a certain set of conditions are
met, the microcontroller sends commands to the computer as if somebody
was typing those commands in on the keyboard or the mouse.”
Interior view of modifified Logitech mouse

Interior view of Logitech mouse modified by penetration testers. Picture
supplied by Netragard

http://regmedia.co.uk/2011/06/27/mouse_guts.jpg

The Teensy microcontroller programmed by the Netragard hackers was
programmed to wait 60 seconds after being plugged in to a computer and
then enter commands into its keyboard that executed malware stored on
the custom-built flash drive snuck into the guts of the Logitech mouse.
To squelch warnings from McAfee antivirus, which was protecting the
customer's PCs, the microcontroller contained undocumented exploit code
that subverted the program's dialogue boxes to evade detection.

Desautels said he chose the highly involved method after deciding
against a simpler attack that relied only on a USB drive and
functionality in Windows that automatically executes its contents when
its connected to the computer. As previously reported, malware
infections that exploit the widely abused Autorun feature plummeted in
the past few months as Microsoft has made it easier for customers to
turn it off.

The modified mouse wasn't hemmed in by the change because it didn't rely
on Autorun for the malicious code to be executed. The programmable
microcontroller, in effect, acted as its own rogue agent that was under
the control of the Netragard penetration testers who had programmed it.
Because the the attack code is executed by the mini computer on the
Teensy card, the technique can work against a variety of operating
systems, not just Windows. What's more, no drivers are needed.

“You're plugging in a computer device, in either a keyboard or a mouse,
that has a mind of its own,” Desautels explained. “There's no defense,
either. Plug one of these in and you're basically screwed.”

To get someone from the target company to use the mouse, Netragard
purchased a readily available list names and other data of its
employees. After identifying a worker who looked especially promising,
they shipped him the modified mouse, which they put back in its original
packaging and added marketing materials so the shipment would look like
it was part of a promotional event.

Three days later, the malware contained on the mouse connected to a
server controlled by Netragard. Much of the malware used in the attack
was first dreamed up by security researcher Adrien Crenshaw. Netragard's
detailed description of the attack comes as the US Department of
Homeland Security released results from a recent test that showed 60
percent of employees who picked up foreign computer discs and USB thumb
drives in the parking lots of government buildings and private
contractors connected them to their computers. ®


Very good article that details an example of what is called "the insider threat".

And the US DHS study is very true. Ask anyone in the know in the DoD family why "USB Mass
Storage Devices" is disabled by AD Group Policy what its its association is with
W32/Agent.BTZ.

{ Adrien Crenshaw, that's funny as I received email from him on Fiday ;-) }
 
V

Virus Guy

"David H. Lipman" used improper usenet message composition style by
full-quoting a previous post (all 81 lines) and adding only these 5 new
lines:
And the US DHS study is very true. Ask anyone in the know in the
DoD family why "USB Mass Storage Devices" is disabled by AD Group
Policy what its its association is with W32/Agent.BTZ.

Don't know if this was really true, but I remember reading somewhere
(10+ years ago) that the DoD would only certify Win-NT if the PC's it
came on had their floppy-drive bay doors glued shut.

Presumably filling the USB ports of new DoD PC's with epoxy would be
more effective than disabling them via admin policy.
 
Ad

Advertisements

D

David H. Lipman

From: "Virus Guy said:
"David H. Lipman" used improper usenet message composition style by
full-quoting a previous post (all 81 lines) and adding only these 5 new
lines:

I saw NO reason to snip out that valuable information.

Don't know if this was really true, but I remember reading somewhere
(10+ years ago) that the DoD would only certify Win-NT if the PC's it
came on had their floppy-drive bay doors glued shut.

No. Didn't happen. But that's funny.

Presumably filling the USB ports of new DoD PC's with epoxy would be
more effective than disabling them via admin policy.

USB ports still need to be connected to; keyboards, mice, printers, CAC Readers, bar code
readers and all sorts of other periphery.

That idea is also funny.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top