
CEHv6 module 41 hacking USB devices


DOCUMENT INFORMATION

Basic information

Title: Hacking USB Devices
Institution: EC-Council
Field: Cybersecurity / Ethical Hacking
Type: module
Pages: 48
Size: 1.36 MB


Contents


Page 1

Hacking USB Devices

Ethical Hacking and Countermeasures Version 6

Module XLI: Hacking USB Devices

Exam 312-50

Page 2

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

News

Source: http://www.vnunet.com/

A worm named SillyFD-AA installs itself onto computer systems, puts the message "Hacked by 1Byte" in Internet Explorer, and writes an autorun.inf file to removable devices such as USB drives and floppy diskettes. According to experts, this worm spreads through USB drives.

The worm can act as a backdoor and may insert malicious code into the computer. Once an infected USB device is connected to a computer, the worm installs itself automatically and spreads further on its own.

Computer users should take care when plugging unknown devices into their PCs, as the devices may contain malicious code. Users are advised to turn off the autorun option in the Windows operating system so that the worm cannot run automatically.

Page 3

Module Objective

• USB Devices
• USB Attacks
• Viruses and Worms
• USB Hacking Tools
• USB Security Tools
• Countermeasures

Page 4

Module Flow

USB Devices -> USB Attacks -> Viruses and Worms -> USB Hacking Tools -> USB Security Tools -> Countermeasures

Page 5

Introduction to USB Devices

Universal Serial Bus (USB) is a serial bus standard for interfacing devices with a host computer.

It is hot-pluggable, allowing a device to be connected or removed while the computer is running.

A pen drive is a compact, removable storage device that fills the same role as a floppy disk or a CD; it plugs into a USB port.

USB acts as the interface between the host and add-on devices, allowing peripheral devices and the host to communicate. Because the bus is hot-pluggable, devices can be connected or disconnected while the system is running. When a device is attached, the host detects it by means of a pull-up resistor on one of the two data lines: a low-speed device pulls up D-, and a full-speed device pulls up D+ (a high-speed device first attaches as a full-speed device and then negotiates high speed). The Human Interface Device (HID) class is one of the USB device classes. It gives structure to the data transferred between the device and the system: during enumeration, a HID device describes the format of the reports it sends and receives, so the host needs no device-specific driver to handle the data it receives from the device. HID devices include mice, keyboards, joysticks, and similar peripherals.

Page 6

USB Attacks

Page 7

Electrical Attack

A design flaw common to USB keys is the improper storage of password values, which can allow the extraction of all data, including private information.

Changing the password value stored in the EEPROM grants access to the device and lets the attacker extract all of the private information on it.

An electrical attack can be performed on a USB key when the device's circuit board is physically accessible. The attack is done to steal private data that the legitimate user has protected with a PIN or password. The USB key consists of a microprocessor with USB support, external memory, and glue circuitry. If the password is stored improperly, the attacker can steal the data easily: the password value stored in the Electrically Erasable Programmable Read-Only Memory (EEPROM) can be overwritten and the data extracted. Once the hack is performed, the attacker can restore the original password value, so that the owner of the USB key is not aware of any suspicious activity.

Serial EEPROMs require minimal circuitry to read and write, hence they are widely used in the engineering industry. But they are insecure and provide no protection to the devices in which they are used: a device programmer attached to the serial EEPROM can read or rewrite its contents directly, so the EEPROM cannot be relied upon to restrict inappropriate access.

Page 8

Software Attack

A software attack is a non-invasive attack: the device is neither tampered with nor harmed. The attack makes use of the normal operating conditions of the device, and its purpose is to find flaws in the implementation of the software or firmware in the product. Once the attack succeeds, the results can be replicated on other devices of the same model. A USB software attack can be chosen from two distinct areas:

Examine the communication channels

Custom device drivers and commercial USB protocol analyzers are used to examine the communication channel between the USB device and the host computer.

Analyze and determine the possibility of brute-forcing a password

A USB key can be unlocked by analyzing and determining the administrator's MKEY value or the genuine user's password or PIN.

Vendor-provided software development kits consist of source code, header files, and a lot of information about the design and structure of the device. They may contain bits and pieces of the key's serial EEPROM contents, leaking secret and private information.
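The electrical and software attacks above both come down to how the key stores its unlock secret. The following is an added example, not code from the EC-Council module or from any vendor's product: it simulates the EEPROM image of a hypothetical USB key as a byte array. The weak design stores the password and the user data in the clear, so the attack described above (overwrite the password field with a device programmer, unlock, restore the original bytes) recovers everything. The hardened design stores only a salted PBKDF2 verifier and keeps the data encrypted under a PIN-derived key, so rewriting the EEPROM no longer helps; what remains is the offline brute force of a short PIN against the dump, which is why the firmware must also enforce a retry counter or a longer PIN. The field layout, offsets, iteration count and the toy HMAC keystream are assumptions made for illustration.

```python
"""Simulated USB-key EEPROM: plaintext password storage versus a PIN-derived key.
Added example; layout, offsets and the toy keystream are illustrative assumptions."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed layout of the weak design: password (8 bytes, NUL padded), then data.
PW_LEN = 8


def weak_eeprom(password: bytes, data: bytes) -> bytearray:
    """Image a naive firmware writes: password and data both in the clear."""
    assert len(password) <= PW_LEN
    return bytearray(password.ljust(PW_LEN, b"\0") + data)


def weak_unlock(eeprom: bytearray, attempt: bytes) -> Optional[bytes]:
    """Firmware check: plain byte comparison against the stored password."""
    if bytes(eeprom[:PW_LEN]) == attempt.ljust(PW_LEN, b"\0"):
        return bytes(eeprom[PW_LEN:])
    return None


def electrical_attack(eeprom: bytearray) -> Optional[bytes]:
    """Rewrite the password field, unlock, then restore the original bytes."""
    original = bytes(eeprom[:PW_LEN])
    eeprom[:PW_LEN] = b"attacker"            # device programmer writes the EEPROM
    data = weak_unlock(eeprom, b"attacker")  # the key now accepts the new value
    eeprom[:PW_LEN] = original               # cover tracks: owner sees nothing
    return data


# Hardened layout (assumed): iterations (4 bytes) | salt (16) | verifier (32) | ciphertext.
SALT_LEN, VER_LEN = 16, 32


def _keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (illustration only; real
    firmware would use an authenticated cipher such as AES-GCM)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _derive(pin: bytes, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Stretch the PIN into an encryption key and a separate verifier."""
    key = hashlib.pbkdf2_hmac("sha256", pin, salt, iterations, dklen=64)
    return key[:32], key[32:]


def hardened_eeprom(pin: bytes, data: bytes, iterations: int = 200_000) -> bytes:
    """Image that never stores the PIN: only a verifier plus encrypted data."""
    salt = os.urandom(SALT_LEN)
    enc_key, verifier = _derive(pin, salt, iterations)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, len(data))))
    return iterations.to_bytes(4, "big") + salt + verifier + ct


def hardened_unlock(image: bytes, pin: bytes) -> Optional[bytes]:
    """Constant-time verifier check, then decrypt with the PIN-derived key."""
    iterations = int.from_bytes(image[:4], "big")
    salt = image[4:4 + SALT_LEN]
    verifier = image[4 + SALT_LEN:4 + SALT_LEN + VER_LEN]
    ct = image[4 + SALT_LEN + VER_LEN:]
    enc_key, expected = _derive(pin, salt, iterations)
    if not hmac.compare_digest(expected, verifier):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


def rewrite_verifier(image: bytes, new_pin: bytes) -> bytes:
    """The same programmer trick against the hardened image: swap the verifier
    so the key accepts new_pin. The check passes, but the data was encrypted
    under the real PIN's key, so only garbage comes back."""
    iterations = int.from_bytes(image[:4], "big")
    salt = image[4:4 + SALT_LEN]
    _, verifier = _derive(new_pin, salt, iterations)
    return image[:4 + SALT_LEN] + verifier + image[4 + SALT_LEN + VER_LEN:]


def brute_force_pin(image: bytes, digits: int = 4) -> Optional[bytes]:
    """Offline search over the dump: no retry counter in the firmware can stop
    this, so a 4-digit PIN falls within 10**digits derivations."""
    for n in range(10 ** digits):
        pin = str(n).zfill(digits).encode()
        if hardened_unlock(image, pin) is not None:
            return pin
    return None
```

Running `brute_force_pin` against a hardened image still succeeds for a numeric PIN; the PBKDF2 iteration count only sets the price per guess. The retry counter that defeats it has to live in firmware that the EEPROM contents cannot reset, which is the argument for a secure element rather than a bare serial EEPROM.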

Page 9

USB Attack on Windows

Buffer-overflow vulnerabilities in USB device drivers allow an attacker to bypass Windows security and gain administrative privileges on the host machine.

An attacker who knows of a vulnerability in a USB device driver can program a USB device, such as a portable memory stick, to pose as the kind of device that uses the vulnerable driver.

The attacker then plugs the device into the host system and triggers the exploit when the host loads the flawed driver.

This allows the attacker to take control of the host computer.

An attacker can reprogram a USB device to trigger a buffer-overflow vulnerability: the device is built to look like a memory stick but enumerates as whatever device the flawed driver handles, and it works against a locked workstation because the driver loads whether or not anyone is logged on. Violating Windows security this way gives the attacker administrative access. This is an example of the danger posed by peripheral devices that attach over USB, FireWire, and wireless networking connections. When USB devices are plugged into systems running 32-bit Windows such as Windows XP and 2000, the buffer-overflow flaws occur in the device drivers. An attacker who knows about a vulnerability in a USB driver can program a portable memory stick, plug it into the host system, and exploit the system while it is loading the flawed driver.

This attack can be prevented, since it requires physical access to the system. Whenever a USB device is plugged into a machine on the network, the event can be detected with USB security tools.
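The host learns nothing about a device beyond what the device claims in its descriptors during enumeration (see the introduction above), which is why a reprogrammed memory stick can present itself as a HID keyboard or as the class a flawed driver handles. The following is an added example, not code from the EC-Council module: it parses the standard USB 2.0 device and configuration descriptors and reviews which interface classes a device would cause the host to bind drivers for, against a simple allowlist. The descriptor bytes are constructed for illustration (the vendor and product IDs are placeholders, not a real product), and the allowlist rules are an assumption for a locked-down workstation, not a vendor policy.

```python
"""Walk USB descriptors and report which drivers the host would load.
Added example; the sample device and the allowlist policy are constructed."""
import struct
from typing import Dict, List, Tuple

DEVICE, CONFIGURATION, INTERFACE, ENDPOINT, HID = 0x01, 0x02, 0x04, 0x05, 0x21
CLASS_NAMES = {0x03: "HID", 0x08: "mass storage", 0xE0: "wireless", 0xFF: "vendor-specific"}


def parse_device_descriptor(blob: bytes) -> Dict[str, int]:
    """18-byte device descriptor (USB 2.0 specification, table 9-8)."""
    names = ("bLength", "bDescriptorType", "bcdUSB", "bDeviceClass",
             "bDeviceSubClass", "bDeviceProtocol", "bMaxPacketSize0",
             "idVendor", "idProduct", "bcdDevice", "iManufacturer",
             "iProduct", "iSerialNumber", "bNumConfigurations")
    if len(blob) < 18:
        raise ValueError("short device descriptor")
    desc = dict(zip(names, struct.unpack("<BBHBBBBHHHBBBB", blob[:18])))
    if desc["bLength"] != 18 or desc["bDescriptorType"] != DEVICE:
        raise ValueError("not a device descriptor")
    return desc


def parse_configuration(blob: bytes) -> List[Dict[str, int]]:
    """Walk the configuration descriptor and everything that follows it
    (interface, HID, endpoint descriptors), returning the interfaces found.
    Inconsistent lengths are rejected rather than skipped: a descriptor that
    lies about its size is exactly how driver parsing bugs get triggered."""
    if len(blob) < 9 or blob[0] != 9 or blob[1] != CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]
    if total != len(blob):
        raise ValueError(f"wTotalLength {total} but {len(blob)} bytes supplied")
    interfaces, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob) or blob[pos] < 2 or pos + blob[pos] > len(blob):
            raise ValueError(f"bad bLength at offset {pos}")
        length, dtype = blob[pos], blob[pos + 1]
        if dtype == INTERFACE and length == 9:
            fields = struct.unpack_from("<BBBBBB", blob, pos + 2)
            interfaces.append(dict(zip(("bInterfaceNumber", "bAlternateSetting",
                                        "bNumEndpoints", "bInterfaceClass",
                                        "bInterfaceSubClass", "bInterfaceProtocol"),
                                       fields)))
        pos += length
    return interfaces


def review_device(device: Dict[str, int], interfaces: List[Dict[str, int]],
                  allowed_classes: Tuple[int, ...] = (0x08,)) -> List[str]:
    """Findings against an assumed policy: only mass-storage interfaces expected."""
    findings = []
    for itf in interfaces:
        cls, num = itf["bInterfaceClass"], itf["bInterfaceNumber"]
        name = CLASS_NAMES.get(cls, f"class 0x{cls:02x}")
        if cls not in allowed_classes:
            findings.append(f"interface {num}: {name} not in allowlist, host would load its driver")
        if cls == 0x03 and itf["bInterfaceSubClass"] == 1 and itf["bInterfaceProtocol"] == 1:
            findings.append(f"interface {num}: boot keyboard, can inject keystrokes into a session")
    classes = {i["bInterfaceClass"] for i in interfaces}
    if 0x08 in classes and 0x03 in classes:
        findings.append("storage and HID on one device: typical of a reprogrammed memory stick")
    if device["bDeviceClass"] not in (0, 0xEF) and device["bDeviceClass"] not in classes:
        findings.append("device-level class does not match any interface class")
    return findings


def sample_posing_stick() -> Tuple[bytes, bytes]:
    """Constructed descriptors for a hypothetical 'memory stick' that also
    enumerates as a HID boot keyboard. VID/PID are placeholders."""
    device = struct.pack("<BBHBBBBHHHBBBB", 18, DEVICE, 0x0200, 0, 0, 0, 64,
                         0x1234, 0x5678, 0x0100, 1, 2, 3, 1)
    body = b"".join([
        struct.pack("<BBBBBBBBB", 9, INTERFACE, 0, 0, 2, 0x08, 0x06, 0x50, 0),  # MSC, SCSI, bulk-only
        struct.pack("<BBBBHB", 7, ENDPOINT, 0x81, 0x02, 512, 0),                # bulk IN
        struct.pack("<BBBBHB", 7, ENDPOINT, 0x02, 0x02, 512, 0),                # bulk OUT
        struct.pack("<BBBBBBBBB", 9, INTERFACE, 1, 0, 1, 0x03, 0x01, 0x01, 0),  # HID boot keyboard
        struct.pack("<BBHBBBH", 9, HID, 0x0111, 0, 1, 0x22, 63),               # HID class descriptor
        struct.pack("<BBBBHB", 7, ENDPOINT, 0x83, 0x03, 8, 10),                 # interrupt IN
    ])
    config = struct.pack("<BBHBBBBB", 9, CONFIGURATION, 9 + len(body), 2, 1, 0, 0x80, 50)
    return device, config + body
```

On a real host the same review can be driven from the descriptors the kernel already captured (`lsusb -v` on Linux, or the device-instance properties in Windows), and the policy becomes a device-control rule: refuse to bind anything but the classes the workstation needs.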

Page 10

Viruses and Worms

Page 11

Virus: W32/Madang-Fam

W32/Madang-Fam is a family of viruses for the Windows platform that spreads via removable storage devices.

It attempts to infect files with an EXE or SCR extension on all drives and on connected network shares.

It contains code to download and execute code from one or more remote websites.

It may attempt to run the files <System>\setupx.exe and <System>\Updatex.exe.

W32/Madang-Fam is a virus family for the Windows platform that spreads through removable storage devices. These viruses try to infect files with an EXE or SCR extension on all drives and on connected network shares. They contain code to download and execute code from remote websites. They drop an infected copy of themselves as <System>\Serverx.exe and set up a registry entry to run it on startup. The registry entry is as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Serverx
<System>\Serverx.exe

They may attempt to run the files <System>\setupx.exe and <System>\Updatex.exe and inject themselves into the kernel or into another running process.

Page 12

W32/Hasnot-A

The W32/Hasnot-A worm spreads through USB devices on the Windows platform. After infecting a system, the worm hides files and folders and leaves copies of itself that carry the original file or folder names with .exe appended. It spreads through network shares and USB devices and copies itself to the root folder of the drive as Skynet.exe.

Additionally, it adds an autorun.inf file. The <Root>\autorun.inf file is designed so that the worm starts spreading as soon as the drive is mounted. When first run, the worm copies itself to the following files:

<Root>\Documente und Einstellungen.exe
<Root>\Documenti e Impostazioni.exe
<Root>\Documents and Settings.000.exe
<Root>\Documents and Settings.exe

<Root>\System Volume Information.exe

On startup, registry entries are created to run WinNT.com and _default.pif. The registry entries are:

Page 14

W32/Fujacks-AK

The W32/Fujacks-AK worm spreads from one network to another via network shares and removable storage devices. It copies itself under the filenames GameSetup.exe and setup.exe, then creates the file autorun.inf to ensure that setup.exe is executed. It can access the Internet and communicate with a remote server over HTTP. When the worm is run for the first time, it copies itself to the files listed below:

<System>\drivers\spoclsv.exe
<Root>\setup.exe
<Root>\autorun.inf (this file can be safely deleted)

On startup, the registry entry created to run spoclsv.exe is as follows:

Whenever the worm finds EXE files, it infects them and creates a Desktop_.ini file when it succeeds. The worm can delete all shares, including the Admin$ share. It infects floppy disks and USB devices and creates a hidden Autorun.inf file on them; this Autorun.inf file is designed so that the worm starts as soon as the removable device is connected to an uninfected system.

Page 15

W32/Fujacks-E

It runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access to and control over the computer.

It has the functionality to access the Internet and communicate with a remote server via HTTP, and it may change HTML files.

W32/Fujacks-E is a worm that affects the Windows platform and has backdoor functionality. It spreads across networks through removable devices and network shares, replicating itself under the filenames Gamesetup.exe and setup.exe. It then creates the file autorun.inf to ensure that setup.exe is executed. It can access the Internet and communicate with a remote server over HTTP. The worm runs in the background as a backdoor server through which the attacker gains access to and control over the system.

It may change HTML files. When the worm is first run, it copies itself to <System>\drivers\spoclsv.exe. On startup, the following registry entry is created to run spoclsv.exe:

Page 16

W32/Dzan-C

It appends its 66048 bytes of code to the end of the original file, so whenever the file is executed, the virus is executed as well.

W32/Dzan-C is a virus that affects the Windows platform. It spreads through removable storage devices such as USB devices and floppy disks and runs hidden in the system, providing a backdoor server through which an attacker can gain access to and control over the system. If the system is infected with this virus, the following files are created:

<Windows>\inetinfo.exe
<System>\1021\services.exe

A new system service named "services" is registered for the file <System>\1021\services.exe. It has the display name "Themes Plug and Play" and starts automatically when the system boots. Its registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\services

Page 17

W32/SillyFD-AA

W32/SillyFD-AA is a worm for the Windows platform.

Once installed, W32/SillyFD-AA spreads through removable storage devices, including floppy drives and USB keys.

This worm attempts to create a hidden Autorun.inf file on the removable drive and copies itself to the drive under the hidden filename <Root>\handydriver.exe.

W32/SillyFD-AA affects the Windows platform by spreading through removable storage devices such as floppy disks and USB devices. It creates a hidden file named Autorun.inf on the removable drive and copies itself to the device under the hidden filename <Root>\handydriver.exe. The Autorun.inf file is designed to start the worm whenever the device is connected to an uninfected system. The worm then copies itself to the locations listed below:

On startup, this worm creates the <Root>\autorun.inf file. The following registry entries are set to run the worm:

Page 18

W32/SillyFDC-BK

W32/SillyFDC-BK is a worm for the Windows platform.

W32/SillyFDC-BK spreads via removable and shared drives by copying itself to <Root>\krage.exe and creating the file <Root>\autorun.inf.

It spreads mostly through removable and shared drives, copying itself to <Root>\krage.exe. It creates the file <Root>\autorun.inf, detected as W32/Agent-FOW, which is designed to run the worm when the removable device is connected to an uninfected system.

Page 19

W32/LiarVB-A

W32/LiarVB-A copies itself to the root folder of the drive and adds an autorun.inf file.

W32/LiarVB-A leaves an HTML file on the infected system with a message about AIDS.

The W32/LiarVB-A worm affects the Windows platform. It spreads through removable storage devices such as floppy drives and USB keys, copying itself to the root folder of the drive and adding an autorun.inf file. The <Root>\autorun.inf file is designed to start the worm when the removable drive is mounted. An HTML file with a message about AIDS and the following marquee is left on the infected system:

"This file does not make harmful change to your computer. This File is NOT DANGEROUS for your computer and FlashDisk (USB). This file does not disturb any data or files on your computer and FlashDisk (USB). So do not be afraid, and be happy!"

This worm copies itself to the following folders:

<Open folder>\<Folder name>.exe

The registry entries listed below are created by this worm:

HKCR\*\shell\Scan for Virus\Command\

Page 21

W32/Hairy-A

W32/Hairy-A is a worm for the Windows platform.

W32/Hairy-A attempts to copy itself to removable drives and to create an autorun.inf file on them.

W32/Hairy-A changes settings for Microsoft Internet Explorer by modifying registry values.

W32/Hairy-A is a worm that affects the Windows platform. It spreads via removable storage devices such as floppy disks and USB devices by copying itself to them and creating an autorun.inf file. When the worm is installed, it modifies the following registry values:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page

Internet security is affected by setting the following registry entries:

Page 22

System software is disabled by setting the following registry entries:

Page 23

W32/QQRob-ADN

W32/QQRob-ADN is a worm for the Windows platform.

W32/QQRob-ADN spreads by copying itself to removable storage devices.

W32/QQRob-ADN copies itself to removable storage devices as the hidden file oso.exe and creates a hidden autorun.inf to launch oso.exe automatically when the device is plugged in.

W32/QQRob-ADN attempts to block access to security-related sites by modifying the HOSTS file.

W32/QQRob-ADN is a worm that affects the Windows platform. It spreads through removable storage devices such as floppy disks and USB devices by copying itself. After its first run, it copies itself to:

"<System>\hx1.bat" is a clean file and can be safely deleted. Troj/QQRob-ACM is detected in the file "<System>\jusodl.dll". The worm copies itself to removable devices as the hidden files oso.exe and autorun.inf; when such a device is plugged in, the autorun.inf launches oso.exe and infects the system. The HOSTS file is modified in an attempt to block access to security-related sites. In order to run jusodl.exe and server.exe on startup, the worm creates the following registry entries:

Page 24

W32/VBAut-B

W32/VBAut-B has the functionality to spread via removable storage devices and instant messaging protocols, and to download, install, and run new software.

This worm attempts to copy itself under the filename boot.exe to any available removable storage device, creating an Autorun.inf file to ensure that the copy of the worm is executed once the device is accessed.

The W32/VBAut-B worm downloads new software and installs and runs it on Windows. It spreads via instant messaging and removable storage devices. W32/Sohan-k downloads this worm, which then copies itself to removable devices under the filename boot.exe and creates an Autorun.inf file to run the worm when the device is accessed; this Autorun.inf file can be safely removed. When run for the first time, the worm copies itself to the following files:

Internet Explorer settings are changed by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

System software is disabled by setting the following registry entries:
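Every sample in this section drops a (usually hidden) executable in the root of the drive and an autorun.inf that points Windows at it, which is also what the news item at the start of the module warns about. The following is an added example, not code from the EC-Council module or from any antivirus vendor: it reads autorun.inf the way a worm writes it (any letter case, stray whitespace, junk lines) and cross-checks its launch targets against a listing of the drive root. The autorun.inf text and the directory listing are constructed sample input; the `Entry` record is an assumed shape for a listing, and the file names the review knows about are the ones named in this module (handydriver.exe, krage.exe, oso.exe, boot.exe, setup.exe, GameSetup.exe, Skynet.exe, and the "<folder name>.exe" trick of W32/Hasnot-A).

```python
"""Triage a removable drive's root for the autorun.inf dropper pattern.
Added example; the sample autorun.inf, listing and Entry record are constructed."""
import re
from typing import Dict, List, NamedTuple

LAUNCH_KEYS = ("open", "shellexecute")
KNOWN_DROPPERS = {"handydriver.exe", "krage.exe", "oso.exe", "boot.exe",
                  "setup.exe", "gamesetup.exe", "skynet.exe"}
SYSTEM_FOLDERS = {"documents and settings", "system volume information",
                  "documente und einstellungen", "documenti e impostazioni"}


class Entry(NamedTuple):
    """One root-directory entry as a triage tool would list it (assumed shape)."""
    name: str
    hidden: bool = False
    is_dir: bool = False


def parse_autorun(text: str) -> Dict[str, str]:
    """Keys of the [autorun] section, lower-cased, values trimmed.
    Later duplicates win; comments, NUL padding and junk lines are ignored."""
    keys, in_autorun = {}, False
    for raw in text.replace("\x00", "").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = re.fullmatch(r"\[(.*)\]", line)
        if section:
            in_autorun = section.group(1).strip().lower().startswith("autorun")
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip().strip('"')
    return keys


def launch_targets(keys: Dict[str, str]) -> List[str]:
    """Every file autorun.inf could cause Windows to run: open=, shellexecute=,
    and each shell\\<verb>\\command= (verbs appear in the drive's context menu
    and become the double-click action when shell=<verb> is set)."""
    targets: List[str] = []
    for key, value in keys.items():
        if key in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
            first = value.split()[0] if value.strip() else ""
            if first and first not in targets:
                targets.append(first)
    return targets


def review_drive(autorun_text: str, listing: List[Entry]) -> List[str]:
    """Cross-check autorun.inf against the root listing and return findings."""
    keys = parse_autorun(autorun_text)
    by_name = {e.name.lower(): e for e in listing}
    findings = []
    for target in launch_targets(keys):
        name = target.lower().lstrip(".\\")
        entry = by_name.get(name)
        if name in KNOWN_DROPPERS:
            findings.append(f"launches {target}: name used by a known USB worm")
        if entry is None:
            findings.append(f"launches {target}: file not in root listing")
        elif entry.hidden:
            findings.append(f"launches {target}: target is a hidden file")
    if "shell" in keys:
        findings.append(f"shell={keys['shell']}: double-clicking the drive runs that verb")
    if "folder" in keys.get("action", "").lower():
        findings.append(f"action={keys['action']!r}: AutoPlay entry masquerades as a folder open")
    auto = by_name.get("autorun.inf")
    if auto is not None and auto.hidden:
        findings.append("autorun.inf itself is hidden")
    for e in listing:
        stem = e.name.lower()[:-4] if e.name.lower().endswith(".exe") else None
        if stem and (stem in SYSTEM_FOLDERS or by_name.get(stem, Entry("")).is_dir):
            findings.append(f"{e.name}: executable named after a folder (W32/Hasnot-A style)")
    return findings


# Constructed sample input modelled on the W32/QQRob-ADN and W32/Hasnot-A descriptions.
SAMPLE_AUTORUN = """[AutoRun]
;created by worm
OPEN = oso.exe
shell\\open\\Command=oso.exe
shell\\explore\\command = oso.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
SAMPLE_LISTING = [Entry("autorun.inf", hidden=True), Entry("oso.exe", hidden=True),
                  Entry("Documents and Settings", is_dir=True),
                  Entry("Documents and Settings.exe", hidden=True),
                  Entry("holiday photos", is_dir=True), Entry("report.docx")]
```

Windows 7 and later, and XP/Vista with the 2011 AutoRun update, no longer honour autorun.inf on USB mass-storage drives, so today this check is mainly a forensics aid for drives that passed through older hosts. The advice in the news item, turning AutoRun off, corresponds to the NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (0xFF disables AutoRun on every drive type).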

Posted: 26/12/2013, 21:00
