**This article is only for educational purposes**
Critical infrastructure such as oil rigs and nuclear reactors has sophisticated information security training and solutions to protect against cyber attacks. However, hackers are thinking one step ahead of security professionals in order to hack into critical infrastructure. Critical infrastructure runs on isolated networks, which are very difficult to reach from the outside world. For this reason, hackers have developed malware like Stuxnet and Flame, which spreads via USB devices, because a lot of information is exchanged using USB storage devices, explains ethical hacker Mike Stevens.
USB drives are reusable memory storage devices that are plugged into a computer’s USB port and are commonly referred to as flash drives or memory sticks. You can wipe them any number of times and use them for different purposes.
USB drives are so common these days that hackers have started writing malware specifically to target them. Using this malware, hackers are able to hack into isolated networks such as those in nuclear plants. In this article we are going to talk about USB-related malware with the help of information security solutions experts.
DESIGN OF USB DISK
A USB flash drive is a data storage device that includes flash memory with an integrated Universal Serial Bus (USB) interface. A flash drive consists of a small printed circuit board carrying the circuit elements and a USB connector, insulated electrically and protected inside a plastic, metal, or rubberized case. Most flash drives use a standard type-A USB connection allowing connection with a port on a personal computer, but drives for other interfaces also exist. USB flash drives draw power from the computer via the USB connection.
The parts of a flash drive are:
- Standard-A USB plug – provides a physical interface to the host computer.
- USB mass storage controller – a small microcontroller with a small amount of on-chip ROM and RAM.
- NAND flash memory chip(s) – stores data (NAND flash is typically also used in digital cameras).
- Crystal oscillator – produces the device’s main 12 MHz clock signal and controls the device’s data output through a phase-locked loop.
- Cover – typically made of plastic or metal, protecting the electronics against mechanical stress and even possible short circuits.
- Jumpers and test pins – for testing during the flash drive’s manufacturing or loading code into the microprocessor.
- LEDs – indicate data transfers or data reads and writes.
- Write-protect switches – Enable or disable writing of data into memory.
- Unpopulated space – provides space to include a second memory chip. Having this second space allows the manufacturer to use a single printed circuit board for more than one storage size device.
- Some drives offer expandable storage via an internal memory card slot, much like a memory card reader.
Most flash drives ship pre-formatted with the FAT32 or exFAT file systems. Sectors are 512 bytes long, for compatibility with hard disk drives, and the first sector can contain a master boot record and a partition table.
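The first-sector layout described above can be checked during forensic triage of a drive image. The following is an added example, not code from the original article: it parses the four partition entries of a master boot record and lists the sector ranges that no partition covers. The sample sector and the capacity figure are constructed for the illustration.

```python
import struct

SECTOR = 512  # sector size given in the text
TYPES = {0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x07: "exFAT/NTFS"}

def parse_mbr(sector0):
    """Return the used primary partition entries of an MBR sector."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte sector ending in the 0x55AA signature")
    parts = []
    for i in range(4):  # four 16-byte entries starting at offset 446
        entry = sector0[446 + 16 * i:462 + 16 * i]
        # status, 3 CHS bytes, type, 3 CHS bytes, start LBA, sector count
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype and count:
            parts.append({"bootable": status == 0x80, "start": start,
                          "sectors": count, "type": TYPES.get(ptype, hex(ptype))})
    return parts

def uncovered_ranges(parts, total_sectors):
    """Sector ranges (start, length) after the MBR that no partition covers."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] + p["sectors"] > total_sectors:
            raise ValueError("partition runs past the reported capacity")
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps

def build_sample():
    """Constructed sector 0: one FAT32 (LBA) partition at sector 2048."""
    entry = struct.pack("<B3xB3xII", 0x00, 0x0C, 2048, 7_000_000)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

SAMPLE_TOTAL = 7_821_312  # constructed capacity in sectors (about 4 GB)

if __name__ == "__main__":
    parts = parse_mbr(build_sample())
    print(parts)
    for start, length in uncovered_ranges(parts, SAMPLE_TOTAL):
        print(f"uncovered: sector {start}, {length * SECTOR} bytes")
```

This only sees the capacity the controller reports to the host; space that the firmware itself hides is not visible to a parser running on the computer.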
There are two kinds of USB malware: the first is USB disk firmware malware, and the second is normal computer malware that runs on USB disks (Ghost malware). We are going to cover each of them in more detail, and how hackers use them to hack into the isolated networks of critical infrastructure such as power plants and nuclear reactors.
1. USB mass storage controller firmware-based malware
Hackers make this malware by reprogramming the firmware of the USB mass storage controller on removable USB drives. As the malware is injected into the firmware, which is on the microcontroller and not in the flash memory (where we store our files), the antivirus cannot detect the malware or its activity.
Mike Stevens, of information security training, explains that once the malware is injected into the firmware, the USB disk can do the following:
- The USB firmware malware can emulate a keyboard and issue commands on behalf of the logged-in user, for example giving root access to the hacker and infecting other devices in the network.
- The USB disk can act as a network card and change the computer’s DNS setting to redirect traffic.
The trust that Windows, Mac, and Linux operating systems give to Human Interface Devices (HIDs), such as keyboards, network cards, is the reason behind this attack, as activities performed by the malware appear as though a logged-in user performed them. The USB drive with malware in its firmware is detected as an HID by the operating system, and the malware runs a script to give root control to the hacker. Antivirus cannot detect this kind of threat, as the antivirus thinks that a user is logged in and that the user gave access to a trusted person.
There are 3 different kinds of attack based on USB mass storage controller firmware.
As explained before, an attacker will take a regular USB disk, which contains a small microprocessor, inject malware into the firmware and take root control of the computer with the help of this malware. This type of USB is called BADUSB.
Types of attacks with BADUSB
- Spoof as a 4 GB USB drive when it actually has 32 GB of space; it uses the rest of the space to copy data and later uploads it to the hacker's server. Thus, when you format the disk, you only format 4 GB of space.
- Spoof as a keyboard or mouse.
- Spoof as a network adaptor.
- Spoof as a phone or tablet.
- Spoof as a webcam.
- Spoof as an authentication bank token.
- Spoof as printers and scanners.
- Spoof as a Type-C plug carrying both power and data for the new MacBook and Chromebook Pixel. For all its versatility, Type-C is still based on the USB standard, which makes it vulnerable to a nasty firmware attack. This would be an attack via the power cord.
HOW TO CREATE BAD USB
STEP 1. Check for micro controller details
First, check the details of the controller and its associated firmware. You need software like ChipGenius, CheckUDisk, UsbIDCheck or USBDeview to determine that. These are open source software and are easily available. They will give you the chip vendor, part number, product vendor, product model, VID and PID.
STEP 2. Restoring and checking the original firmware (Optional Step)
You can also use this step to repair your USB drive if for some reason you brick it. You can visit websites like flashboot.ru and look for restoring software.
You can use the VID and PID found in the previous step to search for flashing software. You can download an MP (Mass Production) Tool, like the USBest UT16 tool, according to your PID and VID and then flash the controller. This will restore your USB drive completely, like a new one, according to information security solutions experts.
STEP 3. Preparing for the injection of firmware with malware
We will cover the scenario of Toshiba USB drives that have a Phison controller. The tools needed are available on GitHub.
- You need Windows with .NET 4.0 and Visual Studio 2012 installed.
- Install the SDCC (Small Device C Compiler) suite to C:\Program Files\SDCC (for building the firmware and patches) and reboot the machine after installing these.
- Double click on DriveCom.sln, which opens Visual Studio. Run the project and compile. DriveCom.exe is then in the tools folder.
- Do the same with EmbedPayload.sln and Injector.
- Run DriveCom as below to obtain information about your drive:
DriveCom.exe /drive=E /action=GetInfo
where E is the drive letter. This should tell you the type of controller you have (such as PS2251-03 (2303)) and the unique ID for your flash chip.
STEP 4. Performing the firmware flashing operation
For flashing you will need burner images. These burner images are typically named using the following convention:
where xx is the controller version (such as 03 for PS2251-03 (2303)), yyy is the version number (irrelevant), and z indicates the page size.
z can be either:
2KM — indicates this is for 2K NAND chips.
4KM — indicates this is for 4K NAND chips.
M — indicates this is for 8K NAND chips.
You can download the burner image from the Internet, from websites like USBDEV.ru.
To build the custom firmware, open a command prompt to the “firmware” directory and run build.bat. You can try with firmware FW03FF01V10353M.BIN as 1.03.53.
The resulting file will be at firmware\bin\fw.bin, which you can then flash to your drive.
It will also produce a firmware\bin\bn.bin file, which is the burner image equivalent of the code.
STEP 5. Dumping the firmware
Once you have the image, enter boot mode by running:
DriveCom.exe /drive=E /action=SetBootMode
where E is the drive letter. Then transfer and execute the burner image by running:
DriveCom.exe /drive=E /action=SendExecutable /burner=[burner]
where E is the drive letter and [burner] is the burner image file name.
You can then dump the firmware by running:
DriveCom.exe /drive=E /action=DumpFirmware /firmware=[firmware]
where E is the drive letter and [firmware] is the destination file name.
STEP 6. Injecting the malware into firmware
According to the ethical hacking training professor of IICyberSecurity, you can learn how to create an exploit payload and inject it into any code. However, you can also get a script from the Rubber Ducky GitHub page and, with the help of Duckencoder, create an inject.bin file from your script.
You can inject the payload into the firmware by running:
EmbedPayload.exe inject.bin fw.bin
where inject.bin is your compiled Rubber Ducky script and fw.bin is the custom firmware image.
STEP 7. Flashing the firmware on USB disk controller.
Once you have the burner image and firmware image, flash it by running:
DriveCom.exe /drive=[letter] /action=SendFirmware /burner=[burner] /firmware=[firmware]
where [letter] is the drive letter, [burner] is the burner image name, and [firmware] is the firmware image name.
The above steps lead to the creation of a BADUSB, and this USB can be used to hack and to do penetration testing. You can also create a BADSD card, which can be used in phones and tablets to hack them. Below is the video of information security solutions researchers showing how to modify the firmware of an SD card and inject malware into it.
1.2. USB Rubber Ducky or UKI (USB Key Injector)
Instead of creating your own firmware USB, you can also buy USB devices that are sold in the market, like the USB Rubber Ducky or UKI (USB Key Injector). You can learn more about the USB Key Injector and USB Rubber Ducky in the information security training of the International Institute of Cyber Security.
1.3 Teensy micro controller board
Using a Teensy micro controller board with various types of software in order to imitate HID devices is the most traditional method. You can learn more about Teensy in ethical hacking training.
2. GHOST USB Malware
This is like normal malware, but it runs only on USB devices, and when it is inside a computer it doesn’t do any activity. Criminals often use such methods to compromise isolated networks that are not accessible through the Internet. The malware of this kind that was discovered recently was FLAME. In the case of Flame, the malware created a folder that could not be seen by a Windows PC, hiding the application and stolen documents from the user, mentions an information security solutions expert. This opened up the possibility that people unknowingly carried Flame from PC to PC. Malware-carrying USB drives are effective in isolated networks holding highly sensitive documents, because portable storage drives are typically used to transfer data between computers on separate networks.
Flame can spread to other systems over a local network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons, which attempt to download information from nearby Bluetooth-enabled devices. This data, along with locally stored documents, is sent on to one of the hackers' several command and control servers. The program then awaits further instructions from these servers.
How to protect yourself from BADUSB, USB Rubber Ducky kind of devices
According to nuclear plant information security solutions expert Taylor Reed of iicybsecurity, you can take the following steps.
- Connect only trusted USB devices from vendors you know. For critical infrastructure like nuclear power plants and oil rigs, use devices whose firmware is signed and secured by the vendor, so that if somebody tries to tamper with the firmware the devices will not work.
- Keep your anti-malware updated. It will not scan the firmware, but it should detect if the BadUSB tries to install or run malware.
- Implement advanced information security solutions that monitor the use of devices connected to your computer and block any additional USB keyboard.
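The device-monitoring step above can be expressed as a policy over the interface descriptors that each USB device reports at enumeration. The following is an added example, not code from the original article or from any product it mentions: it flags a storage device that also exposes an input or network interface, and any keyboard beyond the first approved one. The port labels, VID:PID values and the `evaluate` helper are constructed for the illustration.

```python
from dataclasses import dataclass

# USB class codes; interfaces are (class, subclass, protocol) triples
MASS_STORAGE, HID, CDC, WIRELESS = 0x08, 0x03, 0x02, 0xE0
KEYBOARD = (HID, 0x01, 0x01)  # HID boot-interface keyboard

@dataclass(frozen=True)
class UsbDevice:
    port: str          # hypothetical port label
    vid_pid: str
    interfaces: tuple  # one (class, subclass, protocol) triple per interface

def evaluate(devices, approved_keyboards):
    """Return {port: [reasons]} for devices this policy would block.

    Devices are taken in enumeration order. VID:PID is only a coarse filter,
    because reprogrammed firmware can report any value it likes. Only boot
    keyboards are recognised here; a generic HID interface is not parsed.
    """
    findings, keyboard_seen = {}, False
    for dev in devices:
        classes = {cls for cls, _, _ in dev.interfaces}
        reasons = []
        if MASS_STORAGE in classes and classes & {HID, CDC, WIRELESS}:
            reasons.append("storage device also exposes an input or network interface")
        if KEYBOARD in dev.interfaces:
            if dev.vid_pid not in approved_keyboards:
                reasons.append("keyboard is not on the allowlist")
            elif keyboard_seen:
                reasons.append("additional keyboard")
            else:
                keyboard_seen = True
        if reasons:
            findings[dev.port] = reasons
    return findings

# Constructed sample enumeration (all identifiers are made up)
SAMPLE = [
    UsbDevice("1-1", "aaaa:0001", (KEYBOARD,)),
    UsbDevice("1-2", "bbbb:0002", ((MASS_STORAGE, 0x06, 0x50),)),
    UsbDevice("1-3", "cccc:0003", ((MASS_STORAGE, 0x06, 0x50), KEYBOARD)),
    UsbDevice("1-4", "aaaa:0001", (KEYBOARD,)),
]

if __name__ == "__main__":
    for port, reasons in evaluate(SAMPLE, {"aaaa:0001"}).items():
        print(port, "->", "; ".join(reasons))
```

The last sample device reports the approved keyboard's VID:PID and is still flagged, because the policy counts keyboards rather than trusting the identifier alone.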
How to protect yourself from GHOST USB malware
- Keep your anti-malware updated.
- Use Ghost USB Honeypot. Ghost is a honeypot for detecting malware that spreads via USB devices. The honeypot currently supports Windows XP and Windows 7.
- The way Ghost works is that it first tries to emulate a USB thumb drive. If the malware identifies it as a USB thumb drive, it will trick the malware into infecting it. Ghost then looks for write-based requests on the drive, which are an indication of malware. You can learn more about the Ghost USB honeypot in ethical hacking training.
USB malware is very dangerous, and immediate measures should be implemented to ensure IT infrastructure security with the help of information security solutions experts.