iPods shipped with virus

Some iPods were shipped from the factory with the Windows RavMonE.exe virus, which goes on to infect other removable media devices plugged into the system. This sounds an awful lot like some of the tools we have been seeing out there lately…

Full Notice from Apple

We recently discovered that a small number - less than 1% - of the Video iPods available for purchase after September 12, 2006, left our contract manufacturer carrying the Windows RavMonE.exe virus. This known virus affects only Windows computers, and up-to-date anti-virus software, which is included with most Windows computers, should detect and remove it. So far we have seen fewer than 25 reports concerning this problem. The iPod nano, iPod shuffle and Mac OS X are not affected, and all Video iPods now shipping are virus free. As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.

posted by akuma @ October 17, 2006 3:27 pm  

HTTP R.A.T.

Michel submitted the potential use of the HTTP R.A.T. trojan. This could be a pretty nasty threat if deployed à la the USB Hacksaw/Switchblade, or even alone through a hacked U3 drive configured for autorun: it would open an entire system up, and not all anti-virus or anti-spyware apps will pick it up, at least not right away.

posted by akuma @ 12:50 pm  

McTrojan in Japan

McDonalds, as part of a recent promotion in Japan, gave away 10,000 MP3 players pre-loaded with 10 songs each. However, in addition to the music, the QQPass Trojan was somehow also pre-loaded on the MP3 players; it steals passwords, usernames and other interesting information from the systems the drives are connected to.

posted by akuma @ October 16, 2006 1:18 am  

USB Hacksaw

USB Hacksaw is a proof-of-concept application developed by Hak5 as an extension to the USB Switchblade. The USB Hacksaw uses a modified version of USB Dumper that, once installed on a system, runs a process in the background whenever that computer starts, waiting for a USB thumb drive to be inserted. Once a USB thumb drive is inserted into the system, its contents are automatically sent via an encrypted SMTP connection to a remote email account configured by the author.

The tool has been quickly modified to include other malicious purposes, including running a special version of Nmap and other vulnerability scans and sending the data to remote locations. A more dangerous version has also recently been released that includes the ability to install the payload onto any drive that is plugged in, thus enabling it to infect other systems. This is the first reported case of an actual worm driven by USB flash drives.
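The resident-dumper behaviour described above (a process that waits for a removable volume, reads it in bulk, then opens an outgoing mail connection) is something endpoint telemetry can correlate on. The following is an added example, not code from this post or from Hak5: a small correlation rule over constructed event lines. The event format, the process name `hypodump.exe` and the addresses are all made up for the demonstration; a real deployment would feed it device-arrival, file-access and network-connect events from whatever agent is in use.

```python
"""Behavioural detection for the resident-dumper pattern: a process that,
right after a removable volume appears, reads files from it in bulk and then
opens an outbound SMTP/SMTPS/submission connection. Added example, not code
from the post or from Hak5; event lines, process names and addresses are
constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

SMTP_PORTS = {25, 465, 587}
WINDOW = timedelta(minutes=5)   # first read -> exfil window; tune per environment
MIN_FILES = 3                   # how many files counts as a bulk read

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\S+) ?(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed endpoint telemetry; hypothetical "hypodump.exe" plays the dumper.
SAMPLE_EVENTS = """\
2006-10-07T22:01:03 DEVICE_ARRIVAL volume=E: type=removable
2006-10-07T22:01:05 FILE_READ pid=1337 image=C:\\WINDOWS\\system32\\hypodump.exe path=E:\\budget.xls
2006-10-07T22:01:05 FILE_READ pid=1337 image=C:\\WINDOWS\\system32\\hypodump.exe path=E:\\notes.txt
2006-10-07T22:01:06 FILE_READ pid=1337 image=C:\\WINDOWS\\system32\\hypodump.exe path=E:\\photos\\img01.jpg
2006-10-07T22:01:07 FILE_READ pid=2040 image="C:\\Program Files\\Office\\excel.exe" path=E:\\budget.xls
2006-10-07T22:01:21 NET_CONNECT pid=1337 image=C:\\WINDOWS\\system32\\hypodump.exe dst=203.0.113.10:465
2006-10-07T22:03:00 NET_CONNECT pid=2040 image="C:\\Program Files\\Office\\excel.exe" dst=198.51.100.5:443
2006-10-07T22:09:00 NET_CONNECT pid=1337 image=C:\\WINDOWS\\system32\\hypodump.exe dst=203.0.113.10:25
"""


def parse_event(line):
    """Turn one 'timestamp KIND key=value ...' line into a dict."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev = {"ts": datetime.fromisoformat(m.group("ts")), "kind": m.group("kind")}
    for key, val in KV_RE.findall(m.group("rest")):
        ev[key] = val.strip('"')
    return ev


def detect_usb_dumper(text):
    """Return one alert per SMTP-family connection made by a process that
    bulk-read a freshly attached removable volume within WINDOW."""
    arrivals = []                 # (ts, volume prefix) of removable media
    reads = defaultdict(dict)     # pid -> {path: time of first read}
    image_of = {}
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["kind"] == "DEVICE_ARRIVAL" and ev.get("type") == "removable":
            arrivals.append((ev["ts"], ev["volume"].upper()))
        elif ev["kind"] == "FILE_READ":
            path = ev["path"].upper()
            # Count only reads of a removable volume that arrived recently.
            if any(path.startswith(vol) and ts <= ev["ts"] <= ts + WINDOW
                   for ts, vol in arrivals):
                reads[ev["pid"]].setdefault(ev["path"], ev["ts"])
                image_of[ev["pid"]] = ev["image"]
        elif ev["kind"] == "NET_CONNECT":
            _, _, port = ev["dst"].rpartition(":")
            files = reads.get(ev["pid"], {})
            if int(port) in SMTP_PORTS and len(files) >= MIN_FILES:
                first_read = min(files.values())
                # A mail connection long after the reads is outside the rule.
                if ev["ts"] - first_read <= WINDOW:
                    alerts.append({
                        "pid": ev["pid"], "image": image_of[ev["pid"]],
                        "files": len(files), "dst": ev["dst"],
                        "at": ev["ts"].isoformat(),
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_usb_dumper(SAMPLE_EVENTS):
        print("ALERT removable-media exfil:", alert)
```

In the sample, only the hypothetical dumper trips the rule: it reads three files from the new volume and connects to port 465 seconds later. Excel reads one file and talks HTTPS, and the dumper's later port-25 connection falls outside the window, so neither produces an alert. The window and file threshold are the two knobs to tune against normal backup or sync software in a given environment.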

posted by akuma @ October 7, 2006 11:43 pm  

USB Switchblade

USB Switchblade is the outcome of a community project to merge various tools and techniques that take advantage of various Microsoft Windows security vulnerabilities, the majority of which are related to USB ports.

The primary purpose of this tool is to silently recover information from Windows systems, such as password hashes, LSA secrets, IP information, browser history and autofill information, and to create a backdoor to the target system for later access. Through community development the tool ended up as a Frankenstein application that exposed some very serious security vulnerabilities in Windows, particularly with regard to removable media devices.

The tool takes advantage of a security hole in U3 drives that allows the creation of a virtual CD-ROM drive, which allows the Windows autorun feature to work (unless it is disabled on the target system). Even if autorun or a U3 drive is not used, the application can still be started by executing a single script on the drive.

The most damaging feature of this tool is the ability to extract the password hashes from the target system and load them onto the drive for later cracking with rainbow tables. The weakness of Windows LM hashes is fairly well known. With this application installed on a U3 drive it would only take a few seconds for someone with malicious intent to plug the drive into an open USB port on a system and walk away with the passwords for that system.

The application also collects browser history (for both IE and Firefox) including autofill information (exposing website passwords etc.), as well as AIM and MSN Messenger passwords. It will also reveal product keys for some applications (mostly Microsoft applications).

The tool will also create a ghost admin account, which can function as a back door to the system if it is not behind a firewall.

The tool has evolved in the last month or so into multiple versions, including one with a way to circumvent anti-virus protection that would usually detect some of the malicious executables. Additional files were also added: one checks for vulnerabilities by listing all security updates and patches installed on the target system, and another silently starts a VNC service in the background.

posted by akuma @ 4:04 pm  