Monday, November 19, 2007

Danger! That USB Thumbdrive Keydisk thingy has a Virus.

Intro:
You may remember a time when a floppy disk, with its 1.44 MB of storage, was the only way to carry that masterpiece from work or school to home at night. A floppy could boot a computer into MS-DOS, but it could not launch a program just by being inserted. Today keydisks (also called thumb drives or USB disks) are replacing floppies faster than companies can make them. Prices for a 1 GB keydisk can be as low as $20, and I have heard of organizations purchasing them by the bucket load -- literally.

The problem with keydisks is what happens on insertion: they show up as a new drive on the system, and some, like U3 drives, also present a second, emulated CD-ROM drive that carries a password-protected start menu for portable applications. Windows treats that emulated CD like any other CD and honors its autorun.inf, so someone could insert a keydisk, silently Autorun a program that opens no window, and sit there apparently typing up that 30 page history report on why man didn't go to the moon and back. The reason I am writing this is that a while back some hackers in Australia left keydisks in public places containing viruses that were activated as soon as the keydisk was inserted.

This tutorial shows how to build a keydisk that runs a hidden program simply by being inserted.

NEEDED:
- A U3 keydisk
- Internet connection
- A target running Windows 98, 2000, XP or Vista (on Vista the AutoPlay dialog may ask before launching unless a default action has already been saved)

HOW TO:

After briefly searching the Internet, I can find no program that compares to SanDisk's U3 software. It seems to work every time, no matter what the restrictions are on the PC. (It installs even under a limited user account.)
So...

Setting up the U3 loader on the Keydisk:

If your keydisk doesn't have the U3 loader installed, download the installer: http://www.sandisk.com/Retail/Default.aspx?CatID=1411
Run it, following the simple instructions.

Unfortunately only certain keydisks work with the U3 software.
The controller chip inside a U3 disk presents two devices to the computer: the normal removable disk and a second, read-only CD-ROM drive. Windows runs autorun.inf from CD-ROM devices, which is what launches the U3 start menu, and the start menu in turn can auto-start any program as soon as it loads. The "CD" is really just an ISO image stored in a hidden area of the flash, and it is that CD emulation, not the flash itself, that makes the trick work. So when you download the installer it may tell you your disk is not compatible, which would be a bummer since this really is a neat hack.

Putting the Auto start to work:

Now the U3 firmware comes with some sample programs, the ability to lock the disk, and a bunch of other fancy stuff. You can reach the U3 "start button" by clicking the orange icon that appears next to the clock.

U3 lets users build their own software packages by following the instructions and package here http://www.u3.com/developers/downloads/reference.aspx
but for the simplicity of this tutorial I am going to show you how to replace Firefox with any program you like and set it to start automatically when the disk is inserted.

  1. Select "Explore Keydisk" from the menu (top right).
  2. In the Explorer window that opens, press Ctrl+F (or View --> Search) and search for the file "FirefoxForU3Start.exe".
  3. In the results, right click "FirefoxForU3Start.exe" and select "Open Containing Folder."
  4. Rename "FirefoxForU3Start.exe" to something such as "(BK)FirefoxForU3Start.exe".
  5. Now copy another .exe file into the same folder.

    (NOTE: If you can't see the .exe extension, then in Explorer click Tools --> Folder Options, open the "View" tab, and uncheck "Hide extensions for known file types". This also helps you spot malware that disguises itself as a .PDF or .JPG, since you now see the real ending of the file name, for example "report.pdf.exe".)

    If you don't have your own .exe payload, just use notepad.exe:
    Click Start --> Run and type:
    %systemroot%\system32
    (%systemroot% expands to the folder Windows lives in, usually C:\WINDOWS.)
    Scroll until you find "notepad.exe" and copy it to your keydisk.
  6. Rename the copied "notepad.exe" to "FirefoxForU3Start.exe".
  7. Click the U3 icon and select "Manage U3 Programs."
  8. Click Mozilla Firefox and tick the box that says "Start on Insertion".
  9. Select OK and eject the keydisk. From now on, every time it is inserted, "notepad.exe" (renamed to FirefoxForU3Start.exe) starts. The U3 launcher simply runs whatever file sits at the path registered for Firefox; it does not check that it is still Firefox.
    REMEMBER: Any .exe will work here. An attacker would use a dropper that silently installs its payload (a rootkit, say) and then launches the renamed "(BK)FirefoxForU3Start.exe", so Firefox still appears and nobody notices the difference.
Other options: If you can't get the U3 launcher onto your keydisk, another option is to create or edit a file called "autorun.inf" in the root folder of the drive (the root is the first set of items you see when you double click the drive). It is an INI-style text file and needs an [autorun] section header, or Windows ignores it. The useful lines are:

[autorun]
open=notepad.exe
action=Open folder to view files
icon=notepad.exe
shell\open\command=notepad.exe
shell=open

where "notepad.exe" is a program in the root folder. "open" is the command AutoRun executes on insertion, "action" and "icon" are what the AutoPlay dialog shows for it, and the "shell" lines replace what Explorer runs when the drive is double-clicked. Be aware that a plain USB disk (no CD emulation) is a removable drive, and Windows XP offers its "open" command as the first choice in the AutoPlay dialog rather than running it silently; the double-click hijack in the shell lines works regardless of that, which is why it is the form a USB-spreading virus would use.
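As an added example (not code from this post or from the U3 software), here is a small Python parser that reads an autorun.inf and lists every command Explorer could run from it, so a suspect drive's file can be checked before the drive is opened. Both sample files are constructed here, and the split between what fires silently on insertion and what only fires on double-click follows the behaviour described above.

```python
"""
Parse an autorun.inf and report every command Explorer could run from it.
Added example for this post; not code from the original tutorial or from
SanDisk/U3.  Both sample files below are constructed; no drive is read.
"""
import re

# A file in the page's own form, with the [autorun] header it needs.
SAMPLE_OPEN = """\
[autorun]
open=notepad.exe
action=Open folder to view files
icon=notepad.exe
"""

# A stealthier variant: no "open" line, so nothing fires on insertion, but
# double-click or right-click --> Explore on the drive runs the command.
SAMPLE_SHELL = """\
[autorun]
; constructed sample
shell\\open\\command=launcher\\start.exe /quiet
shell\\explore\\command=launcher\\start.exe /quiet
shell=open
label=Lost? Please return me
"""


def parse_autorun(text):
    """Return the key=value pairs of the [autorun] section, keys lower-cased,
    surrounding quotes stripped, ';' comment lines skipped.  Without an
    [autorun] header Windows ignores the file, and so does this parser."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def launch_targets(entries):
    """Map each trigger to the command it runs.

    'insert'       : the AutoRun command ('open', or 'shellexecute' when
                     'open' is absent).  Windows runs this silently for
                     CD-ROM-type devices such as the U3 emulated CD; for an
                     ordinary removable disk XP instead offers it as the
                     first choice in the AutoPlay dialog.
    'verb:<name>'  : a shell\\<name>\\command line, which Explorer adds to
                     the drive's context menu.
    'double-click' : the verb Explorer runs on double-click, i.e. the one
                     named by 'shell=' (default 'open').
    """
    targets = {}
    if "open" in entries:
        targets["insert"] = entries["open"]
    elif "shellexecute" in entries:
        targets["insert"] = entries["shellexecute"]
    for key, value in entries.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            targets["verb:" + m.group(1).lower()] = value
    default_verb = entries.get("shell", "open").lower()
    if "verb:" + default_verb in targets:
        targets["double-click"] = targets["verb:" + default_verb]
    return targets


def report(text):
    """One line per trigger, for eyeballing a suspect drive's autorun.inf."""
    found = launch_targets(parse_autorun(text))
    return ["%-12s -> %s" % (k, v) for k, v in sorted(found.items())]


if __name__ == "__main__":
    for name, sample in (("open-style", SAMPLE_OPEN), ("shell-style", SAMPLE_SHELL)):
        print(name)
        for line in report(sample):
            print("  " + line)
```

Run it against the autorun.inf of a drive you have not opened yet (read the file from a command prompt, not by double-clicking the drive, since double-clicking is exactly what the shell lines hijack). A file that reports only `verb:` and `double-click` entries is the quiet kind: it does nothing on insertion and waits for you to open the drive.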

Protection:
One way to block this (it isn't fully foolproof) is to turn AutoRun off with Microsoft PowerToys' TweakUI.exe.
Open the program from the Start Menu (All Programs --> PowerToys for Windows --> TweakUI).
Then click My Computer --> AutoPlay --> Drives.
Uncheck the drives you wish to protect and click OK. Because the U3 "CD" takes the next free drive letter, uncheck every letter a plugged-in device could get, not just the one your own keydisk uses; the AutoPlay --> Types page, which covers CD-ROM and removable drives whatever their letter, is the safer setting, and it has to include CD-ROM drives or the U3 emulated CD will still autorun.
(NOTE: This disables AutoRun, so any time you put in a CD you will have to open My Computer to start it.)
On a machine you administer, the same thing can be set for every user with the Group Policy setting "Turn off Autoplay" (Computer Configuration --> Administrative Templates --> System), which writes the NoDriveTypeAutoRun value under Policies\Explorer in the registry. Holding Shift while inserting a disk also suppresses AutoRun for that one insertion. None of this stops the second attack above: Explorer still reads the shell lines of autorun.inf when the drive is double-clicked, so open a drive you don't trust by typing its path into the address bar or a command prompt instead.
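TweakUI's Types page and the Group Policy setting both end up in the NoDriveTypeAutoRun registry value, so it is worth being able to read that value. The following Python is an added example, not part of TweakUI or of this post; it assumes the Windows XP default of 0x91 (unknown, network and unclassified drive types disabled) and the documented drive-type bit layout, and it makes the trap behind the U3 trick concrete: a setting that only disables removable drives leaves the emulated CD-ROM free to autorun.

```python
"""
Work out what a NoDriveTypeAutoRun value blocks, and emit the .reg text for
the strict setting.  Added example for this post; not code from TweakUI or
from the original tutorial.  XP_DEFAULT = 0x91 is an assumption about the
XP default; the key path and value names are the Windows policy values.
"""

# Bit n of NoDriveTypeAutoRun disables AutoRun for drive type n as returned
# by GetDriveType(); bit 7 covers drives Windows cannot classify.
DRIVE_TYPES = {
    "unknown": 0, "no_root_dir": 1, "removable": 2, "fixed": 3,
    "remote": 4, "cdrom": 5, "ramdisk": 6, "unclassified": 7,
}
XP_DEFAULT = 0x91        # assumption: unknown + remote + unclassified
ALL_DISABLED = 0xFF      # what "Turn off Autoplay: All drives" writes

POLICY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
              r"\CurrentVersion\Policies\Explorer")


def autorun_blocked(mask, drive_type):
    """True if AutoRun is disabled for this drive type under the mask."""
    return bool(mask & (1 << DRIVE_TYPES[drive_type]))


def disable_types(mask, *drive_types):
    """Return mask with AutoRun additionally disabled for the given types."""
    for t in drive_types:
        mask |= 1 << DRIVE_TYPES[t]
    return mask


def u3_still_autoruns(mask):
    """A U3 stick exposes a CD-ROM device for its launcher, so only the
    cdrom bit decides whether the insertion attack still works; the
    removable bit governs nothing but the flash part."""
    return not autorun_blocked(mask, "cdrom")


def letter_mask(letters):
    """NoDriveAutoRun, the per-letter companion value (bit 0 = A:, bit 1 =
    B:, ... bit 25 = Z:), which is what a per-drive page such as TweakUI's
    Drives page is assumed here to edit.  Unchecking every letter gives
    0x03FFFFFF."""
    mask = 0
    for ch in letters:
        mask |= 1 << (ord(ch.upper()) - ord("A"))
    return mask


def reg_file(type_mask=ALL_DISABLED):
    """Text of a .reg file that applies the given NoDriveTypeAutoRun mask
    machine-wide (import with regedit)."""
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        "[%s]" % POLICY_KEY,
        '"NoDriveTypeAutoRun"=dword:%08x' % type_mask,
        "",
    ])


if __name__ == "__main__":
    weak = disable_types(XP_DEFAULT, "removable")
    strong = disable_types(XP_DEFAULT, "removable", "cdrom")
    for label, mask in (("XP default", XP_DEFAULT), ("removable only", weak),
                        ("removable+cdrom", strong), ("all", ALL_DISABLED)):
        print("%-16s 0x%02x  U3 insertion still autoruns: %s"
              % (label, mask, u3_still_autoruns(mask)))
    print(reg_file())
```

The "removable only" row is the one to notice: it is the natural thing to pick when you think of a keydisk as a removable disk, and it leaves the U3 launcher running on insertion. Setting 0xB5 (removable plus CD-ROM) or 0xFF closes that, at the cost of the CD convenience noted above.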


END NOTES:
This particular attack is hard to execute at scale, since it requires physical access to a keydisk and to the target PC. But there has been some talk of a virus that, once implanted on a system, spreads not over the Internet but by copying itself onto every USB disk, mobile phone/PDA, or camera flash card that gets plugged in, using one of the techniques shown above (most likely the autorun.inf one, since it needs no U3 hardware).

So the next time somebody says they want to plug their keydisk into your PC, think about what you are risking.


More Reading...
http://www.usbhacks.com/ has a post on how Sony shipped a rootkit on its keydisks, hiding files in the C:\windows folder
http://www.dailycupoftech.com/have-your-lost-usb-drive-ask-for-help/ As soon as your keydisk is inserted, a message shows up saying how to return it.

http://www.mydigitallife.info/2007/03/16/virus-infections-via-usb-drive/
The virus doesn't need the Internet any more; it has your camera and USB drive!