
Flash drive virus


iSmith

Full Member

Posts: 157

Joined: Sun Jan 20, 2008 12:01 pm

Post Tue Jan 29, 2008 10:41 am

Flash drive virus

I once got an infected flash drive to clean. As soon as I put it in, Norton told me it had W32.SillyFDC. I tried to delete it, but the drive was locked. So I unlocked it and put it back in, and the virus disappeared right in front of my eyes. So I scanned it with Norton and it picked up 3 instances of W32.Rontok@mm. But even a regularly updated Norton '07 can get confused by this old tricky virus. It names itself X.exe where X is the directory in which it resides. If you open the folder X in Windows Explorer the virus moves itself, too quick to catch. I was eventually forced to delete 19 copies of it in a DOS prompt. ;D
In my eyes, your operating system is as solid as swiss cheese.
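As a defender-side illustration of the naming trick described above (an X.exe inside folder X), here is an added Python check that is not code from the thread: it walks a mounted drive for executables named after their parent folder and reports whether an autorun.inf sits at the root. The drive layout it builds is a constructed sample, not a real infected device.

```python
import os
import tempfile

# Extensions Windows treats as runnable programs (assumption: the worm in the post is an .exe).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def find_folder_named_executables(root):
    """Return executables whose base name equals their parent folder's name
    (the X\\X.exe pattern from the post), as paths relative to root."""
    hits = []
    root = os.path.normpath(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        dirpath = os.path.normpath(dirpath)
        if dirpath == root:
            continue  # the drive root has no folder name to compare against
        folder = os.path.basename(dirpath)
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() in EXEC_EXT and stem.lower() == folder.lower():
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def has_autorun(root):
    """True if an autorun.inf is present at the drive root (what autorun-based droppers rely on)."""
    return any(n.lower() == "autorun.inf" for n in os.listdir(root))


def build_sample_drive():
    """Constructed sample layout: two lookalike copies that should be flagged,
    plus files with matching or non-matching names that must not be."""
    root = tempfile.mkdtemp(prefix="usb_")
    layout = {
        "Photos/Photos.exe": b"MZ fake",          # lookalike in folder Photos: flag
        "Photos/IMG_0001.jpg": b"jpeg bytes",
        "Work/Reports/Reports.exe": b"MZ fake",   # nested lookalike: flag
        "Tools/putty.exe": b"MZ real program",    # name differs from folder: fine
        "Music/Music.txt": b"not executable",     # matching name but not runnable: fine
        "autorun.inf": b"[autorun]\n",            # constructed, minimal autorun file
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for hit in find_folder_named_executables(drive):
        print("suspicious:", hit)
    print("autorun.inf present:", has_autorun(drive))
```

Point it at the mount point of a real drive (ideally mounted read-only, as later posts suggest) to list candidates before deciding what to delete.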

Negrita

Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Tue Jan 29, 2008 4:20 pm

Re: Flash drive virus

Yet another example of the superiority of the CLI over the GUI.
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.

dannioni

Newbie

Posts: 44

Joined: Tue Sep 18, 2007 12:51 pm

Post Mon Feb 04, 2008 12:38 pm

Re: Flash drive virus

Or you could just have opened it in Linux from the very beginning :P

pseud0

Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Mon Feb 04, 2008 2:08 pm

Re: Flash drive virus

Or you could have modified the source code to open a listening port for you then left the thumb drive on the table in the break room by the HR department.  At least that is what my evil twin would have done.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER

g00d_4sh

Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Mon Feb 04, 2008 3:55 pm

Re: Flash drive virus

I wonder how many USB drives are running around that have Hacksaw on them already. I could just see someone giving out a box of 'free' USB drives to a college or institution, and using the emailed info from their Gmail account to 'passively' gather info on the students or institution.

Interesting thought, has anyone done that for pen testing? Gone into the target area and given out 'free' thumb drives as a 'promotion'? Besides installing backdoors and whatnot on them, just having the machines email you outside the organization info passively would be an interesting attack as well.
"Bad.. Good?  I'm the guy with the gun"

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Mon Feb 04, 2008 4:08 pm

Re: Flash drive virus

I heard a story in one of my classes of someone giving out CDs that had something on them, but I've not heard of anyone doing it with a flash drive.. though I'm sure it's been done.

iSmith

Full Member

Posts: 157

Joined: Sun Jan 20, 2008 12:01 pm

Post Mon Feb 04, 2008 4:40 pm

Re: Flash drive virus

Dannioni, all of the Linux distros I've used cannot modify files on a Windows storage device.
In my eyes, your operating system is as solid as swiss cheese.

Negrita

Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Mon Feb 04, 2008 5:32 pm

Re: Flash drive virus

iSmith wrote: Dannioni, all of the Linux distros I've used cannot modify files on a Windows storage device.

Have you ever tried Knoppix?
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.

jimbob

Post Mon Feb 04, 2008 5:46 pm

Re: Flash drive virus

iSmith wrote: Dannioni, all of the Linux distros I've used cannot modify files on a Windows storage device.

Linux now supports read/write on NTFS. Unless you're talking about a Windows striped volume, Linux ought to be able to read and write to a regular Windows storage device.

Jimbob

pseud0

Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Mon Feb 04, 2008 8:11 pm

Re: Flash drive virus

To the question earlier, yes, there are pen testing teams that have physical media drops as part of their assessment. One of the tiger teams I know used it to really screw with a bank. They dropped a dozen USB drives in the parking lot that were installed with a piece of code that would fire off when Windows auto-mounted. It didn't install anything, just pinged their server so they could get a count. 11 of the 12 were used in the bank, the last was used by a customer on their home system. As for CDs, that is a story from one of the original black hats. Someone loaded a trojan onto those little mini-CDs and just walked around the conference throwing them onto the tables of other participants. Dozens of people picked them up thinking they were demo disks. The next generation of this is already here, and that is infecting the media on creation. Foreign governments are pre-loading devices with trojans and just waiting to see where they'll end up. Other times you'll get people in the factories that will put the malware into memory chips without ever knowing what devices they will get built into...

http://redtape.msnbc.com/2008/01/digital-picture.html
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Mon Feb 04, 2008 11:02 pm

Re: Flash drive virus

Yeah, that's right. That's the story I heard about the CDs. As for the stuff that's getting put on during creation.. pretty creepy.

iSmith

Full Member

Posts: 157

Joined: Sun Jan 20, 2008 12:01 pm

Post Tue Feb 05, 2008 10:09 am

Re: Flash drive virus

Negrita wrote: Have you ever tried Knoppix?

I have tried Slax, NimbleX, and Mandriva but I have never really been able to get my hands on Knoppix.
In my eyes, your operating system is as solid as swiss cheese.

g00d_4sh

Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Tue Feb 05, 2008 11:15 am

Re: Flash drive virus

Reminds me of the Maxtor hard drives that had a built-in trojan that phoned home to China and sent your data to servers there. A good article on that... though it's amazing how that story became very quiet.

iSmith, Knoppix is as easy to get your hands on as googling it, downloading the ISO and making a CD. It's really a great program for fixing Windblows when it breaks. Lots of utilities, and like... well, most Linux distros I've ever tried, it supports reading/altering NTFS partitions. A thumb drive with either DSL (Damn Small Linux) or BackTrack on it is a great little pocket-sized tool for fixing computers... or 'fixing' computers.
"Bad.. Good?  I'm the guy with the gun"

pseud0

Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Tue Feb 05, 2008 11:37 am

Re: Flash drive virus

For folks moving into the security or incident response space for the first time, Knoppix, Helix, and BackTrack are an incredible resource. As for mounting the Windows drive, you are going to hit two issues: make sure your Linux build is recognizing your USB ports, and use the right file system. Most of the live CDs will auto-sense the USB ports so that shouldn't be an issue, and some of them will automount the drive if it is plugged in when you boot. If you have to mount it manually, try NTFS first and Samba second if you can't get NTFS to work. Another thing to check: if you are trying to mount with one of the Linux builds meant for forensics (especially Helix), when you do get it mounted it will be hard-set as read-only. It can be a bit of a pain in the hind-quarters to get it mounted as writeable.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER

Negrita

Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Tue Feb 05, 2008 3:45 pm

Re: Flash drive virus

iSmith wrote: I have tried Slax, NimbleX, and Mandriva but I have never really been able to get my hands on Knoppix.

Here you go!!!
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.