V
Virus Guy
http://www.theregister.co.uk/2011/06/27/mission_impossible_mouse_attack/
Hackers pierce network with jerry-rigged mouse
(Mission Impossible meets Logitech)
By Dan Goodin in San Francisco
Posted in Enterprise Security, 27th June 2011 18:06 GMT
When hackers from penetration testing firm Netragard were hired to
pierce the firewall of a customer, they knew they had their work cut
out. The client specifically ruled out the use of social networks,
telephones, and other social-engineering vectors, and gaining
unauthorized physical access to computers was also off limits.
Deprived of the low-hanging fruit attackers typically rely on to get a
toe-hold onto their target, Netragard CTO Adriel Desautels borrowed a
technique straight out of a plot from Mission Impossible: He modified a
popular, off-the-shelf computer mouse to include a flash drive and a
powerful microcontroller that ran custom attack code that compromised
whatever computer connected to it.
For the attack to work, the booby-trapped USB Logitech mouse had to look
and behave precisely the same as a normal device. But it also needed to
include secret capabilities that allowed the mouse to do things no user
would ever dream possible.
“The microcontroller acts as if there's a person sitting at the keyboard
typing,” Desautels told The Reg. “When a certain set of conditions are
met, the microcontroller sends commands to the computer as if somebody
was typing those commands in on the keyboard or the mouse.”
Interior view of modifified Logitech mouse
Interior view of Logitech mouse modified by penetration testers. Picture
supplied by Netragard
http://regmedia.co.uk/2011/06/27/mouse_guts.jpg
The Teensy microcontroller programmed by the Netragard hackers was
programmed to wait 60 seconds after being plugged in to a computer and
then enter commands into its keyboard that executed malware stored on
the custom-built flash drive snuck into the guts of the Logitech mouse.
To squelch warnings from McAfee antivirus, which was protecting the
customer's PCs, the microcontroller contained undocumented exploit code
that subverted the program's dialogue boxes to evade detection.
Desautels said he chose the highly involved method after deciding
against a simpler attack that relied only on a USB drive and
functionality in Windows that automatically executes its contents when
its connected to the computer. As previously reported, malware
infections that exploit the widely abused Autorun feature plummeted in
the past few months as Microsoft has made it easier for customers to
turn it off.
The modified mouse wasn't hemmed in by the change because it didn't rely
on Autorun for the malicious code to be executed. The programmable
microcontroller, in effect, acted as its own rogue agent that was under
the control of the Netragard penetration testers who had programmed it.
Because the the attack code is executed by the mini computer on the
Teensy card, the technique can work against a variety of operating
systems, not just Windows. What's more, no drivers are needed.
“You're plugging in a computer device, in either a keyboard or a mouse,
that has a mind of its own,” Desautels explained. “There's no defense,
either. Plug one of these in and you're basically screwed.”
To get someone from the target company to use the mouse, Netragard
purchased a readily available list names and other data of its
employees. After identifying a worker who looked especially promising,
they shipped him the modified mouse, which they put back in its original
packaging and added marketing materials so the shipment would look like
it was part of a promotional event.
Three days later, the malware contained on the mouse connected to a
server controlled by Netragard. Much of the malware used in the attack
was first dreamed up by security researcher Adrien Crenshaw. Netragard's
detailed description of the attack comes as the US Department of
Homeland Security released results from a recent test that showed 60
percent of employees who picked up foreign computer discs and USB thumb
drives in the parking lots of government buildings and private
contractors connected them to their computers. ®
Hackers pierce network with jerry-rigged mouse
(Mission Impossible meets Logitech)
By Dan Goodin in San Francisco
Posted in Enterprise Security, 27th June 2011 18:06 GMT
When hackers from penetration testing firm Netragard were hired to
pierce the firewall of a customer, they knew they had their work cut
out. The client specifically ruled out the use of social networks,
telephones, and other social-engineering vectors, and gaining
unauthorized physical access to computers was also off limits.
Deprived of the low-hanging fruit attackers typically rely on to get a
toe-hold onto their target, Netragard CTO Adriel Desautels borrowed a
technique straight out of a plot from Mission Impossible: He modified a
popular, off-the-shelf computer mouse to include a flash drive and a
powerful microcontroller that ran custom attack code that compromised
whatever computer connected to it.
For the attack to work, the booby-trapped USB Logitech mouse had to look
and behave precisely the same as a normal device. But it also needed to
include secret capabilities that allowed the mouse to do things no user
would ever dream possible.
“The microcontroller acts as if there's a person sitting at the keyboard
typing,” Desautels told The Reg. “When a certain set of conditions are
met, the microcontroller sends commands to the computer as if somebody
was typing those commands in on the keyboard or the mouse.”
Interior view of modifified Logitech mouse
Interior view of Logitech mouse modified by penetration testers. Picture
supplied by Netragard
http://regmedia.co.uk/2011/06/27/mouse_guts.jpg
The Teensy microcontroller programmed by the Netragard hackers was
programmed to wait 60 seconds after being plugged in to a computer and
then enter commands into its keyboard that executed malware stored on
the custom-built flash drive snuck into the guts of the Logitech mouse.
To squelch warnings from McAfee antivirus, which was protecting the
customer's PCs, the microcontroller contained undocumented exploit code
that subverted the program's dialogue boxes to evade detection.
Desautels said he chose the highly involved method after deciding
against a simpler attack that relied only on a USB drive and
functionality in Windows that automatically executes its contents when
its connected to the computer. As previously reported, malware
infections that exploit the widely abused Autorun feature plummeted in
the past few months as Microsoft has made it easier for customers to
turn it off.
The modified mouse wasn't hemmed in by the change because it didn't rely
on Autorun for the malicious code to be executed. The programmable
microcontroller, in effect, acted as its own rogue agent that was under
the control of the Netragard penetration testers who had programmed it.
Because the the attack code is executed by the mini computer on the
Teensy card, the technique can work against a variety of operating
systems, not just Windows. What's more, no drivers are needed.
“You're plugging in a computer device, in either a keyboard or a mouse,
that has a mind of its own,” Desautels explained. “There's no defense,
either. Plug one of these in and you're basically screwed.”
To get someone from the target company to use the mouse, Netragard
purchased a readily available list names and other data of its
employees. After identifying a worker who looked especially promising,
they shipped him the modified mouse, which they put back in its original
packaging and added marketing materials so the shipment would look like
it was part of a promotional event.
Three days later, the malware contained on the mouse connected to a
server controlled by Netragard. Much of the malware used in the attack
was first dreamed up by security researcher Adrien Crenshaw. Netragard's
detailed description of the attack comes as the US Department of
Homeland Security released results from a recent test that showed 60
percent of employees who picked up foreign computer discs and USB thumb
drives in the parking lots of government buildings and private
contractors connected them to their computers. ®