Internet privacy and security course

Chapter 93

Dangerous flash drives. What can a USB connection lead to?

This may seem to you an obsolete topic meant for simpletons, a threat you already know well. I assure you it is not. The threat is far more dangerous than it is usually considered: it includes not only the banal planting of infected flash drives, but also the sale of infected flash drives in stores and their distribution as prizes in a cybersecurity competition.

Probably the best way to assess the scale of the threat would be to plant flash drives and see how many victims take the bait. This is exactly what a group of researchers from the University of Illinois did, leaving 297 flash drives in different places around the educational institution. The flash drives used in the study collected information about users, although they did not cause any damage.

The results were scary:

  • 290 out of 297 flash drives were taken;
  • 135 (45%) flash drives were not only inserted into a computer: one or more of the files on them were also opened;
  • 20 flash drives were inserted into a device without any files being opened.

But that's not all. After opening a file, the user was asked to take a short survey for a compensation of $10. Having processed the survey results and compiled various statistics, the researchers noted a number of interesting points.

  • Survey participants underestimated the risk of opening malicious files. Some of them even perceived files on a flash drive as safe, seeing the .html extension.
  • Afraid of infecting their personal computers, survey participants often opened the flash drives on university computers.
  • The participants believed that the operating system and antivirus would protect them.
  • Some research participants took reasonable precautions, for example, opening HTML files in a text editor or disconnecting a computer from the network while opening files.

The results of the study are available in English here.


Since we are on the scientific side of things, let's classify the threats that can come from a flash drive or other USB media such as an external hard drive.

The first is malware written to a USB flash drive in order to infect the victim's computer. Everything is clear here, and most readers know about this threat. However, almost all operating systems, and antivirus products even more so, now block file autorun, which is why simply opening a flash drive with a trojan on it is not dangerous in most situations.

Do not take this as a recommendation to insert found flash drives into a computer. The point is only that modern devices are well protected against malware that launches automatically without user intervention.

The second is flash drives containing files that are harmless in themselves, whose purpose is to make the user go to the malefactor's website.

The third is fraud. For example, a flash drive may contain access details for an online bank account holding thousands of dollars. The victim logs into the account, and it turns out that the account holder has allowed transfers only to other accounts within the same bank.

To withdraw the money, the victim must open an online account in the same bank, which, fortunately, turns out to be easy. The victim opens an account and successfully transfers the money to it. All that remains is to withdraw the funds, but any outgoing transaction requires the account to pass identification, which costs 500 euro. And here is the bad luck: the fee cannot be paid from the account, so you have to put in your own money.

Anticipating a large sum of money, the victim pays the identification fee. As you can guess, these online banks are created by scammers so that stupid and dishonest people part with their money.

A flash drive can also turn out to be a USB killer, capable of disabling the victim's computer; this is the fourth attack option. We have talked about such devices here, take a few minutes to read. If you insert such a USB flash drive into your computer, get ready to buy a new motherboard.

You will probably come across the opinion that any USB flash drive can be handled safely as long as its files are opened in a sandbox or virtual environment. Tell these experts about this threat.

The fifth option is BadUSB. In our opinion, this is the most dangerous way to attack. In this case, the flash drive impersonates another device connected via USB. We have talked in detail about the BadUSB attack here and here.

The sixth option is a flash-drive bug that does not harm the computer and only draws power from it, but is used as a microphone for eavesdropping on the surroundings and/or as a GPS tracker for tracking location. Similar devices can be bought on AliExpress.

Such a flash drive can be used to spy on a partner, an employee or a business competitor.

 

Tip

Never, under any circumstances, use flash drives you have found.

Usually, USB flash drives are simply planted, for example in a mailbox, as was the case during a large-scale malicious campaign in Australia. Sometimes these flash drives are presented as a gift, and it was just such a gift that the Taiwan Bureau of Investigation awarded to the winners of a cybersecurity quiz.

According to local media, the winners received flash drives infected with the XtbSeDuA.exe trojan. The task of this trojan is to collect information on the victim's computer and send it to the control server.

You should not make an exception even for flash drives received from people you trust. Many popular malicious programs are able to copy themselves onto external storage media connected to a compromised device, thus infecting every new computer the media is plugged into.

 

Tip

Do not trust even flash drives received from people you trust.

But that's not all: remember that you should not buy flash drives on AliExpress for personal use. It seems to me that you understand this better than I do.

 

Tip

Buy flash drives only from reliable vendors.

There is another targeted attack that is usually used against the heads of organizations and which you should be aware of. Many of us have USB flash drives, and most of them are standard models that anyone can buy in a store.

A malefactor, such as a colleague, finds out which flash drive the victim uses and purchases the same one. Malware is placed on it and named after the manufacturer of the flash drive, for example Transcend. The program is presented with a shortcut that looks like a folder, so the victim takes it for a folder, although in fact it is an executable file.

On inserting the flash drive, the victim does not find their files but sees the Transcend "folder", which they will certainly try to open. When they try to open it, the system will notify them of an attempt to launch an application, which may be called Transcend security update. It will be signed by a developer other than Transcend, but how many people pay attention to that?

After that, the victim will be informed that these are important updates that must be installed to continue using the product. During installation, the victim will be asked for administrator rights, after which a shortcut to the Transcend security update program will appear on the desktop and the flash drive will be wiped. I made the program name up; it can be anything, depending on the model used and the creator's creativity.

In the end, the victim is likely to remove the installed program and probably check it for viruses. But antiviruses will find nothing wrong with it: the program serves only to divert attention and poses no threat. The real threat has already been secretly installed in the system with administrator rights, and this gives the attacker almost unlimited power over the victim's device.
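A defender-side check for the disguise described above, as an added example that is not part of the original chapter: it walks an already mounted volume and flags executables (which show as a bare name such as "Transcend" when extensions are hidden), Windows executable content behind an innocent name, shortcuts and autorun files. The function names, extension lists and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed extension lists for illustration; adjust to local policy.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".msi"}
DOC_EXT = {".pdf", ".doc", ".docx", ".jpg", ".png", ".txt", ".html"}

def triage_volume(root):
    """Map relative path -> list of reason codes. Files are read, never run."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name.lower())
            reasons = []
            try:
                with open(path, "rb") as fh:
                    magic = fh.read(2)
            except OSError:
                magic = b""
                reasons.append("unreadable")
            if ext in EXEC_EXT:
                # Appears as a bare name ("Transcend") when extensions are hidden.
                reasons.append("exec-ext")
                if os.path.splitext(stem)[1] in DOC_EXT:
                    reasons.append("double-ext")
            elif magic == b"MZ":
                reasons.append("pe-mismatch")  # Windows executable, innocent name
            if ext == ".lnk":
                reasons.append("shortcut")
            if name.lower() == "autorun.inf":
                reasons.append("autorun")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def demo():
    samples = {  # constructed sample files, not taken from any real drive
        "Transcend.exe": b"MZ\x90\x00",    # the "folder" from the scenario
        "report.pdf.exe": b"MZ\x90\x00",
        "holiday.jpg": b"MZ\x90\x00",      # executable content, image name
        "notes.txt": b"plain text",
        "autorun.inf": b"[autorun]\n",
    }
    with tempfile.TemporaryDirectory() as vol:
        for name, data in samples.items():
            with open(os.path.join(vol, name), "wb") as fh:
                fh.write(data)
        return triage_volume(vol)
```

This covers only file-based disguises; a BadUSB device or a USB killer acts before any file is read, so a clean result says nothing about them.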

I want to finish the article with the main advice of this chapter: do not underestimate the threat posed by USB media, which means not only flash drives but also external hard drives. Try not to connect other people's media to your computer at all; this is the best protection.

In the end, it was thanks to a USB drive with malware that the Iranian nuclear program was thwarted. At least, that is what was written in the media.
