BAD USB: Attack on a SHUT DOWN Computer | Real Experiment

00:09

[Music]

00:18

since August 2021 the FBI has received

00:21

reports of several packages that were

00:23

sent to us companies in transportation

00:26

insurance and defense the packages came

00:29

in two variant

00:31

one mimicked a message from HHS US

00:34

Department of Health and Human Services

00:36

with a letter inside with references to

00:38

covid-19 protection guidelines and a

00:40

flash drive with additional

00:45

materials the other imitated a package

00:47

from Amazon gift wrapped inside was a

00:50

fake thank you letter a fake gift card

00:52

and a lyo USB flash drive

00:58

[Music]

01:00

the FBI discovered that the flash drives

01:02

were sent out by the hack group fin 7

01:04

known for their dark side and black

01:06

matter encryption Tools in this video we

01:09

have taken apart such a flash drive

01:11

connected it to a working computer

01:13

recorded all the changes it made to the

01:15

system and we will show you in detail

01:17

how an attack can be organized against

01:19

your company or against your family and

01:21

most importantly you'll see how to

01:23

protect yourself from this

01:25

threet this video was created by the Su

01:28

sub verification platform but more about

01:31

suub in a bit oh yeah you've probably

01:34

wondered who this mysterious voice is I

01:37

think it's time to get acquainted my

01:38

name is Elliot and I am your voice

01:40

assistant who helps you survive in the

01:42

online

01:43

jungle well let's get back to our story

01:47

it looks like an ordinary flash drive in

01:49

fact it is the bad USB which is capable

01:52

of causing irreparable damage to your

01:54

data let's open it up

02:01

[Music]

02:03

as we can see inside there is an Arduino

02:05

Pro micr board let's take a closer look

02:09

this board clearly has but does not use

02:11

a micro USB interface and as we can see

02:14

in order not to arouse suspicion of the

02:16

victim the connector was soldered to a

02:18

classic USB plug and the board itself is

02:21

obviously not designed for soldering

02:23

full USB in this case they did the

02:25

tricky thing the plug was glued to the

02:28

case and the board was soldered with a

02:29

pair of of rigid wires this was done to

02:31

force the ejection of the stick onto the

02:33

case and not onto the board so what does

02:36

this very bad flash drive do let's check

02:39

it out we have a computer that is not

02:41

connected to a network and does not

02:42

contain any important data the flash

02:45

drive does not know that we now have a

02:47

key logger running on this computer

02:49

which records all keystrokes we will

02:51

check the log of this program later but

02:53

for now let's take a look at the

02:54

computer

02:55

screen immediately after connecting the

02:58

execute window opens

03:00

let's stop the recording and look at

03:02

what was written in the startup window

03:04

this command runs malicious code from

03:05

the attacker server for example from a

03:08

rented digital ocean virtual type there

03:10

is no data on the fake flash drive of

03:12

course moreover the behavior is clear it

03:15

is not a flash drive but in this case

03:17

it's the keyboard more precisely the

03:20

device is programmed as a keyboard this

03:22

can be checked in task manager now let's

03:24

have a look at the log what do we see a

03:27

miniature device with a keyboard

03:29

controller immediately after connection

03:31

performs random keystrokes the ability

03:34

to pre-program these keystrokes is

03:36

usually used to enter any OS command by

03:38

using the corresponding hotkeys for

03:40

example Windows r or alt F2 the most

03:44

popular form factor of such a device is

03:46

a flash drive but given the small size

03:49

of the device it can be built anywhere

03:51

whether it's a webcam or even a USB

03:53

cable OMG cable the suitable device form

03:56

is set by the context as the choice must

03:59

be optimal in one situation or another

04:02

in addition this attack requires social

04:04

engineering skills in most cases the

04:06

flash drive is essentially a decoy it is

04:09

thrown in different ways in a letter in

04:11

a parcel in a mailbox it's accompanied

04:13

by letters which convince the victim

04:15

that it's authentic and does not arouse

04:17

suspicion the main thing for the victim

04:19

is to plug the flash drive into the

04:22

computer obviously once a flash drive

04:24

attack occurs well it can be pretty

04:27

tricky to undo it it is of course a

04:29

hardware attack at the end of the day hi

04:31

my name is Lucas from ssub and I'm going

04:33

to tell you a little bit about how we

04:34

can prevent some of these attacks from

04:36

occurring in the first place you know

04:38

what could lower the amounts of attacks

04:39

that occur like this well by simply

04:42

verifying the address in the beginning

04:44

ssub is a leader in online address

04:46

verification uh whether it be in banking

04:48

Finance gambling or many other business

04:50

types we're able to verify the address

04:53

of someone through three main ways the

04:56

first one being document upload

04:58

basically taking in that utility bill

05:00

that we're also familiar with something

05:01

that we like to call geolocation which

05:03

is essentially finding out where you are

05:05

based on a number of factors without the

05:07

document upload and the third option

05:09

would then be access to government

05:11

databases where available companies can

05:13

then Implement these methods

05:14

simultaneously or pick and choose which

05:16

parts are going to suit your business

05:18

best if you want to learn more about

05:19

some sub's addressed verification

05:21

Solutions as well as our other products

05:23

please feel free to click the link below

05:25

the attack is extremely fast as

05:27

keystrokes are made quite quickly it's

05:30

quite possible that the user will not

05:31

even notice

05:34

anything as a hardware part attackers

05:37

sometimes use ready-made Solutions like

05:39

hack 5 however a person who has heard at

05:41

least something about rubber ducky May

05:44

suspect Danger from the logo scattering

05:46

around dozens of such flash drives must

05:48

be cheap and widespread in fact such

05:51

flash drives must become a consumable

05:53

item it's true homemade solutions

05:55

dictate their own limitations this table

05:58

shows approximate prices for for devices

06:00

that can be disguised as a flash drive

06:02

and their compatibility with operating

06:04

systems as you can see all this is

06:06

extremely cheap and available in almost

06:08

any country in the world the bigger

06:11

problem is getting the casing usually

06:13

criminals buy the cheapest flash drive

06:14

of the right size and remove the

06:16

contents leaving only the casing or they

06:18

print the casing on a 3D printer as for

06:21

the software part Arduino built-in

06:23

loader supports multiple refeshing it's

06:26

at Mega 32 u4 you can write to it the

06:29

command repeatedly for each specific

06:31

situation in essence you only need to

06:33

fill it up with user application code

06:36

it's not possible to extract such code

06:38

from the flash drive which came into our

06:40

hands but we have written a sketch that

06:42

could perform all the functions recorded

06:44

in the

06:45

log now let's see what an attacker is

06:48

likely to do to gain remote access the

06:50

shortest way is to run a rat remote

06:52

Administration tool that is to install a

06:55

back door on the computer for example

06:58

windows

07:00

Linux each of the above commands is

07:02

built in and as short as possible in one

07:05

action it downloads and runs code over

07:07

HTTP or better

07:10

https before the attack the attacker

07:12

most likely won't know what the

07:13

restrictions are on the local network so

07:15

there is no absolute guarantee of

07:17

success the signal May simply not get

07:19

through but the execution of the

07:21

commands even in this case will give the

07:23

attacker enough information first since

07:26

the server address is given by name a

07:28

DNS query will be executed the DNS

07:31

system is distributed and the query from

07:33

the victim's computer will usually be

07:35

sent anyway if the hacker is using his

07:37

own DNS Zone delegated to a subordinate

07:40

server he will see the query in the logs

07:42

this will be a signal that the flash

07:44

drive was connected and the rce has

07:46

occurred however this does not guarantee

07:49

that network access is

07:51

possible second if access to the

07:54

internet is not restricted in any way

07:56

the attacker's server will receive a

07:58

HTTP request which can also be seen in

08:01

the logs this will be a signal that a

08:03

network connection is possible and that

08:05

the hacker can remotely control the

08:06

victim's

08:07

computer however this does not guarantee

08:10

that the security mechanisms of the

08:11

operating system allow the execution of

08:14

the remote control program nevertheless

08:17

even if the attack fails the attacker

08:19

will have information about the rules of

08:21

access to the internet from the user's

08:22

computer and their awareness of such

08:24

incidents such information can be used

08:27

in repeat attacks and there is an even

08:29

more terrifying type of attack that is

08:31

often overlooked an attack on a locked

08:34

down computer imagine that someone came

08:36

to your house for a visit or broke into

08:38

your apartment when you weren't there or

08:41

pretended to be a client in your office

08:43

and being unnoticed he inserted a flash

08:46

drive into the USB input of the turned

08:48

off computer when the office system unit

08:50

is pushed into a Dusty dark corner it's

08:53

easy enough to insert something

08:54

inconspicuously there and people won't

08:57

notice anything for several years do you

08:59

often look at the back of your computer

09:01

at home but your mouse or keyboard can

09:03

be replaced with an identical one that

09:06

has a built-in bad USB but why do this

09:09

if the computer does not work it's

09:11

simple the criminal programs the flash

09:13

drive to send keystrokes not immediately

09:16

but every n hours or minutes to catch

09:18

the moment when the machine will be

09:19

turned on and unlocked this is called

09:22

delayed rce as long as the PC is locked

09:25

all clicks will go to the password input

09:27

field and disappear I.E the attack will

09:29

go virtually unnoticed in fact such a

09:33

device makes useless all attempts to

09:35

ensure security by locking the computer

09:37

which everyone is so used to after all

09:40

once left unattended a laptop can have

09:43

such a device inserted into it and no

09:45

matter whether the computer has been

09:47

locked or not bad USB flash drive will

09:49

try to perform clicks we mean arbitrary

09:52

code at intervals of a few minutes hours

09:55

or days and sooner or later the moment

09:57

will definitely come when the PC will be

10:00

unlocked then the malicious code will be

10:02

executed and the hacker will get remote

10:05

access and now let's talk about how to

10:07

protect yourself probably the best

10:09

protection here is to use specialized

10:12

software Solutions allowing the

10:13

connection of only pre-approved devices

10:15

from the list a whit list each USB

10:18

device has its own unique vendor ID and

10:21

product ID which are listed on the Whit

10:23

list all other USB devices including bad

10:26

USB sticks will not be recognized by the

10:28

OS this method perfectly protects not

10:31

only from the attack described above but

10:33

also from a number of other attacks and

10:35

can generally keep working computers

10:37

from a host of undesirable consequences

10:40

and the most important rule is common

10:42

sense and caution just as children must

10:45

not talk to strangers the adults must

10:47

not put any unfamiliar devices into

10:49

their computers or you can do it only on

10:52

a safe clean computer with no important

10:55

data and no internet access if you're

10:57

really curious well suub is always ready

11:01

to help you satisfy your curiosity

11:03

safely and win all these battles in the

11:06

online jungle

11:08

[Music]