# USB gone evil

## Evil USB, what's that again?
Bad USB can work in multiple ways. One is via reprogrammed firmware on a USB stick (or any other USB device), giving it a different purpose and function.
This doesn't need to be a USB Mass Storage device aka "thumb drive"; it can just as well be a pair of USB headphones. Re-programming the firmware is quite easy to do in many cases.
## Why is it working?
Depending on the OS (mostly on Windows) a plugged-in USB device is mounted automatically, and for convenience some files may be executed right away (product installer, etc.).
Even though this "Autorun" should be turned off, other attack modes still work. Since the USB device no longer needs to serve its "initial purpose" (like a USB headset), the headset can "impersonate" a keyboard, quickly enter a command and drop the malware.
A Rubber Ducky can fire a script without the user's knowledge or input right after the device is plugged in, or even delayed.
If done right, the USB device does not need to be present anymore to carry out its malicious intent (a "delayed execution").

## Why is this relevant?
USB devices are not only a planned attack vector; it can just as well be an accident.
Exchanging files with someone who unknowingly has an infected machine may transfer the malware to your clean system.
Even air-gapped computers or "closed environments" can be infected this way.

In the days of "bring your own device" this is particularly relevant, since you always need to be one step ahead.

If you dropped a handful of cheap USB sticks in the parking lot in front of your office, you could be almost certain that at least one of them gets plugged in (yay! free USB stick!).

Examples of these kinds of attacks are almost endless, and in many environments there is little protection against this attack vector.

## How do I protect myself and / or my environment?
For administrators there are multiple ways to protect an environment against this attack vector from inside the network.
The very crude but effective method is physically removing or gluing shut the USB ports of the machines. This is quite permanent and risks damaging the machines.
Some devices allow disabling USB in the BIOS settings (which then must be locked with a proper password). This, however, is not a suitable solution for more than a handful of machines.

GPOs can be used to deny access to Mass Storage devices. You could also remove the USB storage drivers completely and deny their installation.
This is a workaround for some scenarios, not all.
Some "bad USB" devices will not show up as mass storage but, for example, as a keyboard or mouse. On laptops these could be disabled as well, but that is rather inconvenient. And there are still other USB device types, modems for instance, and some need no driver at all and may not report their real intent to the OS.

So a whitelist may be the better solution.
Trend Micro OfficeScan's Device Control can be used to approve only specific USB devices.

[Using Device Access Control against Autorun malware – OfficeScan](https://success.trendmicro.com/solution/1054952-using-device-access-control-to-protect-your-computer-against-autorun-malware-in-officescan-osce “OfficeScan Device Control”)

[Configure USB and CDROM Device Access Control – OfficeScan](https://success.trendmicro.com/solution/1056026-officescan-detected-unauthorized-access-to-devices-connected-to-your-computer-pop-up-message-appea "OfficeScan Device Control")

This can then still be combined with a GPO or disabled drivers for specific use cases.
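To see where a given Windows host actually stands with the controls above, here is an audit script I added for this post (it is not from the original article, Microsoft or Trend Micro). It checks the registry keys that the Removable Storage Access and Device Installation Restriction GPOs write, whether the USBSTOR driver service is disabled, lists keyboard/mouse class devices that enumerate over USB or HID (a "headset" that also registers a keyboard shows up here as an extra keyboard), and pulls recent Kernel-PnP device-configured/started events (IDs 400 and 410) so you can correlate a new input device with the time it was plugged in. It assumes an elevated PowerShell 5.1 session on Windows 8.1/10 or Server 2012 R2 and later, where the PnpDevice module exists; run it on one machine before and after applying your GPO to confirm the policy landed.

```powershell
# Added audit script, not part of the original post. Assumes an elevated
# PowerShell 5.1 session on Windows 8.1/10 / Server 2012 R2+ (PnpDevice module).
# Registry paths are the well-known keys written by the GPOs discussed above.

$removablePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$removableDisks  = Join-Path $removablePolicy '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'  # "Removable Disks" class
$installRestrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$usbstorService  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is "Not configured"
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-UsbStorageControls {
    $denyAll   = Get-RegValue $removablePolicy 'Deny_All'     # "All Removable Storage classes: Deny all access"
    $denyRead  = Get-RegValue $removableDisks  'Deny_Read'    # "Removable Disks: Deny read access"
    $denyWrite = Get-RegValue $removableDisks  'Deny_Write'   # "Removable Disks: Deny write access"
    $usbstorStart = Get-RegValue $usbstorService 'Start'      # 4 = driver service disabled
    # DenyUnspecified = 1: only hardware IDs listed under AllowDeviceIDs may install (the whitelist)
    $denyUnspecified = Get-RegValue $installRestrict 'DenyUnspecified'
    $allowList = @()
    $allowKey = Join-Path $installRestrict 'AllowDeviceIDs'
    if (Test-Path $allowKey) {
        $allowList = (Get-ItemProperty $allowKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        RemovableStorageDenyAll  = ($denyAll -eq 1)
        RemovableDisksDenyRead   = ($denyRead -eq 1)
        RemovableDisksDenyWrite  = ($denyWrite -eq 1)
        UsbStorDriverDisabled    = ($usbstorStart -eq 4)
        InstallWhitelistEnforced = ($denyUnspecified -eq 1)
        AllowedHardwareIds       = $allowList
    }
}

function Get-ExternalInputDevices {
    # USB keyboards/mice enumerate under HID\ or USB\ instance paths; a laptop's
    # built-in keyboard normally sits under ACPI\, so it is excluded on purpose.
    Get-PnpDevice -PresentOnly -Class Keyboard, Mouse, HIDClass -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'HID\*' -or $_.InstanceId -like 'USB\*' } |
        Select-Object Class, FriendlyName, InstanceId, Status
}

function Get-RecentDeviceInstalls {
    param([int]$Hours = 24)
    # Kernel-PnP configuration log: 400 = device configured, 410 = device started.
    $filter = @{ LogName = 'Microsoft-Windows-Kernel-PnP/Configuration'
                 Id = 400, 410; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'USB\\|HID\\' } |
        Select-Object TimeCreated, Id, Message
}

$controls = Test-UsbStorageControls
$controls | Format-List
if (-not ($controls.RemovableStorageDenyAll -or $controls.UsbStorDriverDisabled -or $controls.InstallWhitelistEnforced)) {
    Write-Warning 'No USB storage restriction or device-install whitelist is configured on this host.'
}

$inputDevices = @(Get-ExternalInputDevices)
$inputDevices | Format-Table -AutoSize
$keyboards = @($inputDevices | Where-Object Class -eq 'Keyboard')
if ($keyboards.Count -gt 1) {
    Write-Warning ("{0} external keyboard-class devices are present; a keystroke-injecting device appears as an extra keyboard." -f $keyboards.Count)
}
Get-RecentDeviceInstalls | Format-Table -AutoSize -Wrap
```

The warning thresholds are deliberately simple: on a desktop with one USB keyboard a second keyboard-class device is worth a look, on a machine with a KVM or a gaming keypad it is normal, so tune the count to the fleet rather than alerting on it blindly.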

### Examples

[Evil USB @ GitHub](https://github.com/stevelacy/evil-usb/blob/master/evilUSB.ino "stevelacy/evil-usb · GitHub")

[Bad USB – now with Do-It-Yourself instructions](https://nakedsecurity.sophos.com/2014/10/06/badusb-now-with-do-it-yourself-instructions/ “BadUSB”)

[Evil USB Stick Steals PC, Mac Logins in 13 Seconds](http://www.laptopmag.com/articles/hack-pc-mac-logins “Steal Login Details in 13 seconds”)

#### More info on OS Hardening

Looking for an easily digestible checklist/guide for hardening Windows networks (from r/sysadmin)

ODAA_Baseline_Tech_Security_Configurations_Win7-2K8.pdf
http://www.dss.mil/documents/odaa/ODAA_Baseline_Tech_Security_Configurations_Win7-2K8.pdf

CIS Benchmarks (Center for Internet Security)
https://www.cisecurity.org/

Microsoft Baseline Security Analyzer 2.3 (for IT Professionals)
https://www.microsoft.com/en-us/download/details.aspx?id=7558

Home > STIGs > Security Requirements Guides (SRGs)
http://iase.disa.mil/stigs/srgs/Pages/index.aspx

# The Low Power Analyst's Lab Setup

## Hardware

I wanted to keep this "lab" as mobile and as flexible as possible.
So I'm using a pocket router for it: USB powered, based on OpenWRT, low power, easy to use and cheap.
You could do all of this in a local VMware Workstation or VirtualBox install. A local virtualized environment may not be the best choice though, and it brings its own limitations.

– Intel NUC NUC6i3SYH
– 32 GB RAM (I'm using 2x Kingston modules, NUCs are not very picky…)
– USB network card
– SSD, almost any will do. I had a spare Samsung 850 EVO 500GB available
– GL-AR150 as a router
– USB stick to boot & install ESXi

## Software

This will be very specific to whatever you want to do with your lab. I'm using mine for a mix of malware analysis, a learning platform for network defense and analysis, and a playground for nasty stuff.

– ESXi
– IWSVA (InterScan Web Security Virtual Appliance, Trend Micro)
– Various other Trend Micro tools
– Linux distribution of your preference, I'm using Ubuntu Server 16.04 LTS
– Kali Linux
– REMnux Linux
– Windows 10 client (any will do)
– Windows XP client (preferably unpatched, for testing)

## Set up GL-AR150 router

Keep in mind what you want to do with this lab. If it is for malware analysis, you probably want to keep everything isolated and not connect it to any other network or the internet.
It is still great to have DHCP available and an easy way to reach your ESXi host and remotely access your various machines.

## Install ESXI

It's very easy to do. You have to choose between installing it on the SSD (losing a little disk space, but nothing sticks out of the NUC) or installing it on the USB drive and saving the disk space.

## Install 2nd network card to Intel NUC

The NUCs (so far) don't come with a second network port, so we have to play with this a little to get things going.
It is entirely possible to do most of it with only one network, but I wanted to have the option available, and it's fairly straightforward to do.

Step 0.) Download the ESXi 6.5 USB Ethernet Adapter Driver VIB or the ESXi 6.5 USB Ethernet Adapter Driver Offline Bundle and upload it to your ESXi host.

Step 1.) If you are upgrading from an existing ESXi 5.5 or 6.0 environment, first uninstall the old driver by running the following command (specify the correct name of the driver):

$ esxcli software vib remove -n vghetto-ax88179-esxi60u2

If you have a fresh install of ESXi 6.5, jump straight to Step 2.

Step 2.) Install the VIB by running the following ESXCLI command:

$ esxcli software vib install -v /vghetto-ax88179-esxi65.vib -f

Step 3.) Next, you need to disable the native USB driver so that this driver can claim the adapter. To do so, run the following command:

$ esxcli system module set -m=vmkusb -e=FALSE

Step 4.) Lastly, for the changes to take effect, reboot your ESXi host. Once the system has rebooted it should automatically load the USB Ethernet driver, and the USB Ethernet adapter should be listed among the host's physical network adapters.
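The same four steps can be driven from a workstation with VMware PowerCLI instead of typing esxcli on the host, which is handy once the NUC sits headless in a drawer. The script below is an added example of mine, not from the original post or from the driver's author; it uses the Get-EsxCli V2 API, which takes the same esxcli namespaces and arguments as the commands above. It assumes PowerCLI is installed, the host is reachable under the placeholder name `esxi-nuc.lab`, the VIB was uploaded to the host path used in the post, and that the installed 6.5 VIB reports its name as `vghetto-ax88179-esxi65` (an assumption; check the output of `esxcli software vib list` if the skip logic never triggers).

```powershell
# Added example, not from the original post or the driver's author. Drives the
# four steps above through PowerCLI's Get-EsxCli V2 interface from a workstation.
# Assumptions: PowerCLI installed; host name is a placeholder; VIB names as used
# in the post; the 6.5 VIB's reported name is assumed to be vghetto-ax88179-esxi65.
param(
    [string]$VMHostName = 'esxi-nuc.lab',                 # placeholder hostname
    [string]$OldVibName = 'vghetto-ax88179-esxi60u2',     # 5.5/6.0 driver to remove (Step 1)
    [string]$NewVibName = 'vghetto-ax88179-esxi65',       # assumed name the 6.5 VIB reports
    [string]$NewVibPath = '/vghetto-ax88179-esxi65.vib',  # upload path on the host (Step 2)
    [switch]$Reboot
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
$server = Connect-VIServer -Server $VMHostName             # prompts for root credentials
$vmhost = Get-VMHost -Server $server -Name $VMHostName
$esxcli = Get-EsxCli -VMHost $vmhost -V2                    # V2 = hashtable arguments, same names as the CLI

$installed = $esxcli.software.vib.list.Invoke() | Select-Object -ExpandProperty Name

# Step 1: only remove the old driver if it is actually present
if ($installed -contains $OldVibName) {
    Write-Host "Removing $OldVibName"
    $esxcli.software.vib.remove.Invoke(@{ vibname = $OldVibName }) | Out-Null
}

# Step 2: install the 6.5 VIB; force = the -f flag from the post's command
if ($installed -contains $NewVibName) {
    Write-Host "$NewVibName already installed, skipping"
} else {
    $result = $esxcli.software.vib.install.Invoke(@{ viburl = $NewVibPath; force = $true })
    Write-Host $result.Message
}

# Step 3: disable the native USB driver (vmkusb) so the new driver can claim the NIC
$esxcli.system.module.set.Invoke(@{ module = 'vmkusb'; enabled = $false }) | Out-Null

# Step 4: reboot. Restart-VMHost refuses unless the host is in maintenance mode
# or -Force is given; a fresh lab host with no running VMs can take -Force.
if ($Reboot) {
    Restart-VMHost -VMHost $vmhost -Force -Confirm:$false | Out-Null
} else {
    Write-Host 'Reboot the host for the driver change to take effect.'
}
Disconnect-VIServer -Server $server -Confirm:$false
```

Run it once without `-Reboot` to see the install message and confirm nothing else is running on the host, then again with `-Reboot` (or just reboot from the DCUI) to finish Step 4.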

More:
1.) Install drivers: USB 3.0 Ethernet Adapter (NIC) driver for ESXi 6.5
2.) Configure network card: Functional USB 3.0 Ethernet Adapter (NIC) driver for ESXi 5.5 & 6.0

## Get things going

Now we should be ready to start installing our software.
Depending on what your later project is, you can install your VMs on the ESXi host now.

For what it is, this is quite a powerful toolkit to have at hand: low power consumption, almost silent and very affordable.