USB gone evil

## Evil USB, what's that again?
Bad USB can work in multiple ways. One is via reprogrammed firmware of a USB stick (or another USB device), giving it a different purpose and function.
This doesn't need to be a USB Mass Storage device (aka “thumb drive”); it can also be a pair of USB headphones. Re-programming firmware is quite easy to do in many cases.
## Why does it work?
Depending on the OS – mostly on Windows – a plugged-in USB device is mounted automatically and, for convenience, some files may be executed right away (product installer etc.).
Although this “Autorun” should be turned off, there are still other attack modes that work. Since the USB device no longer needs to serve its “initial purpose” (like a USB headset), the headset can “impersonate” a keyboard, quickly enter a command and drop the malware.
A Rubber Ducky can fire a script without the user's knowledge or input right after the device is plugged in – or even delayed.
If done right, the USB device no longer needs to be present to carry out its malicious intent (a “delayed execution”).

## Why is this relevant?
USB devices may not only be a planned attack vector – it can just as well be an accident.
Exchanging files with someone who unknowingly has an infected machine may transfer the malware to your clean system.
Even air-gapped computers or “closed environments” can be infected this way.

In the days of “bring your own device” this is particularly relevant – since you always need to be one step ahead.

If you dropped a handful of cheap USB sticks in the parking lot in front of your office, you could be almost certain that at least one of them would be plugged in (yay! free USB stick!).

Examples of these kinds of attacks are almost endless – and in many environments there's little protection against this attack vector.

## How do I protect myself and/or my environment?
For administrators there are multiple ways to protect an environment from this attack vector from inside the network.
The very crude but effective method is physically removing or gluing shut the USB ports of machines. This is quite permanent and risks damaging the machines.
Some devices allow disabling USB in the BIOS settings (which must then be locked with a proper password). This, though, is not a suitable solution for more than a handful of machines.

GPOs can be used to disable access to Mass Storage devices. You could also remove the USB drivers completely and deny their installation.
This is a workaround for some scenarios – not all.
Some “bad USB” devices will not show up as mass storage but, for example, as a keyboard or mouse. On laptops these could be disabled as well, but that is rather inconvenient. Also, there are still other USB devices… modems, and some don't require any kind of driver at all and may not report their intent properly to the OS.

So a whitelist may be a better solution.
Trend Micro OfficeScan's Device Control can be used instead to approve certain USB devices.

[Using Device Access Control against Autorun malware – OfficeScan]( “OfficeScan Device Control”)

[Configure USB and CDROM Device Access Control – OfficeScan]( “OfficeScan Device Control”)

This can then still be combined with a GPO or disabled drivers for specific uses.
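As an added example (not from the original post or from any of the products mentioned), the following PowerShell audits the keyboard/HID devices currently present against a hardware-ID whitelist, writes the local equivalent of the “Device Installation Restrictions” GPO settings, and pulls the Plug-and-Play audit events that record what was plugged in. The hardware IDs in the allow-list are constructed placeholders; in a domain you would deploy the same settings via GPO rather than the local registry.

```powershell
# Added example: whitelist-based audit and enforcement for USB HID devices.
# The allow-list below is constructed for illustration; replace it with the
# hardware IDs of the keyboards/mice actually issued in your environment.
$AllowedHardwareIds = @(
    'HID\VID_1234&PID_5678',   # placeholder: an approved keyboard
    'USB\VID_1234&PID_5678'    # placeholder: its parent USB interface
)

function Get-UnapprovedHidDevices {
    param([string[]]$Allowed = $AllowedHardwareIds)
    # Keyboards and HID devices are what a "bad USB" stick impersonates to type commands,
    # so anything present in these classes that is not whitelisted deserves a look.
    Get-PnpDevice -PresentOnly -Class Keyboard, HIDClass, Mouse -ErrorAction SilentlyContinue |
        Where-Object {
            $ids = @($_.HardwareID)
            -not ($ids | Where-Object { $Allowed -contains $_ })
        } |
        Select-Object Class, FriendlyName, InstanceId,
                      @{ n = 'HardwareIDs'; e = { $_.HardwareID -join ';' } }
}

function Set-DeviceInstallAllowList {
    param([string[]]$Allowed = $AllowedHardwareIds)
    # Local registry equivalent of the GPO settings "Prevent installation of devices not
    # described by other policy settings" plus "Allow installation of devices that match
    # any of these device IDs". Applies at driver-installation time; devices that are
    # already installed are not blocked retroactively by these two values alone.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    New-Item -Path "$base\AllowDeviceIDs" -Force | Out-Null
    Set-ItemProperty -Path $base -Name DenyUnspecified -Value 1 -Type DWord
    Set-ItemProperty -Path $base -Name AllowDeviceIDs  -Value 1 -Type DWord
    $i = 1
    foreach ($id in $Allowed) {
        Set-ItemProperty -Path "$base\AllowDeviceIDs" -Name $i -Value $id -Type String
        $i++
    }
}

# Security event 6416 ("A new external device was recognized by the system") is logged
# when the "Audit PnP Activity" subcategory is enabled; it is the trail you want when a
# rogue device turns up in the audit above.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

Get-UnapprovedHidDevices | Format-Table -AutoSize
```

Run the audit function on its own first; only call Set-DeviceInstallAllowList from an elevated prompt once the allow-list covers every legitimate keyboard and mouse, or you will lock yourself out of new input devices.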

### Examples

[Evil USB @ GitHub]( “stevelacy/evil-usb · GitHub”)

[Bad USB – now with Do-It-Yourself instructions]( “BadUSB”)

[Evil USB Stick Steals PC, Mac Logins in 13 Seconds]( “Steal Login Details in 13 seconds”)

#### More info on OS Hardening

- Looking for easily digestible checklist/guide for hardening Windows networks (from r/sysadmin)
- Microsoft Baseline Security Analyzer 2.3 (for IT Professionals)
- STIGs – Security Requirements Guides (SRGs)