Recently, researchers from Ben-Gurion University of the Negev in Israel have discovered 29 (yes, you read it correctly) ways someone can insert malware into your computer or smartphone via a USB port. Luckily, the team of experts suggested solutions on how to stay safe and what to do if attacked.
All 29 malware attacks are divided into four categories:
- Attacks that reprogram the microcontroller.
- Attacks that reprogram the USB device's firmware.
- Malware that takes advantage of flaws in the operating system.
- Electrical attacks.
This short guide will try to shed some light on these pieces of malware and on the steps you can take to protect your data, whether your computer has already been infected or you want to prevent the infection in the first place.
Note that these steps are very general and might not work against all of these threats; that is why we placed the “What to do now?” section at the end of this guide (with the exception of those threats for which the researchers identified specific protective measures).
1. Rubber Ducky
Rubber Ducky is a ransomware threat developed in 2010 whose primary aim is to encrypt your files by acting as a keyboard with pre-entered keystrokes. It works on every operating system that recognizes a USB stick as the main input device, a keyboard.
The most probable scenario is that the attacker will offer a PIN code to decrypt the files in exchange for money. Unfortunately, a simple Google search shows that the Rubber Ducky USB stick is available for purchase for a mere $50.
This malware works on the same principle as Rubber Ducky, with one subtle difference: a programmed timer lets the attacker(s) choose a specific time at which to activate the keystrokes.
3. Evilduino
Evilduino uses an Arduino microcontroller: it reprograms the board and injects malicious keyboard and mouse strokes into your computer.
What to do if you are infected with Evilduino:
You can try to uninstall it with a third-party tool that will scan your computer and look for malware and other issues that can affect your device. Make sure to use a trusted tool that can identify Evilduino, locate it and uninstall it. Try one of these:
4. USBdriveby
Another piece of malware that reprograms microcontrollers and uses pre-entered keyboard and mouse strokes is USBdriveby. This malware changes DNS settings and unlocks the computer. The device, called Teensy, is one of the products commonly used for this purpose; it can be purchased on Amazon for just $20.
5. USB Hardware Trojan
The USB Hardware Trojan uses USB channels such as speakers and keyboards to exfiltrate and compromise users’ data. This Trojan uses two types of channels that are not safeguarded by endpoint security protections: kernel-space and user-space.
What to do if your computer is infected with the USB Hardware Trojan?
One of the solutions experts recommend is Real-Time Protection, which identifies and blocks the threat before it starts extracting data. If you are a Windows 10 user:
1. Go to Settings/ Windows Defender
6. RIT (Read it Twice) Attack Via USB Mass Storage
This malware monitors the target user’s activity and alters files on the infected computer by using a USB mass storage device. RIT can be transmitted not only by USB devices but also by any other external storage unit.
How to remove RIT from your computer:
To get rid of RIT, try an anti-malware program (Comodo, for example). To install Comodo and remove the threat from your computer, follow these steps.
7. Attacks on Wireless USB Dongles
One of the most famous attacks from this category is KeySweeper. It is a USB wall charger that collects data from all wireless keyboards that are in range. The malware attacks Microsoft keyboards manufactured before 2011. Luckily, later models are more difficult to hack.
How to protect your computer:
To stay safe even if your computer is in KeySweeper’s range, use a keyboard that operates by using Bluetooth technology.
This USB spyware tool was inspired by the National Security Agency’s Cottonmouth program, whose main purpose was to spy on people of interest, collect data and take control of a target’s computer. Needless to say, the device is controlled by radio.
9. Default Gateway Override
In this scenario, the infected USB stick affects the functioning of the Ethernet adapter and changes the DNS settings. This way, all data is transferred to the hacker’s server.
10. Smartphone-based HID attacks
Another type of threat vector is attacks in which hackers reprogram the USB’s firmware. The malware changes the way a smartphone interacts with the keyboard and mouse. It mimics these peripherals and sends pre-entered keystrokes to the victim’s smartphone.
11. Keyboard Emulation by Modified USB Firmware
This is another example of how tampered USB firmware can be used for simulating the keyboard. As already mentioned, this type of malware sends pre-determined keystrokes to the victim’s computer.
12. Hidden Partition Patch
The USB drive is used as a hidden partition acting like a normal drive, only it cannot be detected or formatted. The purpose of this virus is to exfiltrate data from your computer.
13. DNS Override by Modified USB Firmware
Similar to the Default Gateway Override, this malware changes DNS settings and redirects traffic to the attacker’s server. However, in this case, it is not the microcontroller that is altered, but the USB’s firmware.
Possible protective measures:
There’s not much you can do—if infected with this type of malware, you will probably have to reinstall the entire operating system.
14. Boot Sector Virus
The infected USB stick recognizes the type of operating system based on how it interacts with it. Then, the malware boots the system from the USB.
15. Password Protection Bypass Patch
Password Protection Bypass Patch does just what its name suggests—it enables access to password-protected content by altering the USB’s firmware.
16. Virtual Machine Break-Out
In this scenario, researchers have shown how reprogrammed USB firmware can hijack the user’s VirtualBox or their laptop camera for spying.
Similar to the previous example, researchers have shown how reprogrammed USB firmware can be used for spying on users with their own cameras. The virus even disabled the LED light on the camera, so the user is not even aware that they are being monitored.
18. Stuxnet
This malware, together with the Fanny Worm below, uses unprogrammed USB devices and operating system flaws for the purpose of cyber espionage. The malware was famously used to spy on the Iranian nuclear program.
19. Fanny Worm
Fanny Worm is not just similar to Stuxnet; it’s also possibly related to it. Fanny Worm operates on the same principle and is convenient for spying on computers that are not connected to the internet by exploiting Microsoft’s LNK vulnerability. It was developed by Equation Group, a code name for the NSA as revealed by researchers in 2015.
20. Data Hiding on USB Mass Storage Devices
Researchers have shown that even USB sticks that seem empty can contain malware or stolen data. They can be placed in an invisible file or outside of the regular partition.
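As an added defensive example (not from the original guide or the researchers), a check for the second hiding place just described: parse the MBR of a USB stick image, find where the last partition ends, and measure how much non-zero data sits in the unpartitioned space behind it. It assumes an MBR-partitioned stick (GPT is not handled) and uses a constructed 32 KiB disk image with a single FAT32 entry.

```python
import struct

SECTOR = 512  # MBR addresses the disk in 512-byte logical blocks

def parse_mbr(image):
    """Return [(start_lba, sector_count)] for the used primary entries of an MBR image."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):                       # four 16-byte entries from offset 446
        entry = image[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:          # entry[4] is the partition type, 0 = unused
            parts.append((start, count))
    return parts

def audit_tail(image):
    """Measure the space after the last partition, the classic place to hide data."""
    total = len(image) // SECTOR
    end = max((s + c for s, c in parse_mbr(image)), default=1)
    tail = image[end * SECTOR:total * SECTOR]
    return {"last_partition_end": end, "disk_sectors": total,
            "unpartitioned_sectors": total - end,
            "nonzero_tail_bytes": sum(1 for b in tail if b)}

def build_image(total_sectors, start, count, hidden=b""):
    """Constructed test disk: one FAT32 entry, optional bytes planted past its end."""
    img = bytearray(total_sectors * SECTOR)
    # status, CHS start (ignored), type 0x0B = FAT32, CHS end (ignored), LBA start, count
    struct.pack_into("<B3sB3sII", img, 446, 0x00, b"\0\0\0", 0x0B, b"\0\0\0", start, count)
    img[510:512] = b"\x55\xaa"
    off = (start + count) * SECTOR
    img[off:off + len(hidden)] = hidden
    return bytes(img)

def demo():
    """Plant a marker in the slack behind the partition and show the audit flags it."""
    clean = audit_tail(build_image(64, 8, 40))
    planted = audit_tail(build_image(64, 8, 40, hidden=b"planted 20-byte blob"))
    return clean, planted
```

On a real stick you would read the raw block device (or a dd image) into `image`; a large non-zero tail on a drive that "looks empty" is worth a closer look.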
21. AutoRun Exploits
Windows’ AutoRun option saved users a lot of time but also opened new horizons for malware lurking on USB sticks. Some examples of AutoRun malware include the Sony BMG Rootkit and the Conficker Worm. Both viruses automatically attack the computer once an infected USB stick or disc is inserted.
How to remove Autorun Malware from your computer:
- Disable the AutoRun function.
- Search every drive’s root for autorun.inf.
- Open the file with Notepad.
- Look for the Label= and shellexecute= lines and note the name of the file they point to.
- Close the autorun.inf file.
- Delete it.
- Find the file whose name you noted.
- Delete that file as well.
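The "open the file, find the launch lines, locate the referenced file" part of that list, as an added example in Python that is not part of the original guide: it parses autorun.inf, pulls out label= and every key that launches a program (open=, shellexecute= and any shell\...\command=), and reports whether each referenced file is present in the drive root. The sample autorun.inf, the RECYCLER\setup.exe stub and the scan_root/demo helpers are constructed for this example.

```python
import tempfile
from pathlib import Path
# Constructed sample autorun.inf, shaped like those worms drop on removable drives
SAMPLE_AUTORUN = r"""[autorun]
open=RECYCLER\setup.exe
shellexecute="RECYCLER\setup.exe" /s
shell\open\command=RECYCLER\setup.exe
label=My Photos"""

def first_token(value):
    # file named by a launch value: the quoted path, else the text before the first space
    value = value.strip()
    return value[1:].split('"')[0] if value.startswith('"') else (value.split() or [""])[0]

def parse_autorun(text):
    """Return (label, [(key, file)]) for every launch-capable key in [autorun]."""
    label, targets, section = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                                  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key == "label":
                label = value.strip()
            elif key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                targets.append((key, first_token(value)))
    return label, targets

def scan_root(root):
    """For autorun.inf in a drive root, list each launch target and whether it exists."""
    root, report = Path(root), []
    for inf in (p for p in root.iterdir() if p.name.lower() == "autorun.inf"):
        label, targets = parse_autorun(inf.read_text(errors="replace"))
        for key, target in targets:
            exists = (root / target.replace("\\", "/")).is_file()
            report.append({"key": key, "target": target, "label": label, "exists": exists})
    return report

def demo():
    with tempfile.TemporaryDirectory() as tmp:     # throwaway "drive root" for the sample
        root = Path(tmp)
        (root / "RECYCLER").mkdir()
        (root / "RECYCLER" / "setup.exe").write_bytes(b"MZ")   # dummy bytes, not a binary
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
        return scan_root(root)
```

Point `scan_root` at a mounted stick (for example `E:\` or `/media/usb`) to get the same report for a real drive; it only reads, so deleting the listed files stays a manual decision.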
22. Driver Update
This is one of the most complicated attacks because it uses the VeriSign Class 3 Organizational Certificate that allows malware to be marked as “verified.” This way, the virus is identified as a trusted Microsoft program. Luckily, this attack is very complicated to pull off, and because of that, it is not that common.
23. RAM Dump Attack
This malware is stored on a USB device, and it harvests data from RAM. Attackers use a memory dump to infiltrate a victim’s computer. Once they do that, they have access to decryption keys and passwords. This malware is especially convenient for extracting data from point-of-sale (POS) systems.
How to avoid RAM Dump Attacks:
- Use strong passwords.
- Use an antivirus program.
- Use a firewall.
- Keep the software updated.
- Restrict internet access.
- Disable remote access.
24. Buffer Overflow-Based Attacks
Buffer overflow is an error in the code that occurs when there is more data than the buffer can handle. This is a system’s weak spot, and it can be easily exploited in the service of a malware attack. The code in the malware can be used for gaining access to one’s computer.
25. Device Firmware Upgrade
Another sneaky way of inserting malware into a USB device is replacing the legitimate firmware with an infected version.
What can you do?
To protect your USB device from the malicious upgrade, you can disable firmware updates.
26. USB Thief
USB Thief is malware that operates incognito on USB devices and uses portable apps such as Firefox or TrueCrypt. It has a strong self-protection mechanism and cannot be copied. The purpose of this malware is to collect data from computers that are not connected to the internet.
27. USBee Attack
USBee Attack is, one might say, probably the work of a mastermind. Until this method was invented, somebody had to bring an infected USB device into the building. However, USBee uses devices that are already in the facility and turns them into data transmitters. This attack can be conducted even if the computer is not connected to the internet.
28. Attacks on Smartphones
Malicious programs can be inserted even into smartphones via USB chargers. Make sure not to charge your phone with public chargers in coffee shops or airports, because these devices can be corrupted. Also, do not plug your phone into a computer.
How to remove malware from a smartphone:
- First, you will have to uninstall suspicious apps from your phone. Go to Settings/Applications, select the one you want to uninstall and click Uninstall.
- Restart your phone.
- Scan the phone with a mobile antivirus program, such as Avast’s free mobile security tool.
- Delete all malicious apps.
29. USB Killer
USB Killer is a type of electrical attack. The device has the capacity to physically destroy the entire hardware system. Unfortunately, the computer will not recover from this.
If your computer is infected, here’s what to do:
According to researchers, there are no fully guaranteed methods to get rid of malware coming through a USB stick. You can try the conventional techniques listed below; however, nobody can guarantee they will work every time or for every type of attack.
1. One of those methods is restoring your operating system to a previous version. If you are a Windows 10 user, you can do the following:
- Go to My Computer
- Click Properties
- Click System Protection
- Select System Restore/ Choose a Different Restore Point
- Click Next
- Select the convenient date
- Click Finish
Make sure that all of your files are backed up because once you restore your operating system to the previous version, all programs that were installed after the selected date will be lost.
2. Another method is trying to uninstall the malware from your Programs (Apps) and Features:
- Press Windows + X
- Select Apps and Features
- Find the malware
- Select it
- Click Uninstall
Luckily, my computer is not infected with malware, so for demonstration I used Skype.
3. You can also use the uninstall command:
- Press Windows + R
- Type regedit
- Find the malware
- Double-click the UninstallString
- Copy Value Data
- Press Windows + R
- Paste Value Data
- Click OK
- Follow the wizard
How to Stay Safe
There are several general rules you need to follow to protect your USB stick, computer and smartphone from malware. You can at least try to do so with these recommendations:
- Always use your own USB devices and charger.
- Do not use USB devices you find in a coffee shop or on the street.
- Connect to the 3G network rather than public Wi-Fi.
- If possible, block USB devices.
- Scan your keyboard, USB stick, mouse and other peripherals for malware.
- Disable updates to your peripheral devices.
For the majority of these malware threats, there is no certain strategy for getting rid of them once you are infected. You can try the methods listed above, but nobody can guarantee they will work.
Also, in most cases, you have to have enough skill to identify the malware without the help of an outside security program. The last option is to re-install your operating system and hope for the best—sometimes, even this doesn’t help.
On the other hand, there are some measures users can take to make their USB devices and computers safer. For instance, do not use someone else’s USB stick, always bring your own charger, use an antivirus program and scan your systems on a regular basis.