When hackers from penetration testing firm Netragard were hired to pierce the firewall of a customer, they knew they had their work cut out. The client specifically ruled out the use of social networks, telephones, and other social-engineering vectors, and gaining unauthorized physical access to computers was also off limits.
Deprived of the low-hanging fruit attackers typically rely on to get a toe-hold onto their target, Netragard CTO Adriel Desautels borrowed a technique straight out of a plot from Mission Impossible: He modified a popular, off-the-shelf computer mouse to include a flash drive and a powerful microcontroller that ran custom attack code that compromised whatever computer connected to it.
For the attack to work, the booby-trapped USB Logitech mouse had to look and behave precisely the same as a normal device. But it also needed to include secret capabilities that allowed the mouse to do things no user would ever dream possible.
“The microcontroller acts as if there's a person sitting at the keyboard typing,” Desautels told The Reg. “When a certain set of conditions are met, the microcontroller sends commands to the computer as if somebody was typing those commands in on the keyboard or the mouse.”
Interior view of Logitech mouse modified by penetration testers. Picture supplied by Netragard
The Teensy microcontroller programmed by the Netragard hackers was programmed to wait 60 seconds after being plugged in to a computer and then enter commands into its keyboard that executed malware stored on the custom-built flash drive snuck into the guts of the Logitech mouse. To squelch warnings from McAfee antivirus, which was protecting the customer's PCs, the microcontroller contained undocumented exploit code that subverted the program's dialogue boxes to evade detection.
Desautels said he chose the highly involved method after deciding against a simpler attack that relied only on a USB drive and functionality in Windows that automatically executes its contents when its connected to the computer. As previously reported, malware infections that exploit the widely abused Autorun feature plummeted in the past few months as Microsoft has made it easier for customers to turn it off.
The modified mouse wasn't hemmed in by the change because it didn't rely on Autorun for the malicious code to be executed. The programmable microcontroller, in effect, acted as its own rogue agent that was under the control of the Netragard penetration testers who had programmed it. Because the the attack code is executed by the mini computer on the Teensy card, the technique can work against a variety of operating systems, not just Windows. What's more, no drivers are needed.
“You're plugging in a computer device, in either a keyboard or a mouse, that has a mind of its own,” Desautels explained. “There's no defense, either. Plug one of these in and you're basically screwed.”
To get someone from the target company to use the mouse, Netragard purchased a readily available list names and other data of its employees. After identifying a worker who looked especially promising, they shipped him the modified mouse, which they put back in its original packaging and added marketing materials so the shipment would look like it was part of a promotional event.
Three days later, the malware contained on the mouse connected to a server controlled by Netragard. Much of the malware used in the attack was first dreamed up by security researcher Adrien Crenshaw. Netragard's detailed description of the attack comes as the US Department of Homeland Security released results from a recent test that showed 60 percent of employees who picked up foreign computer discs and USB thumb drives in the parking lots of government buildings and private contractors connected them to their computers. ®
This post was updated to include details about the DHS study.