Author Topic: virus/trojan malware usb transport.  (Read 1251 times)
Faraday Member
Karma: 30
Posts: 2526

Hackers are merely leaving usb infected sticks around which copy to the victim's machine and copy to any new usb sticks discovered...

Here's the catch, these infected sticks are starting to see code to communicate and upload to microcontrollers, in one example infecting via the stick inside a nuclear station where it spread machine to machine looking for hardware controllers then speeding up the servos or slowing them down to destroy rods I think...


So trojans infecting Arduinos? :o

God Member
Karma: 7
Posts: 647
"In this house, we obey the Laws of Thermodynamics" Homer J. Simpson

You seem to be talking about the Stuxnet worm, which could attack Programmable Logic Controllers (PLCs). It seems to be very sophisticated and required large resources to develop.

USBs are now spreading malware in the same way floppy disks used to.
I can see the PC on which you run your IDE getting infected though I doubt the arduino could get infected in any meaningful way i.e. somebody being able to control something.

Global Moderator
Netherlands
Shannon Member
Karma: 227
Posts: 14026
In theory there is no difference between theory and practice, however in practice there are many...

Maybe we can make a sketch for an Arduino with USB shield as Virus/malware detector

- simple check if it has autorun features and report them on an LCD (red led /green led)

Rob Tillaart

Dutch section - http://arduino.cc/forum/index.php/board,77.0.html -
(Please do not PM for private consultancy)
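Rob's detector idea above, worked out as an added example (my code, not from the thread or the Arduino project): a portable C scanner for the autorun.inf file that a sketch with a USB host shield would read off the stick, returning which code-launching directives the [autorun] section contains so the sketch can drive the red/green LED. The sample file contents are constructed for the example, and reading the file from the FAT volume is assumed to be done by the sketch.

```c
#include <ctype.h>
#include <string.h>
/* Bit flags for the autorun.inf directives that launch code. */
enum {
    AUTORUN_OPEN         = 1 << 0, /* open=program.exe               */
    AUTORUN_SHELLEXECUTE = 1 << 1, /* shellexecute=file              */
    AUTORUN_SHELL_CMD    = 1 << 2  /* shell\verb\command=program.exe */
};
/* Copy one line of inf (up to CR/LF) into buf, lower-cased and with
 * leading blanks dropped; return the start of the next line. Over-long
 * lines are truncated, never overflowed. */
static const char *next_line(const char *inf, char *buf, size_t cap) {
    size_t n = 0;
    while (*inf == ' ' || *inf == '\t') inf++;
    while (*inf && *inf != '\r' && *inf != '\n') {
        if (n + 1 < cap) buf[n++] = (char)tolower((unsigned char)*inf);
        inf++;
    }
    buf[n] = '\0';
    while (*inf == '\r' || *inf == '\n') inf++;
    return inf;
}
/* Return a bitmask of code-launching directives found in the [autorun]
 * section. Keys in other sections and ';' comments are ignored, as
 * Windows ignored them; 0 means the file only sets icon/label/action. */
int autorun_risk(const char *inf) {
    char line[256];
    int flags = 0, in_autorun = 0;
    while (*inf) {
        inf = next_line(inf, line, sizeof line);
        if (line[0] == '[') {
            in_autorun = strcmp(line, "[autorun]") == 0;
        } else if (in_autorun && line[0] != ';') {
            if (strncmp(line, "open=", 5) == 0)          flags |= AUTORUN_OPEN;
            if (strncmp(line, "shellexecute=", 13) == 0) flags |= AUTORUN_SHELLEXECUTE;
            if (strncmp(line, "shell\\", 6) == 0 && strstr(line, "\\command="))
                flags |= AUTORUN_SHELL_CMD;
        }
    }
    return flags;
}
/* Constructed sample: launches a hidden program on insertion and via the menu. */
static const char SAMPLE_INF[] =
    "[AutoRun]\r\n"
    "icon=drive.ico\r\n"
    "Open=hidden\\launcher.exe\r\n"
    "shell\\open\\command=hidden\\launcher.exe\r\n";
/* LED decision for the sketch: non-zero means light the red LED. */
int stick_is_suspicious(const char *inf) { return autorun_risk(inf) != 0; }
```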

Maine
Sr. Member
Karma: 14
Posts: 418
Caution: Explosives in use.

Quote
You seem to be talking about the Stuxnet worm, which could attack Programmable Logic Controllers (PLCs). It seems to be very sophisticated and required large resources to develop.

USBs are now spreading malware in the same way floppy disks used to.
I can see the PC on which you run your IDE getting infected though I doubt the arduino could get infected in any meaningful way i.e. somebody being able to control something.

And those PLCs were usually plugged into computers running unpatched or pirated versions of Windows XP.

It's a really cool attack vector though. Just buy a bunch of bulk USB drives on ebay, load virus, sprinkle them around in the parking lot of "Competing Company A", and then profit. Smart sysadmins disable auto-run and USB ports though.

The problem is, a lot of these older industrial control programs only run on old operating systems. They cost so much to initially develop, that the company doesn't want to pay a programmer to make a new controller. It wouldn't be too big of a deal, but people can't live without Facebook and Twitter now, so these machines are plugged into the local network so their users can screw around all day instead of working.

"Anyone who isn't confused really doesn't understand the situation."

Electronic props for Airsoft, paintball, and laser tag -> www.nightscapetech.com

The Netherlands
Edison Member
Karma: 51
Posts: 1729

Quote from: wizdum
And those PLCs were usually plugged into computers running unpatched or pirated versions of Windows XP.  

That reads as the words of some spokesman of Microsoft trying to convince the world to buy their latest products (over and over and over again).
Unpatched computers are no problem whatsoever and are more or less standard in SCADA systems that are not connected to anything other than the internal network.
That means no internet connection whatsoever.
Internet has no business in nuclear reactor control rooms.
Patching systems that are part of critical (nuclear) processes is something that has to be tested extensively before applying that patch.
You won't be able to do that every "patch tuesday".
So if the base is stable, and you have no external (network) connections, why would you need to patch/update when you don't know what that will do to stability?
If you do need to backup or update/restore the SCADA application, you should use media that is only used for that goal and that is loaded from a system that meets the same conditions or is up to date.

Have a look at "blink without delay".
Did you connect the grounds ?
You can also get help here in Dutch: http://arduino.cc/forum/index.php/board,77.0.html

Global Moderator
Netherlands
Shannon Member
Karma: 227
Posts: 14026
In theory there is no difference between theory and practice, however in practice there are many...

Quote
Internet has no business in nuclear reactor control rooms.
Did you check Homer Simpson?

More serious, I think you mean:
The computers in the control room controlling the nuclear reactor should never be connected to the Internet.
There may be additional computers for communication, documentation, simulation etc.

Rob Tillaart

Dutch section - http://arduino.cc/forum/index.php/board,77.0.html -
(Please do not PM for private consultancy)

Maine
Sr. Member
Karma: 14
Posts: 418
Caution: Explosives in use.

Quote from: wizdum
And those PLCs were usually plugged into computers running unpatched or pirated versions of Windows XP.  

That reads as the words of some spokesman of Microsoft trying to convince the world to buy their latest products (over and over and over again).
Unpatched computers are no problem whatsoever and are more or less standard in SCADA systems that are not connected to anything other than the internal network.
That means no internet connection whatsoever.
Internet has no business in nuclear reactor control rooms.
Patching systems that are part of critical (nuclear) processes is something that has to be tested extensively before applying that patch.
You won't be able to do that every "patch tuesday".
So if the base is stable, and you have no external (network) connections, why would you need to patch/update when you don't know what that will do to stability?
If you do need to backup or update/restore the SCADA application, you should use media that is only used for that goal and that is loaded from a system that meets the same conditions or is up to date.


I have no love for MS, so take that crap elsewhere. One of the early patches for Windows XP removed the USB Autorun "Feature". So yes, a Patch Tuesday patch would have prevented that. There are more complex auto-execution hacks, but they still require the user to run them manually (and hopefully people working in these places know not to run random .exe files they find on a thumbdrive in the parking lot). Windows XP is 12 years old. Is 12 years enough time to "test extensively before applying that patch"? As I said in my previous post, these systems were never supposed to be online in the first place, but they are placed on the public network to make users happy. The problem is threefold: lazy sysadmins, cheap upper management, and outdated software. Obviously jumping on the RTM version of Windows 8.1 is a bad idea, but how about trying an OS that was created in THIS decade? Or better yet, get rid of Windows entirely and use a stripped down variant of Linux with no GUI or USB support.

"Anyone who isn't confused really doesn't understand the situation."

Electronic props for Airsoft, paintball, and laser tag -> www.nightscapetech.com

Global Moderator
UK
Brattain Member
Karma: 310
Posts: 26627
I don't think you connected the grounds, Dave.

Quote
these infected sticks are starting to see code to communicate and upload to microcontrollers PLCs in one example infecting via the stick inside a nuclear station uranium enrichment plant where it dpread [sic] machine to machine looking for hardware controllers then speeding up the servos gas centrifuges or slowing thrm[sic] down to destroy rods/ disrupt yield i think...
Close, but no cigar.
(old news, BTW)

The stuxnet dossier is a good read.
« Last Edit: August 21, 2013, 11:19:32 am by AWOL »

"Pete, it's a fool looks for logic in the chambers of the human heart." Ulysses Everett McGill.
Do not send technical questions via personal messaging - they will be ignored.

SE USA
Faraday Member
Karma: 41
Posts: 3783
@ssh0le

Quote from: wizdum
And those PLCs were usually plugged into computers running unpatched or pirated versions of Windows XP.

I have dozens of PLCs under my control at work, none of them require attachment to a PC, and when they do it's typically via a GPIO interface (ISA PCI USB whatever) sending single bits on single channels

not saying that machines don't use direct computer connections over some bus, but it's typically a very simple bus, much like an arduino ... so unless you're saving raw data from a plc, packing it up and running it as a windows exe, it's not that big of a deal


Maine
Sr. Member
Karma: 14
Posts: 418
Caution: Explosives in use.

Quote
And those PLCs were usually plugged into computers running unpatched or pirated versions of Windows XP.

I have dozens of PLCs under my control at work, none of them require attachment to a PC, and when they do it's typically via a GPIO interface (ISA PCI USB whatever) sending single bits on single channels

not saying that machines don't use direct computer connections over some bus, but it's typically a very simple bus, much like an arduino ... so unless you're saving raw data from a plc, packing it up and running it as a windows exe, it's not that big of a deal

I'm not sure how these were interfaced with a Windows PC, but they were able to change some of the instructions for the PLCs from the Windows environment. Wikipedia says they used this: http://en.wikipedia.org/wiki/WinCC.
Quote
Stuxnet installs malware into memory block DB890 of the PLC that monitors the Profibus messaging bus of the system.[40] When certain criteria are met, it periodically modifies the frequency to 1410 Hz and then to 2 Hz and then to 1064 Hz, and thus affects the operation of the connected motors by changing their rotational speed.[46] It also installs a rootkit – the first such documented case on this platform – that hides the malware on the system and masks the changes in rotational speed from monitoring systems.
http://en.wikipedia.org/wiki/Stuxnet

The other kinds of SCADA "vulnerabilities" are as you say, not a big deal. The one that comes to mind is a nuclear power plant in France. The system is on the internet, and you can access it remotely using default telnet credentials. The only thing it gets you is a page of statistics. You can see their total power output, output per reactor, temperatures, stuff like that.
« Last Edit: August 22, 2013, 11:20:57 am by wizdum »

"Anyone who isn't confused really doesn't understand the situation."

Electronic props for Airsoft, paintball, and laser tag -> www.nightscapetech.com
