A new piece of malware, dubbed BadUSB, has been created that can hide in the firmware of USB devices, modify files installed from a removable storage device, and divert Internet traffic by changing DNS settings.
Karsten Nohl and Jakob Lell from SR Labs are the authors of the BadUSB proof-of-concept malware. They say there is no protection against it other than restricting the use of USB-connected devices.
They say that turning one device type into another is just a matter of reprogramming the USB controller chips, and that “very widely spread USB controller chips, including those in thumb drives, have no protection from such reprogramming.”
As such, a reprogrammed USB device can emulate another. One example is a gadget impersonating a keyboard, which can issue commands to steal data or to install malware from a specific location. The risk is significant because other controller chips available on the system could also be infected.
Another example of how threat actors can use this type of malware is spoofing a network card, then modifying the DNS information and redirecting traffic to a system controlled by the attackers.
Also, the method can be used with removable storage devices, which can install malware on the computer before the operating system boots up.
According to the two researchers, there is no effective protection against this sort of threat, because antivirus products don’t have access to the firmware of USB devices. Moreover, at the moment, there is no firewall solution that could block certain device classes.
They also point out that behavioral detection is a dead end, because when a malicious USB device switches to a different device type, the system monitoring mechanism would only record that a new USB device has been connected to the computer.
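What "device type" means at the descriptor level, as an added example that is not from the article or from SR Labs: the sketch reads the interface classes a device declares in its USB configuration descriptor, compares them with an allowlist, and notes when the classes seen on a port change. The port name, the allowlist, the `PortPolicy` and helper names, and the descriptor bytes are constructed assumptions; a port-level class change also occurs on an ordinary device swap.

```python
import struct

# USB-IF base class codes carried in bInterfaceClass (subset).
CLASS_NAMES = {0x02: "cdc-communications", 0x03: "hid", 0x08: "mass-storage",
               0x09: "hub", 0x0A: "cdc-data", 0xFF: "vendor-specific"}
DT_INTERFACE = 0x04  # bDescriptorType of an interface descriptor


def interface_classes(config: bytes) -> set:
    """Walk a raw configuration descriptor; return every bInterfaceClass."""
    found, off = set(), 0
    while off < len(config):
        length = config[off]
        if length < 2 or off + length > len(config):
            raise ValueError(f"malformed descriptor at offset {off}")
        if config[off + 1] == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {off}")
            found.add(config[off + 5])  # byte 5 = bInterfaceClass
        off += length
    return found


def names(codes) -> list:
    return sorted(CLASS_NAMES.get(c, f"0x{c:02x}") for c in codes)


class PortPolicy:
    """Class allowlist plus a per-port record of the classes last seen."""
    def __init__(self, allowed):
        self.allowed, self.last_seen = set(allowed), {}

    def check(self, port: str, config: bytes) -> list:
        now = interface_classes(config)
        findings = [f"{port}: class {n} not allowed" for n in names(now - self.allowed)]
        before = self.last_seen.get(port)
        # Also fires on a legitimate device swap: review it, not proof of tampering.
        if before is not None and before != now:
            findings.append(f"{port}: classes changed {names(before)} -> {names(now)}")
        self.last_seen[port] = now
        return findings


def sample_config(*classes: int) -> bytes:
    """Constructed input: configuration header plus one interface per class."""
    body = b"".join(struct.pack("<9B", 9, DT_INTERFACE, i, 0, 0, c, 0, 0, 0)
                    for i, c in enumerate(classes))
    head = struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body), len(classes), 1, 0, 0x80, 50)
    return head + body
```

On a live system the descriptor bytes would come from the host's USB stack rather than from `sample_config`.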
“To make matters worse, cleanup after an incident is hard: simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root,” the researchers explain.
“The USB thumb drive, from which the operating system is re-installed, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive,” they add.
What this means is that once BadUSB has been detected, all USB devices that have been plugged into the computer should be considered infected.
The duo will hold a presentation at the Black Hat USA conference this month, where they will also release the proof-of-concept tools.