<

Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x

Bad USB - time to fight back!

Published on
12,947 Points
2,447 Views
15 Endorsements
Last Modified:
The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks without using non-microsoft tools or even security software that we would have to pay for.

Let me show the attack types that can be easily defeated:

1 your computer is found unattended and someone connects his USB drive (stick or hard drive or smartphone) to collect some of your data
2 your computer is found unattended and someone tries to run a script to infect your computer. Knowing, that we are prepared for item-1-attacks, he comes with a USB rubber ducky style device, that is a special USB memory stick that camouflages as keyboard to circumvent countermeasures against USB sticks. That way, it can act as a keyboard and type in thousands of code lines per minute…malicious code.The rubber ducky attack  is very dangerous since your computer can be infected in seconds even with current anti-virus software.


The concept:
The usb device, as any other device, needs to be installed in order to work. This takes a few seconds and is long enough to launch a counter-attack and uninstall that devices again before the attacker can use them. Starting with windows 8, the event log will record usb device installations so that we can use these events to trigger the counter attack, namely a scheduled task. That task simply uses devcon.exe, a command line tool by Microsoft to uninstall these newly connected devices within less than a second.

You can deploy these tasks and scripts using group policy preferences, so that they are active on whole networks.

The way:
1 First, obtain devcon.exe - make sure to realize that there are two versions, one for 32 bit and one for 64 bit windows. Use version 6.1.7600.16385 and deploy it to c:\windows, so that it lies within the path.

2 Then, create a whitelist of devices that you actually use and would like to exclude from becoming uninstalled, using this code, for example inside your domain startup script (please note: starting with win8, domain startup scripts are NOT regularly processed when fast startup is in use, so you might have to look for another way to ensure that script runs)
devcon findall =keyboard>%temp%\whitekey.txt
del %windir%\admin\whitekey.txt
for /f %%a in ('findstr /v "matching" %temp%\whitekey.txt') do echo %%a>>%windir%\admin\whitekey.txt

Open in new window

3 Now we proceed to deploying the task (for instructions, see https://technet.microsoft.com/en-us/library/cc725745.aspx ):

Taskname: Keyboardguard

->executing account: system
->trigger:  on event, Log: Microsoft-Windows-Kernel-PnP/Device Configuration, Source: Kernel-PnP, Event ID:410
->Action: start c:\windows\keybguard.bat
Keybguard.bat is a batch file that you need to deploy to the windows directory, too.  Code is
if not exist %windir%\admin\whitekey.txt goto end
devcon findall =keyboard >%temp%\keyb.txt
del %temp%\keyb2.txt
for /f %%a in ('findstr /v "matching" %temp%\keyb.txt') do echo %%a>>%temp%\keyb2.txt
for /f "tokens=1,2,3 delims=\" %%a in (%temp%\keyb2.txt) do findstr "%%a\%%b" %windir%\admin\whitekey.txt || devcon.exe remove "@%%a\%%b\%%c"
:end

Open in new window

That’s it. Mission accomplished, no more rubber ducky attacks. Whenever a ducky device is connected, it gets uninstalled in less than a second, leaving it with no time to execute even one line of malicious code. Of course you can modify this a bit so that a central whitelist is used instead of a per-machine-whitelist. But: if your (huge) company has many many different keyboard types, this list gets long and might even have a negative effect on script performance, that’s why I suggest to use one whitelist per machine.
Now, let me add two task scripts that will uninstall unknown MTP Devices (Phones) and USB drives.
Again, we deploy two scheduled task that execute scripts

Taskname: Kill_Phones

->executing account: system
->trigger:  on event, Log: Microsoft-Windows-WPD-MTPClassDriver/Operational | Source: WPD-MTPClassDriver | EventID:1000
->Action: start c:\windows\kill_phones.bat with code
for /f "tokens=1 delims=:, " %%a in ('devcon listclass wpd') do devcon.exe remove "@%%a"

Open in new window

(please note that this uninstalls all phones and does not look for a whitelist – you could use a whitelist like in the previous section, of course. I would not use one since most phones can be charged without being installed and I don’t like seeing BYOD devices on my network)
Edit: This has one drawback: Apple Iphones are special. They will not charge via USB unless a data connection is detected. So my task won't let them charge. If you plan to let Iphones charge, don't use this task but use these 2 GPOs instead:
WPD Devices: Deny read access 
WPD Devices: Deny write access 

Taskname: Kill_USBDrives

->executing account: system
->trigger:  on event, Log: Microsoft-Windows-Kernel-PnP/Device, Source: Kernel-PnP, EventID: 410
->Action: start c:\windows\kill_USBDrives.bat with code
xcopy \\server\share\allowlist.txt c:\windows\ /y
devcon.exe findall * |findstr "USB.Mass" >%temp%\usb.txt
del %temp%\usb2.txt
for /f %%a in (%temp%\usb.txt) do echo %%a>>%temp%\usb2.txt
for /f "tokens=1,2,3 delims=\" %%a in (%temp%\usb2.txt) do findstr "%%a\%%b" c:\windows\allowlist.txt || devcon.exe remove "@%%a\%%b\%%c"

Open in new window

Please note that this is again using an allowlist (=whitelist) that is being picked up from a network share and allows central modification. It would contain lines with device IDs, that look like this:

USBSTOR\DiskSanDisk_Cruzer_Orbit____1.26

Open in new window

Note that this can be single devices or device classes (like in the above line), just as you like!

That’s all. Feel  free to use and modify these scripts. You might still want to implement logging and alarming (mails/popups). Keep in mind that setting up these protective measures will always have a downside: whenever new keyboards/cordless presenters/USB drives or phones are introduced, you will have to whitelist them from now on.
15
Comment
Author:McKnife
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 56

Author Comment

by:McKnife
Thanks Jim.

I guess at the moment I am pretty fed up with frustration about questions. I have a feeling that it gets worse and worse for us experts. I don't know about the SQL sections, but in the typical system administrator sections (and OS security), I am tempted to say that nowadays 2 out of three questions are really hard to work with for one or the other reason.

Ok, I will try not to let it frustrate me too much.
0
 
LVL 41

Expert Comment

by:footech
I might suggest correcting some capitalization and bullet points.

I hadn't heard of USB rubber-ducky devices before.  Thanks for the info!
0
 

Expert Comment

by:JamesLambert
Hi Mcknife,

I had honestly never thought of anything like this so thanks for the heads up. Could you do the same thing but only activate if an .exe or  .com was run from the USB.  This would allow legitimate use of the USB but still protect the PC. We do it already with GPO to deny running *.exe etc from particular drive letters but your way sounds good too,
Cheers
0
 
LVL 56

Author Comment

by:McKnife
Hi James.

When an .exe is run, it's already too late. So until the removal action would have started (triggered by some mechanism, doesn't matter), the exe code is already inside the RAM of your computer and it will not help to uninstall the device, then.
What we could do, is trigger certain actions when the device is plugged in, like for example search the whole device for *.exe or *.com and if found, uninstall the device. But that might take a few seconds and it could be that this process is too slow, so that the exe is already started manually while the search is still on it.
0
 
LVL 56

Author Comment

by:McKnife
Oh James, somthing that will interest you!
I just "strolled" through our GPOs and came across a setting that I almost forgot: starting with win7, we can deny not only read/write but also execute access (separately) on removable devices by GPO! See https://technet.microsoft.com/de-de/library/hh125922%28v=ws.10%29.aspx?
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Join & Write a Comment

In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month