Why the “dead drop” idea is dumb.

I couldn’t help but laugh the other day while on Facebook. I saw this “project” where you cement USB drives into walls to share files. The ‘movement’ seems pretty dead based on the comments on their website, but I still see people sharing their video on Facebook. Quite apart from the absurdity of plugging your $1000 computer into a wall, this is why you shouldn’t stick anything into your computer when you don’t know what’s on it. This article is geared toward the not-so-tech-savvy or people not in infosec, so I know this is very high-level stuff for the professionals, but for the regular Joe it is aimed at, I think this is about as technical as it needs to be.

The first step is to create the malicious executable using the Social-Engineer Toolkit (SET).

From the main menu I choose option 1 and get a list of attacks I can launch.

For this I’ll be using option [3], Infectious Media Generator.

Here’s the description of what it does. For the less tech-savvy: it creates a file on the drive that automatically runs the malicious executable when the drive is plugged in.

Going with option 2, Standard Metasploit Executable, gives this screen.

Here I select Windows Reverse_TCP Meterpreter. What this means is that the executable opens a connection from the victim’s computer back to the attacker’s, allowing the attacker to send commands to the victim’s computer. Selecting [2] from the menu above then gives this screen.

The IP address and port shown don’t matter here, because everything is running on a virtual machine. In a real-life scenario the attacker would be behind a VPN and proxy connection, so the true attacker’s IP wouldn’t be revealed. SET then creates a trojan as an executable program [.exe] and I start up the listener. The listener is the attacker’s side of the attack: it sits ‘listening’ for that executable to infect the victim’s computer and talk back to the attacker.

I take the trojan titled “payload.exe”, put it on my USB drive and rename it to something people will actually click on, like AdobePhotoshopInstall, because who doesn’t want free Photoshop?

At this point the USB drive is ready and I go drop it in a parking lot or cement it into a wall in New York. Next is what happens when someone plugs it in.

The USB drive is plugged in, and the .exe runs automatically because of AutoPlay.

Here’s the malicious executable that was made.

And here it is, running silently in the background as if nothing happened.

This is what the attacker sees:

So what does the above text mean? It means there’s now a backdoor on your computer and the attacker can send commands to it. Here’s a list of what the attacker can do.

Webcam stream and desktop stream are the two big notable ones, and this does not require administrator privileges, so even if you’re using a non-administrator account this would still work. Here’s a picture of the desktop stream in action.

[Screenshot of the desktop stream, taken 2016-08-05]

With this they can steal your files, wipe your hard drive, install more viruses on your computer, basically whatever they want, because they have full access to your PC. This took me about 5 minutes to set up in total, and the malicious executable/trojan itself was made in about 2 seconds. So how do you protect against it? Simply: don’t plug anything into your PC that you don’t know. That’s why the dead drop idea is dumb. You wouldn’t let a stranger into your house because they’re promising free cable, right? Why is it different with a USB drive? As a fallback, most anti-virus does catch this particular payload I showed, since it’s quite old and I did not encode it. But relying on anti-virus is always a bad idea; your first line of defense should be common sense.
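Added here as a defender-side example, not code from the post: a small Python script for someone who has to examine a found drive anyway (on an isolated machine, never their own PC). It parses the drive’s autorun.inf the way the AutoPlay step above relies on, resolves the program that would be launched, and flags exactly the tricks used in this post: an auto-launched executable with an installer-sounding name. The build_sample_drive helper and the file names in it are constructed stand-ins mirroring the post, not real artifacts.

```python
"""Triage a removable drive's autorun.inf: report what AutoPlay would launch and why it looks bad.
Hypothetical defender-side helper written for this post, not the post's own code."""
import configparser
import os
import shlex
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that name a program to run
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".jpg", ".png", ".txt"}


def inspect_autorun(drive_root):
    """Return a list of {key, target, reasons} dicts, one per launch key found."""
    inf_path = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True, delimiters=("=",))
    with open(inf_path, encoding="utf-8", errors="ignore") as fh:
        parser.read_file(fh)
    # Windows matches the section name case-insensitively; configparser does not.
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    findings = []
    for key in LAUNCH_KEYS:
        command = parser.get(section, key, fallback=None) if section else None
        tokens = shlex.split(command, posix=False) if command else []
        if not tokens:
            continue
        program = tokens[0].strip('"')  # first token is the program; the rest are arguments
        target = os.path.normpath(os.path.join(drive_root, program))
        stem, ext = os.path.splitext(os.path.basename(target).lower())
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("auto-launches an executable")
        if os.path.splitext(stem)[1] in DOCUMENT_EXTS:
            reasons.append("double extension disguises the executable as a document")
        if "install" in stem or "setup" in stem:
            reasons.append("name mimics a software installer")
        if not os.path.isfile(target):
            reasons.append("referenced program is missing from the drive")
        findings.append({"key": key, "target": target, "reasons": reasons})
    return findings


def build_sample_drive():
    """Constructed stand-in for the post's drive: renamed payload plus an autorun.inf."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "AdobePhotoshopInstall.exe"), "wb") as fh:
        fh.write(b"MZ placeholder, not a real program")  # constructed, inert bytes
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=AdobePhotoshopInstall.exe\nicon=AdobePhotoshopInstall.exe\n")
    return root
```

Running inspect_autorun(build_sample_drive()) reports the open= entry as an auto-launched executable whose name mimics an installer; a drive with no autorun.inf yields no findings.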
