SANS ISC InfoSec Forums - Unexpected USB stick delivered

Unexpected USB stick delivered
First time poster, please be kind.

This is a security forum, so I am not afraid to sound too paranoid. I am seeking advice from SANS security experts. I purchased a cable from a reputable retailer a few days ago and today I received a package with the USB/Lightning cable. To my surprise it was shipped from China, and to my bigger surprise it came along with a funky looking USB stick. Something that I haven't ordered, but the first thing that came to my mind was "Stuxnet". That's how the virus was likely delivered: a "free" USB stick.

I haven't connected the key to my computer, but I am curious to find out if there is a safe way to find out if the stick carries something "extra". I don't care to keep this stick; this is more of a curiosity.

Thank you in advance.
Anonymous

Easiest way is a machine you dedicate to doing malware analysis that you can quickly wipe/reimage after contaminating. If you have an old or unused PC lying around, you can even try to put a hypervisor on it and use a VM to make that process easier. Just snapshot the VM in a known clean state and restore each time you play with it.

Keep it off your network. For basic analysis, you don't even really need it on the internet.
xencon

5 Posts
When I rented a cable modem from my cable provider they supplied a USB key that had a configuration program for the modem on it.
Being an IT manager I am comfortable doing the config in a browser.

It could be something along the same lines as what you were sent. That being said I agree that the best way to test the USB key is on a VM that is NOT connected to your network or the internet.
PW

62 Posts
If you don't need it, then just discard it. If you are curious, it is nice to look at it from a disposable Linux system (e.g. Raspberry Zero if you managed to get one :) ). Chances are that it includes meant-to-be-harmless setup and configuration tools, maybe some brochure with more gadgets to buy. So far, pretty much all the infected USB devices I have seen coming direct from manufacturers were infected unintentionally. Of course, they could still cause harm, even if it isn't Stuxnet.
Johannes

3085 Posts
ISC Handler
Quoting Anonymous:First time poster, please be kind.

This is security forum, so I am not afraid to sound too paranoid. Thank you in advance.


Greetings! Hope you come back again and again. Do not let China be your qualifier for concern, since the majority of electronics come from there. Sadly! (But I digress)

I have this as my tagline => "Distrust and caution are the parents of security" - Benjamin Franklin. Simply put, when in doubt, toss it out; don't open the link, package, et al.

There is a great post on the Raspberry Zero in the forum should you wish to inquire.

<https://isc.sans.edu/forums/diary/USB+cleaning+device+for+the+masses/20315>

Regards,
IC
ICI2I

62 Posts
It's good to be paranoid in these situations. Like one of the previous posts said, not everything malicious comes from China. To be on the safe side, a standalone Linux machine would be the best option, for the fact that there is malware that can hop from VMs to the host (not easy to accomplish, but it's possible). Just don't put the USB directly into your host machine. Even if PnP is turned off on your host machine, when you attempt to open a folder, it could be a disguised .lnk file and execute anyway.

What I mentioned and what I like is a standalone Linux machine. To give SANS a plug, they have a REMnux Linux distro for analysis. Don't be afraid, but be curious about the USB and see what you can find out about it.

Another option is to live boot a Linux distro on your host and view and/or analyze the contents of the USB. There are good distros out there for this: REMnux, Kali, or simple Ubuntu, etc.

Hope this helped.
Anonymous

I use a VM as well. I would recommend examining or sanitizing USB sticks even when you pick up a new one, purchased or from a vendor. Image them if you're curious or need setup software, but always sanitize. IMO.
kfalconspb

1 Posts
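The read-only triage that Johannes and kfalconspb describe (look at the stick from a disposable Linux box, image it, never mount or run anything from it), written out as an added example that is not code from this thread or from SANS. It assumes the stick appears as a block device such as /dev/sdb (an assumption) and that blockdev, dd, sha256sum and grep are installed; the file(1) step is skipped if file is absent.

```shell
#!/bin/sh
# Added example: read-only triage of an unknown USB stick on a throwaway Linux box.
# Nothing here mounts the filesystem, so a disguised .lnk or autorun payload never
# gets a chance to execute; analysis happens on the image file, not the device.
set -eu

# Mark the device read-only in the kernel before anything else touches it, so an
# automounter or a stray write cannot change it. Needs root; no-op for plain files
# (which lets the same function run against a constructed test image).
protect_device() {
    dev="$1"
    if [ -b "$dev" ]; then
        blockdev --setro "$dev"
    fi
}

# Copy the raw contents to an image file without mounting it. conv=sync,noerror
# keeps going past unreadable sectors. Prints the SHA-256 of the image so it can
# be recorded before anyone looks inside.
image_device() {
    dev="$1"; out="$2"
    dd if="$dev" of="$out" bs=1M conv=sync,noerror 2>/dev/null
    sha256sum "$out" | cut -d' ' -f1
}

# Identify partition table / filesystem type of the image without mounting it.
describe_image() {
    img="$1"
    if command -v file >/dev/null 2>&1; then
        file -b "$img"
    else
        echo "file(1) not installed; skipping type detection"
    fi
}

# Pull printable names that deserve a closer look (autorun.inf, shortcuts,
# executables, scripts) straight out of the raw bytes, one per line.
suspicious_names() {
    img="$1"
    grep -aoiE 'autorun\.inf|[A-Za-z0-9_-]+\.(lnk|exe|scr|vbs|js|bat|cmd)' "$img" \
        | sort -u
}

# Usage (assumed device path): protect_device /dev/sdb;
# image_device /dev/sdb stick.img; describe_image stick.img; suspicious_names stick.img
```

Run the triage as root on the disposable box, then keep the hash and the image; the stick itself can be discarded as the earlier posts suggest.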
