Unfortunately, you just became another statistic in information theft. The entire contents of your pen drive have been “backed up,” sliced into small pieces, compressed to a smaller file size and conveniently emailed to an attacker on an encrypted channel — all in a few minutes and completely unknown to you.
This threat is real and the potential danger of this attack is immeasurable due to the sheer amount of public computers today. All an attacker has to do to infect a computer is take a modified USB pen drive, plug it into a computer and wait about 15 seconds and leave.
The specific tool is called Hacksaw and is freely downloadable. The tool’s actions are directed by a text file (send.bat), and there are several suggested payload modifications which would allow anyone to adjust the effectiveness and activity of this attack — from stealing documents and passwords to infecting the company network. It has been suggested that with the proper modification it can also infect your USB memory device so that it infects any other computer it’s plugged into — a manual virus attack.
Specifically, what happens during the attack is that a hidden directory is created within the C:Windows directory. Hacksaw’s scripts and tools are then placed into this directory and the attack is executed from there. Once an unsuspecting USB memory device is plugged into this computer, the files are immediately copied to the hidden folder at which point the data is sliced, diced and emailed to the attacker. The tool is even kind enough to delete the copied files once they have been emailed.
Even the most updated anti-virus tool is ineffective against this attack because the tools used are not viruses. Hacksaw combines the use of the following tools: USBDumper to grab the contents of the USB device; RAR to slice and compress the data; Stunnel to create the encrypted communications channel; and Blat to email the data out.
Protecting your computer can be done by disabling the computer’s Autorun and using monitoring software such as GFI LANguard System Integrity Monitor to track changes to your computer. Software restrictions via local and/or domain security policies can also be applied to prevent the execution of these tools.
But the greatest security threat with Hacksaw isn’t your personal computer, it’s the public computers located in hotels, cyber cafés and sandwich shops. Many of these provide a kiosk front-end (some more restrictive than others) so that most users are restricted to specific activities on the computer. However, by default, Windows has Autorun turned on and therefore exposes many public computers to this attack. Even if the kiosk owner restricts writing to the Windows directory, Hacksaw can be modified to write and save to the temporary directory used by the internet browser.
My best suggestions to you in preventing a successful Hacksaw attack are to:
Use public computers with caution. Consider the potential damage that may occur should you plug your USB device in and the data is stolen.
Only carry the data you need on your device. Do you really need two gigs of documents and software on the pen drive or can much of it be archived?
Use your own computer as much as possible. Disable Autorun and use file monitoring software and software restrictions.
Ask the administrator to check their computers for this infection. Many administrators will comply to reduce their liability.
If you’re still in doubt as to the security of a public computer, don’t use it.
– Mark Spivey is the author of Practical Hacking Techniques and Countermeasures (Taylor & Francis, 2007).