So You Found a USB Stick…


A colleague of mine called me aside for a word. ‘I have a story to tell,’ he said. As we entered his room, I noticed that he had something in his hand. The moment I focused on the object lying in his open palm, the topic of our conversation became clear. He was about to start a sentence but I interjected: ‘We're being tested?’ ‘We're being tested,’ he echoed in confirmation. ‘One in the bathroom. One near the printer. Rumour has it that an unlucky fellow plugged one in. Want to have a look?’

We have worked together for quite some time, so he did not need to spell out what kind of look he had in mind.

I agreed.

The Stick

It was a plain-looking black USB stick with a blue rotating protector, our company's logo printed in pale colour ink on a white label. The whole assembly had a cheap, ugly, makeshift look and feel; imagine a life-sized model of a USB stick made of painted cardboard.

I duly erased the logotype from the photograph using GIMP.

I detached the protector.

The back side of the sticker is blank.

I took it apart.

One side of the encasement; note the clips.

The encasement was the most primitive snap-in type one can imagine; I could bend it by pressing with three fingers.

The logic board.

The board carries a Macronix MX30LF1G08AA-TI, a 1 Gbit (128 MB) NAND flash memory chip from the Taiwanese manufacturer.

The back side of the logic board.

The board appears to have been produced recently, last July. Note how poorly the USB connector is soldered to the board; I guess that I could solder it better myself. Also, pay attention to the large black blob of some molten material, which I took to be a stiffener against bending and cracking inside the encasement. (A colleague of mine pointed out that this is the standard ‘glob-top’ coating for a bare die bonded directly to the board, which implies that there is a controller under the blob.) This is the face of mass-produced horror; clearly, a throw-away item that is sold by the bucket.

Well, at the very least, it is obviously not a USB Killer: there are no high-voltage components, only a memory chip that matches its published datasheet and the controller under the blob. Visual inspection says nothing about what firmware that controller runs, so the next step is to plug it into a computer that will not act on the device unless told to.

The Filesystem

One of the things that I especially like about OpenBSD is that, in its default configuration, it does nothing with a newly attached device unless it is told to: no automounting, no autorun, nothing. I can advance one step at a time.

I inserted the stick into a PC and the kernel reported a no-name 120 MB USB mass-storage device (somewhat less than the chip's 128 MB, the remainder presumably being reserved by the controller for bad-block management). I quickly produced a hexadecimal dump of the first sector of the drive to see if there was anything that might require special attention. There was ye olde Master Boot Record with a partition table holding one VFAT entry. I noted the first logical sector of that partition and started browsing the dump from there. First came the boot sector, with nothing remarkable in it, so I continued turning the pages of the dump, skipping the file allocation tables until I got to the root directory.
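The steps described above (partition table, boot sector, skipping the FATs to reach the root directory) can be written down as a small parser. The following is an added example, not the author's tooling: it decodes an MBR partition entry, the FAT BIOS Parameter Block and 8.3 directory entries, and runs against a constructed 120 MB FAT16 layout built by build_sample(); the partition start LBA, the FAT sizes and the three directory entries are invented for the demonstration, not taken from the stick.

```python
"""Walk a raw disk the way the text describes: MBR partition table, FAT
boot sector, then straight to the root directory.  Added example, not the
author's tooling; the 120 MB FAT16 layout from build_sample() is constructed."""
import struct

SECTOR = 512


def parse_mbr(sector0):
    """Non-empty primary partition entries: type byte, start LBA, length in sectors."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", sector0, 446 + 16 * i)
        if ptype:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    return parts


def parse_bpb(boot):
    """BIOS Parameter Block fields needed to find the root directory (FAT12/16 and FAT32)."""
    if boot[510:512] != b"\x55\xaa":
        raise ValueError("no boot sector signature")
    bps, spc, reserved, nfats, root_entries, total16, _media, spf16 = \
        struct.unpack_from("<HBHBHHBH", boot, 11)
    total32, = struct.unpack_from("<I", boot, 32)
    bpb = {"bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved": reserved,
           "fats": nfats, "root_entries": root_entries,
           "total_sectors": total16 or total32, "sectors_per_fat": spf16}
    if root_entries == 0 and spf16 == 0:      # FAT32: 32-bit FAT size, root dir is a cluster chain
        bpb["sectors_per_fat"], = struct.unpack_from("<I", boot, 36)
        bpb["root_cluster"], = struct.unpack_from("<I", boot, 44)
    return bpb


def root_dir_lba(part_lba, bpb):
    """Absolute LBA of the first root-directory sector: the 'skip the FATs' step."""
    after_fats = part_lba + bpb["reserved"] + bpb["fats"] * bpb["sectors_per_fat"]
    if "root_cluster" in bpb:                 # FAT32: data area begins right after the FATs
        return after_fats + (bpb["root_cluster"] - 2) * bpb["sectors_per_cluster"]
    return after_fats                         # FAT12/16: fixed root directory follows the FATs


def parse_dir_entries(sector):
    """Live 8.3 entries; deleted (0xE5) and long-file-name fragments (attr 0x0F) are skipped."""
    entries = []
    for off in range(0, len(sector) - 31, 32):
        e = sector[off:off + 32]
        if e[0] == 0x00:                      # first never-used slot ends the directory
            break
        if e[0] == 0xE5 or e[11] == 0x0F:
            continue
        (name, ext, attr, _ntres, _ctenth, _ctime, _cdate, _adate,
         hi, _wtime, _wdate, lo, size) = struct.unpack("<8s3sBBBHHHHHHHI", e)
        base = name.decode("ascii", "replace").rstrip()
        suffix = ext.decode("ascii", "replace").rstrip()
        entries.append({"name": base + ("." + suffix if suffix else ""),
                        "dir": bool(attr & 0x10), "cluster": (hi << 16) | lo, "size": size})
    return entries


def build_sample():
    """Constructed sectors: one FAT16 partition (type 0x06) of 245760 sectors starting at LBA 8064."""
    entry = struct.pack("<B3sB3sII", 0x00, bytes(3), 0x06, bytes(3), 8064, 245760)
    mbr = bytes(446) + entry + bytes(48) + b"\x55\xaa"
    # jmp, OEM, bytes/sector, sectors/cluster, reserved, FATs, root entries, total16,
    # media, sectors/FAT, sectors/track, heads, hidden sectors, total32
    bpb = struct.pack("<3s8sHBHBHHBHHHII", b"\xeb\x3c\x90", b"MSDOS5.0",
                      512, 4, 4, 2, 512, 0, 0xF8, 240, 63, 255, 8064, 245760)
    boot = bpb + bytes(SECTOR - len(bpb) - 2) + b"\x55\xaa"

    def dent(name, ext, attr, cluster, size):
        return struct.pack("<8s3sBBBHHHHHHHI", name, ext, attr, 0, 0, 0, 0, 0,
                           cluster >> 16, 0, 0, cluster & 0xFFFF, size)

    root = (dent(b"SYSTEM~1", b"   ", 0x16, 3, 0)              # System Volume Information
            + bytes([0x42]) + bytes(10) + b"\x0f" + bytes(20)    # an LFN fragment, to be skipped
            + dent(b"PAYROLL ", b"XLS", 0x20, 5, 40960)
            + dent(b"README~1", b"URL", 0x20, 27, 118))
    return mbr, boot, root + bytes(SECTOR - len(root))


if __name__ == "__main__":
    mbr, boot, root = build_sample()
    part = parse_mbr(mbr)[0]
    bpb = parse_bpb(boot)
    print("partition type 0x%02x at LBA %d" % (part["type"], part["lba"]))
    print("root directory at LBA", root_dir_lba(part["lba"], bpb))
    for e in parse_dir_entries(root):
        print("%-14s %s %8d" % (e["name"], "<DIR>" if e["dir"] else "     ", e["size"]))
```

On a real stick the same functions are fed sector 0 of the whole device, then the sector at the partition's start LBA, then the sector at the computed root-directory LBA, which is exactly the page-turning the text describes; the point of the exercise is that nothing has been mounted yet when the file names become visible.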

Yes, that is what I expected: in the root directory there were a number of Microsoft Office documents, a PDF file, an ‘Internet shortcut’, and the ‘System Volume Information’ directory. I felt safe enough to mount the disk and take a closer look at those files.

Canarytokens

Since this is a ‘clickbait’ collection of files, its author expected the user to start opening them while giving it little thought, if any thought at all. So first I picked the smallest file that can be double-clicked on Windows, the ‘Internet shortcut’ (a plain-text .url file), and printed it on my terminal. The embedded URL pointed to Canarytokens by Thinkst (while their landing page is not interesting unless you are going to use their service, please take a moment to read the explanation of how it works; they are a legitimate company and their site is safe to visit).

The appearance of a link to Canarytokens in this particular collection of files is an abuse of Thinkst's service, which is intended for detecting real attacks. (At the very least, the author of this collection should have downloaded Thinkst's source code, which is freely available, and run his own server.)

KnowBe4

Next, I proceeded to the PDF document, which is also quite readable when simply printed on the terminal. The document (a suspiciously short one) was prepared so that the user had to click a button inside Adobe Reader, presumably to view its contents. Unfortunately for the user, that click in fact triggers a piece of embedded JavaScript that issues an HTTP GET request to https://eu.knowbe4.com/usb_campaigns/report/ (the URL continues with a Base64-encoded query string that decodes to cid=xxxxxxxxxxxx&type=pdf&action=open; in place of those twelve letters ‘x’ there is a hexadecimal number that I removed for the purpose of this publication, for it obviously identifies our employer).
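Reading a PDF on the terminal works because its object syntax is text; the same triage can be done mechanically. The following is an added example, not the author's method: it counts action-related names in the raw bytes, pulls inline /JS strings out of the file, finds URLs in them and tries the last path segment as Base64. The PDF it runs on is a constructed skeleton (no cross-reference table, so no viewer would open it), and the app.launchURL() call is an assumption about the shape of such a script; the page does not reproduce KnowBe4's actual JavaScript. The report path is the one quoted in the text and the query string keeps the text's redacted cid=xxxxxxxxxxxx placeholder.

```python
"""Triage a PDF's active content without opening it in a viewer: locate
action dictionaries, pull the /JS strings out, find URLs in them and decode
a Base64 query string.  Added example, not the author's method; the PDF
skeleton from build_sample_pdf() and its script are constructed."""
import base64
import binascii
import re

ACTION_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/URI", b"/SubmitForm", b"/GoToR")
URL_RE = re.compile(rb"https?://[^\s\"'()<>]+")
PDF_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def find_actions(pdf):
    """How often each action-related name occurs: a first, cheap look at a 'suspiciously short' PDF."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", pdf))
            for k in ACTION_KEYS}


def extract_js(pdf):
    """Inline /JS values as bytes.  Literal strings honour backslash escapes and nested
    parentheses; hex strings are unhexlified.  Indirect references (/JS 5 0 R) and
    Flate-compressed streams are not followed here."""
    scripts = []
    for m in re.finditer(rb"/JS\s*", pdf):
        pos = m.end()
        if pdf[pos:pos + 1] == b"(":
            depth, i, out = 0, pos, bytearray()
            while i < len(pdf):
                c = pdf[i:i + 1]
                if c == b"\\":                 # escape: \n \r \t \b \f, or the next byte literally
                    nxt = pdf[i + 1:i + 2]
                    out += PDF_ESC.get(nxt, nxt)
                    i += 2
                    continue
                if c == b"(":
                    depth += 1
                    if depth > 1:
                        out += c
                elif c == b")":
                    depth -= 1
                    if depth == 0:
                        break
                    out += c
                else:
                    out += c
                i += 1
            scripts.append(bytes(out))
        elif pdf[pos:pos + 1] == b"<":
            end = pdf.index(b">", pos)
            scripts.append(binascii.unhexlify(re.sub(rb"\s", b"", pdf[pos + 1:end])))
    return scripts


def urls_and_params(script):
    """(url, decoded) pairs: the last path segment is tried as standard Base64, None if it is not.
    A Base64 token that itself contains '/' would need the known prefix stripped instead."""
    found = []
    for u in URL_RE.findall(script):
        tail = u.rsplit(b"/", 1)[-1]
        try:
            decoded = base64.b64decode(tail, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            decoded = None
        found.append((u.decode(), decoded))
    return found


def build_sample_pdf():
    """Constructed skeleton (no xref, not viewer-valid) of a one-button form whose click
    runs JavaScript.  Report path as quoted in the text; cid keeps the redacted placeholder."""
    query = b"cid=xxxxxxxxxxxx&type=pdf&action=open"
    url = b"https://eu.knowbe4.com/usb_campaigns/report/" + base64.b64encode(query)
    js = b'app.launchURL("' + url + b'", true);'        # assumed shape of the beacon script
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >> >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj\n"
            b"4 0 obj << /Type /Annot /Subtype /Widget /FT /Btn /Ff 65536 /T (view)\n"
            b"   /Rect [200 400 412 440] /A << /S /JavaScript /JS (" + js + b") >> >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print({k: v for k, v in find_actions(pdf).items() if v})
    for script in extract_js(pdf):
        print(script.decode())
        for url, params in urls_and_params(script):
            print("  ->", url, "\n     decodes to:", params)
```

Two caveats a practitioner should keep in mind: a real document may hold the script in a Flate-compressed object stream, in which case the raw-bytes scan finds nothing and the streams must be inflated first; and a script may assemble its URL at run time, in which case only reading the JavaScript itself reveals the destination.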

KnowBe4 (their slogan reads ‘Human error. Conquered.’) is a ‘leader in security awareness computer-based training’. The company features ‘products’ sometimes having sickening names, such as ‘Kevin Mitnick Security Awareness Training’, if you ever cared to know who Kevin Mitnick is and why he did five years behind bars.

Apparently, I was looking at their free ‘tool’, called ‘USB security test’; I just needed the final proof.

Since I am not one of those ‘security researchers’ who enjoy picking Adobe Reader apart for fun and profit, I cannot tell you whether the HTTP request that I found is anonymous or not; I saw no evidence either way, and in cases like this I always assume the worst.

Microsoft Office Documents

Now the time for the main course has finally come. As is widely known, modern Microsoft Office documents are nothing but zip archives, so I listed the files stored in them using unzip(1) with the -l option.

I was looking for one very particular thing, and it was in the second document that I checked: the archive Payroll.xls contained the file xl/vbaProject.bin. I extracted that file to the standard output, passing it through the strings(1) and less(1) utilities, and read very carefully. (No, self-esteem would not permit me to stoop to finding a decompiler for Visual Basic for Applications binaries.)
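A caveat worth knowing before reading vbaProject.bin with strings(1): the VBA module source inside it is stored in the MS-OVBA ‘CompressedContainer’ format, so strings(1) shows only the stretches that happen to be stored as literals, plus whatever sits uncompressed elsewhere in the file. The following is an added example, not the author's or KnowBe4's code: find_vba_parts() does what the unzip -l listing did, and decompress_container() implements the MS-OVBA 2.4.1 decompression of one container. SAMPLE_CONTAINER is assembled by hand for this example to exercise both literal and copy tokens; the zip from build_sample_zip() is likewise constructed and its vbaProject.bin is a dummy carrying only the OLE2 magic bytes.

```python
"""Locate the VBA project inside an OOXML document and decompress a module
stream.  Added example, not the author's or KnowBe4's code.  Module source in
vbaProject.bin is stored in MS-OVBA 'CompressedContainer' form, which is why
strings(1) shows only fragments; decompress_container() recovers the text.
SAMPLE_CONTAINER is hand-built to exercise literal and copy tokens."""
import io
import math
import struct
import zipfile


def find_vba_parts(ooxml_bytes):
    """Zip members that carry macros, i.e. what `unzip -l` would show as vbaProject.bin."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]


def decompress_container(buf):
    """MS-OVBA 2.4.1 decompression of one CompressedContainer (signature byte, then chunks)."""
    if not buf or buf[0] != 0x01:
        raise ValueError("bad container signature")
    out = bytearray()
    pos = 1
    while pos < len(buf):
        header, = struct.unpack_from("<H", buf, pos)
        size = (header & 0x0FFF) + 3                  # whole chunk, 2-byte header included
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        compressed = bool(header >> 15)
        end = min(len(buf), pos + size)
        chunk_start = len(out)                        # copy offsets never reach back past here
        pos += 2
        if not compressed:                            # raw chunk: 4096 literal bytes
            out += buf[pos:pos + 4096]
            pos += 4096
            continue
        while pos < end:
            flags = buf[pos]
            pos += 1
            for bit in range(8):                      # one flag bit per token, LSB first
                if pos >= end:
                    break
                if not (flags >> bit) & 1:            # 0: literal byte
                    out.append(buf[pos])
                    pos += 1
                    continue
                token, = struct.unpack_from("<H", buf, pos)   # 1: copy token (offset, length)
                pos += 2
                so_far = len(out) - chunk_start
                if so_far == 0:
                    raise ValueError("copy token before any data in chunk")
                # the offset/length split depends on how much of the chunk is already decompressed
                bit_count = max(math.ceil(math.log2(so_far)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for k in range(length):               # byte by byte: copies may overlap themselves
                    out.append(out[src + k])
    return bytes(out)


# Hand-assembled container (constructed for this example).  Decompresses to
# 'Attribute VB_Name = "Module1"\r\nAttribute VB_Exposed = False\r\n'.
SAMPLE_CONTAINER = (
    b"\x01"                                  # container signature
    b"\x38\xb0"                              # chunk header: size 59, signature 0b011, compressed
    b"\x00" b"Attribut"                      # flag 0x00: eight literals
    b"\x00" b"e VB_Nam"
    b"\x00" b'e = "Mod'
    b"\x80" b'ule1"\r\n' b"\x0a\xf0"         # seven literals, then copy 13 bytes from 31 back
    b"\x00" b"Exposed "
    b"\x00" b"= False\r"
    b"\x00" b"\n"
)


def build_sample_zip():
    """Constructed OOXML-shaped zip with a dummy xl/vbaProject.bin (OLE2 magic, nothing else)."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(504))
    return bio.getvalue()


if __name__ == "__main__":
    print(find_vba_parts(build_sample_zip()))
    print(decompress_container(SAMPLE_CONTAINER).decode())
```

In a real vbaProject.bin the module streams live inside an OLE2 compound file under the VBA storage; the ‘dir’ stream (itself one compressed container) names each module and gives the MODULEOFFSET at which that module's compressed source begins, so the sequence is: open the compound file (olefile does this), decompress ‘dir’, then call decompress_container() on each module stream from its offset onward. The host-name and user-name submission described below is the kind of thing that becomes readable only after this step.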

On the way to my goal, I came across several interesting things. For instance, this code carried pieces written by the hard-working Czech programmer Antonin Foller as early as 2001 (would you believe that KnowBe4, a large company turning millions of USD in profit yearly, is incapable of developing its own Base64 encoder?). Surprisingly, KnowBe4 is not listed among Mr. Foller's customers. Did KnowBe4 pay for his software, which is not free?

Another piece of that code, developed in 2016, proved that it submits to KnowBe4, at the very least, the host name and the user name of the account under which the document was opened. I was amused to discover this in a testing part of the binary that had not been removed from the production release, and then found the traces of the same submission in the part of the binary that was intended for production.

But I was after something else, and I found it: I had the login name of the person who saved that Microsoft Excel spreadsheet.

Since employers are usually quite unimaginative when it comes to login names, ten minutes later I had this KnowBe4 employee's name, surname, address, a list of relatives, ‘social media’ accounts, et cetera (much more information than I ever wanted to know), all from open sources, legally, without paying a penny, simply by connecting the dots.

In Conclusion

I find subjecting employees to this kind of Pavlovian conditioning to be disgusting and deeply inhuman, for it cynically exploits the best trait that is present in every person—the sincere readiness to help, to offer assistance, to return lost property in this case. (I am not going to elaborate on the fact that some of us are under the religious commandment to do that, even to a foe, as in שמות כ"ג ד' [Exodus 23:4].)

These tactics do nothing good to the employee's trust and loyalty either, for they send a simple message: ‘You are an unwilling subject to an experiment. You are being watched, reported, and counted.’ No amount of typical HR propaganda of being a part of a family and a team can counter that.

Such ‘campaigns’ are utterly irresponsible too. I would be very much surprised to discover that whoever authorised this had actually checked the binary code distributed on these USB sticks. What made that person assume that it is not malicious in itself?

These dirty tricks are prone to causing collateral damage: what makes their perpetrators think that the sticks will not be picked up by technical staff (repairmen, janitors, and so on) who may take one home? What about visitors who come to the office for business or to meet their relatives?

Last but not least: any weapon can be turned against its bearer.

Vadim Penzin, March 11th, 2019


I hereby place this article into the public domain.
I publish this information in the hope that it will be useful, but without ANY WARRANTY.
You are responsible for any and all consequences that may arise as the result of using this information.