A few weeks ago I read an article about a Trojan mouse in the German computer magazine “c’t”. As I had a little free time, I decided to build one myself. After a little googling I found the original article by Netragard (http://pentest.snosoft.com/2011/06/24/netragards-hacker-interface-device-hid/). They in turn based their “Hacker Interface Device” on this blog post by Adrian Crenshaw: http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle.
A good friend of mine, Christian Mallas (thanks a lot, pal), helped me with all my electronics questions. He told me not to use the “Teensy” combined with Arduino as in the projects above, but to use one of Atmel’s megaAVRs (it should work with all of them) and to program it myself, as this would be more fun.
How does it work?
The megaAVR emulates a USB HID keyboard. It can send any key at any time, and no program or setting is able to block it. After some delay it sends the key combination “Windows + R”. Then it types a command to execute a file on a built-in storage device. That’s it. Pretty easy, don’t you think? Additionally I added some code to deactivate the card reader after the computer was infected successfully, so the SD card doesn’t show up in Explorer anymore (which I find really disturbing, but I couldn’t help it; luckily the average user does not realize that something is wrong).
Like Netragard, I wrote a little program as the malware, which connects back to Metasploit, and I also used Meterpreter. I found out that it is really easy to avoid detection by antivirus programs, as they don’t scan memory: if you obfuscate the payload in the source and assemble it in memory, antivirus programs can’t find it. For legal reasons I don’t provide the source code for my malware here. Just google a little bit; you will find all the information you need.
First we need a mouse. I bought the cheapest Logitech mouse I could find at a local computer store.
Second we need a storage device. I bought a really small micro SD card reader and a 2 GB micro SD card (the smallest one I could get).
Third we need all the components to build a HID device with the megaAVR. I don’t want to list everything here, so look at the schematics later on in this post.
And last we need a really small USB hub to connect all the devices. I bought this one and extracted the board.
Everything has to fit into the mouse!
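Seen from the host, the device assembled from the parts above enumerates on one physical port as a small USB hub with a mouse, an HID keyboard and a mass-storage device behind it, and that composition is exactly what makes it recognisable from the defender’s side. The following Python script is an added example, not code from the original post: it parses constructed Linux kernel USB-enumeration log lines (placeholder vendor/product IDs, not real devices) and flags any physical port that presents a keyboard together with a hub and a mouse or storage device. The regular expressions, class names and the decision to drop the bus number are assumptions made for the sample format; real tooling would also key on the host controller and bus.

```python
import re
from collections import defaultdict

# Constructed kernel log lines (not from the original post). Vendor and
# product IDs are placeholders. Port 1 carries the Trojan mouse: a hub with a
# mouse, a keyboard and a card reader behind it. Port 2 carries a plain keyboard.
SAMPLE_DMESG = """\
[   12.100001] usb 1-1: new full-speed USB device number 4 using xhci_hcd
[   12.100002] usb 1-1: New USB device found, idVendor=0001, idProduct=0002, bcdDevice= 1.00
[   12.100003] hub 1-1:1.0: USB hub found
[   12.100004] hub 1-1:1.0: 4 ports detected
[   12.400001] usb 1-1.1: new low-speed USB device number 5 using xhci_hcd
[   12.400002] usb 1-1.1: New USB device found, idVendor=0003, idProduct=0004, bcdDevice= 1.00
[   12.400003] hid-generic 0003:0003:0004.0001: input,hidraw0: USB HID v1.11 Mouse [USB Optical Mouse] on usb-0000:00:14.0-1.1/input0
[   12.700001] usb 1-1.2: new low-speed USB device number 6 using xhci_hcd
[   12.700002] usb 1-1.2: New USB device found, idVendor=0005, idProduct=0006, bcdDevice= 1.00
[   12.700003] hid-generic 0003:0005:0006.0002: input,hidraw1: USB HID v1.01 Keyboard [HID Keyboard] on usb-0000:00:14.0-1.2/input0
[   13.000001] usb 1-1.3: new high-speed USB device number 7 using xhci_hcd
[   13.000002] usb 1-1.3: New USB device found, idVendor=0007, idProduct=0008, bcdDevice= 1.00
[   13.000003] usb-storage 1-1.3:1.0: USB Mass Storage device detected
[   20.000001] usb 1-2: new low-speed USB device number 8 using xhci_hcd
[   20.000002] usb 1-2: New USB device found, idVendor=0009, idProduct=000a, bcdDevice= 1.00
[   20.000003] hid-generic 0003:0009:000A.0003: input,hidraw2: USB HID v1.10 Keyboard [Plain Keyboard] on usb-0000:00:14.0-2/input0
"""

# Optional "[ seconds ]" prefix that dmesg prints in front of every line.
TIMESTAMP_RE = re.compile(r"^\[\s*[\d.]+\]\s*")
# Hub and storage messages carry the full "bus-port.port" path plus interface.
HUB_RE = re.compile(r"^hub (\d+-[\d.]+):\d+\.\d+: USB hub found")
STORAGE_RE = re.compile(r"^usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage")
# hid-generic prints the HID type (Keyboard/Mouse) and the port path after
# the controller address, e.g. "... on usb-0000:00:14.0-1.2/input0".
HID_RE = re.compile(
    r"^hid-generic \S+: .*USB HID v[\d.]+ (Keyboard|Mouse) \[[^\]]*\] on usb-\S+-([\d.]+)/input\d+"
)


def root_port(path):
    """'1-1.2' or '1.2' -> '1': the root-hub port the device physically hangs off.
    The bus number is dropped for brevity (assumption); keep it in real tooling."""
    if "-" in path:
        path = path.split("-", 1)[1]
    return path.split(".", 1)[0]


def parse_enumeration(log_text):
    """Map each root port to the set of device classes enumerated behind it."""
    ports = defaultdict(set)
    for raw in log_text.splitlines():
        line = TIMESTAMP_RE.sub("", raw)
        if m := HUB_RE.match(line):
            ports[root_port(m.group(1))].add("hub")
        elif m := STORAGE_RE.match(line):
            ports[root_port(m.group(1))].add("storage")
        elif m := HID_RE.match(line):
            ports[root_port(m.group(2))].add(m.group(1).lower())
    return dict(ports)


def find_suspicious_ports(ports):
    """Flag a single physical port that presents a keyboard together with a hub
    and another function (mouse and/or storage): a keyboard hiding inside a
    device sold as something else. A lone keyboard is normal and not flagged."""
    findings = []
    for port, classes in sorted(ports.items()):
        if "keyboard" in classes and "hub" in classes and classes & {"mouse", "storage"}:
            findings.append((port, sorted(classes)))
    return findings


if __name__ == "__main__":
    for port, classes in find_suspicious_ports(parse_enumeration(SAMPLE_DMESG)):
        print(f"root port {port}: keyboard hidden in composite device {classes}")
```

On a real host the same classification can be driven from udev events instead of dmesg, which also allows blocking the keyboard interface until a user confirms it; the check above only reports.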
The HID Keyboard
First the schematics:
Basically the schematics are the same as on the v-usb website: http://www.obdev.at/Images/vusb/circuit-zoomed.gif. I used three diodes, as with two I still had a potential of 3.6V, which works, but is a little too high. So I added a Schottky diode (of course recommended by Christian). The two MOSFETs in the right lower corner are used to switch on and off the card reader and the mouse.
Here’s the source code. For USB support I used V-USB. I removed the malware from the zip file:
While programming the device I looked at the Teensy source generated by the Social-Engineer Toolkit (SET) and realized that my device works much faster (16 ms vs. up to 56 ms per character). So it really is an advantage not to use Arduino.
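The 16 ms per character noted above is also a detection opportunity on the host: a sustained run of keystrokes arriving faster than any person types is characteristic of a keystroke-injecting device, whatever it enumerates as. The following Python function is an added example, not from the original post. It works on constructed keystroke event lists (millisecond timestamp, key name); the 40 ms threshold and the minimum run length are assumed values to tune locally.

```python
# Constructed keystroke samples (not from the original post): (time_ms, key).
HUMAN_TYPING = [(0, "n"), (140, "o"), (310, "t"), (420, "e"),
                (610, "p"), (720, "a"), (900, "d"), (1010, "Enter")]
# The device described in the post: Windows+R, then a command at 16 ms per key.
INJECTED_TYPING = [(2000, "LGUI+r"), (2016, "c"), (2032, "m"), (2048, "d"), (2064, "Enter")]
MIXED_STREAM = HUMAN_TYPING + INJECTED_TYPING + [(3000, "h"), (3150, "i")]


def interkey_gaps(events):
    """Milliseconds between consecutive keystrokes."""
    return [events[i][0] - events[i - 1][0] for i in range(1, len(events))]


def find_injected_bursts(events, max_human_ms=40, min_keys=5):
    """Return (start, end) index ranges of runs of at least min_keys keystrokes
    in which every inter-key gap is below max_human_ms. A person may produce a
    single fast gap, but not a sustained run of them, so only runs are flagged.
    Both parameters are assumed defaults, not measured values."""
    bursts = []
    start = None  # index of the first key of the current fast run
    for i, gap in enumerate(interkey_gaps(events), start=1):
        if gap < max_human_ms:
            if start is None:
                start = i - 1
        else:
            if start is not None and i - start >= min_keys:
                bursts.append((start, i - 1))
            start = None
    if start is not None and len(events) - start >= min_keys:
        bursts.append((start, len(events) - 1))
    return bursts


def burst_text(events, burst):
    """The keys typed within a flagged burst, for an analyst to read."""
    start, end = burst
    return " ".join(key for _, key in events[start:end + 1])


if __name__ == "__main__":
    for burst in find_injected_bursts(MIXED_STREAM):
        print(f"injected burst at events {burst}: {burst_text(MIXED_STREAM, burst)}")
```

With a 40 ms threshold the 16 ms device described here is flagged, while the 56 ms Teensy figure from the post would not be; the threshold trades false positives from fast typists against slower devices, so treat timing as one signal alongside the enumeration check rather than on its own.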
That’s it. Have fun experimenting ;).