I've been wondering lately how these USB execution attacks happen. Surely no modern system auto-runs things from a USB, so there has to be some kind of executable on the drive which the user of the drive either A. Expects to be there, or B. Doesn't notice is there. A sounds a bit strange, but maybe the system is updated over USB, that means that the hackers got into the update pipeline which is very bad. B might be more likely, create an EXE with the thumbnail of an image and maybe you could trick a user into clicking it. Or maybe some nefarious excel macro. But in this case it's strange that the system allows these things to be executed.

Does anyone have more details on how this is done?

This was described in the original post[1].

> It is probable that this unknown component finds the last modified directory on the USB drive, hides it, and renames itself with the name of this directory, which is done by JackalWorm. We also believe that the component uses a folder icon, to entice the user to run it when the USB drive is inserted in an air-gapped system, which again is done by JackalWorm.

[1] https://www.welivesecurity.com/en/eset-research/mind-air-gap...

Does the malware EXE that now looks like a Folder icon with same name as the last modified actual folder (which is now hidden) ... also redirect the user to the actual folder and its contents in file Explorer after successfully delivering its malicious payload?

THAT would probably ensure the user does not suspect anything nefarious has happened, even after the fact.

Now how Windows Defender and other heuristics based firewalls would not treat the malicious EXE with folder icon as a threat and quarantine it immediately -- I dont know.

>how Windows Defender and other heuristics based firewalls would not treat the malicious EXE with folder icon as a threat and quarantine it immediately -- I dont know.

The "malicious" exe, as I understood it, just boots up Python to run a script, where the actual malice lies. Windows Defender has to treat an executable that does only this as benign - because Python's packaging tools provide such executables (so that Windows users can get applications - including (upgrades to) Pip itself - from PyPI that "just work" in a world without shebangs and +x bits). For that matter, standard tools like Setuptools could well have been used as part of crafting the malware suite.

Presumably they could notice that an .exe has the normal folder icon. But presumably that icon could also be slightly modified in ways that would defeat heuristic recognition but still appear like a folder icon to a not-especially-attentive human.

>Does the malware EXE that now looks like a Folder icon with same name as the last modified actual folder (which is now hidden) ... also redirect the user to the actual folder and its contents in file Explorer after successfully delivering its malicious payload?

I didn't see anything about that in the description of the attack. But I assume that the Python script could accomplish this by just making an appropriate `subprocess.run` call to `explorer.exe`.

And also, which person setting up an air gapped system allows execution from a removable media? You'd think with that level of paranoia you'd have a couple more rules in place.

Huh, so it was B then. And good idea to use the folder, that's something you'd be more likely to click on than a regular file.

There are many ways. A simple way is to simulate a USB hub with an input device and a usb drive. You use the input device to execute whatever is on the drive. Another way is to identify as a device whose driver has some vulnerability. Windows auto-installs that driver, then you exploit it.

Sure, if you're the one who created the USB drive then you could make it not actually a USB drive. But this sounds like an infected machine infecting previously safe USB drives and turn them into malicious ones. And I'm not sure I get how a USB drive can be turned malicious. I vaguely remember there was a bit you could flip in older USB drives to make them appear as disk drives and enable autorun, but I doubt that's how this is done.

I think its the firmware. Outside of the main drive, there are smaller chips that work with the OS to r/w the main drive. Each chip has firmware whose memory is usually r/w as well.

Once you can manipulate the code on the firmware, its probably pretty easy to find a kernel level exploit.

Here is a reference with a virus. https://superuser.com/questions/854918/manipulating-firmware...

> simulate a USB hub with an input device and a usb drive

Yea but that has to be a custom or specific kind of programmable USB device. Or one that somehow unintentionally allows you to reflash its firmware to something else.

And also if anyone ever plugs your malicious USB device into a Mac, they will get a pop-up from macOS that asks you to identify the keyboard. Although maybe if it fakes a specific USB keyboard that macOS knows out of the box, you could avoid that?

As explained in the other reply, though, the attack was not actually dependent on a USB vulnerability.

You might want to have a look at svgbob or typograms then. I used the former for creating diagrams for a guide on Git and it worked really well. Of course Markdown editors could be better at "drawing" things, which would solve the pain in creating these diagrams.

Great language, would highly recommend at least trying it out.

Doesn't happen a lot, but it does happen from time to time. Of course only if you actually update your Nim version, so it's not like interpreted languages like Python where stuff stops working if a new version comes out and your package manager upgrades it.

Haven't heard of self-texting before, didn't even know it was possible. But I've been having a similar idea to this based off-of writing in a physical notebook. Basically my notes there end up sequentially, and I was missing this with my digital tools. My idea however was more of a "book mode" for a regular note-taking app where notes would be placed one after another on a long scrolling page.

Which has the same battery size as this machine. Considering my own experience with Linux on laptops (granted with i3 and not KDE) this machine could be a beast in terms of battery life.

Oh this is cool! I recently wrapped libfuse in Nim and after porting the 'hello' filesystem example I made one which is more or less exactly this. However my version you pipe data and have to provide a mountpoint, then when it's done it writes the result over stdout. That means you can inline it in a pipe chain but also that you have to make sure to grab the output.

At the moment I'm exploring other stuff which could be made into file systems. I've got a statusbar thing for the Nimdow window manager which allows you to write contents to individual files and it creates a bar with blocks on them as the output. It makes it super easy to swap out what is on your bar which is pretty neat.

Another tool I've made is a music player. It uses libvlc and when given a folder it reads all the media with ID3 tags and sets up folders like 'by-artist', 'by-album', etc. Each file is named as '<track number> - <song title>' and contains the full path to the actual file. To play a song you cat one of these files into 'control/current' and write the word play to 'control/command'. There's a bit more to it like that like a playlist feature and some more commands, but that's the basic idea. The goal is to have a super-scriptable music player.

Here's an idea: recursively mount code files/projects. Use something like tree-sitter to extract class and function definitions and make each into a "file" within the directory representing the actual file. Need to get an idea for how a codebase is structured? Just `tree` it :)

Getting deeper into the rabbit hole, maybe imports could be resolved into symlinks and such. Plenty of interesting possibilities!

Would you mind sharing the Nim code? I've been interested in working with FUSE for a while, and use Nim for a few projects.

No worries if not, I'm just curious!

Not PMunch, but bindings¹ and statusbar².

Nimble has a couple of fuse projects and wrappers registered too.

¹ https://github.com/PMunch/libfuse-nim

² https://github.com/PMunch/statusbar

The audio player is unfortunately not on GitHub yet, I've still got a few kinks to work out before it's in a shareable state. The statusbar project was also shared mostly so the other Nimdow users could play around with it, so the code quality is quite sub-par.

JNRowe beat me to it! Feel free to browse the rest of my GitHub, its mostly Nim code. And if you want to talk Nim or Fuse you can join the Nim Discord server (or the Matrix or IRC bridge) or post on the Nim forum.

This makes me think, it would be nice if there was an easy built-in way to expose information about a process using the filesystem. Something like "cat /proc/$pid/fs/current_track" to get a name of a current song from a music player, or "ls /proc/$pid/fs/tabs" to list open tabs in my browser (and maybe use this to grab the html or embedded images).

I mean right now it's possible to do this using FUSE, but that's convoluted and nobody does it.

Can you actually write to the /proc directory? Working with libfuse I've had much of the same ideas, basically allow programs to expose information as files. The beauty of the fuse system is also that you only have to respond to requests when they happen. So you don't have to actually create all these files until someone asks for them. Another idea I've had is to expose the configuration of a program through a filesystem. Instead of having a config file and a refresh command or a complicated IPC you could simply write to files to change the config.

I still wish someone would take up the torch from ZLauncher. I still use it on my phone as it's just such a great launcher. I tried Niagara, but I found myself looking for the letters too much. With ZLauncher I can type the letter without even looking at my phone. You might think it would be annoying to have to write multiple letters (like you see people doing in many of the videos about the launcher) but the launcher remembers you most searched for apps for a certain letter. So after a couple searches your frequently used apps will be on top after only one letter. I do wish it had better support for widgets though, especially something like the pop-up widgets from the Blackberry Priv. But all in all it's a great launcher and it's a shame it was discontinued..

I recently had to draw some diagrams for documenting something. After looking at various Markdown-friendly options I landed on svgbob[1]. I believe it's a superior solution to these kinds of graph drawing tools for Markdown for one specific reason: the code is still readable. When I go to look at a Markdown file I don't always open the output. I will commonly open up a README file in Vim or just cat it to the terminal. In this case diagrams like those in this post is next to useless. I'm not going to read through some complex drawing definitions and try to visualise the results. With svgbob (or Typograms[2] or any of the other similar options) you can still read the Markdown text document and see the diagrams which is great!

Of course this comes with a tradeoff, drawing the diagrams can be a bit of a pain. But I believe this can be solved by a good Markdown editor or editor plugin. Alternatively a spec like this could be converted into an svgbob-compatible diagram.

[1]https://ivanceras.github.io/svgbob-editor/ [2]https://google.github.io/typograms/

Seems like the use-cases are kind of different from the two.

Pikchr seems to be made specifically for A) ease of editing and B) compile to graphs after being embedded in markdown code fences

svgbob I guess would work fine for B, but seems like a hassle to use it for A, but then I've never done ASCII art manually, maybe that's why it seems cumbersome to me?

If you come across this graph and want to edit it, how would you approach it? Because I'm guessing you're not manually moving characters around? Seems like a big hassle if so, even if I'm a daily user of vim which could help a lot.

                ,─.
               ( 0 )
                `-'
              /     \
             /       \
            V         V
           ,─.         ,─.
          ( 1 )       ( 4 )
           `-'         `-' .
         /   \         |  \ `.
        /     \        |   \  `.
       V       V       |    \   `.
      ,─.      ,─.     V     V    V
     ( 2 )    ( 3 )    ,─.   ,─.   ,─.
      `─'      `─'    ( 5 ) ( 6 ) ( 7 )
                       `─'   `─'   `─'

Yeah this is the drawback I was talking about. Vim certainly helps a bit, but some kind of editor or plugin which allowed you to more easily move stuff around, draw lines, draw boxes and circles, etc. would be very handy. The current approach is moving characters around by hand, which is quite tedious.

There is an "artist mode" in Emacs that allows you to draw ascii art with your mouse.

The trick with the water sensor is really neat, might have to look more into that. I also wish that more companies would design some of these building block smart devices for us hobbyist. Don't tie it specifically to water, maybe have a pot to trim the sensitivity, et voila you now have a pretty handy all-round ADC thing.

For my bed detection though I just have Tasker on our phones telling the system when they charge. If it's after a certain point of day and our phones are charging that's a good indicator that we've gone to bed. Doesn't require any extra hardware, making it super cheap. Although accuracy obviously won't be 100%.