Last chance to enter The Hackaday Prize.

Malware In A Mouse

mouser

Keyloggers, in both hardware and software forms, have been around for a long, long time. More devious keyloggers are smart enough to ‘type’ commands into a computer and install Trojans, back doors, and other really nasty stuff. What about mice, though? Surely there’s no way the humble USB mouse could become an avenue of attack for some crazy security shenanigans, right?

As it turns out, yes, breaking into a computer with nothing but a USB mouse is possible. The folks over at CT Magazine, the preeminent German computer rag, have made the Trojan mouse (German, terrible Google translation)

The only input a mouse receives are button presses, scroll wheel ticks, and the view from a tiny, crappy camera embedded in the base. The build reads this camera with an Arduino, and when a certain pattern of gray and grayer pixels appear, it triggers a command to download a file from the Internet. From there, and from a security standpoint, Bob’s your uncle.

Looking through the camera inside a mouse is nothing new; it’s been done over the Internet and turned into the worst scanner ever made. Still, being able to process that image data and do something with it is very cool. Just don’t accept mouse pads from strangers.

Danke [Ianmcmill] for the tip.

Comments

  1. edonovan says:

    I would like to know the keystrokes it uses to invisibly download and install malware.

    • KitKat says:

      There are ne keystrokes, this is the magazine’s annual April Fools’ joke.

      • ICS says:

        I agree with you, and for the same reasons. However I must note that some pentesting organizations have managed to stuff a tiny usb hub and an autorun backdoor into mice. They often use it as ‘swag’ for the companies they are testing. Theory goes that the proud manager that handles RFCs will use it and maybe, just maybe, somebody will have misconfigured autorun settings. Of course it isn’t a real attack. That sort of thing has not worked reliably in over a decade.

        • matt says:

          It isnt that hard to do on a windows machine with a HID device. Press the Windows and R key, then enter in whatever command you want. if you dont know the drive letter, then just loop through them all.

    • Ast says:

      I didn’t read the article (I don’t own the magazine), but my guess is that the mouse behaves harmlessly to stay undiscovered until the pattern triggers the malware to also register as a keyboard and use keystrokes to do its evil business.

      Also, from the first excerpt it seems like they discovered this behaviour in an old mouse of theirs while playing around with it and an arduino. They did NOT build the malware mouse, it is already in the wild.

  2. That was published in the last edition, which is the one still on sale next Tuesday (hint hint…) ;-)

  3. Hattori Hanzo says:

    The c’t magazine is known for its april fools jokes. They had a couple of really good ones that seemed very plausible, even after a second read.

    I am pretty sure this one of them. Having worked with opgtical mice sensors and interfacing with them directly, there’s a lot of things that don’t work as described. Try getting raw image data from the sensor in a usable framerate for doing your own optical flow afterwards…

  4. cpldcpu says:

    Uhm. This seems to be their aprils fools joke, because the full article actually appeared in print in the April issue. Note the lack of any information in the article…

  5. BeatJunkie says:

    I hope you guys know that the c’t magazine has an annual April fool hidden as an article… And now look at the date.

  6. Mental2k says:

    I’m not saying it’s not an April fools joke (and I haven’t read the original article in the interest of full disclosure), but couldn’t this be done with something like an atmega32u2 and lufa. Starts as a mouse, pattern triggers keyboard mode then revert.

  7. der_nachbauer says:

    Reading this article a week ago (release date of the current issue for subscribers), I shortly wondered how this “hack” could work actually but then concluded that it had to be an april fools joke.
    As well there are some hints in the article, e.g. the picture of a sample malware activation code is ridiculous [huge frame, tiny content], as is the instruction of what to observe in case of malware “activation” – the article tells to observe for *any* HID device showing up; current computer setups can be expected to show some, or does anybody out there still use PS/2 keyboards ?
    And eventually there is a “typo” in the article which I strongly doubt would happen to the magazines authors but on purpose: they expand HID to “human *interception* device” … this was the final cue that eventually convinced me it had to be april’s fool.

  8. Andi says:

    You all know this is meant to be an april fool, dont you?

  9. ITS AN APRIL FOOL!

    c’t is actually well known for doing these in the issue that is the current one on april first.

  10. Winnetou says:

    There is no fix yet so better disconnect your mouse and keyboard. To avoid negative impact you can set your iTunes to repeat eternally, you can only read facebook though.

  11. ejonesss says:

    “The build reads this camera with an Arduino, and when a certain pattern of gray and grayer pixels appear, it triggers a command to download a file from the Internet”

    that requires major modifications to the mouse and i doubt there is enough room inside the mouse to get even one of them Arduino minis inside unless you unsoldered the chip from the stamp and dead bugged it inside the mouse.

    using the mouse as a scanner if your intent is to sneak the means to copy a book into a library then making a scanner for the blind would work better with one of them hanging book cameras and some software that can capture the image and read the book as speech and the library will be none the wiser if they see the setup and hear it reading the book.

  12. ninaundmomo says:

    You better disconnect your iput devices until a permanent solusion s found. To avoid negative impact on your computing set iTunes to repeat eternally. There is no fix for facebook though.

  13. hiswif says:

    I have read the article. It was definitely the April joke. Pwnd ;)

  14. fartface says:

    This is an april Fools joke.

  15. As pointed out by a many previous posts, it’s an april joke.

    Also the summary of the article here is a bit off.
    In fact the article is not about adding an arduino to the mouse.
    Instead it warned that there a mice out there, which have the malware integrated inside the optical sensor and the usb controller firmware.
    The article states that they’ve been given free mousepads at the CeBIT which had tiny QR-Codes on them to activate the malware.
    The ardiuno stuff is only a side story on how they found the codes.

    So next time you fall for a German April fool, try at least to get the summary right.

  16. Jim Hung says:

    Even though this is obviously an April fools joke, the concept of a malicious attack delivered via a trojanized mouse isn’t new and has been used successfully. These attacks often use the HID emulation function of the Teensy 2 and similar AVR boards to type out the vbscript attack bootstrap code into notepad extremely quickly, which then reach out to staging servers to pull down a metasploit payload, etc… These attacks require some technical naiviety on the part of the user, and a fair bit of luck in timing and setup in my experience.

    Such an attack using a Logitech mouse was covered by Hackaday in 2011: http://hackaday.com/2011/06/28/teensy-avrs-used-in-penetration-testing/

    Here’s the original article from Netrasoft: http://pentest.snosoft.com/2011/06/24/netragards-hacker-interface-device-hid/

  17. drrickdaglessmd says:

    Even though this is obviously an April fools joke, the concept of a malicious attack delivered via a trojanized mouse isn’t new and has been used successfully. These attacks often use the HID emulation function of the Teensy 2 and similar AVR boards to type out the vbscript attack bootstrap code into notepad extremely quickly, which then reach out to staging servers to pull down a metasploit payload, etc… These attacks require some technical naiviety on the part of the user, and a fair bit of luck in timing and setup in my experience.

    Such an attack using a Logitech mouse was covered by Hackaday in 2011: http://hackaday.com/2011/06/28/teensy-avrs-used-in-penetration-testing/

    Here’s the original article from Netrasoft: http://pentest.snosoft.com/2011/06/24/netragards-hacker-interface-device-hid/

  18. ianmcmill says:

    Doh. Anyways cool story.

  19. Brandon says:
  20. Indyaner says:

    I got inspired by this post today and made my own version of a infiltrary mouse device
    MouseHack: https://imgur.com/a/uOhyn

    Check out the Video of the device working.

  21. Hirudinea says:

    That ain’t a mouse, it’s a RAT!

  22. What ever if you’re using the Uno to do this it’s cheating if you’ve hacked the controller firmware on the mouse then this would be cool but from the picture looks crap.

  23. Zack Kummer says:

    Pretty obvious joke, and wouldn’t be very good anyway…but it wouldn’t be too hard to load malware from a hacked mouse or keyboard.

    Picture this:
    1.) Microsoft disabled autorun on external drives and flash drives, but not on optical drives.
    2.) Make a USB device that simulates a USB CD-ROM drive with a virus on the “disk”.
    3.) Put a 2-port USB switch chip in the mouse.
    4.) The first port is normally connected (the mouse signal)
    5.) The second port is on a timer; it only connects after 3 hours of inactivity from the mouse…and then only connects for 30 seconds

    So, your target plugs in the mouse, uses it all day, and loves it (because if you went through all this trouble then obviously you started with a nice mouse). The target goes home for the day…three hours later a CD-ROM drive shows up, malware installs, and then the virtual drive disappears. Malware installed, even on a stand-alone system. While you were at it, you might even incorporate a WiFi module with a unique ID…so every night when it switches on your malware can transmit data to someone outside of the sealed room containing the stand-alone system…and it only happens at night so it is really hard to sweep for the signal.

    • qbert says:

      All mice shipped to Iraq are in fact enhanced by the CIA and NSA… think about it.. what a good way to get the infected stuff into a system, the mouse sits in stealth mode for months, then does R and off we go, random system reboot and you never see it…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 91,159 other followers