A Real Malware In A Mouse


After reading an April Fools joke we fell for, [Mortimer] decided to replicate this project that turns the common USB mouse into a powerful tool that can bring down corporations and governments. Actually, he just gave himself one-click access to Hackaday, but that’s just as good.

The guts of this modified mouse are pretty simple; the left click, right click, and wheel click of the mouse are wired up to three pins on an Arduino Pro Micro. The USB port of the ‘duino is configured as a USB HID device and has the ability to send keyboard commands in response to any input on the mouse.

Right now, [Mortimer] has this mouse configured so that when the left click button is pressed, it highlights the address bar of his browser and types in http://www.hackaday.com. Not quite as subversive as reading extremely small codes printed on a mousepad with the optical sensor, but enough to build upon this project and do some serious damage to a computer.
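
A host-side check for the kind of device described above, as an added example that is not [Mortimer]'s code: on Linux, any input device able to emit keystrokes is given the `kbd` handler in /proc/bus/input/devices whatever its name claims, so this script lists every such device that is missing from an allowlist. The sample listing, the vendor/product IDs and the allowlist are constructed for illustration.

```python
import re

# Constructed sample of Linux /proc/bus/input/devices; IDs, names and ports are made up.
SAMPLE = """\
I: Bus=0003 Vendor=1111 Product=0001 Version=0111
N: Name="Example Office Keyboard"
P: Phys=usb-0000:00:14.0-1/input0
H: Handlers=sysrq kbd event3 leds

I: Bus=0003 Vendor=2222 Product=0002 Version=0111
N: Name="Example Optical Mouse"
P: Phys=usb-0000:00:14.0-2/input0
H: Handlers=mouse0 event4

I: Bus=0003 Vendor=3333 Product=0003 Version=0101
N: Name="Example Optical Mouse"
P: Phys=usb-0000:00:14.0-3/input2
H: Handlers=sysrq kbd event5 leds
"""

APPROVED_KEYBOARDS = {"1111:0001"}  # hypothetical site allowlist (vendor:product)

def parse_input_devices(text):
    """Split the listing into one dict per input device."""
    devices = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dev = {"handlers": []}
        for line in block.splitlines():
            tag, _, rest = line.partition(": ")
            if tag == "I":
                ids = dict(kv.split("=", 1) for kv in rest.split())
                dev["id"] = f"{ids['Vendor']}:{ids['Product']}".lower()
            elif tag == "N":
                dev["name"] = rest.split("=", 1)[1].strip('"')
            elif tag == "P":
                dev["port"] = rest.split("=", 1)[1].rsplit("/", 1)[0]  # strip /inputN
            elif tag == "H":
                dev["handlers"] = rest.split("=", 1)[1].split()
        devices.append(dev)
    return devices

def unapproved_keyboards(text, approved=APPROVED_KEYBOARDS):
    """Return input devices that can emit keystrokes but are not allowlisted."""
    return [d for d in parse_input_devices(text)
            if "kbd" in d["handlers"] and d.get("id") not in approved]

if __name__ == "__main__":
    for d in unapproved_keyboards(SAMPLE):
        print(f"review: {d['id']} {d['name']!r} on {d['port']} registers a keyboard")
```

Some legitimate mice with media or macro keys also register a keyboard handler, so the output is a list to review against the allowlist rather than a verdict.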

Video of [Mort]’s mouse below.

Comments

  1. Jon says:

    And now for malware in a real mouse: http://www.cdc.gov/rodents/diseases/direct.html

  2. echodelta says:

    Hanta virus is no joke, piano and organ techs have to deal with this.
    I hate mice.

  3. matt says:

    Typing in a URL to HaD is now malware? What more can we expect from a journalism major who doesn’t understand security basics and is paid per post.

    • VintagePC says:

      Missing the point and concept of the post? Ah well, what more can we expect from a troll that doesn’t understand proof-of-concept and has nothing better to do than criticize.

    • dext0rb says:

      Holy shit, this post flew entirely over your head. How’s the weather down there?

    • Hirudinea says:

      Yea, like it could never do anything else than type in the HAD address, not like it’s modifiable is it?

    • Zack Kummer says:

      I wouldn’t consider HaD malware, but I certainly see your point; pulling up a website is hardly the end-all-be-all of attacks, especially if it is designed to only happen when someone is using the computer and will notice it right away. BUT…set it on a 3-5 hour non-activity timer and you know it isn’t going to pop while the user is talking on the phone, eating lunch at their desk, watching a movie, etc…it is only going to pop after they go home for the day. Make the script so that after installing it cleans up after itself and then hides the extra device and you have a winner…assuming the computer has internet access. Of course, if you wanted to cause massive damage to Iran’s uranium enrichment and you know it is a stand-alone network, there are other options. After the last “hacked mouse” I did a bit of checking and found this: http://isostick.com/ . Basically it is a USB DVD drive simulator…on windows this can be used to autoload a virus even without an internet connection (if autoplay hasn’t been turned off). Some Linux distros also have autoplay functionality, even for normal flash drives. What’s more, if you are using a really fancy ergo mouse (and if you want them to plug it in, you use the nicest mouse you can find), you have room for a lot of hardware. Add a small WiFi or BT dongle and the mouse can now transmit wireless data from the sealed room with the stand-alone system, so that the janitor can receive it to his phone as he is mopping outside the door to the sealed room in the middle of the night. So yes…a mouse can be a very effective infiltration tool assuming you can get someone to use it, and also assuming that you are smart about it and don’t design it so that it warns the user that they are infected by pulling up a website right in front of them when they press one of the buttons or move over a certain part of their mousepad. 
      The same can be said about keyboards…and with enough patience, you don’t even need the social engineering part of the puzzle; just mod a few mice and keyboards and put them in the IT “spare parts” closet.

      • spider says:

        Does it really matter though if it happens while they’re sitting there? I mean it’s not like they’re going to go “shit, I have a virus, hmm, I wonder if that came from my new mouse.” Instead they’re going to scan their system, get nothing back, ignore it and leave the mouse plugged in.

    • Kev says:

      I feel bad for arguing with this kid in a previous post. He’s obviously got issues.

  4. Perhaps he should have made it go to http://www.trollrepellent.com... ; )

    Sadly, they’re so prevalent, they’re hard to get rid of…

  5. Whatnot says:

    Or you can just build the thing into a USB cable connector like we now know the NSA does from the Snowden files.

  6. Jim Turner says:

    How does the mouse know where the address bar is?

    • Whatnot says:

      It sends keyboard commands, and Alt-D in Firefox selects the address bar. Not sure what shortcut other browsers use.
      The flaw being that you’d already need a browser open, but there are ways to do it: if you do the key combo Windows-E, for instance, an Explorer window opens; when you enter a URL in the address bar of an Explorer window, it automatically opens the default browser with that URL opened in it once you hit Enter.
