
Did anyone ever run a deleted file search on a brand new flash drive?


Thread replies: 51
Thread images: 11

File: 453334423532765453.jpg (120KB, 620x413px)
Did anyone ever run a deleted file search on a brand new flash drive? I just found some weirdass files that apparently once were on a just freshly bought one. This file is among them:

https://malwr.com/analysis/N2Q3MDZiZmQzMGUwNDM5YWIzYjZkMDI3ZWE1ZTc2ZjE/

It's this fucking file, the hashes match.

>Signatures
>Performs some HTTP requests
>Installs itself for autorun at Windows startup

Wtf is this? The files are deleted from the filesystem's point of view, but can be easily undeleted intact, the data itself still sits there. Could some malware in the flash drive's firmware access such "hidden" data on a seemingly empty flash drive to infect the OS it is connected to?
>>
>>57915040
Wow, there is such a site? Flash chips are recycled very often. You probably had someone else's data.
>>
>>57915040
It's possible it was infected in the factory.
>>
>>57915040
>You probably had someone elses data
I don't quite think so. There are 7 files in total which all together are just a few megabytes in size, and their contents seem like gibberish when viewed in a hex editor (they also have gibberish names). What normal user would keep such data on there?

Also, what do you mean by flashchips being recycled? Trying to salvage possibly working chips from discarded flash drives would seem like way too much hassle.
>>
>>57915040
What make and model of flash drive?
>>
>>57915132
>There's 7 files in total which all together are just a few megabytes in size
Post them.
>>
>>57915040
I think you're onto something, anon.
>>
File: Untitled.png (600KB, 968x926px)
>>57915421
>>57915830
>>
>>57915421
This.
>>
>>57916663
See screenshot above for some basic info.
>>
Former nostream shills, how do you feel now? Please no lies or "I was just pretending".
>>
>>57915040
Tell us the brand, model, and when and where it was purchased. Somebody else may have one and can do a similar recovery to see if this is systematic.
>>
>>57915040
What make and model. Please provide all info. It's research time!!
>>
>>57916655
Any chance you could upload them somewhere?
>>
File: iKekked.jpg (35KB, 414x432px)
>>57915040
>related images not related.
>>
>>57917456
>>57917463
As seen in the screenshot >>57916655, it's a Kingston DataTraveler G4 8GB (really 7.75GB/7.22GiB) (DTIG4-8GB). Looks like pic related.

https://www.kingston.com/datasheets/DTIG4_us.pdf

Purchased in eastern Europe just a few days ago. Recovered directories have a modification date of 13th September this year, though the files themselves have a much earlier one (17th April 2008). There are seven files, of which two are duplicates and another two are just a few bytes long (one containing 0x6161 ("aa") and the other 0x61736466 ("asdf")). That leaves four distinct longer files, of which one is recognized at https://malwr.com/analysis/N2Q3MDZiZmQzMGUwNDM5YWIzYjZkMDI3ZWE1ZTc2ZjE/ . All of the files seem to have no or almost no discernible structure (possibly encrypted?).
>>
>>57917792
>Purchased in eastern Europe just a few days ago.
Sounds like what you thought was a brand new drive was nothing of the sort.
>>
How did you detect those files?
>>
http://rationallyparanoid.com/articles/malware-in-commercial-products-list.html

Not the first time a device would ship with some "preinstalled features"
>>
>>57917877
Standard methods for file recovery, except ran on a newly bought flash drive just in case. The flash drive was only connected to a running live OS so far.

>>57917855
It came in original packaging which didn't look like it was tampered with. Also, as said above, these files don't look like they belonged to some random user.
>>
>>57915040
>Not running shred on every new drive on an air gapped machine
lol
>>
Last week I bought an 8GB micro SD for £2 and it ended up being a SanDisk; plugged it in and there were some remnants of a flash file.

Blew away the partitions and paved over it.
>>
>>57915040
>Could some malware in the flash drive's firmware access such "hidden" data on a seemingly empty flash drive to infect the OS it is connected to?
Yes, absolutely.
Though it's much more likely it was just normal malware and then the flash drive was wiped and now it's inoperable.
>>
Well fuck me.

So if I'm building a brand new computer with all new components including an SSD and HDD, is there any way to avoid being infected with malware from day 1?
>>
>>57918872
Not without trusting the hardware you install
>>
>>57918872
Use Linux and format yourself the drives. If you use the cuck OS you're on your own.
>>
>>57918390
As I said, the flash drive was connected while running a live OS so far, so it hardly could persistently infect anything. It is going to be wiped, I decided to look at it first and well, this strange stuff was found.
>>
File: FallingDown_002Pyxurz.jpg (240KB, 1600x1203px)
This is why I hate /g/

If you are too inept to analyze the files yourself (past the point of opening them in a hex editor, looking at the bytes and going "hmm, it looks encrypted"), perhaps you could upload them?

Cuckoo was able to execute it but doesn't even show what the dropped files are.
>>
>>57919263
(not the css and image)
>>
Lemurs a cute
>>
>>57915830
>>57917501
>>57919263
Here are the files recovered from the flash drive (directory structure and modification dates are preserved):
http://s000.tinyupload.com/index.php?file_id=06715296432944073348
MD5: BB7A76AE72CDC0EC618466D12A2EF11B
>>
>>57919468
Btw I didn't upload them immediately as I was hoping to dump the firmware and include it as well, but it doesn't seem that straightforward unfortunately.
>>
This flashdrive happens to have no LED at all, meaning there is no physical I/O indication whatsoever - is this a new "standard" to be expected more and more often?
>>
File: 1464313735040.jpg (68KB, 800x600px)
>>57915040
Nigger, that shit didn't even execute. All you're seeing is an analysis of the "search file association online" tool included in Windows.
>>
File: 1478147272474.png (26KB, 528x112px)
The fucking file doesn't even have a valid PE header.

>inb4, it's encrypted
What's the point of encrypting it if then you can't execute it? The OS has no way to know the file is an encrypted executable and magically guess the decryption password.
>>
>>57920726
Then whoever analyzed it would have been pretty dumb, don't you think? Such an "analysis" would be a major embarrassment. Do all the details specified there fit the file association tool?

Anyway, the fact that those files were even there is puzzling in itself - what are these files?
>>
File: 1475155323423.png (69KB, 1388x556px)
And these are the HTTP requests logged, it doesn't look at all like malware.

It's just garbage data stored in the flash drive that looks like a file entry, this kind of stuff always happens with file recovery software.
>>
>>57920806
It was suggested right in the first post that the firmware might use the data stored in the files (or anywhere on the flashdrive really) and another anon confirmed >>57918871. If it was a regular executable it would have been much easier to examine it. You have a preview of its head in this screenshot >>57916655 anyway.
>>
>>57920848
It's just a bot that tries to execute the file and clicks OK/Next/Continue in any message box that appears.
>>
>>57920863
>this kind of stuff always happens with file recovery software.
Interesting, somehow it never happened to me before. Strangely enough in other regions of the flashdrive there isn't seemingly random data but just zeros or sequences of repeating bytes.
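A defender's triage of the two observations made in this thread, the claim in >>57920726 that the recovered file lacks a valid PE header and the note above that other regions of the drive hold only zeros or repeating bytes, as an added example. This is not any poster's code and not the output of the tools they used; the sample blobs are constructed inline (a minimal MZ/PE stub, a zero region, a 0xFF fill pattern and a seeded pseudo-random block standing in for "encrypted-looking" data), and the 7.5 bits-per-byte threshold for "high entropy" is an assumed heuristic, not a standard.

```python
import math
import random
import struct
from collections import Counter

# --- Constructed sample inputs (stand-ins, not the files recovered in the thread) ---

def _build_minimal_pe() -> bytes:
    # MS-DOS stub whose e_lfanew (offset 0x3C) points at a "PE\0\0" signature;
    # enough to pass a header sanity check, nothing more.
    header = bytearray(b"MZ" + bytes(0x3C - 2))   # pad up to offset 0x3C
    header += struct.pack("<I", 0x40)              # e_lfanew = 0x40
    header += b"PE\0\0" + bytes(20)                # signature + padded COFF header
    return bytes(header)

SAMPLE_PE = _build_minimal_pe()
SAMPLE_MZ_TRUNCATED = b"MZ" + b"\x90" * 30         # "MZ" but cut off before e_lfanew
SAMPLE_BAD_LFANEW = b"MZ" + bytes(58) + struct.pack("<I", 0x10000)  # points past EOF
SAMPLE_ZEROS = bytes(512)                          # erased / never-written region
SAMPLE_FILL = b"\xff" * 512                        # repeating-byte fill pattern
_rng = random.Random(1234)                         # seeded so the sample is reproducible
SAMPLE_RANDOM = bytes(_rng.getrandbits(8) for _ in range(4096))

# --- Checks ---

def has_valid_pe_header(data: bytes) -> bool:
    """Cheap structural check: MZ stub, e_lfanew inside the file, 'PE\\0\\0' there.

    Passing this does not mean the file is executable or benign; failing it means
    the loader would reject it outright, so "encrypted executable" is not a
    plausible reading of such a blob on its own."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single byte value, up to 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify_region(data: bytes, high: float = 7.5) -> str:
    """Label a recovered chunk the way a carving tool's output should be read."""
    if not data:
        return "empty"
    if len(set(data)) == 1:
        return "zero-filled" if data[0] == 0 else "repeating-byte"
    if shannon_entropy(data) >= high:          # assumed heuristic threshold
        return "high-entropy"                  # compressed, encrypted or random: nothing to parse
    return "structured"

def triage(name: str, data: bytes) -> dict:
    """One summary row per recovered blob."""
    return {
        "name": name,
        "size": len(data),
        "pe_header": has_valid_pe_header(data),
        "entropy": round(shannon_entropy(data), 2),
        "kind": classify_region(data),
    }

if __name__ == "__main__":
    samples = {
        "minimal_pe": SAMPLE_PE,
        "mz_truncated": SAMPLE_MZ_TRUNCATED,
        "bad_lfanew": SAMPLE_BAD_LFANEW,
        "zeros": SAMPLE_ZEROS,
        "ff_fill": SAMPLE_FILL,
        "random": SAMPLE_RANDOM,
    }
    for label, blob in samples.items():
        print(triage(label, blob))
```

Run over real carved files, the useful signal is the combination: a blob that fails the PE check and sits in the "high-entropy" bucket is consistent with leftover compressed or encrypted user data or with carving residue, while the "zero-filled" and "repeating-byte" buckets are what untouched or test-pattern regions of a new drive look like. Neither result identifies malware; that still takes a sample that actually parses and executes.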
>>
>>57920910
Did you see though that the exact same file was discovered and submitted way in January this year? Someone found the exact same "garbage data" somewhere? It just doesn't make any sense.
>>
>>57920889
Why would the firmware execute random data stored in the drive? If you wanted to include malware, why not make it part of the firmware itself instead of placing it somewhere where it can be read or overwritten by the user?
>>
>>57915040
I guess it's some spyware from the company.
>>
>>57920995
The firmware is probably smaller than the files, and it could decrypt obfuscated data. The file names and offsets can be hardcoded into the firmware. That's why dumping and examining it would be useful.
>>
File: fuckyou_fagget.jpg (90KB, 360x305px)
>>57920974
>>
>>57917792
They tested the drive in the factory?
>>
>>57921057
With some suspicious af looking weirdass files of all things?
>>
File: 1458000812153.jpg (356KB, 1600x1347px)
>>57921032
And why place the data in a user-readable area? You could simply put it in a block that can't be trivially accessed.

>>57920974
Pretty much >>57921057
It's probably data left over from automatic tests performed before selling them, it probably came from the same model or brand of flash drive.
Pic related.
>>
File: 1428163328855s.jpg (6KB, 231x218px)
>>57921086
>everything generally being botnetted these days
>examination of new flash drive uncovers some weird af files to be present
>website identifies one of them as confirmed for being malware-related

You wouldn't be concerned even one bit?
>>
>>57921526
>>website identifies one of them as confirmed for being malware-related
But that didn't happen. See >>57920863 and >>57920726
>>
Can you possibly open the drive and get pics of the chips themselves? Clear pictures of the text on the chips would be perfect. We can look at the manufacturing dates on them and see if they all line up.