Hidden Files on Flash Drive

4

I was just handed a flash drive by a co-worker. When plugged into a Windows machine, some logic on the device opens a run dialog, types in a URL letter by letter, and then presses enter in some way to open the website. I can't find a single file on this flash drive. I've put it in a Mac, Ubuntu Linux, and Windows machine - they all say zero files.

Behavior

Mac - Opened up the App store

Linux - Did nothing

Windows 7 - See above

Question

I'd love to be able to see the file(s) that cause this behavior. Basically, I'd like to do it myself. Any ideas?

James Hill

Posted 2011-10-25T19:35:37.733

Reputation: 979

If you try it on another Windows machine, does it still do the same? – Oded – 2011-10-25T19:37:33.967

Yes, I've tried it on three Windows machines - all Windows 7. – James Hill – 2011-10-25T19:38:08.193

Does your coworker have access to the Windows machine you've been doing this on? The easiest way that I can think of to do this is to implement a program on the computer that, when something is plugged into the USB drive then the program opens up a form to do what you described. I don't believe it would be too hard to do with C# but I could be wrong. – Jetti – 2011-10-25T19:41:19.140

@Jetti, I've tried it on three different Windows machines. The functionality is coming directly from the jump drive - I'm confident of this. – James Hill – 2011-10-25T19:42:33.147

1

Have you tried Windows SysInternals' RootkitRevealer? It may be a very well hidden file? Also, have you checked with Windows Disk Management tool to see how many drives the USB key has?

– None – 2011-10-25T19:48:12.617

Does http://en.kioskea.net/forum/affich-9313-i-cant-see-my-files-wich-is-not-hidden make it work?

– Jetti – 2011-10-25T19:49:28.297

@Jalayn, RootKitRevealer won't run on my system for some reason. I double click it, it thinks for a second, then nothing. – James Hill – 2011-10-25T20:00:22.893

1

You'll need a young priest and an old priest... – Mark Allen – 2011-10-25T21:34:40.257

1

Rootkits must be actually running to work. And I don't know of a cross-platform rootkit. If he cannot see files on Linux, Mac, or Windows, it's cross platform. – music2myear – 2011-10-25T21:45:08.413

Can you just write what device manager shows? – mbq – 2011-10-26T18:54:33.290

Answers

2

It seems this drive also implements a USB keyboard which first emits Super+R and then the URL.

On Linux, you can check it in lsusb output or by going to console (not terminal emulator), starting showkey and then plugging in this device.

mbq

Posted 2011-10-25T19:35:37.733

Reputation: 727

This seems feasible. Wouldn't it show up as a keyboard then in the device manager? – James Hill – 2011-10-25T19:50:43.753

Indeed it would. – Adam Maras – 2011-10-25T19:57:39.867

It would probably show as a USB hub with pendrive and keyboard, unless there is some stealth technique used to prevent it (I don't know Windows too well at this level). But try to look if there is any extra HID device. – mbq – 2011-10-25T19:58:51.440

Similar device on ThinkGeek.

– mbq – 2011-10-25T20:01:23.620
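The check suggested in this answer (looking for an extra HID interface next to the storage one), as an added example that is not part of the original thread: it reads the interface class codes Linux exposes under /sys/bus/usb/devices and lists every port where mass storage (class 08) and HID (class 03) appear on the same device or behind the same hub. The function names and the constructed test layout are assumptions made for this example.

```python
import os
import re
from collections import defaultdict

MASS_STORAGE, HID = "08", "03"   # USB interface class codes
# sysfs interface directories look like 1-2:1.0 or 1-2.1:1.0 (port path : config.interface)
IFACE_RE = re.compile(r"^(\d+-\d+(?:\.\d+)*):\d+\.\d+$")

def _read(path):
    """Return the stripped, lower-cased content of a sysfs attribute, or ""."""
    try:
        with open(path) as fh:
            return fh.read().strip().lower()
    except OSError:
        return ""

def storage_plus_hid(sysfs="/sys/bus/usb/devices"):
    """Return sorted port paths where mass storage and HID share a device or hub."""
    roles = defaultdict(set)
    for name in os.listdir(sysfs):
        m = IFACE_RE.match(name)
        if not m:
            continue                      # device or root-hub entry, not an interface
        cls = _read(os.path.join(sysfs, name, "bInterfaceClass"))
        if cls not in (MASS_STORAGE, HID):
            continue
        dev = m.group(1)
        roles[dev].add(cls)               # composite device: both interfaces on one device
        if "." in dev:                    # device sits behind a hub: credit the hub too
            roles[dev.rsplit(".", 1)[0]].add(cls)
    return sorted(p for p, r in roles.items() if r == {MASS_STORAGE, HID})

def build_constructed_tree(root, layout):
    """Write a fake sysfs tree for testing; layout maps interface name -> class code."""
    for iface, cls in layout.items():
        os.makedirs(os.path.join(root, iface))
        with open(os.path.join(root, iface, "bInterfaceClass"), "w") as fh:
            fh.write(cls + "\n")

if __name__ == "__main__":
    for port in storage_plus_hid():
        print("storage and HID on the same device or hub:", port)
```

A real keyboard and a flash drive plugged into the same external hub are listed too, so compare the result before and after plugging in the drive.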

2

USB devices can also be configured to act as a HID (Human Interface Device) such as a keyboard. For more info, check out the USB Rubber Ducky. Many of these types of devices are made from Teensy which can be made to fit inside of a standard thumbdrive case.

Previous to this, there was the USB Switchblade but it requires Autorun in order to work (that's my understanding anyway).

Scott Whitlock

Posted 2011-10-25T19:35:37.733

Reputation: 233

2

Sounds like a U3 partition is active on the drive. Look for an additional CDRom drive in your drive list (My Computer, for the neophytes). It certainly could autorun something like you're describing. Although the minute it started TYPING something automatically, I would have likely handed it right back to the "friend" who gave it to me. Autorun stuff is evil.

lornix

Posted 2011-10-25T19:35:37.733

Reputation: 9 633

Came here to write this same thing - sounds like U3. +1 to you instead. Though I don't have any direct experience with U3 to know whether or not it types things - I wasn't under that impression. The typing does sound lots more like Teensy as linked above. http://en.wikipedia.org/wiki/U3

– Mark Allen – 2011-10-25T21:31:55.730

Awful lot of work involved to make a teensy device, and it wouldn't LOOK like a regular flash drive, which would've (hopefully) engaged this guy's curiosity. A standard virtual U3 cdrom with autorun.inf set to run a windowless program to insert characters into keyboard queue is far more plausible. Sounds like a marketing gimmick, since it types a URL of some sort. Also, virtual cdrom wouldn't be obvious to most Windows users since they're looking for 'removable drive', again not obvious on Mac OSX, additional icon on desktop, and Linux would likely just automount it silently. – lornix – 2011-10-25T21:37:44.580

This does not explain why AppStore and Run dialog are launched. – mbq – 2011-10-26T18:49:49.147

1

Are you sure it is a USB drive? What you actually are is a gentlemen's agreement. The USB device tells you and you can only hope it doesn't lie to you. Then I think you can switch modes and pretend to be something else. It is useful for "self installing devices". You plug it in, then the software auto installs relevant drivers and you are then good to go.

This requires hardware level access to the USB device, so it is rather difficult to propagate as a virus.

user1190

Posted 2011-10-25T19:35:37.733

Reputation: 569

Can you clarify, "Are you sure it is a usb drive?". It's a 2 GB USB drive. I can store files on it and eject it as with any normal USB drive. – James Hill – 2011-10-25T19:53:19.647

A USB drive can identify itself as a HID (human interface device) at which point the computer accepts keyboard codes from it as if you were typing. – Martin Beckett – 2011-10-25T20:41:13.300

0

How did you mount the disk when mounting it under Linux?

Assuming that you're dealing with actual files (as opposed to something more interesting, like an infection that sits in the control portion of the circuit), they may be hidden. You could try any of the different ways to enable display of hidden files (configure your machine to show hidden files, extensions, and show system files), or run something like the following on the contents of the disk:

attrib -s -r -h *.*

blueberryfields

Posted 2011-10-25T19:35:37.733

Reputation: 784

0

To reveal hidden files in Linux, hit Control+H in most file browsers, or navigate to the folder in the command line and execute ls -a. Or in Windows, look for files or folders that start with .

Malfist

Posted 2011-10-25T19:35:37.733

Reputation: 2 761