Cheap rj45 ethernet to USB adapter contains malware (opens in new tab)

(twitter.com)

32 pointsrsecora1y ago25 comments

25 comments

It's worth noting that there's basically zero proper evidence that there is any malware included with this device -- it runs an exe when inserted, but that exe appears, at a glance, to be a driver installer. Definitely not the right way to do things, but there's a difference between "incompetent" and "malicious".

The only actual "evidence" that was provided was a link to a falcon sandbox run, something which actually requires human analysis to draw conclusions about -- and anyone who has ever used it knows how many false positives it finds.

A better proclamation might be "cheap network adapter comes with an auto-running executable which needs further analysis".

nirui1y ago

Can you call it "auto-running" when they it don't even bother to pack in an autorun.inf? (based on https://x.com/evapro30/status/1878635208582562113)

steffanA1y ago

The autorun.inf would be in the flash drive, not the executable they uploaded to Any.Run. Were any pics of the flash drive contents shared?

gruez1y ago

Seems light on details. How is it executing the payload? Is it doing something like badusb where it emulates a keyboard to run the payload? Wouldn't that be super obvious? Or is it something as simple as telling the user to install a "driver"?

geor9e1y ago

The dongle enumerates as a USB hub with two USB devices plugged into it. One is an ethernet dongle, which is the sort of hardware that may require a driver. The second device is a USB flash drive containing a .exe, which extracts a file called Setup.exe. It won't execute unless the user manually executes it - it's just a USB drive after all. Maybe the .exe contains malware, maybe it doesn't. Maybe antivirus scans give false positives. Maybe the manufacturer found a clever way to save money by combining the two USB devices they normally shipped together. Maybe this twitter account just made a nice paycheck from clickbait engagement.

karotte1y ago

Believe it or not, but 'enumerating as a CD-ROM' drive is actually a documented feature of some Realtek USB Ethernet Interfaces: https://www.lcsc.com/datasheet/lcsc_datasheet_2206141400_Rea... (6.16. Driver Auto-Install Mode, page 24).

johann83841y ago

From the replies it sounds like it mounted as a storage device and ran autorun. It was super obvious which is what caused them to take notice.

geor9e1y ago

Autorun has been disabled since the release of Windows 7 in 2009.

unsnap_biceps1y ago

For what it's worth, I just checked on my windows 11 install and it was (somewhat) enabled.

Settings -> Bluetooth & Devices -> AutoPlay -> Use AutoPlay for all media and devices

Was set to on, and "Removable drive" was set to "Choose a default", which appears to be equivalent to "Ask me every time".

I don't have anything (that I'm aware of) that auto-runs something, but I presume it will prompt me asking if I want to run setup.exe, which seems somewhat reasonable for new hardware.

And from the malware analysis, https://www.hybrid-analysis.com/sample/e3f57d5ebc882a0a0ca96... , it's signed by "Owner: CN=Microsoft Windows Hardware Compatibility Publisher, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Windows Third Party Component CA 2012, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US" which also looks pretty legit.

I can totally see a lot of folks allowing it to run.

1 more reply

hulitu1y ago

> Autorun has been disabled since the release of Windows 7 in 2009.

No. Microsoft just said it will disable it. On some systems, i've seen it disabled (i don't know if by default or by AD policy) but, on the majority of Windows 10, it was not disabled.

1 more reply

olyjohn1y ago

Please tell me Windows doesn't STILL autorun off of external drives? I thought that was solved years ago...

necovek1y ago

I liked the graceful admission of error too: https://x.com/evapro30/status/1880123024474796107

fishstock251y ago

I like when people put their thoughts so out in the open. Makes it much easier to know whom to not work for, since the work culture must be terrible, if they even publicly express themselves that way.

BenjiWiebe1y ago

Twitter is terrible and I can't remember the nitter instance that still works.

gruez1y ago

https://xcancel.com/evapro30/status/1878593145534923124

BenjiWiebe1y ago

thanks!

IamLoading1y ago

Reverse engineering by OALabs - https://www.youtube.com/watch?v=3IfJSGWIrCo

Current verdict - not malware.

ChrisArchitect1y ago

fishstock251y ago

"The chinese" yeah sure. Lmao. Everybody panic, there are two chips inside!

Check out https://news.ycombinator.com/item?id=42743033#42743428 for more lulz

IronWolve1y ago

It ain't just twitter that has armchair experts that are rude. Most social media sites allow this behavior. So many replies with horrible posts "your doing it wrong", "read the docs", etc.

I've seen so many correct responses downvoted and with horrible replies. Anyone who used old moderated email lists will see how culture changed and the decline of actual conversation. Even stack overflow has went downhill.

j / k navigate · click thread line to collapse

25 comments

elfchief1y ago

A better proclamation might be "cheap network adapter comes with an auto-running executable which needs further analysis".

nirui1y ago

Can you call it "auto-running" when they it don't even bother to pack in an autorun.inf? (based on https://x.com/evapro30/status/1878635208582562113)

steffanA1y ago

The autorun.inf would be in the flash drive, not the executable they uploaded to Any.Run. Were any pics of the flash drive contents shared?

gruez1y ago

geor9e1y ago

karotte1y ago

johann83841y ago

From the replies it sounds like it mounted as a storage device and ran autorun. It was super obvious which is what caused them to take notice.

geor9e1y ago

Autorun has been disabled since the release of Windows 7 in 2009.

unsnap_biceps1y ago

For what it's worth, I just checked on my windows 11 install and it was (somewhat) enabled.

Settings -> Bluetooth & Devices -> AutoPlay -> Use AutoPlay for all media and devices

Was set to on, and "Removable drive" was set to "Choose a default", which appears to be equivalent to "Ask me every time".

I don't have anything (that I'm aware of) that auto-runs something, but I presume it will prompt me asking if I want to run setup.exe, which seems somewhat reasonable for new hardware.

I can totally see a lot of folks allowing it to run.

1 more reply

hulitu1y ago

> Autorun has been disabled since the release of Windows 7 in 2009.

No. Microsoft just said it will disable it. On some systems, i've seen it disabled (i don't know if by default or by AD policy) but, on the majority of Windows 10, it was not disabled.

1 more reply

olyjohn1y ago

Please tell me Windows doesn't STILL autorun off of external drives? I thought that was solved years ago...

necovek1y ago

I liked the graceful admission of error too: https://x.com/evapro30/status/1880123024474796107

fishstock251y ago

BenjiWiebe1y ago

Twitter is terrible and I can't remember the nitter instance that still works.

gruez1y ago

https://xcancel.com/evapro30/status/1878593145534923124

BenjiWiebe1y ago

thanks!

IamLoading1y ago

Reverse engineering by OALabs - https://www.youtube.com/watch?v=3IfJSGWIrCo

Current verdict - not malware.

ChrisArchitect1y ago

fishstock251y ago

"The chinese" yeah sure. Lmao. Everybody panic, there are two chips inside!

Check out https://news.ycombinator.com/item?id=42743033#42743428 for more lulz

IronWolve1y ago

It ain't just twitter that has armchair experts that are rude. Most social media sites allow this behavior. So many replies with horrible posts "your doing it wrong", "read the docs", etc.

j / k navigate · click thread line to collapse