-rst-
Posts: 1316
Joined: Thu Nov 01, 2012 12:12 pm
Location: Dublin, Ireland

Signalex USB hub possibly containing malware?!

Tue Jan 01, 2013 6:54 pm

Just bought a Signalex -port USB hub from local Dealz store for €1.49 - seems to be about this one (slightly different packaging, the sales receipt says 'part of the Poundland family') http://www.poundland.co.uk/product-rang ... t-usb-hub/

When I connected the hub to my RPi (already powered on and booted to login prompt), I noticed that something 'typed' the string 'www.google.com' + enter key. I removed the hub, plugged in the keyboard directly and logged in - then repeatedly inserted and removed the hub: every time the hub was powered on, the same text appeared into the command prompt (bash obviously complaining: unrecognised command).

Now obviously I am suspecting this hub might contain malware (possibly a keylogger) which tries to connect to the internet. Tried to google up any information, but could not find anything specific enough.

I doubt that it would be successful in its exploits on a Linux system, but even then a bit annoying thing.

Anybody any insight? Any suggestions for computer security related forums to go look/ask?

Thanks
http://raspberrycompote.blogspot.com/ - Low-level graphics and 'Coding Gold Dust'

cyrano
Posts: 714
Joined: Wed Dec 05, 2012 11:48 pm
Location: Belgium

Re: Signalex USB hub possibly containing malware?!

Tue Jan 01, 2013 8:11 pm

Sounds more like a "feature" than some form of malware. I suppose the hub had no manual at all?

It would seem something in the hub is emulating a keyboard. But typing "www.google.com + enter" is hardly anything malware would do as it would probably be noticed by the user.

-rst-
Posts: 1316
Joined: Thu Nov 01, 2012 12:12 pm
Location: Dublin, Ireland

Re: Signalex USB hub possibly containing malware?!

Tue Jan 01, 2013 10:03 pm

I am thinking I may be too paranoid about this... Was thinking that on a Windows computer, you would probably not see the text typed and maybe the yoke tried initiating something that failed on RPi and the url ended mistakenly into the stdout... and first hitting google.com to check if there is a network connection would seem rather harmless if some anti-virus/malware app would throw a popup to the user... :roll:

And of course no manual or any instructions - well, for that price...

cyrano
Posts: 714
Joined: Wed Dec 05, 2012 11:48 pm
Location: Belgium

Re: Signalex USB hub possibly containing malware?!

Tue Jan 01, 2013 10:20 pm

It's always good to post something like this. Just to inform the world :D

-rst-
Posts: 1316
Joined: Thu Nov 01, 2012 12:12 pm
Location: Dublin, Ireland

Re: Signalex USB hub possibly containing malware?!

Thu Jan 03, 2013 10:38 am

Well... not really a surprise: occasionally the hub writes 'rwww.google.com' and further examining this, it is in fact '<windows-key>r', so the bugger tries to execute the Windows Run command to launch a web browser to google... To accomplish this, the bugger appears (to 'lsusb') as two devices: one the hub and another obviously a HID/Keyboard.

Does not look too malicious, but rather annoying anyway ...especially if someone was using this on a windows box - double the drivers etc.

ghans
Posts: 7882
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: Signalex USB hub possibly containing malware?!

Thu Jan 03, 2013 10:52 am

Never heard of that. Such a cheap device having this
"feature" built-in is somehow ... irritating.

If you notice anything else, please post it.


ghans
• Don't like the board ? Missing features ? Change to the prosilver theme ! You can find it in your settings.
• Don't like to search the forum BEFORE posting 'cos it's useless ? Try googling : yoursearchtermshere site:raspberrypi.org

redhawk
Posts: 3465
Joined: Sun Mar 04, 2012 2:13 pm
Location: ::1

Re: Signalex USB hub possibly containing malware?!

Thu Jan 03, 2013 11:12 am

Some of the stuff from Poundland is good but their USB 2.0 hubs are really fake USB 1.1 rubbish and I own a few from them.
You could probably hub a USB mouse and keyboard but I wouldn't trust it to handle a webcam, wifi dongle or USB flash drive.

Richard S.

-rst-
Posts: 1316
Joined: Thu Nov 01, 2012 12:12 pm
Location: Dublin, Ireland

Re: Signalex USB hub possibly containing malware?!

Thu Jan 03, 2013 1:24 pm

So I have read. This one looked interesting design-wise (compared to the typical 'UFO' ones) and actually seems to be USB2.0 (even when not advertised as such - only a faint print at the back of the thing saying USB2.0) - plugged into a Windows box (that I am about to re-install anyway soon) and it appears with 'full-speed' in dev mgr and no complaints about 'this device could perform...' ...and no suspicious network activity so far looking at the router log :? Oh yeah, it actually managed to do 'run www.google.com'... why :roll:
Attachment: Signalex4PortUSBHub4.jpg

cyrano
Posts: 714
Joined: Wed Dec 05, 2012 11:48 pm
Location: Belgium

Re: Signalex USB hub possibly containing malware?!

Thu Jan 03, 2013 2:46 pm

-rst- wrote: the bugger appears (to 'lsusb') as two devices: one the hub and another obviously a HID/Keyboard.

I'd take it apart to see if it's a hardware add-on or if someone tampered with the firmware. I bet it's the second tho...

-rst-
Posts: 1316
Joined: Thu Nov 01, 2012 12:12 pm
Location: Dublin, Ireland

Re: Signalex USB hub possibly containing malware?!

Fri Jan 04, 2013 2:15 pm

Surprisingly easy to open (and slots nicely back together as well) - nothing suspicious (hi-res of the backside here), so firmware I guess...
Attachments: Signalex4PortUSBHubOpen2b.jpg, Signalex4PortUSBHubOpen1.JPG

scruss
Posts: 3212
Joined: Sat Jun 09, 2012 12:25 pm
Location: Toronto, ON

Re: Signalex USB hub possibly containing malware?!

Fri Jan 04, 2013 3:08 pm

That's pretty evil, embedding a webkey into a hub. It looks like it's only calling up Google, but it could have been worse.
‘Remember the Golden Rule of Selling: “Do not resort to violence.”’ — McGlashan.
Pronouns: he/him

Burngate
Posts: 6302
Joined: Thu Sep 29, 2011 4:34 pm
Location: Berkshire UK Tralfamadore

Re: Signalex USB hub possibly containing malware?!

Fri Jan 04, 2013 3:52 pm

scruss wrote: That's pretty evil, embedding a webkey into a hub. It looks like it's only calling up Google, but it could have been worse.

And the next iteration will be worse

-rst-
Posts: 1316
Joined: Thu Nov 01, 2012 12:12 pm
Location: Dublin, Ireland

Re: Signalex USB hub possibly containing malware?!

Mon Jan 21, 2013 3:28 pm

Dealz (Poundland) have not replied to my web enquiry ...well, it's not yet 6 weeks they promise ;)

Don't think I want to waste time going back to the shop - pretty sure there's no one there that would have a clue what I am talking about...

RaTTuS
Posts: 10559
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: Signalex USB hub possibly containing malware?!

Mon Jan 21, 2013 3:56 pm

you really want a powered one anyway .....
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe

-rst-
Posts: 1316
Joined: Thu Nov 01, 2012 12:12 pm
Location: Dublin, Ireland

Re: Signalex USB hub possibly containing malware?!

Wed Jan 23, 2013 3:45 pm

Was thinking of DIY powering this one... ;)

alagregg
Posts: 3
Joined: Sun Jan 27, 2013 5:02 pm

Re: Signalex USB hub possibly containing malware?!

Sun Jan 27, 2013 5:07 pm

Hi,

They're still selling these dodgy hubs.
Picked one up from poundland today, plugged it in and it ran firefox and loaded google.

Don't know if it does anything else, but seeing as it has the hardware to be a human-interface-device/keyboard I'm not going to use it. Who knows what else it could try and run.

Be interesting to hear if poundland gets back to you.

-rst-
Posts: 1316
Joined: Thu Nov 01, 2012 12:12 pm
Location: Dublin, Ireland

Re: Signalex USB hub possibly containing malware?!

Mon Jan 28, 2013 11:34 am

I have been contemplating whether this is a serious enough issue to phone them right away, but guess I'll wait until their promised response time just to see and only then phone them.

redhawk
Posts: 3465
Joined: Sun Mar 04, 2012 2:13 pm
Location: ::1

Re: Signalex USB hub possibly containing malware?!

Mon Jan 28, 2013 1:36 pm

If you check with lsusb with the hub connected does it list a HID device as well as the hub??

Richard S.

pwinwood
Posts: 79
Joined: Mon Jul 02, 2012 2:21 am
Location: Oxford, England

Re: Signalex USB hub possibly containing malware?!

Mon Jan 28, 2013 1:45 pm

redhawk wrote: If you check with lsusb with the hub connected does it list a HID device as well as the hub??

Yes it reports a keyboard HID device as well as a hub.
Works well enough as a full speed (but not high speed) USB 2.0 device.
I have made mine powered - there are tracks to the edge for a power supply and provision for a short PCB mount capacitor.

redhawk
Posts: 3465
Joined: Sun Mar 04, 2012 2:13 pm
Location: ::1

Re: Signalex USB hub possibly containing malware?!

Mon Jan 28, 2013 1:57 pm

Could you copy and paste lsusb results? I am curious about the vendor and product id for the hub / HID.

I did some searching on Google but apart from this forum no one else has reported this strange behaviour yet.
Perhaps there are only a handful of affected devices in circulation, who knows. I just hope my wifi dongle isn't secretly communicating with script kiddies. :)

Richard S.

-rst-
Posts: 1316
Joined: Thu Nov 01, 2012 12:12 pm
Location: Dublin, Ireland

Re: Signalex USB hub possibly containing malware?!

Mon Jan 28, 2013 4:55 pm

I can try to (time... you know) do that when I get home this evening - I am pretty much sure the output was missing the vendor/product info...

I am pretty much sure that most Poundland/Dealz customers would just not realise there was something odd with this :roll:

cyrano
Posts: 714
Joined: Wed Dec 05, 2012 11:48 pm
Location: Belgium

Re: Signalex USB hub possibly containing malware?!

Mon Jan 28, 2013 6:51 pm

redhawk wrote: Could you copy and paste lsusb results? I am curious about the vendor and product id for the hub / HID.

I did some searching on Google but apart from this forum no one else has reported this strange behaviour yet.
Perhaps there are only a handful of affected devices in circulation, who knows. I just hope my wifi dongle isn't secretly communicating with script kiddies. :)

Richard S.

Stuff like this seldom gets to the mainstream online press. I seem to remember at least a couple of reported cases. And there was also a harddisk that was really a USB stick. It just deleted older files when the USB stick filled up. If you can imagine writing special firmware to sell a couple of "harddisks", writing something like this seems easy.

-rst-
Posts: 1316
Joined: Thu Nov 01, 2012 12:12 pm
Location: Dublin, Ireland

Re: Signalex USB hub possibly containing malware?!

Mon Jan 28, 2013 9:40 pm

After boot with just keyboard:

Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0424:9512 Standard Microsystems Corp.
Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp.
Bus 001 Device 005: ID 0603:00f2 Novatek Microelectronics Corp.

After inserting the hub (and witnessing the 'www.google.com' appearing with 'command not found'):

Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0424:9512 Standard Microsystems Corp.
Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp.
Bus 001 Device 005: ID 0603:00f2 Novatek Microelectronics Corp.
Bus 001 Device 006: ID 0000:0606
Bus 001 Device 007: ID 0000:0606

And the verbose for ID 0000:0606:

Bus 001 Device 006: ID 0000:0606
Couldn't open device, some information will be missing
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0         8
  idVendor           0x0000
  idProduct          0x0606
  bcdDevice            7.02
  iManufacturer           1
  iProduct                2
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           25
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0xe0
      Self Powered
      Remote Wakeup
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         9 Hub
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0001  1x 1 bytes
        bInterval             255

Bus 001 Device 007: ID 0000:0606
Couldn't open device, some information will be missing
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0         8
  idVendor           0x0000
  idProduct          0x0606
  bcdDevice            7.02
  iManufacturer           1
  iProduct                2
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           34
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
      iInterface              0
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.10
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      95
         Report Descriptors:
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval             255

...surprised it didn't output something along 'Hackerz Inc - U R pwned' :lol:
http://raspberrycompote.blogspot.com/ - Low-level graphics and 'Coding Gold Dust'
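
The pattern in the listing above (one ID, 0000:0606, enumerating once as a hub and once as a boot keyboard) can be checked for mechanically. This is an added example, not code from any poster in the thread; the function names and the two heuristics are assumptions chosen for illustration, and the 0603:00f2 stanza in the sample is constructed.

```python
import re
from collections import defaultdict

# Trimmed from the `lsusb -v` output posted above. The 0603:00f2 stanza is
# constructed (the thread has no verbose output for that keyboard).
SAMPLE = """\
Bus 001 Device 005: ID 0603:00f2 Novatek Microelectronics Corp.
      bInterfaceClass         3 Human Interface Device
      bInterfaceProtocol      1 Keyboard
Bus 001 Device 006: ID 0000:0606
      bInterfaceClass         9 Hub
      bInterfaceProtocol      0 Full speed (or root) hub
Bus 001 Device 007: ID 0000:0606
      bInterfaceClass         3 Human Interface Device
      bInterfaceProtocol      1 Keyboard
"""

HUB, HID, KEYBOARD = 9, 3, 1
HEADER = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})")
FIELD = re.compile(r"^\s+bInterface(Class|Protocol)\s+(\d+)")

def parse_devices(text):
    """Split lsusb -v text into devices with their (class, protocol) interfaces."""
    devices, cls = [], None
    for line in text.splitlines():
        head, field = HEADER.match(line), FIELD.match(line)
        if head:
            devices.append({"addr": f"{head[1]}:{head[2]}",
                            "id": f"{head[3]}:{head[4]}".lower(), "interfaces": []})
            cls = None
        elif field and devices:
            if field[1] == "Class":
                cls = int(field[2])
            elif cls is not None:  # protocol line completes the interface entry
                devices[-1]["interfaces"].append((cls, int(field[2])))
    return devices

def flag_keyboards(devices):
    """Return (addr, id, reasons) for keyboards matching the thread's pattern."""
    classes_by_id = defaultdict(set)
    for dev in devices:
        classes_by_id[dev["id"]].update(c for c, _ in dev["interfaces"])
    findings = []
    for dev in devices:
        if (HID, KEYBOARD) not in dev["interfaces"]:
            continue
        reasons = []
        if HUB in classes_by_id[dev["id"]]:
            reasons.append("same VID:PID also enumerates as a hub")
        if dev["id"].startswith("0000:"):
            reasons.append("idVendor is 0x0000")
        if reasons:
            findings.append((dev["addr"], dev["id"], reasons))
    return findings
```

Calling `flag_keyboards(parse_devices(text))` on `lsusb -v` output captured before and after plugging in a device shows whether a keyboard interface arrived along with it.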

ant_thomas
Posts: 115
Joined: Fri May 04, 2012 4:33 pm

Re: Signalex USB hub possibly containing malware?!

Fri Feb 08, 2013 3:57 pm

Bought one of these from Poundland then remembered this thread. It does exactly the same. Winkey+R then "www.google.com"

I know my soldering is pretty bad but this is disgusting for a retail device...

Image

RPickers
Posts: 2
Joined: Mon Jul 22, 2013 6:12 pm

Re: Signalex USB hub possibly containing malware?!

Mon Jul 22, 2013 6:19 pm

Hi all!

I am looking at making a cheap powered usb hub and bought one of these in poundland today and noticed the shoddy soldering but figured I could put it right; however this browser issue has me concerned. Any update?

Otherwise I really want a hub which is a linear row of sockets, rather than the star, as I was hoping to mount the usb board in a custom box - any other recommendations for hardware?

Thank you!
