{"title":"USB Rubber Ducky Detection by using Heuristic Rules","authors":"Lakshay Arora, Narina Thakur, S. Yadav","doi":"10.1109/ICCCIS51004.2021.9397064","DOIUrl":null,"url":null,"abstract":"With the rise in tightening of the Cybersecurity rules and policies implemented by the corporate houses, the work that malicious hackers need to do to compromise a system has risen exponentially. A significant part of a hacker's work goes into the bypassing of the firewalls and intrusion into the main systems. A comparatively easy way to bypass all systems is USB rubber ducky, which is a simple USB stick that impersonates a keyboard by changing its hardware ID and thus executing commands as if a user was manually typing them. This attack has proved to exploit the least proficient part of cyber-defense that is humans. In this research paper, we discuss a utility that can easily detect malicious USB by using heuristic checks. This utility, named ducky-detector, can easily segregate keyboard input by finding the discrepancies that arise due to the automated functioning of the USB rubber ducky device. Ducky-Detector has proved to out-smarten all the present solutions to this problem with almost perfect accuracy, no false positives, and really low computational power required. Ducky detector has been tested against a wide variety of commercial and free Antivirus software with variable payloads, thus simulating a real-life scenario where payloads can vary to any extent. 
Ducky-detector induces a mere 0.9% overhead on a Linux distribution system.","PeriodicalId":316752,"journal":{"name":"2021 International Conference on Computing, Communication, and Intelligent Systems (ICCCIS)","volume":"6 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-02-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 International Conference on Computing, Communication, and Intelligent Systems (ICCCIS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICCCIS51004.2021.9397064","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 3
Abstract
With the rise in tightening of the Cybersecurity rules and policies implemented by the corporate houses, the work that malicious hackers need to do to compromise a system has risen exponentially. A significant part of a hacker's work goes into the bypassing of the firewalls and intrusion into the main systems. A comparatively easy way to bypass all systems is USB rubber ducky, which is a simple USB stick that impersonates a keyboard by changing its hardware ID and thus executing commands as if a user was manually typing them. This attack has proved to exploit the least proficient part of cyber-defense that is humans. In this research paper, we discuss a utility that can easily detect malicious USB by using heuristic checks. This utility, named ducky-detector, can easily segregate keyboard input by finding the discrepancies that arise due to the automated functioning of the USB rubber ducky device. Ducky-Detector has proved to out-smarten all the present solutions to this problem with almost perfect accuracy, no false positives, and really low computational power required. Ducky detector has been tested against a wide variety of commercial and free Antivirus software with variable payloads, thus simulating a real-life scenario where payloads can vary to any extent. Ducky-detector induces a mere 0.9% overhead on a Linux distribution system.