If anyone's been keeping up with the development of U3, a newer USB tech, you have probably heard of the software that is being black-hatted that uses these drives to basically own a Win2k box or greater simply by plugging it in. The open source project, which I found quite alarming, only requires the U3 USB device to be plugged in and auto-discovered and opened to install whatever software has been configured as a payload. No keyboard interaction required, no admin access needed.
I know that turning off auto exec for USB devices will slow the person down, but that just leaves the payload to be manually activated, and that disabling USB altogether is the best idea but not always possible. I have only glimpsed at the project and source, but the trend seems to be to hide the payload as an MS update in $winnt-uninstall-kb-blah blah. What I am thinking is that the detection of the installation would have to involve going into Add/Remove Programs and actually noting each update. What I would like to know is: is there a way to automatically pull the update names to a text file? Either from the registry or some other place that I don't know of, so that a batch file could poll the Windows update uninstall folders residing in c:\windows and compare them to the actual updates that have been installed? If it's possible then a pretty simple batch script (or prog lang of your choice) could be used to actually detect that the machine has been compromised and even tell you where the suspect folder is, maybe even pop open any suspect folder for manual inspection. From there it would have to be a standard clean up I guess, but I haven't heard of anything that can truly detect the exploit even most of the time.
Any input on the subject is welcome.
I might have answered my own question. The c:\windows\WindowsUpdate.log seems to have the info, just need to parse it.
October 13th, 2006, 06:02 AM
Having software automatically install is always a bad idea. I have one of these drives and have not been very pleased with the U3 software.
Here is a link to uninstall the U3 software.
*warning* Will remove all data on flash drive.
You missed my point entirely. It's not my USB drive I'm worried about.
October 13th, 2006, 02:50 PM
It is all a question of physical security. CD and DVD drives pose the same threat as the USB drive ;)
October 13th, 2006, 04:58 PM
If someone can gain access to a PC and, for a bonus, they have no-one looking over their shoulder whilst they're doing whatever they want, it's game over as far as the PC's security is concerned.
I know that the U3 technology allows the dirty work to be done silently whilst apparently (for instance) simply printing out a document from the USB via the PC.
The moral is to disable autoplay or press Shift as the U3 USB is inserted.
October 13th, 2006, 05:19 PM
Maybe I was a little too drawn out in my first post. What I am trying to do is devise a method of identifying that the machine has been compromised, maybe in a haphazard fashion. Anything will do until MS releases a patch or until an AV company or the people behind Spybot release an update that will detect the machine having been bugged. The update log would work for pulling the update names, but I would actually prefer to pull it from the same place that the Add/Remove Programs list does, I just don't know where that would be or if it would be at all possible.
I'm hoping some of the old timers could give me a little advice here.
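A starting point for the comparison the thread asks about, as an added PowerShell example (not code from the thread or from any U3 project). It assumes the Windows 2000/XP/2003 hotfix layout, where each update registers a key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (the list Add/Remove Programs reads) and owns a hidden %WINDIR%\$NtUninstallKBnnnnnn$ folder; the script's parameters and report path are my own choices.

```powershell
# Added example, not from the thread: find hotfix-uninstall folders in %WINDIR%
# that no Add/Remove Programs entry claims. Assumes the 2000/XP/2003 layout
# (Uninstall\KBnnnnnn registry key + hidden $NtUninstallKBnnnnnn$ folder).
param(
    [string]$WinDir     = $env:WINDIR,
    [string]$ReportPath = (Join-Path $env:TEMP 'update-folder-audit.txt'),
    [switch]$Open       # open each suspect folder in Explorer for manual inspection
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# 1. Registered entries: the same source Add/Remove Programs reads.
#    Keyed by the id that appears in the folder name (e.g. kb123456).
$registered = @{}
foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($entry in Get-ChildItem $key) {
        $props = Get-ItemProperty $entry.PSPath
        $registered[$entry.PSChildName.ToLower()] = $props.DisplayName
        # The UninstallString names the folder the hotfix actually owns.
        if ("$($props.UninstallString)" -match '\$NtUninstall([^$\\]+)\$') {
            $registered[$Matches[1].ToLower()] = $props.DisplayName
        }
    }
}

# 2. Folders on disk that look like update uninstall folders. They are hidden,
#    so -Force is needed; keep only those with no matching registry entry.
$suspect = Get-ChildItem -Path $WinDir -Force -Filter '$NtUninstall*' |
    Where-Object {
        $_.PSIsContainer -and $_.Name -match '^\$NtUninstall(.+)\$$' -and
        -not $registered.ContainsKey($Matches[1].ToLower())
    }

# 3. Report: one line per unregistered folder, with its creation time.
$lines = @("Registered Uninstall entries: $($registered.Count)")
foreach ($d in $suspect) {
    $lines += "UNREGISTERED: $($d.FullName)  created $($d.CreationTime)"
    if ($Open) { Start-Process explorer.exe -ArgumentList $d.FullName }
}
$lines | Out-File -FilePath $ReportPath
$lines
```

A folder is listed only when no Uninstall entry claims it, so a hit is a pointer for manual inspection (the creation time helps date it), not proof of compromise.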