Results 1 to 8 of 8

Thread: u3 usb security risks

  1. #1
    Member
    Join Date
    Sep 2006
    Location
    At a keyboard
    Posts
    82

    Question u3 usb security risks

    If anyones been keeping up with the development of u3, a newer usb tech. You have probly heard of the software that is being black hatted that uses these drives to basicaly own a win2k box or greater simply by plugging it in. The open source project which I found quite alarming only requires the u3 usb device to be plugged in and auto discovered and opened to install what ever software has been configured as a payload. No keyboard interaction required, no admin access needed.

    I know that turning off auto exec for usb devices will slow the person down, but that just leave the payload to be manually activated, and that disabling usb altogether is the best idea but not always possible. I have only glimpsed at the project and source, but the trend seems to be to hide the payload as a ms update in $winnt-uninstall-kb-blah blah. What I am thinking is that the detection of the installation would have to involve going into add remove programs and actually noting each update. What I would like to know is there a way to automatically pull the update names to a text file? Either from the reg or some other place that I don't know of, so that a batch file could pole the windows updates uninstall folders residing in c:\windows and compare them to the actual updates that have been installed? If its possible then a pretty simple batch script, (or prog lang of your choice) could be used to actually detect the machine has been comprimised and even tell you where the suspect folder is, mabey even pop open any suspect folder for manual inspection. From there it would have to be a standard clean up I guess but since I havent heard of anything that can truely detect the exploit even most of the time.

    Any input on the subject is welcome.

    -----------------------edit------------------
    I might have answered my own question. The c:\windows\WindowsUpdate.log seems to have the info, just need to parse it.
    "I have died, I will die, It's alright, I don't mind"

  2. #2
    Junior Member
    Join Date
    Feb 2006
    Posts
    12
    Having software automatically install is always a bad idea. I have one of these drives and have not been very pleased with the U3 software.

    Here is a link to uninstall the U3 software.
    *warning* Will remove all data on flash drive.

    http://u3.com/uninstall/

  3. #3
    Member
    Join Date
    Sep 2006
    Location
    At a keyboard
    Posts
    82
    Originally posted here by patrande1
    Having software automatically install is always a bad idea. I have one of these drives and have not been very pleased with the U3 software.

    Here is a link to uninstall the U3 software.
    *warning* Will remove all data on flash drive.

    http://u3.com/uninstall/
    You missed my point entirely. It's not my usb drive Im worried about.
    "I have died, I will die, It's alright, I don't mind"

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    It is all a question of physical security. CD and DVD drives pose the same threat as the USB drive

  5. #5
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    If someone can gain access to a PC and, for a bonus, they have no-one looking over their shoulder whilst they're doing whatever they want, it's game over as far as the PC's security is concerned.

    I know that the U3 technology allows the dirty work to be done silently whilst apparantly (for instance) simply printing out a document from the USB via the PC.

    The moral is to disable autoplay or press Shift as the U3 USB is inserted.

  6. #6
    Member
    Join Date
    Sep 2006
    Location
    At a keyboard
    Posts
    82
    Mabey I was a little too drawn out in my first post. What I am trying to do is devise a method of identifing that the machine has been compromised, mabey in a hap hazard fasion. anything will do until Ms releases a patch or until an AV company or the people behind spybot release an update that will detect the machine been bugged. The update log would work for pulling the update names, but I would actually prefer to pull it from the same place that the add remove programs list does, I just dont know where that would be or if it would be at all possible.

    I'm hoping some of the old timers could give me a little advise here.
    "I have died, I will die, It's alright, I don't mind"

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    You might try something like this:

    http://nzsb.web.elte.hu/antikeyloggeren.html

    And this:

    http://digilander.libero.it/zancart/winsonar.html

    There are some other tools on the second site as well.

    The basic concept is to register valid software and warn you if anything new has been added. Winsonar will also block unknown applications whilst you are connected to the net.

  8. #8
    Member
    Join Date
    Sep 2006
    Location
    At a keyboard
    Posts
    82
    Thinks for the links Nihil, I'll check those out when I get home to see if they will do the trick.
    "I have died, I will die, It's alright, I don't mind"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •