Security Forums


USB key auto installing trojan/backdoor

WaKkO
Just Arrived
Joined: 08 May 2004
Posts: 0

Posted: Tue Apr 24, 2007 1:35 pm    Post subject: USB key auto installing trojan/backdoor

Hello,

Is anybody aware of any downloadable images preconfigured so after plugging in, a keylogger, backdoor, ... or other things are automatically installed (ex: connect to IRC botnet channel) ?

I need this for a security awareness session at a client. I have been looking around, but couldn't find it yet.

PhiBer
SF Mod
Joined: 11 Mar 2003
Posts: 20
Location: Your MBR

Posted: Tue Apr 24, 2007 8:45 pm

You are looking for some pre-configured malware that has an easy to use GUI interface that will automatically push trojan and keylogger installations?

WaKkO
Just Arrived
Joined: 08 May 2004
Posts: 0

Posted: Wed Apr 25, 2007 11:39 am

Indeed, as stated before, for a security awareness session.

It doesn't need a GUI, just needs to launch some applications (for example a keylogger) that is automatically launched after insertion of a USB stick.

EOS
Just Arrived
Joined: 24 Sep 2005
Posts: 1

Posted: Wed Apr 25, 2007 2:29 pm

WaKko - Good luck with this.

A friend of mine was trying to do this exact same thing for his senior project in college and was unable to get any feedback from security sites because, as you probably know, the question comes off as suspicious activity that most people will not help with.

He ended up getting one of his programming buddies to write some sample code for him so he at least had a small demonstration.

WaKkO
Just Arrived
Joined: 08 May 2004
Posts: 0

Posted: Thu Apr 26, 2007 1:44 pm

EOS, you are right. The security community does not seem to give any input. The hacking community did however ;)

Some useful info I received:

- USB sticks need to be of the type "U3" otherwise autorun won't work

- USB Hacksaw, written by the Hak5 crew is some tool that does stuff like this. I didn't find a valid download until now though

PhiBer
SF Mod
Joined: 11 Mar 2003
Posts: 20
Location: Your MBR

Posted: Fri Apr 27, 2007 7:01 pm

Quote:
- USB sticks need to be of the type "U3" otherwise autorun won't work


It appeared to me that you were looking for something on the lines of this, a program that uses a USB key to infect a computer and install keylogger and rootkit technologies. The hacksaw program basically podslurps everything off of USB and external drives. In addition, even if a USB stick is U3, an administrator can disable autorun via group policy to prevent attacks such as these.

Your original post said:
Quote:
Is anybody aware of any downloadable images preconfigured so after plugging in, a keylogger, backdoor, ... or other things are automatically installed (ex: connect to IRC botnet channel) ?


I interpret this as, "after plugging in a USB drive, a keylogger or backdoor will be installed on the host PC." Please correct me if I am wrong.

WaKkO
Just Arrived
Joined: 08 May 2004
Posts: 0

Posted: Wed May 02, 2007 2:18 pm

PhiBer wrote:
It appeared to me that you were looking for something on the lines of this, a program that uses a USB key to infect a computer and install keylogger and rootkit technologies.


That's right.


PhiBer wrote:

Your original post said:
Quote:
Is anybody aware of any downloadable images preconfigured so after plugging in, a keylogger, backdoor, ... or other things are automatically installed (ex: connect to IRC botnet channel) ?

I interpret this as, "after plugging in a USB drive, a keylogger or backdoor will be installed on the host PC." Please correct me if I am wrong.


Indeed, that's what I'm looking for.

PhiBer
SF Mod
Joined: 11 Mar 2003
Posts: 20
Location: Your MBR

Posted: Wed May 02, 2007 6:24 pm

Quote:
Indeed, that's what I'm looking for.

If the above is true, then the below is false (as Hacksaw is not that program):
Quote:
- USB Hacksaw, written by the Hak5 crew is some tool that does stuff like this. I didn't find a valid download until now though


What you are looking for would require the following components:

1. U3 capable drive or non-U3 USB drive that has been altered to appear as non-removable to Windows (a requirement for regular USB to autorun)

Per Microsoft in regards to autorun capability and non-U3 drives:

Quote:
Q: What must I do to trigger Autorun on my USB storage device?
The Autorun capabilities are restricted to CD-ROM drives and fixed disk drives. If you need to make a USB storage device perform Autorun, the device must not be marked as a removable media device and the device must contain an Autorun.inf file and a startup application.

The removable media device setting is a flag contained within the SCSI Inquiry Data response to the SCSI Inquiry command. Bit 7 of byte 1 (indexed from 0) is the Removable Media Bit (RMB). A RMB set to zero indicates that the device is not a removable media device. A RMB of one indicates that the device is a removable media device. Drivers obtain this information by using the StorageDeviceProperty request.


Autorun USB might do the trick for you, but I have not used nor tested it. You may need to do some research on getting USB to appear as non-removable.

2. That autorun functionality has not been disabled - If you are a smart sysadmin, this should be done by default via GPO.

3. That the installed antivirus software will not automatically detect the trojan/malware

After the above prerequisites have been met, you should be able to tweak just about any keylogger or trojan to run. Is there a corporate version that does this? I have not seen any, and in my opinion, there is good reason for this, especially with the amount of data theft that has been going on as of late.

Edit: By the way, in the social engineering attack, Autorun was *not* used. The bank employees merely clicked on executables that were marked as picture.jpeg.exe (with the exe extensions being hidden by default within Windows).
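
A defender-side view of the conditions discussed in the last post, as an added example that is not part of the thread: the Python below reads the Removable Media Bit from standard SCSI INQUIRY data, checks whether a NoDriveTypeAutoRun policy mask turns AutoRun off for the drive class the device reports, and flags file names like picture.jpeg.exe. The INQUIRY bytes, mask values, extension lists and function names are constructed for illustration; the peripheral device type field and the policy bit values come from the SCSI and Windows documentation rather than from the thread.

```python
# Added example (not from the thread): defender-side checks for the conditions
# discussed above. All sample bytes, masks and file names are constructed.
import ntpath

# Bits of the Windows NoDriveTypeAutoRun policy value; a set bit turns AutoRun
# off for that drive type (0xFF turns it off for every type).
NO_AUTORUN = {"removable": 0x04, "fixed": 0x08, "cdrom": 0x20}

# Illustrative extension lists (assumptions, extend for your environment).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}


def drive_class(inquiry: bytes) -> str:
    """Classify a device from the first bytes of its standard INQUIRY data."""
    if len(inquiry) < 2:
        raise ValueError("INQUIRY data needs at least 2 bytes")
    if inquiry[0] & 0x1F == 0x05:  # peripheral device type 05h: CD/DVD
        return "cdrom"
    # Bit 7 of byte 1 is the Removable Media Bit (RMB): 1 = removable media.
    return "removable" if inquiry[1] & 0x80 else "fixed"


def autorun_blocked(policy_mask: int, inquiry: bytes) -> bool:
    """True if the policy disables AutoRun for the class this device reports."""
    return bool(policy_mask & NO_AUTORUN[drive_class(inquiry)])


def masquerading_executable(filename: str) -> bool:
    """Flag an executable extension hiding behind a decoy document/image one."""
    stem, ext = ntpath.splitext(ntpath.basename(filename).lower())
    return ext in EXECUTABLE_EXTS and ntpath.splitext(stem)[1] in DECOY_EXTS


if __name__ == "__main__":
    samples = {  # constructed 2-byte INQUIRY prefixes
        "flash drive, RMB=1": bytes([0x00, 0x80]),
        "disk, RMB=0": bytes([0x00, 0x00]),
        "CD/DVD device type": bytes([0x05, 0x80]),
    }
    for mask in (0x95, 0xFF):  # constructed policy values
        for label, inq in samples.items():
            print(f"mask={mask:#04x} {label:20} blocked={autorun_blocked(mask, inq)}")
    print(masquerading_executable(r"E:\photos\picture.jpeg.exe"))
```

With the constructed mask 0x95 only the RMB=1 device is covered, which is why a policy audit should look for 0xFF rather than assume removable-only coverage is enough.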

All times are GMT + 2 Hours