USB key auto installing trojan/backdoor

Networking/Security Forums -> Physical Security and Social Engineering

Author: WaKkO PostPosted: Tue Apr 24, 2007 1:35 pm    Post subject: USB key auto installing trojan/backdoor
    ----
Hello,

Is anybody aware of any downloadable images preconfigured so after plugging in, a keylogger, backdoor, ... or other things are automatically installed (ex: connect to IRC botnet channel) ?

I need this for a security awareness session at a client. I have been looking around, but could't find it yet.

Author: PhiBerLocation: Your MBR PostPosted: Tue Apr 24, 2007 8:45 pm    Post subject:
    ----
You are looking for some pre-configured malware that has an easy to use GUI interface that will automatically push trojan and keylogger installations?

Author: WaKkO PostPosted: Wed Apr 25, 2007 11:39 am    Post subject:
    ----
Indeed, as stated before, for a security awareness session.

It doesn't need a GUI, just needs to launch some applications (for example a keylogger) that is automatically launched after insertion of a usb stick

Author: EOS PostPosted: Wed Apr 25, 2007 2:29 pm    Post subject:
    ----
WaKko - Good luck with this.

A friend of mine was trying to do this exact same thing for his senior project in college and was unable to get any feedback from security sites because, as you probably know, the question comes off as suspicious activity that most people will not help with.

He ended up getting one of his programming buddies to write some sample code for him so he at least had a small demonstration.

Author: WaKkO PostPosted: Thu Apr 26, 2007 1:44 pm    Post subject:
    ----
EOS, you are right. The security community does not seem to give any input. The hacking community did however Wink

Some usefull info I received:

- USB sticks need to be of the type "U3" otherwise autorun won't work

- USB Hacksaw , written by the Hak5 crew is some tool that does stuff like this. I didn't find a valid download until now though

Author: PhiBerLocation: Your MBR PostPosted: Fri Apr 27, 2007 7:01 pm    Post subject:
    ----
Quote:
- USB sticks need to be of the type "U3" otherwise autorun won't work


It appeared to me that you were looking for something on the lines of this, a program that uses a USB key to infect a computer and install keylogger and rootkit technologies. The hacksaw program basically podslurps everything off of USB and external drives. In addition, even if a usb stick is U3, an administrator can disable autorun via group policy to prevent attacks such as these.

Your original post said:
Quote:
Is anybody aware of any downloadable images preconfigured so after plugging in, a keylogger, backdoor, ... or other things are automatically installed (ex: connect to IRC botnet channel) ?


I interpret this as, "after plugging in a USB drive, a keylogger or backdoor will be installed on the host PC." Please correct me if I am wrong.

Author: WaKkO PostPosted: Wed May 02, 2007 2:18 pm    Post subject:
    ----
PhiBer wrote:
It appeared to me that you were looking for something on the lines of this, a program that uses a USB key to infect a computer and install keylogger and rootkit technologies.


That's right.


PhiBer wrote:

Your original post said:
Quote:
Is anybody aware of any downloadable images preconfigured so after plugging in, a keylogger, backdoor, ... or other things are automatically installed (ex: connect to IRC botnet channel) ?

I interpret this as, "after plugging in a USB drive, a keylogger or backdoor will be installed on the host PC." Please correct me if I am wrong.


Indeed, that's what i'm looking for.

Author: PhiBerLocation: Your MBR PostPosted: Wed May 02, 2007 6:24 pm    Post subject:
    ----
Quote:
Indeed, that's what i'm looking for.

If the above is true, then the below is false (as Hacksaw is not that program):
Quote:
- USB Hacksaw , written by the Hak5 crew is some tool that does stuff like this. I didn't find a valid download until now though


What you are looking for would require the following components:

1. U3 capable drive or non-U3 USB drive that has been altered to appear as non-removable to Windows (a requirement for regular USB to autorun)

Per Microsoft in regards to autorun capability and non-U3 drives:

Quote:
Q: What must I do to trigger Autorun on my USB storage device?
The Autorun capabilities are restricted to CD-ROM drives and fixed disk drives. If you need to make a USB storage device perform Autorun, the device must not be marked as a removable media device and the device must contain an Autorun.inf file and a startup application.

The removable media device setting is a flag contained within the SCSI Inquiry Data response to the SCSI Inquiry command. Bit 7 of byte 1 (indexed from 0) is the Removable Media Bit (RMB). A RMB set to zero indicates that the device is not a removable media device. A RMB of one indicates that the device is a removable media device. Drivers obtain this information by using the StorageDeviceProperty request.


Autorun USB might do the trick for you, but I have not used nor tested it. You may need to do some research on getting USB to appear as non-removable.

2. That autorun functionality has not been disabled - If you are a smart sysadmin, this should be done by default via GPO.

3. That the installed antivirus software will not automatically detect the trojan/malware

After the above prerequisites have been met, you should be able to tweak just about any keylogger or trojan to run. Is there a corporate version that does this? I have not seen any, and in my opinion, there is good reason for this, especially with the amount of data theft that has been going on as of late.

Edit: By the way, in the social engineering attack, Autorun was *not* used. The bank employees merely clicked on executables that were marked as picture.jpeg.exe (with the exe extensions being hidden by default within windows).



Networking/Security Forums -> Physical Security and Social Engineering


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group