OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: USB delivered attacks

mak_penhotmail.com
Date: Thu Jun 03 2004 - 14:38:44 CDT

In-Reply-To: <40BCBB44.7050202linuxbox.org>

the mere fact that its usb has nothing to do with the attack its self. what is to blame is that autorun is enabled by default on windows XP. that is why the attack works. usb makes it convenient to stick the memmory stick in any computer and have the user just open the memmory stick and the attack works and no antivirus or anything detects this till now.

in short,
usb = convenience
autorun = culprit (so to speak)

>Received: (qmail 25692 invoked from network); 1 Jun 2004 18:40:52 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
> by mail.securityfocus.com with SMTP; 1 Jun 2004 18:40:52 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
> by outgoing2.securityfocus.com (Postfix) with QMQP
> id AC217143788; Tue, 1 Jun 2004 20:31:57 -0600 (MDT)
>Mailing-List: contact pen-test-helpsecurityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <pen-test.list-id.securityfocus.com>
>List-Post: <mailto:pen-testsecurityfocus.com>
>List-Help: <mailto:pen-test-helpsecurityfocus.com>
>List-Unsubscribe: <mailto:pen-test-unsubscribesecurityfocus.com>
>List-Subscribe: <mailto:pen-test-subscribesecurityfocus.com>
>Delivered-To: mailing list pen-testsecurityfocus.com
>Delivered-To: moderator for pen-testsecurityfocus.com
>Received: (qmail 7550 invoked from network); 1 Jun 2004 16:09:32 -0000
>Message-ID: <40BCBB44.7050202linuxbox.org>
>Date: Tue, 01 Jun 2004 19:22:12 +0200
>From: Gadi Evron <gelinuxbox.org>
>User-Agent: Mozilla Thunderbird 0.6 (Windows/20040502)
>X-Accept-Language: en
>MIME-Version: 1.0
>To: "Antonio Fontes 'Saphyr'" <saphyrnxtg.net>
>Cc: pen-testsecurityfocus.com
>Subject: Re: USB delivered attacks
>References: <002401c44458$53b94c80$9701010aJASEVO> <000c01c4475b$e1ed7c50$6401a8c0phoenix> <007101c447b7$55ffa0e0$c1fc17d4shania>
>In-Reply-To: <007101c447b7$55ffa0e0$c1fc17d4shania>
>X-Enigmail-Version: 0.84.0.0
>X-Enigmail-Supports: pgp-inline, pgp-mime
>Content-Type: text/plain; charset=us-ascii; format=flowed
>Content-Transfer-Encoding: 7bit
>X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=ham
> version=2.63
>X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on linuxbox.org
>
>> In order to put some 'practice' on this attack, I ve been trying this night
>> to effectively use autorun mechanisms and see what could be possible.
>>
>> After reading the MSDN specs about autorun.inf file creation, I added
>> an autorun.inf into my USB device along with a little batch script whose
>> purpose was to copy the 'SAM' table and copy of the 'SET' command
>> result into a specific folder on the usb device.
>>
>> Nothing happens... Even after being sure auto-run is enabled. Something
>> should be missing... are there specific operating systems that disable
>> auto-run by default ? (I am using windows 2000)
>>
>> However, burning the batch + autorun file onto a cd-rom and inserting
>> it into the tray makes the auto-run sequence loading...
>>
>> So 2-cents question: which os'es do really use USB devices auto-run
>> and on which USB devices does it work ? (not a usb hard-disk key it
>> seems)...
>
>USB devices install a driver, nothing to do with autorun.inf that I know
>of.. You mis-understood.
>
>As your test suggested, it does work when using a CD.
>:)
>
> Gadi.
>
>--
>Email: gelinuxbox.org. Work: gadiecbs.gov.il. Backup: gewarp.mx.dk.
>Phone: +972-50-428610 (Cell).
>
>PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
>ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
>GPG key for encrypted email:
>http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
>ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450
>
>