USB Hacksaw

Ameri-CAIN
Posts: 121
Joined: Thu Nov 01, 2007 9:11 am
Location: Orange County, California


#1 Post by Ameri-CAIN »

I am by no means promoting this by posting it, however I think the people here should be especially aware of this Hack. Basically, The contents of your USB drive can be copied and e-mailed to someone simply by you plugging in your USB drive to an infected PC. This particular version listed below is picked up by Symantec Anti Virus which will quarantine sbs.exe and send.bat. There are ways to keep it from being recognized however. If you encrypt the private stuff on your USB Key with something like Challenger, or True Crypt, the encrypted files will be emailed Encrypted, therefore useless to the hacker. Here are some links that explain better as to what this hack actually does...

Watch the first few minutes of this episode of Hak5 for a better explanation.

http://www.youtube.com/watch?v=b1XfIoVMhL8

Here is the info on the Hak5 Website...

http://wiki.hak5.org/wiki/USB_Hacksaw

M@tty
Posts: 192
Joined: Wed May 02, 2007 9:32 am

#2 Post by M@tty »

I swear if I see anybody posting asking how to use the Hacksaw/Switchblade, I might scream.

Please remove the link to the Hak5 wiki, although your intentions are honourable - posting a link to the information on how to build such a device is only asking for trouble.

Wouldn't it be better to link to the USB antidote?

And Portable ClamWin...

Onesimus Prime
Posts: 133
Joined: Wed Sep 05, 2007 8:42 pm

#3 Post by Onesimus Prime »

Hmmm, not good. Glad to be aware of it, at least. As far as the antidote is concerned, M@tty, from reading the site it looks like the cure's packaged with the disease - does somebody trusted and established on this forum (a Mod. would be good) maybe want to download Hacksaw, extract just the antidote, then zip and post it someplace else for download? Andrew, AlephX, Fluffy, etc.? Or is there another antidote, not from the makers of Hacksaw?

Would Portable Clamwin (or even other anti-virus tools) catch this? Sure, it's apparently been around since February, and Symantec will find some variants according to Ameri-CAIN. But this article mentions that AV programs may or may not notice Hacksaw since it's a compilation of programs that aren't technically viruses. Gah!

I wonder if this would work: have the antidote on your key, and have it in your autorun, or similar. Then run it first thing on any public computer. The provided antidote supposedly "will kill USB Hacksaw processes, delete files, and remove registry changes." So even if Hacksaw had started working already, this would stop it and remove it from the system, leaving the would-be thief with next to nothing? I could be wrong though...

I'd also never heard of Sawblade before either. :shock: I scrolled through the list of packages/packagers...remind me never to borrow Silvrenion's USB drive! :lol: As far as an "antidote," or maybe countermeasure, for that one, what about Write USB Protector (page translated by Google) from Gaijin.at ? It apparently prevents write-access to (all?) USB drives. Doesn't help if you need to copy something to a "foreign" drive, but if you just need to read/copy from it, then this might work?

Off-topic but related:
Does the existence of these threats imply (on the positive side) that there's still hope for somehow auto-running, say, PStart, even when on a public computer?

Ameri-CAIN
Posts: 121
Joined: Thu Nov 01, 2007 9:11 am
Location: Orange County, California

#4 Post by Ameri-CAIN »

Admin or Moderator,

If you find my post of the wiki or video dangerous, by all means remove it with my sincerest apologies. I don't believe in stifling the flow of information, especially when that information can be useful to the community that it has the potential to harm the most. I meant merely to incite constructive conversation on ideas one can use to protect themselves, and perhaps even positive constructive uses of the ideas presented in the hack itself. (i.e. What can we learn from this to solve that problem we were having getting program x to work with guest permissions, or launch silently.)
M@tty,

I am aware that posting information like this can tempt people to step in and use something like this for bad things, but I think people need to be aware of it. Sometimes we get too comfortable carrying our apps, our passwords, our personal pictures and account information with us on our portable devices. (Especially the people in this community.) I just want everyone to be aware of the importance of safeguarding our information when we are on public computers. Encrypting the sensitive info on our drives is the best defense for such an attack. It appears to only send this information on USB insertion. (If I am wrong about this, someone please post a correction!) If so, then let them email themselves 4 gigs worth of my encrypted data. :)

The USB hacks on the Hak5 site also bring to light some very interesting techniques that may give some people here some good ideas for positive portable app programming or perhaps, some other sort of defenses against this. It does illustrate how this hack will work whether or not the user has admin privileges to the machine. The information is already out there. I just wanted to make sure everyone here was aware of it and protects themselves from it.

Queue
Posts: 197
Joined: Mon Oct 08, 2007 2:41 am

#5 Post by Queue »

Well, I took a chance and downloaded their junk. It's all relatively poorly put together. Luckily many of the download links are broken (probably 50%) so people shouldn't be easily getting their hands on some of the more comprehensive versions that were described.

Basically, they have a mess of small utilities to dump passwords (many from NirSoft) and some very crude batch files (executed using nircmd.exe to be hidden) to get all the information gathered, then the batch file e-mails the gathered information to an e-mail account you set up.

For the stuff that drags files off your flash drive when you plug it in, it uses a pretty simple program that's told to run at startup and triggers a mass file copy whenever a new device is plugged in.

As for the antidote, it's simply a crummy batch file that terminates the program(s) set to run at startup, deletes the misleadingly named folder they hide the programs in and removes the startup entry from the registry. Here are the contents of the "antidote" batch file:
taskkill /F /IM sbs.exe
taskkill /f /im blat.exe
taskkill /f /im stunnel-4.11.exe
rmdir /s /q %systemroot%\$NtUninstallKB931337$
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v USBMedia /f

So C:\Windows\$NtUninstallKB931337$ appears to be their "secret hiding place" for the stuff. The installation script actually copes with having admin privileges or not, while this antidote only accounts for the situation when an admin-access install occurred.

The installer basically uses the following type of command in a batch file:
:: If admin make windows\$NtUninstallKB931337$, else make %appdata%\sbs
mkdir %systemroot%\$NtUninstallKB931337$ || mkdir "%appdata%\sbs"

In other words, it tries to make the folder in the Windows folder first and if that fails makes a folder in the user's Application Data folder.

It uses the or symbol || quite a few times in the install batch file, so I assume it works reliably. This isn't of much use to those of us who want portability though, since we don't want to touch either of those folders ideally. =P Still, interesting; I didn't know that was something you could do in a batch file.

Uhm, there's not much else to it. The stuff doesn't self-propagate, and it doesn't fight being closed and deleted, so it's not particularly, uhm, malignant. But it still has an underhanded purpose. It's certainly a problem as their "antidote" is not comprehensive, and all someone has to do is slightly change the install directory name and/or executable names to foil it.

For the most part, they seem to recommend U3 drives for their reliable autorun capability, so the site provides no insight into getting our legitimate stuff (PStart!) to autorun when we put in a USB drive.

I'm actually rather disappointed though; there aren't any utilities used that are noteworthy as I imagine most of us know of the great NirSoft suite of programs already. On top of that, the batch files are pretty crummy and could've been done with AutoIt or NSIS and been a lot more fault tolerant. About as complex as they get is using some VBScripts for some tasks.

Queue
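Building on Queue's two observations above (the antidote only handles the admin-install folder, and the installer falls back with `||` to %appdata%\sbs when it cannot write to the Windows folder), here is an added check-and-clean script for a PC you are about to plug a drive into. It is not from the thread or from the Hak5 package. It assumes the process, folder and registry names are exactly the ones quoted in the antidote and installer lines above; the HKCU Run check is my assumption about where a non-admin install would have to place its startup entry, since the thread does not say.

```batch
@echo off
:: Added example, not from the thread or the Hak5 package.
:: Looks for the USB Hacksaw artefacts named in Queue's post in BOTH the
:: admin location and the non-admin fallback, reports them, and removes
:: them only when run as:  hacksaw-check.cmd clean
setlocal
set FOUND=0

:: 1. Startup entry. The antidote only removes the HKLM value "USBMedia";
::    a non-admin install cannot write HKLM, so HKCU is checked as well
::    (assumption: the thread does not say where that case registers itself).
for %%H in (HKLM HKCU) do (
    reg query "%%H\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v USBMedia >nul 2>&1 && (
        echo [!] Run entry %%H\...\Run\USBMedia present
        set FOUND=1
    )
)

:: 2. Hiding folders: the admin path and the "|| mkdir" fallback path.
for %%D in ("%SystemRoot%\$NtUninstallKB931337$" "%APPDATA%\sbs") do (
    if exist "%%~D\" (
        echo [!] folder %%~D present
        set FOUND=1
    )
)

:: 3. Running components named in the antidote (the mailer and its tunnel).
for %%P in (sbs.exe blat.exe stunnel-4.11.exe) do (
    tasklist /FI "IMAGENAME eq %%P" | find /I "%%P" >nul && (
        echo [!] process %%P running
        set FOUND=1
    )
)

if "%FOUND%"=="0" (
    echo [ok] no USB Hacksaw artefacts found
    exit /b 0
)
if /I not "%~1"=="clean" (
    echo Re-run with the argument "clean" to stop and remove the items above.
    exit /b 1
)

:: 4. Cleanup: same steps as the antidote, but covering both locations.
::    Same ||/&& chaining the installer uses, so a missing item is not an error.
for %%P in (sbs.exe blat.exe stunnel-4.11.exe) do taskkill /F /IM %%P >nul 2>&1
rmdir /s /q "%SystemRoot%\$NtUninstallKB931337$" 2>nul
rmdir /s /q "%APPDATA%\sbs" 2>nul
for %%H in (HKLM HKCU) do (
    reg delete "%%H\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v USBMedia /f >nul 2>&1
)
echo [done] cleanup attempted; re-run without arguments to verify
exit /b 0
```

Note the limitation Queue already points out: this only finds an unmodified build. Anyone who renames the folder or the executables defeats a name-based check, which is why the encryption advice earlier in the thread remains the dependable defence.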
