In 2006 I spent a lot of time researching USB-based malware, and even wrote a few tools to show why network administrators need to manage and control the removable media devices that were being introduced into companies and organizations. To help security researchers and network administrators, I made many of the tools developed by others, as well as my own, available for testing purposes on the USBHacks.com site. Much of my research was included in a module titled “Hacking USB Devices” in the Certified Ethical Hacker training materials by EC-Council.
As a result of posting these tools I received some interesting inquiries over the past few years from both sides of the law, and so I chose to bring the site down. However, if you are a security researcher and wish to download the tools referenced in the Certified Ethical Hacker training guide for module 41, contact me and I can provide them to you. If you plan to use these tools for anything illegal, please do not contact me; these tools are for research purposes only. If you use these tools, I am not responsible for the damage they may do to your system or for any other damage you may cause as a result. These tools are designed to steal and destroy data on systems and across networks, as well as to provide backdoors into systems and perform other actions that are illegal unless you are using the tools on test systems you own.
Here is a brief outline of a few of the tools:
USB Switchblade / Hacksaw
USB Switchblade is the outcome of a community project to merge various tools and techniques that take advantage of Microsoft Windows security vulnerabilities, the majority of which relate to USB ports. The primary purpose of the tool is to silently recover information from Windows systems (password hashes, LSA secrets, IP information, browser history and auto-fill data) and to create a backdoor on the target system for later access. The result is a Frankenstein application assembled through community development, and it exposes some serious security vulnerabilities in Windows.
The tool took advantage of a security hole in U3 drives: part of the drive's storage is presented to Windows as a virtual CD-ROM drive, and because Windows honoured autorun on CD-ROM media, the payload launched as soon as the drive was connected. Even without a U3 drive or autorun, the application can be started by executing a single script on the drive. The most damaging component is the ability to extract password hashes from the target system and save them to the drive for later cracking with rainbow tables; the weakness of Windows LM hashes is fairly well known. The tool allowed someone to grab this data within a few seconds of connecting a flash drive to the target system. In addition, the tool pulls browser history (IE and Firefox) along with autofill information, AIM and MSN Messenger passwords, and product keys for Microsoft products. One version of the tool also creates a ghost administrator account, providing a backdoor into the system.
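The two host settings that this technique leaned on, autorun firing for CD-ROM and removable media and the continued storage of LM hashes, are both controlled by documented Windows policy values. The PowerShell below is an added example for administrators, not code from the original post or from the Switchblade/Hacksaw project: it audits those values against an assumed hardening baseline and, with -Remediate, writes the expected value for any check that fails. The registry paths and value names are the standard Windows locations; the function name and the "Expected" column are my own choices.

```powershell
# Added example, not part of the original post or of the Switchblade/Hacksaw tools.
# Audits the settings the technique above depends on: autorun on CD-ROM and
# removable drives (the U3 virtual CD-ROM vector) and LM hash storage.
# Registry paths and value names are the documented Windows policy locations;
# the Expected values are an assumed hardening baseline.

$Checks = @(
    @{ Name     = 'Autorun disabled on every drive type'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'
       Expected = 0xFF },
    @{ Name     = 'autorun.inf commands are never executed'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoAutorun'
       Expected = 1 },
    @{ Name     = 'LM hashes not stored (takes effect at next password change)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'NoLMHash'
       Expected = 1 }
)

function Test-RemovableMediaHardening {
    # Emits one result object per check. -Remediate writes the expected DWORD
    # for every failing check; that part needs an elevated prompt.
    param([switch]$Remediate)

    foreach ($c in $Checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }
        $ok     = ($actual -eq $c.Expected)

        if (-not $ok -and $Remediate) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
            $ok = $true
        }

        $display = if ($null -eq $actual) { '<not set>' } else { $actual }
        $status  = if ($ok) { 'PASS' } else { 'FAIL' }

        [pscustomobject]@{
            Check    = $c.Name
            Actual   = $display
            Expected = $c.Expected
            Status   = $status
        }
    }
}

# Report only; add -Remediate to enforce the baseline.
Test-RemovableMediaHardening | Format-Table -AutoSize
```

Two caveats worth knowing before you rely on the PASS column: NoLMHash only stops new LM hashes from being written, so accounts keep their existing LM hash until the password is next changed, and the Explorer policy values can be overridden by Group Policy on a domain-joined machine, so check the effective policy there rather than the local key alone.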
USB Dumper
USB Dumper is an application that, once installed on a system, runs a background process that copies files from any USB flash drive connected to it: every USB storage device that is plugged in automatically has its entire contents copied to the system. The theoretical attack vector for the tool was conferences, where a shared system might be used for presentations, as well as the shared hotel computers provided for business travellers. The tool was later expanded to not just store the data on the local system but also transmit it remotely over encrypted channels.
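The behaviour USB Dumper leaves behind on the host is distinctive: a single process reading a large number of distinct files from a removable volume within seconds of the device appearing. Windows can record exactly that through the "Audit Removable Storage" subcategory, which writes Security event 4663 for each access to a removable device. The PowerShell below is an added example, not code from the original post or from USB Dumper, showing detection logic over records shaped like those events; the sample events are constructed for the demonstration, and the process path in them is a made-up stand-in.

```powershell
# Added example, not part of the original post or of USB Dumper itself.
# Flags any process that reads many distinct files from one removable volume
# inside a short window. Input records are shaped like Security event 4663
# from the "Audit Removable Storage" subcategory: TimeCreated, SubjectUserName,
# ProcessName and ObjectName (\Device\HarddiskVolumeN\path). The sample events
# at the bottom are constructed; the dumper path is a made-up stand-in.

function Find-BulkRemovableReads {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 20,   # distinct files per process and volume
        [int] $WindowSeconds = 60    # sliding window length
    )

    # Normalise each record and pull the volume out of the object path.
    $normalised = foreach ($e in $Events) {
        if ($e.ObjectName -match '^(\\Device\\HarddiskVolume\d+)\\') {
            [pscustomobject]@{
                ProcessName = $e.ProcessName
                User        = $e.SubjectUserName
                Volume      = $Matches[1]
                File        = $e.ObjectName
                Time        = [datetime]$e.TimeCreated
            }
        }
    }

    # One group per (process, volume); slide a window over each group's reads.
    foreach ($g in ($normalised | Group-Object ProcessName, Volume)) {
        $sorted = @($g.Group | Sort-Object Time)
        $times  = @($sorted.Time)
        $files  = @($sorted.File)

        for ($i = 0; $i -lt $times.Count; $i++) {
            $end = $times[$i].AddSeconds($WindowSeconds)
            $j = $i
            while ($j -lt $times.Count -and $times[$j] -le $end) { $j++ }
            $distinct = @($files[$i..($j - 1)] | Select-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                [pscustomobject]@{
                    ProcessName = $sorted[0].ProcessName
                    User        = $sorted[0].User
                    Volume      = $sorted[0].Volume
                    FilesRead   = $distinct
                    WindowStart = $times[$i]
                }
                break   # one alert per process/volume is enough
            }
        }
    }
}

# Constructed sample: a background process sweeps 25 files off a freshly
# inserted drive in ten seconds, while Explorer opens a single file.
$base   = [datetime]'2024-01-01T09:00:00'
$sample = foreach ($n in 1..25) {
    [pscustomobject]@{
        TimeCreated     = $base.AddMilliseconds(400 * $n)
        SubjectUserName = 'kiosk'
        ProcessName     = 'C:\Users\kiosk\AppData\Roaming\svc\dumper.exe'   # placeholder path
        ObjectName      = "\Device\HarddiskVolume5\talk\slide$n.pptx"
    }
}
$sample += [pscustomobject]@{
    TimeCreated     = $base.AddSeconds(5)
    SubjectUserName = 'kiosk'
    ProcessName     = 'C:\Windows\explorer.exe'
    ObjectName      = '\Device\HarddiskVolume5\talk\slide1.pptx'
}

# Expected: one alert for dumper.exe on HarddiskVolume5, none for explorer.exe.
Find-BulkRemovableReads -Events $sample | Format-Table -AutoSize
```

To feed it real data, enable the subcategory with auditpol /set /subcategory:"Removable Storage" /success:enable, then collect the events with Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } and map the event's XML fields onto the four property names the function expects. Backup agents, indexers and antivirus scanners produce the same bulk-read pattern legitimately, so an allowlist of known process paths belongs in front of the threshold. This logic only sees the local-copy behaviour; the later variant that forwarded the data over encrypted channels needs outbound connection monitoring on the same host to be caught.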