ChevronX Posted October 13, 2006
Weren't you guys going to make Antidote patches that make the computer protected against these types of USB attacks, like disabling autorun etc.? + Meh, NOD32 detected it once it was downloaded and then removed it straight off my HDD!
spektormax (Author) Posted October 13, 2006
I'm sorry; in real life, cmd and bat are interchangeable. So yes, click antidote.cmd (I'll have to change that in the readme). As for AVs, AVs are rather bad when it comes to reading flash drives automatically. For the most part they will read it only when something launches. This is because of the extremely slow read speed. There is an avkill.exe which should kill NOD32 (haven't tested). There is an alternative (but it's fairly dirty). First of all, the VBS in the U3 is detected, so that would have to be fixed. Then we would have only 2 files, WIP/CMD/go.bat and an encrypted zip file, as well as, say, the 7z console. When inserted with the new U3 partition it would run avkill.exe, then it would unzip the encrypted part and run the commands. After that, it would delete everything except the starting files. However, you really only need to get past the VBS script, because avkill will launch and fix it.
dennis Posted October 13, 2006
Hey, under the CMD directory, the file called folding_install.bat is wrong. You have the folder name set as fld, instead of what you set as the folder on the payload, which is WIPflp. Simple mistake. I just changed the folder name to fld to work with the file.
spektormax (Author) Posted October 13, 2006
Oh, whoops, sorry. I didn't mean to make that mistake.
dennis Posted October 13, 2006
Weird, but ffx.log doesn't seem to work for me unless I run it myself from the cmd folder. I have tons of passwords, and it doesn't save to the directory. I'm still checking it out. I'll let you know if I figure anything out. Have you had this problem?
spektormax (Author) Posted October 13, 2006
Well, I never test my own software on my own (main) machine. (I don't trust myself, lol.) I have VMware and my lovely school that unknowingly provides hundreds of test beds (computers), but none have Firefox. I seem to upload fixes about 2-3 times a day without saying anything, just because I find them, so if you get like a 4 meg file and you're like "what happened?", wait like 5-10 minutes (I have only 384 kb/s up) and re-download it. I found the problem: for some odd reason I never put ffx.cmd in go.cmd or go.bat. It's fixed now.
dennis Posted October 13, 2006
Oh, cool. Thanks for letting me know. Take your time, don't make it a huge priority or anything.
spektormax (Author) Posted October 13, 2006
Oh wow, I was wrong, lol. After further review, it says that ffx needs to have the proper Firefox profile directory specified. I'll figure it out and see what I can do.
spektormax (Author) Posted October 13, 2006
OK, it couldn't find the profile dir. I set it to %appdata%\Mozilla\Firefox\Profiles. Also, I have Firefox 2.0 RC2. I'm not sure whether or not the Firefox password stealer works with anything above 1.5 (I never tested it with 1.5 either). I grabbed the FF one from DLSS's payload, so I'm not sure about whether/how it works. If you have some insight, let me know (or if you get another Firefox password stealer that you know works with 2.0).
dennis Posted October 13, 2006
Well, I have 2.0, and it works for me, but not when the batches are running. I have to run the ffx.cmd file individually for it to steal anything.
spektormax (Author) Posted October 13, 2006
Is it running from the flash or from the HDD when it works?
dennis Posted October 13, 2006
It's running from the flash. I'm using non-U3 too, by the way. For now.
dennis Posted October 13, 2006
When running the antidote.cmd file, I get tons of errors about taskkill not being a recognized command. Any reason for that?
dennis Posted October 13, 2006
I see now. The taskkill command is only available to XP Pro users; my notebook came with Home edition installed, which explains the errors. I'm assuming many people use Home edition, so I'm hoping there is a workaround for this. Maybe having a third-party taskkill app do the trick and placing it in the same directory as the antidote command file.
dennis Posted October 13, 2006
So, what I did was create a new cmd file called antidote-home.cmd and change taskkill /F /IM sbs.exe to tskill sbs, and it worked. The contents of my antidote-home.cmd are the same as spektormax's, but only the taskkill commands have changed. Just replaced:

taskkill /F /IM sbs.exe
taskkill /f /im blat.exe
taskkill /f /im stunnel-4.11.exe
taskkill /F /IM avkill.exe
taskkill /F /IM csrs.exe
taskkill /F /IM FahCore_82.exe

With:

tskill sbs
tskill blat
tskill stunnel-4.11
tskill avkill
tskill csrs
tskill FahCore_82

:)
spektormax (Author) Posted October 13, 2006
Does tskill work on Pro as well?
dennis Posted October 13, 2006
Actually, I don't know. My other machines are Vista and Ubuntu. :?
spektormax (Author) Posted October 14, 2006
Ah, someone willing to do a test?
dennis Posted October 14, 2006
From what Google is telling me, tskill works in both Pro and Home:

"Both XP Home and Pro support Tskill, but XP Pro also has an even more powerful tool called TASKKILL. It's a little harder to use, but much more flexible in what it can shut down..."

http://www.langa.com/newsletters/2004/2004-03-15.htm#2
spektormax (Author) Posted October 14, 2006
I'll tell you what, I'll just have 2 antidotes, Pro and Home; that should make it easier. They are now in the payload: antidote(PRO).cmd is for Pro and antidote(HOME).cmd is for Home.
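Editor's note: the Home/Pro split above exists only because taskkill.exe ships with XP Professional while tskill.exe ships with both editions. The script below is an added example, not part of the Switchblade payload or either poster's antidote file: a single antidote that picks whichever killer is present, uses the process image names from dennis's list (note that the payload's helper is csrs.exe, a look-alike of the real csrss.exe, so it is matched exactly and never by the Windows name), and then closes the door the attack walks through by disabling AutoRun for every drive type, which is the "antidote patch" ChevronX asked about. Assumptions: paths under %SystemRoot%\system32, reg.exe available (it is on XP), and a host with current updates; on unpatched XP the NoDriveTypeAutoRun policy did not fully stop autorun.inf handling on removable media until KB967715.

```batch
@echo off
rem antidote-any.cmd -- added example, not the thread's antidote(PRO).cmd or antidote(HOME).cmd.
rem Works on XP Home and XP Pro: prefers taskkill.exe (Pro only), falls back to tskill.exe.
setlocal

set "KILLER="
if exist "%SystemRoot%\system32\taskkill.exe" set "KILLER=taskkill"
if not defined KILLER if exist "%SystemRoot%\system32\tskill.exe" set "KILLER=tskill"
if not defined KILLER (
    echo Neither taskkill.exe nor tskill.exe found under %SystemRoot%\system32; nothing killed.
    exit /b 1
)
echo Killing Switchblade helper processes with %KILLER%

rem Image names taken from the antidote lists in this thread (without the .exe suffix).
rem "csrs" is the payload's look-alike binary; the real Windows subsystem is csrss and is left alone.
for %%P in (sbs blat stunnel-4.11 avkill csrs FahCore_82) do (
    if "%KILLER%"=="taskkill" (
        taskkill /F /IM %%P.exe >nul 2>&1
    ) else (
        tskill %%P >nul 2>&1
    )
)

rem Disable AutoRun on every drive type (bit mask 0xFF = 255) for the machine and the
rem current user, so a U3 "CD" partition or autorun.inf cannot relaunch the payload.
rem Assumption: the host has the AutoRun fixes of later Windows updates (see KB967715);
rem on unpatched XP this policy alone did not block autorun.inf on removable media.
set "POL=SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
reg add "HKLM\%POL%" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f >nul
reg add "HKCU\%POL%" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f >nul

rem Show the result so the operator can confirm the policy took effect.
reg query "HKLM\%POL%" /v NoDriveTypeAutoRun
reg query "HKCU\%POL%" /v NoDriveTypeAutoRun
echo Done.
endlocal
```

Run it from an elevated (administrator) account; the HKLM write fails silently for a limited user, which is why the two reg query lines at the end are there. Killing the helper processes does not remove anything the payload installed (nmap, VNC, the Folding@home client are named in this thread), so a real clean-up still means checking the install locations and the run keys by hand.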
dennis Posted October 14, 2006
So, after playing with this payload, I'm a little confused as to when it is safe to remove the drive. Let's say, for example, I wanted to compromise someone's machine. Well, I can't leave the drive in there for 20 minutes while it finishes every command. I noticed netstat and nmap take the longest to work. I'm still looking through how everything works. I think you can remove it before nmap finishes, since that stores in the system folder. Anyway, the VNC installation will probably not email you the IP of the victim if you don't set the email preferences in the send.bat file under the VNCInstallfiles folder.
PoyBoy Posted October 14, 2006
Holy poo. I just had the time to look at this seriously and, shit, what a good idea!
spektormax (Author) Posted October 14, 2006
Yes, that is correct; you need to set the email options in vncinstallfiles, nmap, and SBS. I will slightly modify the timing mechanism, but right now when the folder pops up on the screen (the USB drive's root directory) it means it's done. It's a little off, though, so I'm gonna add maybe a 5 second delay. As for nmap, to the best of my knowledge it is supposed to install on the system and run off the HDD. I'll go back to the code and see for sure in a few.

Confirmed: nmap installs. I've added the 5 second delay to the pop-up. This should account for everything being installed.
dennis Posted October 14, 2006
Thanks for the reply. Looks like it did what it was supposed to. Perfect.
Darren Kitchen Posted October 14, 2006
Spek, would you be interested in helping populate the http://www.hak5.org/wiki/Switchblade_Packages page?