My whitehat U3 payload

[remkow]

Since all current payloads are kinda grey/blackhat, I thought I'd make a whitehat one. This payload does some small security fixes, removes temporary files and such, speeds up windows, and does a check for spyware and viruses.

It's still very small, and I am planning to add more stuff to it, with some help and suggestions of you guys :D .

Features:

- Removes all traces from the Switchblade/Hacksaw

- Disables CDrom autorun

- Disables LM hashes

- Disables anonymous access

- Disables the clearing of the pagefile at shutdown

- Sets prefetch to cache both normal and system files

- Disables the thing which shows when a file was last accessed. This increases the overall speed of windows

- Deletes temporary files

- Updates antivirus, and then scans for viruses and spyware

- Scans for rootkits

- Performs a chkdsk to repair any damage to the HDD

- Defragments the C: drive

- Creates a system restore point

Download:

Mirror 1

Mirror 2

Mirror 3 OLD FILE by Spartain X

Wiki page

Sorry for the large file, but that's the antivirus/antispyware component.

[Spartain X]

Mirror

it would be useful if you include a list of new features and modification

anyway besides that it's good to see more usb hack development, i'm going to be seeing how this one ticks and works :)

[remkow]

List of features has been added to the original post. And thanks for mirroring :D

[CaveMan]

very clever :P

[Spartain X]

maybe add the usb antidote and you have a true white hat and anti usb attack device

[remkow]

I've added the antidote, and included a registry change which disables autorun, so there wont be any future hacksaw/switchblade attacks.

[Jester]

Good work have been thinking about doing this myself and now its done HaHa :). 8)

[remkow]

Yeah at first I thought there would be someone else to make it soon, but noone did it.. so I thought, why not?

[CaveMan]

i can add some mirrors if you wish

[remkow]

I don't think that's really necessary, but if you want to, go ahead :P

[burn]

Nice .... I'm getting it!

[remkow]

I've now also added a rootkit scan (rootkitrevealer). The scanning unofrtunately runs as a GUI, so it's not hidden, but it does automatically exit after finishing the scanning and reparations.

[SomeoneE1se]

You should update the wiki VERY nice work...

http://www.hak5.org/wiki/USB_Antidote

[remkow]

VERY nice work...

Thanks :D

and I've added the entire thing to the wiki.

[Spartain X]

i will be posting a mirror with the new files on the wiki

http://www.sif.u-wh.com/mirror/whitehat_payload_v1.3.rar

[Guest Twilight Zone]

It's great.I work with 30 non-techy peoples and clean computers for them,this is for mass actions.Howewer,is it posible to remove chkdsk and defragments the C: drive ? it's takes too much time and I think in most cases unnesessary.

[remkow]

Yeah sure, just edit the WIPgo.cmd, and change this:

:: a simple checkdisk

chkdsk C: /F



:: defragmenting the hard drive

defrag C:

into this:

:: a simple checkdisk

:: chkdsk C: /F



:: defragmenting the hard drive

:: defrag C:

[Guest Twilight Zone]

Great job man,really...

[Paladin]

Is there anyway to make it so that this is not hidden? I really like this antidote but everything is so hidden and I am not sure why. I would actually like some sort of progress bar myself. But if it would at least show a console window with the output I would be happy. I tried to dump the dir to my desktop but it disappeared. Revealing hidden files does not work and so I just deleted it using linux. Being so hidden makes me feel as though something underhanded is going on here. I want it to be a useful tool with progress easily seen so I know how long to leave it in and such.

Any help would be much appreciated

[remkow]

You also have to enable `view system files and folders` in order to view the files. You can then just edit the go.cmd and see there is nothing scary going on. I think I will add a progress thingie along with it, like you said, which shows what task it is performing, and which are done.. stay tuned :D

[CaveMan]

pm me when your done with the status thing

ill post up another mirror and start mass running it

[Paladin]

Any word on the "progress thingy" BTW thanks for the info on how the files were hidden.

[remkow]

lol i forgot about it :oops:

i'm very busy with school and such, but when i have the time i will edit it

[Paladin]

any idea why I might not be able to autorun this USBAntidote on my laptop? I enabled autorun and reinstalled U3 and it autoruns. But when I use Antidote it does not. If I right click on the faux cdrom and choose autorun it does nothing. If I click on the vbe script it does nothing but if I click on go.cmd it does run.

Does anyone have a way to see whats in the encrypted vbe on the iso so I can see whats going on? I am really a n00b to this but could there be something on my laptop that won't run vbe's or somthing like that preventing it from autorunning? I have take no action to stop it from running. This is a Dell Lattitude D620.

So anyway I would love to get a peak at the vbe and also would like to know why I can't autorun the antidote or any cutom payload.

P.S. For reference I ran the hacked lpinstaller for sandisk as I have a cruzer. I then copied over the payload to the root dir of the flash drive. Pop it in and nada. I tried the lpinstaller from all the different payloads thinking that maybe the one I initially used was corrupt but nothing. Although I can reinstall U3 and it works "perfectly".

[remkow]

Do you mean the vbe on the autorun partition??

Maybe you have disabled the Windows Script Host, so it won't run vbs/vbe files?