Jump to content

Think I might have been hacked... Can anyone confirm?


ninjaflu

Recommended Posts

Someone gave me a USB drive, telling me they'd just bought it but it didn't work on their PC so could I try it on mine to see if it worked.

It was an Archos ARCDrive 4gb like this: hxxp: www. amazon. com/Archos-ARCDrive-Hard-Drive-USB/dp/B0007KVK84

I plugged it in without much thought (silly me).

XP recognised it as a removable drive and installed the drivers automatically. 

Then I can't remember exactly what i did. . .  I think autorun(?) started (as in searching for the type of files on the drive before it asks what I want to do) but I cancelled it and went to My Computer and tried to open the drive from there.  But maybe I waited for autorun(?) to finish and then clicked on "open folder to view files".  I can't remember for sure but I think I canceled it (whether or not that makes any difference I don't know. . . )

Anyway, when I tried to open the drive, Windows Explorer locked up for a while.  During this time, the light on the usb drive was flashing as though there was a lot of activity on it.  This lasted for a minute or two and eventually I got a prompt telling me the drive was not formatted and did I want to format it.  I clicked No.

Does it sound like a possibility? I've read around a bit but haven't seen any mention of the formatting thing anywhere.  Could that have been added intentionally? Is there any way to know for sure? Would any traces have been left anywhere? I've checked to see if any user accounts had been added to XP but it doesn't look like it. 

Or could this all be normal behaviour for a faulty or non formatted drive and I'm just being Paranoid?

Thanks in advance for any input.

Link to comment
Share on other sites

Honestly is sounds like a bad USB drive to me...

Link to comment
Share on other sites

Ok thanks, you've nearly put my mind at rest  :-P

I do have Nod32 AV but thought I'd read that this didn't get picked up by most AVs.

I also thought I'd read somewhere that even with a non U3 drive there was a way of running it without having to click on anything? Is that not correct? Even with other similar exploits? (ie not switchblade but others that do similar things?)

How do these things normally manifest themselves on the infected PC? Is it completely invisible? Does my Windows Explorer lockup and the formatting window not coincide with the symptoms?

Also, if I run the antidote and it turns out I haven't bene infected, do I risk breaking anything?

Cheers

Link to comment
Share on other sites

You arn't letting windows waste enough of your time.

I am actually being serious if no one realised. If you plug in a slowish memory stick into a computer running windows, and the stick happens to contain allot of files windows can 'understand' (images and audio files mainly), you will get strange 'access denied' messages until windows has finished parsing the stick for the files it contains, even if you click 'cancel' to the auto run file scanner thing and windows ultimately does nothing with the files because you pressed cancel and the window disappeared long ago. Hence "You arn't letting windows waste enough of your time.".

Link to comment
Share on other sites

  • 1 month later...
Can anyone vouch for this app?

Has anyone decompiled and checked it for nasty suprises?

Just asking before I use it,

Thanks

Sorry, I don't quite understand how that helps to answer my question.

Since no-one else is answering, I guess I will.

It won't mean much coming from me, but I can assure you that there is no malicious code in that app. I only have my position as moderator to offer as assurance that I'm not a malware writer and even that doesn't say a lot. I understand your concern though, I would be just as suspicious of random downloads (though, this is the USB Hacks section, random poisoned downloads is pretty much the reason this subforum exists...)

The source is available in the appropriate thread, I think I put it in the Applications and Coding subforum. I had a little trouble uploading the ejector tool source though, so you'll have to take my word on that part.

Anyway, I suggest if you hang out in places like this that you make good use of emulators and virtualisers, or if you have them, spare machines with disposable OS installations on them. That way you don't have to worry about malicious software because if something shows up then you just zap the OS and you're back to normal.

As for the app, just make sure you read the readme and all will be well.

Link to comment
Share on other sites

Sorry, I don't quite understand how that helps to answer my question.

I was been sarcastic. Decompiling programs basically only makes the job of analyzing software slightly easier, the code is hard to understand because it was thrown together by a compiler. The way companies that look for software that does things' it probably shouldn't is run the program and see what it does, it's far easier to do it that way than trying to understand the assembly code of the program that was created by. If some one did embark on such a project, they would run in to all kinds of problem not including the problem of understanding assembly. For example, the actual program that dose the 'some thing' could be encrypted inside a wrapper program.

Basically, it's a waste of time.

Link to comment
Share on other sites

Thanks for the replies.

I didn't know that the app was written by you, moonlit, hens the asking.

However, I believe that testing the app on a VM will do little if there's a well thought out keylogger built in.

That said, I'm using the tool now.

Thanks

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...