U3 still works in most cases since it appears as a USB CDrom device. As for go.bat being detected, I've had great luck using the standard autorun and renaming my payload launchu3.exe. I generally use executable payloads, so that probably wouldn't work with a batch file.
On Nov 23, 2009, at 2:48 PM, Tim Mugherini <[email protected]> wrote:

> thought u3 was not disabled by MS update
>
> http://blogs.technet.com/srd/archive/2009/04/28/autorun-changes-in-windows-7.aspx
>
>
> On Mon, Nov 23, 2009 at 3:18 PM, Butturini, Russell <[email protected]> wrote:
>> To a degree. One thing that is great though is the fact that everything is stored inside an ISO image, meaning AV can't wipe out your toolsets, and it's harder for anyone to mess with the payload/tools you have included.
>>
>> -----Original Message-----
>> From: [email protected] [mailto:pauldotcom-[email protected]] On Behalf Of Robert Portvliet
>> Sent: Monday, November 23, 2009 1:33 PM
>> To: PaulDotCom Security Weekly Mailing List
>> Subject: Re: [Pauldotcom] U3 enabled device
>>
>> Didn't Microsoft disable autorun with an update a while back to disable one of Conficker's attack vectors?
>>
>> This would pretty much kill the usefulness of the U3 switch-blades, right?
>>
>>
>>
>> On Mon, Nov 23, 2009 at 12:17 PM, Butturini, Russell <[email protected]> wrote:
>>> So I think Gonz0r's site has been down for quite a while. You do need a different version of the U3 universal customizer to work on Vista. Also, one of the issues with the original payload is about 95% of the tools on it are snared by AV. Of course the benefit of having them loaded on the U3 side is that antivirus can't erase the files.
>>>
>>> Check here for some update information. The U3 solution presented here is a different concept than attack, but you should be able to take the information and create your own solution (once again I'm a shameless self promoter):
>>>
>>> http://www.irongeek.com/i.php?page=videos/incident-response-u3-switchblade
>>>
>>> I hope you share your work with all of us! Feel free to reach out to me if you have more questions.
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:pauldotcom-[email protected]] On Behalf Of Bert Van Kets
>>> Sent: Monday, November 23, 2009 4:15 AM
>>> To: PaulDotCom Security Weekly Mailing List
>>> Subject: [Pauldotcom] U3 enabled device
>>>
>>> Hi guys,
>>>
>>> I got me a 2GB U3 enabled SanDisk Cruzer for 3€ on Friday. :-D
>>> I've been looking into turning this into a switchblade/hacksaw but the info I find - mostly on Hak5 of course - is more than three years old.
>>> I have a copy of the Universal Customizer version 1.0.0.8 with the included payload. I cannot find any info on the real content of the payload, nor on the way to actually use it (e.g. where is the retrieved data stored). Is there a better method, installer or payload?
>>> Does anybody have an update on this?
>>>
>>> Thanks.
>>>
>>> Bert
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
>>>
>>> ******************************************************************
>>> This email contains confidential and proprietary information and is not to be used or disclosed to anyone other than the named recipient of this email, and is to be used only for the intended purpose of this communication.
>>> ******************************************************************
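The thread turns on one detail: the U3 partition is presented to Windows as a CD-ROM, so AutoRun hardening that covers only removable drives does not affect it. The PowerShell check below is an added example for defenders, not code from the thread or from any of the tools it mentions. It reads the documented `NoDriveTypeAutoRun` policy value from the machine and user Explorer policy keys and decodes it against the documented drive-type bits, so an administrator can see whether AutoRun is actually off for CD-ROM (0x20) as well as removable (0x04) media. The fallback of 0x91 when the value is absent is Explorer's documented XP/Vista-era default; treat the exact default on newer builds as an assumption and prefer setting the value explicitly.

```powershell
# Added example (defender's check), not part of the original thread.
# Decodes the NoDriveTypeAutoRun policy bitmask; bit values are the documented
# GetDriveType bits that Explorer uses for this value.
$DriveTypeBits = [ordered]@{
    Unknown   = 0x01
    Removable = 0x04   # the U3 flash (mass-storage) partition
    Fixed     = 0x08
    Remote    = 0x10
    CDROM     = 0x20   # the emulated CD-ROM that carries autorun.inf
    RAMDisk   = 0x40
    Reserved  = 0x80
}

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicyStatus {
    foreach ($path in $PolicyPaths) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' `
                        -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }

        # Absent value: Explorer falls back to its built-in default (0x91 on
        # XP/Vista-era systems, assumed here), which leaves AutoRun enabled
        # for CD-ROM drives and therefore for a U3 device.
        $effective = if ($null -ne $value) { [int]$value } else { 0x91 }

        $disabledFor = @()
        foreach ($name in $DriveTypeBits.Keys) {
            if (($effective -band $DriveTypeBits[$name]) -ne 0) { $disabledFor += $name }
        }

        [pscustomobject]@{
            Hive                = $path.Split(':')[0]
            ValuePresent        = ($null -ne $value)
            NoDriveTypeAutoRun  = ('0x{0:X2}' -f $effective)
            CdromAutoRunOff     = (($effective -band $DriveTypeBits.CDROM) -ne 0)
            RemovableAutoRunOff = (($effective -band $DriveTypeBits.Removable) -ne 0)
            DisabledFor         = ($disabledFor -join ', ')
            Hardened            = ($effective -eq 0xFF)
        }
    }
}

Get-AutoRunPolicyStatus | Format-Table -AutoSize

# To disable AutoRun for every drive type machine-wide, the documented setting is 0xFF:
#   New-Item -Path $PolicyPaths[0] -Force | Out-Null
#   Set-ItemProperty -Path $PolicyPaths[0] -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
```

A row with `CdromAutoRunOff` false is the condition the thread describes: the update that covered removable media alone does not close the CD-ROM path, so the policy should be set to 0xFF explicitly rather than left at the default.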
