Well go.bat can be renamed to anything, as long as you make the corresponding changes in the VBScript referenced in the autorun.inf file. I use forensicsstart.bat and forensicsstart.vbs.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of John Miller
Sent: Monday, November 23, 2009 6:16 PM
To: PaulDotCom Security Weekly Mailing List
Cc: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] U3 enabled device

U3 still works in most cases since it appears as a USB CDrom device. As for go.bat being detected, I've had great luck using the standard autorun and renaming my payload launchu3.exe. I generally use executable payloads, so that probably wouldn't work with a batch file.

On Nov 23, 2009, at 2:48 PM, Tim Mugherini <[email protected]> wrote:

> thought u3 was not disabled by MS update
>
> http://blogs.technet.com/srd/archive/2009/04/28/autorun-changes-in-windows-7.aspx
>
> On Mon, Nov 23, 2009 at 3:18 PM, Butturini, Russell <[email protected]> wrote:
>> To a degree. One thing that is great though is the fact that everything is stored inside an ISO image, meaning AV can't wipe out your toolsets, and it's harder for anyone to mess with the payload/tools you have included.
>>
>> -----Original Message-----
>> From: [email protected] [mailto:pauldotcom-[email protected]] On Behalf Of Robert Portvliet
>> Sent: Monday, November 23, 2009 1:33 PM
>> To: PaulDotCom Security Weekly Mailing List
>> Subject: Re: [Pauldotcom] U3 enabled device
>>
>> Didn't Microsoft disable autorun with an update a while back to disable one of Conficker's attack vectors?
>>
>> This would pretty much kill the usefulness of the U3 switch-blades, right?
>>
>> On Mon, Nov 23, 2009 at 12:17 PM, Butturini, Russell <[email protected]> wrote:
>>> So I think Gonz0r's site has been down for quite a while. You do need a different version of the U3 universal customizer to work on Vista. Also, one of the issues with the original payload is about 95% of the tools on it are snared by AV. Of course the benefit of having them loaded on the U3 side is that antivirus can't erase the files.
>>>
>>> Check here for some update information. The U3 solution presented here is a different concept than attack, but you should be able to take the information and create your own solution (once again I'm a shameless self promoter):
>>>
>>> http://www.irongeek.com/i.php?page=videos/incident-response-u3-switchblade
>>>
>>> I hope you share your work with all of us! Feel free to reach out to me if you have more questions.
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:pauldotcom-[email protected]] On Behalf Of Bert Van Kets
>>> Sent: Monday, November 23, 2009 4:15 AM
>>> To: PaulDotCom Security Weekly Mailing List
>>> Subject: [Pauldotcom] U3 enabled device
>>>
>>> Hi guys,
>>>
>>> I got me a 2GB U3 enabled Sandisk Cruizer for 3€ on Friday. :-D
>>> I've been looking into turning this into a switchblade/hacksaw but the info I find - mostly on Hak5 of course - is more than three years old.
>>> I have a copy of the Universal Customizer version 1.0.0.8 with the included payload. I can not find any info on the real content of the payload, nor on the way to actually use it (ex. where is the retrieved data stored). Is there a better method, installer or payload?
>>> Does anybody have an update on this?
>>>
>>> Thanks.
>>>
>>> Bert
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
>>>
>>> ******************************************************************
>>> This email contains confidential and proprietary information and is not to be used or disclosed to anyone other than the named recipient of this email, and is to be used only for the intended purpose of this communication.
>>> ******************************************************************
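The thread turns on what an autorun.inf makes Windows do on insertion; as an added example (not code from the thread or from the PaulDotCom list), here is the check a responder would run over an autorun.inf recovered from a volume or U3 CD-ROM image, flagging launch directives and listing the files they point at. The sample file is constructed; the forensicsstart.* names are borrowed from the reply above and the severities are this example's own choice.

```python
# Added example (not from the thread): audit an autorun.inf recovered from a removable
# volume or U3 CD-ROM image; flag directives that launch code or disguise the launch.
import re

# Extensions Windows runs as code when it launches the referenced path.
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|vbs|vbe|js|jse|wsf|hta|scr|pif|msi)$", re.I)
# Text of Windows' own harmless "open folder" AutoPlay entry.
DEFAULT_ACTION_TEXT = "open folder to view files"

def parse_autorun(text):
    """INI-style parse to {section: [(key, value), ...]}; Windows matches section and
    key names case-insensitively, so both are lower-cased (values stay verbatim)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def audit_autorun(text):
    """Return (severity, key, value, reason) tuples for the [autorun] section."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", []):
        if key in ("open", "shellexecute"):
            findings.append(("high", key, value, "program launched on insertion/AutoPlay"))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(("high", key, value, "program launched from an Explorer verb"))
        elif key == "shell":
            findings.append(("medium", key, value, "custom verb made the double-click default"))
        elif key == "action" and value.lower() == DEFAULT_ACTION_TEXT:
            findings.append(("medium", key, value, "AutoPlay text mimics the built-in folder entry"))
        elif key == "icon" and "shell32.dll" in value.lower():
            findings.append(("low", key, value, "system icon borrowed to look like a plain drive"))
    return findings

def referenced_programs(text):
    """Executable/script names in [autorun]: the artifacts to pull off the volume for analysis."""
    toks = (t.strip('"\'') for _, v in parse_autorun(text).get("autorun", []) for t in v.split())
    return sorted({t for t in toks if EXEC_EXT.search(t)})

# Constructed sample in the style of the U3 launchers discussed in the thread.
SAMPLE = ("[AutoRun]\nicon=%SystemRoot%\\system32\\shell32.dll,4\nlabel=Removable Disk\n"
          "action=Open folder to view files\nopen=wscript.exe //B forensicsstart.vbs\n"
          "shell\\start=Start &Collection\nshell\\start\\command=forensicsstart.bat\nshell=start\n")
```

Run `audit_autorun(SAMPLE)` to see the five flagged directives and `referenced_programs(SAMPLE)` for the three files to image and hash next.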
