Hack U3 USB Smart Drive to Become Ultimate Hack Tool
We all know that Windows doesn’t autoplay autorun.inf for normal USB flash drives but then there is a type of USB flash drive called U3 smart drive which will automatically launch “U3 Launchpad” when plugged into a computer. What hackers do is the remove the U3 Launchpad and replace it with malicious programs. This is very dangerous because the hacker can program a script to extract and steal sensitive information such as visited sites, saved email and instant messenger passwords, wi-fi password, auto complete entries and etc… Other than stealing information, it can also be used to delete everything on a hard drive. Just wanted to clarify that it is not possible to do that on normal traditional USB flash drives. You will need a U3 smart drive such as SanDisk Cruzer Micro, SanDisk Cruzer Titanium and Memorex Mini TravelDrive.
U3 smart drive are slightly more expensive than traditional USB flash drives. I purposely went and bought a SanDisk Cruzer Titanium 4GB at the price of USD45 to test it out and then write an article for you to read… How nice of me! Here’s how I hacked my U3 smart drive to autorun malicious programs.
The concept of how can U3 smart drive autorun program is quite simple. Normal USB flash drives only has 1 drive letter but for U3 smart drive, it has 2 drives. One is the normal storage drive and the other one is an emulated CD drive.
It’s the emulated CD drive that autorun malicious scripts or programs to collect information and then copies the stolen information to the storage drive.
There are 3 main ready made payload called USB Switchblade, USB Hacksaw and USB Chainsaw(still in early development).
USB Switchblade goal is to silently recover information from computers running Windows 2000 or higher. It is able to get password hashes, LSA secrets, IP information, etc… USB Switchblade also requires administrative privileges in order to run the payload. I will demonstrate on how to hack U3 smart drive with -=GonZor=- SwitchBlade technique.
1. Download -=GonZor=- Payload V2.0
2. Download Universal Customizer
3. Unzip the Universal Customizer to “C:\Universal_Customizer”
4. Unzip the -=GonZor=- Payload V2.0 to “C:\Payload”
5. Copy the file U3CUSTOM.ISO from C:\Payload to C:\Universal_Customizer\BIN replacing the old one.
6. Run C:\Universal_Customizer\Universal_Customizer.exe and plug in U3 smart drive.
- Select Accept and click Next.
- Close all U3 applications and any applications that access your U3 drive and click Next.
- Set a password for the backup zip file (Empty password not allowed)
- Click Next and it will start backing up data. Wait for the Universal Customizer to modify your CD partition and replace your files to the flash drive.
- The modification should now be complete, Unplug your U3 Drive and plug it back in
7. Copy “C:\Payload\SBConfig.exe” to the mass storage of the flash drive
8. Run SBConfig.exe from flash drive
- Select the check boxes of the Payload options you would like to use
- Enter your email address and password for the HackSaw if you wish to use it.
- Click “Update Config” button, a message box should appear to confirm this is completed
- Toggle between using the payload or not by clicking the “Turn PL On”/”Turn PL Off” button
- Toggle between using the U3 Launcher or not by clicking the “Turn U3 Launchpad On”/”Turn U3 Launchpad Off” button
9. You now have -=GonZor=- Payload V2.0 in your U3 smart drive which can automatically steal password once it is plugged in to a computer with administrative privileges.
I’ve tested it and it’s very scary because when I plugged in the hacked U3 smart drive with USB Switchblade payload, the payload ran silently and invisibly! It did not modify any system settings nor sent any network traffic. There is a log file created at F:\System\Logs\COMPUTERNAME (F: drive is the storage drive) by the payload and I am shocked to see that my network configurations, router password, Windows Live Messenger password, Google Talk password, Gmail password, all Firefox passwords, Internet Explorer passwords, ICQ password, Windows Product Keys and etc being recorded in that log file!
There are other techniques available for USB Switchblade payload that you might want to check it out.
As for the USB Hacksaw, it is an evolution of the popular USB Switchblade that uses a modified version of USBDumper, Blat, Stunnel, and Gmail to automatically infect Windows PCs with a payload that will retrieve documents from USB drives plugged into the target machine and securely transmit them to an email account. You can get more information about USB Hacksaw here.
As you can see, it wasn’t really hard to hack my U3 USB smart drive to become the ultimate hack tool. So be very careful when someone wants to plug in their USB flash drive, ESPECIALLY U3 smart drive into your computer.
If you accidentally used the payload on yourself or someone that you didn’t want to, I found two antidotes to remove it. The first antidote is by Spektormax. In Spektormax’s antidote, there are 2 antidotes, antidote(HOME).cmd and antidote(PRO).cmd. This is because Windows XP Pro has the tool taskill while HOME only has tskill. The PRO one can force stop a process even while it doesn’t want to be, the home cannot. Use the PRO if you can, use HOME if you only have XP home.
[ Download Antidote by Spektormax ]
The second antidote is called USB Antidote which is still in early planning stages with the goal of becoming a tool for systems administrators to defend against other USB based attacks, including autorun workarounds, anti-virus updating, operating system patching, and automatic configuration of other USB attack mitigation techniques. This is not just an antidote for the Switchblade, but it is a complete toolkit for quickly securing a pc, with registry tweaks, virus, spyware, and rootkit scanning, and an overall cleanup.
[ Info ]