michaelkirkland.org/blog


USB Shenanigans, part 2

In Part 1 we demonstrated a lean USB-bootable system that could be used for shenanigans. That approach requires a rather unattended system, and has the potentially noticeable drawback of requiring a reboot.

Here we'll discuss a method to get similar results without a reboot, and perhaps without even access to the computer in question. That method is the Windows autorun feature, which of course only our friends from Redmond are "helpful" enough to provide.

The autorun feature is a simple script that must be in a file named autorun.inf at the root of a drive. It lets you set a command to run when the drive is double-clicked in My Computer, add one or more commands to the dialog presented when the drive is inserted, and change the icon shown in that list. All very thoughtful and convenient things for people up to no good.

The following is the autorun file we'll be using:

[autorun]
shellexecute="stuff\stuff.bat"
icon=%systemroot%\system32\shell32.dll,4
action=Open folder to view files
shell\Open\command="stuff\stuff.bat"

This gives us a command in the list displayed that looks very similar to the default "just open the drive" command:

Many people will barely look at the dialog before clicking OK and running whatever shenanigans you have in the command. So long as you do actually open a folder on the drive for them, they may never notice. We can make it less obvious by taking advantage of our friends in Redmond's tendency to spam the dialog with the crapware they like to include. Put an image and an audio file on the drive, and Microsoft will happily fill out the dialog with nonsense:
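From the defender's side, the same autorun.inf directives are what a removable-media scanner looks for. The following is an added example (not code from the original post) that parses the [autorun] section of the file shown above and reports the directives that launch a command, plus an action= label that mimics the built-in "Open folder" entry; the parser and the sample text are constructed for this example.

```python
import re

# Directives that launch a program when the drive is inserted or opened.
# "shellexecute" is in the post's file; "open" is the older equivalent key
# (not shown in the post, but a real autorun.inf directive).
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... adds a verb to the drive's context menu, as in
# the post's shell\Open\command line.
VERB_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Parse the [autorun] section of an autorun.inf into a dict.

    Keys are lowercased and surrounding quotes are stripped from values.
    """
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def suspicious_directives(text):
    """Return (directive, value) pairs that would run code or disguise it."""
    entries = parse_autorun(text)
    findings = [(k, v) for k, v in entries.items()
                if k in EXEC_KEYS or VERB_RE.match(k)]
    # action= is the text shown in the AutoPlay dialog; when it mimics the
    # built-in "Open folder" entry next to an exec directive, the file is
    # set up to pass its command off as the default action.
    label = entries.get("action", "")
    if findings and "open folder" in label.lower():
        findings.append(("action", label))
    return findings


# Constructed sample: the autorun.inf from the post.
SAMPLE = r"""[autorun]
shellexecute="stuff\stuff.bat"
icon=%systemroot%\system32\shell32.dll,4
action=Open folder to view files
shell\Open\command="stuff\stuff.bat"
"""

if __name__ == "__main__":
    for directive, value in suspicious_directives(SAMPLE):
        print(f"{directive} -> {value}")
```

Run against the sample it reports both launch directives and the disguised label; a file carrying only icon= and label= entries produces no findings.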

Microsoft has toned down this silliness in Windows 7. You'll not be able to crowd out the real command with spam, and your shenanigans won't be the default action. You can still make your script look inviting, but you'll be a lot less successful as people start upgrading:

I'll assume this is on purpose, most likely at least somewhat due to the multimillion-node botnet built with the help of this sort of trickery.

However, there are still other ways to pull these shenanigans on Windows machines, without any (human) trickery, and we'll cover them in part 3.
