
USB Antidote

This article (or section) may need to be wikified.
Please help improve this article, especially its introduction, section layout, and relevant internal links.
This article has been tagged since February 2007.


The USB Antidote is still in early planning stages. The goal is a tool for systems administrators to defend against USB-based attacks, with features including autorun workarounds, anti-virus updating, operating system patching, and automatic configuration of other USB attack mitigation techniques. Dev5 Project


Remkow's Antidote

This is not just an antidote for the Switchblade; it is a complete toolkit for quickly securing a PC, with registry tweaks, virus, spyware and rootkit scanning, and an overall cleanup.

Installation

You can install this payload by first using the normal U3 installer used for the Switchblade and Hacksaw payloads. Then place all files in the WIP directory of your USB stick and edit /WIP/CMD/go.cmd to fit your needs.

Features

- Removes all traces from the Switchblade/Hacksaw
- Disables CD-ROM autorun
- Disables LM hashes
- Disables anonymous access
- Disables the clearing of the pagefile at shutdown
- Sets prefetch to cache both normal and system files
- Disables updating of the last-access timestamp on files, which improves the overall speed of Windows
- Deletes temporary files
- Updates antivirus, and then scans for viruses and spyware
- Scans for rootkits
- Performs a chkdsk to repair any damage to the HDD
- Defragments the C: drive
- Creates a system restore point

The files

These are the contents of go.cmd:

:: Cleanup Payload by remkow
:: This payload cleans up temp files, and speeds
:: up the computer. It's still very basic, and
:: there are a lot more things which can be added, but
:: this is just to show that the U3 exploit can
:: also be used for whitehat purposes.

:: The normal USB antidote, works for both Home and
:: Professional.
start csrss.exe
:: short delay (about one second) before the cleanup starts
ping -n 2 localhost > nul
:: remove the WinVNC service that the Switchblade installs
services.exe -uninstall -name:"WinVNC"
:: XP Professional ships taskkill.exe; XP Home only has tskill
IF EXIST "%SystemRoot%\System32\taskkill.exe" (
    taskkill /F /IM sbs.exe
    taskkill /F /IM blat.exe
    taskkill /F /IM stunnel-4.11.exe
    taskkill /F /IM avkill.exe
    taskkill /F /IM csrss.exe
    taskkill /F /IM FahCore_82.exe
    taskkill /F /IM svhost.exe
    taskkill /F /IM WinVNC.exe
    taskkill /F /IM nmap.exe
) ELSE (
    tskill sbs
    tskill blat
    tskill stunnel-4.11
    tskill avkill
    tskill csrss
    tskill FahCore_82
    tskill svhost
    tskill WinVNC
    tskill nmap
)
:: registry entries, directories and Run keys the Switchblade/Hacksaw leave behind
regedit /s uninstall.reg
rmdir /s /q "%APPDATA%\sbs"
rmdir /s /q "%APPDATA%\hbn"
rmdir /s /q "%APPDATA%\scs"
rmdir /s /q "%APPDATA%\fld"
rmdir /s /q "%SystemRoot%\$NtUninstallKB931337$"
rmdir /s /q "%SystemRoot%\$NtUninstallKB21050c07160c070f0b0a0a05031b05$"
rmdir /s /q "%SystemRoot%\$NtUninstallKB91337$"
rmdir /s /q "%SystemRoot%\$NtUninstallKB531337$"
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v USBMedia /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v csrss /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v svhost /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WinVNC /f

:: Read comments in registry.reg for
:: more info.
regedit /s registry.reg

:: clean up some temp files
:: (paths are quoted because "Documents and Settings" contains spaces,
:: %USERPROFILE% points at the current user's profile, and /Q suppresses
:: the "Are you sure (Y/N)?" prompt that del *.* would otherwise show)
del /Q "%SystemRoot%\Temp\*.tmp"
del /Q "%USERPROFILE%\Local Settings\Temp\*.*"
del /Q "%USERPROFILE%\Local Settings\Temporary Internet Files\*.*"
del /Q "%USERPROFILE%\Cookies\*.txt"
del /Q "%SystemRoot%\Prefetch\*.*"

:: update antivirus, and then scan the C:
:: drive for viruses and spyware
\WIP\a2cmd\a2cmd.exe /u
\WIP\a2cmd\a2cmd.exe C: /f /m /t /c

:: scan for rootkits
rootkitrevealer -a C:

:: a simple checkdisk; chkdsk /F cannot lock the running system drive,
:: so answer Y to its "schedule at next restart?" prompt instead of hanging
echo Y| chkdsk C: /F

:: defragmenting the hard drive
defrag C:

:: creates a system restore point
restore.vbs

:: gives a popup that everything is done
done.vbs
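The feature list above and the `regedit /s registry.reg` step in go.cmd apply the hardening tweaks without showing the actual registry changes. The following is an added example, not part of remkow's package or the original page: the same tweaks written out as reg add calls, each read back with reg query so the script reports whether it took effect. It assumes Windows XP/2003 era registry keys and an Administrator prompt.

```batch
@echo off
:: Added example, not part of remkow's package: the registry hardening that
:: go.cmd applies with "regedit /s registry.reg", written out as reg add
:: calls that are read back with reg query so the script can report which
:: tweaks actually took effect (Windows XP/2003 era keys; run as Administrator).
setlocal
set FAILED=0

:: AutoRun off for every drive type (0xFF covers CD-ROM and removable media)
call :setdword "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" NoDriveTypeAutoRun FF
:: The CD-ROM class driver has its own AutoRun switch as well
call :setdword "HKLM\SYSTEM\CurrentControlSet\Services\Cdrom" AutoRun 0
:: Stop storing the weak LM hash (takes effect at the next password change)
call :setdword "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" NoLMHash 1
:: Restrict anonymous (null session) enumeration of accounts and shares
call :setdword "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" RestrictAnonymous 1
call :setdword "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" RestrictAnonymousSAM 1
:: Speed tweaks from the feature list
call :setdword "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" ClearPageFileAtShutdown 0
call :setdword "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" EnablePrefetcher 3
call :setdword "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" NtfsDisableLastAccessUpdate 1

if %FAILED% NEQ 0 (
    echo %FAILED% settings could not be verified, see the lines marked FAIL.
    exit /b 1
)
echo All settings applied and verified.
exit /b 0

:: setdword KEY VALUENAME HEXDATA - write a REG_DWORD, then read it back
:setdword
reg add "%~1" /v %~2 /t REG_DWORD /d 0x%~3 /f >nul 2>&1
if errorlevel 1 (
    echo [FAIL] cannot write %~2 under %~1
    set /a FAILED+=1
    goto :eof
)
:: reg query prints the data as hex, e.g. "    NoLMHash    REG_DWORD    0x1"
set ACTUAL=
for /f "tokens=3" %%A in ('reg query "%~1" /v %~2 ^| findstr /I /C:"%~2"') do set ACTUAL=%%A
if /I "%ACTUAL%"=="0x%~3" (
    echo [ OK ] %~2 = %ACTUAL%
) else (
    echo [FAIL] %~2 reads back as "%ACTUAL%", expected 0x%~3
    set /a FAILED+=1
)
goto :eof
```

The script exits with code 1 when any value did not verify, so it can be chained from go.cmd with a check on ERRORLEVEL before the scanning steps run.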

You can download the entire package including all needed files here (the original link is reported broken):

http://www.megaupload.com/?d=1N98A6VW

External Links

Commercial Products

  • DeviceWall Endpoint Security Software - The "industrial" solution to the threats that the USB Switchblade project and many others have exposed. DeviceWall gives administrators granular control over all ports and drives on systems throughout a large network. It allows administrators to control individual or group access to specific devices and determine whether those users have read or write access to the device. The latest version also has auditing controls that allow administrators to see what files are moved to and from devices, as well as monitor all attempted connections of removable media devices. To help prevent data theft the software also includes built-in encryption for USB flash drives, which allows admins to set a global policy ensuring all data written to thumb drives is encrypted. There is a free 30-day trial of the software on the website.