Blogwitch

USBDumper - analysis

Wed, 04 Oct 2006 14:05:01 +0200

Test platform MS Win2k.
The executable is distributed with source code. I did not re-compile but gave the source a very cursory glance over. Nothing immeditately jumped out at me but remember, I am not a hugely experienced programmer.
InCtrl5 listed no registry entries changed and no files added. The USBDumper executable is clearly visible in Task Manager.
The process has not shown any signs thus far of attempting to access any network facilities.
It does what it claims. In the directory from which it was executed, it creates a folder of todays date and copies the information from the USB memory device into it. If the folder exists the files from the key are copied into it.
It does not always work. My Dell 16MB key - it always copies the data off. My 1GB key - no joy. Both are FAT formatted, I will need to find my NTFS formatted key before I can test.

Requires a little more investigation.

Comments

Not happy with McAfee

Tue, 03 Oct 2006 18:26:59 +0200

OK, McAfee has been detecting the 'psexec.exe' tool from Sysinternals (http://www.sysinternals.com) as 'Unwanted Programs' and as default, automatically deleting it. Since I am using a corporate license at work, I do not have a support contract number easily available to me so I emailed 'Customer Service' to explain that they were detecting (now) Microsoft software as malware. Apparently it is a job for technical support and they were unable, or more likely unwilling, to pass the information on.
So, that will be the last time I contact McAfee directly and they will be removed from my malicious code submission list. I don't suppose they are bothered.

Comments

USBDumper

Tue, 03 Oct 2006 16:22:40 +0200

Not the easiest bit of software to find, I got it here: http://www.secuobs.com/USBDumper.rar

I have not subjected it to my usual testing as my sandbox is not available to me right now, I'll get it tested hopefully by tomorrow. Until then, treat as highly suspicious!

Comments

Infomation Assurance

Tue, 12 Sep 2006 17:25:28 +0200

I am on an Information Assurance course this week so I doub't I'll see any new software this week.

I was pointed to Google mirror today.

http://elgoog.rb-hosting.de/index.cgi

When I get back to work, I'd better check our content filter has this at least categorised and hopefully blocked!

Comments

HIjackThis

Thu, 07 Sep 2006 23:57:04 +0200

http://www.merijn.org/files/hijackthis.zip

HijackThis, don't forget ibprocman while you're there.

Comments

Tiny KeyLogger

Thu, 07 Sep 2006 14:58:11 +0200

http://home.rochester.rr.com/artcfox/TinyKL/TinyKL.exe

Watch out! Make sure you have written consent for the installation of ANY keylogger. This one is great as it's: 1. free 2. small 3. can be easily renamed.

Downside is, some AV software identifies it as a virus/ malware.

Comments

Atguard personal firewall

Wed, 06 Sep 2006 22:17:26 +0200

http://www.es.embnet.org/Services/ftp/misc/Crypt/ftp.hacktic.nl/security/firewall/at_guard/atgd322.exe

NB AtGuard will probably seriously affect your http transfers with Windows2000 SP4 unless you copy the SP3 tcpip.sys over the SP4 versions. I've read that it loses the logging function under XP too but I'm not using XP so I don't care!

Comments

Inctrl5

Wed, 06 Sep 2006 22:00:52 +0200

http://www.devhood.com/tools/tool_details.aspx?tool_id=432

Inctrl5 - system changes monitor.

Comments

Why am I trying to blog again?

Wed, 06 Sep 2006 21:53:37 +0200

Yes again. I started a blog before, updated it only a couple of times and now I can't even remember where it was!
OK, so this time I'm planning to go for a security type blog. I'm not intending to publish this to anyone in particular but if you find the information helpful, so much the better.
The real purpose of this will be to keep a record of stuff I need that I can access from wherever I am.

Comments