Evil autorun CD - ideas ? downloadable exploits anywhere ?

On the Internet there is much talk about hacking through "evil USB sticks":
http://www.theregister.co.uk/2007/04/25/usb_malware/

I was inspired by a talk by John Craddock where he told the following
anecdote:
- He would burn a stack of CDs and bring them to a conference. The stack
would gradually "evaporate" as people took a CD - even though the stack
was not marked as "free for taking". When people inserted the CD a tune
would be played. Gradually he would start hearing tunes in the
neighbourhood as people inserted the CD ...

It would be fun to make a few of these CDs and use them during a pentest.
Of course the payload should be more malicious in that case.

Question: Has anyone tried this before? Did it work?

Greetings, Petr Kazil


I will try to build a CD that will contain a photo viewer and a set of
innocent pictures. But it will try to install a keylogger and send the
collected data to a temporary server that I will install on the network.

My hope is that if I download C++ keylogger source code, modify it a bit
and compile it myself, I will be able to evade virus checkers. I also
might compile and install a network listener backdoor. At the moment I'm
not even dreaming about rootkits and encrypted channels to the outside
world - that's much too difficult for me.

I don't think it will be able to collect password hashes or Active
Directory passwords because the script and programs will be running as a
normal domain user. But anyway it will be an interesting proof of concept.

I wasn't able to find any exploit details on Google. I just get a lot of
articles about the risks of autorun and ways to disable it ...

This idea has one big risk - suppose someone takes the CD home. Then I
would be committing a criminal act if I exploited his home computer. The
articles about USB-stick pentesting don't mention this risk.
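
The post describes the disc only in prose, so here is an added example (not from the original post, and not Petr Kazil's code): a small Python parser that reads an autorun.inf from unknown media and reports what Windows would have launched. It is the check you want to run on a found CD before inserting it, and it is also the part a pentester has to get right when burning one. The sample autorun.inf is constructed for this example; the viewer path and album argument are assumptions. Depending on Windows version and AutoPlay settings, the `open=` command is either run directly or offered in the AutoPlay dialog under the `action=` text, so the `action` string is the social-engineering lure and is reported as such.

```python
"""Inspect an autorun.inf the way a cautious pentester (or defender) would
before trusting unknown removable media: parse the [autorun] section and
report what AutoRun would launch and how."""
import ntpath

# Extensions that Windows runs as code when handed to AutoRun / ShellExecute.
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".hta",
                  ".vbs", ".vbe", ".js", ".jse", ".wsf", ".msi"}

# Constructed sample (not from the original post): a disc that looks like a
# photo album but points AutoRun at a bundled executable.
SAMPLE_AUTORUN_INF = """\
[autorun]
label=Conference photos
icon=viewer\\photos.ico
open=viewer\\photoviewer.exe /album pictures
action=View the photos
"""


def parse_autorun(text):
    """Return the keys of the [autorun] section as a lower-cased dict.

    Mirrors the relevant parts of Windows' behaviour: the section name is
    case-insensitive, ';' starts a comment, and only the first occurrence of
    a key counts. Returns {} when there is no [autorun] section at all.
    """
    section = None
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        keys.setdefault(key.strip().lower(), value.strip())
    return keys


def launched_program(autorun):
    """Work out what AutoRun would start.

    'shellexecute' is a file or URL passed to ShellExecute; 'open' is a
    command line relative to the drive root (first token is the program,
    possibly quoted). Returns (mechanism, target) or (None, None).
    """
    if "shellexecute" in autorun and autorun["shellexecute"]:
        return "shellexecute", autorun["shellexecute"]
    cmd = autorun.get("open", "")
    if not cmd:
        return None, None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split()[0]
    return "open", exe


def assess(text):
    """Summarise an autorun.inf: what runs, via which key, whether the target
    has an executable extension, and the lure text shown to the user."""
    autorun = parse_autorun(text)
    via, target = launched_program(autorun)
    ext = ntpath.splitext(target)[1].lower() if target else ""
    return {
        "via": via,
        "target": target,
        "executable": ext in EXECUTABLE_EXT,
        "lure": autorun.get("action"),
        "label": autorun.get("label"),
    }


if __name__ == "__main__":
    # Point this at a mounted disc instead of the constructed sample to vet it.
    result = assess(SAMPLE_AUTORUN_INF)
    for key, value in result.items():
        print(f"{key:>10}: {value}")
```

Running it on the constructed sample reports that `open` would start `viewer\photoviewer.exe`, that the target is executable, and that the user would see "View the photos" as the offered action. A disc whose [autorun] section only sets `label` or `icon` comes back with `via` unset, which is the benign case.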
