Under Windows there are many ways of doing this; under Linux there are even more (especially just making the shell for "root" a program that corrupts the HDD: it can play with HDPARM and make it entirely incompatible with the system and then write anything to the HDD... EXTHS is a bitch to recover, plus make the program wipe specific areas such as /ver./spool/* and .bash_history, /etc/passwd and other such locations). A good thing to teach is not to allow people to run programs that are on these computers, plus there are MANY ways of paranoid people boobytrapping a PC.

Fire up Visual Basic and create a program that overwrites the hard drive with '0's or some other nasty thing, or just overwrite random parts of all files it can find on the hard drive (and network shares if you like) like the MAGISTR worm, and make it have the same icon as a folder. If you can, also make it launch the flash BIOS prog for that PC (Win 9x only). Place this executable in the root directory of the hard drive and place shortcuts to it all over the place called all sorts of nice things. Also copy the program into the Windows directory as "NOTEPAD.EXE".

Make your default screen saver 3D Pipes, and set the delay. Put a copy in the start-up menu and put a link to it in /HKCU/Software/Microsoft/Windows/Currentversion/Run in the registry. Copy the bad file as SSPIPES.SCR overwriting the original (DO NOT GO INTO THE SCREEN SAVER PROPERTIES WHILE THIS FILE EXISTS WITH THIS NAME).

Create a config.sys menu like this (9x only):

[MENU]
Normal,BAD
Logged,BAD
Safe Mode,BAD
Safe Mode with Networking,GOOD

and make the entry for [BAD] the default and make it load a line in autoexec.bat that destroys many things instead of booting. Under Win NT, edit boot.ini to make the default look like the normal one to choose and point to a destructive prog as well. Also overwrite logon.scr with this file if you have NT or Win2k.

The end result is this:

If they let it load the screen saver, they lose (they better think quick or keep tapping keys).
They load NOTEPAD.EXE and they lose.
They open the "folder" that they see, they lose.
They log in with the username on the screen (give it an easy password) and they lose.
They choose anything besides "Safe Mode with Networking", or just hold down both Ctrl keys (9x only) to get into the REAL boot menu, and they lose.

In the CMOS setup of the PC, password protect the CMOS settings, make it boot to C drive first and maybe disable the CD-ROM. (They can reset the password with DEBUG.EXE using outputs to ports; you may rename debug and put a trojan there in its place if you are really cruel. Or they can get a password resetting or cracking prog on some disk if they can figure out a way of getting software on there.. serial ports may work: copy com1 /b aaa /b - delete or trojan MODE.EXE if you want to be cruel.) They can be down to COPY CON and that is it :)

I hope you got some ideas (besides hard wiring reset to be power and power to just flick a relay and put mains voltage right into the HDD on the +5v rail, and some well placed quickmatch and thermite [Iron Oxide + Aluminium] so that nobody can open the case without it melting everything. And of course putting a small magnet in the FDD to pretty much screw any FDD that goes in there.)

-- 
Benjamin Holmes

(PS. You try all this at your own risk, and make sure you don't like the PC or at least its software very much.)

> -----Original Message-----
> From: Darren Welch [mailto:WELCHDat_private]
> Sent: Friday, 30 November 2001 2:00 AM
> To: forensicsat_private
> Subject: boobytraps
>
>
> Hi Everyone,
>
> I want to set up a pc in my lab that has boobytraps and/or
> logic bombs set (for boot or shut down). The intent is to
> design several traps that an investigator may encounter when
> making an acquisition in the field. The purpose is to
> recreate practical scenarios so that examiners have had face
> time with one of these types of traps, will recognize it
> working, and will follow proper procedure in order to
> preserve evidence. Does anyone know of canned scripts or
> software that can be installed that will set up the above
> environment and/or written procedures for handling logic
> bombs aside from pulling the plug? Appreciate the help.
>
> Darren Welch
> Manager, Information Security
> Technical Applications
> 150 N. Radnor-Chester Road
> St. David's, PA 19087
> 610-902-2676
> welchdat_private
>
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
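As an added example (not part of this thread or either poster's code), a read-only triage helper an examiner could run over a CONFIG.SYS copied off an image to spot the decoy boot menu described above, in which several menu labels all launch the same block and that block is the default. The sample CONFIG.SYS is constructed here in real DOS multi-config syntax (menuitem=BLOCK,label; menudefault=BLOCK,seconds), and the function names are my own.

```python
# Constructed sample in DOS multi-config syntax (menuitem=BLOCK,label); it
# mirrors the decoy menu described in the message, with only one real entry.
SAMPLE_CONFIG_SYS = """[MENU]
menuitem=BAD,Normal
menuitem=BAD,Logged
menuitem=BAD,Safe Mode
menuitem=GOOD,Safe Mode with Networking
menudefault=BAD,5
[BAD]
DEVICE=C:\\WINDOWS\\HIMEM.SYS
[GOOD]
DEVICE=C:\\WINDOWS\\HIMEM.SYS
"""

def parse_menu(text):
    """Return ({BLOCK: [labels]}, default_block) from the [MENU] section."""
    by_block, default, in_menu = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("["):                   # section header
            in_menu = line.upper() == "[MENU]"
            continue
        if not in_menu:                            # only the menu matters here
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() == "menuitem":
            block, _, label = val.partition(",")
            by_block.setdefault(block.strip().upper(), []).append(label.strip())
        elif key.strip().lower() == "menudefault":
            default = val.partition(",")[0].strip().upper()
    return by_block, default

def menu_findings(text):
    """Warnings: labels that share one block (decoys) and a default that is one."""
    by_block, default = parse_menu(text)
    findings = []
    for block, labels in by_block.items():
        if len(labels) > 1:
            findings.append(f"decoy labels {labels} all run block [{block}]")
    if default is not None and len(by_block.get(default, [])) > 1:
        findings.append(f"default entry runs shared block [{default}]")
    return findings
```

Run it against the mounted image's copy, never on the booted suspect machine; a clean menu with one block per label returns an empty list.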
This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 05:08:59 PST