Cute + Malicious == Deadly at ISIS Blogs

In a recent (experimental only) project, I followed one of the multiple guides such as this one on how to make a Lego case for a USB stick. To top it off, I loaded the Hak5 Switchblade packages on the sticks. When used with U3 USB autorun technology, these packages allow automatic theft of various personal data upon insertion of the stick into a Windows computer. Now, doesn’t this just crush the competition (a regular USB stick lost in the parking lot)?

As far as the creation of the case goes, I didn’t really follow any guides. Pretty much all you have to do is buy a mix of legos and strip a USB stick (leaving only the chip and the metal connector). Then, you have to pick a few legos (I used 3, in two different configurations) the combination of which will house the chip. You need to cut out some of their insides with a box cutter to place the chip. Then, you need to glue them together with 3M glue, fill them with transparent construction silicone and place the chip inside. Finally, you need to place some more silicon on the chip and cover the bottom hole with flat lego pieces. The color of lego pieces matters. Yellow allowed the USB LED to shine through it. Selection of the USB stick also matters - I used “SanDisk Cruzer Micro” which are medium in size and come loaded with U3.

As far as the Hak5 package goes, well, I’m not giving a guide for that. But basically, it works by modifying the U3 binaries and autorun configuration files to execute windows batch files (that are also placed on the same stick) upon insertion of the USB. The scripts provided (payloads) vary form system password stealing to IE history viewing. The information stolen is saved on the stick itself. Alternatively, there is a way to email it to yourself. Anyway, don’t pick these up on the street (not that I would part with any ).