1. (Un)protecting USB storage media
Fernando Mercês
@MenteBinaria
www.mentebinaria.com.br
H2HC 8th Edition – 2011
São Paulo - SP
2. $ whoami
● Open Source Software Consultant at 4Linux.
● C language fan (RIP DMR).
● Free and Open Source Software lover.
● Maintainer of pev, T50, hdump, USBForce and
other little tools.
● LPIC-2, A+.
● Reverse Engineering enthusiast.
3. Agenda
● Motivation
● Infection via USB
● Existing protection methods
● Protection method idea
● Demonstration
● Writing a tool
● Conclusion
● References
4. Motivation
● High infection risk.
● Lack of effective protections.
● Network security bypass.
● Hard administration.
● Users want USB!
5. Infection via USB
● autorun.inf (obfuscated or not).
● Not easy to detect (normal users).
● Automatic and fast.
6. Existing protection methods
● Disable Autorun (Windows registry).
● USB Antivirus/“firewalls”.
● Windows policies.
● USBForce does this work.
7. Protection method idea
● Make autorun.inf read-only.
● The storage partition still needs to be writable.
● Immunize USB storage media against infections.
● There is a proprietary tool to do it, called Panda USB
Vaccine.
● I don't know yet HOW it works (internally), but it
works. I need to learn the method.
9. Writing a tool
● FAT-32 attributes byte
Bit 0 – 0x01 – read only
Bit 1 – 0x02 – hidden
Bit 2 – 0x04 – system
Bit 3 – 0x08 – volume name
Bit 4 – 0x10 – subdirectory
Bit 5 – 0x20 – archive
Bit 6 – 0x40 – unused 1
Bit 7 – 0x80 – unused 2
10. Writing a tool
● The Windows API function CreateFile does not
recognize the 0x40 attribute.
● libfat (Linux) also does not work.
● ioctl does not work =(
● The unused attributes are undefined (probably
reserved for future use).
● Creates an “undeletable” autorun.inf.
● Sets the attributes 0x40 (unused) and 0x02
(hidden).
● Free and Open Source Software.
11. Writing a tool
1. Create a regular autorun.inf file.
2. Identify the FAT-32 structures (boot sector, FATs, root directory).
3. Read the structures to find the autorun.inf entry in the
directory table.
4. Locate its attribute byte.
5. Set the 0x40 attribute. It's a good idea to set the 0x02
attribute too.
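The steps above carried out in C on a small FAT32 image held in memory, as an added example and not OpenVaccine's own code: the BPB fields of the boot sector locate the root directory, the 32-byte entries are scanned for the 8.3 short name "AUTORUN INF", and that entry's attribute byte is ORed with 0x40|0x02. The image built by demo_vaccinate is constructed for the example (not a real dump), and the example handles only a root-directory entry with a short name; a real tool would read and write the block device instead.

```c
#include <stdint.h>
#include <string.h>

#define ATTR_HIDDEN 0x02   /* bit 1 */
#define ATTR_UNUSED 0x40   /* bit 6, "unused 1" in the attribute table */
#define DIR_ENTRY   32     /* size of one FAT directory entry */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Step 2: read the BPB and compute the byte offset of the root directory. */
static uint32_t fat32_root_dir_offset(const uint8_t *bs) {
    uint16_t bps = le16(bs + 11), rsvd = le16(bs + 14);   /* bytes/sector, reserved sectors */
    uint8_t  spc = bs[13], nfats = bs[16];                 /* sectors/cluster, FAT copies */
    uint32_t fatsz = le32(bs + 36), root = le32(bs + 44);  /* sectors/FAT, root cluster */
    return (rsvd + nfats * fatsz + (root - 2) * spc) * bps;
}

/* Steps 3-5: walk the root directory entries, find the 8.3 short name
 * "AUTORUN INF" (space padded, no dot) and OR its attribute byte
 * (entry offset 11) with 0x40|0x02. Returns the new attribute byte, or -1. */
int vaccinate_autorun(uint8_t *img, size_t len) {
    uint32_t off = fat32_root_dir_offset(img);
    for (; off + DIR_ENTRY <= len; off += DIR_ENTRY) {
        uint8_t *e = img + off;
        if (e[0] == 0x00) break;      /* 0x00: no more entries */
        if (e[0] == 0xE5) continue;   /* 0xE5: deleted entry */
        if (memcmp(e, "AUTORUN INF", 11) == 0) {
            e[11] |= ATTR_UNUSED | ATTR_HIDDEN;
            return e[11];
        }
    }
    return -1;
}

/* Constructed 4-sector image (not a real dump): boot sector, two 1-sector
 * FATs, root directory at cluster 2 = sector 3 = byte 1536, containing a
 * plain autorun.inf entry with only the archive bit (0x20) set. */
int demo_vaccinate(void) {
    static uint8_t img[4 * 512];
    memset(img, 0, sizeof img);
    img[12] = 0x02;              /* 512 bytes per sector (offset 11, little-endian) */
    img[13] = 1; img[14] = 1;    /* 1 sector per cluster, 1 reserved sector */
    img[16] = 2; img[36] = 1;    /* 2 FATs, 1 sector per FAT */
    img[44] = 2;                 /* root directory starts at cluster 2 */
    memcpy(img + 1536, "AUTORUN INF", 11);
    img[1536 + 11] = 0x20;
    return vaccinate_autorun(img, sizeof img);  /* 0x20|0x40|0x02 = 0x62 */
}
```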
12. The new tool: OpenVaccine
● Written in C.
● Originally designed for Linux.
● Creates an autorun.inf file.
● Immunizes USB storage media.
● Creates an “undeletable” autorun.inf.
● Sets the attributes 0x02 (hidden) and 0x40
(unused).
● Free and Open Source Software (GPLv3).
● USE AT OWN RISK. Backup first. ;)
13. The new tool: OpenVaccine
$ sudo ./openvaccine /dev/sdd1 /media/DANI1G/
OpenVaccine 0.8
by Fernando Mercês (fernando@mentebinaria.com.br)
Partition /dev/sdd1
+ FAT32 (mkdosfs)
+ 1.86G (1949696 bytes)
+ mirroring enabled
+ 1952690 sectors
+ 512 bytes per sector
+ 4k clusters
+ serial is 3673364101
autorun.inf created at sector 0xf04, byte 0x20 (offset 0x1e0620).
15. Conclusion
● I have studied FAT-32 filesystems only.
● OpenVaccine will create an “undeletable”
autorun.inf, so with the source code it's easy to write
a tool that deletes it.
● I think USB will still be a problem, but this tool can
minimize risks.
● Use reversing for open source reimplementation!
16. References
● Paper (in Portuguese)
www.mentebinaria.com.br/textos#0x1a
● OpenVaccine
http://openvaccine.sf.net
● USBForce
http://usbforce.sf.net
● Demo video
http://va.mu/J4yY (case sensitive)
● This presentation
http://www.mentebinaria.com.br/eventos