(Un)protecting USB storage media



            Fernando Mercês
            @MenteBinaria
        www.mentebinaria.com.br



        H2HC 8th Edition – 2011
             São Paulo - SP
$ whoami
●   Open Source Software Consultant at 4Linux.
●   C language fan (RIP DMR).
●   Free and Open Source Software lover.
●   Maintainer of pev, T50, hdump, USBForce and
     other little tools.
●   LPIC-2, A+.
●   Reverse Engineering enthusiast.
Agenda
●   Motivation
●   Infection via USB
●   Existing protection methods
●   Protection method idea
●   Demonstration
●   Writing a tool
●   Conclusion
●   References
Motivation
●   High infection risk.
●   Lack of effective protections.
●   Network security bypass.
●   Hard administration.
●   Users want USB!
Infection via USB
●   autorun.inf (obfuscated or not).
●   Not easy to detect (normal users).
●   Automatic and fast.
Existing protection methods
●   Disable Autorun (Windows registry).
●   USB Antivirus/“firewalls”.
●   Windows policies.
●   USBForce does this work.
Protection method idea
●   Make autorun.inf read-only.
●   The storage partition needs to be still writable.
●   Immunize USB storage media against infections.
●   There is a proprietary tool to do it called Panda USB
     Vaccine.
●   I don't know yet HOW it works (internally), but it
      works. I need to learn the method.
Demonstration
Reversing Panda Vaccine to understand protection.
Writing a tool
●   FAT-32 attributes byte
         Bit 0 – 0x01 – read only
         Bit 1 – 0x02 – hidden
         Bit 2 – 0x04 – system
         Bit 3 – 0x08 – volume name
         Bit 4 – 0x10 – subdirectory
         Bit 5 – 0x20 – archive
         Bit 6 – 0x40 – unused 1
         Bit 7 – 0x80 – unused 2
Writing a tool
●   Windows API function CreateFile does not
     recognize 0x40 attribute.
●   libfat (Linux) also does not work.
●   ioctl does not work =(
●   The unused attributes are undefined (probably
     reserved for future use).
●   Creates an “undeletable” autorun.inf.
●   Sets the attributes 0x40 (unused) and 0x02
      (hidden).
●   Free and Open Source Software.
Writing a tool
1. Create a regular autorun.inf file.
2. Identify the FAT-32 structures.
3. Read the structures to search for the autorun.inf file
  entry in the table.
4. Look for the attribute byte.
5. Set the 0x40 attribute. It's a good idea to set the 0x02
  attribute too.
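The steps above, as an added example in C that is not OpenVaccine's code: it parses the FAT32 BPB, walks the root directory for the AUTORUN.INF 8.3 entry and ORs 0x40 | 0x02 into its attribute byte. It works on a constructed in-memory image (a real run would read and write the partition device, as the tool does) and scans only the first root-directory cluster; the image layout and the three directory entries are constructed for the example.

```c
/* Added example (not OpenVaccine's code): the slide procedure on a constructed
 * in-memory FAT32 image. BPB field offsets follow the FAT32 boot-sector layout. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_HIDDEN  0x02
#define ATTR_LFN     0x0F  /* long-file-name entries carry this attribute value */
#define ATTR_UNUSED1 0x40  /* bit 6: what the slides call "unused 1" */
static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }

/* Steps 2-5: parse the BPB, locate the root directory cluster, find the
 * AUTORUN.INF entry and OR 0x40 | 0x02 into its attribute byte. Returns the
 * image offset of that byte, or -1. Only the first root cluster is scanned. */
static long vaccinate_autorun(uint8_t *img, size_t len)
{
    uint32_t bps = le16(img + 0x0B), spc = img[0x0D], rsvd = le16(img + 0x0E);
    uint32_t nfats = img[0x10], fatsz = le32(img + 0x24), root = le32(img + 0x2C);
    if (bps == 0 || spc == 0 || root < 2) return -1;
    size_t dir = (size_t)(rsvd + nfats * fatsz + (root - 2) * spc) * bps;
    size_t dir_end = dir + (size_t)spc * bps;
    if (dir_end > len) return -1;
    for (size_t off = dir; off + 32 <= dir_end; off += 32) {
        uint8_t *e = img + off;
        if (e[0] == 0x00) break;                          /* end of directory */
        if (e[0] == 0xE5 || e[11] == ATTR_LFN) continue;  /* deleted or LFN part */
        if (memcmp(e, "AUTORUN INF", 11) == 0) {
            e[11] |= ATTR_UNUSED1 | ATTR_HIDDEN;
            return (long)(off + 11);
        }
    }
    return -1;
}

/* Constructed image: 32 reserved sectors, 2 FATs of 1 sector, 1 data cluster. */
static uint8_t image[35 * 512];

static void build_image(void)
{
    memset(image, 0, sizeof image);
    image[0x0C] = 0x02;  /* 512 bytes per sector (0x0200, little-endian) */
    image[0x0D] = 1;     /* sectors per cluster */
    image[0x0E] = 32;    /* reserved sectors */
    image[0x10] = 2;     /* number of FATs */
    image[0x24] = 1;     /* sectors per FAT */
    image[0x2C] = 2;     /* root directory cluster */
    uint8_t *dir = image + 34 * 512;                      /* step 1: the files */
    memcpy(dir, "README  TXT", 11);      dir[11] = 0x20;  /* plain archive file */
    dir[32] = 0x41;                      dir[43] = ATTR_LFN;  /* LFN entry to skip */
    memcpy(dir + 64, "AUTORUN INF", 11); dir[75] = 0x20;  /* the file to protect */
}

/* Build the image and vaccinate it; returns the attribute byte's offset. */
long demo_offset(void) { build_image(); return vaccinate_autorun(image, sizeof image); }
int attr_at(long off) { return off < 0 ? -1 : image[off]; }

int main(void)
{
    long off = demo_offset();
    if (off < 0) { puts("autorun.inf not found"); return 1; }
    printf("autorun.inf attribute at sector 0x%lx, byte 0x%lx (offset 0x%lx): 0x%02x\n",
           (unsigned long)(off / 512), (unsigned long)(off % 512), (unsigned long)off, attr_at(off));
    return 0;
}
```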
The new tool: OpenVaccine
●   Written in C.
●   Originally designed for Linux.
●   Creates an autorun.inf file.
●   Immunizes USB storage media.
●   Creates an “undeletable” autorun.inf.
●   Sets the attributes 0x02 (hidden) and 0x40
      (unused).
●   Free and Open Source Software (GPLv3).
●   USE AT OWN RISK. Backup first. ;)
The new tool: OpenVaccine
$ sudo ./openvaccine /dev/sdd1 /media/DANI1G/
OpenVaccine 0.8
by Fernando Mercês (fernando@mentebinaria.com.br)
Partition /dev/sdd1
 + FAT32 (mkdosfs)
 + 1.86G (1949696 bytes)
 + mirroring enabled
 + 1952690 sectors
 + 512 bytes per sector
 + 4k clusters
 + serial is 3673364101
autorun.inf created at sector 0xf04, byte 0x20 (offset 0x1e0620).
Conclusion
●   I have studied FAT-32 filesystems only.
●   OpenVaccine will create an “undeletable”
     autorun.inf, so with source code, it's easy to write
     a tool that deletes it.
●   I think USB will still be a problem, but this tool can
       minimize risks.
●   Use reversing for open source reimplementation!
References
●   Paper (in Portuguese)
    www.mentebinaria.com.br/textos#0x1a
●   OpenVaccine
    http://openvaccine.sf.net
●   USBForce
    http://usbforce.sf.net
●   Demo video
    http://va.mu/J4yY (case sensitive)
●   This presentation
    http://www.mentebinaria.com.br/eventos
Thank you!
       Questions?
fernando@mentebinaria.com.br
       @MenteBinaria
   www.mentebinaria.com.br
