[SCTI 2011] - (Des)protegendo mídias USB

Talk given by Fernando Mercês at SCTI 2011


  1. 4Linux
     ● Experience in mission-critical environments
     ● Pioneer in distance Linux training
     ● IBM training partner
     ● First with LPI in Brazil
     ● More than 30,000 satisfied students
     ● International recognition
     ● Innovation with Hackerteen and Boteconet
     www.4linux.com.br 2 / 19
  2. (Un)protecting USB storage media
  3. Opportunity
     The reverse engineering researcher can contribute to:
     ● Open source reimplementation of existing (closed) functionality
     ● Creation of forked projects
  4. $ whoami
     ● Open Source Software Consultant at 4Linux.
     ● C language fan (RIP DMR).
     ● Free and Open Source Software lover.
     ● Maintainer of pev, T50, hdump, USBForce and other little tools.
     ● LPIC-2, A+.
     ● Reverse Engineering enthusiast.
  5. Agenda
     ● Motivation
     ● Infection via USB
     ● Existing protection methods
     ● Protection method idea
     ● Demonstration
     ● Writing a tool
     ● Conclusion
     ● References
  6. Motivation
     ● High infection risk.
     ● Lack of effective protections.
     ● Removable media bypasses network security controls.
     ● Hard to administer.
     ● Users want USB!
  7. Infection via USB
     ● autorun.inf (obfuscated or not).
     ● Not easy for normal users to detect.
     ● Automatic and fast.
  8. Existing protection methods
     ● Disable Autorun (Windows registry).
     ● USB antivirus / "firewalls".
     ● Windows policies.
     ● USBForce implements this kind of host-side protection.
  9. Protection method idea
     ● Make autorun.inf read-only.
     ● The storage partition must remain writable.
     ● Immunize the USB storage media itself against infection.
     ● There is a proprietary tool that does this, called Panda USB Vaccine.
     ● I don't know yet HOW it works internally, but it works. I need to learn the method.
  10. Demonstration
      Video: Reversing the Vaccine Technique
  11. Writing a tool
      FAT32 directory entry attribute byte (bit – mask – meaning):
        Bit 0 – 0x01 – read only
        Bit 1 – 0x02 – hidden
        Bit 2 – 0x04 – system
        Bit 3 – 0x08 – volume name
        Bit 4 – 0x10 – subdirectory
        Bit 5 – 0x20 – archive
        Bit 6 – 0x40 – unused 1
        Bit 7 – 0x80 – unused 2
  12. Writing a tool
      ● The Windows API function CreateFile does not recognize the 0x40 attribute.
      ● libfat (Linux) also does not work.
      ● ioctl does not work either =(
      ● The unused attributes are undefined (probably reserved for future use), so no filesystem API will set them; the directory entry has to be patched directly on the raw partition.
      ● The result is an "undeletable" autorun.inf: the OS refuses to handle an entry carrying an attribute it does not know.
      ● Sets the attributes 0x40 (unused) and 0x02 (hidden).
      ● Free and Open Source Software.
  13. Writing a tool
      1. Create a regular autorun.inf file.
      2. Identify the FAT32 structures (boot sector / BPB, FATs, root directory cluster).
      3. Read those structures to search the directory table for the autorun.inf entry.
      4. Locate its attribute byte (offset 11 of the 32-byte entry).
      5. Set the 0x40 attribute. It is a good idea to set 0x02 (hidden) too.
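The five steps above, as an added example written for this page (it is not OpenVaccine's source code). It performs the same walk on a FAT32 image held in memory instead of on a raw block device: read the BPB, compute where the root directory's first cluster lives, find the 8.3 entry "AUTORUN INF" and OR 0x40 and 0x02 into its attribute byte. Assumptions: the entry sits in the first cluster of the root directory (the real tool would have to follow the cluster chain in the FAT), the sample image produced by `build_sample_image()` is constructed for the demo rather than dumped from a real stick, and the entry has already been created by normal means (step 1). Doing this on `/dev/sdX1` would mean opening the device node and reading/writing at exactly the same offsets, which is why the tool needs root.

```c
/* Added example, not OpenVaccine's own source: set the reserved 0x40 and
 * hidden 0x02 attribute bits on AUTORUN.INF in a FAT32 image in memory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ATTR_HIDDEN   0x02
#define ATTR_RESERVED 0x40   /* "unused 1" in the attribute table */
#define ATTR_LFN      0x0F   /* marks a VFAT long-name entry */
#define DIR_ENTRY_SZ  32

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xFFFF); wr16(p + 2, v >> 16); }

/* Locate AUTORUN.INF in the root directory and set 0x40|0x02 on it.
 * Returns the byte offset of the attribute byte that was changed, or -1
 * when the image is not FAT32 or the entry is not found. */
long vaccinate_image(uint8_t *img, size_t len)
{
    if (len < 512 || img[510] != 0x55 || img[511] != 0xAA) return -1;
    uint16_t bps  = rd16(img + 11);      /* bytes per sector */
    uint8_t  spc  = img[13];             /* sectors per cluster */
    uint16_t rsvd = rd16(img + 14);      /* reserved sectors before FAT #1 */
    uint8_t  nfat = img[16];             /* number of FATs (2 = "mirroring enabled") */
    uint32_t spf  = rd32(img + 36);      /* sectors per FAT (FAT32 field) */
    uint32_t root = rd32(img + 44);      /* first cluster of the root directory */
    /* FAT32 has no fixed root directory area and no 16-bit FAT size */
    if (rd16(img + 17) != 0 || rd16(img + 22) != 0) return -1;
    if (bps == 0 || spc == 0 || nfat == 0 || spf == 0 || root < 2) return -1;

    uint64_t first_data = (uint64_t)rsvd + (uint64_t)nfat * spf;
    uint64_t dir_off = (first_data + (uint64_t)(root - 2) * spc) * bps;
    uint64_t dir_len = (uint64_t)spc * bps;            /* first cluster only (assumption) */
    if (dir_off + dir_len > len) return -1;

    for (uint64_t off = dir_off; off < dir_off + dir_len; off += DIR_ENTRY_SZ) {
        uint8_t *e = img + off;
        if (e[0] == 0x00) break;                        /* end of directory */
        if (e[0] == 0xE5) continue;                     /* deleted entry */
        if ((e[11] & ATTR_LFN) == ATTR_LFN) continue;   /* skip long-name pieces */
        if (memcmp(e, "AUTORUN INF", 11) == 0) {        /* 8.3 name, space padded */
            e[11] |= ATTR_HIDDEN | ATTR_RESERVED;       /* step 5 */
            return (long)(off + 11);
        }
    }
    return -1;
}

/* Constructed minimal FAT32 layout (not a real dump): 32 reserved sectors,
 * two 1-sector FATs, 1-sector clusters, root directory in cluster 2 holding
 * a plain AUTORUN.INF entry with only the archive bit. Returns image size. */
size_t build_sample_image(uint8_t *img, size_t cap)
{
    const uint16_t bps = 512, rsvd = 32;
    const uint8_t spc = 1, nfat = 2;
    const uint32_t spf = 1, root = 2;
    size_t need = (size_t)(rsvd + nfat * spf + spc) * bps;
    if (cap < need) return 0;
    memset(img, 0, need);
    memcpy(img + 3, "mkdosfs ", 8);           /* OEM name, as in the slide output */
    wr16(img + 11, bps); img[13] = spc; wr16(img + 14, rsvd); img[16] = nfat;
    wr32(img + 36, spf); wr32(img + 44, root);
    img[510] = 0x55; img[511] = 0xAA;
    uint8_t *e = img + (size_t)(rsvd + nfat * spf) * bps;   /* cluster 2 */
    memcpy(e, "AUTORUN INF", 11);
    e[11] = 0x20;                              /* archive only: still deletable */
    return need;
}

/* Build the sample image, vaccinate it and return the resulting attribute
 * byte (0x62 = archive | reserved | hidden), or -1 on failure. */
int demo_vaccinate(void)
{
    static uint8_t img[40 * 512];
    size_t n = build_sample_image(img, sizeof img);
    long off = n ? vaccinate_image(img, n) : -1;
    return off < 0 ? -1 : img[off];
}

int main(void)
{
    int attr = demo_vaccinate();
    if (attr < 0) { puts("autorun.inf entry not found"); return 1; }
    printf("autorun.inf attribute byte is now 0x%02x\n", attr);
    return 0;
}
```

Two things a practitioner should check before running anything like this against a real device: that the BPB really describes FAT32 (the `RootEntCnt == 0` and `FATSz16 == 0` checks above), and that the directory entry found is the short-name entry, not one of the 0x0F long-name pieces that precede it. The same parsing, with the OR replaced by clearing the bits, is the "tool that deletes it" the conclusion slide mentions.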
  14. The new tool: OpenVaccine
      ● Written in C.
      ● Originally designed for Linux.
      ● Creates an autorun.inf file.
      ● Immunizes USB storage media.
      ● Creates an "undeletable" autorun.inf.
      ● Sets the attributes 0x02 (hidden) and 0x40 (unused).
      ● Free and Open Source Software (GPLv3).
      ● USE AT YOUR OWN RISK. Back up first. ;)
  15. The new tool: OpenVaccine

      $ sudo ./openvaccine /dev/sdd1 /media/DANI1G/
      OpenVaccine 0.8
      by Fernando Mercês (fernando@mentebinaria.com.br)

      Partition /dev/sdd1
       + FAT32 (mkdosfs)
       + 1.86G (1949696 bytes)
       + mirroring enabled
       + 1952690 sectors
       + 512 bytes per sector
       + 4k clusters
       + serial is 3673364101

      autorun.inf created at sector 0xf04, byte 0x20 (offset 0x1e0620).
  16. Conclusion
      ● I have studied FAT32 filesystems only.
      ● OpenVaccine creates an "undeletable" autorun.inf, so with the source code it is easy to write a tool that deletes it.
      ● I think USB will still be a problem, but this tool can minimize the risk.
      ● Use reversing for open source reimplementation!
  17. References
      ● Paper (in Portuguese): www.mentebinaria.com.br/textos#0x1a
      ● OpenVaccine: http://openvaccine.sf.net
      ● USBForce: http://usbforce.sf.net
      ● Demo video: http://va.mu/J4yY (case sensitive)
  18. Thank you!
      Fernando Mercês (@MenteBinaria)
      fernando.merces@4linux.com.br
      www.4linux.com.br
      www.hackerteen.com
      twitter.com/4LinuxBR
      +55 (11) 2125-4747
