(Un)Protecting USB Storage Media

H2HC 8th

  1. (Un)protecting USB storage media
     Fernando Mercês, @MenteBinaria, www.mentebinaria.com.br
     H2HC 8th Edition – 2011, São Paulo - SP
  2. $ whoami
     ● Open Source Software Consultant at 4Linux.
     ● C language fan (RIP DMR).
     ● Free and Open Source Software lover.
     ● Maintainer of pev, T50, hdump, USBForce and other little tools.
     ● LPIC-2, A+.
     ● Reverse Engineering enthusiast.
  3. Agenda
     ● Motivation
     ● Infection via USB
     ● Existing protection methods
     ● Protection method idea
     ● Demonstration
     ● Writing a tool
     ● Conclusion
     ● References
  4. Motivation
     ● High infection risk.
     ● Lack of effective protections.
     ● Network security bypass.
     ● Hard administration.
     ● Users want USB!
  5. Infection via USB
     ● autorun.inf (obfuscated or not).
     ● Not easy to detect (normal users).
     ● Automatic and fast.
  6. Existing protection methods
     ● Disable Autorun (Windows registry).
     ● USB Antivirus/"firewalls".
     ● Windows policies.
     ● USBForce does this work.
  7. Protection method idea
     ● Make autorun.inf read-only.
     ● The storage partition must still be writable.
     ● Immunize USB storage media against infections.
     ● There is a proprietary tool that does this, called Panda USB Vaccine.
     ● I don't know yet HOW it works (internally), but it works. I need to learn the method.
  8. Demonstration
     Reversing Panda Vaccine to understand protection.
  9. Writing a tool
     ● FAT-32 attributes byte
         Bit 0 – 0x01 – read only
         Bit 1 – 0x02 – hidden
         Bit 2 – 0x04 – system
         Bit 3 – 0x08 – volume name
         Bit 4 – 0x10 – subdirectory
         Bit 5 – 0x20 – archive
         Bit 6 – 0x40 – unused 1
         Bit 7 – 0x80 – unused 2
  10. Writing a tool
     ● Windows API function CreateFile does not recognize 0x40 attribute.
     ● libfat (Linux) also does not work.
     ● ioctl does not work =(
     ● The unused attributes are undefined (probably reserved for future use).
     ● Creates an "undeletable" autorun.inf.
     ● Sets the attributes 0x40 (unused) and 0x02 (hidden).
     ● Free and Open Source Software.
  11. Writing a tool
     1. Create a regular autorun.inf file.
     2. Identify FAT-32 structures.
     3. Read structures to search for autorun.inf file entry in table.
     4. Look for attribute byte.
     5. Set 0x40 attribute. It's a good idea to set 0x02 attribute too.
  12. The new tool: OpenVaccine
     ● Written in C.
     ● Originally designed for Linux.
     ● Creates an autorun.inf file.
     ● Immunizes USB storage media.
     ● Creates an "undeletable" autorun.inf.
     ● Sets the attributes 0x02 (hidden) and 0x40 (unused).
     ● Free and Open Source Software (GPLv3).
     ● USE AT OWN RISK. Backup first. ;)
  13. The new tool: OpenVaccine

         $ sudo ./openvaccine /dev/sdd1 /media/DANI1G/
         OpenVaccine 0.8
         by Fernando Mercês (fernando@mentebinaria.com.br)
         Partition /dev/sdd1
          + FAT32 (mkdosfs)
          + 1.86G (1949696 bytes)
          + mirroring enabled
          + 1952690 sectors
          + 512 bytes per sector
          + 4k clusters
          + serial is 3673364101
         autorun.inf created at sector 0xf04, byte 0x20 (offset 0x1e0620).
  15. Conclusion
     ● I have studied FAT-32 filesystems only.
     ● OpenVaccine will create an "undeletable" autorun.inf, so with source code, it's easy to write a tool that deletes it.
     ● I think USB will still be a problem, but this tool can minimize risks.
     ● Use reversing for open source reimplementation!
  16. References
     ● Paper (in Portuguese): www.mentebinaria.com.br/textos#0x1a
     ● OpenVaccine: http://openvaccine.sf.net
     ● USBForce: http://usbforce.sf.net
     ● Demo video: http://va.mu/J4yY (case sensitive)
     ● This presentation: http://www.mentebinaria.com.br/eventos
  17. Thank you! Questions?
     fernando@mentebinaria.com.br, @MenteBinaria, www.mentebinaria.com.br
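
The search and attribute-setting steps of the "Writing a tool" procedure above, as an added example in C (not OpenVaccine's source): it walks a FAT directory sector held in memory, finds the AUTORUN.INF short entry and sets 0x40 and 0x02 in its attribute byte. The sector contents are constructed sample data and the function names are hypothetical; locating the directory on a real volume from the boot sector is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIRENT_SIZE  32    /* one FAT short (8.3) directory entry */
#define ATTR_OFFSET  11    /* attribute byte follows the 11-byte name */
#define ATTR_HIDDEN  0x02
#define ATTR_UNUSED1 0x40  /* "unused 1" bit from the attribute table */
#define ATTR_LFN     0x0F  /* long-file-name entries carry this value */

/* Return the byte offset of the short entry `name11` (8 name + 3 extension
 * characters, space padded) in a directory buffer, or -1 if absent. */
long find_dirent(const uint8_t *dir, size_t len, const char *name11)
{
    for (size_t off = 0; off + DIRENT_SIZE <= len; off += DIRENT_SIZE) {
        if (dir[off] == 0x00) break;                       /* end of directory */
        if (dir[off] == 0xE5) continue;                    /* deleted entry */
        if (dir[off + ATTR_OFFSET] == ATTR_LFN) continue;  /* LFN fragment */
        if (memcmp(dir + off, name11, 11) == 0) return (long)off;
    }
    return -1;
}

/* Set hidden + unused-1 on AUTORUN.INF; returns the new attribute or -1. */
int vaccinate(uint8_t *dir, size_t len)
{
    long off = find_dirent(dir, len, "AUTORUN INF");
    if (off < 0) return -1;
    dir[off + ATTR_OFFSET] |= ATTR_HIDDEN | ATTR_UNUSED1;
    return dir[off + ATTR_OFFSET];
}

/* Constructed sample: one 512-byte directory sector with a volume label
 * at entry 0 and AUTORUN.INF (archive, 0x20) at entry 1. */
void build_sample(uint8_t sector[512])
{
    memset(sector, 0, 512);
    memcpy(sector, "SAMPLE     ", 11);      sector[ATTR_OFFSET] = 0x08;
    memcpy(sector + 32, "AUTORUN INF", 11); sector[32 + ATTR_OFFSET] = 0x20;
}

int main(void)
{
    uint8_t sector[512];
    build_sample(sector);
    long off = find_dirent(sector, sizeof sector, "AUTORUN INF");
    printf("entry at byte 0x%lx, attr 0x%02x\n", off, vaccinate(sector, sizeof sector));
    return 0;
}
```

The same scan, run read-only against a directory sector, also tells an administrator whether a stick already carries the 0x40 marker.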