[SCTI 2011] - (Des)protegendo mídias USB

Jul 09, 2015

SCTI UENF

Talk given by Fernando Mercês at SCTI 2011
Transcript
Page 1: [SCTI 2011] -  (Des)protegendo mídias USB
Page 2

2 / 19 www.4linux.com.br

Mission-critical experience

Pioneer in distance Linux teaching

IBM training partner

First with LPI in Brazil

30,000+ satisfied students

International recognition

Innovation with Hackerteen and Boteconet

Page 3

(Un)protecting USB storage media

Page 4

Opportunity

The reverse engineering researcher can act on:

● Open source resource reimplementation

● Creation of fork projects

Page 5

$ whoami

● Open Source Software Consultant at 4Linux.

● C language fan (RIP DMR).

● Free and Open Source Software lover.

● Maintainer of pev, T50, hdump, USBForce and other little tools.

● LPIC-2, A+.

● Reverse Engineering enthusiast.

Page 6

Agenda

● Motivation

● Infection via USB

● Existing protection methods

● Protection method idea

● Demonstration

● Writing a tool

● Conclusion

● References

Page 7

Motivation

● High infection risk.

● Lack of effective protections.

● Network security bypass.

● Difficult administration.

● Users want USB!

Page 8

Infection via USB

● autorun.inf (obfuscated or not).

● Not easy for ordinary users to detect.

● Automatic and fast.

Page 9

Existing protection methods

● Disable Autorun (Windows registry).

● USB antivirus / "firewalls".

● Windows policies.

● USBForce does this work.

Page 10

Protection method idea

● Make autorun.inf read-only.

● The storage partition still needs to be writable.

● Immunize USB storage media against infections.

● There is a proprietary tool that does this, called Panda USB Vaccine.

● I don't yet know HOW it works (internally), but it works. I need to learn the method.

Page 11

Demonstration

Video: Reversing Vaccine Technique

Page 12

Writing a tool

● FAT-32 attributes byte

Bit 0 – 0x01 – read only
Bit 1 – 0x02 – hidden
Bit 2 – 0x04 – system
Bit 3 – 0x08 – volume name
Bit 4 – 0x10 – subdirectory
Bit 5 – 0x20 – archive
Bit 6 – 0x40 – unused 1
Bit 7 – 0x80 – unused 2

Page 13

Writing a tool

● The Windows API function CreateFile does not recognize the 0x40 attribute.

● libfat (Linux) also does not work.

● ioctl does not work =(

● The unused attributes are undefined (probably reserved for future use).

● Creates an “undeletable” autorun.inf.

● Sets the attributes 0x40 (unused) and 0x02 (hidden).

● Free and Open Source Software.

Page 14

Writing a tool

1. Create a regular autorun.inf file.

2. Identify FAT-32 structures.

3. Read the structures to find the autorun.inf entry in the directory table.

4. Look for attribute byte.

5. Set 0x40 attribute. It's a good idea to set 0x02 attribute too.
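The five steps above, together with the attribute-bit table from the earlier "Writing a tool" slide, worked through in C as an added example. This is not the OpenVaccine source: instead of opening a partition such as /dev/sdd1 it operates on a tiny FAT32 image constructed in memory (512-byte sectors, one sector per cluster, one reserved sector, one one-sector FAT, root directory at cluster 2), reads the BPB to locate the root directory, finds the 8.3 entry "AUTORUN INF", and ORs the 0x40 and 0x02 bits into its attribute byte. The function and constant names are mine; the BPB field offsets (11, 13, 14, 16, 36, 44) and the 32-byte directory-entry layout with the attribute byte at offset 11 are the standard FAT32 on-disk layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FAT directory-entry attribute bits, as listed on the "Writing a tool" slide. */
#define ATTR_READ_ONLY  0x01
#define ATTR_HIDDEN     0x02
#define ATTR_SYSTEM     0x04
#define ATTR_VOLUME_ID  0x08
#define ATTR_DIRECTORY  0x10
#define ATTR_ARCHIVE    0x20
#define ATTR_UNUSED1    0x40  /* the "unused 1" bit the talk sets */
#define ATTR_UNUSED2    0x80
#define ATTR_LONG_NAME  0x0F  /* read-only|hidden|system|volume-id marks a long-name entry */

#define DIR_ENTRY_SIZE  32
#define DIR_ATTR_OFFSET 11    /* attribute byte inside a 32-byte directory entry */

/* Constructed sample: a 3-sector FAT32 image, not a dump of a real device. */
#define SAMPLE_IMAGE_SIZE 1536
static const char AUTORUN_83[] = "AUTORUN INF";  /* 8.3 name: space padded, no dot */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xFF; }

/* Step 2: read the BIOS Parameter Block in sector 0 and locate the root directory.
 * Returns its byte offset (or -1 on a nonsensical BPB) and the cluster size. */
static long fat32_root_dir_offset(const uint8_t *img, uint32_t *cluster_bytes)
{
    uint16_t bytes_per_sector    = rd16(img + 11);
    uint8_t  sectors_per_cluster = img[13];
    uint16_t reserved_sectors    = rd16(img + 14);
    uint8_t  num_fats            = img[16];
    uint32_t fat_size32          = rd32(img + 36);  /* BPB_FATSz32 */
    uint32_t root_cluster        = rd32(img + 44);  /* BPB_RootClus */
    if (bytes_per_sector == 0 || sectors_per_cluster == 0 || root_cluster < 2) return -1;
    uint32_t first_data_sector = reserved_sectors + (uint32_t)num_fats * fat_size32;
    uint32_t root_sector = first_data_sector + (root_cluster - 2) * sectors_per_cluster;
    if (cluster_bytes) *cluster_bytes = (uint32_t)sectors_per_cluster * bytes_per_sector;
    return (long)root_sector * bytes_per_sector;
}

/* Steps 3-4: walk one directory cluster and return the offset of the attribute
 * byte of the entry named name83, or -1 if there is no such entry. */
static long find_attr_offset(const uint8_t *img, long dir_off, uint32_t dir_len, const char *name83)
{
    for (uint32_t off = 0; off + DIR_ENTRY_SIZE <= dir_len; off += DIR_ENTRY_SIZE) {
        const uint8_t *e = img + dir_off + off;
        if (e[0] == 0x00) break;                                                /* no more entries */
        if (e[0] == 0xE5) continue;                                             /* deleted entry */
        if ((e[DIR_ATTR_OFFSET] & ATTR_LONG_NAME) == ATTR_LONG_NAME) continue;  /* LFN piece */
        if (memcmp(e, name83, 11) == 0) return dir_off + off + DIR_ATTR_OFFSET;
    }
    return -1;
}

/* Step 5: set the "unused" 0x40 bit plus hidden on autorun.inf, keeping the bits
 * already present. Returns the offset of the patched byte, or -1 if not found. */
long vaccinate_image(uint8_t *img)
{
    uint32_t cluster_bytes = 0;
    long root = fat32_root_dir_offset(img, &cluster_bytes);
    if (root < 0) return -1;
    long attr = find_attr_offset(img, root, cluster_bytes, AUTORUN_83);
    if (attr < 0) return -1;
    img[attr] |= ATTR_UNUSED1 | ATTR_HIDDEN;
    return attr;
}

/* Step 1 in miniature: build the constructed image with a regular autorun.inf
 * (archive bit only) as the first root-directory entry at sector 2. */
void build_sample_image(uint8_t *img)
{
    memset(img, 0, SAMPLE_IMAGE_SIZE);
    wr16(img + 11, 512); img[13] = 1; wr16(img + 14, 1); img[16] = 1;
    wr32(img + 36, 1); wr32(img + 44, 2);
    uint8_t *entry = img + 2 * 512;
    memcpy(entry, AUTORUN_83, 11);
    entry[DIR_ATTR_OFFSET] = ATTR_ARCHIVE;
}

/* Helpers for the stand-alone run: root directory offset of the sample (1024),
 * and the autorun.inf attribute byte after vaccination (0x62 = archive|unused1|hidden). */
long sample_root_dir_offset(void)
{
    uint8_t img[SAMPLE_IMAGE_SIZE];
    build_sample_image(img);
    return fat32_root_dir_offset(img, NULL);
}

int sample_attr_after_vaccine(void)
{
    uint8_t img[SAMPLE_IMAGE_SIZE];
    build_sample_image(img);
    long attr = vaccinate_image(img);
    return attr < 0 ? -1 : img[attr];
}

int main(void)
{
    int attr = sample_attr_after_vaccine();
    printf("root dir at byte %ld, autorun.inf attribute byte after vaccine: 0x%02x\n",
           sample_root_dir_offset(), attr);
    return attr == (ATTR_ARCHIVE | ATTR_UNUSED1 | ATTR_HIDDEN) ? 0 : 1;
}
```

The example assumes the root directory fits in its first cluster; a tool for real media would follow the cluster chain in the FAT and would write the patched sector back to the device, which is exactly the step the slide's "backup first" warning refers to. Because the patch is a single OR on one byte, undoing it (clearing 0x40) is equally small, which is the point made on the Conclusion slide.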

Page 15

The new tool: OpenVaccine

● Written in C.

● Originally designed for Linux.

● Creates an autorun.inf file.

● Immunizes USB storage media.

● Creates an “undeletable” autorun.inf.

● Sets the attributes 0x02 (hidden) and 0x40 (unused).

● Free and Open Source Software (GPLv3).

● USE AT OWN RISK. Backup first. ;)

Page 16

The new tool: OpenVaccine

$ sudo ./openvaccine /dev/sdd1 /media/DANI1G/
OpenVaccine 0.8
by Fernando Mercês ([email protected])

Partition /dev/sdd1
 + FAT32 (mkdosfs)
 + 1.86G (1949696 bytes)
 + mirroring enabled
 + 1952690 sectors
 + 512 bytes per sector
 + 4k clusters
 + serial is 3673364101

autorun.inf created at sector 0xf04, byte 0x20 (offset 0x1e0620).

Page 17

Conclusion

● I have studied FAT-32 filesystems only.

● OpenVaccine will create an “undeletable” autorun.inf, so with source code, it's easy to write a tool that deletes it.

● I think USB will still be a problem, but this tool can minimize risks.

● Use reversing for open source reimplementation!

Page 18

References

● Paper (in Portuguese): www.mentebinaria.com.br/textos#0x1a

● OpenVaccine: http://openvaccine.sf.net

● USBForce: http://usbforce.sf.net

● Demo video: http://va.mu/J4yY (case sensitive)

Page 19

Thank you!

Fernando Mercês (@MenteBinaria)
[email protected]

www.4linux.com.br
www.hackerteen.com
twitter.com/4LinuxBR

+55 (11) 2125-4747