SlideShare uma empresa Scribd logo

[SCTI 2011] - (Des)protegendo mídias USB

SCTI UENF
SCTI UENF

Palestrada ministrada por Fernando Mercês na SCTI 2011

TecnologiaNotícias e política
1 de 19
Baixar para ler offline
 Experiência em missão crítica de missão crítica  Pioneira no ensino de Linux à distância  Parceira de treinamento IBM  Primeira com LPI no Brasil  + de 30.000 alunos satisfeitos  Reconhecimento internacional  Inovação com Hackerteen e Boteconet www.4linux.com.br 2 / 19
(Un)protecting USB storage media www.4linux.com.br 3 / 19
Opportunity The reverse engineering researcher cant act at: ● Open source resource reimplementation ● Fork projects creation www.4linux.com.br 4 / 19
$ whoami ● Open Source Software Consultant at 4Linux. ● C language fan (RIP DMR). ● Free and Open Source Software lover. ● Maintainer of pev, T50, hdump, USBForce and other little tools. ● LPIC-2, A+. ● Reverse Engineering enthusiast. www.4linux.com.br 5 / 19
Agenda ● Motivation ● Infection via USB ● Existing protection methods ● Protection method idea ● Demonstration ● Writing a tool ● Conclusion ● References www.4linux.com.br 6 / 19
Motivation ● High infection risk. ● Lack of effective protections. ● Network security bypass. ● Hard administration. ● Users want USB! www.4linux.com.br 7 / 19
Infection via USB ● autorun.inf (obfuscated or not). ● Not easy to detect (normal users). ● Automatic and fast. www.4linux.com.br 8 / 19
Existing protections methods ● Disable Autorun (Windows registry). ● USB Antivirus/”firewalls”. ● Windows policies. ● USBForce does this work. www.4linux.com.br 9 / 19
Protection method idea ● Make autorun.inf read-only. ● The storage partition needs to be still writable. ● Immunize USB storage media against infections. ● There is proprietary tool to do it called Panda USB Vaccine. ● I don't know yet HOW (internally) works, but it works. I need to learn the method. www.4linux.com.br 10 / 19
Demonstration Video: Reversing Vaccine Technique www.4linux.com.br 11 / 19
Writing a tool ● FAT-32 attributes byte Bit 0 – 0x01 – read only Bit 1 – 0x02 – hidden Bit 2 – 0x04 – system Bit 3 – 0x08 – volume name Bit 4 – 0x10 – subdirectory Bit 5 – 0x20 – archive Bit 6 – 0x40 – unused 1 Bit 7 – 0x80 – unused 2 www.4linux.com.br 12 / 19
Writing a tool ●Windows API function CreateFile does not recognize 0x40 attribute. ● libfat (Linux) also does not work. ● ioctl does not work =( ● The unused attributes are undefined (probably reserved for future use). ● Creates an “undeletable” autorun.inf. ● Sets the attributes 0x40 (unused) and 0x02 (hidden). ● Free and Open Source Software. www.4linux.com.br 13 / 19
Writing a tool 1. Create a regular autorun.inf file. 2. Identify FAT-32 structures. 3. Read structures to search for autorun.inf file entry in table. 4. Look for attribute byte. 5. Set 0x40 attribute. It's a good idea to set 0x02 attribute too. www.4linux.com.br 14 / 19
The new tool: OpenVaccine ● Written in C. ● Originally designed for Linux. ● Creates an autorun.inf file. ● Immunize USB storage medias. ● Creates an “undeletable” autorun.inf. ● Sets the attributes 0x02 (hidden) and 0x40 (unused). ● Free and Open Source Software (GPLv3). ● USE AT OWN RISK. Backup first. ;) www.4linux.com.br 15 / 19
The new tool: OpenVaccine $ sudo ./openvaccine /dev/sdd1 /media/DANI1G/ OpenVaccine 0.8 by Fernando Mercês (fernando@mentebinaria.com.br) Partition /dev/sdd1  + FAT32 (mkdosfs)  + 1.86G (1949696 bytes)  + mirroring enabled  + 1952690 sectors  + 512 bytes per sector  + 4k clusters  + serial is 3673364101 autorun.inf created at sector 0xf04, byte 0x20 (offset  0x1e0620). www.4linux.com.br 16 / 19
Conclusion ● I have studied FAT-32 filesystems only. ●OpenVaccine will create an “undeletable” autorun.inf, so with source code, it's easy to write a tool that deletes it. ● I think USB will still be a problem, but this tool can minimize risks. ● Use reversing for open source reimplementation! www.4linux.com.br 17 / 19
References ● Paper (in Portuguese) www.mentebinaria.com.br/textos#0x1a ● OpenVaccine http://openvaccine.sf.net ● USBForce http://usbforce.sf.net ● Demo video http://va.mu/J4yY (case sensitive) www.4linux.com.br 18 / 19
Thank you! Fernando Mercês (@MenteBinaria) fernando.merces@4linux.com.br www.4linux.com.br www.hackerteen.com twitter.com/4LinuxBR +55 (11) 2125-4747 www.4linux.com.br 19 / 19

Recomendados

4910BasicProjectManagement
4910BasicProjectManagement4910BasicProjectManagement
4910BasicProjectManagementMichael Birdsong
 
[SCTI 2011] - CLI: sobrevivendo na linha de comando
[SCTI 2011] - CLI: sobrevivendo na linha de comando[SCTI 2011] - CLI: sobrevivendo na linha de comando
[SCTI 2011] - CLI: sobrevivendo na linha de comandoSCTI UENF
 
[SCTI 2011] - Groupwares e os Espaços Virtuais: problemas, soluções e desafios
[SCTI 2011] - Groupwares e os Espaços Virtuais: problemas, soluções e desafios[SCTI 2011] - Groupwares e os Espaços Virtuais: problemas, soluções e desafios
[SCTI 2011] - Groupwares e os Espaços Virtuais: problemas, soluções e desafiosSCTI UENF
 
Segurança em Servidores de Games - (Minicraft)
Segurança em Servidores de Games - (Minicraft)Segurança em Servidores de Games - (Minicraft)
Segurança em Servidores de Games - (Minicraft)Bruno Alexandre
 
Seminario Seguranca da Informação
Seminario Seguranca da InformaçãoSeminario Seguranca da Informação
Seminario Seguranca da InformaçãoMariana Gonçalves Spanghero
 
[SCTI 2011] - Fundamentos da Segurança da Informação
[SCTI 2011] - Fundamentos da Segurança da Informação[SCTI 2011] - Fundamentos da Segurança da Informação
[SCTI 2011] - Fundamentos da Segurança da InformaçãoSCTI UENF
 
Palestra: Pentest - Intrusão de Redes
Palestra: Pentest - Intrusão de RedesPalestra: Pentest - Intrusão de Redes
Palestra: Pentest - Intrusão de RedesBruno Alexandre
 
Técnicas forenses para a recuperação de arquivos
Técnicas forenses para a recuperação de arquivosTécnicas forenses para a recuperação de arquivos
Técnicas forenses para a recuperação de arquivosCampus Party Brasil
 

Recomendados

4910BasicProjectManagement
4910BasicProjectManagement4910BasicProjectManagement
4910BasicProjectManagementMichael Birdsong
 
[SCTI 2011] - CLI: sobrevivendo na linha de comando
[SCTI 2011] - CLI: sobrevivendo na linha de comando[SCTI 2011] - CLI: sobrevivendo na linha de comando
[SCTI 2011] - CLI: sobrevivendo na linha de comandoSCTI UENF
 
[SCTI 2011] - Groupwares e os Espaços Virtuais: problemas, soluções e desafios
[SCTI 2011] - Groupwares e os Espaços Virtuais: problemas, soluções e desafios[SCTI 2011] - Groupwares e os Espaços Virtuais: problemas, soluções e desafios
[SCTI 2011] - Groupwares e os Espaços Virtuais: problemas, soluções e desafiosSCTI UENF
 
Segurança em Servidores de Games - (Minicraft)
Segurança em Servidores de Games - (Minicraft)Segurança em Servidores de Games - (Minicraft)
Segurança em Servidores de Games - (Minicraft)Bruno Alexandre
 
Seminario Seguranca da Informação
Seminario Seguranca da InformaçãoSeminario Seguranca da Informação
Seminario Seguranca da InformaçãoMariana Gonçalves Spanghero
 
[SCTI 2011] - Fundamentos da Segurança da Informação
[SCTI 2011] - Fundamentos da Segurança da Informação[SCTI 2011] - Fundamentos da Segurança da Informação
[SCTI 2011] - Fundamentos da Segurança da InformaçãoSCTI UENF
 
Palestra: Pentest - Intrusão de Redes
Palestra: Pentest - Intrusão de RedesPalestra: Pentest - Intrusão de Redes
Palestra: Pentest - Intrusão de RedesBruno Alexandre
 
Técnicas forenses para a recuperação de arquivos
Técnicas forenses para a recuperação de arquivosTécnicas forenses para a recuperação de arquivos
Técnicas forenses para a recuperação de arquivosCampus Party Brasil
 
(Un)Protecting USB Storage Media
(Un)Protecting USB Storage Media(Un)Protecting USB Storage Media
(Un)Protecting USB Storage MediaFernando Mercês
 
Android Variants, Hacks, Tricks and Resources presented at AnDevConII
Android Variants, Hacks, Tricks and Resources presented at AnDevConIIAndroid Variants, Hacks, Tricks and Resources presented at AnDevConII
Android Variants, Hacks, Tricks and Resources presented at AnDevConIIOpersys inc.
 
Headless Android
Headless AndroidHeadless Android
Headless AndroidOpersys inc.
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
IoT: LoRa and Java on the PI
IoT: LoRa and Java on the PIIoT: LoRa and Java on the PI
IoT: LoRa and Java on the PIJWORKS powered by Ordina
 
Hello, Python
Hello, PythonHello, Python
Hello, Pythonhardwyrd
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration TestingOWASP
 
Pentester++
Pentester++Pentester++
Pentester++CTruncer
 
Embedded Linux primer
Embedded Linux primerEmbedded Linux primer
Embedded Linux primerDrew Fustini
 
Android Hacks, Variants, Tricks and Resources ESC SV 2012
Android Hacks, Variants, Tricks and Resources ESC SV 2012Android Hacks, Variants, Tricks and Resources ESC SV 2012
Android Hacks, Variants, Tricks and Resources ESC SV 2012Opersys inc.
 
Part 1 of 'Introduction to Linux for bioinformatics': Introduction
Part 1 of 'Introduction to Linux for bioinformatics': IntroductionPart 1 of 'Introduction to Linux for bioinformatics': Introduction
Part 1 of 'Introduction to Linux for bioinformatics': IntroductionJoachim Jacob
 
IoT Session Thomas More
IoT Session Thomas MoreIoT Session Thomas More
IoT Session Thomas MoreKevin Van den Abeele
 
Cc internet of things @ Thomas More
Cc internet of things @ Thomas MoreCc internet of things @ Thomas More
Cc internet of things @ Thomas MoreJWORKS powered by Ordina
 
Leveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IVLeveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IVOpersys inc.
 
Management Zabbix with Terraform
Management Zabbix with TerraformManagement Zabbix with Terraform
Management Zabbix with TerraformAécio Pires
 
IoT em tempo real com Firebase e JavaScript
IoT em tempo real com Firebase e JavaScriptIoT em tempo real com Firebase e JavaScript
IoT em tempo real com Firebase e JavaScriptHenri Cavalcante
 
Combining Machine Learning with Physical Computing - June 2022
Combining Machine Learning with Physical Computing - June 2022Combining Machine Learning with Physical Computing - June 2022
Combining Machine Learning with Physical Computing - June 2022Hal Speed
 
Top 10 Tips for Beginning Linux Users
Top 10 Tips for Beginning Linux UsersTop 10 Tips for Beginning Linux Users
Top 10 Tips for Beginning Linux UsersSt. Petersburg College
 
DT2014-15 S01: Digital Toolbox
DT2014-15 S01: Digital ToolboxDT2014-15 S01: Digital Toolbox
DT2014-15 S01: Digital ToolboxCarlos Cámara
 
Get your FLOSS problems solved
Get your FLOSS problems solvedGet your FLOSS problems solved
Get your FLOSS problems solvedRex Tsai
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Mais conteúdo relacionado

Semelhante a [SCTI 2011] - (Des)protegendo mídias USB

(Un)Protecting USB Storage Media
(Un)Protecting USB Storage Media(Un)Protecting USB Storage Media
(Un)Protecting USB Storage MediaFernando Mercês
 
Android Variants, Hacks, Tricks and Resources presented at AnDevConII
Android Variants, Hacks, Tricks and Resources presented at AnDevConIIAndroid Variants, Hacks, Tricks and Resources presented at AnDevConII
Android Variants, Hacks, Tricks and Resources presented at AnDevConIIOpersys inc.
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 
Hello, Python
Hello, PythonHello, Python
Hello, Pythonhardwyrd
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration TestingOWASP
 
Pentester++
Pentester++Pentester++
Pentester++CTruncer
 
Embedded Linux primer
Embedded Linux primerEmbedded Linux primer
Embedded Linux primerDrew Fustini
 
Android Hacks, Variants, Tricks and Resources ESC SV 2012
Android Hacks, Variants, Tricks and Resources ESC SV 2012Android Hacks, Variants, Tricks and Resources ESC SV 2012
Android Hacks, Variants, Tricks and Resources ESC SV 2012Opersys inc.
 
Part 1 of 'Introduction to Linux for bioinformatics': Introduction
Part 1 of 'Introduction to Linux for bioinformatics': IntroductionPart 1 of 'Introduction to Linux for bioinformatics': Introduction
Part 1 of 'Introduction to Linux for bioinformatics': IntroductionJoachim Jacob
 
Leveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IVLeveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IVOpersys inc.
 
Management Zabbix with Terraform
Management Zabbix with TerraformManagement Zabbix with Terraform
Management Zabbix with TerraformAécio Pires
 
IoT em tempo real com Firebase e JavaScript
IoT em tempo real com Firebase e JavaScriptIoT em tempo real com Firebase e JavaScript
IoT em tempo real com Firebase e JavaScriptHenri Cavalcante
 
Combining Machine Learning with Physical Computing - June 2022
Combining Machine Learning with Physical Computing - June 2022Combining Machine Learning with Physical Computing - June 2022
Combining Machine Learning with Physical Computing - June 2022Hal Speed
 
DT2014-15 S01: Digital Toolbox
DT2014-15 S01: Digital ToolboxDT2014-15 S01: Digital Toolbox
DT2014-15 S01: Digital ToolboxCarlos Cámara
 
Get your FLOSS problems solved
Get your FLOSS problems solvedGet your FLOSS problems solved
Get your FLOSS problems solvedRex Tsai
 

Semelhante a [SCTI 2011] - (Des)protegendo mídias USB (20)

(Un)Protecting USB Storage Media
(Un)Protecting USB Storage Media(Un)Protecting USB Storage Media
(Un)Protecting USB Storage Media
 
Android Variants, Hacks, Tricks and Resources presented at AnDevConII
Android Variants, Hacks, Tricks and Resources presented at AnDevConIIAndroid Variants, Hacks, Tricks and Resources presented at AnDevConII
Android Variants, Hacks, Tricks and Resources presented at AnDevConII
 
Headless Android
Headless AndroidHeadless Android
Headless Android
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
 
IoT: LoRa and Java on the PI
IoT: LoRa and Java on the PIIoT: LoRa and Java on the PI
IoT: LoRa and Java on the PI
 
Hello, Python
Hello, PythonHello, Python
Hello, Python
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
 
Pentester++
Pentester++Pentester++
Pentester++
 
Embedded Linux primer
Embedded Linux primerEmbedded Linux primer
Embedded Linux primer
 
Android Hacks, Variants, Tricks and Resources ESC SV 2012
Android Hacks, Variants, Tricks and Resources ESC SV 2012Android Hacks, Variants, Tricks and Resources ESC SV 2012
Android Hacks, Variants, Tricks and Resources ESC SV 2012
 
Part 1 of 'Introduction to Linux for bioinformatics': Introduction
Part 1 of 'Introduction to Linux for bioinformatics': IntroductionPart 1 of 'Introduction to Linux for bioinformatics': Introduction
Part 1 of 'Introduction to Linux for bioinformatics': Introduction
 
IoT Session Thomas More
IoT Session Thomas MoreIoT Session Thomas More
IoT Session Thomas More
 
Cc internet of things @ Thomas More
Cc internet of things @ Thomas MoreCc internet of things @ Thomas More
Cc internet of things @ Thomas More
 
Leveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IVLeveraging Android's Linux Heritage at AnDevCon IV
Leveraging Android's Linux Heritage at AnDevCon IV
 
Management Zabbix with Terraform
Management Zabbix with TerraformManagement Zabbix with Terraform
Management Zabbix with Terraform
 
IoT em tempo real com Firebase e JavaScript
IoT em tempo real com Firebase e JavaScriptIoT em tempo real com Firebase e JavaScript
IoT em tempo real com Firebase e JavaScript
 
Combining Machine Learning with Physical Computing - June 2022
Combining Machine Learning with Physical Computing - June 2022Combining Machine Learning with Physical Computing - June 2022
Combining Machine Learning with Physical Computing - June 2022
 
Top 10 Tips for Beginning Linux Users
Top 10 Tips for Beginning Linux UsersTop 10 Tips for Beginning Linux Users
Top 10 Tips for Beginning Linux Users
 
DT2014-15 S01: Digital Toolbox
DT2014-15 S01: Digital ToolboxDT2014-15 S01: Digital Toolbox
DT2014-15 S01: Digital Toolbox
 
Get your FLOSS problems solved
Get your FLOSS problems solvedGet your FLOSS problems solved
Get your FLOSS problems solved
 

Último

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Último (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

[SCTI 2011] - (Des)protegendo mídias USB

  • 1.
  • 2. Experiência em missão crítica de missão crítica  Pioneira no ensino de Linux à distância  Parceira de treinamento IBM  Primeira com LPI no Brasil  + de 30.000 alunos satisfeitos  Reconhecimento internacional  Inovação com Hackerteen e Boteconet www.4linux.com.br 2 / 19
  • 3. (Un)protecting USB storage media www.4linux.com.br 3 / 19
  • 4. Opportunity The reverse engineering researcher cant act at: ● Open source resource reimplementation ● Fork projects creation www.4linux.com.br 4 / 19
  • 5. $ whoami ● Open Source Software Consultant at 4Linux. ● C language fan (RIP DMR). ● Free and Open Source Software lover. ● Maintainer of pev, T50, hdump, USBForce and other little tools. ● LPIC-2, A+. ● Reverse Engineering enthusiast. www.4linux.com.br 5 / 19
  • 6. Agenda ● Motivation ● Infection via USB ● Existing protection methods ● Protection method idea ● Demonstration ● Writing a tool ● Conclusion ● References www.4linux.com.br 6 / 19
  • 7. Motivation ● High infection risk. ● Lack of effective protections. ● Network security bypass. ● Hard administration. ● Users want USB! www.4linux.com.br 7 / 19
  • 8. Infection via USB ● autorun.inf (obfuscated or not). ● Not easy to detect (normal users). ● Automatic and fast. www.4linux.com.br 8 / 19
  • 9. Existing protections methods ● Disable Autorun (Windows registry). ● USB Antivirus/”firewalls”. ● Windows policies. ● USBForce does this work. www.4linux.com.br 9 / 19
  • 10. Protection method idea ● Make autorun.inf read-only. ● The storage partition needs to be still writable. ● Immunize USB storage media against infections. ● There is proprietary tool to do it called Panda USB Vaccine. ● I don't know yet HOW (internally) works, but it works. I need to learn the method. www.4linux.com.br 10 / 19
  • 11. Demonstration Video: Reversing Vaccine Technique www.4linux.com.br 11 / 19
  • 12. Writing a tool ● FAT-32 attributes byte Bit 0 – 0x01 – read only Bit 1 – 0x02 – hidden Bit 2 – 0x04 – system Bit 3 – 0x08 – volume name Bit 4 – 0x10 – subdirectory Bit 5 – 0x20 – archive Bit 6 – 0x40 – unused 1 Bit 7 – 0x80 – unused 2 www.4linux.com.br 12 / 19
  • 13. Writing a tool ●Windows API function CreateFile does not recognize 0x40 attribute. ● libfat (Linux) also does not work. ● ioctl does not work =( ● The unused attributes are undefined (probably reserved for future use). ● Creates an “undeletable” autorun.inf. ● Sets the attributes 0x40 (unused) and 0x02 (hidden). ● Free and Open Source Software. www.4linux.com.br 13 / 19
  • 14. Writing a tool 1. Create a regular autorun.inf file. 2. Identify FAT-32 structures. 3. Read structures to search for autorun.inf file entry in table. 4. Look for attribute byte. 5. Set 0x40 attribute. It's a good idea to set 0x02 attribute too. www.4linux.com.br 14 / 19
  • 15. The new tool: OpenVaccine ● Written in C. ● Originally designed for Linux. ● Creates an autorun.inf file. ● Immunize USB storage medias. ● Creates an “undeletable” autorun.inf. ● Sets the attributes 0x02 (hidden) and 0x40 (unused). ● Free and Open Source Software (GPLv3). ● USE AT OWN RISK. Backup first. ;) www.4linux.com.br 15 / 19
  • 16. The new tool: OpenVaccine $ sudo ./openvaccine /dev/sdd1 /media/DANI1G/ OpenVaccine 0.8 by Fernando Mercês (fernando@mentebinaria.com.br) Partition /dev/sdd1  + FAT32 (mkdosfs)  + 1.86G (1949696 bytes)  + mirroring enabled  + 1952690 sectors  + 512 bytes per sector  + 4k clusters  + serial is 3673364101 autorun.inf created at sector 0xf04, byte 0x20 (offset  0x1e0620). www.4linux.com.br 16 / 19
  • 17. Conclusion ● I have studied FAT-32 filesystems only. ●OpenVaccine will create an “undeletable” autorun.inf, so with source code, it's easy to write a tool that deletes it. ● I think USB will still be a problem, but this tool can minimize risks. ● Use reversing for open source reimplementation! www.4linux.com.br 17 / 19
  • 18. References ● Paper (in Portuguese) www.mentebinaria.com.br/textos#0x1a ● OpenVaccine http://openvaccine.sf.net ● USBForce http://usbforce.sf.net ● Demo video http://va.mu/J4yY (case sensitive) www.4linux.com.br 18 / 19
  • 19. Thank you! Fernando Mercês (@MenteBinaria) fernando.merces@4linux.com.br www.4linux.com.br www.hackerteen.com twitter.com/4LinuxBR +55 (11) 2125-4747 www.4linux.com.br 19 / 19