[SCTI 2011] - (Un)protecting USB media
2. Mission-critical experience
Pioneer in distance Linux training
IBM training partner
First with LPI in Brazil
Over 30,000 satisfied students
International recognition
Innovation with Hackerteen and Boteconet
www.4linux.com.br 2 / 19
5. $ whoami
● Open Source Software Consultant at 4Linux.
● C language fan (RIP DMR).
● Free and Open Source Software lover.
● Maintainer of pev, T50, hdump, USBForce and other little tools.
● LPIC-2, A+.
● Reverse Engineering enthusiast.
6. Agenda
● Motivation
● Infection via USB
● Existing protection methods
● Protection method idea
● Demonstration
● Writing a tool
● Conclusion
● References
7. Motivation
● High infection risk.
● Lack of effective protections.
● Network security bypass.
● Hard administration.
● Users want USB!
8. Infection via USB
● autorun.inf (obfuscated or not).
● Not easy to detect (normal users).
● Automatic and fast.
9. Existing protection methods
● Disable Autorun (Windows registry).
● USB antivirus/“firewalls”.
● Windows policies.
● USBForce does this work.
10. Protection method idea
● Make autorun.inf read-only.
● The storage partition must remain writable.
● Immunize USB storage media against infections.
● There is a proprietary tool that does this, called Panda USB Vaccine.
● I don't know yet HOW it works (internally), but it works. I need to learn the method.
12. Writing a tool
● FAT-32 attributes byte
Bit 0 – 0x01 – read only
Bit 1 – 0x02 – hidden
Bit 2 – 0x04 – system
Bit 3 – 0x08 – volume name
Bit 4 – 0x10 – subdirectory
Bit 5 – 0x20 – archive
Bit 6 – 0x40 – unused 1
Bit 7 – 0x80 – unused 2
13. Writing a tool
● The Windows API function CreateFile does not recognize the 0x40 attribute.
● libfat (Linux) also does not work.
● ioctl does not work =(
● The unused attributes are undefined (probably reserved for future use).
● Creates an “undeletable” autorun.inf.
● Sets the attributes 0x40 (unused) and 0x02 (hidden).
● Free and Open Source Software.
14. Writing a tool
1. Create a regular autorun.inf file.
2. Identify FAT-32 structures.
3. Read the structures to find the autorun.inf entry in the directory table.
4. Look for attribute byte.
5. Set the 0x40 attribute. It's a good idea to set the 0x02 attribute too.
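The five steps above, and the attribute-byte table on the earlier "Writing a tool" slide, as an added Python example (not OpenVaccine's own code, which is C and works on the raw partition device): it builds a small constructed FAT32 image in memory, reads the BIOS Parameter Block to locate the FAT and the root directory, walks the root directory cluster chain looking for the 8.3 entry AUTORUN INF, and sets the 0x40 and 0x02 bits in that entry's attribute byte. The BPB offsets and the 32-byte directory-entry layout are the standard FAT32 ones; the helper names and the sample image are mine.

```python
import struct

# FAT attribute byte, bit by bit, as tabulated on the slide.
ATTR_NAMES = {0x01: "read only", 0x02: "hidden", 0x04: "system", 0x08: "volume name",
              0x10: "subdirectory", 0x20: "archive", 0x40: "unused 1", 0x80: "unused 2"}
ATTR_LFN = 0x0F               # long-file-name fragment: the four low bits all set
IMMUNIZE_BITS = 0x40 | 0x02   # what OpenVaccine sets: "unused 1" plus hidden


def decode_attrs(attr):
    """Names of the bits set in a directory-entry attribute byte."""
    return [name for bit, name in sorted(ATTR_NAMES.items()) if attr & bit]


def parse_bpb(img):
    """Read the FAT32 BIOS Parameter Block fields needed to reach the root directory."""
    if img[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing boot sector signature")
    bps, spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", img, 0x0B)
    spf16, = struct.unpack_from("<H", img, 0x16)
    spf, = struct.unpack_from("<I", img, 0x24)
    root_cluster, = struct.unpack_from("<I", img, 0x2C)
    if root_entries != 0 or spf16 != 0:   # FAT12/16 set these; FAT32 zeroes both
        raise ValueError("not a FAT32 volume")
    return {"bytes_per_sector": bps, "cluster_size": bps * spc,
            "fat_offset": reserved * bps,
            "data_offset": (reserved + nfats * spf) * bps,
            "root_cluster": root_cluster}


def cluster_offset(bpb, cluster):
    """Byte offset of a data cluster; cluster numbering starts at 2."""
    return bpb["data_offset"] + (cluster - 2) * bpb["cluster_size"]


def next_cluster(img, bpb, cluster):
    """Follow the FAT chain; None when this is the last cluster."""
    value, = struct.unpack_from("<I", img, bpb["fat_offset"] + cluster * 4)
    value &= 0x0FFFFFFF                   # top four bits of a FAT32 entry are reserved
    return None if value >= 0x0FFFFFF8 else value


def short_name(name):
    """'autorun.inf' -> b'AUTORUN INF', the 8.3 form stored in the directory entry."""
    base, _, ext = name.upper().partition(".")
    return (base.ljust(8) + ext.ljust(3)).encode("ascii")


def find_entry(img, bpb, name):
    """Offset of the 32-byte root-directory entry for `name`, or None if absent."""
    wanted, cluster = short_name(name), bpb["root_cluster"]
    while cluster is not None:
        base = cluster_offset(bpb, cluster)
        for off in range(base, base + bpb["cluster_size"], 32):
            if img[off] == 0x00:          # end of directory
                return None
            if img[off] == 0xE5 or img[off + 0x0B] == ATTR_LFN:
                continue                  # deleted entry or long-name fragment
            if img[off:off + 11] == wanted:
                return off
        cluster = next_cluster(img, bpb, cluster)
    return None


def immunize(img, name="autorun.inf"):
    """Set the 0x40 and 0x02 bits on `name`'s entry; returns (offset, old_attr, new_attr)."""
    bpb = parse_bpb(img)
    off = find_entry(img, bpb, name)
    if off is None:
        raise FileNotFoundError(name)
    old = img[off + 0x0B]                 # attribute byte sits at +0x0B in the entry
    img[off + 0x0B] = old | IMMUNIZE_BITS
    return off, old, img[off + 0x0B]


def build_sample_image():
    """Constructed four-sector FAT32 image: boot sector, one FAT, root dir with two files."""
    bps, spc, reserved, nfats, spf, root = 512, 1, 1, 1, 1, 2
    img = bytearray(bps * 4)
    struct.pack_into("<HBHB", img, 0x0B, bps, spc, reserved, nfats)
    struct.pack_into("<I", img, 0x24, spf)
    struct.pack_into("<I", img, 0x2C, root)
    img[0x1FE:0x200] = b"\x55\xAA"
    # FAT[0] media descriptor, FAT[1] reserved, FAT[2] end-of-chain for the root directory
    struct.pack_into("<III", img, reserved * bps, 0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFFF)
    root_off = (reserved + nfats * spf) * bps
    for i, fname in enumerate(["readme.txt", "autorun.inf"]):
        img[root_off + 32 * i:root_off + 32 * i + 11] = short_name(fname)
        img[root_off + 32 * i + 0x0B] = 0x20   # ordinary file, archive bit only
    return img


if __name__ == "__main__":
    image = build_sample_image()
    off, old, new = immunize(image)
    bps = parse_bpb(image)["bytes_per_sector"]
    print(f"autorun.inf entry at sector {off // bps:#x}, byte {off % bps:#x} (offset {off:#x})")
    print(f"attributes {old:#04x} {decode_attrs(old)} -> {new:#04x} {decode_attrs(new)}")
```

The sector/byte/offset line mirrors what the tool prints on the next slide. On real media the same walk runs over the raw partition device with the volume unmounted, since a mounted driver may cache or rewrite the directory sector. Only the root directory is searched, because that is the only place autorun.inf is honoured. Note that nothing here is tamper-proof: the same code that sets the bits can clear them again, which is exactly the limitation the conclusion slide states.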
15. The new tool: OpenVaccine
● Written in C.
● Originally designed for Linux.
● Creates an autorun.inf file.
● Immunizes USB storage media.
● Creates an “undeletable” autorun.inf.
● Sets the attributes 0x02 (hidden) and 0x40 (unused).
● Free and Open Source Software (GPLv3).
● USE AT YOUR OWN RISK. Back up first. ;)
16. The new tool: OpenVaccine
$ sudo ./openvaccine /dev/sdd1 /media/DANI1G/
OpenVaccine 0.8
by Fernando Mercês (fernando@mentebinaria.com.br)
Partition /dev/sdd1
+ FAT32 (mkdosfs)
+ 1.86G (1949696 bytes)
+ mirroring enabled
+ 1952690 sectors
+ 512 bytes per sector
+ 4k clusters
+ serial is 3673364101
autorun.inf created at sector 0xf04, byte 0x20 (offset 0x1e0620).
17. Conclusion
● I have studied FAT-32 filesystems only.
● OpenVaccine creates an “undeletable” autorun.inf, but since the source code is available, it's easy to write a tool that deletes it.
● I think USB will still be a problem, but this tool can minimize the risks.
● Use reversing for open source reimplementation!
18. References
● Paper (in Portuguese)
www.mentebinaria.com.br/textos#0x1a
● OpenVaccine
http://openvaccine.sf.net
● USBForce
http://usbforce.sf.net
● Demo video
http://va.mu/J4yY (case sensitive)