[SCTI 2011] - (Des)protegendo mídias USB

•

1 gostou•261 visualizações

SCTI UENF

Palestrada ministrada por Fernando Mercês na SCTI 2011

Tecnologia Notícias e política

 Experiência em missão crítica de missão crítica

 Pioneira no ensino de Linux à distância

 Parceira de treinamento IBM

 Primeira com LPI no Brasil

 + de 30.000 alunos satisfeitos

 Reconhecimento internacional

 Inovação com Hackerteen e Boteconet

www.4linux.com.br 2 / 19

(Un)protecting USB
storage media

www.4linux.com.br 3 / 19

Opportunity

The reverse engineering researcher cant act at:

● Open source resource reimplementation
● Fork projects creation

www.4linux.com.br 4 / 19

$ whoami

● Open Source Software Consultant at 4Linux.

● C language fan (RIP DMR).

● Free and Open Source Software lover.

● Maintainer of pev, T50, hdump, USBForce and other little
tools.

● LPIC-2, A+.

● Reverse Engineering enthusiast.

www.4linux.com.br 5 / 19

Agenda
● Motivation

● Infection via USB

● Existing protection methods

● Protection method idea

● Demonstration

● Writing a tool

● Conclusion

● References
www.4linux.com.br 6 / 19

Motivation

● High infection risk.

● Lack of effective protections.

● Network security bypass.

● Hard administration.

● Users want USB!

www.4linux.com.br 7 / 19

Infection via USB

● autorun.inf (obfuscated or not).

● Not easy to detect (normal users).

● Automatic and fast.

www.4linux.com.br 8 / 19

Existing protections methods

● Disable Autorun (Windows registry).

● USB Antivirus/”firewalls”.

● Windows policies.

● USBForce does this work.

www.4linux.com.br 9 / 19

Protection method idea
● Make autorun.inf read-only.

● The storage partition needs to be still writable.

● Immunize USB storage media against infections.

● There is proprietary tool to do it called Panda USB Vaccine.

● I don't know yet HOW (internally) works, but it works. I need
to learn the method.

www.4linux.com.br 10 / 19

Demonstration

Video: Reversing Vaccine Technique

www.4linux.com.br 11 / 19

Writing a tool
● FAT-32 attributes byte

Bit 0 – 0x01 – read only
Bit 1 – 0x02 – hidden
Bit 2 – 0x04 – system
Bit 3 – 0x08 – volume name
Bit 4 – 0x10 – subdirectory
Bit 5 – 0x20 – archive
Bit 6 – 0x40 – unused 1
Bit 7 – 0x80 – unused 2

www.4linux.com.br 12 / 19

Writing a tool
●Windows API function CreateFile does not recognize 0x40
attribute.

● libfat (Linux) also does not work.

● ioctl does not work =(

● The unused attributes are undefined (probably reserved for
future use).

● Creates an “undeletable” autorun.inf.

● Sets the attributes 0x40 (unused) and 0x02 (hidden).

● Free and Open Source Software.
www.4linux.com.br 13 / 19

Writing a tool

1. Create a regular autorun.inf file.

2. Identify FAT-32 structures.

3. Read structures to search for autorun.inf file entry in table.

4. Look for attribute byte.

5. Set 0x40 attribute. It's a good idea to set 0x02 attribute
too.

www.4linux.com.br 14 / 19

The new tool: OpenVaccine
● Written in C.

● Originally designed for Linux.

● Creates an autorun.inf file.

● Immunize USB storage medias.

● Creates an “undeletable” autorun.inf.

● Sets the attributes 0x02 (hidden) and 0x40 (unused).

● Free and Open Source Software (GPLv3).

● USE AT OWN RISK. Backup first. ;)
www.4linux.com.br 15 / 19

The new tool: OpenVaccine

$ sudo ./openvaccine /dev/sdd1 /media/DANI1G/
OpenVaccine 0.8
by Fernando Mercês (fernando@mentebinaria.com.br)
Partition /dev/sdd1
+ FAT32 (mkdosfs)
+ 1.86G (1949696 bytes)
+ mirroring enabled
+ 1952690 sectors
+ 512 bytes per sector
+ 4k clusters
+ serial is 3673364101
autorun.inf created at sector 0xf04, byte 0x20 (offset
0x1e0620).

www.4linux.com.br 16 / 19

Conclusion

● I have studied FAT-32 filesystems only.

●OpenVaccine will create an “undeletable” autorun.inf, so
with source code, it's easy to write a tool that deletes it.

● I think USB will still be a problem, but this tool can minimize
risks.

● Use reversing for open source reimplementation!

www.4linux.com.br 17 / 19

References
● Paper (in Portuguese)
www.mentebinaria.com.br/textos#0x1a

● OpenVaccine
http://openvaccine.sf.net

● USBForce
http://usbforce.sf.net

● Demo video
http://va.mu/J4yY (case sensitive)

www.4linux.com.br 18 / 19

Thank you!

Fernando Mercês (@MenteBinaria)
fernando.merces@4linux.com.br
www.4linux.com.br
www.hackerteen.com
twitter.com/4LinuxBR

+55 (11) 2125-4747
www.4linux.com.br 19 / 19

Mais conteúdo relacionado

Semelhante a [SCTI 2011] - (Des)protegendo mídias USB

(Un)Protecting USB Storage Media

Fernando Mercês

Android Variants, Hacks, Tricks and Resources presented at AnDevConII

Opersys inc.

Headless Android

Opersys inc.

Malware analysis, threat intelligence and reverse engineering

bartblaze

IoT: LoRa and Java on the PI

JWORKS powered by Ordina

Hello, Python

hardwyrd

Introduction to iOS Penetration Testing

OWASP

Pentester++

CTruncer

Embedded Linux primer

Drew Fustini

Android Hacks, Variants, Tricks and Resources ESC SV 2012

Opersys inc.

Part 1 of 'Introduction to Linux for bioinformatics': Introduction

Joachim Jacob

IoT Session Thomas More

Kevin Van den Abeele

Cc internet of things @ Thomas More

JWORKS powered by Ordina

Leveraging Android's Linux Heritage at AnDevCon IV

Opersys inc.

Management Zabbix with Terraform

Aécio Pires

IoT em tempo real com Firebase e JavaScript

Henri Cavalcante

Combining Machine Learning with Physical Computing - June 2022

Hal Speed

Linux, a free and open-source operating system, runs more than 100 million websites and it is getting more and more popular running laptop/desktop computers. Windows and even Macintosh users are usually intimidated by Linux because they think that you must be a computer scientist or hacker to install and use it proficiently. This is not true anymore! In this session, Chad Mairn will provide 10 tips to help Linux newbies and/or users thinking of making the switch to become more confident running Linux on their computers.

Top 10 Tips for Beginning Linux Users

St. Petersburg College

DT2014-15 S01: Digital Toolbox

Carlos Cámara

Get your FLOSS problems solved

Rex Tsai

Semelhante a [SCTI 2011] - (Des)protegendo mídias USB (20)

(Un)Protecting USB Storage Media

Android Variants, Hacks, Tricks and Resources presented at AnDevConII

Headless Android

Malware analysis, threat intelligence and reverse engineering

IoT: LoRa and Java on the PI

Hello, Python

Introduction to iOS Penetration Testing

Pentester++

Embedded Linux primer

Android Hacks, Variants, Tricks and Resources ESC SV 2012

Part 1 of 'Introduction to Linux for bioinformatics': Introduction

IoT Session Thomas More

Cc internet of things @ Thomas More

Leveraging Android's Linux Heritage at AnDevCon IV

Management Zabbix with Terraform

IoT em tempo real com Firebase e JavaScript

Combining Machine Learning with Physical Computing - June 2022

Top 10 Tips for Beginning Linux Users

DT2014-15 S01: Digital Toolbox

Get your FLOSS problems solved

Último

Scalable LLM APIs for AI and Generative AI Application Development Ettikan Karuppiah, Director/Technologist - NVIDIA Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...

apidays

Architecting Cloud Native Applications

WSO2

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

DBX First Quarter 2024 Investor Presentation

Dropbox

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Navi Mumbai Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Navi Mumbai Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Navi Mumbai Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Real Time Object Detection Using Open CV

Khem

A Beginners Guide to Building a RAG App Using Open Source Milvus

Zilliz

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

[SCTI 2011] - (Des)protegendo mídias USB

2.  Experiência em missão crítica de missão crítica  Pioneira no ensino de Linux à distância  Parceira de treinamento IBM  Primeira com LPI no Brasil  + de 30.000 alunos satisfeitos  Reconhecimento internacional  Inovação com Hackerteen e Boteconet www.4linux.com.br 2 / 19

3. (Un)protecting USB storage media www.4linux.com.br 3 / 19

4. Opportunity The reverse engineering researcher cant act at: ● Open source resource reimplementation ● Fork projects creation www.4linux.com.br 4 / 19

5. $ whoami ● Open Source Software Consultant at 4Linux. ● C language fan (RIP DMR). ● Free and Open Source Software lover. ● Maintainer of pev, T50, hdump, USBForce and other little tools. ● LPIC-2, A+. ● Reverse Engineering enthusiast. www.4linux.com.br 5 / 19

6. Agenda ● Motivation ● Infection via USB ● Existing protection methods ● Protection method idea ● Demonstration ● Writing a tool ● Conclusion ● References www.4linux.com.br 6 / 19

7. Motivation ● High infection risk. ● Lack of effective protections. ● Network security bypass. ● Hard administration. ● Users want USB! www.4linux.com.br 7 / 19

8. Infection via USB ● autorun.inf (obfuscated or not). ● Not easy to detect (normal users). ● Automatic and fast. www.4linux.com.br 8 / 19

9. Existing protections methods ● Disable Autorun (Windows registry). ● USB Antivirus/”firewalls”. ● Windows policies. ● USBForce does this work. www.4linux.com.br 9 / 19

10. Protection method idea ● Make autorun.inf read-only. ● The storage partition needs to be still writable. ● Immunize USB storage media against infections. ● There is proprietary tool to do it called Panda USB Vaccine. ● I don't know yet HOW (internally) works, but it works. I need to learn the method. www.4linux.com.br 10 / 19

11. Demonstration Video: Reversing Vaccine Technique www.4linux.com.br 11 / 19

12. Writing a tool ● FAT-32 attributes byte Bit 0 – 0x01 – read only Bit 1 – 0x02 – hidden Bit 2 – 0x04 – system Bit 3 – 0x08 – volume name Bit 4 – 0x10 – subdirectory Bit 5 – 0x20 – archive Bit 6 – 0x40 – unused 1 Bit 7 – 0x80 – unused 2 www.4linux.com.br 12 / 19

13. Writing a tool ●Windows API function CreateFile does not recognize 0x40 attribute. ● libfat (Linux) also does not work. ● ioctl does not work =( ● The unused attributes are undefined (probably reserved for future use). ● Creates an “undeletable” autorun.inf. ● Sets the attributes 0x40 (unused) and 0x02 (hidden). ● Free and Open Source Software. www.4linux.com.br 13 / 19

14. Writing a tool 1. Create a regular autorun.inf file. 2. Identify FAT-32 structures. 3. Read structures to search for autorun.inf file entry in table. 4. Look for attribute byte. 5. Set 0x40 attribute. It's a good idea to set 0x02 attribute too. www.4linux.com.br 14 / 19

15. The new tool: OpenVaccine ● Written in C. ● Originally designed for Linux. ● Creates an autorun.inf file. ● Immunize USB storage medias. ● Creates an “undeletable” autorun.inf. ● Sets the attributes 0x02 (hidden) and 0x40 (unused). ● Free and Open Source Software (GPLv3). ● USE AT OWN RISK. Backup first. ;) www.4linux.com.br 15 / 19

16. The new tool: OpenVaccine $ sudo ./openvaccine /dev/sdd1 /media/DANI1G/ OpenVaccine 0.8 by Fernando Mercês (fernando@mentebinaria.com.br) Partition /dev/sdd1 + FAT32 (mkdosfs) + 1.86G (1949696 bytes) + mirroring enabled + 1952690 sectors + 512 bytes per sector + 4k clusters + serial is 3673364101 autorun.inf created at sector 0xf04, byte 0x20 (offset 0x1e0620). www.4linux.com.br 16 / 19

17. Conclusion ● I have studied FAT-32 filesystems only. ●OpenVaccine will create an “undeletable” autorun.inf, so with source code, it's easy to write a tool that deletes it. ● I think USB will still be a problem, but this tool can minimize risks. ● Use reversing for open source reimplementation! www.4linux.com.br 17 / 19

18. References ● Paper (in Portuguese) www.mentebinaria.com.br/textos#0x1a ● OpenVaccine http://openvaccine.sf.net ● USBForce http://usbforce.sf.net ● Demo video http://va.mu/J4yY (case sensitive) www.4linux.com.br 18 / 19

19. Thank you! Fernando Mercês (@MenteBinaria) fernando.merces@4linux.com.br www.4linux.com.br www.hackerteen.com twitter.com/4LinuxBR +55 (11) 2125-4747 www.4linux.com.br 19 / 19

[SCTI 2011] - (Des)protegendo mídias USB

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a [SCTI 2011] - (Des)protegendo mídias USB

Semelhante a [SCTI 2011] - (Des)protegendo mídias USB (20)

Último

Último (20)

[SCTI 2011] - (Des)protegendo mídias USB