Monthly Archives: February 2010

Protecting the Autorun.inf file from malware

An article was posted last year on milw0rm.com by Robin Bailey describing how to prevent the spread of USB malware by protecting the autorun.inf file. In one of my previous posts I mentioned how plugging in an infected USB key infects the host machine, and I advised how to stop machines from automatically loading programs from USB keys. This post describes the reverse: how to protect the USB key itself from an infected machine.

Malware normally infects a USB key by dropping its executable on the key together with an autorun.inf file. Windows reads this autorun.inf when the key is plugged into a machine, and that in turn launches the malware. Our goal is therefore to make the USB key, and in particular the autorun.inf file, read only, so that malware cannot modify it. Buying USB keys with a read-only switch would do the trick, but such devices are hard to find on the market. Another approach is to use an SD card, which comes with a read-only switch, together with an SD reader. Read-only keys have a drawback, however: in order to write to the key we have to remove the read-only protection, which puts the device at risk of being infected while we do so.

Along comes Robin’s idea, which works brilliantly. He described how to lock only the autorun.inf file so that it cannot be modified, deleted, opened or overwritten and its file attributes cannot be changed. The idea works by modifying the file’s attribute byte at the disk level using a disk hex editor.

First we create a blank autorun.inf on the USB key. Even if we wanted to load our own programs via autorun.inf this would not be possible, because once the change has been made on disk the autorun.inf file cannot even be opened for it to load, so it is best to just keep it blank.

Next we use our disk hex editor to open the USB device in read and write mode. It is best to make sure the USB key is blank or its data has been backed up before editing the disk. We then search the disk for the string “autorun” in non-Unicode (plain ASCII) form, which finds the file’s directory entry:

41  55  54  4F  52  55  4E  20  49  4E  46  20
A   U   T   O   R   U   N       I   N   F

Only the last byte interests us, and it is the one that needs to be changed. Its current value, 0x20, has the archive bit set. We change this byte to 0x40, which sets the device bit, a value that is never normally found on a disk. We save our changes and exit the hex editor.

41  55  54  4F  52  55  4E  20  49  4E  46  40
A   U   T   O   R   U   N       I   N   F   @

Finally, to test whether our autorun.inf is protected, we try to delete the file; an error should then pop up.
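The search and byte change described above, as an added worked example that is not from this post or from Robin Bailey’s paper: it runs over a small constructed FAT directory image in Python, locates every AUTORUN.INF entry the same way the hex editor search does, sets the attribute byte to 0x40, and checks the result. The entry layout assumed is the standard FAT one (an 11-byte 8.3 short name followed by the attribute byte); the sample image and its offsets are constructed for illustration.

```python
# Added example, not from the post: patch the FAT attribute byte of AUTORUN.INF
# in a raw image and verify it. Sample image below is constructed, not a real key.
ATTR_ARCHIVE = 0x20
ATTR_DEVICE = 0x40
SHORT_NAME = b"AUTORUN INF"   # 8.3 name: 8-char base, space padded, 3-char ext
ENTRY_SIZE = 32               # one FAT directory entry
NAME_LEN = 11                 # the attribute byte follows the 11-byte name


def build_sample_image() -> bytearray:
    """Constructed sample: a decoy README.TXT entry followed by AUTORUN.INF,
    both with only the archive bit set, as a freshly written file would have."""
    def entry(name: bytes, attr: int) -> bytes:
        return name + bytes([attr]) + bytes(ENTRY_SIZE - NAME_LEN - 1)
    boot_pad = bytes(64)      # stands in for the boot sector / FAT area
    return bytearray(boot_pad + entry(b"README  TXT", ATTR_ARCHIVE)
                     + entry(SHORT_NAME, ATTR_ARCHIVE))


def find_attr_offsets(image: bytes) -> list[int]:
    """Offsets of the attribute byte of every AUTORUN.INF directory entry,
    found the way the post does it: a raw search for the ASCII short name."""
    offsets, pos = [], image.find(SHORT_NAME)
    while pos != -1:
        offsets.append(pos + NAME_LEN)
        pos = image.find(SHORT_NAME, pos + 1)
    return offsets


def describe(attr: int) -> list[str]:
    """Decode a FAT attribute byte into flag names, for reviewing what was found."""
    names = {0x01: "read_only", 0x02: "hidden", 0x04: "system", 0x08: "volume_label",
             0x10: "directory", 0x20: "archive", 0x40: "device", 0x80: "reserved"}
    return [n for bit, n in names.items() if attr & bit]


def protect_autorun(image: bytes) -> bytearray:
    """Return a copy in which every AUTORUN.INF attribute byte is set to 0x40
    (the device bit, exactly as the post does); all other bytes are untouched."""
    patched = bytearray(image)
    for off in find_attr_offsets(patched):
        patched[off] = ATTR_DEVICE
    return patched


def is_protected(image: bytes) -> bool:
    """True if at least one AUTORUN.INF entry exists and all carry the device bit."""
    offs = find_attr_offsets(image)
    return bool(offs) and all(image[o] & ATTR_DEVICE for o in offs)
```

Running find_attr_offsets and describe against a real key image before and after the edit is a quick way to confirm you changed only the one byte you meant to.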

Reference:

http://www.milw0rm.com/papers/314