Autorun

All posts tagged Autorun

An article posted last year on milw0rm.com by Robin Bailey describes how to prevent the spread of USB malware by protecting the autorun.inf file. In one of my previous posts I mentioned how plugging in an infected USB key infects the host machine and I advised how to stop machines from automatically loading programs from USB keys. This post covers the other direction: protecting the USB key from an infected machine.

Malware normally infects a USB key by dropping its executable on the key together with an autorun.inf file. Windows parses that autorun.inf when the key is plugged into a machine and in turn loads the malware. Our goal is to make the USB key, and in particular the autorun.inf file, read-only so that malware cannot modify it. USB keys with a hardware read-only switch do the trick, but such devices are hard to find on the market. Another approach is an SD card, which does come with a read-only switch, used in an SD reader. A read-only device has a drawback, though: to write to it we have to remove the protection, which puts the device at risk of infection for as long as it is writable.

Along comes Robin's idea, which works brilliantly. He shows how to lock just the autorun.inf file so that it cannot be modified, deleted, opened, overwritten or have its attributes changed. The trick is to change the file's attribute byte directly on disk, in its FAT directory entry, using a disk hex editor.

First we create a blank autorun.inf on the USB key. Even if we wanted to launch our own program via autorun.inf it would not be possible, because once the change is made on disk the autorun.inf cannot even be opened for Windows to read it, so it is best to keep it blank.

Next we open the USB device in our disk hex editor in read/write mode. It is best to make sure the USB key is blank or its data backed up before editing the disk. We then search the disk for the ASCII (non-Unicode) string "AUTORUN". The match is the file's directory entry, where the 11-byte 8.3 name AUTORUN INF is immediately followed by the attribute byte:

41  55  54  4F  52  55  4E  20  49  4E  46  20
A   U   T   O   R   U   N       I   N   F   attr

Only the last byte interests us and needs to be changed. Its current value, 0x20, is the archive bit. We change it to 0x40, which sets the device bit, a value that never normally appears in a directory entry on disk. We save our changes and exit the hex editor.

41  55  54  4F  52  55  4E  20  49  4E  46  40
A   U   T   O   R   U   N       I   N   F   @

Finally, to test that our autorun.inf is protected, we try to delete the file; Windows will pop up an error.
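The same edit, scripted against a disk image, as an added example (not code from the post or from Robin Bailey's paper). On FAT12/16/32 volumes, which is what nearly every USB key uses, a directory entry is 32 bytes: the 11-byte space-padded 8.3 name AUTORUN INF followed by the attribute byte the post changes. Rather than walking the FAT, the script scans the image for 32-byte-aligned entries carrying that name, which is what the hex-editor search does; the sample image is constructed for the demonstration, and the function and constant names are my own.

```python
"""Lock AUTORUN.INF on a FAT-formatted image by patching its directory entry attribute byte."""
from typing import List

ENTRY_SIZE = 32          # every FAT directory entry is 32 bytes
NAME_LEN = 11            # 8.3 name, space padded, no dot
TARGET_NAME = b"AUTORUN INF"
ATTR_ARCHIVE = 0x20      # what a freshly created file carries
ATTR_LOCK = 0x40         # the "device" bit the post sets; a FAT driver never writes it
ATTR_LFN = 0x0F          # long-file-name pseudo-entry, not a real file entry
ATTR_DIRECTORY = 0x10


def find_autorun_entries(image: bytes) -> List[int]:
    """Offsets of 32-byte-aligned entries whose short name is AUTORUN.INF.

    Assumption: entries are located by alignment rather than by walking the FAT
    chain, so a data block that happens to contain the aligned 11-byte name would
    also match. Good enough for a key that holds only the blank autorun.inf.
    """
    hits: List[int] = []
    for off in range(0, len(image) - ENTRY_SIZE + 1, ENTRY_SIZE):
        if image[off:off + NAME_LEN] != TARGET_NAME:
            continue
        attr = image[off + NAME_LEN]
        if attr == ATTR_LFN or attr & ATTR_DIRECTORY:
            continue  # LFN fragment, or a directory named AUTORUN.INF: not our file
        hits.append(off)
    return hits


def lock_autorun(image: bytearray) -> List[int]:
    """Replace the attribute byte with 0x40, exactly as the post does; return offsets changed."""
    changed: List[int] = []
    for off in find_autorun_entries(image):
        attr_off = off + NAME_LEN
        if image[attr_off] == ATTR_LOCK:
            continue  # already locked, nothing to do
        image[attr_off] = ATTR_LOCK
        changed.append(off)
    return changed


def lock_image_file(path: str) -> List[int]:
    """Patch a raw image file in place (e.g. a dd copy of the key) and report what changed."""
    with open(path, "r+b") as fh:
        image = bytearray(fh.read())
        changed = lock_autorun(image)
        if changed:
            fh.seek(0)
            fh.write(image)
    return changed


def build_sample_image() -> bytearray:
    """Constructed 8 KiB image: one real entry plus two decoys the scanner must ignore."""
    def entry(name: bytes, attr: int) -> bytes:
        # name (11) + attr (1) + timestamps/cluster/size (20), all zero for an empty file
        return name + bytes([attr]) + bytes(ENTRY_SIZE - NAME_LEN - 1)

    img = bytearray(8192)
    img[0x800:0x820] = entry(TARGET_NAME, ATTR_ARCHIVE)   # the blank autorun.inf we created
    img[0x820:0x840] = entry(TARGET_NAME, ATTR_LFN)       # decoy: LFN-flagged entry
    img[0x1005:0x1010] = TARGET_NAME                      # decoy: same bytes, not entry-aligned
    return img


if __name__ == "__main__":
    sample = build_sample_image()
    print("before:", [hex(o) for o in find_autorun_entries(sample)])
    print("patched:", [hex(o) for o in lock_autorun(sample)])
    print("attr now 0x%02X" % sample[0x800 + NAME_LEN])
```

Run lock_image_file against a raw image of the key. Writing to a live device node such as \\.\E: needs administrator rights and the volume dismounted, and is outside what this example handles; if the key is formatted NTFS rather than FAT the on-disk layout is entirely different and the script will find nothing.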

Reference:

http://www.milw0rm.com/papers/314

The Windows operating system has a number of ways to run programs automatically with little user intervention. The "Conficker" worm uses several propagation techniques, one of which is removable storage such as USB keys. Conficker was not the first to use this technique: the "Sality" virus was seen using the autorun feature around a year ago.

Looking at the autorun.inf on a USB key infected by Sality shows that it uses a number of commands to execute the same virus. The file below has been cleaned up and annotated with comments; it uses four different entries to launch the same malware.

[AutoRun]

; right-click “Open” {double-clicking on drive also opens program1.exe}
shell\open\command = program1.exe
shell\open\default=1

; right-click “AutoPlay”
shell\autoplay\command = program2.exe

; right-click “Install or run program”
open = program3.exe

; right-click “Explore”
shell\explore\command = program4.exe

The screenshot below, taken from Windows Vista, points out the context-menu commands that run the corresponding program.

Conficker instead uses the shellexecute command in its autorun.inf, as in the example below:

shellexecute = program5.exe
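The launch vectors in both samples above, enumerated by a small triage script. This is an added example, not code from the post, Sality or Conficker: it parses the [AutoRun] section for the keys the samples use (open, shellexecute, shell\<verb>\command and the shell\<verb>\default marker in the Sality file) plus the documented shell=<verb> way of choosing the default verb, and lists what each would execute. The sample autorun.inf is constructed by merging the two snippets above; the function names are my own.

```python
"""List every program an autorun.inf would run, the way an analyst triages an infected key."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the Sality entries from the post plus Conficker's shellexecute line.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
; right-click "Open" (double-clicking the drive also runs program1.exe)
shell\open\command = program1.exe
shell\open\default=1

; right-click "AutoPlay"
shell\autoplay\command = program2.exe

; right-click "Install or run program"
open = program3.exe

; right-click "Explore"
shell\explore\command = program4.exe

; Conficker style
shellexecute = program5.exe
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Key/value pairs of the [AutoRun] section, keys lower-cased.

    Close enough to how Windows reads the file for triage purposes: section and key
    names are case-insensitive, ';' starts a comment, whitespace around '=' is ignored.
    """
    values: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    return values


def launch_vectors(text: str) -> List[Tuple[str, str]]:
    """(trigger, command line) pairs for every program the file would launch."""
    values = parse_autorun(text)
    vectors: List[Tuple[str, str]] = []

    if "open" in values:
        vectors.append(("open (AutoPlay 'Install or run program')", values["open"]))
    if "shellexecute" in values:
        vectors.append(("shellexecute", values["shellexecute"]))

    # shell\<verb>\command adds a verb to the drive's context menu; the default verb
    # is what a double-click on the drive runs.
    default_verb = values.get("shell", "").lower()
    for key, value in values.items():
        match = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if not match:
            continue
        verb = match.group(1)
        is_default = verb == default_verb or values.get("shell\\%s\\default" % verb) == "1"
        label = "right-click '%s'" % verb + (" (default: double-click)" if is_default else "")
        vectors.append((label, value))
    return vectors


def executables(text: str) -> List[str]:
    """Distinct executables referenced: first token of each command line, lower-cased."""
    seen: List[str] = []
    for _, cmd in launch_vectors(text):
        if not cmd:
            continue
        exe = cmd.split()[0].strip('"').lower()
        if exe not in seen:
            seen.append(exe)
    return seen


if __name__ == "__main__":
    for trigger, cmd in launch_vectors(SAMPLE_AUTORUN_INF):
        print("%-45s -> %s" % (trigger, cmd))
    print("executables:", executables(SAMPLE_AUTORUN_INF))
```

Feed it the autorun.inf from a suspect key; every name it returns is a file to pull off the key for analysis, and the trigger column tells you which click (or the plain double-click) would have run it.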

US-CERT issued an advisory (TA09-020A) describing how to disable autorun.inf handling completely by adding the registry entry shown below. Save the text as a .reg file and import it by double-clicking it.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Once the entry has been imported and the machine rebooted, Windows will stop parsing the autorun.inf on any storage device, existing or newly connected. The mapping redirects every read of an autorun.inf to a registry key that does not exist, so every value comes back empty. You will also notice that right-clicking a drive now only shows "Open" and "Explore", and both simply open a window rather than executing a program.

To re-enable the autorun features all you need to do is delete the entry. This is easily done by saving the text below as a .reg file and importing it.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

References:

http://vil.nai.com/vil/content/v_153711.htm
http://vil.nai.com/vil/content/v_153724.htm
http://www.us-cert.gov/cas/techalerts/TA09-020A.html
http://www.symantec.com/security_response/writeup.jsp?docid=2008-042106-1847-99&tabid=2