
Understanding USB malware execution & security


8 replies to this topic

#1 downloaderfan

downloaderfan

  • Members
  • 45 posts
  • OFFLINE
  • Local time:10:10 AM

Posted 16 March 2017 - 03:45 AM

Alright, I was recently doing some research about how my PC could get infected by inserting an infected USB drive & found that most malware relies on the execution of autorun.inf. Now, since I have Windows 10 with AutoPlay enabled, whenever I insert a new USB drive, Windows by default asks me what to do, i.e. Open folder to view files, Take no action, Run the application that is configured to run in autorun.inf, etc. Now, since I always follow certain security measures, I never run autorun.inf; instead I open the folder to view files & if I find a doubtful exe file, I use Sandboxie to test that file.

 

So I wanted to know: does malware exist for USB drives that can execute automatically in the background on insertion, without asking any permission or giving any indication whatsoever? Are there any tools I can use to prevent such auto-executing malware if it exists? While researching, I found some tools like USB Immunizer which modify the autorun.inf file & wondered if they add any security to my PC if I never ran autorun.inf in the first place.

 

Another question - Now let's say I use my own USB drive & plug it into different public computers, how could I protect my USB drive from getting infected if I plug it into an infected computer? 

 

 

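A quick way to check, and with -Harden to set, the AutoRun and AutoPlay settings the post refers to. This is an added PowerShell example, not something posted in the thread; the registry paths and value names are the standard Explorer policy locations, and writing the HKLM value needs an elevated prompt.

```powershell
# Added example: audit the Windows AutoRun/AutoPlay registry settings discussed
# in the post and optionally enforce them. Run from an elevated PowerShell to
# write the HKLM value; -WhatIf is honoured via SupportsShouldProcess.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Harden)

# 0xFF sets every drive-type bit, so autorun.inf is ignored on all drive types;
# DisableAutoplay = 1 turns off the AutoPlay prompt shown when media is inserted.
$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Want = 0xFF
       Note = 'Ignore autorun.inf on all drive types (machine-wide)' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Want = 0xFF
       Note = 'Same setting for the current user' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
       Name = 'DisableAutoplay'; Want = 1
       Note = 'Turn off the AutoPlay prompt for inserted media' }
)

foreach ($s in $settings) {
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $state = if ($null -eq $current) { 'NOT SET' }
             elseif ($current -eq $s.Want) { 'OK' }
             else { 'WEAK' }
    $shown = if ($null -eq $current) { 'n/a' } else { '0x{0:X}' -f $current }
    '{0,-8} {1}\{2} = {3}  [{4}]' -f $state, $s.Path, $s.Name, $shown, $s.Note

    # Only touch values that are missing or weaker than wanted.
    if ($Harden -and $state -ne 'OK' -and
        $PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set DWORD to $($s.Want)")) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want -PropertyType DWord -Force | Out-Null
        'FIXED    {0}\{1}' -f $s.Path, $s.Name
    }
}
```

Run it without switches to see the current posture; the machine-wide value is the one Group Policy's "Turn off Autoplay" setting also writes, so a domain policy may already be setting it.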



 


#2 JohnnyJammer

JohnnyJammer

  • Members
  • 1,122 posts
  • OFFLINE
  • Gender:Male
  • Location:QLD Australia
  • Local time:02:40 PM

Posted 16 March 2017 - 05:36 PM

Yes, it does exist, and they use spoofing to enable this. Ever heard of using the GUID of a keyboard to bypass how Windows detects hardware?



#3 downloaderfan

downloaderfan
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:10:10 AM

Posted 17 March 2017 - 10:39 AM

Yes, it does exist, and they use spoofing to enable this. Ever heard of using the GUID of a keyboard to bypass how Windows detects hardware?

Hi, thanks for your reply.

 

It seems something like that would also work on macOS & Linux according to this video, so, correct me if I'm wrong, the only way to safely insert & test data from any USB drive out there would be to mount the USB drive directly inside VMware Workstation.

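The keyboard spoofing JohnnyJammer describes relies on the stick presenting itself to Windows as a keyboard; on the host side, the defensive check is whether a new keyboard instance appeared when you only plugged in storage. The following is an added PowerShell example (not from the thread) that inventories present keyboards using the PnpDevice cmdlets shipped with Windows 10 and diffs them against a saved baseline; the baseline file location is an assumed default.

```powershell
# Added example: list the keyboards Windows currently has present, flag those
# enumerating over USB, and diff against a baseline taken before the stick was
# inserted. Read-only apart from the baseline JSON file it writes.
function Get-KeyboardInventory {
    Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue | ForEach-Object {
        $ids    = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue).Data
        $parent = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue).Data
        [pscustomobject]@{
            Name        = $_.FriendlyName
            InstanceId  = $_.InstanceId
            HardwareIds = ($ids -join ';')
            Parent      = $parent
            # A built-in laptop keyboard normally hangs off ACPI/PS2; a USB HID
            # keyboard has a USB\VID_xxxx&PID_xxxx parent node.
            OverUsb     = [bool]($parent -like 'USB\*')
        }
    }
}

function Save-KeyboardBaseline {
    param([string]$Path = "$env:USERPROFILE\keyboard-baseline.json")  # assumed default path
    Get-KeyboardInventory | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    "Baseline saved: $Path"
}

function Compare-KeyboardBaseline {
    param([string]$Path = "$env:USERPROFILE\keyboard-baseline.json")
    # Wrap in @() so a single-object baseline still behaves as a collection.
    $baseline = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    $now      = @(Get-KeyboardInventory)
    $new = $now | Where-Object { $_.InstanceId -notin $baseline.InstanceId }
    if (-not $new) { 'No keyboards beyond the baseline.'; return }
    foreach ($k in $new) {
        $flag = if ($k.OverUsb) { 'SUSPECT: new USB keyboard' } else { 'New keyboard (non-USB)' }
        '{0}  {1}  [{2}]  parent={3}' -f $flag, $k.Name, $k.InstanceId, $k.Parent
    }
}

# Usage: run Save-KeyboardBaseline with nothing unusual attached, plug the drive
# in, then run Compare-KeyboardBaseline. A storage stick should add no keyboard.
```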


#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,752 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:40 AM

Posted 17 March 2017 - 03:55 PM

If you can spend a bit of money on a Raspberry Pi, take a look at this: https://www.circl.lu/projects/CIRCLean/


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 downloaderfan

downloaderfan
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:10:10 AM

Posted 18 March 2017 - 07:04 AM

If you can spend a bit of money on a Raspberry Pi, take a look at this: https://www.circl.lu/projects/CIRCLean/

 

Hi Didier Stevens, thanks for mentioning that.

 

I couldn't find much information about that product elsewhere online, but what I understood from reading its documentation is that it behaves like a hardware antivirus, disinfecting files on the unsafe USB drive & copying them to another, safe USB drive. Depending on the sophistication of the malware, in theory, something like this could be hit or miss when it comes to detecting malware since, again, I couldn't find much online about its reliability. That's the reason I prefer sandbox solutions to test potentially unsafe files, so that even if my system were to get compromised, it would be the sandboxed system & not my actual system.



#6 Just_One_Question

Just_One_Question

  • Members
  • 1,400 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:07:40 AM

Posted 18 March 2017 - 06:35 PM

...Another question - Now let's say I use my own USB drive & plug it into different public computers, how could I protect my USB drive from getting infected if I plug it into an infected computer?


That...that...that was weirdly sexual lol

#7 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • OFFLINE
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:04:40 PM

Posted 18 March 2017 - 07:40 PM

How to View Hidden Partitions on a Flash Drive. https://www.techwalla.com/articles/how-to-view-hidden-partitions-on-a-flash-drive

Create a Hidden Partition on USB Flash Drive Which Stays Even After Formatting. http://www.instructables.com/id/Create-a-Hidden-Partition-on-USB-Flash-Drive-which/

Properly Delete Extra Partitions on USB Drive using DiskPart. https://www.all4os.com/windows/properly-delete-a-partition-on-usb-drive-using-diskpart.html
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,752 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:40 AM

Posted 19 March 2017 - 01:56 PM

You're running a risk testing executables with your sandbox.

 

You do know that there is malware that detects it is running inside a sandbox or VM, and then behaves differently?

Such malware often does nothing when run inside a sandbox.

 

So you would test the exe in a sandbox, nothing would happen, you would think it is safe, and then you would use it on your physical system, which gets infected.




#9 downloaderfan

downloaderfan
  • Topic Starter

  • Members
  • 45 posts
  • OFFLINE
  • Local time:10:10 AM

Posted 19 March 2017 - 11:48 PM

How to View Hidden Partitions on a Flash Drive. https://www.techwalla.com/articles/how-to-view-hidden-partitions-on-a-flash-drive

Create a Hidden Partition on USB Flash Drive Which Stays Even After Formatting. http://www.instructables.com/id/Create-a-Hidden-Partition-on-USB-Flash-Drive-which/

Properly Delete Extra Partitions on USB Drive using DiskPart. https://www.all4os.com/windows/properly-delete-a-partition-on-usb-drive-using-diskpart.html

 

Thanks, I'm now using EaseUS Partition Manager to create a separate hidden partition with all of my encrypted confidential files & bootable ISOs.

 

 

You're running a risk testing executables with your sandbox.

 

You do know that there is malware that detects it is running inside a sandbox or VM, and then behaves differently?

Such malware often does nothing when run inside a sandbox.

 

So you would test the exe in a sandbox, nothing would happen, you would think it is safe, and then you would use it on your physical system, which gets infected.

 

Yes, I've known about such malware for quite a while. But since the VM is running full Windows 10, I could use any of my virus scanning techniques, such as uploading to VirusTotal or scanning with Emsisoft Emergency Kit. I could even reformat the USB drive if needed, then insert it into my main system.

Another option is to skip the VM altogether & use shadow mode of Shadow Defender when inserting the USB.

 

From the Shadow Defender website:

Shadow Defender can run your system in a virtual environment called 'Shadow Mode'. 'Shadow Mode' redirects each system change to a virtual environment with no change to your real environment. If you experience malicious activities and/or unwanted changes, perform a reboot to restore your system back to its original state, as if nothing happened.





