[SCTI 2011] - (Un)protecting USB media
DESCRIPTION
Talk given by Fernando Mercês at SCTI 2011
TRANSCRIPT
2 / 19 www.4linux.com.br
Experience in mission-critical environments
Pioneer in distance Linux training
IBM training partner
First with LPI in Brazil
More than 30,000 satisfied students
International recognition
Innovation with Hackerteen and Boteconet
(Un)protecting USB storage media
Opportunity
The reverse engineering researcher can act on:
● Reimplementation of resources as open source
● Creation of fork projects
$ whoami
● Open Source Software Consultant at 4Linux.
● C language fan (RIP DMR).
● Free and Open Source Software lover.
● Maintainer of pev, T50, hdump, USBForce and other little tools.
● LPIC-2, A+.
● Reverse Engineering enthusiast.
Agenda
● Motivation
● Infection via USB
● Existing protection methods
● Protection method idea
● Demonstration
● Writing a tool
● Conclusion
● References
Motivation
● High infection risk.
● Lack of effective protections.
● Network security bypass.
● Hard administration.
● Users want USB!
Infection via USB
● autorun.inf (obfuscated or not).
● Not easy to detect (normal users).
● Automatic and fast.
Existing protection methods
● Disable Autorun (Windows registry).
● USB antivirus / "firewalls".
● Windows policies.
● USBForce does this work.
Protection method idea
● Make autorun.inf read-only.
● The storage partition must remain writable.
● Immunize USB storage media against infections.
● There is a proprietary tool that does this, called Panda USB Vaccine.
● I don't know yet HOW it works (internally), but it works. I need to learn the method.
Demonstration
Video: Reversing Vaccine Technique
Writing a tool
● FAT-32 attributes byte
Bit 0 – 0x01 – read only
Bit 1 – 0x02 – hidden
Bit 2 – 0x04 – system
Bit 3 – 0x08 – volume name
Bit 4 – 0x10 – subdirectory
Bit 5 – 0x20 – archive
Bit 6 – 0x40 – unused 1
Bit 7 – 0x80 – unused 2
Writing a tool
● Windows API function CreateFile does not recognize 0x40 attribute.
● libfat (Linux) also does not work.
● ioctl does not work =(
● The unused attributes are undefined (probably reserved for future use).
● Creates an “undeletable” autorun.inf.
● Sets the attributes 0x40 (unused) and 0x02 (hidden).
● Free and Open Source Software.
Writing a tool
1. Create a regular autorun.inf file.
2. Identify FAT-32 structures.
3. Read the structures to find the autorun.inf entry in the directory table.
4. Look for attribute byte.
5. Set 0x40 attribute. It's a good idea to set 0x02 attribute too.
The new tool: OpenVaccine
● Written in C.
● Originally designed for Linux.
● Creates an autorun.inf file.
● Immunizes USB storage media.
● Creates an “undeletable” autorun.inf.
● Sets the attributes 0x02 (hidden) and 0x40 (unused).
● Free and Open Source Software (GPLv3).
● USE AT OWN RISK. Backup first. ;)
The new tool: OpenVaccine
$ sudo ./openvaccine /dev/sdd1 /media/DANI1G/
OpenVaccine 0.8
by Fernando Mercês ([email protected])
Partition /dev/sdd1
 + FAT32 (mkdosfs)
 + 1.86G (1949696 bytes)
 + mirroring enabled
 + 1952690 sectors
 + 512 bytes per sector
 + 4k clusters
 + serial is 3673364101
autorun.inf created at sector 0xf04, byte 0x20 (offset 0x1e0620).
Conclusion
● I have studied FAT-32 filesystems only.
● OpenVaccine will create an “undeletable” autorun.inf, so with the source code it's easy to write a tool that deletes it.
● I think USB will still be a problem, but this tool can minimize risks.
● Use reversing for open source reimplementation!
References
● Paper (in Portuguese): www.mentebinaria.com.br/textos#0x1a
● OpenVaccine: http://openvaccine.sf.net
● USBForce: http://usbforce.sf.net
● Demo video: http://va.mu/J4yY (case sensitive)
Thank you!
Fernando Mercês (@MenteBinaria)
[email protected]
www.4linux.com.br
www.hackerteen.com
twitter.com/4LinuxBR
+55 (11) 2125-4747