Saturday, June 13, 2009

Prevent the spread of USB malware

Let us first understand how malware affects a pendrive.
It can use two main methods to spread through memory sticks:
either by infecting the executable files on the memory stick, or by placing an 'autorun.inf' file on it, which Windows processes automatically when the device is connected. The second method makes the problem worse, as no user interaction is needed.

This problem can be solved by preventing access to the autorun.inf file on the memory stick before it can be infected!

To do this:
we require a simple hex editor (HxD):
Code:
http://mh-nexus.de/en/hxd/
Most memory sticks/pendrives are formatted as FAT32, with the exception of some of the newer 8GB+ drives.

"Make sure that the memory stick has NO data on it, because this procedure may result in data loss! Also make sure that the pendrive is not in use by any other program."

First create a blank `autorun.inf` file on the memory stick, then open up the disk in the hex editor in read/write mode.

Now search for the string 'autorun' as a non-Unicode (ASCII) text string. The area we need to take care of is as follows:
Code:
41 55 54 4F 52 55 4E 20 49 4E 46 20
A  U  T  O  R  U  N     I  N  F

The twelfth byte is the file's attribute byte. Its current value (0x20) has just the archive bit set. Now change this byte to 0x40, which sets the device bit, a bit that is never normally found on a disk. The block will now look like this:

Code:
41 55 54 4F 52 55 4E 20 49 4E 46 40
A  U  T  O  R  U  N     I  N  F  @

Once this has been saved to disk (ignoring any warning that this might corrupt the disk), unmount and remount the volume. Now, when you browse to the disk, the autorun.inf file can be seen, but it cannot be deleted, opened, edited, overwritten, or have its attributes changed.

When this memory stick is connected to an infected machine that tries to create an autorun.inf file on it, the attempt fails with an error (Cannot create file), meaning that this memory stick cannot be infected, and thus cannot pass the infection on to any other computers.
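The same attribute-byte change, written as a small script that audits (and optionally applies) it on a raw image of the FAT volume. This is an added example and not part of Robin Bailey's original post or the HxD tool; it assumes you have first captured the volume to a file (for example with dd) and that directory entries are 32-byte aligned within the image, which holds for a standard FAT volume whose data region starts on a sector boundary. The sample image at the bottom is constructed inline so the script runs without a real pendrive.

```python
# Added example (not from the original post): audit and harden the 8.3
# directory entry for AUTORUN.INF in a raw FAT volume image.
#
# FAT directory entry layout: bytes 0..10 hold the 8.3 short name
# ("AUTORUN" space-padded to 8 chars + "INF"), byte 11 is the attribute byte.
ENTRY_LEN = 32
NAME_FIELD = b"AUTORUN INF"
ATTR_OFFSET = 11
ATTR_DEVICE = 0x40  # reserved bit, never set on disk by a normal driver

ATTR_BITS = {
    0x01: "READ_ONLY",
    0x02: "HIDDEN",
    0x04: "SYSTEM",
    0x08: "VOLUME_ID",
    0x10: "DIRECTORY",
    0x20: "ARCHIVE",
    0x40: "DEVICE",
}


def decode_attrs(attr: int) -> list:
    """Return the names of the attribute bits set in a FAT attribute byte."""
    return [name for bit, name in ATTR_BITS.items() if attr & bit]


def find_autorun_entries(image: bytes) -> list:
    """Return offsets of 32-byte directory entries whose short name is AUTORUN.INF.

    Only 32-byte-aligned matches count, so the same text inside file contents
    (or inside a long-file-name entry) is not mistaken for a directory entry.
    """
    offsets = []
    pos = image.find(NAME_FIELD)
    while pos != -1:
        if pos % ENTRY_LEN == 0:
            offsets.append(pos)
        pos = image.find(NAME_FIELD, pos + 1)
    return offsets


def audit(image: bytes) -> dict:
    """Map each AUTORUN.INF entry offset to (attribute byte, decoded bit names)."""
    return {off: (image[off + ATTR_OFFSET], decode_attrs(image[off + ATTR_OFFSET]))
            for off in find_autorun_entries(image)}


def is_protected(image: bytes) -> bool:
    """True if an AUTORUN.INF entry exists and every one carries only the device bit."""
    entries = find_autorun_entries(image)
    return bool(entries) and all(image[off + ATTR_OFFSET] == ATTR_DEVICE for off in entries)


def harden(image: bytes) -> bytes:
    """Return a copy of the image with each AUTORUN.INF attribute byte set to 0x40."""
    out = bytearray(image)
    for off in find_autorun_entries(image):
        out[off + ATTR_OFFSET] = ATTR_DEVICE
    return bytes(out)


def build_entry(attr: int) -> bytes:
    """Construct a 32-byte directory entry for AUTORUN.INF (constructed test data)."""
    return NAME_FIELD + bytes([attr]) + b"\x00" * (ENTRY_LEN - ATTR_OFFSET - 1)


def sample_image() -> bytes:
    """Constructed mini image: two empty entries, then AUTORUN.INF with only ARCHIVE set,
    followed by the same text at an unaligned offset that must NOT be treated as an entry."""
    return (b"\x00" * ENTRY_LEN * 2
            + build_entry(0x20)
            + b"\x00" * 5 + NAME_FIELD + b"\x00" * 16)


if __name__ == "__main__":
    import sys
    # Usage: python audit_autorun.py usb.img   (no argument: run on the sample image)
    img = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_image()
    for off, (attr, bits) in audit(img).items():
        print(f"AUTORUN.INF entry at offset {off}: attr=0x{attr:02X} {bits}")
    print("protected" if is_protected(img) else "NOT protected")
```

Running it against a captured image reports the attribute byte of every AUTORUN.INF short-name entry and whether the device bit is in place, which is the check to repeat after the hex-editor procedure; `harden()` returns the modified bytes and deliberately does not write anything back by itself, so the image on disk is only changed if you choose to save its result. Note that Windows 7 and later, after Microsoft's February 2011 AutoRun update, no longer process autorun.inf from removable USB drives, so this trick mainly matters for the Windows XP era systems the post has in mind.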

Extracted from "Preventing the spread of USB malware" by Robin Bailey and edited to make it understandable.