Memory Stick Worms

Lately, we've been seeing a lot of worms, and even some genuine viruses (*), coming into our network via Universal Serial Bus memory sticks (aka "pen drives"). For those of us who remember the first MS-DOS viruses, which spread almost exclusively via diskette, it's rather nostalgic.

The culprit, of course, is Microsoft's desire to make things "simple" - meaning "automatic" - for Joe Sixpack; there's a fundamental incompatibility between a home entertainment system, which Windows has become, and an operating system for getting work done. (Here's a rule of thumb for you: any time you see stuff which starts without the user asking it to, look for malware to pop up in short order.)

These worms pretty much all reproduce the same way, at least in terms of how they jump to and from PCs. They have an AUTORUN.INF file and an executable of some kind. When you put the stick in the PC, Windows finds AUTORUN.INF "automagically". You can find documentation of some of the possible things which this file can do, but basically, the worm version will either run the executable immediately, or modify the Windows Explorer default behaviour so that the worm will run as soon as you open the stick by double-clicking on it. The executable will make a copy of itself and AUTORUN.INF on all the disk partitions and shared drive connections which it can see, and then open the root folder normally. (This takes a fraction of a second, so you won't notice it.) The executable will then sit around in memory and every time you insert a removable storage volume (such as another memory stick) or map a network drive, it will copy the worm "kit" to it.

Sometimes the executable will live in a fake \RECYCLED folder, which is quite clever because hardly anyone ever opens the recycle bin on a memory stick, and because the folder doesn't contain a normal recycle bin structure, the worm will be safe, even if you empty the bin while the stick is in the drive.
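To see the propagation mechanism from the defender's side, here is a read-only inventory script (an added example, not part of the original post or anything from Microsoft). It walks every removable and CD-ROM drive, parses the [autorun] section of any AUTORUN.INF it finds and reports the directives that would launch something or change Explorer's double-click action, and lists executables sitting in a \RECYCLED or \RECYCLER folder. Function names, the list of file extensions and the Windows PowerShell 5.1 requirement are my choices; the INI keys it looks for (open, shellexecute, shell\...\command) are Microsoft's documented AUTORUN.INF keys.

```powershell
# Added example (not from the original post): inventory AUTORUN.INF files on
# removable drives and report what they would launch, plus any executables
# hiding in a \RECYCLED or \RECYCLER folder. Read-only; changes nothing.
# Assumes Windows PowerShell 5.1 or later.

function Get-AutorunDirectives {
    param([Parameter(Mandatory)][string]$Path)
    # AUTORUN.INF uses INI syntax; only the [autorun] section matters. The
    # launch keys are open= and shellexecute=, and shell\<verb>\command=
    # entries rewrite what Explorer does on double-click. icon= and label=
    # are kept so a benign CD (icon only) can be told apart from a worm kit.
    $interesting = 'open', 'shellexecute', 'shell', 'icon', 'label'
    $result = @{}
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^([^=]+)=(.*)$') {
            $key = $Matches[1].Trim().ToLower()
            if ($key -like 'shell\*' -or $interesting -contains $key) {
                $result[$key] = $Matches[2].Trim()
            }
        }
    }
    return $result
}

function Find-RemovableAutorun {
    # Win32_LogicalDisk DriveType: 2 = removable, 5 = CD-ROM
    $drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 5 }
    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        $inf = Join-Path $root 'AUTORUN.INF'
        if (Test-Path -LiteralPath $inf) {
            $dir = Get-AutorunDirectives -Path $inf
            foreach ($k in $dir.Keys) {
                [pscustomobject]@{ Drive = $d.DeviceID; Finding = "AUTORUN.INF $k"; Value = $dir[$k] }
            }
        }
        # A real recycle bin on a stick is rare; executables inside one are a red flag.
        foreach ($bin in 'RECYCLED', 'RECYCLER') {
            $rb = Join-Path $root $bin
            if (Test-Path -LiteralPath $rb) {
                Get-ChildItem -LiteralPath $rb -Recurse -Force -Include *.exe, *.com, *.scr, *.bat, *.vbs -ErrorAction SilentlyContinue |
                    ForEach-Object { [pscustomobject]@{ Drive = $d.DeviceID; Finding = "executable in \$bin"; Value = $_.FullName } }
            }
        }
    }
}

# Usage: plug in the suspect stick, then run
Find-RemovableAutorun | Format-Table -AutoSize
```

The script never opens or executes anything it finds; it only reads the INF text and directory listings, so it is safe to run on a stick you suspect. An AUTORUN.INF whose only keys are icon and label is normal for a vendor CD; an open or shellexecute pointing at something in \RECYCLED is exactly the pattern described above.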

Now, in theory you can prevent certain drive types from executing the contents of their AUTORUN.INF files using a registry value (NoDriveTypeAutoRun). But this is hard to do in practice. First, it's a per-user key, which in a corporate environment is harder to manipulate reliably than a per-PC key. Secondly, there are several bugs known for it. And thirdly, a little-known registry key called MountPoints2 contains cached information about every memory stick or other removable device which your PC has ever seen, and that overrides the NoDriveTypeAutoRun value if you insert a volume which the PC already knows about.

The only solution I could find from Microsoft is typically light and nimble: prevent all Universal Serial Bus storage from running. This is fine if the aim is to stop people using memory sticks altogether, but didn't you just have a 4GB stick custom-printed for everyone in the company, and tell them to make their own backups on it?

Anyway, there seems to be a solution: a one-shot, quick way to prevent AUTORUN.INF files from being used on a PC, from any medium. My colleague and fellow low-budget Windows hacker Emin Atac thought up the idea, and I spent all of 15 minutes testing it. Now it's your turn (well, "the world is our beta site" works well enough as a corporate mantra for Microsoft).

All you do is to copy these three lines into a file called NOAUTRUN.REG (or anything.REG) and double-click it. Corporate network people can transform it into a script for their favourite command-line registry manipulator, or maybe make it a system policy thingy.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

This hack tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application. IniFileMapping is a key which tells Windows how to handle the .INI files which those applications typically used to store their configuration data (before the registry existed). In this case it says "whenever you have to handle a file called AUTORUN.INF, don't use the values from the file. You'll find the values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key, er, does not exist, it's as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action. Result: worms cannot get in - unless you start double-clicking executables to see what they do, in which case, you deserve to have your PC infected.

The only downside of this is that if you insert a CD with software on it, you have to explore it by hand to find the setup program. Of course, if that means your kids install less software, that could also be considered an upside.

If you want to check that the registry settings of this hack are in place, open Regedit, walk down to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping, and you should see something like this:
[screenshot of Regedit showing the Autorun.inf key under IniFileMapping with its default value set to @SYS:DoesNotExist]
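For the "command-line registry manipulator" crowd, here is the same hack as a PowerShell script, together with the checks a practitioner would want before and after applying it: whether the IniFileMapping entry is in place (the equivalent of the Regedit walk just described), what NoDriveTypeAutoRun is set to per user and per machine (decoded into the drive types it disables, since the value is a bitmask of the GetDriveType codes), and how many volumes MountPoints2 has cached. This is an added example, not the original .REG file or anything shipped by Microsoft; the function names are mine, the registry paths are the standard ones, and it must be run from an elevated Windows PowerShell 5.1 or later session because it writes under HKLM.

```powershell
# Added example (not from the original post): apply the IniFileMapping
# workaround and audit this PC's autorun posture. Run elevated.
# Assumes Windows PowerShell 5.1 or later.

$MappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Enable-AutorunInfMapping {
    # Equivalent of the three-line .REG file: redirect every AUTORUN.INF lookup
    # to a registry key that does not exist, so the file is treated as empty.
    if (-not (Test-Path $MappingKey)) { New-Item -Path $MappingKey -Force | Out-Null }
    Set-ItemProperty -Path $MappingKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-AutorunInfMapping {
    # True when the hack is in place, i.e. the key's default value is @SYS:DoesNotExist.
    if (-not (Test-Path $MappingKey)) { return $false }
    $v = (Get-ItemProperty -Path $MappingKey).'(default)'
    return ($v -eq '@SYS:DoesNotExist')
}

function Get-NoDriveTypeAutoRun {
    # Reads the per-user (HKCU) and per-machine (HKLM) policy values and decodes
    # the bitmask. A set bit disables autorun for that drive type.
    $bits = @{ 0x01 = 'unknown'; 0x02 = 'no root dir'; 0x04 = 'removable'; 0x08 = 'fixed';
               0x10 = 'network'; 0x20 = 'CD-ROM'; 0x40 = 'RAM disk' }
    foreach ($hive in 'HKCU', 'HKLM') {
        $p = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $val = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $val) {
            [pscustomobject]@{ Hive = $hive; Value = '(not set)'; DisabledFor = '-' }
            continue
        }
        $disabled = ($bits.Keys | Sort-Object | Where-Object { $val -band $_ } | ForEach-Object { $bits[$_] }) -join ', '
        [pscustomobject]@{ Hive = $hive; Value = ('0x{0:X2}' -f $val); DisabledFor = $disabled }
    }
}

function Get-MountPoints2Count {
    # Number of cached removable-volume entries for the current user; each one is
    # a volume for which the cached autorun settings can override the policy value.
    $mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (-not (Test-Path $mp)) { return 0 }
    return (Get-ChildItem -Path $mp).Count
}

# Usage: audit, apply, and confirm
"Before: IniFileMapping hack in place: $(Test-AutorunInfMapping)"
Get-NoDriveTypeAutoRun | Format-Table -AutoSize
"Cached MountPoints2 entries for this user: $(Get-MountPoints2Count)"
Enable-AutorunInfMapping
"After:  IniFileMapping hack in place: $(Test-AutorunInfMapping)"
```

Test-AutorunInfMapping is the piece worth keeping in a login script or monitoring job: it returns a single boolean, so a fleet-wide check is just a matter of collecting its output. The NoDriveTypeAutoRun report is there for comparison only; as noted above, it is per-user and can be overridden by MountPoints2, which is exactly why the machine-wide IniFileMapping entry is the more reliable control.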


(*) If you don't know the difference, Wikipedia is (probably) your friend.
