Panda USB and AutoRun Vaccine: a cure for autorun viruses on flash drives
16 March 2011, 13:21
On March 5 I wrote an article about the AUTOSTOP script, which protects flash drives from autorun viruses, and it drew a considerable response. Today I was about to write a new article on an alternative (more reliable) method when, on one of the sites where the script was being discussed, someone suggested the program Panda USB and AutoRun Vaccine, which works on exactly the method I wanted to describe. And it works brilliantly: the autorun.inf file it creates on the flash drive (to stop a virus from creating a file of that name) can be neither deleted, nor renamed (which was the weakness of my script), nor modified, nor opened.



Let's take a closer look at the program, its features, and the method on which it is based.


METHOD


First of all, a word about the method.

A few days after the publication of my article, the user __x_tra wrote in my LJ about an alternative method of protection from autorun viruses that he had devised: create on the flash drive a file or directory named AUTORUN.INF and, using WinHex, give that file or directory an invalid attribute. Let me recall that according to the FAT32 File System Specification, better known as FATGEN (here we consider only the protection of FAT-formatted flash drives):

File attributes:
  ATTR_READ_ONLY 0x01
  ATTR_HIDDEN    0x02
  ATTR_SYSTEM    0x04
  ATTR_VOLUME_ID 0x08
  ATTR_DIRECTORY 0x10
  ATTR_ARCHIVE   0x20
  ATTR_LONG_NAME ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_VOLUME_ID
"The upper two bits of the attribute byte are reserved and should always be set to 0 when a file is created and never modified or looked at after that."


In __x_tra's variant, the top two bits are set not to 0 but to 1. The attribute byte then becomes 0xF7 (ATTR_ARCHIVE + ATTR_DIRECTORY + ATTR_SYSTEM + ATTR_HIDDEN + ATTR_READ_ONLY + the two reserved bits set to 11). He also suggested 0xC7, 0xD7 and 0xE7 as possible variants. I tested the method, and it works: an AUTORUN.INF with such an attribute could not be opened, renamed or modified. Only two things bothered me:
  • The correctness of the method: how it affects the health of the file system.
  • Reproducibility: how to explain to an ordinary user what WinHex is and what it is for.


PROGRAM


Now back to the program Panda USB and AutoRun Vaccine.



Let me remind you that «Panda USB Vaccine currently only works on FAT & FAT32 USB drives». It is small (only 393 KB) and has a spartan interface: everything is thought out, nothing superfluous. I should add that the program is free.

Let's start with the «Vaccinate USB» button. I had deliberately created an autorun.inf with the attributes RAHS on the flash drive beforehand; this did not stop the program, when the button was pressed, from overwriting it with its own file of the same name, which, as I said at the beginning of the article, "can be neither deleted, nor renamed (which was the weakness of my script), nor modified, nor opened." Open the flash drive in WinHex and look at the attribute of autorun.inf. And what do we see:



We see that, just as __x_tra did, the program changed the file attribute: to 0x40. In the article "FAT12, FAT16 and FAT32 Windows File System" there is a decoding of this value that is not in FATGEN:

0x40 Device (internal use only, never found on disk)
0x80 Unused

That is, attribute 0x40 is not so "invalid" after all; it is "within specification". Frankly, I am very glad that the people at Panda Software have implemented this method in a tiny program, at the press of a button, without forcing the user to resort to WinHex.

Note that the program cannot undo the vaccination of a flash drive. If you do need to create an autorun.inf on the flash drive (for example, to make it bootable), WinHex will help you, or reformat the drive (for this, by the way, the HP USB Disk Storage Format Tool works well).

The second button of the program is «Vaccinate computer». Let's check what it does:



This is familiar to me (before I wrote the AUTOSTOP script I used this method); it was devised by Nick Brown:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

@SYS:DoesNotExist tells Explorer not to read the autorun settings from the Autorun.inf file but from the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist, which does not exist. As a result, if an external storage device contains a file named Autorun.inf, it is not run when the media is connected to the computer. Moreover, it is not run on double-clicking the drive letter of that media in Explorer either.

The method is good (note that the program can undo it, in case the user still needs autorun, by pressing the button labelled «Remove vaccine»), but I would add that to disable autorun completely you need to add three more registry values (in this syntax I add them through a bat file):

  • REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files" /v "*.*" /d "" /f
    CancelAutoplay\Files holds text entries containing file names; if such a file is found on the media, the built-in AutoPlay is not run and the media's autorun.inf is not executed. We add a string value named *.* (all files).
  • REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
    NoDriveAutoRun disables autorun on particular drives by drive letter, and NoDriveTypeAutoRun disables it on drives by type. Since we do not need autorun at all, we use the second.
  • REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Cdrom" /v AutoRun /t REG_DWORD /d 0 /f
    Cdrom: disables any autorun support for CD-ROM drives (even manual).
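As an added example (not part of the original article or of Panda's program), the following Python script audits whether a computer carries the four registry settings described above: Nick Brown's IniFileMapping trick plus the three REG ADD values. It works over a snapshot of registry values in a dictionary format of this example's own invention, so it runs offline; the two snapshots are constructed, and on a real machine they would be filled from winreg. The NoDriveTypeAutoRun bitmask decoding uses the drive-type bits Microsoft documents for that value (0x04 removable, 0x20 CD-ROM, and so on), which is why 255 (0xFF) disables autorun for every drive type.

```python
# Audit of the "Vaccinate computer" registry settings.
# Snapshot format (this example's own convention): {key path: {value name: data}}.
# The default value of a key is stored under the empty value name "".

# Bits of NoDriveTypeAutoRun: each set bit disables autorun for one drive type.
DRIVE_TYPE_BITS = [
    (0x01, "unknown"), (0x02, "no root directory"), (0x04, "removable"),
    (0x08, "fixed"), (0x10, "network"), (0x20, "CD-ROM"),
    (0x40, "RAM disk"), (0x80, "reserved"),
]


def decode_no_drive_type_autorun(value: int) -> list:
    """Return the drive types for which autorun is disabled by this value."""
    return [name for bit, name in DRIVE_TYPE_BITS if value & bit]


# The four settings the article describes: (key, value name, expected data).
EXPECTED = [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf",
     "", "@SYS:DoesNotExist"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files",
     "*.*", ""),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer",
     "NoDriveTypeAutoRun", 0xFF),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Cdrom", "AutoRun", 0),
]


def _lookup(snapshot: dict, key: str, value_name: str):
    """Case-insensitive lookup, as registry key and value names are case-insensitive."""
    for k, values in snapshot.items():
        if k.lower() == key.lower():
            for v, data in values.items():
                if v.lower() == value_name.lower():
                    return data
    return None


def audit(snapshot: dict) -> list:
    """Compare every expected setting against the snapshot; one dict per setting."""
    report = []
    for key, value_name, expected in EXPECTED:
        actual = _lookup(snapshot, key, value_name)
        if isinstance(expected, str):
            ok = isinstance(actual, str) and actual.lower() == expected.lower()
        else:
            ok = actual == expected
        report.append({"key": key, "value": value_name or "(Default)",
                       "expected": expected, "actual": actual, "ok": ok})
    return report


def missing(snapshot: dict) -> list:
    """Paths of the settings that are absent or differ from the hardened value."""
    return [item["key"] + "\\" + item["value"] for item in audit(snapshot) if not item["ok"]]


def is_hardened(snapshot: dict) -> bool:
    return not missing(snapshot)


# Constructed snapshot of a machine after "Vaccinate computer" plus the three REG ADD lines.
VACCINATED = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf":
        {"": "@SYS:DoesNotExist"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\Files":
        {"*.*": ""},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer":
        {"NoDriveTypeAutoRun": 255},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Cdrom": {"AutoRun": 0},
}

# Constructed snapshot of an untouched machine: no mapping, CD-ROM autorun on,
# NoDriveTypeAutoRun at the value 0x91 that stock Windows XP installs use.
DEFAULT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer":
        {"NoDriveTypeAutoRun": 0x91},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Cdrom": {"AutoRun": 1},
}

if __name__ == "__main__":
    for name, snap in (("vaccinated", VACCINATED), ("default", DEFAULT)):
        print(name, "hardened" if is_hardened(snap) else "missing: " + ", ".join(missing(snap)))
    print("0x91 disables:", decode_no_drive_type_autorun(0x91))
```

Running the script reports the vaccinated snapshot as hardened and lists all four paths as missing for the default one; decoding 0x91 shows that the stock value only covers unknown, network and reserved drive types, which is why the article sets it to 255.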


Among the program's additional features I will note the following: if you run the program with the switch (there are a few other switches besides this one; see the program page)

USBVaccine.exe /resident

it stays resident and, when a new USB drive is connected, offers to vaccinate it:



Conclusions


Of the ways known to me today to protect FAT flash drives from autorun viruses, this one is the most reliable. Clearly, if a program from Panda Software can do such things, then sooner or later virus writers can learn it too; but that is a matter of time, and in the meantime the protection gives a real gain.

* Interestingly, Panda USB Vaccine 1.0.0.19 beta was released on March 5, the very day my article about the AUTOSTOP script was written. Maybe in future March 5 will be declared an international day of struggle against autorun viruses :)

UPD:


In the comments the idea came up that it would be logical to make the protective autorun.inf created by «Panda USB and AutoRun Vaccine» hidden, so that the user does not see it and is not tempted to reformat the flash drive, destroying the protection. And Inskin found an elegant solution that, in fact, lay on the surface: file attributes are bit flags. Adding 0x40 (01000000) + 0x01 (00000001) + 0x02 (00000010) + 0x04 (00000100) gives 0x47 (01000111), and the protected file has the attributes RHS. In the figure, the top fragment is from WinHex, below it part of a FAR window:
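To make the attribute arithmetic from the METHOD section and from this update concrete, here is an added Python example (not code from the article, from __x_tra, or from Panda) that parses 32-byte FAT short directory entries using the field layout FATGEN specifies, decodes the attribute byte including the two reserved upper bits, and walks a raw root-directory region to find an AUTORUN.INF entry and report whether it is "vaccinated" (reserved bits set, as with 0x40, 0x47 or 0xF7). The sample root directory is constructed in the script; the helper names are this example's own.

```python
import struct

# FATGEN attribute bits (as quoted in the article) plus the two reserved upper bits.
ATTR_READ_ONLY = 0x01
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20
ATTR_LONG_NAME = ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_VOLUME_ID
ATTR_LONG_NAME_MASK = 0x3F   # FATGEN: an entry is an LFN piece when (attr & mask) == ATTR_LONG_NAME
ATTR_RESERVED_MASK = 0xC0    # bits 6 and 7: "reserved, always 0" per FATGEN

ATTR_LETTERS = [(ATTR_READ_ONLY, "R"), (ATTR_HIDDEN, "H"), (ATTR_SYSTEM, "S"),
                (ATTR_VOLUME_ID, "V"), (ATTR_DIRECTORY, "D"), (ATTR_ARCHIVE, "A")]

# 32-byte short directory entry, little-endian, in FATGEN field order:
# DIR_Name[11], DIR_Attr, DIR_NTRes, DIR_CrtTimeTenth, DIR_CrtTime, DIR_CrtDate,
# DIR_LstAccDate, DIR_FstClusHI, DIR_WrtTime, DIR_WrtDate, DIR_FstClusLO, DIR_FileSize
DIR_ENTRY = struct.Struct("<11sBBBHHHHHHHI")


def short_name(name: str) -> bytes:
    """Encode an 8.3 name as stored on disk: upper case, space padded, no dot."""
    base, _, ext = name.upper().partition(".")
    return base.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")


def build_dir_entry(name: str, attr: int, size: int = 0, first_cluster: int = 0) -> bytes:
    """Build a constructed sample entry; timestamps are zero since they do not matter here."""
    return DIR_ENTRY.pack(short_name(name), attr, 0, 0, 0, 0, 0,
                          first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def describe_attr(attr: int) -> dict:
    """Split an attribute byte into its letter flags and its reserved upper bits."""
    flags = "".join(letter for bit, letter in ATTR_LETTERS if attr & bit)
    return {"attr": attr, "flags": flags, "reserved": attr & ATTR_RESERVED_MASK}


def parse_dir_entry(raw: bytes) -> dict:
    (name, attr, _ntres, _tenth, _ctime, _cdate, _adate,
     clus_hi, _wtime, _wdate, clus_lo, size) = DIR_ENTRY.unpack(raw)
    base = name[:8].rstrip(b" ").decode("ascii", "replace")
    ext = name[8:11].rstrip(b" ").decode("ascii", "replace")
    return {"name": base + ("." + ext if ext else ""), "size": size,
            "cluster": (clus_hi << 16) | clus_lo, **describe_attr(attr)}


def is_vaccinated(entry: dict) -> bool:
    """True for an AUTORUN.INF entry whose reserved attribute bits are set (0x40, 0x47, 0xF7 ...)."""
    return entry["name"] == "AUTORUN.INF" and entry["reserved"] != 0


def scan_directory(region: bytes):
    """Yield parsed short entries from a raw directory region, skipping LFN and deleted slots."""
    for off in range(0, len(region) - len(region) % 32, 32):
        raw = region[off:off + 32]
        if raw[0] == 0x00:      # free slot: nothing follows
            break
        if raw[0] == 0xE5:      # deleted entry
            continue
        if raw[11] & ATTR_LONG_NAME_MASK == ATTR_LONG_NAME:
            continue            # long-file-name piece, not a real entry
        yield parse_dir_entry(raw)


def find_autorun(region: bytes):
    for entry in scan_directory(region):
        if entry["name"] == "AUTORUN.INF":
            return entry
    return None


# Constructed sample root directory: volume label, an ordinary file,
# and the vaccine's AUTORUN.INF with attribute 0x47 (0x40 | R | H | S), then a free slot.
SAMPLE_ROOT = (build_dir_entry("USBDRIVE", ATTR_VOLUME_ID)
               + build_dir_entry("README.TXT", ATTR_ARCHIVE, size=1234, first_cluster=3)
               + build_dir_entry("AUTORUN.INF", 0x47)
               + bytes(32))

if __name__ == "__main__":
    for e in scan_directory(SAMPLE_ROOT):
        print(f"{e['name']:<12} attr=0x{e['attr']:02X} flags={e['flags']:<5} "
              f"reserved=0x{e['reserved']:02X} vaccinated={is_vaccinated(e)}")
    for attr in (0x40, 0x47, 0xF7, 0x27):
        print(f"0x{attr:02X} -> {describe_attr(attr)}")
```

Running it shows that 0x47 decodes to RHS with reserved bits 0x40 (exactly the hidden, protected file of the update), 0xF7 decodes to RHSDA with both reserved bits set (__x_tra's variant), and a plain RAHS file (0x27) has no reserved bits and so is not vaccinated.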



I contacted __x_tra, and he kindly agreed to help.
A modified version that sets the file attribute 0x47 (use at your own risk): USBVaccine_47.zip (USBVaccine_47.exe, size 1,182,464 bytes, larger than the original because the original is compressed with UPX; MD5: 5e3eb34bb09b1dda31dae0dfd8cd3521).
Added by: w1zard