[SCTI 2011] - (Un)protecting USB storage media
2 / 19 www.4linux.com.br
Experience in mission-critical environments
Pioneer in distance Linux training
IBM training partner
First with LPI in Brazil
30,000+ satisfied students
International recognition
Innovation with Hackerteen and Boteconet
(Un)protecting USB storage media
Opportunity
The reverse engineering researcher can act on:
● Reimplementation of open source resources
● Creation of fork projects
$ whoami
● Open Source Software Consultant at 4Linux.
● C language fan (RIP DMR).
● Free and Open Source Software lover.
● Maintainer of pev, T50, hdump, USBForce and other little tools.
● LPIC-2, A+.
● Reverse Engineering enthusiast.
Agenda
● Motivation
● Infection via USB
● Existing protection methods
● Protection method idea
● Demonstration
● Writing a tool
● Conclusion
● References
Motivation
● High infection risk.
● Lack of effective protections.
● Network security bypass.
● Hard administration.
● Users want USB!
Infection via USB
● autorun.inf (obfuscated or not).
● Not easy to detect (normal users).
● Automatic and fast.
Existing protection methods
● Disable Autorun (Windows registry).
● USB Antivirus/”firewalls”.
● Windows policies.
● USBForce does this work.
Protection method idea
● Make autorun.inf read-only.
● The storage partition must remain writable.
● Immunize USB storage media against infections.
● There is a proprietary tool that does this, called Panda USB Vaccine.
● I don't know yet HOW it works (internally), but it works. I need to learn the method.
Demonstration
Video: Reversing Vaccine Technique
Writing a tool
● FAT-32 attributes byte (one byte per 32-byte directory entry):
Bit 0 – 0x01 – read only
Bit 1 – 0x02 – hidden
Bit 2 – 0x04 – system
Bit 3 – 0x08 – volume name
Bit 4 – 0x10 – subdirectory
Bit 5 – 0x20 – archive
Bit 6 – 0x40 – unused 1
Bit 7 – 0x80 – unused 2
Writing a tool
● The Windows API function CreateFile does not recognize the 0x40 attribute.
● libfat (Linux) also does not work.
● ioctl does not work =(
● The unused attributes are undefined (probably reserved for future use).
● Creates an “undeletable” autorun.inf.
● Sets the attributes 0x40 (unused) and 0x02 (hidden).
● Free and Open Source Software.
Writing a tool
1. Create a regular autorun.inf file.
2. Identify FAT-32 structures.
3. Read structures to search for autorun.inf file entry in table.
4. Look for attribute byte.
5. Set 0x40 attribute. It's a good idea to set 0x02 attribute too.
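The five steps above (and the attribute-byte table) as an added Python example; this is not OpenVaccine's own C code. It parses the FAT32 BIOS Parameter Block, walks the root directory for the AUTORUN.INF 8.3 entry, sets 0x40|0x02 on a constructed in-memory image, and also offers an is_immunized() check for verifying a stick. It assumes the root directory fits in its first cluster (no FAT chain walk).

```python
import struct

ATTR_HIDDEN, ATTR_UNUSED1 = 0x02, 0x40          # bits from the attribute table
DIR_ENTRY_SIZE = 32
AUTORUN_83 = b"AUTORUN INF"                      # 8.3 name, space padded, no dot


def root_dir_offset(img):
    """Step 2: locate the root directory from the BPB in sector 0."""
    bps, spc = struct.unpack_from("<HB", img, 11)          # bytes/sector, sectors/cluster
    reserved, nfats = struct.unpack_from("<HB", img, 14)   # reserved sectors, FAT count
    fat_size = struct.unpack_from("<I", img, 36)[0]        # sectors per FAT (FAT32 field)
    root_cluster = struct.unpack_from("<I", img, 44)[0]    # usually 2
    first_data_sector = reserved + nfats * fat_size
    sector = first_data_sector + (root_cluster - 2) * spc
    return sector * bps, bps * spc                         # (offset, bytes in one cluster)


def find_entry(img, name83):
    """Step 3: scan the first root-directory cluster for a short-name entry."""
    start, cluster_bytes = root_dir_offset(img)
    for off in range(start, start + cluster_bytes, DIR_ENTRY_SIZE):
        first = img[off]
        if first == 0x00:                                  # end-of-directory marker
            return None
        if first == 0xE5 or img[off + 11] & 0x0F == 0x0F:  # deleted entry or LFN piece
            continue
        if img[off:off + 11] == name83:
            return off
    return None


def immunize(img):
    """Steps 4-5: OR the unused 0x40 bit (plus hidden) into the attribute byte at entry+11."""
    off = find_entry(img, AUTORUN_83)
    if off is None:
        raise FileNotFoundError("no autorun.inf in root directory (step 1 not done)")
    img[off + 11] |= ATTR_UNUSED1 | ATTR_HIDDEN
    return off, img[off + 11]


def is_immunized(img):
    """Defender check: does the stick carry an autorun.inf with the 0x40 bit set?"""
    off = find_entry(img, AUTORUN_83)
    return off is not None and bool(img[off + 11] & ATTR_UNUSED1)


def build_sample_image():
    """Constructed minimal FAT32 image: 1 reserved sector, 1 FAT of 1 sector, 1 sector/cluster."""
    img = bytearray(512 * 4)
    struct.pack_into("<HBHB", img, 11, 512, 1, 1, 1)       # bps, spc, reserved, nfats
    struct.pack_into("<I", img, 36, 1)                     # sectors per FAT
    struct.pack_into("<I", img, 44, 2)                     # root cluster
    root = 2 * 512                                         # step 1: entries in root dir
    img[root:root + 11] = b"README  TXT"; img[root + 11] = 0x20
    img[root + 32:root + 43] = AUTORUN_83; img[root + 43] = 0x20
    return img
```

On a real device the same logic runs over the partition block device (as OpenVaccine does with /dev/sdd1); the in-memory image only stands in for it here.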
The new tool: OpenVaccine
● Written in C.
● Originally designed for Linux.
● Creates an autorun.inf file.
● Immunizes USB storage media.
● Creates an “undeletable” autorun.inf.
● Sets the attributes 0x02 (hidden) and 0x40 (unused).
● Free and Open Source Software (GPLv3).
● USE AT OWN RISK. Backup first. ;)
The new tool: OpenVaccine
$ sudo ./openvaccine /dev/sdd1 /media/DANI1G/
OpenVaccine 0.8
by Fernando Mercês ([email protected])
Partition /dev/sdd1
 + FAT32 (mkdosfs)
 + 1.86G (1949696 bytes)
 + mirroring enabled
 + 1952690 sectors
 + 512 bytes per sector
 + 4k clusters
 + serial is 3673364101
autorun.inf created at sector 0xf04, byte 0x20 (offset 0x1e0620).
Conclusion
● I have studied FAT-32 filesystems only.
● OpenVaccine will create an “undeletable” autorun.inf, so, with the source code, it's easy to write a tool that deletes it.
● I think USB will still be a problem, but this tool can minimize risks.
● Use reversing for open source reimplementation!
References
● Paper (in Portuguese): www.mentebinaria.com.br/textos#0x1a
● OpenVaccine: http://openvaccine.sf.net
● USBForce: http://usbforce.sf.net
● Demo video: http://va.mu/J4yY (case sensitive)
Thank you!
Fernando Mercês (@MenteBinaria)
[email protected]
www.4linux.com.br
www.hackerteen.com
twitter.com/4LinuxBR
+55 (11) 2125-4747