[SCTI 2011] - (Des)protegendo mídias USB

•

1 gefällt mir•261 views

SCTI UENF

Palestrada ministrada por Fernando Mercês na SCTI 2011

Technologie News & Politik

 Experiência em missão crítica de missão crítica

 Pioneira no ensino de Linux à distância

 Parceira de treinamento IBM

 Primeira com LPI no Brasil

 + de 30.000 alunos satisfeitos

 Reconhecimento internacional

 Inovação com Hackerteen e Boteconet

www.4linux.com.br 2 / 19

(Un)protecting USB
storage media

www.4linux.com.br 3 / 19

Opportunity

The reverse engineering researcher cant act at:

● Open source resource reimplementation
● Fork projects creation

www.4linux.com.br 4 / 19

$ whoami

● Open Source Software Consultant at 4Linux.

● C language fan (RIP DMR).

● Free and Open Source Software lover.

● Maintainer of pev, T50, hdump, USBForce and other little
tools.

● LPIC-2, A+.

● Reverse Engineering enthusiast.

www.4linux.com.br 5 / 19

Agenda
● Motivation

● Infection via USB

● Existing protection methods

● Protection method idea

● Demonstration

● Writing a tool

● Conclusion

● References
www.4linux.com.br 6 / 19

Motivation

● High infection risk.

● Lack of effective protections.

● Network security bypass.

● Hard administration.

● Users want USB!

www.4linux.com.br 7 / 19

Infection via USB

● autorun.inf (obfuscated or not).

● Not easy to detect (normal users).

● Automatic and fast.

www.4linux.com.br 8 / 19

Existing protections methods

● Disable Autorun (Windows registry).

● USB Antivirus/”firewalls”.

● Windows policies.

● USBForce does this work.

www.4linux.com.br 9 / 19

Protection method idea
● Make autorun.inf read-only.

● The storage partition needs to be still writable.

● Immunize USB storage media against infections.

● There is proprietary tool to do it called Panda USB Vaccine.

● I don't know yet HOW (internally) works, but it works. I need
to learn the method.

www.4linux.com.br 10 / 19

Demonstration

Video: Reversing Vaccine Technique

www.4linux.com.br 11 / 19

Writing a tool
● FAT-32 attributes byte

Bit 0 – 0x01 – read only
Bit 1 – 0x02 – hidden
Bit 2 – 0x04 – system
Bit 3 – 0x08 – volume name
Bit 4 – 0x10 – subdirectory
Bit 5 – 0x20 – archive
Bit 6 – 0x40 – unused 1
Bit 7 – 0x80 – unused 2

www.4linux.com.br 12 / 19

Writing a tool
●Windows API function CreateFile does not recognize 0x40
attribute.

● libfat (Linux) also does not work.

● ioctl does not work =(

● The unused attributes are undefined (probably reserved for
future use).

● Creates an “undeletable” autorun.inf.

● Sets the attributes 0x40 (unused) and 0x02 (hidden).

● Free and Open Source Software.
www.4linux.com.br 13 / 19

Writing a tool

1. Create a regular autorun.inf file.

2. Identify FAT-32 structures.

3. Read structures to search for autorun.inf file entry in table.

4. Look for attribute byte.

5. Set 0x40 attribute. It's a good idea to set 0x02 attribute
too.

www.4linux.com.br 14 / 19

The new tool: OpenVaccine
● Written in C.

● Originally designed for Linux.

● Creates an autorun.inf file.

● Immunize USB storage medias.

● Creates an “undeletable” autorun.inf.

● Sets the attributes 0x02 (hidden) and 0x40 (unused).

● Free and Open Source Software (GPLv3).

● USE AT OWN RISK. Backup first. ;)
www.4linux.com.br 15 / 19

The new tool: OpenVaccine

$ sudo ./openvaccine /dev/sdd1 /media/DANI1G/
OpenVaccine 0.8
by Fernando Mercês (fernando@mentebinaria.com.br)
Partition /dev/sdd1
+ FAT32 (mkdosfs)
+ 1.86G (1949696 bytes)
+ mirroring enabled
+ 1952690 sectors
+ 512 bytes per sector
+ 4k clusters
+ serial is 3673364101
autorun.inf created at sector 0xf04, byte 0x20 (offset
0x1e0620).

www.4linux.com.br 16 / 19

Conclusion

● I have studied FAT-32 filesystems only.

●OpenVaccine will create an “undeletable” autorun.inf, so
with source code, it's easy to write a tool that deletes it.

● I think USB will still be a problem, but this tool can minimize
risks.

● Use reversing for open source reimplementation!

www.4linux.com.br 17 / 19

References
● Paper (in Portuguese)
www.mentebinaria.com.br/textos#0x1a

● OpenVaccine
http://openvaccine.sf.net

● USBForce
http://usbforce.sf.net

● Demo video
http://va.mu/J4yY (case sensitive)

www.4linux.com.br 18 / 19

Thank you!

Fernando Mercês (@MenteBinaria)
fernando.merces@4linux.com.br
www.4linux.com.br
www.hackerteen.com
twitter.com/4LinuxBR

+55 (11) 2125-4747
www.4linux.com.br 19 / 19

Weitere ähnliche Inhalte

Ähnlich wie [SCTI 2011] - (Des)protegendo mídias USB

(Un)Protecting USB Storage Media

Fernando Mercês

Android Variants, Hacks, Tricks and Resources presented at AnDevConII

Opersys inc.

Headless Android

Opersys inc.

Malware analysis, threat intelligence and reverse engineering

bartblaze

IoT: LoRa and Java on the PI

JWORKS powered by Ordina

Hello, Python

hardwyrd

Introduction to iOS Penetration Testing

OWASP

Pentester++

CTruncer

Embedded Linux primer

Drew Fustini

Android Hacks, Variants, Tricks and Resources ESC SV 2012

Opersys inc.

Part 1 of 'Introduction to Linux for bioinformatics': Introduction

Joachim Jacob

IoT Session Thomas More

Kevin Van den Abeele

Cc internet of things @ Thomas More

JWORKS powered by Ordina

Leveraging Android's Linux Heritage at AnDevCon IV

Opersys inc.

Management Zabbix with Terraform

Aécio Pires

IoT em tempo real com Firebase e JavaScript

Henri Cavalcante

Combining Machine Learning with Physical Computing - June 2022

Hal Speed

Linux, a free and open-source operating system, runs more than 100 million websites and it is getting more and more popular running laptop/desktop computers. Windows and even Macintosh users are usually intimidated by Linux because they think that you must be a computer scientist or hacker to install and use it proficiently. This is not true anymore! In this session, Chad Mairn will provide 10 tips to help Linux newbies and/or users thinking of making the switch to become more confident running Linux on their computers.

Top 10 Tips for Beginning Linux Users

St. Petersburg College

DT2014-15 S01: Digital Toolbox

Carlos Cámara

Get your FLOSS problems solved

Rex Tsai

Ähnlich wie [SCTI 2011] - (Des)protegendo mídias USB (20)

(Un)Protecting USB Storage Media

Android Variants, Hacks, Tricks and Resources presented at AnDevConII

Headless Android

Malware analysis, threat intelligence and reverse engineering

IoT: LoRa and Java on the PI

Hello, Python

Introduction to iOS Penetration Testing

Pentester++

Embedded Linux primer

Android Hacks, Variants, Tricks and Resources ESC SV 2012

Part 1 of 'Introduction to Linux for bioinformatics': Introduction

IoT Session Thomas More

Cc internet of things @ Thomas More

Leveraging Android's Linux Heritage at AnDevCon IV

Management Zabbix with Terraform

IoT em tempo real com Firebase e JavaScript

Combining Machine Learning with Physical Computing - June 2022

Top 10 Tips for Beginning Linux Users

DT2014-15 S01: Digital Toolbox

Get your FLOSS problems solved

Kürzlich hochgeladen

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

Exploring Multimodal Embeddings with Milvus

Zilliz

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Architecting Cloud Native Applications

WSO2

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

In this keynote, Asanka Abeysinghe, CTO,WSO2 will explore the shift towards platformless technology ecosystems and their importance in driving digital adaptability and innovation. We will discuss strategies for leveraging decentralized architectures and integrating diverse technologies, with a focus on building resilient, flexible, and future-ready IT infrastructures. We will also highlight WSO2's roadmap, emphasizing our commitment to supporting this transformative journey with our evolving product suite.

Platformless Horizons for Digital Adaptability

WSO2

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Understanding the FAA Part 107 License ..

Christopher Logan Kennedy

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Bhuvaneswari Subramani

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Kürzlich hochgeladen (20)

[BuildWithAI] Introduction to Gemini.pdf

Exploring Multimodal Embeddings with Milvus

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Architecting Cloud Native Applications

How to Troubleshoot Apps for the Modern Connected Worker

Strategies for Landing an Oracle DBA Job as a Fresher

Vector Search -An Introduction in Oracle Database 23ai.pptx

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Platformless Horizons for Digital Adaptability

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Introduction to Multilingual Retrieval Augmented Generation (RAG)

FWD Group - Insurer Innovation Award 2024

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Understanding the FAA Part 107 License ..

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Elevate Developer Efficiency & build GenAI Application with Amazon Q

MS Copilot expands with MS Graph connectors

[SCTI 2011] - (Des)protegendo mídias USB

2.  Experiência em missão crítica de missão crítica  Pioneira no ensino de Linux à distância  Parceira de treinamento IBM  Primeira com LPI no Brasil  + de 30.000 alunos satisfeitos  Reconhecimento internacional  Inovação com Hackerteen e Boteconet www.4linux.com.br 2 / 19

3. (Un)protecting USB storage media www.4linux.com.br 3 / 19

4. Opportunity The reverse engineering researcher cant act at: ● Open source resource reimplementation ● Fork projects creation www.4linux.com.br 4 / 19

5. $ whoami ● Open Source Software Consultant at 4Linux. ● C language fan (RIP DMR). ● Free and Open Source Software lover. ● Maintainer of pev, T50, hdump, USBForce and other little tools. ● LPIC-2, A+. ● Reverse Engineering enthusiast. www.4linux.com.br 5 / 19

6. Agenda ● Motivation ● Infection via USB ● Existing protection methods ● Protection method idea ● Demonstration ● Writing a tool ● Conclusion ● References www.4linux.com.br 6 / 19

7. Motivation ● High infection risk. ● Lack of effective protections. ● Network security bypass. ● Hard administration. ● Users want USB! www.4linux.com.br 7 / 19

8. Infection via USB ● autorun.inf (obfuscated or not). ● Not easy to detect (normal users). ● Automatic and fast. www.4linux.com.br 8 / 19

9. Existing protections methods ● Disable Autorun (Windows registry). ● USB Antivirus/”firewalls”. ● Windows policies. ● USBForce does this work. www.4linux.com.br 9 / 19

10. Protection method idea ● Make autorun.inf read-only. ● The storage partition needs to be still writable. ● Immunize USB storage media against infections. ● There is proprietary tool to do it called Panda USB Vaccine. ● I don't know yet HOW (internally) works, but it works. I need to learn the method. www.4linux.com.br 10 / 19

11. Demonstration Video: Reversing Vaccine Technique www.4linux.com.br 11 / 19

12. Writing a tool ● FAT-32 attributes byte Bit 0 – 0x01 – read only Bit 1 – 0x02 – hidden Bit 2 – 0x04 – system Bit 3 – 0x08 – volume name Bit 4 – 0x10 – subdirectory Bit 5 – 0x20 – archive Bit 6 – 0x40 – unused 1 Bit 7 – 0x80 – unused 2 www.4linux.com.br 12 / 19

13. Writing a tool ●Windows API function CreateFile does not recognize 0x40 attribute. ● libfat (Linux) also does not work. ● ioctl does not work =( ● The unused attributes are undefined (probably reserved for future use). ● Creates an “undeletable” autorun.inf. ● Sets the attributes 0x40 (unused) and 0x02 (hidden). ● Free and Open Source Software. www.4linux.com.br 13 / 19

14. Writing a tool 1. Create a regular autorun.inf file. 2. Identify FAT-32 structures. 3. Read structures to search for autorun.inf file entry in table. 4. Look for attribute byte. 5. Set 0x40 attribute. It's a good idea to set 0x02 attribute too. www.4linux.com.br 14 / 19

15. The new tool: OpenVaccine ● Written in C. ● Originally designed for Linux. ● Creates an autorun.inf file. ● Immunize USB storage medias. ● Creates an “undeletable” autorun.inf. ● Sets the attributes 0x02 (hidden) and 0x40 (unused). ● Free and Open Source Software (GPLv3). ● USE AT OWN RISK. Backup first. ;) www.4linux.com.br 15 / 19

16. The new tool: OpenVaccine $ sudo ./openvaccine /dev/sdd1 /media/DANI1G/ OpenVaccine 0.8 by Fernando Mercês (fernando@mentebinaria.com.br) Partition /dev/sdd1 + FAT32 (mkdosfs) + 1.86G (1949696 bytes) + mirroring enabled + 1952690 sectors + 512 bytes per sector + 4k clusters + serial is 3673364101 autorun.inf created at sector 0xf04, byte 0x20 (offset 0x1e0620). www.4linux.com.br 16 / 19

17. Conclusion ● I have studied FAT-32 filesystems only. ●OpenVaccine will create an “undeletable” autorun.inf, so with source code, it's easy to write a tool that deletes it. ● I think USB will still be a problem, but this tool can minimize risks. ● Use reversing for open source reimplementation! www.4linux.com.br 17 / 19

18. References ● Paper (in Portuguese) www.mentebinaria.com.br/textos#0x1a ● OpenVaccine http://openvaccine.sf.net ● USBForce http://usbforce.sf.net ● Demo video http://va.mu/J4yY (case sensitive) www.4linux.com.br 18 / 19

19. Thank you! Fernando Mercês (@MenteBinaria) fernando.merces@4linux.com.br www.4linux.com.br www.hackerteen.com twitter.com/4LinuxBR +55 (11) 2125-4747 www.4linux.com.br 19 / 19

[SCTI 2011] - (Des)protegendo mídias USB

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie [SCTI 2011] - (Des)protegendo mídias USB

Ähnlich wie [SCTI 2011] - (Des)protegendo mídias USB (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

[SCTI 2011] - (Des)protegendo mídias USB