Sick of Flash Drive Virus's? Read Me!

Viruses, hackers and crackers
Ron2K
Forum Technical Administrator
Posts: 9050
Joined: 04 Jul 2006, 16:45
Location: Upper Hutt, New Zealand

Re: Sick of Flash Drive Virus's? Read Me!

Post by Ron2K »

Nice topic. Going to sticky this...
Prime
Registered User
Posts: 27729
Joined: 01 Mar 2004, 02:00
Location: Getting into trouble

Re: Sick of Flash Drive Virus's? Read Me!

Post by Prime »

Tribble wrote: But your client's drives may not be better than USB ports :lol:
External CD writer + DVD < R400. Roughly the same cost as a moderately priced, reasonable-quality flash drive?

garp, those little write-protect buttons are the weakest part of the flash drive. They are the only moving part on the entire drive and can be argued to be the weakest spot.

Another good strategy: always close the popup that launches when you plug in your flash disk and open the drive through Explorer (right-click on the drive in My Computer and click Explore). This prevents your computer executing any autorun script that might be hiding on the disk.
Screeper
Registered User
Posts: 3692
Joined: 04 Apr 2003, 02:00

Re: Sick of Flash Drive Virus's? Read Me!

Post by Screeper »

Prime wrote: Another good strategy: always close the popup that launches when you plug in your flash disk and open the drive through Explorer (right-click on the drive in My Computer and click Explore).
I think it is too late by then. Isn't that popup also part of the autorun?

A colleague and I played around with one of those autorun.inf viruses that was infecting one of the laboratories that we support.
We found that holding down Shift (and continuing to hold it) as you plug in your flash drive seemed to stop the virus from making the leap to the PC.
Synthesis
Registered User
Posts: 14517
Joined: 25 May 2006, 02:00
Location: Location, Location

Re: Sick of Flash Drive Virus's? Read Me!

Post by Synthesis »

garp, yes, now you're on the right track. I'm already stuck with a 16GB flash drive and use pretty much all of it.

ryanrich, rustypup, thank you. This will work and is exactly what I'm after. Naevius has done it, but it costs. After testing the trial I saw that all it does is create a locked autorun.inf file. I did it myself and hopefully it works. There's still a bother in the back of my mind that this isn't enough and someone will think of another way to carry a virus on a flash drive without an autorun.inf file.

Prime, stop with the CDs. It's just not as practical as a flash drive. The autorun feature you speak of is a common "workaround" on the internet. Unfortunately it's not a fix. It's just not practical enough for me to disable autorun on every computer I stick my flash into.

Once we start to take all these long workaround precautions, the virus creators have won. I refuse to give in to them. I hate the bastids and will not make my life more difficult 'cos of them.
Monty
Forum Moderator
Posts: 10000
Joined: 05 Feb 2004, 02:00
Location: Messing with your Mind

Re: Sick of Flash Drive Virus's? Read Me!

Post by Monty »

Prime, it's a bit expensive to burn a new CD/DVD every time a virus definitions update comes out.
DeathStrike
Registered User
Posts: 2663
Joined: 29 Jul 2004, 02:00
Location: hidden deep in the depths of the underworld is my home.

Re: Sick of Flash Drive Virus's? Read Me!

Post by DeathStrike »

Synthesis wrote: DAE_JA_VOO, you are correct. Logically NO antivirus, resident or not, can detect an autorun.inf file being created on your flash drive and being copied to another computer. Each is specific to its own nature.
Really? Have you tried Avast? I swear Avast picked up an autorun.inf file as a virus. Not sure how? Perhaps as a false positive. :D lol.
Prime
Registered User
Posts: 27729
Joined: 01 Mar 2004, 02:00
Location: Getting into trouble

Re: Sick of Flash Drive Virus's? Read Me!

Post by Prime »

Synthesis wrote:
Prime, stop with the CDs. It's just not as practical as a flash drive. The autorun feature you speak of is a common "workaround" on the internet. Unfortunately it's not a fix. It's just not practical enough for me to disable autorun on every computer I stick my flash into.
Who said anything about disabling it? :? You are just not activating it, because it only runs if you double-click in My Computer. :? Though what I am saying really applies to infected flash disks.

And I am perfectly entitled to say I disagree with you, given that I trust flash disks about as far as I can throw them.

What happens if your programs on the flash want to write a log file to the disk, out of curiosity?
Synthesis wrote: Once we start to take all these long workaround precautions, the virus creators have won. I refuse to give in to them. I hate the bastids and will not make my life more difficult 'cos of them.
Who said anything about disabling it? :? You are just not activating it, because it only runs if you double-click the drive in My Computer. :? Though what I am saying really applies to infected flash disks.

I hate the %^&$ers too. I live with it because there is no practical workaround when you need to use your flash disk on a varsity PC. Instead I scan my flash whenever I get home and kill any autorun file regardless of what it actually does.


Monty wrote: Prime, it's a bit expensive to burn a new CD/DVD every time a virus definitions update comes out.
Buy a rewritable :P
Prime
Registered User
Posts: 27729
Joined: 01 Mar 2004, 02:00
Location: Getting into trouble

Re: Sick of Flash Drive Virus's? Read Me!

Post by Prime »

DeathStrike wrote:
Synthesis wrote: DAE_JA_VOO, you are correct. Logically NO antivirus, resident or not, can detect an autorun.inf file being created on your flash drive and being copied to another computer. Each is specific to its own nature.
Really? Have you tried Avast? I swear Avast picked up an autorun.inf file as a virus. Not sure how? Perhaps as a false positive. :D lol.
So did Trend and McAfee :?
Psi_Co_killa
Registered User
Posts: 39
Joined: 04 Jan 2010, 15:42

Re: Sick of Flash Drive Virus's? Read Me!

Post by Psi_Co_killa »

Hi there

I have also been looking 4 a way to protect my flashdisk from viruses on client PCs.
Not really much u can do though... except be aware and run a good antivirus: I like Avast Pro and Ad-Aware.

The most important thing u must do is: Tools > Folder Options and show hidden and system files (what that will do is allow you to c the hidden dangers when u plug your stick into ur PC, and also if u can't c hidden + system files anymore, it serves as a 1st warning that u r infected). If u already can't c hidden + system files anymore on your PC, ur PC is already infected... EDIT: also the quickest way to check a suspect PC b4 plugging u'r usb-stick in.

I have looked high + low for usb-sticks with a lock button: u just don't get them anymore... (tried Sahara + Esquire + Pinnacle Micro + Rectron in Durban and in Cape Town... no luck, even tried Incredible Deception {haha}... nothing).
I have a little 128Mb stick with lock, and I plug this into untrusted PCs 1st; on there I have a couple of portable antivirus tools (McAfee Stinger (old now) + Malwarebytes portable, ClamWin portable, registry cleaners etc...) which I run 1st...

I found an app called Flash Disinfector which creates an "autorun.ini" folder in the root of the flashdisk (get it from pendriveapps.com).
This sorta works, but some clever viruses have been able to delete it and put their own file there (even after I made the folder and its contents "read-only"). Such clever viruses have been few + far between tho.

I also made an autorun.inf text document (read only + not hidden) which I put on the root of my usb-drive.
The idea is that if I can c the autorun.inf file on my flashdisk, generally it means I am not infected (because most viruses will rewrite + hide this file along with other system files).

So I check the contents of this file before removing my stick from a client's PC: open as a text doc. If it has my data in there, all good;
anything else... just delete it.


If like most people nowadays u use a USB-menu app (ASuite/CodySafe/LiberKey etc.), most of these will create an autorun.inf
for you to help the app start when u plug in your stick (I think CodySafe will even tell u when changes are made to the autorun.inf). Make the autorun.inf "read-only + not hidden" so u can check it before removal.

These measures are not guaranteed to keep you safe, but they have gone a long way to keeping lesser infections off my PC.

Also, as a last measure, download Spyware Terminator and install it. It is a realtime anti-spyware app (normally I don't have it running; I only launch it before plugging a flashdisk in and run it in DENY MODE, THEN PLUG IN THE USB). Even if there's a virus on the stick, S.T. will block (DENY) its actions, giving u a chance to clean it.

HOPE THIS HELPS
Regards
Psi_
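One way to do the check described in the post above (open the drive's autorun.inf, confirm it still holds your own marker text) and also to see what a rewritten one would launch, as an added Python example that is not code from the thread or from any tool named in it. The marker and the rewritten file are constructed samples, and `check_drive` assumes its argument is a drive root such as E:\.

```python
"""Check a flash drive's autorun.inf: parse it, list directives that would
launch a program, and confirm it still holds the owner's own marker text.
Added example; all sample file contents are constructed for it."""
import os
import re

# [autorun] keys that make XP-era AutoPlay/AutoRun launch a program.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... adds a context-menu verb that runs a program.
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return {section: {key: value}} from INI-style text. Tolerates blank
    lines, ';' comments and repeated keys (last one wins); text outside any
    section is ignored. Section names and keys are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text):
    """List (key, value) pairs under [autorun] that would run something."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in EXEC_KEYS or SHELL_CMD.match(k)]


def is_my_marker(text, expected):
    """The check from the post: the file should hold exactly the marker the
    owner wrote; any difference means something rewrote it."""
    return text.strip() == expected.strip()


def check_drive(root, expected):
    """Read autorun.inf from a drive root (assumed to look like 'E:\\') and
    report on it. Hidden/system attributes do not hide it from os.path."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.exists(path):
        return {"present": False, "launches": [], "mine": False}
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {"present": True, "launches": launch_directives(text),
            "mine": is_my_marker(text, expected)}


# Constructed: the owner's harmless marker (a label only; nothing runs).
MY_MARKER = "[autorun]\nlabel=MYSTICK\n"
# Constructed: the shape of a worm-rewritten file. 'action' mimics Explorer's
# own "Open folder" entry; 'open' and the shell verb point into a hidden dir.
REWRITTEN = ("[autorun]\n"
             "action=Open folder to view files\n"
             "open=RECYCLER\\launcher.exe\n"
             "shell\\open\\command=RECYCLER\\launcher.exe\n")

if __name__ == "__main__":
    for name, text in (("marker", MY_MARKER), ("rewritten", REWRITTEN)):
        print(name, launch_directives(text), is_my_marker(text, MY_MARKER))
```

A marker that contains only a `label=` line yields no launch directives, so any non-empty result from `launch_directives` on your own stick is itself the warning sign.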
Psi_Co_killa
Registered User
Posts: 39
Joined: 04 Jan 2010, 15:42

Re: Sick of Flash Drive Virus's? Read Me!

Post by Psi_Co_killa »

I have some ideas and would like to know what u guys (gurus) think.
I haven't got any coding skills and don't really know the inner workings of Windows, so I might b barking up the wrong tree completely... but just maybe it sparks an idea with some1 with some skills in coding to do something.

So rather than just being another complainer I am trying to come up with ideas how we can beat this scourge...
Plant the seed + see what happens...

SO HERE IT IS...
Basically an application, resident on your flashdisk, which can stop the spread of these pesky viruses (hear me out).
It starts before autoplay: no autoplay window with options, it just starts a browser window to the drive,
or when u dbl-click in Explorer it opens as well, using its own onboard browser.

It would need to be more of an action blocker than a full virus scanner (similar to Spyware Terminator's Deny Mode, but focused only on the flashdisk's processes).

As usual, this wouldn't completely stop virus spreading, but I am sure (guessing) that it would definitely slow their spreading down.
In the work environment, if I stick my flashy into an infected PC I will basically be spreading that infection onto every PC I plug it into until I get home + my anti-virus picks it up + cleans the flashy. (That can be as many as 5-10 PCs every day...)

I do know that Windows (XP at least) identifies a flashdisk using what's called the "removable media bit" or RMB 4 short,
and I am guessing most viruses use the detection of said RMB to copy themselves onto any sticks plugged into the infected PC.

So the app might be initialized by / linked to the processes that tell Windows a flashdisk is plugged in, to launch...
launching the onboard browser/blocker, which supersedes the client PC's OS's own browser + autoplay.
It doesn't need to scan and clean the client PC, only stop it from putting its **** onto the stick (in the work environment there's no time 4 scanning).

Preventing autorun.inf and any batch files (.bat extension) and maybe any hidden files from copying themselves onto the stick...
I think that's it... all it would need is a blocker of hidden files and maybe (possibly in version 2.0) any hidden processes
(cause all viruses are by default hidden files and run as hidden processes). A nice easy identifier, no?
No need for extensive lists of virus definitions??? WHY HAVEN'T THE AV-VENDORS THOUGHT OF THIS???

Possibly with a dialog which asks if the file / process is 1 u r familiar with or not, and if u want to copy / allow it or not.
Even if the user himself tries to create a hidden file/folder on the drive, the dialog should ask if this is intentional / allowed / not.
If an application u are copying has .bat files then the browser/blocker dialog should ask as well if they're allowed.

It's the 1 common denominator shared by all viruses / malware that spread by copying themselves onto flashdrives and into other installers
(hidden files + / hidden processes... then when it gets an Explorer "query" (don't know if that's the right word) when you plug it into the next PC
(initiated by autoplay usually), then the virus launches + / copies itself onto the next PC and into the registry + recycler + system restore + temp folder + into the system32 folder etc.)

So it would need some kind of browser functionality that has the ability to view hidden files, that doesn't rely on the client PC's operating system's Explorer browser (which a virus could have infected, blocking the whole "view hidden files" thing).
I am sure I have seen alternative Explorer-browsers floating around the portable applications circuit;
just don't know if they do the view hidden files thing also... possibly just modifying 1 of them might work.

Sadly, I think that copying an infected application off some1 else's PC onto u'r flashdisk is unavoidable,
and normal antivirus should c these; I don't even think the app should b able to detect these
(if possible tho, cool, maybe version 3.0, but this opens up the need to update, and I don't think that in a work environment you would have the time / even the internet access needed to do updates every time u plug ur stick in somewhere...).

U shouldn't trust installers from other ppl's PCs to begin with... especially if it's in the work environment and u are already
suspicious of the client's PC... viruses like Mabezat / Kavos / Virut / Kavos could have infected their installer.exe's.
I c these every day on ppl's PCs and flashdisks, and they are a pain to remove...

The joke is that viruses already have the capabilities that the app would need (and that I am talking about):
_________________________________________________________________________________
1) detecting usb sticks
2) running/copying hidden files onto them using hidden processes
3) using autoplay to launch processes the second u plug your stick in, even if u close the autoplay window immediately (it's too late...)
4) re-writing deleted autorun.inf files / folders
5) making certain files undeletable + unchangeable (shy of a full format)
So it would be nice to be able to use their own weapons against them...
_________________________________________________________________________________
Again, I might be completely wrong in many / all my assumptions, but let's hope some1 can make sense of it all.
Looking forward to hearing ideas on the matter, especially possible stumbling blocks in my thinking.
It always helps to bounce ideas off other people; it helps in gaining insight + understanding.
I am hoping that your responses might help a clever person 2 really do this... we will all benefit.

So to recap:
-------------
Application main purpose
________________________
Stop the spread of hidden nasties onto flashdisks in the work environment
(specifically "hidden" nasties). Any file with this as a property is treated as suspicious and blocked immediately.
If you don't pick up infection, u can't spread it...

Application features
_______________________
1- resident on flashdisk (undeletable, short of a format)
2- app is in an undeletable + read-only folder with an undeletable + read-only autorun.inf
3- starts when autoplay kicks in or on RMB detection / on normal attempts 2 explore the stick (whichever is safest + has priority access to the disk)
4- has own browser with "view hidden" capability and its own "COPY-scanner" (not OS-browser dependent)
5- has a blocker which blocks any "hidden" files/folders/processes from copying onto the stick
6- blocker also blocks autorun.inf + .bat files from copying to the stick; asks for confirmation before copying them (user discretion here)
7- has a dialog which asks for confirmation when a "hidden" file-copy/process is detected (code to confirm the copy? commercial version {hehehe})
8- must be the last process to stop when ejecting a flash stick


ANY THOUGHTS??? Be gentle...
Synthesis
Registered User
Posts: 14517
Joined: 25 May 2006, 02:00
Location: Location, Location

Re: Sick of Flash Drive Virus's? Read Me!

Post by Synthesis »

Psi_Co_killa, interesting, but it's been done. Most USB "virus vaccinators" create a read-only hidden autorun file so that others can't be created. Viruses have just gotten more intelligent and I haven't found such a one that helps. Any virus now somehow still overwrites a protected autorun file.

Here's something else to look at before I give you a solution though.

I'll let you do the reading.

Meet the next generation of USB flash drives. The U3 smart drive. It's what's inside that makes them smart.
Wiki explanation

Startkey: Microsoft's version of U3 on steroids

Now, a simple, logical, yet effective solution to avoid autorun viruses on flash drives being transferred.

When inserting a flash drive, external hard drive or any other removable media, HOLD IN SHIFT.
This disables your device from autorunning. Virus being transferred avoided! :wink:

Then instead of opening My Computer and double-clicking to open, as this will cause autorun to activate, use Windows Explorer. The shortcut key is "Windows key+E".
Select your flash drive in the folder list and access your files in the right preview pane.

So spread this and hopefully everyone starts to adhere, and maybe Microsoft will even disable the autorun function in future versions of their products due to it being a security hazard, because you just can't expect every PC user to disable the autorun feature manually on every PC themselves.
Psi_Co_killa
Registered User
Posts: 39
Joined: 04 Jan 2010, 15:42

Re: Sick of Flash Drive Virus's? Read Me!

Post by Psi_Co_killa »

Cheers 4 that; holding down Shift to stop autoplay is easy enuf to teach to clients.
It's the users of these PCs that can't be controlled; sum1 at work even suggested putting silicone in the usb ports
(yeh that'll stop em... hehehe), and that's why sum sort of app is required.

Startkey looks interesting (from MS) but I think it's just gonna be another way 4 viruses to spread (bring all your nasties with u from 1 PC 2 the next), not just 1... remember most of u'r viruses nowadays hide in the "My Docs" folder somewhere, so bringing all of that with is possibly a bad idea.

...and it's just another way for Microsoft to control hardware design (just look at GFX cards + DirectX... MS pretty much dictates GFX card design with it).

It's just gonna be another way for them to wriggle their way into more areas of computing. A quote from the article: "As mentioned previously, Microsoft plans to publish formal design guidelines in the near future to help (sic...) all flash-based device manufacturers design machines capable of a high-quality Windows experience." THIS, my dear friends, is known as "spin"; just read between the lines..... wriggle wriggle........ ;..( ;.....(

I downloaded the U3 installer; it only works with U3 devices... but from the picture it looks much like the PortableApps launcher and every other launcher out there (CodySafe, ASuite, LiberKey, PortaMenu etc.). These haven't helped me at all; tried them all...

What I'm talking about is an app which basically uses bits of virus code to jump the gun on real viruses (as per my rather lengthy description...): "seeing" if it's changed + rewriting its own autorun etc. W32/Vitro does this even if I make my own autorun file read-only. I tried Flash Disinfector + Panda immuniser, but as they are resident on the host PC, not the flashdisk, it requires further installs, not allowed in the work environment. What we need is an app resident on the flashdisk (portable, no install) that blocks any "hidden" files + processes + stuff from getting onto it. I honestly think that the "hidden" property is gonna be the easiest way to identify bad files + processes (all the viruses I have come across were "hidden" files + ran as "hidden" processes); legitimate software has nothing to hide.

So far the best thing I found is Autorun Eater (posted a thread on it...), but this also only blocks autorun files (not the viruses that come with them). It also requires installation and getting permission from (rather testy) network admins.

I am actively searching for something tho + will definitely post in this forum if I find anything that works like I want it 2.
It's gotta be out there somewhere... (come on internet....)
Found an app called TrustPort Antivirus USB Edition, but as it's not free and requires a licence I couldn't test it (+ I'm prolly gonna get burned now 4 advertising / sumthing...). Any1 have any experience with this software?

Sorry, I ramble on + on + on...
Regards
Psi_
DeeVeeDee
Registered User
Posts: 172
Joined: 09 Apr 2010, 15:18

Re: Sick of Flash Drive Virus's? Read Me!

Post by DeeVeeDee »

Also bear in mind that when Windows autorun has been turned off it can't infect or protect itself on the USB stick.
Autorun viruses don't always come from the stick; they come from the PC side as well, infecting all drives.

So if a PC was infected and autorun was turned off for obvious security reasons or on suspecting a virus, it will actually actively work against your idea and do the opposite of protecting. And the stick will only be open to being infected instead of infecting or protecting.