[SCTI 2011] - (Des)protegendo mídias USB

•

1 recomendación•261 vistas

SCTI UENF

Palestrada ministrada por Fernando Mercês na SCTI 2011

Tecnología Noticias y política

 Experiência em missão crítica de missão crítica

 Pioneira no ensino de Linux à distância

 Parceira de treinamento IBM

 Primeira com LPI no Brasil

 + de 30.000 alunos satisfeitos

 Reconhecimento internacional

 Inovação com Hackerteen e Boteconet

www.4linux.com.br 2 / 19

(Un)protecting USB
storage media

www.4linux.com.br 3 / 19

Opportunity

The reverse engineering researcher cant act at:

● Open source resource reimplementation
● Fork projects creation

www.4linux.com.br 4 / 19

$ whoami

● Open Source Software Consultant at 4Linux.

● C language fan (RIP DMR).

● Free and Open Source Software lover.

● Maintainer of pev, T50, hdump, USBForce and other little
tools.

● LPIC-2, A+.

● Reverse Engineering enthusiast.

www.4linux.com.br 5 / 19

Agenda
● Motivation

● Infection via USB

● Existing protection methods

● Protection method idea

● Demonstration

● Writing a tool

● Conclusion

● References
www.4linux.com.br 6 / 19

Motivation

● High infection risk.

● Lack of effective protections.

● Network security bypass.

● Hard administration.

● Users want USB!

www.4linux.com.br 7 / 19

Infection via USB

● autorun.inf (obfuscated or not).

● Not easy to detect (normal users).

● Automatic and fast.

www.4linux.com.br 8 / 19

Existing protections methods

● Disable Autorun (Windows registry).

● USB Antivirus/”firewalls”.

● Windows policies.

● USBForce does this work.

www.4linux.com.br 9 / 19

Protection method idea
● Make autorun.inf read-only.

● The storage partition needs to be still writable.

● Immunize USB storage media against infections.

● There is proprietary tool to do it called Panda USB Vaccine.

● I don't know yet HOW (internally) works, but it works. I need
to learn the method.

www.4linux.com.br 10 / 19

Demonstration

Video: Reversing Vaccine Technique

www.4linux.com.br 11 / 19

Writing a tool
● FAT-32 attributes byte

Bit 0 – 0x01 – read only
Bit 1 – 0x02 – hidden
Bit 2 – 0x04 – system
Bit 3 – 0x08 – volume name
Bit 4 – 0x10 – subdirectory
Bit 5 – 0x20 – archive
Bit 6 – 0x40 – unused 1
Bit 7 – 0x80 – unused 2

www.4linux.com.br 12 / 19

Writing a tool
●Windows API function CreateFile does not recognize 0x40
attribute.

● libfat (Linux) also does not work.

● ioctl does not work =(

● The unused attributes are undefined (probably reserved for
future use).

● Creates an “undeletable” autorun.inf.

● Sets the attributes 0x40 (unused) and 0x02 (hidden).

● Free and Open Source Software.
www.4linux.com.br 13 / 19

Writing a tool

1. Create a regular autorun.inf file.

2. Identify FAT-32 structures.

3. Read structures to search for autorun.inf file entry in table.

4. Look for attribute byte.

5. Set 0x40 attribute. It's a good idea to set 0x02 attribute
too.

www.4linux.com.br 14 / 19

The new tool: OpenVaccine
● Written in C.

● Originally designed for Linux.

● Creates an autorun.inf file.

● Immunize USB storage medias.

● Creates an “undeletable” autorun.inf.

● Sets the attributes 0x02 (hidden) and 0x40 (unused).

● Free and Open Source Software (GPLv3).

● USE AT OWN RISK. Backup first. ;)
www.4linux.com.br 15 / 19

The new tool: OpenVaccine

$ sudo ./openvaccine /dev/sdd1 /media/DANI1G/
OpenVaccine 0.8
by Fernando Mercês (fernando@mentebinaria.com.br)
Partition /dev/sdd1
+ FAT32 (mkdosfs)
+ 1.86G (1949696 bytes)
+ mirroring enabled
+ 1952690 sectors
+ 512 bytes per sector
+ 4k clusters
+ serial is 3673364101
autorun.inf created at sector 0xf04, byte 0x20 (offset
0x1e0620).

www.4linux.com.br 16 / 19

Conclusion

● I have studied FAT-32 filesystems only.

●OpenVaccine will create an “undeletable” autorun.inf, so
with source code, it's easy to write a tool that deletes it.

● I think USB will still be a problem, but this tool can minimize
risks.

● Use reversing for open source reimplementation!

www.4linux.com.br 17 / 19

References
● Paper (in Portuguese)
www.mentebinaria.com.br/textos#0x1a

● OpenVaccine
http://openvaccine.sf.net

● USBForce
http://usbforce.sf.net

● Demo video
http://va.mu/J4yY (case sensitive)

www.4linux.com.br 18 / 19

Thank you!

Fernando Mercês (@MenteBinaria)
fernando.merces@4linux.com.br
www.4linux.com.br
www.hackerteen.com
twitter.com/4LinuxBR

+55 (11) 2125-4747
www.4linux.com.br 19 / 19

Más contenido relacionado

Similar a [SCTI 2011] - (Des)protegendo mídias USB

(Un)Protecting USB Storage Media

Fernando Mercês

Android Variants, Hacks, Tricks and Resources presented at AnDevConII

Opersys inc.

Headless Android

Opersys inc.

Malware analysis, threat intelligence and reverse engineering

bartblaze

IoT: LoRa and Java on the PI

JWORKS powered by Ordina

Hello, Python

hardwyrd

Introduction to iOS Penetration Testing

OWASP

Pentester++

CTruncer

Embedded Linux primer

Drew Fustini

Android Hacks, Variants, Tricks and Resources ESC SV 2012

Opersys inc.

Part 1 of 'Introduction to Linux for bioinformatics': Introduction

Joachim Jacob

IoT Session Thomas More

Kevin Van den Abeele

Cc internet of things @ Thomas More

JWORKS powered by Ordina

Leveraging Android's Linux Heritage at AnDevCon IV

Opersys inc.

Management Zabbix with Terraform

Aécio Pires

IoT em tempo real com Firebase e JavaScript

Henri Cavalcante

Combining Machine Learning with Physical Computing - June 2022

Hal Speed

Linux, a free and open-source operating system, runs more than 100 million websites and it is getting more and more popular running laptop/desktop computers. Windows and even Macintosh users are usually intimidated by Linux because they think that you must be a computer scientist or hacker to install and use it proficiently. This is not true anymore! In this session, Chad Mairn will provide 10 tips to help Linux newbies and/or users thinking of making the switch to become more confident running Linux on their computers.

Top 10 Tips for Beginning Linux Users

St. Petersburg College

DT2014-15 S01: Digital Toolbox

Carlos Cámara

Get your FLOSS problems solved

Rex Tsai

Similar a [SCTI 2011] - (Des)protegendo mídias USB (20)

(Un)Protecting USB Storage Media

Android Variants, Hacks, Tricks and Resources presented at AnDevConII

Headless Android

Malware analysis, threat intelligence and reverse engineering

IoT: LoRa and Java on the PI

Hello, Python

Introduction to iOS Penetration Testing

Pentester++

Embedded Linux primer

Android Hacks, Variants, Tricks and Resources ESC SV 2012

Part 1 of 'Introduction to Linux for bioinformatics': Introduction

IoT Session Thomas More

Cc internet of things @ Thomas More

Leveraging Android's Linux Heritage at AnDevCon IV

Management Zabbix with Terraform

IoT em tempo real com Firebase e JavaScript

Combining Machine Learning with Physical Computing - June 2022

Top 10 Tips for Beginning Linux Users

DT2014-15 S01: Digital Toolbox

Get your FLOSS problems solved

Último

I'm excited to share my latest predictions on how AI, robotics, and other technological advancements will reshape industries in the coming years. The slides explore the exponential growth of computational power, the future of AI and robotics, and their profound impact on various sectors. Why this matters: The success of new products and investments hinges on precise timing and foresight into emerging categories. This deck equips founders, VCs, and industry leaders with insights to align future products with upcoming tech developments. These insights enhance the ability to forecast industry trends, improve market timing, and predict competitor actions. Highlights: ▪ Exponential Growth in Compute: How $1000 will soon buy the computational power of a human brain ▪ Scaling of AI Models: The journey towards beyond human-scale models and intelligent edge computing ▪ Transformative Technologies: From advanced robotics and brain interfaces to automated healthcare and beyond ▪ Future of Work: How automation will redefine jobs and economic structures by 2040 With so many predictions presented here, some will inevitably be wrong or mistimed, especially with potential external disruptions. For instance, a conflict in Taiwan could severely impact global semiconductor production, affecting compute costs and related advancements. Nonetheless, these slides are intended to guide intuition on future technological trends.

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl

Peter Udo Diehl

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “Enterprise Knowledge Graphs: The Importance of Semantics” on May 9, 2024, at the annual Data Summit in Boston. In her presentation, Hedden describes the components of an enterprise knowledge graph and provides further insight into the semantic layer – or knowledge model – component, which includes an ontology and controlled vocabularies, such as taxonomies, for controlled metadata. While data experts tend to focus on the graph database components (RDF triple store or a label property graph), Hedden emphasizes they should not overlook the importance of the semantic layer.

Enterprise Knowledge Graphs - Data Summit 2024

Enterprise Knowledge

Intrigued by why some of the world's largest companies (Netflix, Google, Cisco, Twitter, Uber etc) are using gRPC? In this demo based talk we delve into the world of gRPC in .Net, what it does and why we should use it. We compare the interface with both Rest and graphQL. We will show you how to implement grpc server-side in .net and in the web. Finally, I will show you how the tooling helps you deliver powerful interfaces and interact with them quickly and simply.

Demystifying gRPC in .Net by John Staveley

John Staveley

When you think of a highly secure meeting environment, do you instantly think 'Microsoft Teams'!? Or do you think about some unknown application, troublesome UI and daunting login process...? If you think the latter - let's change that! In this session Femke will show you how using Teams Premium features can create secure, but also good looking meetings! PRETTY. Make sure your company's brand is represented before, during and after the meeting with Customization policies in place. SECURE. Lets utilize Meeting templates and Sensitivity Labels to protect your meeting and data to prevent sensitive information from being leaked. After this session, you will have a clear understanding of the capabilities of Teams Premium features and how to set up the perfect meeting that suits your organizational requirements!

ECS 2024 Teams Premium - Pretty Secure

Femke de Vroome

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf

FIDO Alliance

This talk offers actionable insights at an executive level for enhancing productivity and refining your portfolio management approach to propel your organization to greater heights. Key Points Covered: 1. Experience Transformation: - The core challenge remains consistent across organizations: converting budget into user-centric designs. - Strategies for deploying design resources effectively in both startups and large enterprises. 2. Strategic Frameworks: - Introduction to the "Ziggurat of Impact" model, detailing layers from basic system interactions to comprehensive customer experiences. - Practical insights on creating frameworks that scale with organizational complexity. 3. Organizational Impact: - Real-world examples of navigating design in large settings, focusing on the synthesis of consumer products and customer experiences. - Emphasis on the importance of designing systems that directly influence customer interactions. 4. Design Execution: - Detailed walkthrough of organizational layers affecting design execution, from touchpoints and customer activities to shared capabilities. - How to ensure design influences both the micro and macro aspects of customer interactions. 5. Measurement and Adaptation: - Techniques for measuring the impact of design decisions and adapting strategies based on data-driven insights. - The critical role of continuous improvement and feedback in refining customer experiences.

Structuring Teams and Portfolios for Success

UXDXConf

Join me in this session where I'll share our journey of building a fully serverless application that flawlessly managed check-ins for an event with a staggering 80 thousand registrations. We'll dive into three key strategies that made this possible. Firstly, by harnessing DynamoDB global tables, we ensured global service availability and data replication across regions, boosting performance and disaster recovery. Next, we'll explore how we seamlessly integrated real-time updates into the app using Appsync subscriptions, making the experience dynamic and engaging for users. Finally, I'll discuss how provisioned concurrency not only improved performance but also kept costs in check, highlighting the cost-effectiveness of serverless architectures. Through these strategies and the inherent scalability of serverless technology, our application effortlessly handled massive user loads without manual intervention. This session is a real world example to the power and efficiency of modern cloud-based solutions in enabling seamless scalability and robust performance with Serverless

How we scaled to 80K users by doing nothing!.pdf

Srushith Repakula

As an SEO expert specializing in the IPTV and VPN niches with over five years of experience, I navigate the unique challenges of these industries adeptly. My strategic approach encompasses competitive analysis, targeted keyword research, content optimization, and high-quality backlink creation. My goal is to optimize my clients' online visibility, generating targeted organic traffic and maximizing their return on investment. With a results-driven approach and a passion for innovation, I'm poised to assist my clients in thriving in an ever-evolving digital landscape. <a href="https://iptvreel.com">

THE BEST IPTV in GERMANY for 2024: IPTVreel

reely ones

Unlock the mysteries of successful Salesforce interviews in this insightful session hosted by Hugo Rosario (Salesforce Customer), a seasoned hiring manager that leads the Salesforce Department of multinational company with over 100 interviews under their belt. Step into the manager's chair and gain exclusive behind-the-scenes insights into what makes a Salesforce consultant stand out during the interview process. From deciphering the unspoken cues to mastering key strategies, we'll explore the intricacies of the interview process and provide practical tips for consultants looking to not only pass interviews but also thrive in their roles. Whether you're a seasoned professional or just starting your Salesforce journey, this session is your backstage pass to the secrets that hiring managers wish you knew.

Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...

CzechDreamin

What's New in Teams Calling, Meetings and Devices April 2024

Stephanie Beckett

Screen flow is a powerful automation tool that is commonly designed for internal and external users. However, what about the guest users? We will dive into various methods of launching screen flows and understand how to make them publicly accessible, extending their usability to a broader audience. The presentation will also cover the implementation of security layers and highlight best practices for a smooth and protected user experience. Discover the potential of screen flows beyond conventional use and learn how to leverage them effectively.

Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade

CzechDreamin

Discover the top Symfony development companies that excel in creating robust and scalable web applications. Our latest blog highlights the best firms specializing in Symfony, known for their expertise in delivering high-performance solutions. Whether you’re looking to start a new project or enhance an existing one, these companies offer the skills and experience needed to bring your vision to life. Read more to find your perfect Symfony development partner.

Top 10 Symfony Development Companies 2024

TopCSSGallery

Google I/O Extended 2024 Warsaw

GDSC PJATK

Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)

Julian Hyde

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...

FIDO Alliance

How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf

FIDO Alliance

ScyllaDB has the potential to deliver impressive performance and scalability. The better you understand how it works, the more you can squeeze out of it. But before you squeeze, make sure you know what to monitor! Watch our experienced Postgres developer work through monitoring and performance strategies that help him understand what mistakes he’s made moving to NoSQL. And learn with him as our database performance expert offers friendly guidance on how to use monitoring and performance tuning to get his sample Rust application on the right track. This webinar focuses on using monitoring and performance tuning to discover and correct mistakes that commonly occur when developers move from SQL to NoSQL. For example: - Common issues getting up and running with the monitoring stack - Using the CQL optimizations dashboard - Common issues causing high latency in a node - Common issues causing replica imbalance - What a healthy system looks like in terms of memory - Key metrics to keep an eye on This isn’t “Death-by-Powerpoint.” We’ll walk through problems encountered while migrating a real application from Postgres to ScyllaDB – and try to fix them live as well.

Optimizing NoSQL Performance Through Observability

ScyllaDB

Speed Wins: From Kafka to APIs in Minutes

confluent

WebAssembly is Key to Better LLM Performance

Samy Fodil

TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...

marcuskenyatta275

[SCTI 2011] - (Des)protegendo mídias USB

2.  Experiência em missão crítica de missão crítica  Pioneira no ensino de Linux à distância  Parceira de treinamento IBM  Primeira com LPI no Brasil  + de 30.000 alunos satisfeitos  Reconhecimento internacional  Inovação com Hackerteen e Boteconet www.4linux.com.br 2 / 19

3. (Un)protecting USB storage media www.4linux.com.br 3 / 19

4. Opportunity The reverse engineering researcher cant act at: ● Open source resource reimplementation ● Fork projects creation www.4linux.com.br 4 / 19

5. $ whoami ● Open Source Software Consultant at 4Linux. ● C language fan (RIP DMR). ● Free and Open Source Software lover. ● Maintainer of pev, T50, hdump, USBForce and other little tools. ● LPIC-2, A+. ● Reverse Engineering enthusiast. www.4linux.com.br 5 / 19

6. Agenda ● Motivation ● Infection via USB ● Existing protection methods ● Protection method idea ● Demonstration ● Writing a tool ● Conclusion ● References www.4linux.com.br 6 / 19

7. Motivation ● High infection risk. ● Lack of effective protections. ● Network security bypass. ● Hard administration. ● Users want USB! www.4linux.com.br 7 / 19

8. Infection via USB ● autorun.inf (obfuscated or not). ● Not easy to detect (normal users). ● Automatic and fast. www.4linux.com.br 8 / 19

9. Existing protections methods ● Disable Autorun (Windows registry). ● USB Antivirus/”firewalls”. ● Windows policies. ● USBForce does this work. www.4linux.com.br 9 / 19

10. Protection method idea ● Make autorun.inf read-only. ● The storage partition needs to be still writable. ● Immunize USB storage media against infections. ● There is proprietary tool to do it called Panda USB Vaccine. ● I don't know yet HOW (internally) works, but it works. I need to learn the method. www.4linux.com.br 10 / 19

11. Demonstration Video: Reversing Vaccine Technique www.4linux.com.br 11 / 19

12. Writing a tool ● FAT-32 attributes byte Bit 0 – 0x01 – read only Bit 1 – 0x02 – hidden Bit 2 – 0x04 – system Bit 3 – 0x08 – volume name Bit 4 – 0x10 – subdirectory Bit 5 – 0x20 – archive Bit 6 – 0x40 – unused 1 Bit 7 – 0x80 – unused 2 www.4linux.com.br 12 / 19

13. Writing a tool ●Windows API function CreateFile does not recognize 0x40 attribute. ● libfat (Linux) also does not work. ● ioctl does not work =( ● The unused attributes are undefined (probably reserved for future use). ● Creates an “undeletable” autorun.inf. ● Sets the attributes 0x40 (unused) and 0x02 (hidden). ● Free and Open Source Software. www.4linux.com.br 13 / 19

14. Writing a tool 1. Create a regular autorun.inf file. 2. Identify FAT-32 structures. 3. Read structures to search for autorun.inf file entry in table. 4. Look for attribute byte. 5. Set 0x40 attribute. It's a good idea to set 0x02 attribute too. www.4linux.com.br 14 / 19

15. The new tool: OpenVaccine ● Written in C. ● Originally designed for Linux. ● Creates an autorun.inf file. ● Immunize USB storage medias. ● Creates an “undeletable” autorun.inf. ● Sets the attributes 0x02 (hidden) and 0x40 (unused). ● Free and Open Source Software (GPLv3). ● USE AT OWN RISK. Backup first. ;) www.4linux.com.br 15 / 19

16. The new tool: OpenVaccine $ sudo ./openvaccine /dev/sdd1 /media/DANI1G/ OpenVaccine 0.8 by Fernando Mercês (fernando@mentebinaria.com.br) Partition /dev/sdd1 + FAT32 (mkdosfs) + 1.86G (1949696 bytes) + mirroring enabled + 1952690 sectors + 512 bytes per sector + 4k clusters + serial is 3673364101 autorun.inf created at sector 0xf04, byte 0x20 (offset 0x1e0620). www.4linux.com.br 16 / 19

17. Conclusion ● I have studied FAT-32 filesystems only. ●OpenVaccine will create an “undeletable” autorun.inf, so with source code, it's easy to write a tool that deletes it. ● I think USB will still be a problem, but this tool can minimize risks. ● Use reversing for open source reimplementation! www.4linux.com.br 17 / 19

18. References ● Paper (in Portuguese) www.mentebinaria.com.br/textos#0x1a ● OpenVaccine http://openvaccine.sf.net ● USBForce http://usbforce.sf.net ● Demo video http://va.mu/J4yY (case sensitive) www.4linux.com.br 18 / 19

19. Thank you! Fernando Mercês (@MenteBinaria) fernando.merces@4linux.com.br www.4linux.com.br www.hackerteen.com twitter.com/4LinuxBR +55 (11) 2125-4747 www.4linux.com.br 19 / 19

[SCTI 2011] - (Des)protegendo mídias USB

Recomendados

Recomendados

Más contenido relacionado

Similar a [SCTI 2011] - (Des)protegendo mídias USB

Similar a [SCTI 2011] - (Des)protegendo mídias USB (20)

Último

Último (20)

[SCTI 2011] - (Des)protegendo mídias USB