How to prevent infections from flash drives?

I think this issue is fairly similar to network security: you need a firewall because you’re connected to other computers; but you’re also connected through removable drives, it doesn’t matter that the connection is occasional instead of permanent. Just like the Internet, removable drives are intrinsecally dirty because you may (will) need to plug them to computers outside of your control. (I know the Internet can be even more dangerous because you needn’t try to connect to something for that something to try and connect with you, but bear with me.) And if you hadn’t the need to plug them back in your computer, you wouldn’t be using them.

Foremost question: is the autoplay feature the only danger, or is there another way for a nastie in a removable drive to enter a computer? I mean without any action from the user other than plugging the drive; double-clicking a virus program that happened to have found its way into the drive wouldn’t count even if there was no user action in the first infected computer when the virus entered. Only without user action in the target computer, like autorun (when enabled).

If there are other ways for a nastie to slip into my computer with autoplay disabled and no action from my part, please let me know. :o

Well a bit sophistacated nastie will more likely enable the autorun back, but CFP should alert you on this :slight_smile:
There are tools to prevent writing from flash drives completly :slight_smile:

where do i get it then ???
btw, i’ve disabled the autorun function from removable disk on my laptop, but i forget how did i do it (:TNG)

Try this tool

I had to do a little research on this one. My information is from “Windows XP Inside and Out” 2nd edition.

Autoplay can be turned off on a drive-by-drive basis, for all “CD-ROM” drives, or for “all drives”. The “all drives” is everything: CD’s, network drives, compact flash cards, and other non-disk media. “CD-ROM” includes CD’s, DVD’s, removable drives (I presume that to mean USB sticks), and networked drives.

Considering that things like USB sticks don’t get a drive letter until they’re plugged in, you have a chicken-egg problem in trying to avoid autoplay. I think the “all drives” is the only viable choice.

XP Pro can use Group Policy to set the “all drives” using gpedit.msc in ComputerConfig\AdminTemplates\System. XP Home has to use regedit to enter a new key and corresponding Dword value.

While all that turns off Autoplay, I seem to recall there being some other run-this setting when the machine is booting up and searching for connected drives that have installable drivers, kind of like the old config.sys from the DOS days. I haven’t researched that one.

KEWL! downloading… ;D

If it were able to run code before autoplay was enabled, in order to enable it, then it wouldn’t need to do so, since the only reason why autoplay is dangerous is because it includes code. :wink:

But anyway, is it really so? We could just accept the theoretical possibiliy of a sophisticated enough nastie, but what I want to know is, does such thing really exist, can it really exist?

I remember some program for DOS that formatted floppies with 2.00 MB capacity instead of 1.44, and the way it worked was amazingly low-level. When it asked you to insert a blank diskette, it wouldn’t ask you to press a key once the diskette was inserted, instead it would detect the insertion on its own. In order to load the driver so you could read the 2MB diskettes it created, you didn’t have to load it in CONFIG.SYS or the command line: you just had to boot the computer with one of the 2MB diskettes inserted, they all had been written the controlling software somewhere you (or DOS) couldn’t see; and I think the diskette didn’t have to be bootable, if it wasn’t the program would make the BIOS proceed to the hard drive instead of asking to retry or remove the diskette as usual. So it actually worked below the operating system level, somehow like a rootkit, and an incredibly clever one too. Recalling it now it sounds impossible and seems as if I’m remembering wrong, but I think I’m not bananas…

With this example in mind, could we just state that everything’s possible and cower in fear? Still I’d like some expert opinion if possible. (And I bet most malware authors won’t bother with this stuff if they can make their nasties with the Windows API and it will work with 90+ per cent of the people who’re not careful…) Besides low-level code could stop working after changes in the specific hardware.

CFP should alert you on this

Yes of course, D+. (M) But I was thinking about something that’s not a full HIPS.

That’s closer to what I was thinking, along the lines of what I first said:

I wonder if there’s some “drive firewall”, or better yet if Windows itself can do the trick. Still that program makes pretty much the opposite of what I’d be looking for. If a drive is infected my concern is blocking unsolicited data flow from it, not towards it. Following the networking analogy, that program is like a firewall that can block your ability to connect to the Internet, but lets anyone connect to you (no inbound protection). I don’t see a lot of applications for it, although there may be a few.

Yes I think I stumbled upon the reduced admin interface in my XP Home. :frowning: I guess autoplay can be switched manually editing the registry, but you may find that you need to create a key that doesn’t exist and so you don’t only have to know what value to assign it, but also where to create it, and as which type of key.

What I used and recommend is Microsoft’s TweakUI, which lets you friendily interface with many other settings as well:

By the way, with this tool autoplay can be enabled or disabled on a drive letter basis, or on a drive type (CD and also removable, separately). :-TU

So I think autoplay is covered. But again, is it really the only danger? Is otherwise a full HIPS the only solution? And if the nastie is so badass that it runs below the operating system, wouldn’t the HIPS itself be helpless? :o

So I think autoplay is covered. But again, is it really the only danger? Is otherwise a full HIPS the only solution? And if the nastie is so badass that it runs below the operating system, wouldn't the HIPS itself be helpless? Shocked
I kind of doubt that Autoplay is the only hazard. The way that Windows, in any of its versions, is constructed has more than enough hooks and toe-holds to allow entry. HIPS is one defense, and a very effective one. There are other things that can be done that can make things much much more difficult for malware to inject itself or do damage once it gets in.

Consider NTFS file system permissions. XP Home doesn’t make it easy to use. XP Pro on the other hand can really lock down a box just with permissions. Add-ons like DeepFreeze ( ) and Portslock ( ) extend the concept of permissions considerably. From my own limited experience, anything that can get past those and a full HIPS is not going to be your average malware.

Beyond that, it comes down to policy and user awareness. Even the most secure system is useless against stupidity, unless the box is turned off (and I wouldn’t guarantee that being enough, either).

And the DOS floppy thing was a TSR, as I recall. It got it’s hooks in, and played some really unusal sector layouts to get the density packing up there. Article at 2M (DOS) - Wikipedia

Not very impressive tips but…

That’s a good list. Thank you.

Let me flip the question around.

Here’s the context: I get called in to scan a machine for possible malware. I load up a USB stick with some basic tools, and go use that stick to run a set of scans on a potentially infected machine. Granted that scans aren’t 100% effective, I may have an undetected infected machine that has now infected my USB stick. That makes me very reluctant to take that stick back to the office without a very through cleansing first (done on a different class of machine, usually an *ix/BSD box where I can control mountpoints).

So this question: how to have a USB stick be readonly, and thus uninfectable. There are some USB sticks that have a hardware switch, like the floppy disks have their write-protect tab. These hardware switch sticks have been a bit on the expensive side, of the few that I’ve been able to find. Software write-protect isn’t as protective, as the driver can be bypassed, and a rootkit infected machine would take advantage of the driver.

Besides buying cheap “small” USB sticks by the bag, what other methods are available? The hardware switch sticks seem to be very uncommon, or I’ve just been looking in the wrong place or using the wrong search terms.

Well I suggest that a hips and some virtual technology must be implemented on usb and flashdrives too! This is what I have suggested before, maybe it will be reality some day…

Usb sticks with write protection switches are uncommon I guess manufacturer overlooked this feature but IIRC those switches were subject to usage malfunction and the key could remain read only. There should be no difference in costs.

On a sidenote IIRC, holding shift key should be able to temporarily disable autorun.

It’s easier in a floppy, it was only a mechanical swtich that the reader itself was designed to expect. In a USB drive it would have to be an electronic circuit that allowed current in one direction and blocked it in the other on the same conductor. Tricky.

Yes we hadn’t mentioned it, a good precaution to have at times if you chose not to disable autorun or if at someone else’s machine.

There is a new usb specification, for usb 3.0 this should bring some new stuff to it besides high transfer speeds, I guess there would be some electronical switch as you mentioned

Come to think of this, it wouldn’t be so hard with diodes and thyristors. But come to think of it, in computing a data flow needn’t mean that the electronic current is flowing in that direction or the opposite. So even trickier.

They should have thought before they designed the USB standard, of course, just like for the floppies.

In fact virtually all UFD’s have a read-only switch, problem is most
manufacturers don’t provide the software to enable it .