Test your defenses against malicious USB flash drives

The latest malicious software to spread to untold millions of computers goes by the names Downadup and Conficker.

Computerworld’s Gregg Keizer calls its spread the “biggest attack in years”. One way the software spreads is by infecting USB flash drives (a.k.a. thumb drives, pen drives, flash drives, memory sticks, etc).

This is certainly not the first malicious worm to spread by infecting flash drives.

A couple months ago, the Department of Defense dealt with a variant of the SillyFDC worm known as Agent.btz by banning the use of USB flash drives on government computers.  In September 2008, a computer on board the International Space Station was infected with malicious software that spread via a flash drive. In December 2007, Randy Abrams at ESET, the company behind the NOD32 antivirus program, wrote that “Trojans using autorun to infect computers have been one of the most prevalent threats that we have been seeing for several months now.” And I’ll never forget this 2006 story, Social Engineering, the USB Way, about how a company was infected by malicious thumb drives dropped in the parking lot outside their office. 

Here I’ll show the tricks used by malicious software on USB flash drives and provide a safe sample file that can be used to test how well a computer is defended from the tricks that the bad guys use.

Autorun.inf is the key 

An infected USB flash drive contains the malicious software paired with a malicious autorun.inf file. The autorun.inf file is used to trick the user into running the malware on the flash drive. 

When a flash drive is inserted in a Windows computer, the operating system looks in the root directory for an autorun.inf file, and takes a number of actions, demonstrated below, based on the contents of the file.

The most dangerous action, of course, is running a program and there are four different mechanisms (that I know of) for running programs that reside on USB flash drives. The two most popular approaches are called AutoRun and AutoPlay. But, the terms can be vague, so I’ll avoid using them as much as possible. In How to correct “disable Autorun registry key” enforcement in Windows Microsoft goes so far as to say “Autorun is also known as AutoPlay”.

Interestingly, the most dangerous of the three approaches is often overlooked. I myself, overlooked it back in March 2008 when I blogged about turning off autorun at CNET. In the worst case, the end user (you) has no visual clue that a program was run.

To get a bit ahead of myself, this happens when you double click on the drive letter for the USB flash drive in My Computer. All Windows users know that this brings up  a list of the files and folders on the flash drive. But, a malicious AutoRun.inf file can tell Windows to run a program instead of listing the files/folders.

Below is a sample autorun.inf file. It safely illustrates the things that an autorun.inf file can control, including how to run a program rather than list files when the drive letter is double-clicked on.

I modeled this off the examples found in USB Drive AutoRun.inf Tweaking over a Daily Cup of Tech. You can copy/paste the text below or download the file directly using a link at the bottom of this posting.

This AutoRun.inf is designed to run a copy of the age-old Paint program, a copy that resides on a USB flash drive. If your computer is well defended, it can’t run Paint. My guess is that the vast majority of you will find that Paint does, in fact, run. A Windows computer that lets this autorun.inf file execute Paint, is an accident waiting to happen.

On both Windows XP and Vista, Paint is file mspaint.exe and it resides in the C:windowssystem32 folder. Copy it to the root directory of a USB flash drive along with the sample autorun.inf file below. Other files can reside on the flash drive too, they are irrelevant to this testing.

[autorun]

;—————————————————-

; Test your defenses against infected a USB flash drives

;

; Note: Lines that start with a semicolon are comments

;   and are ignored by Windows

;

; Place this in a file in the root directory of a USB flash drive

; The file name must be autorun.inf

; Also in the root folder, place a copy of Paint (mspaint.exe)

;

; Created by Michael Horowitz January 2009

;—————————————————-

; This shows up in the first line of the Autoplay menu

action=Testing autoplay: Run paint from usbdrive

; This causes the AutoPlay window to run Paint from the flash drive

open=mspaint.exe

; Right click on the drive letter to see this

shellFromFlash=Testing context: run paint from usbdrive

shellFromFlashcommand=mspaint.exe

; Run this when double click on drive letter in My Computer

; Because of the line above, this invokes Paint

shell=FromFlash

; The icon for the drive letter is taken from here  

icon=mspaint.exe

; This is the volume name of the USB flash drive

label=Testing AutoRun Stuff

After putting these two files on a USB flash drive, eject it from the computer and then physically re-insert it. If Autoplay is enabled, a window like that shown below (from an XP Professional machine) will pop up in a couple seconds.

The sample autorun.inf file accounts for the first option “Testing autoplay: Run paint from usbdrive”. The text comes from the “action=” line. The action that Windows takes, when you select this option, comes from the “open=” line. In this case, it runs Paint from the flash drive. The Paint icon (paintbrushes in the clear glass) comes from the “icon=” line.

Beware of AutoPlay Tricks

Bad guys abuse this to trick people into running malicious software that’s on the removable drive.

Specifically,  Downadup (a.k.a. Conficker) makes its new entry in the Autoplay menu look like the normally safe “Open folder to view files” entry.

Below is a Windows XP example of how this looks. Fortunately, there is an obvious clue that the first entry is running software on the flash drive, the second line says “using the program provided on the device”. I don’t know if this too can be changed. Still, even as it now stands, this will certainly fool some people.

The SANS Internet Storm Center has an example of this how this trick appears to Vista users (see Conficker’s autorun and social engineering). They also describe the changes made by Downadup to an autorun.inf file. The malicious software isn’t stored on the flash drive in an obvious place, such as an EXE file in the root folder, rather it’s stored on the flash drive as a .vmx file in a  phony copy of the Recycle Bin.

Fortunately, there are telltale giveaways in Vista too, if you know what to look for. (My only copy of Vista is virtual and it doesn’t do USB drives at all. In fairness, this may be a VMware issue)

The real instance of “Open folder to view files” says “using Windows Explorer” on the second line, the phony copy says “Publisher not specified” on the second line. Also, the two copies are right underneath each other in Vista. In Windows XP the real “Open folder to view files” was buried near the bottom of the list of available options and not immediately visible.  

Woody Leonhard also wrote about this, and his Vista screen shot also says “Publisher not specified” on the second line.

Not to spend too much time on Conficker/Downadup, but an F-Secure blog (the company specializes in anti-malware software) shows how the changes it makes to autorun.inf are obscured with random binary garbage in an attempt to fool antivirus programs. 

F-Secure also has a Vista screen shot of the phony “Open folder to view files”, but in their case the giveaway on the second line says “Published by Microsoft Windows”. Again, if the second line under “Open folder to view files” does not say “using Windows Explorer”, don’t click on it.

F-Secure tried the same trick with Windows 7 and found it to be just as vulnerable to this type of malicious autorun.inf file as Windows XP and Vista.

Don’t Double-Click That Drive Letter 

Some Windows computers have Autoplay disabled. Even without it however, a malicious autorun.inf file can still trick people into running malware from a USB flash drive.

At least with AutoPlay you see a window and know that something is happening. Far more insidious is when an autorun.inf files takes advantage of double-clicking on the drive letter to run a program rather than (or in addition to) listing the files/folders.

If a computer is vulnerable to this type of attack, then my test autorun.inf file will run Paint when you double-click on the drive letter for the USB flash drive. This action comes from the “shell=” line. It will not list the files/folders on the drive, but you can see them by right clicking on the drive letter and selecting either Open or Explore.

Context menu  

There’s actually a third way that a malicious autorun.inf file can try to trick someone into running a program. It can modify the context menu, the menu that pops up when you right click on the drive letter in My Computer.

My test autorun.inf adds a new entry at the top of the context menu as shown below.

The option I added has the obvious name “Testing context: run paint from usbdrive”. The text comes from the “shellFromFlash=” line and the action that it invokes comes from the “shellFromFlashcommand=” line.

Rather than add a new entry to this menu, a bad guy would probably re-define an existing menu entry. For example, with the directives below, clicking on the “Open” menu entry would run Paint. 

shellOpencommand=mspaint.exe

shell=Open 

Immediately running a program

All my testing was done on Windows XP with ServicePack 2. According to Wikipedia, the rules for autorun and autoplay vary based on the drive type, the version of Windows, the service pack applied to Windows and how the operating system is configured. It’s very complicated, but under certain conditions, Windows will run a program on a USB flash drive immediately as soon as the drive is inserted with no visual clue to the end user.

That is, there have been times when malware didn’t need to wait for a double-click on the drive letter.

Jesper M. Johansson, formerly of Microsoft, explained in January 2008 how U3 flash drives trick Windows into immediately running software: 

In a nutshell, a U3-enabled flash drive lies about itself. It tells the OS that it is actually a USB hub with a flash drive and a CD plugged into it. Windows® versions prior to Windows Vista® will, by default, automatically run programs designated in the autorun.inf file on CDs, but not on USB drives. By lying about itself, the U3-enabled USB flash drive fools the OS into autorunning something called the U3 launcher. The U3 launcher, in turn, can start programs…

Immediately running software is probably rare nowadays, but if you are testing with this sample autorun.inf file and Paint runs as soon as the flash drive is inserted, your computer is extremely vulnerable. 

Othere Changes

Two other, relatively minor, changes that an autorun.inf file can inflict are changing the name and icon of the USB flash drive.

My test file changes the drive icon displayed in My Computer (see below) to be the Paint icon, paintbrushes in a glass.

It also changes the volume name to “Testing AutoPlay and AutoRun”. 

We also saw these changes in the first AutoPlay screen shot above. The volume name appeared in the blue stripe at the top of the Autoplay window.

A hidden autorun.inf file isn’t hidden from Windows, so these changes can indicate the presence of an autorun.inf file even on machines configured not to display hidden files.

Jesper M. Johansson came up with an interesting wrinkle that combines methods to entice someone to click on an Autoplay window (see Figure 5). He posits that by making the drive letter name “My Secret Stuff” and by making the text in the Autoplay window say “My Porn Stash”  that many users would probably click on it. Forewarned is forearmed.  

Help is on the way

Soon, I’ll go over a number of ways to defend a computer from malicious autorun.inf files and infected USB flash drives. Suffice it to say, it’s much harder than it should be, which is why millions of Windows PCs are at risk. 

Next up: Autorun and Autoplay: screwed by terminology where I explain that a large part of the problem here is not just poor design (though there’s that), or software bugs (got that too) or even the old stand-by, poor documentation (got it). This quagmire suffers from yet another problem, poor terminology, that gets in the way of fully understanding the issues at hand. 

January 26,2009: This was updated to reflect the fact that normal menu options on the context menu can be compromised. Also added the quote from  Jesper M. Johansson.

January 27,2009: Updated to include Mr. Johansson’s enticement using a combination of methods.

January 30, 2009: For the solution see The best way to disable Autorun for protection from infected USB flash drives