Bienvenido! - Willkommen! - Welcome!

Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO
May the source be with you!

Monday, July 26, 2010

Panda USB vaccine

October 8, 2009: New version released.
The Microsoft Windows Operating Systems use the AUTORUN.INF file from removable drives in order to know which actions to perform when a new external storage device, such as a USB drive or CD/DVD, is inserted into the PC. The AUTORUN.INF file is a configuration file that is normally located in the root directory of removable media and contains, among other things, a reference to the icon that will be shown associated with the removable drive or volume, a description of its content and also the possibility to define a program which should be executed automatically when the unit is mounted.
The problem is that this feature, widely criticized by the security community, is used by malware in order to spread by infecting as soon as a new drive is inserted in a computer. The malware achieves this by copying a malicious executable to the drive and modifying the AUTORUN.INF file so that Windows opens the malicious file silently as soon as the drive is mounted.
The most recent examples of this are the W32/Sality, W32/Virutas and also the W32/Conficker worm which, in addition to spreading via a vulnerability and network shares, also spreads via USB drives.
Due to the large amount of malware-related problems associated with Microsoft AutoRun we have created a free utility for our user community called Panda USB Vaccine.
USBVaccine incorporates some command-line arguments that can be used for distribution and management within a network’s endpoints. They are the following:
USBVaccine [ +system|-system ] [ /resident [/hidetray] [/autovaccinate] ] [/experimentalntfs] [/agreelicense] [drive units]
Open Panda USB Vaccine and hit F1 to get the full description of each one of these arguments.
Nice tool, but the technique used to “permanently” vaccinate USB pen drives, since v1.0.1.4 (before this version, it used the autorun.inf folder + reserved names like LPT1), involves a risky operation, i.e. direct editing of the FAT tables, described here:
Be careful…
