How to check if a USB flash drive is infected before use by using digital signatures

Discussion in 'other security issues & news' started by MrBrian, Sep 30, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Situation: you don't want to infect a computer when you run executables from a USB flash drive that could have been infected when the USB flash drive was used with a different computer.

    Proposed solution: Put two copies of any digitally signed .exe on the flash drive. I use the Prevx installer as the digitally signed file because it's small. Name one of the files "Test Unaltered" and the other file "Test Altered". Use a hex editor such as HxD to slightly alter the Test Altered file. Confirm in Windows Explorer that the digital signature of file Test Unaltered is good. Confirm in Windows Explorer that the digital signature of the file Test Altered is bad.

    When you put the USB flash drive in a computer, use Windows Explorer to verify that the digital signature of file Test Unaltered is good. If the digital signature of file Test Unaltered is bad, then perhaps malware has infected the Test Unaltered file, and probably other files on the USB flash drive. When you first put the USB flash drive in a computer, use Windows Explorer to verify that the digital signature of file Test Altered is bad. If the digital signature of file Test Altered is good, then perhaps malware has compromised the digital signature verification checking code on the computer. If both of the digital signatures are as expected, then proceed to use the USB flash drive.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Malware with digital signatures does exist, and bypasses many security programs. I would check the hash/checksum, which is far more reliable, and works for any file.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I've written before about using a hash program such as FileVerifier++ to verify hashes on a USB flash drive. One of the problems with this approach though is that you have to execute the hash program first. If you use a hash program present on the USB flash drive, the hash program itself could have been infected by a file infector. A variant of this method would be to use a digitally signed hash checking program as the test files in post #1, and then if the digital signatures are as expected, use the digitally signed hash checking program to verify the rest of the hashes.

    Regarding your first sentence, if malware were to alter the two test files in such a manner that the digital signatures are both good, then this method would also catch that, because the Test Altered file is supposed to have a bad signature. Typically though, I would think that a file infector would alter the test files in such a manner that both would have bad signatures, which the method also catches.

    Note that this method isn't guaranteed to always work, because a file infector could alter some of the executables on the USB flash drive, but not alter one or both of the test files.
     
    Last edited: Oct 1, 2011
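    As an added example (not code from the thread or from any of the tools named in it), the two-canary signature check from post #1 followed by the manifest-hash check from post #3, written in PowerShell. The drive letter, the canary file names and the manifest path are placeholder assumptions; the manifest is assumed to have been written while the drive was known to be clean. Like Explorer, the script relies on the host's own Authenticode verification, which is precisely the weakness the Test Altered file is there to expose.

```powershell
# Added example: verify a USB drive's canary files, then its hash manifest.
# Assumptions (placeholders): drive letter E:, canary names as in post #1,
# and a manifest of lines "<sha256> <path relative to the drive>".
param(
    [string]$Drive    = 'E:',
    [string]$Manifest = 'E:\hashes.sha256'
)

$unaltered = Join-Path $Drive 'Test Unaltered.exe'
$altered   = Join-Path $Drive 'Test Altered.exe'

# Step 1 (post #1): both checks use the host's Authenticode code, exactly as
# Explorer does. A modified signed file normally reports 'HashMismatch'.
$sigGood = Get-AuthenticodeSignature -FilePath $unaltered
$sigBad  = Get-AuthenticodeSignature -FilePath $altered

if ($sigGood.Status -ne 'Valid') {
    Write-Warning "Test Unaltered is '$($sigGood.Status)': the drive may have been tampered with."
    exit 1
}
if ($sigBad.Status -eq 'Valid') {
    Write-Warning "Test Altered reports 'Valid': signature checking on this host cannot be trusted."
    exit 1
}
Write-Output "Canaries behave as expected (Unaltered: $($sigGood.Status), Altered: $($sigBad.Status))."

# Step 2 (post #3): compare every file in the manifest with its recorded SHA-256.
$failures = 0
foreach ($line in Get-Content -Path $Manifest) {
    # Skip blank lines and comments; capture the hex digest and the relative path.
    if (-not ($line -match '^\s*([0-9A-Fa-f]{64})\s+(.+?)\s*$')) { continue }
    $expected = $Matches[1].ToUpperInvariant()
    $path     = Join-Path $Drive $Matches[2]
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Missing: $path"; $failures++; continue
    }
    $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    if ($actual -ne $expected) { Write-Warning "Hash mismatch: $path"; $failures++ }
}

if ($failures -gt 0) { Write-Warning "$failures file(s) failed verification."; exit 1 }
Write-Output 'All manifest entries verified.'
```

    The script exits non-zero on the first failed canary check so that nothing else on the drive is touched once either test file misbehaves, matching the decision rule in post #1.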
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I don't use hash programs on my USB drive. No need to do 2 things when you can just do one and save time/resources.

    Both methods aren't safe once exploits, like the infamous LNK one, are used.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Also perhaps vaccinate the USB flash drive with Panda USB Vaccine.
     
  6. x942

    x942 Guest

    I have ESET Nod32 scan all drives immediately with max settings. I also only allow 3 USB devices on my computer; everything else won't install, thanks to gpedit.msc :D
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Best method would be to sandbox the drive, virtualize the whole system, AppLocker/SRP or similar with .dll monitoring on, or at least a system image in a safe location.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Right, but this might not be possible if it's not your computer that the USB flash drive is being used with.

    The point of this method is to try to avoid situations like this: you use your USB flash drive at Uncle Bob's. Unfortunately Uncle Bob's computer has malware that infects executables on the USB flash drive. Then you run infected programs from the USB flash drive on Uncle Ted's computer, infecting his computer.
     
    Last edited: Oct 1, 2011