How to prevent automatic USB based infections without a resident AV?

Discussion in 'other anti-malware software' started by AlexC, Jul 20, 2010.

Thread Status:
Not open for further replies.
  1. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    What's the best (simplest, effective, low resource usage) way to stop USB-based infections (that automatically infect the computer the moment you plug it in), without using an anti-virus resident shield (I'm running Windows 7 x64)?
    I'm not sure if Sandboxie (paid) can do that.
    Thanks
     
  2. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,081
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
  4. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    I think that Windows 7 already has autorun disabled by default.
    I guess Panda USB Vaccine and software like the one referred to by Rmus will
    only prevent infections that work using autorun.inf, but not this one, for instance: https://www.wilderssecurity.com/showthread.php?t=276994
    Maybe it's possible to automatically run an inserted USB virtualized?
     
  5. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Not correct.

    Any White Listing product will block the running of any executable not on the White List, no matter what the triggering mechanism is, whether autorun.inf file or link shortcut file.

    While it's not feasible to test the complete exploit you refer to, since the specially crafted .lnk files point to a specific USB device, I simulated the vulnerability by manually executing my own shortcut .lnk file to the malware executable:

    https://www.wilderssecurity.com/showpost.php?p=1713962&postcount=98

    The same result would occur if the .lnk file were started by remote code execution (automatically).

    In another forum, Anti-Executable v.2 was tested against the current PoC of this exploit floating around, and it blocked it successfully. Any similar solution would also effectively block it.

    ----
    rich
     
  7. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    The above summarizes very well what kind of protection anti-executable technology provides. If it cannot execute, it cannot infect.

    AE's weak point is, as usual, how to know if a program can be trusted (executed) or not.
     
  8. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    Originally posted by AlexC
    Limited User Account
    Windows Security Policies
    Windows Permissions
    Read Only/Read Write (switchable) USB Flash Drive
     
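    As an added example that is not part of any post in this thread, the PowerShell script below audits the Windows 7 controls the discussion touches on: the AutoRun state AlexC mentions, the whitelisting (Software Restriction Policies / AppLocker) approach Rmus describes, and the limited user account and policy items in ParadigmShift's list. The registry keys, value names and cmdlets are the documented Windows ones; the "Safe" verdicts and the helper names (New-Finding, Get-AutorunState and so on) are my own and are assumptions, not anything a poster wrote. It is read-only and changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the Windows 7 settings
# that decide whether a freshly plugged USB drive can run code on its own.
# Registry paths, value names and the AppLocker cmdlet are the documented ones;
# the Safe verdicts are this script's own interpretation. Run from an elevated
# prompt. Written in PowerShell 2.0 syntax, as shipped with Windows 7.

function New-Finding($Setting, $Value, $Safe, $Note) {
    New-Object PSObject -Property @{
        Setting = $Setting; Value = $Value; Safe = $Safe; Note = $Note
    }
}

function Get-AutorunState {
    # NoDriveTypeAutoRun is a bitmask of drive types excluded from AutoRun;
    # 0xFF (255) excludes every type, removable media included.
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $mask = (Get-ItemProperty -Path $explorer -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    New-Finding 'NoDriveTypeAutoRun' $mask ($mask -eq 255) 'Set to 0xFF to disable AutoRun for all drive types'

    # The IniFileMapping entry points every autorun.inf lookup at a registry key
    # that does not exist, so Explorer never honours the file's contents.
    $mapping = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $redirect = (Get-ItemProperty -Path $mapping -ErrorAction SilentlyContinue).'(default)'
    New-Finding 'IniFileMapping\Autorun.inf' $redirect ($redirect -eq '@SYS:DoesNotExist') 'Optional belt-and-braces redirect'
}

function Get-WhitelistState {
    # Software Restriction Policies: DefaultLevel 0 = Disallowed (whitelist mode),
    # 0x40000 = Unrestricted (the default, blacklist mode), 0x20000 = Basic User.
    $safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $level = (Get-ItemProperty -Path $safer -ErrorAction SilentlyContinue).DefaultLevel
    New-Finding 'SRP DefaultLevel' $level ($level -eq 0) '0 means only explicitly allowed paths/hashes/publishers run'

    # AppLocker (Windows 7 Ultimate/Enterprise): count rule collections that are
    # actually enforced rather than audit-only or not configured.
    $enforced = 0
    $policyXml = $null
    try {
        Import-Module AppLocker -ErrorAction Stop
        $policyXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
    } catch { }   # module absent on Home/Professional editions; report 0
    if ($policyXml) {
        $xml = [xml]$policyXml
        $enforced = @($xml.AppLockerPolicy.RuleCollection | Where-Object { $_.EnforcementMode -eq 'Enabled' }).Count
    }
    New-Finding 'AppLocker enforced collections' $enforced ($enforced -gt 0) 'Exe/Script collections in Enabled mode block unlisted binaries'
}

function Get-AccountState {
    # A limited (standard) account cannot install drivers or write to system
    # locations, which contains most USB-borne droppers. Caveat: with UAC on, an
    # administrator in a non-elevated prompt also reports "not admin" here.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    New-Finding 'Running as limited user' (-not $isAdmin) (-not $isAdmin) 'Day-to-day use should be a standard account'
}

function Get-RemovableDriveState {
    # DriveType 2 = removable. Report any autorun.inf sitting at the root of a
    # currently mounted stick; its presence is worth a look even with AutoRun off.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $inf = "$($_.DeviceID)\autorun.inf"
        $present = Test-Path -LiteralPath $inf
        New-Finding "autorun.inf on $($_.DeviceID)" $present (-not $present) 'Unexpected autorun.inf on a personal stick deserves inspection'
    }
}

# Collect every finding into one table; a Safe = False row is something to fix.
$report = @(Get-AutorunState) + @(Get-WhitelistState) + @(Get-AccountState) + @(Get-RemovableDriveState)
$report | Format-Table Setting, Value, Safe, Note -AutoSize
```

    The script reports rather than repairs on purpose: the AutoRun mask and the SRP default level are normally pushed through Group Policy (gpedit.msc on Windows 7), and an audit like this is how you confirm the policy actually landed on the machine, which is the check a whitelisting-based setup depends on.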
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well Buster (driving on a BSA :D ),

    What about having paid for it makes it trustworthy? What about programs from trusted vendors or signed programs? Most download portals provide a 'virus checked' stamp.

    Malware and adware have killed the idea of the lean client, which loaded apps or 'beans' or, for the sake of it, ActiveX from the web when the customer needed it.

    People tend to communicate through virtual channels more and more. Having a USB stick means you actually had real physical contact with someone who put something on your USB stick. This in itself is rare for most heavy PC users.

    The above trends greatly reduce the problem of the user making a correct decision. On top of that, someone :p provided amateur malware analysts with a nice tool called Buster Sandbox Analyzer, which can be used in combo with a really solid application virtualisation tool.

    Regards, Kees
     
    Last edited: Jul 21, 2010
  10. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Thanks!:thumb:
     
  11. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Nice, I noticed my thread got deleted but this one helped a lot! :D :thumb: :thumb:
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    PE Guard 2.1 ;)
     
  13. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468