What Utility can block scripts auto-running from flashdisks?

Discussion in 'malware problems & news' started by pepoluan, Dec 10, 2007.

Thread Status:
Not open for further replies.
  1. pepoluan

    pepoluan Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    7
    Location:
    Jakarta, ID
    Dear All,

    In my country, viral infections now spread through flash disks. Many an enterprising programmer (read: hacker) created a virus that's effectively an autorun.inf, and a VBscript with a name such as "win32.dll.vbs".

    Infection happened when an unsuspecting user chucks in a flash disk into an infected computer. The virus/worm will then create those two files on the flash disk. The flash disk now becomes a vector, carried to another PC, chucked in again, and the autorun.inf executes the win32.dll.vbs script.

    Well-known antiviral programs, although they *can* clean the infection, are at a disadvantage because they don't get the virus sample until a user submits it to them. Some scripts are even able to delete the antivirus in the Hard Disk.

    What I want to know is, how can I protect my computers from such flashdisk-based worms? What steps to take, and/or what programs to install?

    I have tried the free EXE Lockdown from HDS, but on my main PC it conflicts with Firefox causing a BSOD.

    Do you have other recommendations?

    Thanks in advance.
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
  3. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Disable the Autorun feature
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    ScriptSentry and similar programs block Windows from invoking the Open command as entered in the Registry
    when a user double-clicks on a script file (I'm using the finjan.vbs test file):

    (screenshot: vbs-1.gif)

    Unfortunately, these programs will not prevent the file from running via a command to start wscript.exe.

    Make a test AutoRun file with this syntax:

    Code:
    [AutoRun]
    shellexecute=wscript.exe finjan.vbs

    Put the Autorun.inf file along with yourtestfile.vbs in the root of a flash drive or external USB HD.

    Or run this command from a Command Prompt or from within a batch file:

    Code:
    start wscript.exe finjan.vbs

    The .vbs file will happily oblige:

    (screenshot: vbs-2.gif)


    ----
    rich
     
  5. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    With TweakUI you can disable Autorun.. I did it today :D
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello, pepoluan,

    I was curious, so I took time this evening to look a bit more closely at this. First, these "enterprising programmers" maybe didn't have to create anything - this autorun/vbs exploit has been around for a while and code is readily available to copy|modify from the internet.

    A couple of write-ups describe how the technique works:

    Worm.VBS.Solow.A
    http://www.bitdefender.com/VIRUS-1000187-en--Worm.VBS.Solow.A.html

    VBS/Small.Sasan.A - VBS script virus
    http://www.avira.com/en/threats/section/fulldetails/id_vir/4012/vbs_small.sasan.a.html

    User precautions:

    1) Someone using a flash disk in another computer can view the contents of the flash disk before removing it -- using the "dir" command from a Command Prompt to check for Hidden files.

    2) People permitting someone else's flash drive to run on their computer can temporarily disable AutoRun by holding down the left SHIFT key as the drive is connected, or by unchecking AutoRun in TweakUI, as HURST suggested, and then view the contents of the drive as above.

    Since the Autorun.inf file has:

    Code:
    shellexecute=wscript.exe

    a program that can block specific executables might work.

    One of the scripts modifies the Registry. A Registry Watcher program might help here.

    Other people may have some suggestions...


    ----
    rich
     
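As an added example (not from this thread, and not the code of any product mentioned in it), the following Python script performs the two checks rich describes above against a mounted drive: it parses the root autorun.inf for the launch directives (open=, shellexecute=, shell\...\command=) and reports which script host or script file they would start, and it flags double-extension script files such as win32.dll.vbs anywhere on the drive. The drive contents it scans are constructed in a temporary directory for the demonstration; the autorun.inf text, file names and the lists of script hosts and extensions are assumptions made for the example. It does not read the Windows hidden attribute, so on a real disk it complements rather than replaces the "dir /a" check.

```python
"""Check a removable drive for the autorun.inf + hidden-script pattern
described in this thread.  Added example: not from the thread or any
product named in it.  The autorun.inf text and file names it builds are
constructed for illustration."""
import os
import tempfile

# autorun.inf keys whose value Windows would launch on insert or open.
EXEC_KEYS = ("open", "shellexecute")
# Script hosts and script extensions that turn a directive into code execution
# (assumed lists for this example; extend to taste).
SCRIPT_HOSTS = ("wscript", "cscript", "cmd", "mshta")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".hta")

# Constructed sample mirroring the syntax quoted in the thread.
SAMPLE_AUTORUN = """[AutoRun]
; constructed sample for the example
shellexecute=wscript.exe win32.dll.vbs
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def parse_autorun(text):
    """Return {key: value} from the [AutoRun] section, keys lowercased.
    Section names and keys are case-insensitive; ';' starts a comment."""
    directives = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def suspicious_directives(directives):
    """List one reason per directive that would run something; [] if clean."""
    reasons = []
    for key, value in directives.items():
        launches = key in EXEC_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        tokens = value.lower().split()
        host = os.path.splitext(os.path.basename(tokens[0]))[0] if tokens else ""
        if host in SCRIPT_HOSTS:
            reasons.append(f"{key}= starts script host '{host}': {value}")
        elif any(tok.endswith(SCRIPT_EXTS) for tok in tokens):
            reasons.append(f"{key}= runs a script file: {value}")
        else:
            reasons.append(f"{key}= runs '{value}' on insert/open")
    return reasons


def scan_drive(root):
    """Walk a drive root (or a directory standing in for one) and return
    (where, why) findings: autorun.inf launch directives in the root, plus
    double-extension script files such as win32.dll.vbs anywhere."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == "autorun.inf" and dirpath == root:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for why in suspicious_directives(parse_autorun(fh.read())):
                        findings.append(("autorun.inf", why))
            stem, ext = os.path.splitext(lower)
            if ext in SCRIPT_EXTS and "." in stem:
                findings.append((os.path.relpath(path, root),
                                 "script with a double extension"))
    return findings


def demo():
    """Build a constructed drive image in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as drive:
        with open(os.path.join(drive, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN)
        with open(os.path.join(drive, "win32.dll.vbs"), "w", encoding="utf-8") as fh:
            fh.write("' constructed placeholder, contains no code\n")
        with open(os.path.join(drive, "report.doc"), "w", encoding="utf-8") as fh:
            fh.write("harmless document\n")
        return scan_drive(drive)


if __name__ == "__main__":
    for where, why in demo():
        print(f"{where}: {why}")
```

To use it on a real disk, call scan_drive() with the drive root (for example "E:\\") instead of demo(); a clean drive with only an icon= or label= directive produces no findings, which is the case the directive filter is written to pass through.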
  7. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    This has been happening to me very frequently: Plugging into my computer a 'flash disk' or 'memory sticks' it would instantly trigger a reaction from the Antivirus. All of the advice given so far is good, in my case I've always had my system sandboxed, with an antivirus running.

    A sandbox is perfect for such a situation, the only problem is that if you want to retain some of the stuff from the flash disk you should make sure that it is clean, which means you need some kind of anti malware.

    Sandboxes/virtual systems that you can trial are: DeepFreeze, Returnil (free for personal use), PowerShadow, ShadowUser/Surfer, Sandboxie (free). There are more and a search on the Wilders forums will give a lot of info. Returnil is worth trying first, as it is free and very effective, their support is also remarkable.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Were these your disks? If so, how do you think they became infected? What was on the disks that triggered your AV?

    EDIT: never mind - I remember from a previous thread - you load students' disks onto your computer.


    ----
    rich
     
    Last edited: Dec 11, 2007
  9. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I had that when plugging my USB-drive in a friend's laptop. My AV never jumped, but when I plugged it in his, his AV (NOD32 2.7) warned about autorun.inf.
     
  10. pepoluan

    pepoluan Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    7
    Location:
    Jakarta, ID
    Last week a colleague plugged in his flash disk into a workstation that I frequently use (not my personal workstation, but my 'other' workstation in the office).

    The next day I used the computer and discovered that I can no longer double-click on the C: or D: drive icons on the right pane of Explorer to open those drives. Having read about autorun.inf worms, I feared the worst.

    I opened IE, and sure enough, IE's title bar has a message from the worm maker. Based on the language used, the worm is a 'domestic' worm, i.e. created by a fellow countryman.

    So I did a quick perusal, and indeed "dir c:\ /a" shows an autorun.inf running some .vbs script. I quickly solved the problem by deleting autorun.inf and the .vbs during boot (it refuses to be deleted from within Windows. The delete would succeed, but within minutes the autorun.inf will be resurrected).

    The horror of the story is: I am using the most-up-to-date NOD32 v2 on that computer (auto-update every hour, as is the default of NOD32).

    So much for antivirus protection on autorun.inf :ouch:
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That is a fact of life in the AV world. I'm sure NOD32 (and all AV companies) add files to their updates as quickly as possible after they detect them.

    If someone encounters a new variant between their updates, then...


    ----
    rich
     
    Last edited: Dec 11, 2007
  12. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406

  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    And indeed it does!

    I connected my external USB drive which has the test autorun.inf and .vbs files. The code for the autorun.inf is

    Code:
    [AutoRun]
    shellexecute=wscript.exe finjan.vbs

    and upon connecting the drive, the action is blocked:

    (screenshot: vbs-4.gif)


    Nice utility!


    ----
    rich
     
  14. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
  15. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    You can do the same thing with the Tools section of AVG-AS, if you don't want to do it manually.

    Personally, I have execution protection for wscript.exe and cscript.exe. Additionally I've set the My Computer zone to 'High' so that .vbs scripts do not run off the desktop, unless I want them to.
     

  16. pepoluan

    pepoluan Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    7
    Location:
    Jakarta, ID
    Ah, thanx for the inputs, guys!

    Will surely disable scripting host, as I never use it anyway.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hello,
    You can also: Start > Run > gpedit.msc > User Configuration > Administrative Templates > Windows Components > System > Turn off Autoplay, switch to enable.
    Mrk
     
  18. pepoluan

    pepoluan Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    7
    Location:
    Jakarta, ID
    Okay, regarding EXE Lockdown BSOD-ing my PC (see my first post), I found the cure:

    I have to first click "Scan HDD" in the EXE Lockdown control panel.

    Now, all is well :)
     