Summary of the attack and defense experience with the Autorun.inf virus (USB flash drive virus)

Source: Internet
Author: User

ravmone.exe, rose.exe, sxs.exe, copy.exe, setup.exe... these mysterious ghosts in the root directory, the killers of system security, are collectively called the "USB flash drive virus". Countless Windows users are plagued by them. This article is a summary of my research on the USB flash drive virus and of the lessons learned from fighting it.

Windows 95 and later systems all have an "AutoRun" feature: Explorer reads the Autorun.inf file to obtain a custom icon for the volume, to modify the context menu of the volume icon, and, on some media, to automatically run the executable defined in Autorun.inf. Years later, with the spread of all kinds of removable storage devices, some domestic virus writers began abusing Autorun.inf to spread viruses that copy themselves onto the USB disk. The well-known fake Ravmon, copy+host, sxs, Viking, pandatv and other famous viruses all spread in this way. Sometimes they are mysterious ghosts in the root directory, sometimes a Recycle Bin that appears where it should not. In short, they are a serious threat to system security.

Autorun.inf can be exploited by viruses in four ways.

1.
open=filename.exe
Runs automatically when the volume is inserted. However, for many XP SP2 users and for Vista users, AutoRun has become AutoPlay and will not run it automatically; instead a pop-up window asks what to do.

2.
shell\Auto\command=filename.exe
shell=Auto
Modifies the context menu, changing the default item (the one executed on double-click) to the virus's startup item. However, you only need to right-click the icon to spot the anomaly immediately. A smarter virus changes the name of the default item, but if garbled text or Chinese characters show up in the context menu on a non-Chinese system, what would you make of it?

3.
ShellExecute=filename.exe
With ShellExecute=..., the virus runs automatically because Explorer calls the ShellExecuteA/W function on it when the root directory of the USB flash drive is opened. This is aimed at those who open the drive by typing its drive letter into Win+R.

4.
shell\open=Open(&O)
shell\open\Command=filename.exe
shell\open\Default=1
shell\explore=Explorer(&X)

This is a newer form of disguise: the built-in Open and Explore verbs are overridden and relabelled (in the real file the labels are the Chinese strings for Open and Explorer), so at a glance the right-click menu looks normal. On a non-Chinese system, however, the Chinese or garbled labels that suddenly appear are of course hard to miss.
Faced with this danger, especially the fourth form, it is hard to tell from Explorer alone whether a removable disk is infected. So some people developed "immunization" tools based on their own experience.
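As an added example (not code from the original article or from any of the tools it mentions), the following PowerShell function parses an Autorun.inf and reports which of the four patterns above it uses. It also checks the icon= entry for the trick discussed later in the article, an animated cursor renamed to .ico, by looking at the file header (ANI files are RIFF containers with the ACON form type) rather than at the extension. The function name, the wording of the findings and the sample file written to the temp directory are this example's own.

```powershell
# Added example: static inspection of an Autorun.inf (defender's view).
# Assumes Windows PowerShell 5.1 or PowerShell 7; the function name is hypothetical.
function Test-AutorunInf {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)

    $findings = New-Object System.Collections.Generic.List[string]
    $section  = ''
    $baseDir  = Split-Path -Path (Resolve-Path -LiteralPath $Path).Path -Parent

    foreach ($raw in (Get-Content -LiteralPath $Path -ErrorAction Stop)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }            # blank line or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLowerInvariant(); continue }
        if ($section -ne 'autorun') { continue }                            # only [AutoRun] is acted on

        $parts = $line -split '=', 2
        if ($parts.Count -ne 2) { continue }
        $key = $parts[0].Trim().ToLowerInvariant()
        $val = $parts[1].Trim()

        if ($key -eq 'open') {
            $findings.Add("technique 1: open=$val (executed by AutoRun on insertion where AutoRun is still enabled)")
        }
        elseif ($key -eq 'shellexecute') {
            $findings.Add("technique 3: shellexecute=$val (executed when the drive root is opened, e.g. from Win+R)")
        }
        elseif ($key -eq 'shell') {
            $findings.Add("technique 2: shell=$val (double-click redirected to a custom verb)")
        }
        elseif ($key -match '^shell\\([^\\]+)\\command$') {
            $findings.Add("technique 2/4: verb '$($Matches[1])' runs $val")
        }
        elseif ($key -match '^shell\\([^\\]+)$') {
            $verb = $Matches[1]
            if ($verb -eq 'open' -or $verb -eq 'explore') {
                $findings.Add("technique 4: built-in verb '$verb' relabelled '$val'")
            }
            if ($val -match '[^\x20-\x7E]') {                               # non-ASCII menu label
                $findings.Add("label '$val' is non-ASCII: shows as Chinese or garbled text on a non-Chinese system")
            }
        }
        elseif ($key -eq 'icon') {
            # icon=file[,index]; an .ani renamed to .ico still parses, so check the header bytes
            $iconFile = ($val -split ',')[0].Trim().Trim('"')
            $iconPath = Join-Path -Path $baseDir -ChildPath $iconFile
            if (Test-Path -LiteralPath $iconPath -PathType Leaf) {
                $buf    = New-Object byte[] 12
                $stream = [System.IO.File]::OpenRead($iconPath)
                try { $n = $stream.Read($buf, 0, 12) } finally { $stream.Dispose() }
                $ascii  = [System.Text.Encoding]::ASCII
                if ($n -eq 12 -and $ascii.GetString($buf, 0, 4) -eq 'RIFF' -and $ascii.GetString($buf, 8, 4) -eq 'ACON') {
                    $findings.Add("icon=$iconFile is an animated cursor (RIFF/ACON) despite its name: possible ANI exploit carrier")
                }
            }
        }
    }
    return ,$findings.ToArray()
}

# Demo on a constructed sample (sample text only, not a real infection), combining
# pattern 4 with open= and shellexecute=; the labels are the Chinese strings for Open and Explorer.
$sample = @'
[AutoRun]
open=ravmone.exe
shellexecute=ravmone.exe
shell\open=打开(&O)
shell\open\Command=ravmone.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
icon=ravmone.ico
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'autorun-sample.inf'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
Test-AutorunInf -Path $tmp
```

Point it at the root of a mounted drive (for example, Test-AutorunInf -Path 'E:\autorun.inf') to read the file without double-clicking the volume; reading the INF as text never triggers any of the four mechanisms, which only fire through Explorer.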
Immunization methods (for removable disks and hard disks)

1. A directory with the same name

A directory is a special kind of file in Windows, and two entries in the same directory cannot have the same name. So creating a directory named "autorun.inf" in the root of the removable disk stops early viruses, which never considered this case, from creating the autorun.inf file, and reduces the probability of successful propagation.

2. A directory with an invalid file name under autorun.inf

Some viruses add fault-tolerance code and try to delete the autorun.inf directory before generating the autorun.inf file.
In the Windows NT Win32 subsystem, directory names such as "filename.." are allowed, but to stay compatible with the DOS/Win9x 8.3 file system, calling the directory enumeration functions of the standard Win32 API on such a directory cannot list its contents and returns an error. Deleting a directory, however, means deleting the whole tree step by step, which requires enumerating the contents of every subdirectory. So creating a special directory inside "autorun.inf", for example with "md x:\autorun.inf\yksoft..\", keeps the autorun.inf directory from being deleted easily. Similarly, using the Native API to create directories with DOS reserved device names (such as con, lpt1 and prn) achieves a similar effect.

3. NTFS permission control

Virus writers are hackers too, and they know that these Windows behaviours are bugs. They can have a program scan the directory, detect that a directory name ends in ".", and open it through a path of the form "\\?\dirfullname..\" that bypasses Win32 path normalization, or use the file system functions of the Windows NT Native API to delete this special directory directly.

Hence the method of permission control at the lower file-system level: format the USB flash drive or mobile hard disk as NTFS, create the Autorun.inf directory, and grant no permissions on it to any user. The virus then cannot delete it, or even list it.

However, this method is not suitable for devices that do not support NTFS, such as music players.
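The three immunization steps above, as one added PowerShell script (not the original author's tool or any of the immunization tools the article refers to). It assumes Windows, an elevated PowerShell session and a drive letter such as 'E'; the subdirectory name "yksoft.." is the article's own, the function name is hypothetical, and the trailing-dot directory is created through cmd.exe because .NET path handling would strip the dots. The NTFS step removes all inherited entries (an empty DACL grants nothing to anyone) and adds an explicit deny for Everyone (SID S-1-1-0).

```powershell
# Added example: apply the three immunization steps to one drive (defender's tool).
# Assumes an elevated prompt; the function name is hypothetical.
function Protect-DriveFromAutorun {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [ValidatePattern('^[A-Za-z]$')] [string] $DriveLetter)

    $drive = "$($DriveLetter.ToUpper()):"
    $root  = "$drive\autorun.inf"

    # An existing autorun.inf FILE is the infected case: examine it, never overwrite it silently.
    if ((Test-Path -LiteralPath $root) -and -not (Test-Path -LiteralPath $root -PathType Container)) {
        throw "$root is a file, not a directory: inspect it before immunizing this drive."
    }

    # Step 1: the same-name directory blocks naive viruses that simply write the file.
    if (-not (Test-Path -LiteralPath $root -PathType Container)) {
        New-Item -ItemType Directory -Path $root | Out-Null
    }

    # Step 2: a trailing-dot name that the Win32 API cannot enumerate, so a recursive
    # delete of autorun.inf fails. The trailing backslash keeps cmd from stripping the dots.
    cmd.exe /c md "$root\yksoft..\" 2>$null
    $listing = cmd.exe /c dir /b /a "$root"
    if ($listing -notcontains 'yksoft..') {
        Write-Warning "could not create $root\yksoft..; step 2 not applied"
    }

    # Step 3: only possible on NTFS (FAT devices such as music players have no ACLs).
    $fs = (New-Object System.IO.DriveInfo($drive)).DriveFormat
    if ($fs -eq 'NTFS') {
        icacls.exe $root /inheritance:r | Out-Null               # drop inherited ACEs: empty DACL
        icacls.exe $root /deny '*S-1-1-0:(OI)(CI)F' | Out-Null    # explicit deny for Everyone
    } else {
        Write-Warning "$drive is $fs, not NTFS; permission step skipped"
    }

    return [pscustomobject]@{ Drive = $drive; FileSystem = $fs; Undeletable = ($listing -contains 'yksoft..') }
}

# Usage: Protect-DriveFromAutorun -DriveLetter E
```

The deny entry also locks out the account that created the directory, so undoing the protection later means taking ownership first; as the article notes in the next section, that is exactly what a virus running with administrator rights can do as well, which is why step 3 is a hurdle and not a guarantee.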

These three tricks are clever. However, the biggest problem is not how to prevent autorun.inf from being generated, but the vulnerabilities of the system itself and of Explorer. Virus writers will soon come up with stronger approaches. This is what I expect:

1. Combining with the ANI vulnerability: autorun.inf sets the icon to an exploit file for the ANI vulnerability (in my experiments I found that Windows still parses the icon even when the .ani extension is changed to .ico). This way, as soon as "My Computer" is opened, a system without patches or security software is hit directly. Such things can also be hidden in the ISO images of all kinds of online resources.

2. Raising the overall programming level of the virus and building in countermeasures to the immunization methods above. In addition, most Windows users in China habitually log on with high privileges, so the virus can simply take ownership of the Autorun.inf directory, add read, write and delete permissions, and break through this strongest bastion.

There are not many solutions to such terrible things, but they are actually the basic solutions to all Windows security problems:

1. Keep the system and security software up to date. Even for users of pirated copies, Microsoft has never withheld important security updates, nor has it ever bundled anti-piracy programs into important security updates.

2. Use the system and access the Internet with a restricted account whenever possible; this reduces the probability of a virus getting into the system. Vista added UAC precisely so that users can enjoy the security of a restricted user while keeping things as convenient as possible.

3. To some extent, QQ, IE, and online games whose equipment can be turned into real money are the "root of all evil" that drives the large numbers of virus and Trojan writers. Using IE vulnerabilities, they build web Trojans, install account-stealing programs, steal accounts and obtain RMB. In this black industry chain, IE is actually the easiest link to cut. Take care of the system: keep it updated, use anti-virus software that can block web Trojans, avoid using IE on small download sites, pornographic websites and other high-risk sites, and if possible use a browser with a non-IE engine.

4. Bundled malicious software is getting closer and closer to viruses and Trojans. The FSD hook self-protection of some malware can be reused by viruses to protect themselves (as in the Sony XCP incident), and some malware is itself a downloader for viruses and Trojans. So do not let rogue software near your machine.

The attack and defense around Autorun.inf continues and will only get more intense. The security awareness of netizens will also grow through this opposition and unity of attack and defense.
