Penetration via USB

Tr0jan_Horse

As a rule, most pentests follow a fairly simple scheme: first, social engineering provides access to the target environment or one of its links, and then that link is compromised by technical means. The variations differ, but a classic pentest is usually a blend of technical and social engineering in varying proportions. The drawback of the classic pentest is that you have to "find" that one employee by hand before moving on to the next stage. If finding the weak link and exploiting it could be automated, the pentest would go faster and its final chances of success would rise significantly.

According to well-known statistics published by antivirus companies, about 30% of users do not use an antivirus at all, simply disable it, or do not update its databases. From this it follows that any average company has a group of people who are careless about information security, and it is through these people that an attack should go. In addition, any working system is subject to random factors that can temporarily paralyze its defences as well:
  • the proxy server settings crashed, which is why the antivirus databases were not updated.
  • the antivirus license expired, but the management did not take care of its renewal in time.
  • A network outage made it impossible to print files remotely, which forced all employees to copy the documents to a USB stick and print them in another department.
Turn on your imagination and you can add a dozen more scenarios. To sum up: any average organization has potentially unreliable employees, and circumstances sometimes arise that disrupt normal work and paralyze protection. So if you strike in the right place at the right time, the attack will succeed.

In fact, the task boils down to this: detect that one of these random events has just occurred and lowered the level of protection, then use the situation as cover to carry out the attack unnoticed.

Put more simply, the task is to find a person who has given up on security, and why not use flash drives for that?

Many virus writers have grown fond of flash drives, because they infect computers easily and quickly, and even the most primitive USB virus has a good chance of success. The boom of autorun viruses that began in 2008 had not subsided five years later; on the contrary, USB viruses became even more brazen and sometimes no longer hide their presence at all. At the same time, an infected flash drive is a universal indicator of its owner's basic information-security literacy. Collect ten flash drives from different people and three or four of them will surely carry a virus; take them from the same people a week later and two or three viruses will still be there. From this it follows that the computers these flash drives are used on have no protection at all, or it is disabled or broken for some reason. So even the most common virus, one that every antivirus detects, if spread only among this group of people, would infect a large number of computers before it was noticed, and since those computers lack protection, it would stay operational for a long time.

Figure: Exposure to computer threats depending on whether real-time protection is available
Implementation

On a specific computer to which flash drives are periodically connected, we install a special program that works as follows. When a new flash drive is connected, the program tries to determine whether it is infected. Since it is impossible to account for every variety of USB virus, it makes sense to use a heuristic based on the following criteria:

the presence of an autorun.inf file;
the RHS (read-only, hidden, system) attributes set on that file;
the small size of the suspicious file;
a file system other than NTFS;
the absence of a folder named autorun.inf (a common protective trick that blocks the file);
the presence of shortcut (.lnk) files.

If a flash drive turns out to be infected, the program records it in a database together with its serial number and the hash of the suspicious file. If the flash drive is reconnected to this computer a few days later (which almost always happens) and the suspicious files are still on it, it is infected with our "virus"; if the suspicious file is gone, the program deletes the flash drive's serial number from the database. When a new computer is infected, the virus remembers the serial number of the "mother" flash drive and never infects or analyzes it again, so that it does not give itself away later if the flash drive's owner "wises up".

To obtain the serial number, we write the following function based on the GetVolumeInformation API:
C++:
#include <vcl.h>
#include <windows.h>

// Returns the volume serial number of the drive with the given letter as a hex
// string (e.g. "1A2B3C4D"), or an empty string if the volume cannot be queried.
String GetFlashSerial(AnsiString DriveLetter)
{
 DWORD NotUsed;
 DWORD VolumeFlags;
 char VolumeInfo[MAX_PATH];        // volume label, requested but not used further
 DWORD VolumeSerialNumber = 0;

 if (!GetVolumeInformation( AnsiString(DriveLetter + ":\\").c_str(),
   VolumeInfo, sizeof(VolumeInfo), &VolumeSerialNumber, &NotUsed,
   &VolumeFlags, NULL, 0))
 {
  return "";                       // drive not ready or not a valid volume
 }

 String S;
 return S.sprintf("%X", VolumeSerialNumber);
}

It should be noted that GetFlashSerial does not return a fixed unique identifier of the device, only the serial number of the volume. That number is generated randomly and usually changes every time the device is formatted. For our purposes the volume serial number is enough, since we do not need a hard binding to the physical device, and formatting means the complete destruction of the information, which effectively makes a formatted flash drive a new one.

Now let's start implementing the heuristic itself.
C++:
#include <vcl.h>
#include <windows.h>

// Heuristic check of a removable drive for the two infection patterns the
// text describes: an autorun.inf with R+H+S attributes on a non-NTFS volume,
// and a .lnk shortcut paired with a hidden+system folder of the same name.
bool IsItABadFlash(AnsiString DriveLetter)
{
 DWORD NotUsed;
 char drive_fat[30];               // file system name ("FAT32", "NTFS", ...)
 DWORD VolumeFlags;
 char VolumeInfo[MAX_PATH];        // volume label, not used further
 DWORD VolumeSerialNumber;

 if (!GetVolumeInformation( AnsiString(DriveLetter + ":\\").c_str(),
   VolumeInfo, sizeof(VolumeInfo), &VolumeSerialNumber, &NotUsed,
   &VolumeFlags, drive_fat, sizeof(drive_fat)))
 {
  return false;                    // cannot query the volume: nothing to judge
 }

 bool badflash = false;

 // Pattern 1: autorun.inf present on a non-NTFS volume with the read-only,
 // hidden and system attributes set.
 if ((String(drive_fat) != "NTFS") && FileExists(DriveLetter + ":\\autorun.inf"))
 {
  DWORD dwAttrs = GetFileAttributes(AnsiString(DriveLetter + ":\\autorun.inf").c_str());
  if ((dwAttrs != INVALID_FILE_ATTRIBUTES)
   && (dwAttrs & FILE_ATTRIBUTE_SYSTEM)
   && (dwAttrs & FILE_ATTRIBUTE_HIDDEN)
   && (dwAttrs & FILE_ATTRIBUTE_READONLY))
  {
   badflash = true;
  }
 }

 // Pattern 2: a shortcut in the root whose base name matches a folder that has
 // been made hidden+system. Every .lnk file is examined (the original checked
 // only the first match, even when FindFirst found nothing), and the search
 // handle is released when done.
 if (!badflash)
 {
  TSearchRec sr;
  if (FindFirst(DriveLetter + ":\\*.lnk", faAnyFile, sr) == 0)
  {
   do
   {
    int filep = sr.Name.LastDelimiter(".");
    if (filep > 1)
    {
     AnsiString filebez = sr.Name.SubString(1, filep - 1);   // name without ".lnk"
     if (DirectoryExists(DriveLetter + ":\\" + filebez))
     {
      DWORD dwAttrs = GetFileAttributes(AnsiString(DriveLetter + ":\\" + filebez).c_str());
      if ((dwAttrs != INVALID_FILE_ATTRIBUTES)
       && (dwAttrs & FILE_ATTRIBUTE_SYSTEM)
       && (dwAttrs & FILE_ATTRIBUTE_HIDDEN))
      {
       badflash = true;
      }
     }
    }
   } while (!badflash && FindNext(sr) == 0);
   FindClose(sr);
  }
 }
 return badflash;
}

The heuristic function is quite simple. First we filter out all devices with the NTFS file system and those that do not contain an autorun.inf file. As a rule, flash drives ship formatted as FAT32 by default (less often FAT, and rarer still exFAT), but sometimes system administrators or other IT staff format them as NTFS for their own needs. We don't need the "smart guys", so we exclude them straight away. The next step is to check the autorun.inf file for the "hidden" and "system" attributes. An autorun.inf file may belong to a perfectly legitimate program, but if it carries these attributes, the flash drive is very likely infected with a virus.

These days fewer virus writers use autorun.inf to infect machines, for several reasons: first, almost all antiviruses, and many users, disable autorun; second, several viruses using the same propagation method may be present on one computer, and each overwrites the file in its own way. So infection by creating shortcuts and hiding the original folders has become more and more common. In order not to leave such flash drives unattended, we check for a shortcut file and for a folder with the same name in the root of the volume. If that folder also carries the "hidden" and "system" attributes, we mark the flash drive as infected.

Of course, any heuristic has its errors and nuances, so it makes sense to tune it carefully for a specific task, but in our case its correctness can be asserted with 100% probability.

If the heuristic analysis of the flash drive is generally clear, there may be nuances with the "infection" itself. For example, you can simply overwrite the old virus with our own, without touching autorun.inf, the files, the shortcuts and so on. That way our "virus" will be launched on the new computer, but it is better to first make a copy of the old virus and save it in the same directory under a slightly different name. If for some reason an antivirus is running on the other computer, it will detect the old virus, delete it and show the user a notification about the successful removal of the threat, giving the user a false sense of security while our "virus" goes unnoticed.

In addition, in the December issue of Hacker we also wrote about DLL hijacking vulnerabilities in various software and their effective use. So if flash drives may be expected to carry programs such as password managers or portable versions of various software, it makes sense to exploit this vulnerability as well, thereby expanding the range of affected machines and the value of the data obtained in the pentest.

By the way, it does not always make sense to resort to infecting flash drives. For example, if the information security department only needs to periodically monitor employees for "unreliable" people, it is more reasonable to install this program on several machines and simply record the serial numbers of the flash drives and the creation time of the malicious file to collect statistics. This needs no literal search of every employee and preserves the confidentiality of the data on the flash drives, and from the data obtained one can also assess the state of users' home computers and of information security in general. After all, as we wrote earlier, any system is subject to random factors, and the risk of threats is never excluded.
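The following is an added example, not code from the original article: it applies the heuristic explained above (autorun.inf with RHS attributes on a non-NTFS volume; a .lnk shortcut standing in for a hidden+system folder) to a snapshot of a volume root, and implements the monitoring-only variant just described, where a record of volume serial, hash of the flagged file and first-seen time is kept and re-checked on reconnection. The snapshot format, all class and function names, and the sample sticks are assumptions of this illustration; on a real Windows host the `attrs` values would come from `os.stat(path).st_file_attributes` and the serial from GetVolumeInformation, as in the article's GetFlashSerial. Unlike the article's C++, every .lnk file in the root is examined, not just the first.

```python
"""Added example, not the article's own code: the infection heuristic from the
text applied to a snapshot of a volume root, plus the record-keeping variant the
article suggests for the security department (volume serial, hash of the flagged
file, first-seen time, re-checked on reconnection). The snapshot format, all
names and the sample data are assumptions of this illustration."""
from __future__ import annotations
import hashlib
import stat
from dataclasses import dataclass
from datetime import datetime, timezone

# Attribute sets the heuristic looks for: Read-only+Hidden+System on
# autorun.inf, Hidden+System on a folder that a shortcut now stands in for.
RHS = stat.FILE_ATTRIBUTE_READONLY | stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
HS = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM

@dataclass
class Entry:
    name: str          # entry name in the volume root
    is_dir: bool
    attrs: int         # Win32 attribute bits (os.stat(...).st_file_attributes on Windows)
    data: bytes = b""  # file contents, empty for directories

@dataclass
class Volume:
    serial: str        # volume serial as hex text, what the article's GetFlashSerial returns
    fs: str            # file system name, e.g. "FAT32"
    root: list[Entry]

def suspicious_files(vol: Volume) -> list[str]:
    """Root entries matching the article's two patterns. NTFS volumes are skipped
    as in the article; unlike its C++ code, every .lnk file is examined."""
    if vol.fs.upper() == "NTFS":
        return []
    byname = {e.name.lower(): e for e in vol.root}
    hits = []
    ar = byname.get("autorun.inf")
    if ar and not ar.is_dir and (ar.attrs & RHS) == RHS:
        hits.append(ar.name)
    for e in vol.root:
        if e.is_dir or not e.name.lower().endswith(".lnk"):
            continue
        folder = byname.get(e.name[:-4].lower())
        if folder and folder.is_dir and (folder.attrs & HS) == HS:
            hits.append(e.name)
    return hits

@dataclass
class Record:
    hashes: set[str]       # SHA-256 of the flagged entries themselves (an assumption)
    first_seen: datetime
    reconnects: int = 0    # reconnections on which the same file was still present

class InfectionLog:
    """Monitoring-only variant: remember which sticks carried flagged files and,
    when one is plugged in again, note whether its owner cleaned it."""
    def __init__(self) -> None:
        self.records: dict[str, Record] = {}

    def observe(self, vol: Volume, now: datetime | None = None) -> str:
        now = now or datetime.now(timezone.utc)
        flagged = set(suspicious_files(vol))
        hashes = {hashlib.sha256(e.data).hexdigest() for e in vol.root if e.name in flagged}
        rec = self.records.get(vol.serial)
        if rec is None:
            if not hashes:
                return "clean"
            self.records[vol.serial] = Record(hashes, now)
            return "new-infection"
        if not hashes:
            del self.records[vol.serial]   # owner cleaned it: forget the stick
            return "cleaned"
        if hashes & rec.hashes:
            rec.reconnects += 1
            return "still-infected"
        rec.hashes = hashes                # different flagged files this time
        return "reinfected"

# Constructed sample data: a FAT32 stick showing both patterns, then the same
# stick (same serial) after the owner removed the suspicious entries.
INFECTED_STICK = Volume("1A2B3C4D", "FAT32", [
    Entry("autorun.inf", False, RHS, b"[autorun]\nopen=sys.exe\n"),
    Entry("Photos.lnk", False, stat.FILE_ATTRIBUTE_ARCHIVE, b"constructed lnk bytes"),
    Entry("Photos", True, HS),
    Entry("report.docx", False, stat.FILE_ATTRIBUTE_ARCHIVE, b"constructed docx bytes"),
])
CLEANED_STICK = Volume("1A2B3C4D", "FAT32", [INFECTED_STICK.root[3]])

def demo() -> tuple[str, str, str]:
    log = InfectionLog()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return (log.observe(INFECTED_STICK, t0),   # "new-infection"
            log.observe(INFECTED_STICK, t0),   # "still-infected"
            log.observe(CLEANED_STICK, t0))    # "cleaned"
```

Running `demo()` walks one stick through the three states the article describes: first sighting, reconnection with the same file still present, and the record being dropped once the owner has cleaned it. The log never writes anything to the stick; the value of the record is the per-serial statistics (how many sticks arrive infected, how many are still infected on return), which is exactly the data the security department variant collects.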

Testing

Having deployed the program on a relatively medium-sized network, within a week we had obtained quite telling data. More than 20% of all connected flash drives were infected with some virus or Trojan, and more than 15% were still infected when reconnected a couple of days later. Note also that many of the computers had antivirus protection, which periodically did its job. However, the habitual indifference to the pop-up antivirus warning, which users have long grown used to seeing when they connect a flash drive, did not let them suspect that they were dealing with an entirely different threat. A false sense of security let users connect a flash drive to various computers without hesitation, and our program successfully did its job.

Briefly about the algorithm

  • We install our program on computers in the company.
  • We scan the connected flash drives for signs of infection.
  • We "infect" users' flash drives with our test "virus", or simply record their serial numbers for statistics.
  • We report to management, punish the careless users, restrain them, don't let them in, and forbid everything.

Conclusion

To summarize, the main drawback of this method is its uncertainty. Nobody knows when exactly the "right" flash drive will be connected to the computer, since that depends heavily on the environment in which the program is deployed. However, this drawback does not cancel out the method's main advantage: you can go unnoticed for a very long time and, lost among other threats, reach more and more new machines completely automatically. It is easy to see that the technique has a certain economy of scale: the more employees an organization has and the more diverse its internal communications, the greater the result. That said, the approach works in a structure of any size, because its main task is not to cause massive damage to the system but to target the weakest link: the human.
 