Seven Deadliest USB Attacks, part 5
Anatomy of the Attack 79
How to Recreate the Attack
The most common deployment scenario, given in our previous discussions in
Chapters 1 and 2, “USB Hacksaw” and “USB Switchblade,” respectively, would
be executing the payload of your choice by way of a U3-enabled flash drive. Using
this method, you have the ability to craft a custom ISO enabling any program to run
automatically simply by connecting a U3-compatible flash drive to a computer. Once
again, this is assuming that autorun is enabled and working properly; otherwise,
console access will be required to initiate via manual means.
This section will walk you through the creation of a custom ISO that can be used
to automatically execute a program on a computer using a U3-compatible flash drive.
Here is what you will need to recreate an attack of this sort.
• A scripting tool called AutoIt
• The U3 Universal Customizer tool
• A U3-supported flash drive
• A text editor program
• Icons to label your flash drive
This section will use the U3-enabled flash drive and Universal Customizer program applied in the previous chapters. Download and install the most recent version of AutoIt that is available on the Internet (www.autoitscript.com). Once you have downloaded the package, the following instructions will guide you through the installation process.
1. Run the AutoIt installation executable, then select Next when prompted, as shown
in Figure 3.3.
2. Ensure you concur with the agreement presented (Figure 3.4) and click I Agree.
3. Select Edit the script when the dialogue box appears as seen in Figure 3.5, then
click Next. This option will prevent accidental execution of the script on your
workstation during testing.
4. There are some script examples that can be installed, as seen in Figure 3.6.
Tip
These are convenient for reference if you are having difficulty understanding the syntax.
They are not required in order to complete the next section, but you may find them useful
at a later time.
5. Click Next to continue the installation as seen in Figure 3.6.
6. Choose a custom location for installation or accept the default as indicated in
Figure 3.7, and click Install.
7. Once the installation completes, click Finish, as illustrated in Figure 3.8.
80 CHAPTER 3 USB-Based Virus/Malicious Code Launch
Figure 3.3 AutoIt Installation Screenshot
Figure 3.4 AutoIt Installation Screenshot
Figure 3.5 AutoIt Installation Screenshot
Figure 3.6 AutoIt Installation Screenshot
Figure 3.7 AutoIt Installation Screenshot
Figure 3.8 AutoIt Installation Screenshot
Now that the installation of AutoIt is completed, we will begin building the
executable. In this example, we will send predefined text to Notepad, which will
render it on the screen once activated via autorun.
1. Launch AutoIt.
2. Go to File and select New File.
3. On line one, enter Run("notepad.exe")
4. On line two, enter WinWaitActive("Untitled - Notepad")
5. On line three, enter Send("YOU ARE NOW INFECTED WITH THE PINK SLIP VIRUS.{ENTER}NANNY NANNY BOO BOO{ENTER}") or a phrase of your choice
6. On line four, enter Sleep(500)
7. On line five, enter Send("+{UP 2}")
8. On line six, enter Sleep(500)
9. Save the file using “hotfix” as the name.
10. Test the script to ensure it is working as intended by right-clicking the newly
created file and selecting Run Script.
11. If there are any errors, the tool will let you know on what line the problem is
located. The final script should look something like Figure 3.9.
Figure 3.9 AutoIt Example Script
12. Next, we will compile the newly created script into an .exe file. To do this, simply right-click the script and select Compile Script. You should now see your file with an .exe extension in the same directory you originally created it.
13. Go to the directory where you extracted the Universal Customizer and copy the
file you just created to the U3CUSTOM folder.
14. Download or choose a benign-looking icon. A good site to go to for this is www.freeiconsweb.com. This example used an icon called MSN.ico.
15. Next, we will create a custom autorun.inf file that will be used to run your payload. Open up a new text file and type in the following lines.
[Autorun]
open=HotFix.exe
icon=msn.ico
shell\Open\Command= HotFix.exe
shell\open\Default=1
shell\Explore\Command= HotFix.exe
shell\Autoplay\command= HotFix.exe
label=Microsoft HotFix
16. Save this file as autorun.inf and place it into the U3CUSTOM folder.
17. Next, run ISOCreate.cmd. This file can be found in the root of the Universal
Customizer folder. Press any key to end the script when prompted. An example
of the ISOCreate.cmd is included in Figure 3.10.
18. Insert your U3 USB flash drive.
19. In the root of the Universal Customizer folder, locate and run Universal Customizer.exe. Execute the program and follow the on-screen steps, accepting the default options provided in the installation dialogues. Steps 9 to 13 in the “How to Recreate the Attack” section of Chapter 1, “USB Hacksaw,” provide detailed directions and screenshot illustrations for these steps.
Figure 3.10 ISOCreate.cmd Example Script
Figure 3.11 Intended Output of the AutoIt Script
20. That’s it! Now you’re ready to rock and roll. Eject and insert your U3 drive into your computer. If everything is properly in place, you should see the image shown in Figure 3.11.
Evolution of the Attack
Computer viruses have been a technological nuisance since the inception of the digital age. The first computer virus is a debatable subject, but some conclude it was
known as the Creeper. This virus was authored by Bob Thomas in the early 1970s.
Creeper was an experimental, self-replicating program that targeted the then-popular
Tenex operating system. It was produced in a lab and was not written for malicious
purposes. Its payload was fairly benign in nature, and infected systems displayed the
message, “I’M THE CREEPER: CATCH ME IF YOU CAN.”K
In 1981, the Rother J virus was one of the first to appear “in the wild.” It attached
itself to the Apple DOS 3.3 operating system. It was written by Richard Skrenta as
a practical joke when he was still in high school. On its fiftieth use, the Elk Cloner
virus would be activated, infecting the machine and displaying a short poem. Skrenta
then decided that it would be funny to put a copy of his “code” on the school computers and rig it to copy itself onto floppy disks that other students used on the system. This was how the Elk Cloner virus was released into the wild.L
K. http://vx.netlux.org/lib/atc01.html
Agent.BTZ was mentioned previously in the “Invasive Species among Us”
section and will be expanded upon here to exemplify the evolution of similar
strains. This worm includes an additional payload known as a Trojan dropper.
A dropper is recognized as a variety of Trojan that will look to download and
execute other malware once it has infected a system. Upon insertion of the removable media, the virus will detect the newly recognized drive and then attempt
self-replication to the device. If successful, it will then create an autorun.inf file in
the root of the drive, which tells the system to run the associated malicious code.
When the infected drive is inserted into a virgin host, the operating system will
detect the autorun.inf file and run the payload contained within. Agent.BTZ can
also spread through mapped network drives, but its primary means of propagation
targets removable media.
Agent.BTZ is one of many viruses that have hijacked the removable-media bandwagon. The vast majority of these have two major concepts in common: the creation of an autorun.inf file and exploitation of the autorun feature built into the Windows operating system. The W32/Agent.BTZ autorun.inf shown below is the content of the file it creates. [RANDOM] represents the various names the worm can generate for the *.dll file, which is used to evade automated detection and removal mechanisms.
[autorun]
open=
shell\open=Explore
shell\open\Command=rundll32.exe .\\[RANDOM].dll,InstallM
shell\open\Default=1
As has been previously discussed, this file is responsible for infecting new
systems when the infected USB drive is plugged in. Opening the infected USB drive
will automatically launch the rundll32.exe. Once this infected file is executed, it will
copy itself to directories on the system included below.
%system%\muxbde40.dll
%system%\\winview.ocx
%temp%\6D73776D706461742E746C62FA.tmp
%system%\system32\mswmpdat.tlb
Winview.ocx, mswmpdat.tlb, and 6D73776D706461742E746C62FA.tmp are log files, and their contents are encrypted. Muxbde40.dll is the virus itself, just with a different name. After these files are in place, the virus then modifies the following registry keys.
L. www.smh.com.au/articles/2007/09/01/1188671795625.html
HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
    (default) = Java.Runtime.52
HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\
    (default) = C:\WINDOWS\system32\muxbde40.dll
HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\
    ThreadingModel = Apartment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    UpdateCheck = {FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
HKLM\Software\Microsoft\Windows\CurrentVersion\StrtdCfg
HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\
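A defender's triage script for autorun.inf files such as the HotFix one built in the walkthrough and the Agent.BTZ one quoted above; this is an added example, not code from the book or any vendor tool, and the sample files embedded in it are constructed copies of what the chapter shows plus two hypothetical ones:

```python
"""Triage autorun.inf files for directives that launch code.

Added example, not from the book or any vendor tool. It parses the INI-style
autorun.inf format shown in this chapter (the HotFix walkthrough file and the
Agent.BTZ file) and reports each key that would make Windows run something.
All sample files below are constructed for the demo.
"""
import re

# Keys whose value names something that runs when the drive is opened.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command keys back the Open/Explore/AutoPlay actions.
COMMAND_KEY_RE = re.compile(r"^shell\\([^\\]+)\\command$")
PAYLOAD_EXT_RE = re.compile(r"\.(exe|dll|scr|com|bat|cmd|vbs|js)\b")


def parse_autorun(text):
    """Return (section, key, value) triples; sections and keys are lowercased."""
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def triage(text):
    """Return {'findings': [...], 'targets': [...]} for one autorun.inf body."""
    findings = []
    targets = set()
    for section, key, value in parse_autorun(text):
        if section != "autorun":
            continue
        match = COMMAND_KEY_RE.match(key)
        verb = match.group(1) if match else (key if key in LAUNCH_KEYS else None)

        # 'action=' runs nothing itself, but prompt text copied from Windows'
        # own AutoPlay dialog is the social-engineering trick the chapter
        # attributes to Conficker, so flag it on its own.
        if key == "action" and "open folder" in value.lower():
            findings.append({"key": key, "target": value,
                             "reasons": ["mimics the default Explorer AutoPlay prompt"]})
            continue
        if verb is None or not value:
            continue  # not a launch key, or 'open=' with nothing to launch
        targets.add(value)
        reasons = []
        low = value.lower()
        if "rundll32" in low:
            reasons.append("rundll32 loads a DLL export straight from the drive")
        if PAYLOAD_EXT_RE.search(low):
            reasons.append("names an executable payload")
        if key in LAUNCH_KEYS or verb == "autoplay":
            reasons.append("runs on insertion when autorun is enabled, no double-click needed")
        else:
            reasons.append("runs when the drive is opened from Explorer (%s verb)" % verb)
        findings.append({"key": key, "target": value, "reasons": reasons})
    return {"findings": findings, "targets": sorted(targets)}


# Constructed copy of the walkthrough's HotFix autorun.inf.
HOTFIX_SAMPLE = r"""[Autorun]
open=HotFix.exe
icon=msn.ico
shell\Open\Command= HotFix.exe
shell\open\Default=1
shell\Explore\Command= HotFix.exe
shell\Autoplay\command= HotFix.exe
label=Microsoft HotFix
"""

# Constructed copy of the Agent.BTZ file quoted in the chapter.
AGENT_BTZ_SAMPLE = r"""[autorun]
open=
shell\open=Explore
shell\open\Command=rundll32.exe .\\[RANDOM].dll,InstallM
shell\open\Default=1
"""

# Hypothetical Conficker-style file: borrowed prompt text plus a launch key.
PROMPT_SAMPLE = r"""[autorun]
action=Open folder to view files
shellexecute=setup.exe
"""

# Hypothetical benign file: label and icon only.
CLEAN_SAMPLE = "[autorun]\nicon=drive.ico\nlabel=Backup\n"

if __name__ == "__main__":
    for name, body in [("HotFix", HOTFIX_SAMPLE), ("Agent.BTZ", AGENT_BTZ_SAMPLE),
                       ("prompt", PROMPT_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        result = triage(body)
        print(name, "->", "suspicious" if result["findings"] else "no launch keys")
        for f in result["findings"]:
            print("  %s=%s: %s" % (f["key"], f["target"], "; ".join(f["reasons"])))
```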
Agent.BTZ is just one instance of many USB-focused viruses. The logic behind
most of these is not complicated; in fact, Agent.BTZ is actually a variant of the W32/SillyFDC, which was first discovered back in 2005. Some of the other removable
media viral variants are included in Table 3.1 for reference.M
Conficker is another worm whose variants remain extremely prevalent today. In fact, since it was first detected in November of 2008, the number of infections has already risen to 7 million.N “Conficker B copies itself as the autorun.inf to removable media drives in the system thereby forcing the executable to be launched every time a removable drive is inserted into a system. It combines this with a unique social engineering attack to great effect. It sets the “shell execute” keyword in the autorun.inf file to be the string “Open folder to view files” thereby tricking users into running the autorun program.”2 Conficker is considered a botnet and could easily be used to bring additional weaponry to bear in any attack its authors deem necessary.
Table 3.1 Removable media viruses
Removable media viral variants:
• Worm:W32/Conficker
• Worm:VBS/SillyFDC.F
• Worm:Win32/SillyShareCopy.AC
• Worm:Win32/Autorun.A
• PWS:Win32/Wowsteal.ZE!inf
• Worm:Win32/Nuj.A
• Worm:Win32/Autorun.PH
• Worm:Win32/Autorun.BO
• Worm:Win32/Autorun.RA
• Worm:AutoIt/Renocide.gen!A
• Worm:Win32/SillyShareCopy.E
• Worm:Win32/VB.CD
• Worm:Win32/Emold.B
• Worm:Win32/Slenfbot.ACP
M. www.microsoft.com/security/portal
N. www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking
Why All the Fuss?
The risks that viruses can present cover a broad spectrum. Loss of data, resources,
time, trade secrets, and personally identifiable data are just a few risks that can be
introduced by malware. This section will highlight the most vicious viral concoction
currently among us and how it might affect your network and data. Botnets are a recent example that exemplifies most of the hazards these viral entities can and do expose, often in an undetectable manner.
Botnets
A botnet is nothing more than an instrument cybercriminals use to carry out Internet-
based crime. They closely resemble a Mafia hierarchy whose actions are controlled
by a godfather. Listed below are a few of the possible activities botnets can be programmed to perform.
• Distributed denial-of-service attacks
• E-mail spamming
• Infecting new hosts
• Identity and credential theft
• Transporting illegal software
• Google AdSense and advertisement add-on abuse
Distributed Denial-of-Service Attacks
A distributed denial-of-service attack (DDoS) is an Internet-based assault that is
delivered from multiple sources (botnet) to one destination. The goal of these attacks
is to severely impair the victim’s network or Web site in such a way that it can
no longer service legitimate requests. During a large-scale attack, Internet service provider (ISP) networks can also be affected, resulting in degraded services to their customers. The botnet master can control a large number of bot computers from a remote location, leveraging their bandwidth and resources to send session requests to the intended victim. Botnets are frequently used to carry out these types of attacks because their sessions closely resemble normal Internet traffic patterns, just in excessive amounts. Depending on the nature of the attack, it can be hard to filter out what is and is not bad traffic. The most common tactics that attackers use in DDoS attacks are TCP SYN and UDP floods.
E-mail Spamming
In the past, whenever you were inundated by spam messages or phishing scams,
you could report the incident to your ISP, who would then track down the source of
the abuse and blacklist the Internet Protocol (IP) address. Spammers realized very quickly that these tactics were no longer effective. They are now operating their own botnets or renting existing infections to blast out spam messages. Losing one bot has little impact on the overall mission if there are thousands of other bots to keep up the pace.
Botnets are an ideal platform for spammers. A single spam message can be sent to
an individual bot and then redistributed to all others, which then relay the spam. This
allows the individuals responsible for the operation to remain anonymous while all
the blame gets transferred to the infected computers.
Infecting New Hosts
Botnets can enlist new recruits to join in the game through social engineering and
the distribution of malicious phishing e-mail messages. These messages could have
infected attachments or maybe an embedded link to a Web site that has a malicious
ActiveX control. Just about everyone who has an e-mail account has seen a suspicious message in their inbox. The most important thing to remember is that if you do
not know the person who sent the e-mail, it should be deleted, not opened.
Identity Theft
Identity theft is on the rise, and the trends are showing no signs of slowing down.
Identities are bought and sold in online black markets every day throughout the
world. Credit card numbers can be bought for as little as 50 cents while a full identity
complete with social security number, mother’s maiden name, account information,
and passwords can be purchased for less than 20 bucks. Botnets are often used to
gather the majority of this information.
Bots have also been found to use keyloggers and packet sniffers to collect
confidential information being entered or transmitted in clear text. Social security
numbers, credit cards, banking data, gaming valuables, or any other critical credentials can be easily collected using these tools. If the infected computer uses encrypted
communication channels such as SSL, then sniffing traffic on the victim’s machine is
useless, since the appropriate key to decrypt the packets is not known. This is when
keyloggers come into play. Using these tools, an attacker can collect every keystroke
a user enters, making it very easy to gather sensitive information.
Transporting Illegal Software
Botnets can be used to transfer and store pirated software. Infected machines serve as temporary holding tanks that usually contain a slew of illegal material. Everything
from pornography to full operating systems has been found on machines infected
with bot programs.
Google AdSense and Advertisement Add-On Abuse
Google AdSense offers businesses the opportunity to earn revenue displaying Google
advertisements on their own Web sites. Revenue is generated based on the number of clicks the ads receive. Botnets can be and are used to artificially increment the click counters by scripting the process of site visits and viewing the advertisements. The process can be further improved if the bot program hijacks the start page of the infected computer so that the clicks are executed each time the user opens his or her browser. Hosting companies often fall prey to this scam.
Defending against This Attack
According to a study done by brighthub, half of the top 10 viruses of 2009 were exploiting the Windows autorun feature.O When it comes to protection from USB-based malicious code, one may choose to tackle the problem from a few different angles. Each approach has beneficial and detrimental consequences, and these will be discussed in the remaining sections.
Malicious code currently has two preferred methods of transmission when it
comes to removable media. The first is a technique that involves the infection of
existing executables or files on the removable device. Propagation occurs when the
tainted drive is introduced to a clean machine and the contaminated files are run from
the media by the user. The more popular approach these programs take is to manipulate or create an autorun.inf file for auto-execution.
The most effective way to prevent USB-based malware from leveraging Windows
autorun features is to prevent a computer from being able to run autorun.inf files
completely. The only drawback of this method is that it will prevent the operating system from being able to read all autorun.inf files. This includes the convenient feature built into CDs and DVDs that makes them run automatically as soon as the operating system detects that they have been inserted. After making this change, a user of the system will have to navigate the removable media manually in order to initialize the appropriate program.
By following these steps, you can disable the usage of autorun.inf files completely on the system. This is done by adding a key called Autorun.inf under the registry path included below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping
Add an entry under the newly created Autorun.inf key called @. Next, set the value of the @ entry to “@SYS:DoesNotExist”. Alternatively, you can copy the text below to a Notepad file and save it with a .reg extension (the first line is the header Registry Editor requires before it will import the file). Once this file is created, browse to the saved location and double-click to add the registry value.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
This value tells Windows to treat autorun.inf as if it were a configuration file from
a pre–Windows 95 application. The “IniFileMapping” is a key that tells Windows
how to handle the .inf files. In this case, it tells the operating system to parse the registry key shown above for direction when it encounters an autorun.inf file. Since the “DoesNotExist” key is fictitious, the OS treats the autorun.inf as if it were empty, so the instructions mentioned in the autorun.inf are not executed.
O. www.brighthub.com/computing/smb-security/articles/44811.aspx
Due to the inconsistencies you might encounter on different types of operating
systems, you may decide that the best strategy for a particular situation would be to
disable features on the USB device itself. Some USB flash drives include a read-only
switch, but they make up the minority of what is on the market and in use today. The
switch does no good if left unengaged, and most users don’t understand its purpose
or realize that it even exists.
If the flash drive is like most, which means having a file system formatted with
FAT32, then there is a simple yet effective method to prevent propagation. If the drive
uses an autorun.inf to provide a specific functionality you desire, do not apply this
fix, as it will render the file and its functions useless. You will need access to a hex
editor for the following steps. A good free hex editor called HxD can be found at the
author’s Web site (http://mh-nexus.de/en/downloads.php?product=HxD).
Warning
You should test these procedures on an empty flash drive. If data exists on the drive, be
sure you have a backup in case corruption occurs.
The following defensive technique must be accomplished on Windows XP or an alternate operating system due to recent updates with Vista and beyond. For Windows Vista and greater, a write on a volume handle will only succeed if the drive or volume is not mounted by a file system or if one of the following conditions is true:
1. Writing occurs on boot sectors.
2. There is any writing to sectors outside of the file system area.
3. FSCTL_LOCK_VOLUME or FSCTL_DISMOUNT_VOLUME has been used to lock or dismount the volume.
4. The volume or drive does not have a file system. (Mounted as a raw volume.)
The write for a particular disk handle needs only one of the following circumstances to be true for it to be successful.
1. The sectors that will be written to do not fall inside a volume’s extents.
2. Sectors that will be written to fall inside a mounted volume, but something has explicitly locked or dismounted the volume by way of FSCTL_LOCK_VOLUME or FSCTL_DISMOUNT_VOLUME.
3. Sectors that will be written to fall inside a volume that is unmounted or lacks a file system, that is, an unmounted or nonformatted volume.3
The conditions listed above will likely prevent you from accomplishing a hex
edit on a USB drive from a Vista system. If you have access to a machine running
XP Professional, fortifying your USB autorun.inf file can be accomplished in a few
steps. Download a hex editor and install it, if you have not done so already. Next, you
will need to insert the USB flash drive and create an empty autorun.inf on the root
of this drive. Once you have done this, follow the instructions below to complete the
process. These instructions were built using the HxD hex editor from an XP system,
so if you are using another editor or operating system, the instructions will be slightly
off, but the concept is still the same.
1. Open the HxD hex editor, then go to the Extra menu, and select Open disk.
Note
Close all other programs or applications that are accessing the USB flash drive.
2. Uncheck the Open as Read-only box, then select your flash drive.
3. Go to the Search menu and select Find, then type AUTORUN in the Search for
window and select OK. Figure 3.12 illustrates what should be found.
4. Ensure you have the value highlighted as seen in Figure 3.12, then select Edit,
then Fill selection. In the Fill selection dialogue, you will find a section called
Hex-values. Change the 20 to 40 in the box provided. The dialogue should now
look like Figure 3.13.
5. Select OK, then Save, and click Yes to the Warning.
6. Close HxD and remove your flash drive.
The value 20 (hex) is the archive attribute bit; changing it to 40 sets the device bit instead. Now, when you browse to the disk, the autorun.inf file can be seen, but it cannot be deleted, opened, edited, overwritten, or have its attributes changed.P
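The same 20-to-40 attribute edit expressed as code, added here as an example (not from the book or from HxD): it walks a raw FAT directory image, finds the AUTORUN.INF short entry and flips its attribute byte from the archive bit (0x20) to the device bit (0x40). The image it operates on is constructed inside the script; on a real dump the same 32-byte walk applies as long as the image starts at the volume's first sector.

```python
"""Find and inoculate the AUTORUN.INF entry in a raw FAT directory image.

Added example, not from the book or from HxD: it does in code what the
hex-edit steps do by hand. A FAT short directory entry is 32 bytes; bytes
0-10 hold the 8.3 name ("AUTORUN INF") and byte 11 holds the attribute
flags. The walkthrough changes that byte from 0x20 (archive) to 0x40,
which Windows treats as a device entry. SAMPLE_IMAGE is constructed, not
a dump of a real drive.
"""
import struct

ENTRY_SIZE = 32
ATTR_OFFSET = 11
ATTR_ARCHIVE = 0x20
ATTR_DEVICE = 0x40
ATTR_LFN = 0x0F  # long-file-name entries reuse the name bytes; never patch those
AUTORUN_83 = b"AUTORUN INF"
ATTR_NAMES = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
              0x08: "volume-label", 0x10: "directory", 0x20: "archive",
              0x40: "device", 0x80: "reserved"}


def describe_attrs(attr):
    """Names of the flag bits set in one attribute byte, lowest bit first."""
    return [name for bit, name in sorted(ATTR_NAMES.items()) if attr & bit]


def find_autorun_entries(image):
    """Offsets of short entries named AUTORUN.INF.

    Directory entries sit on 32-byte boundaries of the volume, so an image
    that starts at the volume's first sector can be walked in 32-byte steps
    (this is the entry the HxD search for 'AUTORUN' lands on)."""
    hits = []
    for off in range(0, len(image) - ENTRY_SIZE + 1, ENTRY_SIZE):
        if (image[off:off + 11] == AUTORUN_83
                and image[off + ATTR_OFFSET] != ATTR_LFN):
            hits.append(off)
    return hits


def inoculate(image):
    """Return (patched_image, report): clear the archive bit and set the
    device bit on every AUTORUN.INF entry, the 20 -> 40 edit from the steps."""
    buf = bytearray(image)
    report = []
    for off in find_autorun_entries(buf):
        before = buf[off + ATTR_OFFSET]
        after = (before & ~ATTR_ARCHIVE & 0xFF) | ATTR_DEVICE
        buf[off + ATTR_OFFSET] = after
        report.append({"offset": off, "before": before, "after": after})
    return bytes(buf), report


def is_inoculated(image):
    """True when an AUTORUN.INF entry exists and every one carries the device bit."""
    hits = find_autorun_entries(image)
    return bool(hits) and all(image[o + ATTR_OFFSET] & ATTR_DEVICE for o in hits)


def make_entry(name83, attr, first_cluster=0, size=0):
    """Build a 32-byte short entry (timestamps zeroed) for the constructed image."""
    entry = bytearray(ENTRY_SIZE)
    entry[0:11] = name83.encode("ascii").ljust(11)
    entry[ATTR_OFFSET] = attr
    struct.pack_into("<H", entry, 20, first_cluster >> 16)     # cluster high word
    struct.pack_into("<H", entry, 26, first_cluster & 0xFFFF)  # cluster low word
    struct.pack_into("<I", entry, 28, size)                    # file size
    return bytes(entry)


# Constructed root directory: a text file, the empty autorun.inf the steps
# told you to create, and a subdirectory.
SAMPLE_IMAGE = b"".join([
    make_entry("BACKUP  TXT", ATTR_ARCHIVE, first_cluster=3, size=120),
    make_entry("AUTORUN INF", ATTR_ARCHIVE, first_cluster=4, size=0),
    make_entry("PHOTOS     ", 0x10, first_cluster=5),
])

if __name__ == "__main__":
    patched, report = inoculate(SAMPLE_IMAGE)
    for r in report:
        print("entry at 0x%04x: %02X (%s) -> %02X (%s)" % (
            r["offset"], r["before"], "/".join(describe_attrs(r["before"])),
            r["after"], "/".join(describe_attrs(r["after"]))))
    print("inoculated:", is_inoculated(patched))
```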
For those of you without XP or an alternate operating system, there are tools that
some vendors provide to inoculate your USB flash drive autorun.inf. Panda produces
a free utility called USB Vaccine that creates an unwritable autorun.inf file on the
drive. The software and user guides are available on their Web site. They have also just released an NTFS beta version for USB flash drives that are formatted in this manner.Q
Antimalware
The anti-malicious code market has been steadily growing for well over a decade.
Anti-virus, Trojan, spyware, adware, and rootkit products are abundant, and most
provide an adequate amount of protection. Many new players have entered this game,
often finding their niche when these new threats arise. Most established AV vendors
deem spyware, adware, and rootkits as separate entities, thus requiring additional cleaning engines or components. These existing vendors are often slow to acknowledge fresh adaptations, leaving room for these startups to become viable players in the market. Lately, many of the top vendors such as Trend Micro, Symantec, and McAfee now include features to fight against these updated threats. You can visit the Anti-Spyware CoalitionR Web site to validate standards, participating members, and updated developments in the area of spyware prevention.
Figure 3.12 HxD AUTORUN Search Results with Applicable Bytes Highlighted
P. https://security-shell.ws/showthread.php?t=26372
Q. http://research.pandasecurity.com/archive/Panda-USB-Vaccine-with-NTFS-Support.aspx
EPIC Fail
Reliance on AV alone can leave you susceptible to USB and other attacks as demonstrated
in Chapter 2, “USB Switchblade.” Use of a firewall, heuristic-based engines,S and adherence to security best practicesT will significantly minimize the risk from these threats.
R. www.antispywarecoalition.org/
S. www.securityfocus.com/infocus/1542
T. www.sans.org/reading_room/whitepapers/bestprac/system_administrator_security_best_practice_657
Figure 3.13 HxD Fill Selection Dialogue with Modified Value
There are numerous vendors who supply free versions of their products for home
and personal use. Many of these can provide ample protection, but only when combined with additional tools, which compensate for areas where these free versions are lacking. Examples of this would be to use the free version of AvastU (AV) with MalwareBytesV (anti-spyware) or AVGW (AV) along with SpybotX (anti-spyware). Those inclined to use free protection products should consider alternating these tools on a regular basis to ensure you have eradicated the highest majority of pesky programs. Free versions often fail to update the engines and filter drivers, which may leave you vulnerable to new forms of attacks. They will still provide updated signatures or definitions, but this may not be enough to fight off the most current viral variants. If you choose to alternate or update AV programs, uninstalling the one being replaced is usually the best option. Some of these programs can conflict with, detect, and inadvertently remove the other, resulting in corruption or a system crash depending on the specific functionality enabled.
U. www.avast.com/eng/avast_4_home.html
V. www.malwarebytes.org/
W. http://free.avg.com/us-en/homepage
X. www.safer-networking.org/en/home/index.html
Whether you are using a free product or have purchased a licensed copy of the
latest and greatest, it is always a good idea to keep up with comparative analyses in
the anti-malware realm. At minimum, annual checkups are recommended on these
products to ensure they continue to meet updated quality and performance criteria. There are several independent organizations that provide this data for consumer
consumption. Included below are some of these organizations and certification
bodies that can be referenced when the need arises.
• AV-Comparatives,Y an Austrian nonprofit organization, provides independent antivirus software tests that are free to the public. To be included in these standard tests, vendors must fulfill various conditions and a minimum set of requirements.
• AV-TestZ includes testing against the latest proficiency and development standards. This company is one of the leading global providers of test scenarios that analyze the effectiveness and behavioral aspects of these security solutions.
• AntimalwareAA provides free public testing results. The choices of test scope and
vendor participants are established by a panel of experts who are not affiliated
with vendors tested against. Paid services are also provided for nonpublic testing
and research.
• ICSA LabsBB is an accredited certification body that performs cryptographic and
security testing and works with security product vendors to help them understand
and meet requirements mandated by the United States and Canadian governments
in order to participate in government markets.
• WestCoastLabsCC is another certification body that provides operational testing
in areas that are structured to satisfy the needs of both clients and the regulatory
authorities to aid operation of the international standards (ISO/IEC 17025:2005).
If you are planning to purchase an AV product or a security suite of tools, be sure
to evaluate their additional features independently. Most vendors are now including bundled products containing firewalls, HIPS, antispam, and other components, which can sometimes be lackluster. Some of these products’ features can also have interoperability issues that complicate normal operation and individual user compatibility.
Be mindful of illegitimate or rogue products and services in this market.DD The
saturation of software in this industry has left much room for fraudulent folks who
peddle their products to unsuspecting victims. These fake healers are often driven
by spam or deceptive advertising and usually masquerade as genuine or well-known
vendors. They commonly deploy invalid detection techniques and produce false
positives, even on clean systems.
Y. www.av-comparatives.org/comparativesreviews/main-tests
Z. www.av-test.org/publications
AA. www.anti-malware-test.com/
BB. www.icsalabs.com/
CC. www.westcoastlabs.com/productTestReports/
DD. www.2-spyware.com/corrupt-anti-spyware
Summary
The days of malicious code isolation on Windows systems are nearly gone. These developers are beginning to code their creations to infect cross-platform or multiplatform
systems. New strains are being cultivated to perform joint task force operations on
Windows, Solaris, Linux, and OS X, and some are now even targeting networking
equipment. Mobile phone–based malware types are another growing trend and will
likely continue to be a major issue moving forward.
Malicious code will continue to keep security vendors and professionals fighting
on their heels into the new decade. Removable media appears to be one of the
many favorite avenues for propagation and shows no signs of slacking off. Proper
precautions must be exercised with removable media on foreign and known systems
alike.
Endnotes
1. www.wired.com/threatlevel/2008/08/virus-infects-s/. Accessed October 2009.
2. http://mtc.sri.com/Conficker/. Accessed October 2009.
3. http://msdn.microsoft.com/en-us/library/aa365748%28VS.85%29.aspx. Accessed November 2009.
How to Recreate the Attack
The most common deployment scenario, given in our previous discussions in
Chapters 1 and 2, “USB Hacksaw” and “USB Switchblade,” respectively, would
be executing the payload of your choice by way of a U3-enabled flash drive. Using
this method, you have the ability to craft a custom ISO enabling any program to run
automatically simply by connecting a U3-compatible flash drive to a computer. Once
again, this is assuming that autorun is enabled and working properly; otherwise,
console access will be required to initiate via manual means.
This section will walk you through the creation of a custom ISO that can be used
to automatically execute a program on a computer using a U3-compatible flash drive.
Here is what you will need to recreate an attack of this sort.
• A scripting tool called AutoIt
• The U3 Universal Customizer tool
• A U3-supported flash drive
• A text editor program
• Icons to label your flash drive
This section will use the U3-enabled flash drive and Universal Customizer program
applied in the previous chapters. Download and install the most recent version
of AutoIt that is available on the Internet (www.autoitscript.com). Once you
have downloaded the package, the following instructions will guide you through the
installation process.
1. Run the AutoIt installation executable, then select Next when prompted, as shown
in Figure 3.3.
2. Ensure you concur with the agreement presented (Figure 3.4) and click I Agree.
3. Select Edit the script when the dialogue box appears as seen in Figure 3.5, then
click Next. This option will prevent accidental execution of the script on your
workstation during testing.
4. There are some script examples that can be installed, as seen in Figure 3.6.
Tip
These are convenient for reference if you are having difficulty understanding the syntax.
They are not required in order to complete the next section, but you may find them useful
at a later time.
5. Click Next to continue the installation as seen in Figure 3.6.
6. Choose a custom location for installation or accept the default as indicated in
Figure 3.7, and click Install.
7. Once the installation completes, click Finish, as illustrated in Figure 3.8.
80 CHAPTER 3 USB-Based Virus/Malicious Code Launch
Figure 3.3 AutoIt Installation Screenshot
Figure 3.4 AutoIt Installation Screenshot
Anatomy of the Attack 81
Figure 3.5 AutoIt Installation Screenshot
Figure 3.6 AutoIt Installation Screenshot
Figure 3.7 AutoIt Installation Screenshot
Figure 3.8 AutoIt Installation Screenshot
Now that the installation of AutoIt is completed, we will begin building the
executable. In this example, we will send predefined text to Notepad, which will
render it on the screen once activated via autorun.
1. Launch AutoIt.
2. Go to File and select New File.
3. On line one, enter Run("notepad.exe")
4. On line two, enter WinWaitActive("Untitled - Notepad")
5. On line three, enter Send("YOU ARE NOW INFECTED WITH THE PINK SLIP VIRUS.{ENTER}NANNY NANNY BOO BOO{ENTER}") or a phrase of your choice
6. On line four, enter Sleep(500)
7. On line five, enter Send("+{UP 2}")
8. On line six, enter Sleep(500)
9. Save the file using “hotfix” as the name.
10. Test the script to ensure it is working as intended by right-clicking the newly
created file and selecting Run Script.
11. If there are any errors, the tool will let you know on what line the problem is
located. The final script should look something like Figure 3.9.
Figure 3.9 AutoIt Example Script
12. Next, we will compile the newly created script into an .exe file. To do this, simply
right-click the script and select Compile Script. You should now see your
file with an .exe extension in the same directory you originally created it.
13. Go to the directory where you extracted the Universal Customizer and copy the
file you just created to the U3CUSTOM folder.
14. Download or choose a benign-looking icon. A good site to go to for this is
www.freeiconsweb.com. This example used an icon called MSN.ico.
15. Next, we will create a custom autorun.inf file that will be used to run your payload.
Open up a new text file and type in the following lines.
[Autorun]
open=HotFix.exe
icon=msn.ico
shell\Open\Command= HotFix.exe
shell\open\Default=1
shell\Explore\Command= HotFix.exe
shell\Autoplay\command= HotFix.exe
label=Microsoft HotFix
16. Save this file as autorun.inf and place it into the U3CUSTOM folder.
17. Next, run ISOCreate.cmd. This file can be found in the root of the Universal
Customizer folder. Press any key to end the script when prompted. An example
of the ISOCreate.cmd is included in Figure 3.10.
18. Insert your U3 USB flash drive.
19. In the root of the Universal Customizer folder, locate and run Universal Customizer.exe.
Execute the program and follow the on-screen steps, accepting the
default options provided in the installation dialogues. Steps 9 to 13 in the “How
to Recreate the Attack” section of Chapter 1, “USB Hacksaw,” provide detailed
directions and screenshot illustrations for these steps.
20. That’s it! Now you’re ready to rock and roll. Eject and insert your U3 drive
into your computer. If everything is properly in place, you should see the image
shown in Figure 3.11.
Figure 3.10 ISOCreate.cmd Example Script
Figure 3.11 Intended Output of the AutoIt Script
Evolution of the Attack
Computer viruses have been a technological nuisance since the inception of the digital
age. The first computer virus is a debatable subject, but some conclude it was
known as the Creeper. This virus was authored by Bob Thomas in the early 1970s.
Creeper was an experimental, self-replicating program that targeted the then-popular
Tenex operating system. It was produced in a lab and was not written for malicious
purposes. Its payload was fairly benign in nature, and infected systems displayed the
message, “I’M THE CREEPER: CATCH ME IF YOU CAN.”K
K http://vx.netlux.org/lib/atc01.html
In 1981, the Rother J virus was one of the first to appear “in the wild.” It attached
itself to the Apple DOS 3.3 operating system. It was written by Richard Skrenta as
a practical joke when he was still in high school. On its fiftieth use, the Elk Cloner
virus would be activated, infecting the machine and displaying a short poem. Skrenta
then decided that it would be funny to put a copy of his “code” on the school computers
and rig it to copy itself onto floppy disks that other students used on the system.
This was how the Elk Cloner virus was released into the wild.L
Agent.BTZ was mentioned previously in the “Invasive Species among Us”
section and will be expanded upon here to exemplify the evolution of similar
strains. This worm includes an additional payload known as a Trojan dropper.
A dropper is recognized as a variety of Trojan that will look to download and
execute other malware once it has infected a system. Upon insertion of the removable
media, the virus will detect the newly recognized drive and then attempt
self-replication to the device. If successful, it will then create an autorun.inf file in
the root of the drive, which tells the system to run the associated malicious code.
When the infected drive is inserted into a virgin host, the operating system will
detect the autorun.inf file and run the payload contained within. Agent.BTZ can
also spread through mapped network drives, but its primary means of propagation
targets removable media.
Agent.BTZ is one of many viruses that have hijacked the removable-media bandwagon.
A vast majority of these have two major concepts in common: the creation of an
autorun.inf file and exploitation of the autorun feature built into the Windows
operating system. The autorun.inf shown below is the content of the file that
W32/Agent.BTZ creates. [RANDOM] represents the various names the worm can
generate for the *.dll file; this is used to evade automated detection and removal
mechanisms.
[autorun]
open=
shell\open=Explore
shell\open\Command=rundll32.exe .\\[RANDOM].dll,InstallM
shell\open\Default=1
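The following Python script is an added example and is not part of the chapter or of the worm. It parses an autorun.inf the way a removable-media scanner might and flags the directives that the two listings in this chapter rely on. The first two samples are the HotFix file built in the previous section and the Agent.BTZ file above, copied from the chapter; the third is a constructed benign file, and the risk rules are the editor's own heuristics rather than any vendor's signature.

```python
"""Audit an autorun.inf for directives that abuse Windows AutoRun/AutoPlay.

Added example. The HotFix and Agent.BTZ samples below are the listings quoted
in this chapter; the risk rules are the editor's own heuristics.
"""
from __future__ import annotations

import configparser
import re
from dataclasses import dataclass

# Directives that run a program as soon as AutoRun honours the file.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command runs when the verb is chosen; shell\<verb>\default=1 makes
# that verb the double-click action; shell\<verb>=<label> renames it in the menu.
VERB_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
VERB_LABEL_RE = re.compile(r"^shell\\[^\\]+$")
VERB_DEFAULT_RE = re.compile(r"^shell\\[^\\]+\\default$")
# Loaders/interpreters commonly used to stage a payload from removable media.
LOLBINS = ("rundll32", "regsvr32", "wscript", "cscript", "mshta", "cmd.exe", "powershell")

R_AUTOEXEC = "auto-executes a program on insert"
R_VERBCMD = "Explorer verb runs a program"
R_VERBLABEL = "custom verb label (can masquerade as a folder action)"
R_DEFAULT = "custom verb made the default double-click action"
R_LOLBIN = "invokes a system loader/interpreter"


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    reason: str


def parse_autorun(text: str) -> dict[str, str]:
    """Return the [autorun] section as {lowercase key: value}; {} if absent/unparsable."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    cp.optionxform = str.lower  # INF keys are case-insensitive on Windows
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "").strip() for k, v in cp.items(section)}
    return {}


def analyze_autorun(text: str) -> list[Finding]:
    """Apply the heuristics above and return every matching directive."""
    findings: list[Finding] = []
    for key, value in parse_autorun(text).items():
        if not value:
            continue  # e.g. Agent.BTZ's empty 'open=' line
        if key in EXEC_KEYS:
            findings.append(Finding(key, value, R_AUTOEXEC))
        elif VERB_CMD_RE.match(key):
            findings.append(Finding(key, value, R_VERBCMD))
        elif VERB_LABEL_RE.match(key):
            findings.append(Finding(key, value, R_VERBLABEL))
        elif VERB_DEFAULT_RE.match(key) and value == "1":
            findings.append(Finding(key, value, R_DEFAULT))
        if any(b in value.lower() for b in LOLBINS):
            findings.append(Finding(key, value, R_LOLBIN))
    return findings


def risk_level(text: str) -> str:
    """HIGH if a directive runs code, MEDIUM for menu/verb tricks only, LOW otherwise."""
    reasons = {f.reason for f in analyze_autorun(text)}
    if reasons & {R_AUTOEXEC, R_VERBCMD, R_LOLBIN}:
        return "HIGH"
    return "MEDIUM" if reasons else "LOW"


# The HotFix file built in "How to Recreate the Attack" (copied from the chapter).
HOTFIX_SAMPLE = r"""[Autorun]
open=HotFix.exe
icon=msn.ico
shell\Open\Command= HotFix.exe
shell\open\Default=1
shell\Explore\Command= HotFix.exe
shell\Autoplay\command= HotFix.exe
label=Microsoft HotFix
"""

# The W32/Agent.BTZ file shown above (copied from the chapter).
AGENT_BTZ_SAMPLE = r"""[autorun]
open=
shell\open=Explore
shell\open\Command=rundll32.exe .\\[RANDOM].dll,InstallM
shell\open\Default=1
"""

# A constructed, benign file: icon and label only, nothing executes.
BENIGN_SAMPLE = r"""[autorun]
icon=setup.ico
label=Vendor Driver CD
"""

if __name__ == "__main__":
    for name, sample in [("HotFix", HOTFIX_SAMPLE), ("Agent.BTZ", AGENT_BTZ_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(f"{name}: {risk_level(sample)}")
        for f in analyze_autorun(sample):
            print(f"  {f.key}={f.value!r}: {f.reason}")
```

Keys are lowercased before matching because Windows reads INF keys case-insensitively, which is why shell\Open\Command and shell\open\Default in the HotFix file are handled the same way. Agent.BTZ's empty open= line produces no finding on its own; the rundll32 verb command, the relabelled verb, and the default flag do.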
As has been previously discussed, this file is responsible for infecting new
systems when the infected USB drive is plugged in. Opening the infected USB drive
will automatically launch rundll32.exe. Once the infected file is executed, it will
copy itself to the locations on the system listed below.
%system%\muxbde40.dll
%system%\\winview.ocx
%temp%\6D73776D706461742E746C62FA.tmp
%system%\system32\mswmpdat.tlb
Winview.ocx, mswmpdat.tlb, and 6D73776D706461742E746C62FA.tmp are log
files whose contents are encrypted. Muxbde40.dll is the virus itself under a
different name. After these files are in place, the virus modifies the following
registry keys.
L www.smh.com.au/articles/2007/09/01/1188671795625.html
HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
    (default) = Java.Runtime.52
HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\
    (default) = C:\WINDOWS\system32\muxbde40.dll
HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\
    ThreadingModel = Apartment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    UpdateCheck = {FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
HKLM\Software\Microsoft\Windows\CurrentVersion\StrtdCfg
HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}\InprocServer32\
Agent.BTZ is just one instance of many USB-focused viruses. The logic behind
most of these is not complicated; in fact, Agent.BTZ is actually a variant of
W32/SillyFDC, which was first discovered back in 2005. Some of the other removable
media viral variants are included in Table 3.1 for reference.M
Conficker is another worm whose variants’ infectivity is extremely prevalent
today. In fact, since it was first detected in November of 2008, the number of infections
has already risen to 7 million.N “Conficker B copies itself as the autorun.inf to
removable media drives in the system thereby forcing the executable to be launched
every time a removable drive is inserted into a system. It combines this with a unique
social engineering attack to great effect. It sets the “shell execute” keyword in the
autorun.inf file to be the string “Open folder to view files” thereby tricking users into
running the autorun program.”2 Conficker is considered a botnet and could easily call
for reinforcing weaponry that can be used toward any attack the authors may deem
necessary.
Table 3.1 Removable media viruses
Removable media viral variants
Worm:W32/Conficker               Worm:Win32/Autorun.BO
Worm:VBS/SillyFDC.F              Worm:Win32/Autorun.RA
Worm:Win32/SillyShareCopy.AC     Worm:AutoIt/Renocide.gen!A
Worm:Win32/Autorun.A             Worm:Win32/SillyShareCopy.E
PWS:Win32/Wowsteal.ZE!inf        Worm:Win32/VB.CD
Worm:Win32/Nuj.A                 Worm:Win32/Emold.B
Worm:Win32/Autorun.PH            Worm:Win32/Slenfbot.ACP
M www.microsoft.com/security/portal
N www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking
Why All the Fuss?
The risks that viruses can present cover a broad spectrum. Loss of data, resources,
time, trade secrets, and personally identifiable data are just a few risks that can be
introduced by malware. This section will highlight the most vicious viral concoction
currently among us and how it might affect your network and data. Botnets are a
recent example that exemplifies most of the hazards malware can and does expose,
often in an undetectable manner.
Botnets
A botnet is nothing more than an instrument cybercriminals use to carry out Internet-based
crime. They closely resemble a Mafia hierarchy whose actions are controlled
by a godfather. Listed below are a few of the possible activities botnets can be programmed
to perform.
• Distributed denial-of-service attacks
• E-mail spamming
• Infecting new hosts
• Identity and credential theft
• Transporting illegal software
• Google AdSense and advertisement add-on abuse
Distributed Denial-of-Service Attacks
A distributed denial-of-service attack (DDoS) is an Internet-based assault that is
delivered from multiple sources (a botnet) to one destination. The goal of these attacks
is to severely impair the victim’s network or Web site in such a way that it can
no longer service legitimate requests. During a large-scale attack, Internet service
provider (ISP) networks can also be affected, resulting in degraded services to their
customers. The botnet master can control a large number of bot computers from a
remote location, leveraging their bandwidth and resources to send session requests
to the intended victim. Botnets are frequently used to carry out these types of attacks
because their sessions closely resemble normal Internet traffic patterns, just in excessive
amounts. Depending on the nature of the attack, it can be hard to filter out what
is and is not bad traffic. The most common tactics that attackers use in DDoS attacks
are TCP SYN and UDP floods.
E-mail Spamming
In the past, whenever you were inundated by spam messages or phishing scams,
you could report the incident to your ISP, who would then track down the source of
the abuse and blacklist the Internet Protocol (IP) address. Spammers realized very quickly
that these tactics were no longer effective. They are now operating their own botnets
or renting existing infections to blast out spam messages. Losing one bot has little
impact on the overall mission if there are thousands of other bots to keep up the pace.
Botnets are an ideal platform for spammers. A single spam message can be sent to
an individual bot and then redistributed to all others, which then relay the spam. This
allows the individuals responsible for the operation to remain anonymous while all
the blame gets transferred to the infected computers.
Infecting New Hosts
Botnets can enlist new recruits to join in the game through social engineering and
the distribution of malicious phishing e-mail messages. These messages could have
infected attachments or maybe an embedded link to a Web site that has a malicious
ActiveX control. Just about everyone who has an e-mail account has seen a suspicious
message in their inbox. The most important thing to remember is that if you do
not know the person who sent the e-mail, it should be deleted, not opened.
Identity Theft
Identity theft is on the rise, and the trends are showing no signs of slowing down.
Identities are bought and sold in online black markets every day throughout the
world. Credit card numbers can be bought for as little as 50 cents while a full identity
complete with social security number, mother’s maiden name, account information,
and passwords can be purchased for less than 20 bucks. Botnets are often used to
gather the majority of this information.
Bots have also been found to use keyloggers and packet sniffers to collect
confidential information being entered or transmitted in clear text. Social security
numbers, credit cards, banking data, gaming valuables, or any other critical credentials
can be easily collected using these tools. If the infected computer uses encrypted
communication channels such as SSL, then sniffing traffic on the victim’s machine is
useless, since the appropriate key to decrypt the packets is not known. This is when
keyloggers come into play. Using these tools, an attacker can collect every keystroke
a user enters, making it very easy to gather sensitive information.
Transporting Illegal Software
Botnets can be used to transfer and store pirated software. They use these areas for
temporary holding tanks that usually contain a slew of illegal material. Everything
from pornography to full operating systems has been found on machines infected
with bot programs.
Google AdSense and Advertisement Add-On Abuse
Google AdSense offers businesses the opportunity to earn revenue by displaying Google
advertisements on their own Web sites. Revenue is generated based on the number
of clicks the ads receive. Botnets can be and are used to artificially increment the
click counters by scripting the process of site visits and viewing the advertisements.
The process can be further improved if the bot program hijacks the start page of the
infected computer so that the clicks are executed each time the user opens his or her
browser. Hosting companies often fall prey to this scam.
Defending against This Attack
According to a study done by brighthub, half of the top 10 viruses of 2009 were
exploiting the Windows autorun feature.O When it comes to protection from USB-based
malicious code, one may choose to tackle the problem from a few different
angles. Each approach has beneficial and detrimental consequences, and these will
be discussed in the remaining sections.
Malicious code currently has two preferred methods of transmission when it
comes to removable media. The first is a technique that involves the infection of
existing executables or files on the removable device. Propagation occurs when the
tainted drive is introduced to a clean machine and the contaminated files are run from
the media by the user. The more popular approach these programs take is to manipulate
or create an autorun.inf file for auto-execution.
The most effective way to prevent USB-based malware from leveraging Windows
autorun features is to prevent a computer from being able to run autorun.inf files
completely. The only drawback of this method is that it will prevent the operating
system from being able to read all autorun.inf files. This includes the convenient
feature built into CDs and DVDs that makes them automagically run as soon as the
operating system detects that they have been inserted. After making this change, a
user of the system will have to navigate the removable media manually in order to
initialize the appropriate program.
By following these steps, you can disable the usage of autorun.inf files completely
from the system. This can be done by adding a key called autorun.inf in the registry
paths included below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping
Add an entry under the newly created autorun.inf key called @. Next, set the
value of the @ entry to “@SYS:DoesNotExist”. Alternately, you can copy the below-
mentioned text to a Notepad file and save it with a .reg extension. Once this file is
created, browse to the saved location and double-click to add the registry value.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
This value tells Windows to treat autorun.inf as if it were a configuration file from
a pre–Windows 95 application. “IniFileMapping” is a key that tells Windows
how to handle .inf files. In this case, it tells the operating system to consult the registry
key shown above for direction when it encounters an autorun.inf file. Since
the “DoesNotExist” key is fictitious, the OS treats the autorun.inf as if it were empty,
so the instructions mentioned in the autorun.inf are not executed.
O www.brighthub.com/computing/smb-security/articles/44811.aspx
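As an added example (not from the chapter), the following Python script produces the .reg file described above, including the “Windows Registry Editor Version 5.00” header line that regedit requires before it will import a file, and audits the text of a reg export of the IniFileMapping key so that exports collected from many machines can be checked offline. The apply_mapping() and verify_mapping() functions make and check the same change through Python's winreg module and therefore only run on Windows with administrator rights; the three export texts at the bottom are constructed samples.

```python
"""Apply and audit the IniFileMapping\Autorun.inf mitigation described above.

Added example, not from the chapter. mapping_status() reads the text of
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping" out.reg
(open the file with encoding="utf-16"); apply_mapping()/verify_mapping() use
winreg and run on Windows only.
"""
from __future__ import annotations

import re

KEY_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
FULL_KEY = "HKEY_LOCAL_MACHINE\\" + KEY_PATH
EXPECTED = "@SYS:DoesNotExist"  # maps every autorun.inf section to a key that does not exist

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_DEFAULT_RE = re.compile(r'^@="((?:[^"\\]|\\.)*)"$')


def make_reg_script() -> str:
    """The .reg file from the text, plus the version header regedit insists on."""
    return (
        "Windows Registry Editor Version 5.00\r\n"
        "\r\n"
        f"[{FULL_KEY}]\r\n"
        f'@="{EXPECTED}"\r\n'
    )


def _unescape(s: str) -> str:
    # .reg string values escape backslash and double quote with a backslash.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def mapping_status(reg_export: str) -> str:
    """'hardened', 'missing' (key absent), 'no-default' or 'unexpected:<value>'."""
    in_target = False
    seen_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            in_target = m.group(1).lower() == FULL_KEY.lower()
            seen_key = seen_key or in_target
            continue
        if not in_target:
            continue
        m = _DEFAULT_RE.match(line)
        if m:
            value = _unescape(m.group(1))
            return "hardened" if value.lower() == EXPECTED.lower() else f"unexpected:{value}"
    return "no-default" if seen_key else "missing"


def apply_mapping() -> None:
    """Create the key and set its (Default) value; needs administrator rights."""
    import winreg  # Windows only
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, KEY_PATH, 0, winreg.KEY_SET_VALUE) as k:
        winreg.SetValueEx(k, "", 0, winreg.REG_SZ, EXPECTED)


def verify_mapping() -> str:
    """Same classification as mapping_status(), read from the live registry."""
    import winreg  # Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as k:
            value, _ = winreg.QueryValueEx(k, "")
    except FileNotFoundError:  # key absent, or present without a (Default) value
        return "missing"
    return "hardened" if str(value).lower() == EXPECTED.lower() else f"unexpected:{value}"


# Constructed exports: a machine with the fix, one without the key, and one whose
# mapping points somewhere other than the fictitious key.
EXPORT_HARDENED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
"""

EXPORT_MISSING = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\example.ini]
@="SYS:Example\\Section"
"""

EXPORT_OTHER = EXPORT_HARDENED.replace("@SYS:DoesNotExist", "@SYS:Autorun.inf")

if __name__ == "__main__":
    for label, text in [("hardened", EXPORT_HARDENED), ("missing", EXPORT_MISSING), ("other", EXPORT_OTHER)]:
        print(f"{label}: {mapping_status(text)}")
```

reg export writes UTF-16 with a byte-order mark, so read the file with encoding="utf-16" before passing it to mapping_status(). A value other than @SYS:DoesNotExist is reported rather than accepted, because a mapping that points at a real key would hand autorun.inf sections back to the system.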
Due to the inconsistencies you might encounter on different types of operating
systems, you may decide that the best strategy for a particular situation would be to
disable features on the USB device itself. Some USB flash drives include a read-only
switch, but they make up the minority of what is on the market and in use today. The
switch does no good if left unengaged, and most users don’t understand its purpose
or realize that it even exists.
If the flash drive is like most, which means having a file system formatted with
FAT32, then there is a simple yet effective method to prevent propagation. If the drive
uses an autorun.inf to provide a specific functionality you desire, do not apply this
fix, as it will render the file and its functions useless. You will need access to a hex
editor for the following steps. A good free hex editor called HxD can be found at the
author’s Web site (http://mh-nexus.de/en/downloads.php?product=HxD).
Warning
You should test these procedures on an empty flash drive. If data exists on the drive, be
sure you have a backup in case corruption occurs.
The following defensive technique must be accomplished on Windows XP or an
alternate operating system due to recent updates with Vista and beyond. For Windows
Vista and greater, a write on a volume handle will only succeed if the drive or volume
is not mounted by a file system or if one of the following conditions is true:
1. Writing occurs on boot sectors.
2. There is any writing to sectors outside of the file system area.
3. FSCTL_LOCK_VOLUME or FSCTL_DISMOUNT_VOLUME has been used to
lock or dismount the volume.
4. The volume or drive does not have a file system. (Mounted as a raw volume.)
The write for a particular disk handle needs only one of the following circumstances
to be true for it to be successful.
1. The sectors that will be written to do not fall inside a volume’s extents.
2. Sectors that will be written to fall inside a mounted volume, but something has
explicitly locked or dismounted the volume by way of FSCTL_LOCK_VOLUME
or FSCTL_DISMOUNT_VOLUME.
3. Sectors that will be written to fall inside a volume that is not mounted or that lacks
a file system, that is, an unmounted or nonformatted volume.3
The conditions listed above will likely prevent you from accomplishing a hex
edit on a USB drive from a Vista system. If you have access to a machine running
XP Professional, fortifying your USB autorun.inf file can be accomplished in a few
steps. Download a hex editor and install it, if you have not done so already. Next, you
will need to insert the USB flash drive and create an empty autorun.inf on the root
of this drive. Once you have done this, follow the instructions below to complete the
process. These instructions were built using the HxD hex editor from an XP system,
so if you are using another editor or operating system, the instructions will be slightly
off, but the concept is still the same.
1. Open the HxD hex editor, then go to the Extra menu, and select Open disk.
Note
Close all other programs or applications that are accessing the USB flash drive.
2. Uncheck the Open as Read-only box, then select your flash drive.
3. Go to the Search menu and select Find, then type AUTORUN in the Search for
window and select OK. Figure 3.12 illustrates what should be found.
4. Ensure you have the value highlighted as seen in Figure 3.12, then select Edit,
then Fill selection. In the Fill selection dialogue, you will find a section called
Hex-values. Change the 20 to 40 in the box provided. The dialogue should now
look like Figure 3.13.
5. Select OK, then Save, and click Yes to the Warning.
6. Close HxD and remove your flash drive.
The value 20 is the archive attribute bit; changing it to 40 sets the device bit instead.
Now, when you browse to the disk, the autorun.inf file can be seen, but
it cannot be deleted, opened, edited, overwritten, or have its attributes changed.P
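To make the hex edit concrete, here is an added Python example (not from the chapter) that decodes the 32-byte FAT short directory entries in a raw dump of a directory, reports whether the AUTORUN.INF entry carries the device bit, and reproduces the 20 to 40 change on a copy of the dump. The directory bytes are constructed in the script with build_entry(); on a real drive they would come from the root-directory cluster that HxD displays, and writing them back is subject to the volume-handle conditions listed above.

```python
"""Decode FAT short directory entries and check/inoculate AUTORUN.INF.

Added example, not from the chapter. Operates on a raw byte dump of a FAT32
directory (the bytes HxD shows around the AUTORUN hit); SAMPLE_DIR is constructed
here with build_entry() so the script runs without a drive.
"""
from __future__ import annotations

import struct

ENTRY_SIZE = 32
ATTR_OFFSET = 11             # attribute byte sits at offset 11 of each 32-byte entry
ATTR_LFN = 0x0F              # long-file-name fragment, not a real file entry
ATTR_ARCHIVE = 0x20          # the "20" byte seen in HxD
ATTR_DEVICE = 0x40           # the "40" the text writes in its place
ATTR_NAMES = {0x01: "READ_ONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x08: "VOLUME_ID",
              0x10: "DIRECTORY", 0x20: "ARCHIVE", 0x40: "DEVICE", 0x80: "RESERVED"}
AUTORUN_83 = b"AUTORUN INF"  # 8.3 name field: 8-char base + 3-char extension, space padded


def name83(filename: str) -> bytes:
    base, _, ext = filename.upper().partition(".")
    return base.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")


def build_entry(filename: str, attrs: int, size: int, first_cluster: int = 3) -> bytes:
    """One 32-byte short entry; timestamps are zeroed since they do not matter here."""
    return struct.pack(
        "<11sBBBHHHHHHHI", name83(filename), attrs, 0, 0,
        0, 0, 0, first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size,
    )


def entries(raw: bytes):
    """Yield (offset, name_field, attrs) for live short entries; stop at the 0x00 end marker."""
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break
        if e[0] == 0xE5 or e[ATTR_OFFSET] == ATTR_LFN:  # deleted entry or LFN fragment
            continue
        yield off, e[:11], e[ATTR_OFFSET]


def attribute_names(attrs: int) -> list[str]:
    return [name for bit, name in ATTR_NAMES.items() if attrs & bit]


def autorun_status(raw: bytes) -> str:
    """'absent', 'present' (ordinary file) or 'inoculated' (device bit set)."""
    for _, name, attrs in entries(raw):
        if name == AUTORUN_83:
            return "inoculated" if attrs & ATTR_DEVICE else "present"
    return "absent"


def inoculate(raw: bytes) -> bytes:
    """Return a copy with AUTORUN.INF's attribute byte set to 0x40, as the hex edit does."""
    buf = bytearray(raw)
    for off, name, _ in entries(raw):
        if name == AUTORUN_83:
            buf[off + ATTR_OFFSET] = ATTR_DEVICE
    return bytes(buf)


# Constructed root directory: volume label, an empty AUTORUN.INF, one document, end marker.
SAMPLE_DIR = (
    build_entry("USBDRIVE", 0x08, 0, first_cluster=0)
    + build_entry("AUTORUN.INF", ATTR_ARCHIVE, 0)
    + build_entry("REPORT.DOC", ATTR_ARCHIVE, 4096, first_cluster=5)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    print("before:", autorun_status(SAMPLE_DIR))
    fixed = inoculate(SAMPLE_DIR)
    print("after: ", autorun_status(fixed))
    for off, name, attrs in entries(fixed):
        print(f"  +0x{off:03x} {name.decode('ascii')!r} {attribute_names(attrs)}")
```

The attribute byte is the twelfth byte of each entry (offset 11), immediately after the 11-byte 8.3 name, which is why the highlighted byte in Figure 3.12 sits right after AUTORUN INF. Long-file-name fragments (attribute 0x0F) and deleted entries (first byte 0xE5) are skipped so that a dump from a volume with mixed-case names is read correctly.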
For those of you without XP or an alternate operating system, there are tools that
some vendors provide to inoculate your USB flash drive autorun.inf. Panda produces
a free utility called USB Vaccine that creates an unwritable autorun.inf file on the
drive. The software and user guides are available on their Web site. They have also
just released an NTFS beta version for USB flash drives that are formatted in this
manner.Q
Antimalware
The anti-malicious code market has been steadily growing for well over a decade.
Anti-virus, Trojan, spyware, adware, and rootkit products are abundant, and most
provide an adequate amount of protection. Many new players have entered this game,
often finding their niche when these new threats arise. Most established AV vendors
deem spyware, adware, and rootkits as separate entities, thus requiring additional
cleaning engines or components. These existing vendors are often slow to acknowledge
fresh adaptations, leaving room for these startups to become viable players in
the market. Lately, many of the top vendors such as Trend Micro, Symantec, and
McAfee now include features to fight against these updated threats. You can visit the
Anti-Spyware CoalitionR Web site to validate standards, participating members, and
updated developments in the area of spyware prevention.
P https://security-shell.ws/showthread.php?t=26372
Q http://research.pandasecurity.com/archive/Panda-USB-Vaccine-with-NTFS-Support.aspx
Figure 3.12 HxD AUTORUN Search Results with Applicable Bytes Highlighted
EPIC Fail
Reliance on AV alone can leave you susceptible to USB and other attacks as demonstrated
in Chapter 2, “USB Switchblade.” Use of a firewall, heuristic-based engines,S and adherence
to security best practicesT will significantly minimize the risk from these threats.
R www.antispywarecoalition.org/
S www.securityfocus.com/infocus/1542
T www.sans.org/reading_room/whitepapers/bestprac/system_administrator_security_best_practice_657
Figure 3.13 HxD Fill Selection Dialogue with Modified Value
There are numerous vendors who supply free versions of their products for home
and personal use. Many of these can provide ample protection, but only when combined
with additional tools, which compensate for areas where these free versions
are lacking. Examples of this would be to use the free version of AvastU (AV) with
MalwareBytesV (anti-spyware) or AVGW (AV) along with SpybotX (anti-spyware).
Those inclined to use free protection products should consider alternating these
tools on a regular basis to ensure you have eradicated the highest majority of pesky
programs. Free versions often fail to update the engines and filter drivers, which may
leave you vulnerable to new forms of attacks. They will still provide updated signatures
or definitions, but this may not be enough to fight off the most current viral variants.
If you choose to alternate or update AV programs, uninstalling the one being
replaced is usually the best option. Some of these programs can conflict, detect, and
inadvertently remove the other, resulting in corruption or a system crash depending on
the specific functionality enabled.
U www.avast.com/eng/avast_4_home.html
V www.malwarebytes.org/
W http://free.avg.com/us-en/homepage
X www.safer-networking.org/en/home/index.html
Whether you are using a free product or have purchased a licensed copy of the
latest and greatest, it is always a good idea to keep up with comparative analyses in
the anti-malware realm. At minimum, annual checkups are recommended on these
products to ensure they continue to meet updated quality and performance criteria.
There are several independent organizations that provide this data for consumer
consumption. Included below are some of these organizations and certification
bodies that can be referenced when the need arises.
• AV-Comparatives,Y an Austrian nonprofit organization, provides independent anti-virus
software tests that are free to the public. To be included in these standard tests,
vendors must fulfill various conditions and a minimum set of requirements.
• AV-TestZ includes testing against the latest proficiency and development standards.
This company is one of the leading global providers of test scenarios that
analyze the effectiveness and behavioral aspects of these security solutions.
• AntimalwareAA provides free public testing results. The choices of test scope and
vendor participants are established by a panel of experts who are not affiliated
with the vendors tested. Paid services are also provided for nonpublic testing
and research.
• ICSA LabsBB is an accredited certification body that performs cryptographic and
security testing and works with security product vendors to help them understand
and meet requirements mandated by the United States and Canadian governments
in order to participate in government markets.
• WestCoastLabsCC is another certification body that provides operational testing
in areas that are structured to satisfy the needs of both clients and the regulatory
authorities to aid operation of the international standards (ISO/IEC 17025:2005).
If you are planning to purchase an AV product or a security suite of tools, be sure
to evaluate their additional features independently. Most vendors are now including
bundled products containing firewalls, HIPS, antispam, and other components,
which can sometimes be lackluster. Some of these products’ features can also have
interoperability issues that complicate normal operation and individual user
compatibility.
Be mindful of illegitimate or rogue products and services in this market.DD The
saturation of software in this industry has left much room for fraudulent folks who
peddle their products to unsuspecting victims. These fake healers are often driven
by spam or deceptive advertising and usually masquerade as genuine or well-known
vendors. They commonly deploy invalid detection techniques and produce false
positives, even on clean systems.
Y www.av-comparatives.org/comparativesreviews/main-tests
Z www.av-test.org/publications
AA www.anti-malware-test.com/
BB www.icsalabs.com/
CC www.westcoastlabs.com/productTestReports/
DD www.2-spyware.com/corrupt-anti-spyware
Summary
The days of malicious code isolation on Windows systems is nearly gone. These
developers are beginning to code their creations to infect cross or multiplatform
systems. New strains are being cultivated to perform joint task force operations on
Windows, Solaris, Linux, and OS X, and some are now even targeting networking
equipment. Mobile phone–based malware types are another growing trend and will
likely continue to be a major issue moving forward.
Malicious code will continue to keep security vendors and professionals fighting
on their heels into the new decade. Removable media appears to be one of the
many favorite avenues for propagation and shows no signs of slacking off. Proper
precautions must be exercised with removable media on foreign and known systems
alike.
Endnotes
1. www.wired.com/threatlevel/2008/08/virus-infects-s/. Accessed October 2009.
2. http://mtc.sri.com/Conficker/. Accessed October 2009.
3. http://msdn.microsoft.com/en-us/library/aa365748%28VS.85%29.aspx. Accessed November 2009.