
Hello!
Today we will talk about the so-called "immunizers" and "vaccinators" that are supposed to protect flash drives from autorun viruses: how they work and whether they are needed at all. And of course we will look at one of the easiest ways to create such a "vaccine" ourselves.
SUPER-MEGA-PROTECTION FROM AUTORUN
Some such slogan accompanies every program of this kind. Naturally: it is claimed that the program can detect any known or unknown infection carried on flash drives, block it, and even modify the file system on the flash drive in a special way so that no such infection can ever take hold again.
Such programs became especially popular after the Kido boom, since flash drives were one of the ways it spread. The impudence of the "utility writers" went as far as charging money for the program; "hackers" immediately appeared who started cracking these programs, and off it went.
Let's now figure out what such a program actually does and whether there is any sense in it.
DETECTION OF INFECTION
In fact, most of these programs consider a flash drive dangerous and "detect an infection" by the mere presence of autorun.inf in the root of the disk. Every time the media is mounted, the system's autostart function is blocked and a search for the dreaded autorun.inf is launched; if one is found, the screams and groans begin.
Particularly advanced programs can analyze the contents of autorun.inf for the presence of the open directive, after which they parse its value and check whether there is a file or folder on the flash drive at that path. If there is, the cry will be deafening. Understandably, this yields a pile of false positives on almost every presentation or installation disc, where autorun.inf is found just about everywhere. In especially "advanced" programs, the files and folders referenced by open are additionally checked for the "hidden" attribute in order to reduce false positives. A great achievement, of course!
It is quite obvious that such contraptions will not protect against file infectors: if there is a program infected with Sality on the flash drive, it will happily infect you when launched, bypassing all the protections. The notorious Stuxnet case would also work without any noise or dust: autorun.inf is not used there at all. In short, sad.
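A cut-down model of the heuristics just described, as an added example that is not code from the original article: it parses a constructed autorun.inf, resolves the open target (and, by assumption, the shellexecute key, which has the same effect) against a simulated drive listing, and escalates the verdict in the order the article gives. It says nothing, of course, about an infected executable that never touches autorun.inf.

```python
import configparser

# Keys that hand an executable to the shell when the media is mounted. "open" is the
# directive the article describes; "shellexecute" is another autorun.inf key with the
# same effect and is treated alike here (assumption).
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return the [autorun] section as lower-cased key -> value, or {} if unusable."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:          # no section header, garbage, etc.
        return {}
    for name in cp.sections():           # Windows matches INI names case-insensitively
        if name.lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in cp.items(name)}
    return {}

def launch_targets(section):
    """Root-relative paths the shell would launch: quotes and arguments dropped."""
    targets = []
    for key in LAUNCH_KEYS:
        value = section.get(key, "")
        if value:
            raw = value[1:].split('"', 1)[0] if value.startswith('"') else value.split()[0]
            targets.append(raw.replace("/", "\\").lower())
    return targets

def assess(drive):
    """Run the escalating checks over a listing: drive maps lower-cased root-relative
    paths to {"hidden": bool, "content": str}. Returns the verdict a 'vaccinator' raises."""
    inf = drive.get("autorun.inf")
    if inf is None:
        return "clean"                   # no autorun.inf: these tools see nothing at all
    for target in launch_targets(parse_autorun(inf.get("content", ""))):
        entry = drive.get(target)
        if entry is None:
            continue                     # dangling reference; common on presentation discs
        if entry.get("hidden"):
            return "launch target present and hidden"
        return "launch target present"
    return "autorun.inf present"

# Constructed listings (not real samples): a harmless installer disc and a suspicious stick.
PRESENTATION_DISC = {"setup.exe": {"hidden": False},
    "autorun.inf": {"hidden": False, "content": "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"}}
SUSPICIOUS_STICK = {"recycler\\x.exe": {"hidden": True},
    "autorun.inf": {"hidden": True, "content": "[AutoRun]\nOPEN=RECYCLER\\x.exe /s\n"}}
```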
Have you been vaccinated against measles?
One of the "special" advantages of the programs under discussion for protection against infected flash media is the so-called "vaccination" of the carrier, after which it supposedly cannot be infected. The essence of vaccination is to create an autorun.inf folder in the root using known file system tricks, as a result of which it cannot be deleted. A file with the same name can then no longer be written to the flash drive, which means that the malware will not be able to autostart.
Alas, this method is feeble a priori: even if autorun.inf cannot be created, all the other malware files will be copied without hindrance, and an inexperienced user can launch them by mistake or simply "to see what it is I've got here".
In addition, all the tricks described are successfully used by malware itself for self-defense (executables are hidden in undeletable folders), and it is naive to believe that virus writers do not know how to get around what they themselves use.
Now let's look at how to create such an "undeletable" folder in practice, without any "vaccinators".
PRACTICE
Long, long ago, last Friday it seems, when speeds were measured in baud, nobody had heard of Mbit/s, and chatting on the phone and sitting on the Internet were two absolutely incompatible activities, there was a glorious prank: a simple archive was taken and patched in a hex editor so that the file inside, which consisted of ten "x" characters, turned into a file of ten to the nth power of "x" characters. The essence of the attack was simple: the archiving algorithm compressed such a homogeneous file extremely well, but when it was sent by e-mail to a client with automatic unpacking, the resulting file completely filled the feeble storage of the time. The result: exactly the mess that was intended. After all, nobody thought about file system limitations back then; just think, owners of 40 MB hard drives were considered kings!
No, I have not gone senile, and in general I am still young and beautiful (hello, girls!), but I remembered all this because our example will be very similar to those ancient methods.
So, we will need:
- WinRAR archiver. I used version 3.93; for the others I cannot vouch.
- 7-zip archiver. In my case, 9.20.04.
- OS Windows XP SP3
- system library mozg.dll
- driver ruki.sys
So, what do we do? It is well known that in Windows the total length of a path together with the file name must not exceed 260 characters. Therefore, when creating deeply nested folders, sooner or later you will have to stop. People who make rips of sites with deep nesting know this well: like it or not, either the folder names have to be shortened or cross-references have to be made. This is the limitation we will use.
Create an empty folder on the disk named autorun.inf and add it to a rar archive using WinRAR. Open the archive in WinRAR and off we go: create another folder inside autorun.inf, then another, and another, until the required 260 characters are used up. At the very end, add something to the archive; even an empty text file will do. That's it, the vaccine is ready!
If you try to unpack the resulting file with WinRAR, the archiver rightly complains:

But 7-zip unpacks the file perfectly and preserves the folder structure. The result: voilà!
1. If the total path length, including folder names and the file name, exceeds 260 characters, the folder will be displayed, but the file cannot be opened, copied or edited. Deleting the folder also fails because the file is not accessible to the system:

The sample file described here behaves this way when unpacked to the root of any NTFS partition.
2. If the total length of the path with folder names exceeds 260 characters even without counting the file name, you simply cannot see the file itself: you will not reach it with Explorer or any file manager. Plus all the sweets of point 1 on top :)
The sample file described here behaves this way when unpacked to the root of any NTFS partition.
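To see which of the two cases a given entry falls into, here is an added example (not code from the original article) that classifies plain Win32 paths against the 260-character limit and reports the ones a MAX_PATH-bound tool would miss. The \\?\ prefix it emits is the Win32 extended-length form that long-path-aware tools use; that choice, and the constructed listing built from the article's folder name, are my assumptions.

```python
# MAX_PATH is 260 and counts the terminating NUL, so an ordinary Win32 path may be at
# most 259 characters; anything longer is out of reach for path-limited code.
MAX_PATH = 260

def classify(path):
    """Sort a plain Win32 path into the article's two cases, or 'accessible'."""
    if len(path) < MAX_PATH:
        return "accessible"
    directory = path.rsplit("\\", 1)[0]
    if len(directory) < MAX_PATH:
        # Case 1: the folder is listed, but the file inside cannot be opened,
        # copied, edited or deleted through MAX_PATH-bound APIs.
        return "file-unreachable"
    # Case 2: the directory itself is past the limit, so the entry is not even listed.
    return "entry-unreachable"

def extended_length(path):
    """Win32 extended-length form (assumption: caller passes an absolute drive path)."""
    return path if path.startswith("\\\\?\\") else "\\\\?\\" + path

def triage(paths):
    """Report every non-accessible path, grouped by case, ready for a manual check."""
    report = {}
    for p in paths:
        verdict = classify(p)
        if verdict != "accessible":
            report.setdefault(verdict, []).append(extended_length(p))
    return report

# Constructed listing mirroring the article's test archive (its 110-character folder name).
LONG = ("Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_"
        "papki_i_faila_poluchilas_bolee_260_simvolov")
ROOT = "D:\\autorun.inf\\"
CASE1 = ROOT + "\\".join([LONG, LONG, LONG + ".txt"])        # folders fit, file does not
CASE2 = ROOT + "\\".join([LONG, LONG, LONG, "payload.txt"])  # folders alone exceed the limit
SAMPLE_LISTING = ["D:\\autorun.inf\\readme.txt", CASE1, CASE2]

if __name__ == "__main__":
    for case, entries in triage(SAMPLE_LISTING).items():
        print(case)
        for entry in entries:
            print("  ", entry)
```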
ADVANTAGES AND DISADVANTAGES
The advantage of all this is knowledge and understanding! But there are infinitely many minuses :) because such a "defense" is easy to deal with. I will not burden you with technical details; I am sure that those who understand them stopped reading this article long ago and are drinking beer and burdening others with technical details :). To put it simply: if we use lower-level access to the system, we can work perfectly well both with the folders and with the hidden file.
This is easy to see with the good old IceSword:

This anti-rootkit sees the entire folder structure perfectly, and its force delete command removes them in one go.
IceSword is no longer supported, but the Chinese do not give up and, in my opinion, have very successfully picked up the baton with XueTr, an anti-rootkit whose name sounds indecent to the Russian ear:

All the same, plus extras: for example, suspicious things are highlighted in red (in our case, the hidden folders and the file) :)
In fact, many tools can see this; I just picked the two examples that were closest to hand.
Separately, it is worth paying attention to the situation when our undeletable folder hides not an ordinary text file but a malicious one. Kaspersky Anti-Virus successfully scans the contents of the folder; it is easy to verify this by unpacking the contents of this archive (inside is not a text file but EICAR) and scanning the resulting folder.
As for the AVZ utility, popular among CIS residents for manual disinfection of infected computers, things are more interesting.
I tried to quarantine and delete the file using the following AVZ script (the already mentioned test1.rar archive was used):
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('D:\autorun.inf\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov.txt','');
DeleteFile('D:\autorun.inf\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov.txt');
BC_ImportAll;
ExecuteSysClean;
BC_LogFile(GetAVZDirectory + 'boot_clr.log');
SaveLog(GetAVZDirectory+'avz_log.txt');
BC_Activate;
RebootWindows(true);
end.
As a result, the direct quarantine and delete commands did not work:
File Quarantine error, attempt to direct reading (D:\autorun.inf\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov.txt)
Quarantine using direct reading - error
File Quarantine error, attempt to direct reading (D:\autorun.inf\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov.txt)
Quarantine using direct reading - error
Deleting a file: D:\autorun.inf\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov.txt
>>> To delete a file D:\autorun.inf\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov.txt must reboot
After the automatic reboot, BootCleaner ran and successfully quarantined the file, but still could not delete it:
Quarantine path: \??\D:\AWZ\Quarantine\2011-01-27\
QuarantineFile \??\D:\autorun.inf\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov.txt - succeeded
QuarantineFile \??\D:\autorun.inf\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov.txt - succeeded
DeleteFile \??\D:\autorun.inf\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov\Mozhno_nazvat_kak_hotite_lish_by_bylo_ochen_dlinno_i_v_itoge_summa_papki_i_faila_poluchilas_bolee_260_simvolov.txt - failed (0xC0000043)
- End -
Thus, we copied the malware, but we could not remove or neutralize it. So I think Oleg Zaitsev still has something to work on :)
FINDINGS
In this review we have seen that almost all existing programs that claim to protect against viruses spreading through flash media do not provide this protection in full. "Vaccinating" or "immunizing" flash drives gives only partial protection, which serious malware bypasses easily.
If you are really interested in protecting yourself against this kind of threat, I recommend simply disabling autorun for all media on your system. This can be done irreversibly (because I am too lazy to remember the default registry settings :)) by importing the registry data from this file, or reversibly, using dedicated programs such as Autorunsettings from Uwe Sieber.