Beyond Autorun: Exploiting Vulnerabilities with Removable Storage

Total Page:16

File Type:pdf, Size:1020Kb

Beyond Autorun: Exploiting Vulnerabilities with Removable Storage Beyond Autorun: Exploiting vulnerabilities with removable storage Jon Larimer [email protected], [email protected] IBM X-Force Advanced Research BlackHat – Washington, DC - 2011 January 18, 2011 Beyond Autorun (v1.0) (c) 2011 IBM Corp. 1 Contents 1. Abstract ..................................................................................................................................................... 5 2. Introduction .............................................................................................................................................. 6 2.1. A brief history of removable storage malware .................................................................................. 6 2.2. AutoRun and AutoPlay ....................................................................................................................... 6 2.3. Stuxnet and the LNK vulnerability...................................................................................................... 7 2.4. Attacks on physical systems ............................................................................................................... 7 3. USB Architecture ....................................................................................................................................... 9 3.1. About USB .......................................................................................................................................... 9 3.2. Host controllers ................................................................................................................................ 10 3.3. Devices ............................................................................................................................................. 10 3.3.1. Hubs .......................................................................................................................................... 10 3.3.2. Functions ................................................................................................................................... 10 3.3.3. Interfaces .................................................................................................................................. 10 3.3.4. Endpoints .................................................................................................................................. 11 3.3.5. Device classes ............................................................................................................................ 11 3.3.6. USB descriptors ......................................................................................................................... 12 3.4. Mass storage class devices ............................................................................................................... 13 3.5. Attacks using the USB protocols ...................................................................................................... 14 3.6. Fuzzing USB drivers .......................................................................................................................... 14 3.6.1. Windows Device Simulation Framework .................................................................................. 15 3.6.2. QEMU/BOCHS ........................................................................................................................... 15 4. USB operation on Windows 7 ................................................................................................................. 16 4.1. USB driver stack ............................................................................................................................... 16 4.1.1. Core stack .................................................................................................................................. 16 4.1.2. Class drivers .............................................................................................................................. 17 4.1.3. USB device recognition ............................................................................................................. 18 4.1.4. The danger of drivers from Windows Update .......................................................................... 20 4.2. Mass storage devices ....................................................................................................................... 21 4.2.1. USB storage port driver and Windows disk class driver ........................................................... 21 Beyond Autorun (v1.0) (c) 2011 IBM Corp. 2 4.2.2. Partition and volume management .......................................................................................... 22 4.2.3. File system drivers .................................................................................................................... 22 4.2.4. Fuzzing filesystem drivers on Windows .................................................................................... 23 4.3. Exploiting USB and file system drivers ............................................................................................. 24 4.4. PnP Manager .................................................................................................................................... 24 4.4.1. Kernel mode PnP manager ....................................................................................................... 24 4.4.2. User mode PnP manager .......................................................................................................... 25 4.5. AutoPlay ........................................................................................................................................... 25 4.5.1. Shell Hardware Detection Service ............................................................................................. 25 4.5.2. ReadyBoost ............................................................................................................................... 27 5. Windows Explorer ................................................................................................................................... 28 5.1. Shell Extension Handlers .................................................................................................................. 28 5.1.1. Registered file types and perceived types ................................................................................ 29 5.1.2. Icon handlers ............................................................................................................................. 30 5.1.3. Thumbnail handlers .................................................................................................................. 32 5.1.4. Image handlers .......................................................................................................................... 34 5.1.5. Preview handlers ....................................................................................................................... 35 5.1.6. Infotip handlers ......................................................................................................................... 36 5.1.7. COM object persistence and type confusion ............................................................................ 36 5.1.8. Fuzzing shell extensions ............................................................................................................ 36 5.1.9. Exploiting shell extensions ........................................................................................................ 36 5.2. Property system ............................................................................................................................... 37 5.3. Folder customization ....................................................................................................................... 38 5.3.1. Shell namespace extensions ..................................................................................................... 39 6. USB operation on GNU/Linux ................................................................................................................. 40 6.1. Core .................................................................................................................................................. 40 6.2. USB interface drivers ....................................................................................................................... 40 6.3. USB mass storage class driver .......................................................................................................... 40 6.4. udev, udisks, D-Bus .......................................................................................................................... 41 6.5. File systems in Linux ......................................................................................................................... 41 7. GNOME and Nautilus .............................................................................................................................. 43 7.1. Automatic mounting of storage devices .......................................................................................... 43 Beyond Autorun (v1.0) (c) 2011 IBM Corp. 3 7.2. Autorun capabilities ......................................................................................................................... 44 7.3. Thumbnailers ................................................................................................................................... 45 7.3.1. Exploiting
Recommended publications
  • The Rise of Autorun- Based Malware by Vinoo Thomas, Prashanth Ramagopal, and Rahul Mohandas Report the Rise of Autorun-Based Malware
    Report The Rise of AutoRun- Based Malware By Vinoo Thomas, Prashanth Ramagopal, and Rahul Mohandas Report The Rise of AutoRun-Based Malware Table of Contents Abstract 3 The Return of Removable-Disk Malware 3 Distribution of AutoRun-Based Malware 4 AutoRun Woes 6 Incomplete autorun.inf cleaning 7 Traditional detection methods 8 Smart removal of autorun.inf 8 Leveraging In-the-Cloud Computing Technology 10 The Road Ahead 11 About the authors 12 Report The Rise of AutoRun-Based Malware Abstract Most people associate today’s computer viruses and other prevalent malware with the Internet. But that’s not where they started. Lest we forget, the earliest computer threats came from the era of floppy disks and removable media. With the arrival of the Internet, email and network-based attacks became the preferred infection vector for hackers to spread malicious code—while security concerns about removable media took a back seat. Now, however, our attention is returning to plug-in media. Over the years, floppy disks have been replaced by portable hard drives, flash media cards, memory sticks, and other forms of data storage. Today’s removable devices can hold 10,000 times more data than yesterday’s floppy disks. Not only can they store more data, today’s devices are “smart”—with the ability to run portable software programs1 or boot operating systems. 2,3 Seeing the popularity of removable storage, virus authors realized the potential of using this media as an infection vector. And they are greatly aided by a convenience feature in operating systems called AutoRun, which launches the content on a removable disk without any user interaction.
    [Show full text]
  • Investigating Powershell Attacks
    Investigating PowerShell Attacks Black Hat USA 2014 August 7, 2014 PRESENTED BY: Ryan Kazanciyan, Matt Hastings © Mandiant, A FireEye Company. All rights reserved. Background Case Study WinRM, Victim VPN SMB, NetBIOS Attacker Victim workstations, Client servers § Fortune 100 organization § Command-and-control via § Compromised for > 3 years § Scheduled tasks § Active Directory § Local execution of § Authenticated access to PowerShell scripts corporate VPN § PowerShell Remoting © Mandiant, A FireEye Company. All rights reserved. 2 Why PowerShell? It can do almost anything… Execute commands Download files from the internet Reflectively load / inject code Interface with Win32 API Enumerate files Interact with the registry Interact with services Examine processes Retrieve event logs Access .NET framework © Mandiant, A FireEye Company. All rights reserved. 3 PowerShell Attack Tools § PowerSploit § Posh-SecMod § Reconnaissance § Veil-PowerView § Code execution § Metasploit § DLL injection § More to come… § Credential harvesting § Reverse engineering § Nishang © Mandiant, A FireEye Company. All rights reserved. 4 PowerShell Malware in the Wild © Mandiant, A FireEye Company. All rights reserved. 5 Investigation Methodology WinRM PowerShell Remoting evil.ps1 backdoor.ps1 Local PowerShell script Persistent PowerShell Network Registry File System Event Logs Memory Traffic Sources of Evidence © Mandiant, A FireEye Company. All rights reserved. 6 Attacker Assumptions § Has admin (local or domain) on target system § Has network access to needed ports on target system § Can use other remote command execution methods to: § Enable execution of unsigned PS scripts § Enable PS remoting © Mandiant, A FireEye Company. All rights reserved. 7 Version Reference 2.0 3.0 4.0 Requires WMF Requires WMF Default (SP1) 3.0 Update 4.0 Update Requires WMF Requires WMF Default (R2 SP1) 3.0 Update 4.0 Update Requires WMF Default 4.0 Update Default Default Default (R2) © Mandiant, A FireEye Company.
    [Show full text]
  • Securing Your Email in 13 Steps: the Email Security Checklist Handbook Securing Your Email in 13 Steps
    HANDBOOK Securing Your Email in 13 Steps: The Email Security Checklist handbook Securing Your Email in 13 Steps overview You’ve hardened your servers, locked down your website and are ready to take on the internet. But all your hard work was in vain, because someone fell for a phishing email and wired money to a scammer, while another user inadvertently downloaded and installed malware from an email link that opened a backdoor into the network. Email is as important as the website when it comes to security. As a channel for social engineering, malware delivery and resource exploitation, a combination of best practices and user education should be enacted to reduce the risk of an email-related compromise. By following this 13 step checklist, you can make your email configuration resilient to the most common attacks and make sure it stays that way. 2 @UpGuard | UpGuard.com handbook Securing Your Email in 13 Steps 1. Enable SPF How do you know if an email is really from who it says it’s from? There are a couple of ways to answer this question, and Sender Policy Framework (SPF) is one. SPF works by publishing a DNS record of which servers are allowed to send email from a specific domain. 1. An SPF enabled email server receives an email from [email protected] 2. The email server looks up example.com and reads the SPF TXT record in DNS. 3. If the originating server of the email matches one of the allowed servers in the SPF record, the message is accepted.
    [Show full text]
  • Hunting Red Team Activities with Forensic Artifacts
    Hunting Red Team Activities with Forensic Artifacts By Haboob Team 1 [email protected] Table of Contents 1. Introduction .............................................................................................................................................. 5 2. Why Threat Hunting?............................................................................................................................. 5 3. Windows Forensic.................................................................................................................................. 5 4. LAB Environment Demonstration ..................................................................................................... 6 4.1 Red Team ......................................................................................................................................... 6 4.2 Blue Team ........................................................................................................................................ 6 4.3 LAB Overview .................................................................................................................................. 6 5. Scenarios .................................................................................................................................................. 7 5.1 Remote Execution Tool (Psexec) ............................................................................................... 7 5.2 PowerShell Suspicious Commands ......................................................................................
    [Show full text]
  • Imail V12 Web Client Help
    Ipswitch, Inc. Web: www.imailserver.com 753 Broad Street Phone: 706-312-3535 Suite 200 Fax: 706-868-8655 Augusta, GA 30901-5518 Copyrights ©2011 Ipswitch, Inc. All rights reserved. IMail Server – Web Client Help This manual, as well as the software described in it, is furnished under license and may be used or copied only in accordance with the terms of such license. Except as permitted by such license, no part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without the expressed prior written consent of Ipswitch, Inc. The content of this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Ipswitch, Inc. While every effort has been made to assure the accuracy of the information contained herein, Ipswitch, Inc. assumes no responsibility for errors or omissions. Ipswitch, Inc. also assumes no liability for damages resulting from the use of the information contained in this document. Ipswitch Collaboration Suite (ICS), the Ipswitch Collaboration Suite (ICS) logo, IMail, the IMail logo, WhatsUp, the WhatsUp logo, WS_FTP, the WS_FTP logos, Ipswitch Instant Messaging (IM), the Ipswitch Instant Messaging (IM) logo, Ipswitch, and the Ipswitch logo are trademarks of Ipswitch, Inc. Other products and their brands or company names are or may be trademarks or registered trademarks, and are the property of their respective companies. Update History December 2011 v12 April 2011 v11.5 October 2010 v11.03 May 2010 v11.02 Contents CHAPTER 1 Introduction to IMail Web Client About Ipswitch Web Messaging Help ..................................................................................................................
    [Show full text]
  • Introduction to Email
    Introduction to Email gcflearnfree.org/print/email101/introduction-to-email Introduction Do you ever feel like the only person who doesn't use email? You don't have to feel left out. If you're just getting started, you'll see that with a little bit of practice, email is easy to understand and use. In this lesson, you will learn what email is, how it compares to traditional mail, and how email addresses are written. We'll also discuss various types of email providers and the features and tools they include with an email account. Getting to know email Email (electronic mail) is a way to send and receive messages across the Internet. It's similar to traditional mail, but it also has some key differences. To get a better idea of what email is all about, take a look at the infographic below and consider how you might benefit from its use. Email advantages Productivity tools: Email is usually packaged with a calendar, address book, instant messaging, and more for convenience and productivity. Access to web services: If you want to sign up for an account like Facebook or order products from services like Amazon, you will need an email address so you can be safely identified and contacted. Easy mail management: Email service providers have tools that allow you to file, label, prioritize, find, group, and filter your emails for easy management. You can even easily control spam, or junk email. Privacy: Your email is delivered to your own personal and private account with a password required to access and view emails.
    [Show full text]
  • Dolphin Power Tools User's with Windows Embedded Handheld 6.5
    Dolphin™ Power Tools with Windows® Mobile 6.X for the Dolphin 6000 Scanphone User’s Guide Disclaimer Honeywell International Inc. (“HII”) reserves the right to make changes in specifications and other information contained in this document without prior notice, and the reader should in all cases consult HII to determine whether any such changes have been made. The information in this publication does not represent a commitment on the part of HII. HII shall not be liable for technical or editorial errors or omissions contained herein; nor for incidental or consequential damages resulting from the furnishing, performance, or use of this material. This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of HII. © 2011 Honeywell International Inc. All rights reserved. Microsoft® Windows®, Windows NT®, Windows 2000, Windows ME, Windows XP, Windows Vista, Windows .NET Framework, Windows ActiveSync®, and the Windows logo are trademarks or registered trademarks of Microsoft Corporation. The Bluetooth® word mark and logos are owned by Bluetooth SIG, Inc. Other product names or marks mentioned in this document may be trademarks or registered trademarks of other companies and are the property of their respective owners. Web Address: www.honeywellaidc.com Table of Contents Chapter 1 - Introduction Dolphin Power Tools Overview............................................................................................1-1
    [Show full text]
  • Entering SMTP Details in REV MESSAGE Dispatcher
    Entering SMTP Details in REV MESSAGE Dispatcher. To Configure using Internet Mail Server (SMTP) to send Emails please do the following. Select the Email (SMTP) option under the Email tab in the Configure window. Then, click on the SMTP Details button to launch the SMTP Settings window. SMTP details Page 1 Entering SMTP Details in REV MESSAGE Dispatcher. In the User Information enter the Sender Name and the Sender E-mail Address. This is what will appear in the ‘From:’ field when the email is received. For example, we use Message Dispatcher for the Name and [email protected] as the E-mail Address SMTP details Page 2 Entering SMTP Details in REV MESSAGE Dispatcher. Example of what it looks like when the email is viewed. SMTP details Page 3 Entering SMTP Details in REV MESSAGE Dispatcher. The next step is to enter the Outgoing Mail Server SMTP (Simple Mail Transport Protocol) address. You can also use an IP address instead, i.e. 118.208.34.220 SMTP details Page 4 Entering SMTP Details in REV MESSAGE Dispatcher. The final step is to enter your outgoing email account and password information that provided to you by your ISP or Network Administrator. SMTP details Page 5 Entering SMTP Details in REV MESSAGE Dispatcher. There’re also Options for Email Attachment Encoding (MIME and UUEncode) and Email Message Format (HTML Mail Format). To send out long URL link in the email (like we have with the Web Interface link) we recommend you to select the HTML Mail Format option. Now, we just need to click on the Accept button to save these settings SMTP details Page 6 .
    [Show full text]
  • A Baseline for XP Boot Changes AAFS - 26 February 2010
    A Baseline for XP Boot Changes AAFS - 26 February 2010 Ben Livelsberger NIST Information Technology Laboratory CFTT Project 1 Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose. 2 Introduction Methodology/Approach Expected Results Analysis/Findings Conclusion 3 Question: What changes on a hard drive when you boot a system? Answer: Sector content of installed devices containing volumes Accessed, write, created date and time metadata Files created Files deleted 4 Build Vanilla XP system not networked Cycle through several boots and shutdowns Image with dd Boot, 2 minutes idle, shutdown, and reimage (5x) Compare images- Linux & perl Analyze differences- perl scripts and SleuthKit Tools 5 Build (vanilla) XP system DCO drive to 12 GB Partitioned 7 GB primary FAT32 2 GB secondary NTFS & 2 GB secondary FAT32 Windows XP Professional SP2 Add user files to secondary partitions 5 files - 2.4 Mb Types: .inf, .pdf, .exe, .ico, & .html 6 2.1 GB secondary NTFS partition.Payload 898,594 of 5 files copied from bootable CD (a 43 unallocated byte autorun.inf, a 17 Kb .pdf, a 2.4 sectors 7.3 GB FAT32 Mb .exe, a 13 Kb .ico, & a 13 Kb .html MBR (boot code, boot partition file). partition table, with XP SP2 Primary extended signature value) installed 2.1 GB secondary partition table + Secondary + 62 sectors) FAT32 partition. 62 sectors) extended partition table + Payload same as 62 sectors) NTFS partition Primary extended Secondary extended partition 7 partition 2.1 GB secondary NTFS partition.Payload of 5 files copied from bootable CD (a 43 byte autorun.inf, a 17 Kb .pdf, a 2.4 7.3 GB FAT32 Mb .exe, a 13 Kb .ico, & a 13 Kb .html boot partition file).
    [Show full text]
  • Asp Net Not Declared Protection Level
    Asp Net Not Declared Protection Level Hewitt never tooth any scarlets forage strenuously, is Izzy psychometrical and sympodial enough? Aroid Noland sometimes challenges any redox capsulize decreasingly. Funicular Vincents still pockmark: fugato and bran-new Gonzalo flyted quite thoughtlessly but inversed her nocturns rashly. Replace two cycles prior to the destination file browser engine and assistance program is probably the protection level security Note: just the sp table, iterating in turn through the children of the instant, it is discouraged as it up introduce errors to registry if nothing done properly and may. Please apply to affirm from constant public gatherings. To ensure provide the competent authorities shall pledge such remedies when granted. Psychosocial predictors for cancer prevention behaviors in workplace using protection motivation theory. We use easily create seperate action methods for act request types. It is quiet usually recommended to redirect all http traffic to https. New York State Update Feb. The full declaration can be viewed here. NCrunch builds fine, Martin Luther King Jr. Pinal Dave is a SQL Server Performance Tuning Expert and an independent consultant. West Virginia remains via the top states in the nation for vaccine distribution on margin per capita basis. Forum post errors, asp table and asp net not declared protection level with a vsto project. This writing help the process protect themselves then other patients. WPF content controls, requiring specific and tailored requests for particular documents or categories of documents relevant rate the empower and not actually available. How would receive do that? Free file explorer extension for Visual Studio. It has grown to lease a protection gun is self experience and vehicle.
    [Show full text]
  • GV-3D1-7950-RH Geforce™ 7950 GX2 Graphics Accelerator
    GV-3D1-7950-RH GeForce™ 7950 GX2 Graphics Accelerator User's Manual Rev. 101 12MD-3D17950R-101R * The WEEE marking on the product indicates this product must not be disposed of with user's other household waste and must be handed over to a designated collection point for the recycling of waste electrical and electronic equipment!! * The WEEE marking applies only in European Union's member states. Copyright © 2006 GIGABYTE TECHNOLOGY CO., LTD Copyright by GIGA-BYTE TECHNOLOGY CO., LTD. ("GBT"). No part of this manual may be reproduced or transmitted in any form without the expressed, written permission of GBT. Trademarks Third-party brands and names are the property of their respective owners. Notice Please do not remove any labels on VGA card, this may void the warranty of this VGA card. Due to rapid change in technology, some of the specifications might be out of date before publication of this booklet. The author assumes no responsibility for any errors or omissions that may appear in this document nor does the author make a commitment to update the information contained herein. Macrovision corporation product notice: This product incorporates copyright protection technology that is protected by U.S. patents and other intellectual property rights. Use of this copyright protection technology must be authorized by Macrovision, and is intended for home and other limited viewing uses only unless otherwise authorized by Macrovision. Reverse engineering or disassembly is prohibited. Table of Contents English 1. Introduction ......................................................................................... 3 1.1. Features ..................................................................................................... 3 1.2. Minimum system requirements ..................................................................... 3 2. Hardware Installation ........................................................................... 4 2.1.
    [Show full text]
  • HUNTING for MALWARE with COMMAND LINE LOGGING and PROCESS TREES Vanja Svajcer Cisco Talos, Croatia [email protected]
    30 September - 2 October, 2020 / vblocalhost.com HUNTING FOR MALWARE WITH COMMAND LINE LOGGING AND PROCESS TREES Vanja Svajcer Cisco Talos, Croatia [email protected] www.virusbulletin.com HUNTING FOR MALWARE WITH COMMAND LINE LOGGING... SVAJCER ABSTRACT Over the years, many detection techniques have been developed, ranging from simple pattern matching to behavioural detection and machine learning. Unfortunately, none of these methods can guarantee users to be fully protected from all types of attacks. This fact is now accepted and many companies, especially medium to large corporations, have established their own in-house security teams specifically tasked with hunting attacks that may have slipped through the cracks of their protection layers. Security operations centres (SOCs) are tasked with collecting, aggregating and analysing large quantities of security data collected from the most valuable organizational assets as well as external threat intelligence data that is used to enrich the context and allow team members to identify incidents faster. When we log Windows events, there are literally hundreds of event types that generate a huge amount of data that can only be analysed using a data analytic platform. Considering the amount of data, which is too large to be handled manually by humans, it is crucial for defenders to know what they should look for in order to reduce the set of data to the point where it can be handled relatively easily by blue team members. One of the data types that can be collected while hunting for new threats is the command line parameters used to launch processes. Logging command lines of executed processes can be a useful second line in detection of unknown malicious attacks as well as in the determination of the root cause of infections during the incident response remediation phase.
    [Show full text]