In most cases, you bought CD/ DVD a software. When you insert the disc into the machine, it will prompt a welcome page, which is provided by the software company. Have you ever browse into the disc and see the content of it? You will soon discover that these CDs/ DVDs which prompt when it is inserted, has a common file with name “autorun.inf” at the root of the disc. Actually, what Windows do is, when a disc is inserted, Windows will detect and read the autorun.inf to see what should be prompt (In the case of USB, Windows will perform the same procedure but with different result). The following is a typical autorun.inf in CD/ DVD.
[AUTORUN]
OPEN=file
ICON=icon.ico
The file assigned to OPEN is the one that you want Windows execute when the disc is inserted, the value in icon attribute is the one that will show in the explorer (when you open Computer, and the icon.ico will be shown as the driver logo of the CD/ DVD). Similarly, we can use the same autorun.inf in USB drive, however, the file assigned to OPEN will not be autorun. Instead, the autorun fuction works only when you double click the icon of the drive in the browser of Computer.
ICON = %SystemRoot%system32SHELL32.dll,3
Back to the situation of USB, when you plug the USB in, which containing the autorun.inf as above, the follow dialog will be prompted. This dialog is called autoplay dialog but not autorun, you can search more information using this keyword.
Autoplay dialog w/ or w/o CD's autorun.inf
You don’t see your expected program is auto execute, why is that? Because Microsoft discovered that auto run feature is a security hole that increase the chance of users being infected, as the popularity of USB keeps increasing. Although we cannot auto run the USB, but we can add something to the dialog above to incite user to execute our programs. The following are some useful entries in autorun.inf that helps to get the work done.
- ACTION: The action entry specifies the text that is used in the autoplay dialog for the handler representing the program specified in the open or shellexecute entry in the media’s autorun.inf file. The value can be expressed as either text or as a resource stored in a binary. For example, in the above dialog, “Open folder to view files”, you can create your own text show in this way on the dialog.
- SHELL\VERB: The shell\verb entry adds a custom command to the drive’s shortcut menu. Here is an example:
shell\open\command=Filename.exe
shell\open=MenuText
By adding these two entries into the autorun.inf file, we can incite users to run what we want them to run and the icon will show in the autoplay dialog as follow. (The red circle is what I added to the autorun.inf)
Added ACTION and SHELLOPENCOMMAND to autorun.inf
The following piece of code is the content of the autorun.inf, I did not need to grab any icon files because I use the one stored in users’ computer, I think we can guarantee this file always exists (SHELL32.dll in system32 folder). There are a lot more entries you can add into the autorun.inf, but I don’t see any of them helps to make the autorun more success. Please let me know if you have any good idea how to work this out more perfectly.
[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,3
open=run.bat
action=Open folder to view files
shell\open\command=run.bat
shellexecute=run.bat
Hope you guys will not be so disappointed about this because I found that there are lots of articles talking about the same method to autoplay the USB.
Reference:
ps. In Vista, even autorun feature in CD/ DVD is disabled. Currently, I don’t have a WinXP so I cannot test it, but before, CD/ DVD is allow to autorun file.
So it becomes a suggestion feature… it goes back to the phishing game.
log0:
Actually there is another way that can autorun USB. Have you heard of U3? It is a company mainly focus on producing autorun portable device. Before they use a technique to make a USB to be a CD, but then many hackers use its products. And now, U3 company uses software to help auto running the USB, not exactly what we want. But there previous approach is a very good direction to focus on.
There are some other ways to infect the victim, but they are also a kind of phishing, I may cover it in the conclusion.