hac.’s Weblog

Just a place to share my life

How to autorun USB? – in Mac OS

Nowadays, more and more PC users are moving to the Mac OS X environment, and infecting Mac OS will become more and more popular in the coming few years. Apple always claims that Mac OS X is virus-free. Yes, that was true while they were still in the PowerPC generation. Once they changed to the Intel architecture, it became easier for virus writers to write code for other operating systems that can also run on Mac OS.

However, Apple noticed long ago that USB autorun is a dangerous thing, even though it is very convenient for users, and the feature was removed from the system a long time ago. As a result, the techniques mentioned in the previous post cannot be used on Mac OS. The only way I think that can be used to infect Mac OS is something like a boot virus, e.g. injecting a jump instruction into the boot sector of the USB storage device.

Instead of describing how the infection can be done, I want to introduce an interesting USB virus (although I think this is a hoax) and some other viruses on the Mac. The USB virus was developed by Troika, an art and design studio located in London. They published a demo of this virus on the web under the name Newton. This virus breaks the Mac OS into pieces, and they claimed that the effect appears only once. Here is the demo of the virus:

The first worm on Mac OS X was discovered in February 2006 and announced by SophosLabs. This worm spreads via the iChat instant messenger, forwarding itself as a file called latestpics.tgz to contacts on the infected user's buddy list. When the latestpics.tgz archive file is opened on a computer, it disguises its contents with a JPEG graphic icon in an attempt to fool people into thinking it is harmless.

“This is the first real virus for the Mac OS X platform,” continued Graham Cluley – Senior Technology Consultant in SophosLabs. “Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as their friends and colleagues running Windows.”

For more detail about this first virus on Mac OS X, please visit this link:

First ever virus for Mac OS X discovered

A single worm was enough to disprove Apple's virus-free promise.

P.S. Apple changed its virus-free statement to “Designed with security in mind, Mac OS X isn’t plagued by constant attacks from viruses and malware. Likewise, it isn’t inundated by never-ending security dialogs.”


How to autorun USB? – in Windows

We know that Windows disables the USB autorun feature by default for security reasons. However, the autorun feature for CDs is still enabled. Before discussing how to make a USB drive “autorun”-able, let’s see how this is done on a CD.

In most cases, you buy software on a CD/DVD. When you insert the disc into the machine, it shows a welcome page provided by the software company. Have you ever browsed the disc to see its contents? You will soon discover that the CDs/DVDs that show a prompt on insertion have a common file named “autorun.inf” at the root of the disc. What Windows actually does when a disc is inserted is detect and read autorun.inf to see what should be shown (in the case of USB, Windows performs the same procedure but with a different result). The following is a typical autorun.inf on a CD/DVD.

[AUTORUN]
OPEN=file
ICON=icon.ico

The file assigned to OPEN is the one you want Windows to execute when the disc is inserted; the value of the ICON entry is the icon shown in Explorer (when you open Computer, icon.ico is shown as the drive icon of the CD/DVD). We can use the same autorun.inf on a USB drive; however, the file assigned to OPEN will not be run automatically. Instead, the autorun function works only when you double-click the drive’s icon in Computer.

ICON = %SystemRoot%\system32\SHELL32.dll,3

Back to the USB case: when you plug in a USB drive containing the autorun.inf above, the following dialog is shown. This dialog is called the AutoPlay dialog, not autorun; you can search for more information using this keyword.

Autoplay dialog w/ or w/o CD's autorun.inf

You don’t see your expected program executed automatically. Why is that? Because Microsoft discovered that the autorun feature is a security hole that increases the chance of users being infected as the popularity of USB keeps increasing. Although we cannot autorun the USB drive, we can add something to the dialog above to incite the user to execute our programs. The following are some useful entries in autorun.inf that help to get the work done.

  • ACTION: The action entry specifies the text that is used in the AutoPlay dialog for the handler representing the program specified in the open or shellexecute entry in the media’s autorun.inf file. The value can be expressed as either text or as a resource stored in a binary. For example, the text “Open folder to view files” in the above dialog is set this way; you can put your own text on the dialog in the same way.
  • SHELL\VERB: The shell\verb entry adds a custom command to the drive’s shortcut menu. Here is an example:

shell\open\command=Filename.exe
shell\open=MenuText

By adding these two entries to the autorun.inf file, we can incite users to run what we want them to run, and the icon will show in the AutoPlay dialog as follows. (The red circle marks what I added to the autorun.inf.)

Added ACTION and SHELL\OPEN\COMMAND to autorun.inf

The following is the content of the autorun.inf. I did not need to grab any icon files because I use the one stored on the user’s computer; I think we can guarantee this file always exists (SHELL32.dll in the system32 folder). There are a lot more entries you can add to the autorun.inf, but I don’t see that any of them helps to make the autorun more successful. Please let me know if you have any good ideas on how to work this out more perfectly.

[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,3
open=run.bat
action=Open folder to view files
shell\open\command=run.bat
shellexecute=run.bat

Hope you guys will not be so disappointed about this because I found that there are lots of articles talking about the same method to autoplay the USB.
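From the defender's side, the same entries are what a removable-media check should look for. The following is an added example, not code from the original post: it parses an autorun.inf and reports entries that launch a program or reuse the built-in dialog label quoted above. The function names and the label watch list are assumptions made for this example.

```python
import re

# Keys from the post that name a program to run.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
# Built-in dialog text quoted in the post; the watch list itself is an assumption.
BUILTIN_LABELS = {"open folder to view files"}

# Constructed sample: the autorun.inf shown in the post.
SAMPLE = r"""[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,3
open=run.bat
action=Open folder to view files
shell\open\command=run.bat
shellexecute=run.bat
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text):
    """Return (key, value, reason) for entries that run code or spoof a label."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS or SHELL_COMMAND.match(key):
            findings.append((key, value, "launches a program from the drive"))
        elif key == "action" and value.lower() in BUILTIN_LABELS:
            findings.append((key, value, "label imitates a built-in AutoPlay entry"))
    return findings


if __name__ == "__main__":
    for key, value, reason in audit_autorun(SAMPLE):
        print(f"{key}={value}: {reason}")
```

The icon entry is deliberately not reported on its own, since legitimate media set it too; it only matters alongside the launch entries.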

P.S. In Vista, even the autorun feature for CDs/DVDs is disabled. Currently I don’t have WinXP so I cannot test it, but before, CDs/DVDs were allowed to autorun files.


How to autorun USB? – An introduction

I have been investigating USB viruses for the past few months. The USB portable drive is one of the most popular removable devices, replacing CDs and floppies (I think no one uses floppies nowadays). Because of its popularity, it has become a target medium for virus writers to infect and to spread their viruses. In my point of view, spreading viruses over USB is a very interesting topic. To fully understand how a USB virus spreads, we should first focus on a more general question: how to autorun USB?

One of the most frequently heard scenarios is, “When I plug the USB into the computer, my anti-virus pops up and says I have been infected!” Sounds very familiar, right? But why does this work? Is it that easy to autorun a USB drive? Not exactly. Here are some facts.

  1. Mac OS disables autorun for all removable devices (USB drives, CDs, floppies). Sometimes you will see that when you insert a VCD/DVD, the OS (also on Windows and *nux systems) automatically runs a video player. This is not autorunning the device; this kind of “autorun” happens because the system detected that the disc is a VCD/DVD.
  2. Early releases of Windows XP allowed USB autorun, but they soon discovered that autorun may cause security issues. Now XP and Vista disable USB autorun by default, but CD autorun remains enabled.

So it sounds like it is not possible to autorun a USB drive. Then how can I do this, or how can a virus infect in this way? Without really autorunning a USB drive, there are a couple of ways to incite the victim into getting infected. This topic is huge (the skills vary across OSes/architectures), so I would like to divide this study into 3 parts: in Windows, in *nux systems, and other methods to spread USB viruses, ending with a conclusion.
