hac.’s Weblog

Just a place to share my life

How to autorun USB? – in Mac OS

Nowadays, more and more PC users are moving into the Mac OS X environment, so infecting a Mac OS will become more and more popular in the coming few years. Apple always claims that Mac OS X is virus-free. Yes, that was true while Macs were still in the PowerPC generation. Once they changed to the Intel architecture, it became easier for a virus writer to write code on another OS that can also run on Mac OS.

However, Apple noted long ago that USB autorun is a dangerous thing, even though it is very convenient for users, and the feature was excluded from the system a long time ago. As a result, the techniques mentioned in the previous post cannot be performed on Mac OS. The only way I can think of to infect Mac OS is something like a boot virus, e.g. injecting a jump instruction into the boot sector of the USB storage device.

Instead of describing how the infection can be done, I want to introduce an interesting USB virus (although I think it is a hoax) and some other viruses on the Mac. The USB virus was developed by Troika, an art and design studio located in London. They published a demo of this virus on the web under the name Newton. This virus breaks the Mac OS desktop into pieces, and they claimed that the effect only appeared once. Here is the demo of the virus:

The first worm on Mac OS X was discovered in February 2006 and announced by SophosLabs. This worm spreads via the iChat instant messenger, forwarding itself as a file called latestpics.tgz to contacts on the infected user’s buddy list. When the latestpics.tgz archive is opened on a computer, it disguises its contents with a JPEG graphic icon in an attempt to fool people into thinking it is harmless.

“This is the first real virus for the Mac OS X platform,” continued Graham Cluley – Senior Technology Consultant in SophosLabs. “Apple Mac users need to be just as careful running unknown or unsolicited code on their computers as their friends and colleagues running Windows.”

For more details about this first virus on Mac OS X, please visit this link:

First ever virus for Mac OS X discovered

Only one worm was needed to disprove Apple’s virus-free promise.

P.S. Apple changed its virus-free statement to “Designed with security in mind, Mac OS X isn’t plagued by constant attacks from viruses and malware. Likewise, it isn’t inundated by never-ending security dialogs.”

Filed under: virus

How to autorun USB? – in Windows

We know that Windows disables the USB autorun feature by default for security reasons. However, the autorun feature for CDs is still enabled. Before discussing how to make a USB drive “autorun”-able, let’s see how this is done on a CD.

In most cases, when you buy software on a CD/DVD and insert the disc into the machine, it prompts a welcome page provided by the software company. Have you ever browsed the disc and looked at its contents? You will soon discover that the CDs/DVDs which prompt when inserted have a common file named “autorun.inf” at the root of the disc. What Windows actually does is, when a disc is inserted, detect it and read the autorun.inf to see what should be prompted (in the case of USB, Windows performs the same procedure but with a different result). The following is a typical autorun.inf on a CD/DVD.

[AUTORUN]
OPEN=file
ICON=icon.ico

The file assigned to OPEN is the one you want Windows to execute when the disc is inserted; the value of the ICON entry is the icon shown in Explorer (when you open Computer, icon.ico is shown as the drive logo of the CD/DVD). Similarly, we can use the same autorun.inf on a USB drive; however, the file assigned to OPEN will not be autorun. Instead, the autorun function works only when you double-click the drive’s icon in the Computer window.

ICON = %SystemRoot%\system32\SHELL32.dll,3

Back to the USB case: when you plug in a USB drive containing the autorun.inf above, the following dialog is shown. This dialog is called the AutoPlay dialog, not autorun; you can find more information by searching for that keyword.

Autoplay dialog w/ or w/o CD's autorun.inf

You don’t see your expected program auto-executing. Why is that? Because Microsoft discovered that the autorun feature is a security hole that increases the chance of users being infected as the popularity of USB keeps increasing. Although we cannot autorun the USB drive, we can add something to the dialog above to incite the user to execute our programs. The following are some useful entries in autorun.inf that help get the work done.

  • ACTION: The action entry specifies the text used in the AutoPlay dialog for the handler representing the program specified in the open or shellexecute entry of the media’s autorun.inf file. The value can be expressed either as text or as a resource stored in a binary. For example, “Open folder to view files” in the dialog above: you can make your own text appear in the dialog this way.
  • SHELL\VERB: The shell\verb entry adds a custom command to the drive’s shortcut menu. Here is an example:

shell\open\command=Filename.exe
shell\open=MenuText

By adding these two entries to the autorun.inf file, we can incite users to run what we want them to run, and the icon shows in the AutoPlay dialog as follows. (The red circle is what I added to the autorun.inf.)

Added ACTION and SHELL\OPEN\COMMAND to autorun.inf

The following is the content of the autorun.inf. I did not need to grab any icon file because I use one stored on the user’s computer, and I think we can guarantee this file always exists (SHELL32.dll in the system32 folder). There are a lot more entries you can add to autorun.inf, but I don’t see any of them helping to make the autorun more successful. Please let me know if you have any good idea how to make this work more perfectly.

[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,3
open=run.bat
action=Open folder to view files
shell\open\command=run.bat
shellexecute=run.bat
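A defender-side check for the entries discussed above, added here as an example and not code from the original post: it parses the [autorun] section of an autorun.inf and reports every entry that would cause a program to run (open, shellexecute, and any shell\verb\command), plus an ACTION string that copies the built-in “Open folder to view files” text, which is what makes the AutoPlay entry look like the default handler. The key names are the ones from the post; the sample autorun.inf is the one shown above, embedded as a constructed string.

```python
"""Audit an autorun.inf for entries that would launch a program.

Added example, not from the original post. It parses the [autorun]
section and reports every key that names something to execute
(open, shellexecute, shell\\<verb>\\command), plus an ACTION string that
mimics the built-in "Open folder to view files" text.
"""
import re

# Keys whose value is a program Windows (or the user, via the AutoPlay
# dialog) would run.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command adds a context-menu command on the drive.
SHELL_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)
# Text Windows itself shows for plain removable storage; a custom ACTION
# equal to it is trying to look like the default handler.
BUILTIN_ACTION = "open folder to view files"


def parse_autorun(text):
    """Return {key_lowercase: value} for the [autorun] section only."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section names are matched case-insensitively ([AUTORUN] too).
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text):
    """Return a list of findings; an empty list means nothing launches."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in EXEC_KEYS:
            findings.append(f"{key} launches '{value}'")
        m = SHELL_COMMAND.match(key)
        if m:
            findings.append(f"context-menu verb '{m.group(1)}' launches '{value}'")
    if entries.get("action", "").lower() == BUILTIN_ACTION:
        findings.append("ACTION text mimics the built-in 'Open folder to view files' entry")
    return findings


# Constructed sample: the autorun.inf from the post above.
SAMPLE = """[autorun]
icon=%SystemRoot%\\system32\\SHELL32.dll,3
open=run.bat
action=Open folder to view files
shell\\open\\command=run.bat
shellexecute=run.bat
"""

if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE):
        print("WARNING:", finding)
```

Run against the sample it prints four warnings: the open, shellexecute and shell\open\command entries all launch run.bat, and the ACTION text is the spoofed default. An icon-only autorun.inf produces no findings, which is the case a removable-media policy should allow through.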

I hope you guys will not be too disappointed about this, because I found that there are lots of articles talking about the same method to autoplay a USB drive.

P.S. In Vista, even the autorun feature for CDs/DVDs is disabled. Currently I don’t have a WinXP machine, so I cannot test it, but previously CDs/DVDs were allowed to autorun a file.

Filed under: virus

How to autorun USB? – An introduction

I have investigated USB viruses in the past few months. The USB portable drive is one of the most popular removable devices, replacing CDs and floppies (I think no one uses floppies nowadays). Because of its popularity, it has become a target medium for virus writers to infect and spread their viruses. In my point of view, spreading viruses via USB is a very interesting topic. To fully understand how USB viruses are spread, we should first focus on a more general question: how to autorun a USB drive?

One of the most frequently heard scenarios is, “When I plug the USB into the computer, my anti-virus prompts and says I have been infected!” Sounds very familiar, right? But why does this work? Is it that easy to autorun a USB drive? Not exactly. Here are some facts.

  1. Mac OS disables autorun for all removable devices (USBs, CDs, floppies). Sometimes you will see that when you insert a VCD/DVD, the OS (also on Windows and *nux systems) automatically runs a video player. This is not autorunning the device; this kind of “autorun” happens because the system detected that the device is a VCD/DVD.
  2. In Windows XP, early releases allowed USB autorun, but Microsoft soon discovered that autorun may cause security issues. Now XP and Vista disable USB autorun by default, but CD autorun remains enabled.

So it sounds like it is not possible to autorun a USB drive; then how can I do this, or how can a virus infect in this way? Without really autorunning a USB drive, there are a couple of ways to incite the victim to get infected. Since this topic is very large (the techniques vary across OS/architecture), I would like to divide this study into 3 parts: in Windows, in *nux systems, and other methods to spread USB viruses, and end with a conclusion.

Filed under: virus

Aho-Corasick – Intro

Anti-virus software is software that attempts to identify, neutralize or eliminate malicious software. In the past, “anti-virus” software only focused on computer virus detection and elimination. Nowadays, however, anti-virus software protects computers from many threats: besides viruses, the software also tries to identify worms, phishing attacks, trojan horses and other malware. In general, there are two different approaches to accomplish this, file content examination and suspicious behavior identification. In the following series of entries, I would like to focus on one of the algorithms used for file content examination.

In other words, file content examination is virus pattern matching. Before going into detail about what pattern matching is, we first need to know what a computer virus is. By a general definition, a virus is a program that recursively and explicitly copies a possibly evolved version of itself, in order to get permission to execute code and write to memory. A virus is a self-automated program that, against the user’s wishes, makes copies of itself to spread to new targets. One way a virus replicates itself is to add a JUMP instruction at the beginning of a victim and the core part of the virus at the end of the victim. Once a user starts an infected file, the program first executes the JUMP, which skips the original procedures in the file and executes the virus in this executable.

As mentioned above, you may notice that most viruses using this naive approach leave the same code in every infected executable. As a result, the most popular and naive virus detection scheme is to perform pattern matching. You can take the infected file as the search text, and we have some patterns of known viruses; let us call this the virus dictionary. This virus detection scheme picks one executable file at a time and checks whether any pattern in the virus dictionary is contained in the executable. If so, the executable is said to be infected.

Let us define the problem in a formal way.

Given a search text S and a set of patterns PS = {P0, P1, …, Pl}, determine whether any pattern occurs in the search text.

If you are familiar with algorithms, the first algorithm you may use to tackle this problem is the Knuth–Morris–Pratt algorithm (KMP). The KMP algorithm runs in O(n+m) time, where n and m are the length of the search text and the length of a pattern respectively. Let z be the number of patterns in the set PS; then the total time it takes to check all patterns is O(z(n+m)), because each time you need to preprocess the pattern before the matching procedure can start and then do the pattern matching based on the result of the preprocessing. If z is very large, this is not acceptable. And of course, with many new viruses released every day, the size of the virus dictionary keeps increasing. So how can we make this detection possible? The algorithm designed by Alfred V. Aho and Margaret J. Corasick may help to solve this problem (in short, it is called the AC algorithm in the following paragraphs).

The aim of the AC algorithm is to solve exactly the problem described above. The algorithm first constructs a trie for the given patterns, then constructs an automaton from this trie. The trie of the patterns can easily be built by inserting the patterns one by one. The algorithm then adds some backward edges to the trie; the aim of the backward edges is to handle the case when a mismatched character occurs. After this preprocessing procedure, the matching procedure becomes trivial and straightforward. In the next post, we will discuss what a trie is and how to construct a trie from a given set of patterns.
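The construction just described, written out as an added example (my code, not the post’s): it builds the trie by inserting the patterns one by one, adds the backward (failure) edges in a breadth-first pass, and then scans the search text once, so the whole thing costs time linear in the total pattern length plus the text length plus the number of hits, instead of the O(z(n+m)) of running KMP per pattern. The sample pattern set and text are the ones used as the example in Aho and Corasick’s paper; the same class also runs over raw bytes, which is how a signature scan over an executable would use it.

```python
"""Aho-Corasick multi-pattern search over a search text.

Added example, not code from the original post. Builds the trie of the
pattern set PS, adds the backward (failure) edges with a breadth-first
pass, then scans the search text S once. Works on str or bytes.
"""
from collections import deque


class AhoCorasick:
    def __init__(self, patterns):
        # goto[state] maps a symbol to the next state; state 0 is the root.
        self.goto = [{}]
        self.fail = [0]    # backward edge taken on a mismatch
        self.out = [[]]    # patterns that end at this state
        for p in patterns:
            self._insert(p)
        self._build_failure_links()

    def _new_state(self):
        self.goto.append({})
        self.fail.append(0)
        self.out.append([])
        return len(self.goto) - 1

    def _insert(self, pattern):
        """Trie construction: walk/extend the path spelling one pattern."""
        state = 0
        for ch in pattern:
            if ch not in self.goto[state]:
                self.goto[state][ch] = self._new_state()
            state = self.goto[state][ch]
        self.out[state].append(pattern)

    def _build_failure_links(self):
        """BFS over the trie. fail[s] is the state spelling the longest
        proper suffix of s's string that is also a prefix of some pattern."""
        queue = deque(self.goto[0].values())   # depth-1 states fail to root
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                # A pattern ending at the failure state also ends here
                # (it is a suffix of s's string), so merge its outputs.
                self.out[s] = self.out[s] + self.out[self.fail[s]]
                queue.append(s)

    def _step(self, state, ch):
        """Follow failure edges until ch can be consumed, then consume it."""
        while state and ch not in self.goto[state]:
            state = self.fail[state]
        return self.goto[state].get(ch, 0)

    def search(self, text):
        """Return (start_index, pattern) for every occurrence in text."""
        hits = []
        state = 0
        for i, ch in enumerate(text):
            state = self._step(state, ch)
            for p in self.out[state]:
                hits.append((i - len(p) + 1, p))
        return hits

    def contains_any(self, text):
        """The detection question from the post: does any pattern occur?"""
        state = 0
        for ch in text:
            state = self._step(state, ch)
            if self.out[state]:
                return True
        return False


# Constructed sample: the example pattern set and text from the
# Aho-Corasick paper, standing in for a virus dictionary and a file.
PATTERNS = ["he", "she", "his", "hers"]
TEXT = "ushers"

if __name__ == "__main__":
    ac = AhoCorasick(PATTERNS)
    print(ac.search(TEXT))             # [(1, 'she'), (2, 'he'), (2, 'hers')]
    print(ac.contains_any("no match"))  # False
```

The output merge in _build_failure_links is the step that is easy to forget: after reading "she" the automaton is in the state for "she", but "he" also ends at that position, and it is only reported because the outputs of the failure state were copied in. For byte signatures, iterating a bytes object yields ints, which work as trie symbols unchanged, so the same class scans executables without modification.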

Should you have any questions or comments, or you discover a mistake I have made, please do not hesitate to tell me.

Filed under: algorithm, virus

Virus-like MSN block checker

Yesterday, my sister played around with a block checker site, which checks which users in your MSN contact list have blocked you.

Once she typed in her user name and password, suddenly all of the users in her list received a meaningless message. What I mean is that the message was definitely not written by her. When I heard about it, my first idea was that she had a virus. After AVG anti-virus took a very, very, very … long scanning process, it did not find any suspicious file. When I asked my sister what site she had visited before getting this virus-like symptom, she showed me the website.

As you may know, there are many MSN block checkers on the Internet. Most of the block checker sites help you query whether the target user is online or not, i.e. if you cannot see him in your online list in MSN, but he is stated as online on these checker websites, it means you have been blocked. Sounds not efficient enough, right? So the block checker site my sister visited tries another approach. It asks for the email address and password the user uses to log in to MSN, and the program on its server contacts the MSN server, fetches the contact list, then sends a message to each user in the list and sees if they receive the message. This is my guess at how it works; I have not verified it yet.

However, before using these block checker applications, you need to consider whether they are secure and innocent enough. According to mess.be, although it may be old news, most of these websites are collecting email addresses for spam or even worse. Some others, like the website my sister browsed, may collect passwords from users, even though they claim they do not. So, be aware of the risk when you are going to use one.

How dangerous the world is!

Filed under: news, spam, virus

New virus ask for ransom

Do you know what encryption is? From our point of view, it should be a good thing to protect your important documents. However, it is a double-edged sword. It really happened: an application on the dark side.

RSA is a public-key encryption algorithm. Encryption algorithms can be divided into two main streams, private-key and public-key. A private-key encryption algorithm uses only one key to encrypt and decrypt the text, sometimes called single-key. In contrast, public-key encryption uses one key to encrypt the text and another key to decrypt it. RSA is a strong encryption algorithm, and the size of the key determines how robust the encryption is. Some experts believe that it would take more than a century to decrypt a message encrypted with a 1024-bit key!

Back to the topic: a very strong encryption is really a double-edged sword. Why do I say so? Because there is a virus, Gpcode.ak, an improved version of Gpcode. What it does is very simple: it uses RSA with a 1024-bit key to encrypt your documents and files, then asks you to buy their decryptor. It is obviously a crime, a kind of kidnapping, asking for your ransom!!

It is a very creative idea to use encryption in such a way, although it is a crime. Nothing always stays on the good side.

Filed under: news, virus