• Shortcuts : 'n' next unread feed - 'p' previous unread feed • Styles : 1 2

» Publishers, Monetize your RSS feeds with FeedShow:  More infos  (Show/Hide Ads)


Date: Wednesday, 30 Sep 2009 21:56
Part of my job involves maintaining a Web application which I wrote almost entirely from scratch. I designed the database, wrote pretty much all of the PHP and HTML, and even put my toe in the water of CSS. A colleague now supports part of the application, but v1.0 was more or less entirely my own work.

Unless, that is, you count the date picker. You know what I mean: the little window which opens on a travel site, say, so you can say when you want to leave and when you want to come back. When I was writing the application, I hadn't yet learned Javascript, so I scoured the Internet looking for a date picker that could do times as well as days, have the week start on a Monday, was multilingual, and free software.

Well, 2 out of 4 ain't bad. I found one which did the first two, scraped together just enough Javascript to allow me to send the day name abbreviations (M, T, W, etc) to it in different languages, and ignored the word 'Copyright' because, well, er, we're non-profit and nobody will find out.

That was nearly four years ago. In the meantime, I've found some things I don't like about it, apart from the fact that I would like our application to go open source and then somebody might just notice that I stole the code. It uses Javascript's date objects, so you can't ask people for their date of birth with it unless you're running a school, because Javascript's dates start at 1/1/1970. And it opens a new document window, which often turns into a tab these days, depending on how the user has set up their browser. So we get support calls: "I can't see the calendar" (as most users call it), and when we look, they've got 35 copies, each in its own tab, as a result of frantic clicking.

Anyway, about a month ago I was on a hotel's site and I noticed that the date picker appeared and disappeared in an instant. (It certainly wasn't the first one I've seen like that, but presumably I was in a receptive mood.) It occurred to me that it was running in a DIV rather than a window. I thought this was brilliant and decided to write my own, so that my application could be "pure" (and people wouldn't open 35 tabs trying to specify a date).

Remembering how much of a hassle it was to use the one which I stole (OK, OK, if you break into someone's house and steal their DVD recorder, you don't get the instruction book), I decided to make my date picker as flexible as possible, so that other people could use it without having to touch the code (although you do need to write a couple of Javascript data declarations yourself).

The result is called AnyDatePicker. I don't know what this means, except that it does let you pick any date in any year from 1582 (the start of the Gregorian calendar) through 9999. It also has a lot of ways to allow you to control exactly which dates and times people can choose; for example, it would be pretty good for a system where people book 15-minute appointments and you have different opening hours for Fridays, weekends, and holidays.

Please feel free to check it out.
Author: "noreply@blogger.com (Nick Brown)"
Send by mail Print  Save  Delicious 
Date: Thursday, 22 Jan 2009 21:59
I learned a new word today: Podslurping.

I've been having fun with StatCounter seeing how many people have been hitting this blog since the Conficker worm made people take the whole business of securing their networks against memory stick worms seriously. (The answer is: about 15000 in the last 7 days.)

One of the sites which referenced my original post was this one at the Postdam Institute for Climate Impact Research in Germany. It notes that with Autorun.inf disabled, Podslurping is made harder.

So what is Podslurping? Well, at its simplest, it consists of plugging a USB storage device (of which an iPod is just one example) into somebody's PC and copying lots of data from its disk, or the network to which the PC is connected. That hardly seems worth giving a name to, but the clever part comes if you automate it. You can write an Autorun.inf file which will start the copy to the USB device as soon as you plug it in, without any need to access the keyboard. All it needs is a reasonable copy program and a few lines of a .BAT file.

So now you literally only need three seconds unsupervised access to the PC on two occasions (one to plug the device in, one to unplug it half an hour later) and you can steal all of the data from it, without having to log in or risk detection by hanging around in the office, leaving a command prompt window open on the screen, etc. If the PC has USB ports on the rear, you don't even have to walk round to the side of the desk where your victim sits; in fact you could probably drop your phone and slip the USB device in while the user is sitting there.

So if you have issues with people potentially stealing data, disabling Autorun might be a useful extra precaution to take.
Author: "noreply@blogger.com (Nick Brown)"
Send by mail Print  Save  Delicious 
Conficker   New window
Date: Thursday, 15 Jan 2009 08:23
This rather unfortunately-titled virus - ask anyone who speaks both French and German ;-) - seems to be "flavour of the month" at the moment.

There is a nice, readable summary of how this virus spreads here.

On our network, we installed the MS08-067 patch to every PC as soon as it became available, and we have Autorun disabled (of course).

That just leaves the problem of the worm, once it's on your LAN, spreading by logging in to the other PCs. I presume from the description that it does the equivalent of
  NET USE \\{pc}\ADMIN$ /USER:{pc}\Administrator {password}
for some set of passwords selected from a dictionary.

Well, as luck would have it, all of our PCs have unique, computer-generated(*) passwords on the local Administrator account. This was a decision we took 12 years ago when we first installed Windows NT 4.0. It was done so that if necessary we could keep any troublesome users from having Administrator privileges (we had decided that by default, Domain Users would be in the Administrators group, after discovering that this was necessary to install a patch for Office, and not being in the Administrators group didn't prevent them accidentally breaking NT anyway). In 12 years we've only had to do this once (and the guy was let go a couple of months later), and we've always wondered if it was really a sensible thing to do, since managing all those 8- or 9-letter random words is quite a bit of work. It looks like we may have found a good reason after all...


(*) Since you ask: we used SET PASSWORD /GENERATE on VAX/VMS.
Author: "noreply@blogger.com (Nick Brown)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 10 Sep 2008 08:31
Very early in the history of interactive logon with passwords, the big brains noticed that if someone was looking over your shoulder, they might see what you were typing. So they decided that whenever any system, anywhere, asks for a password, it has to be replaced by blobs or asterisks.

We've all become so used to this, that we don't realise how inappropriate it is for 99% of our daily interactions with computers. The vast majority of us will never encounter anyone trying to steal our password by looking over our shoulder, but I'm guessing that almost everybody reading this has been locked out of a system, site, or application to which they had legitimate access by a problem caused by not being able to see what you're typing.

There are many reasons why people type the wrong password. They forget which site they're on, they forget that this system forced them to change their password last month, maybe Caps Lock is on, whatever. (If you're typing the right username but the wrong password into a site, you'd better hope that the site managers don't capture your wrong attempts and then try them on other sites which they might learn that you're signed up for...)

It's also possible that your keyboard layout may not be what the operating system thinks it is. All keyboards are electrically identical, so the only way Windows (etc) has to know what the top-left letter key means, is the keyboard settings which you gave it. If someone replaces their QWERTY keyboard with an AZERTY one, without informing the system via some obscure part of the Control Panel, the top-left letter key might look like an A, but the system will see a Q. And the person typing will still see the same blob or asterisk. (In our environment, we use 15 different keyboard layouts, and people tend to move around and take their keyboard with them. And even if they know how to set up the layout for their current Windows session, they usually don't know that they should also change the default layout so that the new keyboard works correctly at logon time as well.)

This "security feature" must cost millions of dollars in helpdesk calls every year. Eevryone who has ever worked on a support phone line has had people call who are "convinced" that they are typing the right password. Sometimes you can get them to type the password in another box and then paste it across, but that's not always possible, and explaining it to a confused user is often a nightmare in itself ("Don't click OK when the password is in the username box!").

It doesn't even make you very much more secure. Someone who really wants to steal your password while being in the same room can observe your keyboard while you type, perhaps keeping up some conversation to distract you, and after a couple of times they'll have a pretty clear idea of your password, especially since so many people choose insecure ones (hmm, did anyone think that maybe some people do that precisely because it's easier to type "rosepetal" than "h4%tfr3q" when you can't see what you've typed?). Now that we all have LCD screens, it's getting harder to sell us the fantasy that someone is parked outside our offices in a van examining the electromagnetic field from our monitor. And of course, the password-stealing spyware inside your PC gets a full view of every keystroke, unobscured by blobs. It's more than slightly ironic that the bad guys can see your password more clearly than you can.

So imagine my delight when I first saw this feature in an admirable free ZIP/RAR program called 7-Zip:










Yesss! Provided of course that there are no spies in the room, you can check the box when opening a password-protected RAR or ZIP file, so that you can see what you're typing in the password box!

Question: why isn't this feature available on every non-military password dialog box in the world?

Author: "noreply@blogger.com (Nick Brown)"
Send by mail Print  Save  Delicious 
Date: Thursday, 04 Sep 2008 15:02
Since Google launched the Beta version of their Chrome browser - it's about 72 hours ago but it feels like a lot longer - we've been getting people asking why we've blocked its download to our corporate network.

The short answer is "because it's not suitable". Sure, it looks great, has better security, Javascript runs fast, etc etc. But it seems like no thought has gone into how one might go about deploying it in a business setting.

First, the only way to get it is by interacting with Google's download site. You get a small installer executable, which then goes back to Google and downloads the rest. During this time, you sit and watch. Is it installing the same code as yesterday? How can you tell? Until we can see a single .MSI file, with the usual command-line parameters allowing for totally silent installation, we can't use this.

Secondly, have you taken a look at where the installer leaves all the files which make up the browser? Well, most of them are in the profile of the user who downloaded it. On an out-of-the-box version of XP this means that your Web browser is in C:\Documents and Settings\username\Local Settings\etc etc etc. This is a disaster in many corporate environments which use roaming profiles, because they typically have fairly strict retention policies about how long old profile copies are allowed to remain on PCs. Although it could have been worse (Chrome could have installed into some other directory at the top of the profile rather than "Local Settings", thus entering the roaming part of the profile and being copied to the server when you log off), this means that in practice you're going to have multiple copies of the browser per PC, but with each individual user losing access to it every time the local profile copy is cleaned.

I wish that this was the first time we'd seen this sort of problem, but it isn't. Although "consumer" products (such as the iPhone and iPod, or any Google application you can name) tend to be the worst offenders in terms of treating your entire PC as if they own it, some business software publishers are not far behind. I hope the person who decided to place Adobe Bridge's file cache in the roaming part of the user profile is reading this.

In mitigation, perhaps I should mention that it took Microsoft about 6 years from the release of Windows NT 4.0 to get their programmers to understand the consequences of roaming profiles. Most MS products now do the right thing, although some are still quick to impose their own view of the world on "User Shell Folders" registry entries if the network is a little slow, with potentially "hilarious" consequences for unsuspecting users who didn't realise that all their new documents are being chucked into an unbacked-up directory on the local hard disk instead of their network drive.
Author: "noreply@blogger.com (Nick Brown)"
Send by mail Print  Save  Delicious 
Date: Monday, 31 Mar 2008 20:19
Ever since Microsoft started the whole "Patch Tuesday" thing, we've been very cautious about rolling out patches (it seems like every 3 months or so, there's one patch which breaks something). Here's what we do:

- Read the descriptions to see which "critical" patches are really critical (almost none), which are probably worth installing (about half), and which are about as much use as a lottery ticket - for example, protecting you from malicious, individually targetted Excel sheets (the other half).

- Add these patches to the post-installation procedure which runs when we reinstall Windows. We do this about 300 times a year on our 2000 PCs, so after a month we have 25 or so PCs running the patches and there's a reasonable chance that we would know if a new patch was breaking something major.

- We don't push patches to all the PCs unless we think there's a credible threat of a major malware outbreak. Since MS-Blast and Sasser, there hasn't been anything very damaging, but about twice a year we decide to take the "sky is falling" threats a little more seriously. It's a good test of our patch push system, anyway. (Update 2009-01-20: we started pushing MS08-067 on the day it appeared, because there seemed to be a credible threat. In the three months since then, we have managed to patch about 98% of our PCs. The limiting factor is that we have laptops which people don't bring into work very often, and a few PCs which are very rarely switched on, partly due to our organisation's sometimes Kafkaesque staffing rules.)

All that's fine, but we still found ourselves removing three or four trojans a week. Most of these are (of course) undetected by anti-virus scanners, either because they are rootkits or because the scanner isn't up to date (sometimes we identify malware before the excellent VirusTotal has even a single scanner which can detect it).

I started to think about generic ways to fix this - perhaps involving patching browser executable files so that the offending Javascript functions don't work, like I did 8-9 years ago with a tool called ATLAS-T to patch Microsoft Word to eliminate macro viruses - but then I read an article about the number of malware links served up by search engines, which said that most of the techniques used by these trojans exploit IE vulnerabilities for which patches exists.

So we decided to try an experiment. We applied all of the current patches (including the various ones for IE6) to 20% of our PCs (all of which run XP). Over the next couple of weeks we noticed that none of the trojans which appeared, were on patched PCs. We've now patched 95% of our PCs and trojans, etc have practically disappeared.

There was a downside, however. At least one Access application stopped working due to an authentification DLL being replaced "for security reasons", and since only about 5 PCs run this particular application, we didn't spot it until half the PCs were patched. The solution was to pretend that the patch was in place - our home-brew procedure looks for %SystemRoot%\KBnnnnnn.LOG and if it finds it, assumes the patch is installed, so we just create a fake log file on the PCs which run this application. But it will probably need rewriting before we push IE7 out to our desktops.

So, for once, the obvious advice ("keep your PC up to date with patches") actually has some use. Does it justify buying software to do it? Of course not (we do everything from distributed command-line scripts), but it may save you some malware cleanups, and the damage to the stability of your application platform by the patches may be sufficiently limited to actually make the whole thing worthwhile.
Author: "noreply@blogger.com (Nick Brown)"
Send by mail Print  Save  Delicious 
Date: Friday, 11 Jan 2008 19:48
I'm not a big fan of malware reporting in the media - generally it comes down to flacking press releases of the "sky is falling, buy our software" variety from some A/V company's marketing manager with a quota to meet - but I did take note of this article on the BBC's site.

Turns out that somebody has finally made what I would call a true rootkit: malware that loads from the master boot record (MBR) before the OS loader and, if the stealth is done right, will be completely invisible to anything downstream.

Although there's a pretty tight limit to what you can hide in the MBR (446 bytes of code, if I remember my DOS-based virus studies from the early 1990s), the malware can also probably take advantage of the rest of track 0, which on a modern multi-GB disk could be pretty big.

So, if your anti-virus toolkit currently contains Rootkit Revealer, a spare bootable copy of Windows, and some registry hacks to get persistent malware files to die, you might also want to keep a DOS floppy handy. If FDISK /MBR doesn't work, you might wish you'd saved a copy with BOOTSEC (a utility I've used more or less every day since 1994) so you could restore it later.
Author: "noreply@blogger.com (Nick Brown)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 28 Nov 2007 22:00
OK, so I googled myself, and I was second on the list. I'm not this Nick Brown (PHP is more my style than ASP). And I'm definitely not this Nick Brown.
Author: "noreply@blogger.com (Nick Brown)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 28 Nov 2007 21:02
If you're interested in why software goes wrong - and anyone who uses a computer for anything more than reading the occasional e-mail should be - then there are a couple of classic books you should have read by, say, December 30.

The first, little-known but very accessible, is "Digital Woes: Why We Should Not Depend on Software" by Lauren Ruth Wiener. This is about 14 years old and hardly mentions the Internet (!), but it is extremely readable and gives a good insight into the organisational issues around software projects. Anyone who buys software or IT services, and especially anyone who is the business owner of an IT project, should have read this book thoroughly before the salesperson from EDS, CSC, or IBM drops by.

If you're in software development, you could then move on to the daddy of all books on writing software, "The Mythical Man-Month: Essays on Software Engineering" by Frederick P. Brooks. Although most people under 40 will struggle to understand some of the technical references, and some of the suggestions have been made obsolete by hardware improvements, the general principles of how software development works are still as valid as they were 32 years ago when the first edition of the book appeared. My favourite quote: "Adding people to a late project, makes it later". If you can get your pointy-haired boss to understand that, you're half-way there.
Author: "noreply@blogger.com (Nick Brown)"
Send by mail Print  Save  Delicious 
Date: Sunday, 11 Nov 2007 21:42
The first person to link to my blog was Steve Riley, who gets paid to "do security". It was nice of him to mention my AUTORUN.INF hack, even if he didn't recommend it (for reasons I didn't quite gather).

Anyway, while flicking through the archives of Steve's blog, I found this article which questions the whole need for anti-virus software. Yesss!

Having steered a corporate network through three major software generations over the last 17 years, without spending a penny on anti-virus software in that time, I can confirm that you don't need anti-virus software. Not just on your own PC, gentle technically-aware reader; not on your users' PCs, either.

We currently have 1800 PCs, all running XP SP2, with all users having administrator privileges, allowed to install more or less any software they want, allowed to visit most Web sites (except for a few which we've specifically blacklisted for hosting malware), and we have not had a single report that any user has lost a single byte of data to a virus, in all that time, going right back to DOS 3.3 and Digital Pathworks.

Steve tries to suggest that this approach may not be for everybody, although I suspect he's just trying to sound like he's being less radical than he is - kind of like those non-religious people who can't actually bring themselves to say that they're atheists (this is a simile, please don't write in about it). He has hit the nail on the head: if your anti-virus software doesn't ever detect anything, what use is it? Other bloggers tip-toeing around this subject, but not quite ready to fully admit their apostasy in public, are Adam Vero (who, I suspect, has become a non-believer, but - probably correctly - doesn't think his customers are ready for such a drastic step), and Aaron Margosis, who has a "lite" approach (he suggests you don't need an anti-virus if your users don't have administrator privileges).

To me, installing anti-virus software because you're afraid of viruses, is like hiring a retired, but very dumb, police officer to stand guard in your home 24/7 because you're afraid of burglars. Every time any member of your family tries to move from one room to another, they get asked for ID. No ID, no place at the dinner table. And because your oldest kid's name is "Lexy" (geddit?), she gets extra-special treatment: a strip-search every morning when she gets up, to make sure she didn't get converted into a burglar during the night.

I wouldn't object so much, if viruses were even 1% as terrible things as people make out. I know users who would rather have a sudden, unrecoverable, scrape-the-platters hard drive crash, than the idea that any form of worm, virus, or trojan is on their PC. Strange, since pretty much the worst a virus can do is trash all your data (yes yes, I know it could e-mail your grocery list to some randomly-selected guy in Latvia), which is the same thing, and oh yes, modern viruses don't do that. In fact they don't do very much damage to their "host" PC; if they did, rather less that 25% of the world's PCs would be in botnets, because their owners would have noticed and done something about it.

The only bits of malware to have caused significant disruption to our network were the "MS-Blast" and "Sasser" worms. And guess what? Because they exploited a vulnerability in Microsoft's DLLs, anti-virus software didn't work (except, perhaps, to clean them up, which in any case was a one-line registry entry). People flooded to their anti-virus vendor's site, to be told "get the security patches from Microsoft". You paid the cop every day for a year, but he couldn't protect you from a burglar who wore a very small mask.

Talking of disk crashes: we change between 3% and 5% of our PC hard drives every year. We try to get to at least half of them before they die (by monitoring certain disk-related system events), but we know that of the 1800 PCs on our network, about 35 will experience sudden and irreversible disk death. We don't worry too much, because our users keep all their important data (by definition) on network drives. But if users do want to keep data locally, the backups which they make (!) are also useful protection against the day when the evil mega-virus makes the inter-species crossover (the one from "Hollywood" or "the marketing department of anti-virus companies" to "the real world").

So, put up the built-in Windows firewall (just in case the next exploit worm gets on to your Intranet), run some daily checks of the key parts of the registry (I'll write up how we do this, one day), submit suspicious files to VirusTotal (on average, after a week, one-third of the virus engines used by that site still don't detect any given virus, in my experience), build your PCs with a separate disk partition which you can boot to clean up malware in the main partition, and above all, stop worrying. You will get some viruses, worms, and trojans on your network, and they won't kill you. In fact, chances are you already do have several bits of malware anyway, because you're trusting that dumb cop to protect you, and he can't recognise 1/3 of the burglars.
Author: "noreply@blogger.com (Nick Brown)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 31 Oct 2007 16:14
A standard way to remove many forms of malware is to remove the registry entry which autoruns them. For example, you might have an entry called windows auto update in HKLM\Software\Microsoft\Windows\CurrentVersion\Run with a value of Activexdebugger32.exe. Once you've determined this executable to be malware, you delete this registry entry, kill the process, delete the executable, and you're done.

But hold on... just refresh the view of HKLM\Software\Microsoft\Windows\CurrentVersion\Run and check that the entry really disappeared. If it didn't, you have some form of self-protecting malware. It could be a real rootkit, a pseudo-rootkit, or just a couple of buddy processes which look after each others' backs.

I won't go into the world of rootkits very far here, except to say that I've yet to see a single example in the flesh of what I would call a real rootkit - that is, one which runs before the OS loader and controls everything. All the ones we've had to deal with on our site are pseudo-rootkits, with the "cloaking" - intercepting API calls and returning fake information to make it look as if the malware isn't there - being done by a boot-time service.

The "buddy processes" which I mentioned might take the form of two or more standard processes, or perhaps a standard malware process plus a DLL loaded at boot (or logon) time, for example via HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. These processes form a kind of "Whack-a-Mole" game; if you kill one, its buddy pops up another. Killing both simultaneously is hard, and killing Winlogon is generally not a good idea anyway.

Anyway, let's say that you have a file like %SystemRoot%\System32\NTOS.EXE which you can't delete or rename, or that you've used Rootkit Revealer and found a pseudo-rootkit using a driver/service file called %SystemRoot%\System32\drivers\ynhqttqd.sys which you can't even see. You have a couple of choices to get rid of them.

You could boot a different OS copy: from a CD, a memory stick, a separate hard disk partition, a separate hard disk altogether (maybe take the infected PC's disk to a different PC), or even MS-DOS 7.0 from diskette with NTFSDOS Pro, depending on how macho you are. Then go in while the system is under "general anaesthetic" and delete the offending files. You can clean up the registry entries which run the malware once you've rebooted.

If you can't do that - notably, if the PC is "far" away, defined as "further than you're prepared to walk", or if the PC can't be rebooted until midnight and you don't want to be around then - you can have Windows rename the files for you at the next reboot. To do this, we're going to use a registry value which is also used by software installation and patch operations, called PendingFileRenameOperations, which lives in the key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. This is a value whose type is REG_MULTI_SZ, which for our purposes means "a list of strings".

Each element of PendingFileRenameOperations consists of a pair of strings. The first is a full path name to a file, with a bit of magic at the start of it; the second is the name name and extension (only) for the file. Here's a sample REGINI file:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    PendingFileRenameOperations = REG_MULTI_SZ \
        "\??\C:\WINDOWS\System32\ntos.exe" "ntos.exe_x" \
        "\??\C:\WINDOWS\System32\drivers\ynhqttqd.sys" "ynhqttqd.sys_x" \


I have no idea what the backslash and two question marks are for at the start of the full path name, but I suggest you leave them in. The backslashes at the end of each line say "we're not done yet" (there's a blank line at the end of the file to say "now we are"). If you use a different command-line tool (other than REGINI) to edit your registry, adjust the syntax appropriately.

Now, when you apply this registry change and reboot, Windows will perform the equivalent of the following good old-fashioned DOS boxcommand prompt commands:

REN "C:\WINDOWS\System32\ntos.exe" "ntos.exe_x"
REN "
C:\WINDOWS\System32\drivers\ynhqttqd.sys" "ynhqttqd.sys_x"

Because this happens really early in the boot process, it's more or less guaranteed to work. (Only a "true" rootkit, running under the OS loader, would prevent it, I think.) About the only thing that might go wrong is if the target filename already exists, which can happen if you didn't clean up after a previous attack. So your first task whern the PC reboots is to delete the various .EXE_X and .SYS_X files.
Author: "noreply@blogger.com (Nick Brown)"
Send by mail Print  Save  Delicious 
Date: Thursday, 25 Oct 2007 16:21
If, for some petty corporate reason like "they don't allow me to change the registry", you can't apply the little hack I wrote about on 23 October, then you can at least protect your memory stick itself. This is also useful if you're lending your stick out to someone who will use it in more than one PC and don't want them catching, then transferring viruses (and blaming you, loudly, to their hosts).

All you do is open the memory stick and create a new folder called AUTORUN.INF. This should prevent most worms/viruses from creating a file of the same name, because when the worm sets out to create this file, it will probably use Windows file system calls which either delete, or truncate to zero, any existing regular file with that name; but those calls don't work for folders. (Of course, now I've blown the secret, I expect the virus writers will add code to do just that. So keep this one to yourself...)
Author: "noreply@blogger.com (Nick Brown)"
Send by mail Print  Save  Delicious 
Date: Tuesday, 23 Oct 2007 17:29
Lately, we've been seeing a lot of worms, and even some genuine viruses (*), coming into our network via USB memory sticks (aka "pen drives"). For those of us who remember the first MS-DOS viruses, which spread almost exclusively via diskette, it's rather nostalgic.

The culprit, of course, is Microsoft's desire to make things "simple" - meaning "automatic" - for Joe Sixpack; there's a fundamental incompatibility between a home entertainment system, which Windows has become, and an operating system for getting work done. (Here's a rule of thumb for you: any time you see stuff which starts without the user asking it to, look for malware to pop up in short order.)

These worms pretty much all reproduce the same way, at least in terms of how they jump to and from PCs. They have an AUTORUN.INF file and an executable of some kind. When you put the stick in the PC, Windows finds AUTORUN.INF "automagically". You can find documentation of some of the possible things which this file can do, but basically, the worm version will either run the executable immediately, or modify the Windows Explorer default behaviour so that the worm will run as soon as you open the stick by double-clicking on it. The executable will make a copy of itself and AUTORUN.INF on all the disk partitions and shared drive connections which it can see, and then open the root folder normally. (This takes a fraction of a second, but you won't notice it.) The executable will then sit around in memory and every time you insert a removable storage volume (such as another memory stick) or map a network drive, it will copy the worm "kit" to it.

Sometimes the executable will live in a fake \RECYCLED folder, which is quite clever because hardly anyone ever opens the recycle bin on a memory stick, and because the folder doesn't contain a real recycle bin structure, the worm will be safe, even if you empty the bin while the stick is in the drive.

Now, in theory you can prevent certain drive types from executing the contents of their AUTORUN.INF files using a registry value (NoDriveTypeAutoRun). But this is hard to do in practice. First, it's a per-user key, which in a corporate environment is harder to manipulate reliably than a per-PC key. Secondly, there are several bugs known for it. And thirdly, a little-known registry key called MountPoints2 contains cached information about every memory stick or other removable device which your PC has ever seen, and that overrides the NoDriveTypeAutoRun value if you insert a volume which the PC already knows about.

The only solution I could find from Microsoft is typically light and nimble: prevent all USB storage from running. This is fine if the aim is to stop people using memory sticks altogether, but didn't you just have a 4GB stick custom-printed for everyone in the company, and tell them to make their own backups on it?

Anyway, there seems to be a solution: a one-shot, quick way to prevent AUTORUN.INF files from being used on a PC, from any medium. My colleague and fellow low-budget Windows hacker Emin Atac thought up the idea, and I spent all of 15 minutes testing it. Now it's your turn (well, "the world is our beta site" works well enough as a corporate mantra for Microsoft).

All you do is to copy these three lines into a file called NOAUTRUN.REG (or anything.REG) and double-click it. Corporate network people can transform it into a script for their favourite command-line registry manipulator, or maybe make it a system policy thingy.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

This hack tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application. IniFileMapping is a key which tells Windows how to handle the .INI files which those applications typically used to store their configuration data (before the registry existed). In this case it says "whenever you have to handle a file called AUTORUN.INF, don't use the values from the file. You'll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key, er, does not exist, it's as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action. Result: worms cannot get in - unless you start double-clicking executables to see what they do, in which case, you deserve to have your PC infected.

The only downside of this is that if you insert a CD with software on it, you have to explore it by hand to find the setup program. Of course, if that means your kids install less software, that could also be considered an upside.

If you want to check that the registry settings of this hack are in place, open Regedit, walk down to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping, and you should see something like this:




















(*) If you don't know the difference, Wikipedia is (probably) your friend.
Author: "noreply@blogger.com (Nick Brown)" Tags: "prevent virus USB memory stick worm conf..."
Send by mail Print  Save  Delicious 
» You can also retrieve older items : Read
» © All content and copyrights belong to their respective authors.«
» © FeedShow - Online RSS Feeds Reader