Source: http://www.dusko-lolic.from.hr/usbwp/
Published: May 25, 2011
Updated: Jun 4, 2011


Protecting USB Flash Drives (thumb drives) from malware

So, it got you too? Don't worry, you are not alone. I was bitten once, shame on you (malware creators)! I was bitten twice, shame on me! There is no saying for the third time; something had to be done.
When large-capacity USB flash drives became widely available at affordable prices, they came as a blessing sent to replace cumbersome CDs and DVDs. But, as is often the case, blessings and curses come in pairs. It turned out that such tiny, portable memory devices are an irresistible breeding ground for all kinds of viruses, worms, trojans and other malware! And not just USB flash drives: any removable storage device soon became a viable target.

Mechanism of infection

To understand the rest of this article, a short explanation is necessary of how USB flash drive infections spread.
We are all familiar with Windows' built-in AutoPlay feature, as almost every CD/DVD makes use of it. The same goes for USB storage devices: plug anything in and a dialog pops up. When mounting any removable storage volume, Windows looks for an AutoRun.inf file in the root of the volume. If found, it is parsed for instructions on how to treat that drive. A very convenient feature by itself, but unfortunately convenient for spreading malware too.
If you plug your USB drive into a computer infected with malware, the nastiness will copy itself to the drive and create an AutoRun.inf referencing itself, waiting for the first opportunity to get autostarted on another computer and infect it too. For the curious, it is explained here in more detail. USB drives are also very susceptible to plain file-infecting viruses that attach themselves to executables, as well as to worms and trojans that pretend to be something else.

This time I'll be careful!

Antivirus software on a computer is a bit like the airbags in a car: it's comforting to know they are there, but you don't actually want to rely on them to save you. That's why you should learn how to handle USB flash drives safely. Luckily, Microsoft has wisely given up on strictly implementing the aforementioned AutoPlay feature. Nowadays, if you plug in a removable AutoPlay-enabled drive, Windows will always ask what to do with it. Then how come computers still get infected? Well, Windows asks just once, and then gives you plenty of opportunities to screw it up later. For example, right after plugging it in, you will probably get a dialog looking like this...

[Screenshot: the Windows AutoPlay dialog shown when the drive is plugged in]

Although it is generally safe to choose Open folder to view files here, bear in mind that a lot of malware exploits this dialog by mimicking the Open folder to view files entry, and if Windows is not up to date it might get you. The recommended practice is to close this dialog altogether and browse the drive with Windows Explorer instead. Windows Explorer can be opened quickly with the Win+E key combination. Navigate through the directory structure only by expanding the tree view (green), and never double-click anything on the right side (red in the following picture)! Each and every computer that picked up something from an infected USB flash drive got it either by autostarting it (rarely) or, much more often, by a careless user double-clicking something he or she should not have. It is also advisable to enable the display of hidden and system files in Windows Explorer, as malware regularly tries to hide itself that way. Likewise, unhiding extensions for registered file types helps a lot in distinguishing a real folder from a worm (extension .exe) that successfully mimics the look of a folder.

[Screenshot: Windows Explorer with the tree view (green) and the file list on the right (red)]

Developing proper habits is the best protection strategy, and with some practice you can open positively infected USB drives with confidence that you won't infect your computer. Always treat your USB flash drives as if they are infected. If they've been around, they most probably are!

Let's start protecting our thumbs

Our goal from now on will be to prevent infection of USB flash drives if possible, to minimize the damage when it happens anyway, and to detect it instantly when the inevitable happens.

Quick thinking might yield an apparently sure-fire solution in the form of a drive with a hardware write-protect switch. Once upon a time manufacturers made these, but not any more. If you manage to get one, it will be from old stock and of inferior capacity and speed. It isn't the definitive solution it may seem to be anyway; read on.

Starting from Windows XP SP2, Microsoft has been thinking the same way. They introduced a registry value that makes all removable drives write protected, as if by a hardware switch. Here it is:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001

Of course, you cannot carry it around on your thumb drive; it has to be entered manually before the USB drive is plugged in. Each letter counts: omit one and your drive is writable without you knowing it until it is too late! Also, in the case of Windows XP, don't forget to check for SP2 before you rely on it! No restart is necessary, and if you later decide to re-enable writing, just change the 1 to 0; not even unplugging and replugging the device is necessary (notice that malware can do this too!). However efficient this may seem, like the hardware switch it won't be useful in many situations, as you will usually want to transfer some data onto the drive while keeping the already present content intact. Later we will learn how to split a USB drive into writable and read-only parts. As the writable part is sure to get infected, let's first work on detection.

At least let me know when my stick is sick!

WARNING: the suggested procedure assumes that there are no user files in the root of the target drive! Move all your files into folders, otherwise they will be deleted. It is generally a bad idea to keep any user files in the root of any drive.
Scroll back and look at the screen capture of the Windows Explorer window above and notice that drive H: shows a custom icon. The AutoPlay dialog presents the same icon. Besides making the drive easily noticeable in the crowded space of Windows drive letters, the icon plays one very important security role. The icon is specified in the AutoRun.inf file in the root of the drive. Malware, if present, would replace our AutoRun.inf with its own, thus phasing out our icon. A missing icon in the usual places is a sure sign that something, somewhere, very probably went wrong! The most basic AutoRun.inf, one that just customizes the drive icon, looks like this:

[AutoRun]
icon=MyIcon.ico

Creating custom icons like the one above is no rocket science; you can draw them with Windows' built-in MS Paint. In Image Attributes specify a bmp image of 32x32 pixels, draw something, ask your children to help (they will be glad to). Place one single black dot in the top-left corner; it will preserve all the other colors (don't ask me to explain here). Save the result as MyIcon.bmp and simply rename it to MyIcon.ico. Technically speaking that isn't an icon file, but Windows could not care less and will display and resize it properly as if it were a real *.ico file. Perfectionists can convert the bmp to a real icon using IrfanView, a free graphics viewer/editor.

One step further: it is not too difficult to create a self-cleaning USB stick. The principle is to keep a backup copy of the original AutoRun.inf somewhere and compare it with the currently active AutoRun.inf. If they don't match exactly, just restore from the backup and indiscriminately wipe everything else. The full protection system we'll be using later contains a tool that can be used independently, named test.bat. To check for infection, start test.bat; if it just closes, everything is OK. If not, you will be warned and offered the option to disinfect. This method is very simple and very effective in protecting the drive itself, yet it doesn't provide any protection for the content of the drive. We can do better.

The real stuff

What I consider the ultimate solution is splitting the USB drive into one completely write-protected, and thus safe, portion, with the rest left available for general use. The tool for achieving this comes from an unexpected source: the TrueCrypt disk encryption software. It can create a virtual encrypted disk within a file container and mount it as a real disk drive. The catch is that the virtual disk can be mounted in read-only mode. Luckily, running directly from a USB flash drive (as a portable application) is something TrueCrypt has been designed for. All that is left to do is to somehow protect the portable TrueCrypt files from becoming infected and to automate everything as much as possible to make it user-friendly.

Setting up the real stuff

Don't be scared off if the following seems a bit too technical; ask someone to help just with setting it up. Once set up and running, you are a mouse click away from rock-solid USB flash drive protection.
First, download the TrueCrypt setup file. These instructions are based on version 7.0a. Install it the usual way into the suggested Program Files folder.
Second, download the Hidden Start utility. We will be using just hstart.exe from the archive hstart.zip. Don't unpack it yet.
Download this archive containing everything else and copy it to the root (the topmost folder) of your USB drive. Extract the content of the archive to the X:\mnt folder (right-click on the archive, choose Extract All..., click Next, Next, Finish). Now extract hstart.exe from hstart.zip to the X:\mnt folder (open the archive by double-clicking, drag the file from it to the X:\mnt folder). Of course, you will be using the actual letter of your USB drive instead of X:.
Start (double-click) 00mount.bat in the X:\mnt folder. Under Windows 7/Vista a familiar UAC dialog will probably pop up asking you for permission to run Hidden Start. Unless it is specifically marked as a Security Warning, it is safe to continue, since it is a signed application. Also ignore the warning that hstart.exe is unprotected; we know it is for now, but it won't be for long.
You will eventually get to the main menu looking like this:

Now enter the command install. Don't look for it in the menu, since it is a hidden command; just type install and press Enter.
If you've done everything right so far, you will be informed of a successful installation. If the installation fails for one of the most common reasons, that will be reported too. Try to remedy the failed step or start carefully from the beginning.
We are almost done. Now it is time to read the TrueCrypt beginner's tutorial and learn how to create an encrypted volume file. When you've learned how, create two encrypted volumes in the folder X:\mnt of your USB drive, name them vol1.tc and vol2.tc and assign them the password abc123. The file names and the password are hard coded in xmount.bat and have to be entered exactly (the password is case sensitive), or xmount.bat has to be changed accordingly. Choose the size of the encrypted volumes as you wish; this will be the size of the protected part of your USB drive. Bear in mind that the limit is 4 GB (actually 4095 MB, 1 MB short of 4 GB) due to the usual FAT32 formatting of flash drives, and that's why we've created two volumes, to be able to store up to 8 GB of protected data. Peek into xmount.bat and you will see how even more volumes can be added, or vol2.tc removed if that much space is not needed. An alternative way to store more than 4 GB of protected data in one piece would be to reformat the USB flash drive to the NTFS file system, but that has its own drawbacks and I have opted to create several smaller volumes instead.
Once installed, the system is completely portable and can be moved to another USB drive just by copying. Feel free to spread it around to help fight the malware!
That's it! Let's test it. Unplug your USB flash drive (don't forget to Safely Remove Hardware first).

Using the real stuff

Plug in your freshly protected USB flash drive. The standard Windows AutoPlay dialog should pop up. Notice the custom icon; that's the sign that AutoRun.inf-hijacking malware has not populated our stick.
Choose Open folder to view files using Windows Explorer from the dialog. Better yet, close the dialog and navigate the stick via Explorer's tree view. Remember this?
Enter the X:\mnt folder. The first file in it is 00mount.bat (it is named 00... so that it is first in the list); that's the main entry point of our protection. Starting it (Windows Vista and Windows 7 will ask for UAC confirmation) opens the main menu. Sorry, no mouse here; you'll have to reach for the keyboard. The menu options are:

Now choose W to mount the volumes in writable mode. Additional confirmation will be required. If everything goes well, an empty window will open for each protected volume we created. Add your files to it and close it.
Start 00mount.bat again and choose U to unmount the volumes. The window will flash blue to signal it.
Once prepared, the volumes are easily accessible for everyday use through automnt.bat in the root of the drive. Run it once and it will mount all the volumes in read-only mode (signaling it with a green window) and show their content, each in its own Explorer window. Run it again and the volumes will be unmounted (the window will flash blue). No folders, no keyboard, no messy menus; just a mouse click and go. A Mounted.txt file is created to indicate that some volumes are mounted.

In case you suspect that the host drive has become infected (there is no icon, some suspicious files appeared, some folders or files disappeared...), run the test.bat diagnostic tool. It can be used independently of write protection. As described before, it checks whether the AutoRun.inf file has changed and searches for hidden files or folders, the typical signs of malware activity. If anything suspicious is found, it is reported and the option offered to restore the drive to its original state. WARNING: restoring the drive will erase all the files in the root of the drive! The files in the folders are safe.
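To show the two checks test.bat is described as performing (AutoRun.inf compared against a backup copy, and hidden entries in the drive root), and to make the "icon-only versus self-launching AutoRun.inf" distinction from the infection mechanism section concrete, here is an added Python example. It is not the article's test.bat and not part of the accompanying archive; the AutoRun.inf parser, the GOOD_AUTORUN/HIJACKED_AUTORUN samples, the made-up payload.exe name and the temporary directory used as a stand-in for a drive root are all constructed for the demonstration.

```python
"""Added example (not the article's test.bat): check a drive root for
AutoRun.inf tampering and hidden entries. All sample data is constructed."""
import stat
import tempfile
from pathlib import Path

# Hidden/system bits of st_file_attributes (only populated on Windows; the
# stat module defines the constants on every platform).
_WIN_HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM

# AutoRun keys that name a program to run. An icon-only file has none.
EXECUTING_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """INI-style AutoRun.inf -> {section: {key: value}}, keys lower-cased.
    Hand-rolled so duplicate keys and keys containing backslashes
    (shell\\open\\command) are accepted instead of raising."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def executing_directives(text):
    """Sorted list of [AutoRun] keys that would launch something."""
    hits = []
    for key in parse_autorun(text).get("autorun", {}):
        if key in EXECUTING_KEYS or (
                key.startswith("shell\\") and key.endswith("\\command")):
            hits.append(key)
    return sorted(hits)


def autorun_matches_backup(active_text, backup_text):
    """Anything but an exact match counts as tampering, as in the article;
    only line endings are normalised so a CRLF/LF copy is not a false alarm."""
    def norm(t):
        return t.replace("\r\n", "\n").strip()
    return norm(active_text) == norm(backup_text)


def is_hidden(path):
    """Hidden or system attribute on Windows; dot-name on POSIX."""
    path = Path(path)
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & _WIN_HIDDEN) or path.name.startswith(".")


def scan_root(root, backup_text):
    """Check a drive root; returns a list of findings (empty means clean)."""
    root, findings = Path(root), []
    autorun = root / "AutoRun.inf"
    if not autorun.is_file():
        findings.append("AutoRun.inf missing: the custom icon will not show")
    else:
        active = autorun.read_text(errors="replace")
        if not autorun_matches_backup(active, backup_text):
            findings.append("AutoRun.inf differs from the backup copy")
        for key in executing_directives(active):
            findings.append(f"AutoRun.inf would launch a program via '{key}'")
    for entry in sorted(root.iterdir()):
        if entry.name.lower() != "autorun.inf" and is_hidden(entry):
            findings.append(f"hidden entry in root: {entry.name}")
    return findings


# The article's icon-only AutoRun.inf, and a constructed hijacked one that
# drops the icon and launches a made-up payload.exe instead.
GOOD_AUTORUN = "[AutoRun]\nicon=MyIcon.ico\n"
HIJACKED_AUTORUN = "[AutoRun]\nopen=payload.exe\nshell\\open\\command=payload.exe\n"


def build_sample_root(hijacked):
    """Temporary directory laid out like a drive root (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="usbroot_"))
    (root / "AutoRun.inf").write_text(HIJACKED_AUTORUN if hijacked else GOOD_AUTORUN)
    (root / "MyIcon.ico").write_bytes(b"")  # stand-in for the real icon
    (root / "Documents").mkdir()
    if hijacked:
        (root / ".dropper").write_bytes(b"")  # dot-name reads as hidden on POSIX
    return root


if __name__ == "__main__":
    for hijacked in (False, True):
        root = build_sample_root(hijacked)
        print(root, scan_root(root, GOOD_AUTORUN) or ["clean"])
```

Point scan_root at a real drive letter (for example `scan_root("H:\\", Path("backup/AutoRun.inf").read_text())`) to run the same checks the article performs by hand: a missing or altered icon file and hidden entries in the root are reported, and the decision to restore or wipe is left to the user rather than automated, which is the conservative choice since restoring erases everything in the root.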

Mac OS, Linux...

No need to protect against malware here, of course. But suppose you sometimes need to access your protected data on one of those systems; what then?
Well, you can always download and set up TrueCrypt to use it the usual way; it is a pretty small download. And for the cases when an internet connection is not available, you can always carry the TrueCrypt installation files for Mac and Linux as unprotected files on the USB drive; chances are that Windows viruses will leave them alone.

Conclusion

The practices introduced here have evolved out of pure necessity over a period of several years, so the concept has had its share of field testing. Let me take the opportunity to apologize for not publishing this earlier. It was about to be published when Windows 7 was introduced, with its own share of bugs and features. A major rewrite was needed to make it run as smoothly as under XP, with a little help from Hidden Start.
The whole thing is now simple to use, the protected part has proven to be totally protected, and self-healing works well for the usual severities of infection. There are some compromises for the sake of simplicity (the password is stored in clear text), but unless this strategy becomes widely accepted and malware becomes aware of it, we can sleep peacefully.
The speed penalty is of no concern for flash drives, as decrypting speed is greater than the raw reading speed of the majority of drives. Writing often turns out to be much faster, as Windows handles one large file much better than many smaller ones, and that is exactly how TrueCrypt functions.
The only significant drawback is the inability to mount the volumes on a computer without administrative privileges unless TrueCrypt is already present.

Disclaimer and Copyright

Copyright © 2011 Dusko Lolic.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation.
These instructions are given in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Use at your own risk!
The accompanying software is distributed under the terms of the GPL3 license.
