Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: U3 TEchnology was RE: strange new virus

from [Thor (Hammer of God)] Network Security [Permanent Link]
Subject: Re: U3 TEchnology was RE: strange new virus
Date: Fri, 15 Dec 2006 09:10:14 -0800 
Right-- I should have stated that in my earlier message- the "autorun"
capabilities of u3 thumb drives function because the hardware is
specifically designed to provide that (and other) functionality.  The device
specifically presents itself as a media device that supports auto-run (like
a CD or DVD drive would) upon insertion.

A "standard" thumb drive would not invoke autorun unless you have software
on the system to do that (it's out there). Unfortunately, you can find many
references in posts and blogs around the net where people talk about putting
autorun on a thumb drive and rootkit'ing people's boxes at banks, insurance
agencies, etc, but it's bunk. I've even seen detailed explanations of how to
encrypt drive contents on "any old thumbdrive" and to use autorun to
immediately execute code, but they dance right over the fact that you have
to go out of your way to autorun a thumb drive.

The most important thing is the last point you made about least privilege.
Even if someone went out of HIS way (There, Shinder- That better??? ;) to
autorun a usb (or if it was u3) the user would still have to be an
administrator to do anything.

Again, in Vista, even with autorun supported media insertion, it asks if you
want to run autorun by default.  If you want to, (depending on what the
autorun does) UAC requires you to then enter the admin password to execute
code or such.  If you've turned off UAC, nothing would happen unless you
were an admin.  And in this day and age, no one should ever be running an
interactive session as admin, unless you're a Scot in Bermuda (inside joke
;)

t


On 12/15/06 5:40 AM, "Henry Troup" <HenryT@watchfire.com> spoketh to all:


Ah, the Bruce Schneier blog comments have the very valuable comment:

   The removable media device setting is a flag contained within the
SCSI Inquiry 
   Data response to the SCSI Inquiry command. Bit 7 of byte 1 (indexed
from 0) is 
   the Removable Media Bit (RMB). A RMB set to zero indicates that the
device is not 
   a removable media device. A RMB of one indicates that the device is a
removable 
   media device. Drivers obtain this information by using the
StorageDeviceProperty
   request.

So U3 is a different hardware spec, and U3 function can't be copied to
non-U3 media.  That's good.  But the remarks about custom USB hardware
there make me want to reach for the ol' glue gun! Of course, the real
problem is still failure to adhere to least privilege.

Thanks for the link, Bill.

Henry Troup
Watchfire Corporation
henryt@watchfire.com


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Bill Call
Subject: RE: strange new virus

I wouldn't be so sure about that.  Check out:

http://www.schneier.com/blog/archives/2006/06/hacking_compute.html

---------------------------------------------------------------------------
---------------------------------------------------------------------------







---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re[2]: strange new virus, Thierry Zoller
Next by Date:  Strange modifications to HD, nathan . fulton
Previous by Thread:  Is explorer.exe (XP) a high risk process, sergelessard76
Next by Thread:  RE: U3 TEchnology was RE: strange new virus, James D. Stallard
Indexes:  [Date] [Thread] [Top] [All Lists]