TrustedAutoRun: USB AutoRun based on security key.

Post your working scripts, libraries and tools for AHK v1.1 and older
Drugwash
Posts: 850
Joined: 29 May 2014, 21:07
Location: Ploieşti, Romania

Re: TrustedAutoRun: USB AutoRun based on security key.

10 Oct 2017, 09:13

The only autorun I trust is NO autorun. ;)
Part of my AHK work can be found here.
Drugwash
Posts: 850
Joined: 29 May 2014, 21:07
Location: Ploieşti, Romania

Re: TrustedAutoRun: USB AutoRun based on security key.

11 Oct 2017, 09:17

Now seriously, at some point in time someone tried hard to infiltrate my system by placing autorun virii on all my partitions. Fortunately I already had autorun completely disabled on all kinds of drives but still needed a check so I built myAV (see my repository), a rudimentary antivirus that notifies of autorun attempts and certain registry changes. DON'T run it on anything beyond XP, it will delete all extensionless files in all drives' root!!!

While fixing friends' computers I've occasionally had my flash drives infected, because hardware write-protected flash drives are (intentionally?) not imported in my country although they've existed for quite a while. I only have one such drive which unfortunately is too small to carry all necessary files (2GB).

I know there are some locking applications that sometimes come with the flash drives, I do have such drive but never tried to use that application, I simply don't trust software solutions over hardware solutions in such critical matter. No offense, Joe. ;)
elModo7
Posts: 217
Joined: 01 Sep 2017, 02:38
Location: Spain

Re: TrustedAutoRun: USB AutoRun based on security key.

11 Oct 2017, 10:37

Seems useful for showcasing some of my projects!
Yeah, and maybe for my job! I can have it open the VPN just as I plug in the drive, great!!!!!!!
BoBo
Posts: 6564
Joined: 13 May 2014, 17:15

Re: TrustedAutoRun: USB AutoRun based on security key.

11 Oct 2017, 11:52

Drugwash wrote:
Now seriously, at some point in time someone tried hard to infiltrate my system by placing autorun virii on all my partitions. Fortunately I already had autorun completely disabled on all kinds of drives but still needed a check so I built myAV (see my repository), a rudimentary antivirus that notifies of autorun attempts and certain registry changes. DON'T run it on anything beyond XP, it will delete all extensionless files in all drives' root!!!

While fixing friends' computers I've occasionally had my flash drives infected, because hardware write-protected flash drives are (intentionally?) not imported in my country although they've existed for quite a while. I only have one such drive which unfortunately is too small to carry all necessary files (2GB).

I know there are some locking applications that sometimes come with the flash drives, I do have such drive but never tried to use that application, I simply don't trust software solutions over hardware solutions in such critical matter. No offense, Joe. ;)
What about a (micro)SD(HC) card (eg used within digital cameras)?!
I use those (32GB) with an USB adaptor.
They aren't that expensive in Germany, like this one ...

https://www.amazon.de/SanDisk-SDSDQM-03 ... B003HIWHN0
tank
Posts: 3122
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX

Re: TrustedAutoRun: USB AutoRun based on security key.

11 Oct 2017, 13:47

I don't think I understand what this does and I don't have time to read code
Drugwash
Posts: 850
Joined: 29 May 2014, 21:07
Location: Ploieşti, Romania

Re: TrustedAutoRun: USB AutoRun based on security key.

11 Oct 2017, 16:25

BoBo wrote:
What about a (micro)SD(HC) card (eg used within digital cameras)?!
I use those (32GB) with an USB adaptor.
They aren't that expensive in Germany, like this one ...

https://www.amazon.de/SanDisk-SDSDQM-03 ... B003HIWHN0
Cards don't have a true write-protection switch, as far as I understand from different comments across the web. It's more of a 'guideline' which malicious software could easily bypass. If anyone knows otherwise please feel free to correct me.
tank wrote:
I don't think I understand what this does and I don't have time to read code
After a very quick look I think it builds and stores a SHA1/SHA256 checksum of the autorun.inf files present on selected flash drives and upon (re)insertion it checks for a valid checksum match before allowing it to autorun. Someone correct me if I'm wrong, didn't analyze the code in depth either.
joedf
Posts: 8951
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: TrustedAutoRun: USB AutoRun based on security key.

11 Oct 2017, 19:45

@Drugwash Oh none taken! A very valid point, hardware solutions are always the way to go when possible.
On a side note, some SD cards have a physical read-only switch on the chip.

@tank sorry, I haven't taken the time to really describe it better. Been a little busy to sit down for a "good" English descrip. haha ;)
It's pretty much what drugwash said. With this, you can disable autorun, but have this run in the background (or startup). When a signed (only) USB is plugged in, the autorun is executed. If it's not signed or is "untrusted", it will notify you. Essentially, it's a more "customary" version of autorun.
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]
Drugwash
Posts: 850
Joined: 29 May 2014, 21:07
Location: Ploieşti, Romania

Re: TrustedAutoRun: USB AutoRun based on security key.

12 Oct 2017, 03:23

Dunno if it's already implemented but this just came to mind: do not launch autorun if the executable referred to in the inf resides in a dodgy location such as Recycle Bin.

Most if not all autorun virii I've seen hid their executable in a subfolder of a Recycle Bin folder they create on the flash drive (if not already present). I'm not even sure such folder should exist on a flash/removable drive. Personally I have Recycle Bin completely disabled on all systems and I always delete files/folders through Total Commander which is set to delete directly. So in case the Recycle Bin shouldn't even exist on a removable drive the script may wanna notify the user of its presence even though there is no autorun.inf or the referred executable does not reside in there.
joedf
Posts: 8951
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: TrustedAutoRun: USB AutoRun based on security key.

12 Oct 2017, 13:54

But that's only if the USB is set as trusted. I'm not sure how this comes into play. Do you mean if they are trying to set such a drive as trusted, then notify them of this "dodgy" situation?
elModo7
Posts: 217
Joined: 01 Sep 2017, 02:38
Location: Spain

Re: TrustedAutoRun: USB AutoRun based on security key.

13 Oct 2017, 05:58

#1 You can use shift+del to permanently delete files without the hassle of wiping out recycle bin.
#2 If you set one of your USBs as "Trusted" it's because you do know what it's launching with the present autorun.inf.
But yeah, some 3rd party sw could rewrite that autorun.inf (even if read only) and set it up for virus spread (quite uncommon nowadays but possible).

In the end it comes down to how much you trust your USB and autorun.inf integrity.
Drugwash
Posts: 850
Joined: 29 May 2014, 21:07
Location: Ploieşti, Romania

Re: TrustedAutoRun: USB AutoRun based on security key.

13 Oct 2017, 14:09

joedf wrote:
But that's only if the USB is set as trusted. I'm not sure how this comes into play. Do you mean if they are trying to set such a drive as trusted, then notify them of this "dodgy" situation?
Yes, there may be a niche situation where the user - or someone nearby playing with the computer (such as a cat walking on keyboard - my Lily does that lately) - inadvertently validates a dangerous inf. Or there could be an old (or new, incomplete) attempt at inserting a virus where the executable has already been placed in a Recycle Bin folder on the drive.
joedf
Posts: 8951
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: TrustedAutoRun: USB AutoRun based on security key.

13 Oct 2017, 21:25

elModo7 expressed #2, which is what I had in mind...
I guess... I mean, for some virus to exploit to mess with a "trusted" usb, you would have to plug in an infected pc. I have not seen any effort for autorun exploits for years, especially because of the widely shared view of how unsafe autorun is. Most antivirus have a runtime scan that blocks execution... a solution could be encrypting and hashing a usb's autorun.inf... and hash the open action exe, or whatever it is...?
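Added example, not part of the thread and not TrustedAutoRun's own code: the checks discussed in the posts above (hash autorun.inf and the executable it opens, refuse a target inside a Recycle Bin folder, report such a folder even without autorun.inf), written in Python. The function names, the `trusted` record layout and the sample autorun.inf are assumptions made for illustration.

```python
import hashlib, os

# Recycle Bin folder names used by Windows on FAT, NTFS (XP era) and Vista+.
RECYCLE_DIRS = {"recycled", "recycler", "$recycle.bin"}
# Constructed sample of an autorun.inf whose target sits in a Recycle Bin folder.
SAMPLE_INF = "[AutoRun]\nopen=RECYCLER\\S-1-5-21\\setup.exe\n"

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def autorun_target(inf_text):
    """Path named by open= or shellexecute= in the [autorun] section, or None."""
    in_section = False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in ("open", "shellexecute") and value:
                # Simplification: quoted path, else first token (drops arguments).
                return value[1:].split('"')[0] if value[0] == '"' else value.split()[0]
    return None

def fingerprint(root):
    """(sha256 of autorun.inf, target path parts, sha256 of target); None where absent."""
    names = {n.lower(): n for n in os.listdir(root)}
    if "autorun.inf" not in names:
        return None, [], None
    inf = os.path.join(root, names["autorun.inf"])
    with open(inf, encoding="latin-1") as f:
        target = autorun_target(f.read())
    parts = [p for p in (target or "").replace("\\", "/").split("/") if p]
    exe = os.path.join(root, *parts) if parts else None
    exe_hash = sha256_file(exe) if exe and os.path.isfile(exe) else None
    return sha256_file(inf), parts, exe_hash

def check_drive(root, trusted):
    """trusted: {'inf': hex, 'exe': hex} recorded when this PC first accepted the drive."""
    inf_hash, parts, exe_hash = fingerprint(root)
    # Report any Recycle Bin folder in the drive root, with or without autorun.inf.
    warnings = [n for n in os.listdir(root) if n.lower() in RECYCLE_DIRS]
    if inf_hash is None:
        return "no-autorun", warnings
    if any(p.lower() in RECYCLE_DIRS for p in parts):
        return "blocked", warnings      # target hides in a Recycle Bin folder
    if exe_hash is None or (inf_hash, exe_hash) != (trusted.get("inf"), trusted.get("exe")):
        return "untrusted", warnings    # target missing, or changed since enrolment
    return "trusted", warnings
```

Enrolment is the first two values returned by `fingerprint()` hashes stored on the PC, not on the drive, so rewriting autorun.inf or swapping the executable on the stick changes the verdict to "untrusted".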
Drugwash
Posts: 850
Joined: 29 May 2014, 21:07
Location: Ploieşti, Romania

Re: TrustedAutoRun: USB AutoRun based on security key.

14 Oct 2017, 02:37

Not everybody uses AV solutions (I don't, except for my own mentioned above). Autorun virii are still on the loose, at least around here, albeit quite rare. I still have someone's laptop to fix, infected with some version of PE_SALITY, which immediately infected one of my flash drives. Needless to say I had to redownload many of the executables that were on that drive when a scan with TrendMicro's Sysclean revealed them as infected. Luckily myAV took care of the autorun files but if it wasn't running or was paused I would've recognized the infection due to the Recycle Bin folder. So having this script check and report the presence of that folder might be a good idea, even as an option.

Another idea that may be a bit of a stretch (or not): an option to upload the 'open' executable to Virus Total when the user isn't sure whether it's valid or not.

Now, about the script as is. I've just fired v0.6.1 up on XP-SP3 x86, detected the camera connected as storage, started the wizard and…
[Attachment: 20171014100957.png, "Setup wizard"]
… I've no idea what to do with it. :? No notification that an executable is required, no option to copy an executable to the drive or move an existing one to a different location, no directions at all. :o But there is an 'Accept and Trust' button enabled - accept and trust… what, I wonder. :roll: Obviously I wanted to cancel the wizard but surprise: the 'Cancel' button doesn't do anything, wizard is still there, blocking any action in the main GUI; had to click the [x]. Then, the wizard window title is… 'Window'? :lol:
C'mon, Joe, you can do better than that! ;)

BTW, the ListView in the main GUI fails to refresh when the wizard window is moved away. May not be noticeable with certain themes.
Oh and it keeps buzzing the floppy, at start and when wizard or raw edit windows are closed. Could that be avoidable, please? There's some message(s) that can be hooked to be notified of insertion/eject of removable media, which would avoid the full redetection of drives. Unfortunately I don't have the testing script at hand, it's on the 98 machine which is still off.

Now you got your hands full! :D
joedf
Posts: 8951
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: TrustedAutoRun: USB AutoRun based on security key.

14 Oct 2017, 03:35

I already have something to go around the refresh issue; I removed it because it stopped happening on my computer... I'll put it back.
Also the wizard is not operational! It says so in the Readme. The whole thing is still a work in progress, still in "alpha" as it's not v1.0 yet :p Also, this isn't meant to replace what an AV does, and it's only meant to be for your own personal computers, because you would have to manually run and set up the app on the computers and the signatures are only saved on the original PC when the drive is being "trusted".
So maybe I shouldn't use the word "trusted", but rather a USB drive that this specific PC knows about. If that's clearer?
Drugwash
Posts: 850
Joined: 29 May 2014, 21:07
Location: Ploieşti, Romania

Re: TrustedAutoRun: USB AutoRun based on security key.

14 Oct 2017, 10:40

OK, in that case I'll go back to my first statement in the topic. :)
Good luck!
Helgef
Posts: 4709
Joined: 17 Jul 2016, 01:02

Re: TrustedAutoRun: USB AutoRun based on security key.

14 Oct 2017, 18:15

It looks good :thumbup: It found my camera :)
Thanks for sharing, cheers.
joedf
Posts: 8951
Joined: 29 Sep 2013, 17:08
Location: Canada

Re: TrustedAutoRun: USB AutoRun based on security key.

14 Oct 2017, 19:29

Yes, I would never trust anyone else's auto run. And using public computers is managed risk... :/
@Helgef thanks :)