I stumbled on the Panda USB and AutoRun Vaccine on the Panda Research blog and it piqued my interest because autorun-based malware is very widespread these days and also because I’ve written extensively about the topic.
Another reason is that I don’t like black boxes and it is my opinion that all knowledge should be disseminated in the open :-).
So how does the “vaccination” work? (As a side note: in the “olden days” – meaning DOS – the idea of “vaccination” was quite common and was based on the idea of emulating the checks which different viruses used to detect if they had already infected the system. This quickly became unmanageable, since not all viruses checked for previous infections and some used the same vector but wanted different results. This program, however, has nothing to do with this method of vaccination.)
There are actually two components to it:
- The “immunization” of the computer: this is done by the IniFileMapping feature I also discussed.
- The “vaccination” of the USB drives: this is done by creating a folder named “autorun.inf” on the drive. Since folders and files are the same on most file systems, you can’t create a file and a directory with the same name. There is also some additional magic involved: the tool creates a file named lpt1 in the folder named autorun.inf (so you have the structure U:\autorun.inf\lpt1) in which it writes “caacaacaacaacaa” (don’t ask me why, I have no idea – it seems to be a gene sequence).
This makes the folder undeletable by conventional tools. The reason is the interaction with compatibility (in DOS, LPT1 referred to the printer port, so for compatibility reasons Windows tries to open the printer port whenever you ask for LPT1). For a more detailed description and workarounds which can be used, see the section “Cause 5: The file name includes a reserved name in the Win32 name space” in KB320081 from Microsoft.
A couple of errors in the announcement:
- The announcement claims "USB drives that have been vaccinated cannot be reversed except with a format". This is not actually true; in fact, the "vaccination" can be undone as described in the Microsoft KB.
- "Panda USB Vaccine currently only works on FAT & FAT32 USB drives" – while this is true, the reason for it is that the program explicitly checks for the given filesystems (possibly because the authors thought that the method works because of quirks in the FAT filesystem, but in fact it works because of the compatibility layer in the Win32 API, independent of the underlying FS). Also, on the NTFS filesystem other tricks can be played to create “undeletable” files / folders (like removing all the permissions for the given item, playing with the fact that NTFS is case sensitive – even though case insensitivity is emulated by the Win32 API, etc.), but none of them is irreversible as the blog post claims. A possibly irreversible (or more accurately: very hard to reverse) change would be to open the disk directly, muck around in the allocation tables / MFT and selectively corrupt them, but this would be very risky.
So there you have it. Nothing too magical, and some errors/misunderstandings in the original post. Also, it is quite possible that future malware will look for the “immunization” on USB drives and reverse it.
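To make the reserved-name mechanism concrete, here is an added Python example (not part of the original post and not Panda's code) that audits a drive root: it reports whether autorun.inf is absent, a plain file, or a folder pinned by a reserved device name, and builds the `\\?\` extended path that skips the Win32 name check. The function names, the classic reserved-name list and the sample layout are constructed for illustration; the drive letter U: is the one used above.

```python
import os
import tempfile

# Classic DOS device names reserved by the Win32 layer on any file system.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}

def is_reserved(name):
    """True if Win32 path parsing treats this component as a device.
    Trailing dots/spaces and any extension are ignored (LPT1.txt == LPT1)."""
    base = name.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED

def extended_path(drive, *parts):
    r"""Build a \\?\ path, which bypasses Win32 name normalization."""
    return "\\\\?\\" + "\\".join((drive.rstrip("\\"),) + parts)

def inspect_root(root, drive="U:"):
    """Classify autorun.inf under `root` and list entries that pin it."""
    target = None
    for entry in os.listdir(root):      # match case-insensitively, as FAT does
        if entry.lower() == "autorun.inf":
            target = entry
    if target is None:
        return {"state": "absent", "blockers": []}
    full = os.path.join(root, target)
    if not os.path.isdir(full):
        return {"state": "file", "blockers": []}   # autorun is possible
    blockers = [extended_path(drive, target, n)
                for n in sorted(os.listdir(full)) if is_reserved(n)]
    state = "vaccinated" if blockers else "folder"
    return {"state": state, "blockers": blockers}

def demo():
    # Constructed layout; build it on a non-Windows host, where "lpt1"
    # is an ordinary file name and can be created normally.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "autorun.inf"))
        with open(os.path.join(root, "autorun.inf", "lpt1"), "w") as f:
            f.write("caacaacaacaacaa")
        return inspect_root(root)

if __name__ == "__main__":
    print(demo())
```

A "folder" result without blockers means the autorun.inf directory can be removed with ordinary tools, so it offers less protection than the full layout.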
Picture taken from Clearly Ambiguous’ photostream with permission.