As you know, the most common use of USB drives (pen drives) is to carry and store personal files such as documents, pictures, videos and other data. But if you attach your USB drive to an infected computer, malware can copy itself to the drive in no time. Depending on what it does, it may corrupt or delete the files on the drive, which you may never recover, and the infected drive will in turn infect every other computer it is plugged into.
This is one of the ways malware spreads. AutoRun commands are stored in a file named Autorun.inf in the root of the drive. They tell Windows to start an application, launch an installer, or run some other routine, and malware uses them to run an executable hidden on the USB drive: when you insert the drive, or double-click it in My Computer, Windows reads Autorun.inf and executes the malware immediately. Note that Windows 7 and later (and Windows XP/Vista with update KB971029 installed) no longer honour Autorun.inf on removable USB media, only on CD/DVD; the steps below still matter on older or unpatched systems, and the checks for hidden files apply everywhere. Several malware families use this technique.
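To see what an Autorun.inf actually does, here is a small inspector, added as an example and not part of the original post. It parses the [autorun] section and reports every directive that can launch code or change what a double-click does (open, shellexecute, shell\<verb>\command, shell=, action) and an icon= line that mimics a stock drive icon. The sample content is constructed for this example; the drive letter E: in the usage comment is an assumption.

```powershell
# Added example: report the Autorun.inf directives malware relies on.
function Get-AutorunDirectives {
    param([string[]]$Lines)

    # Keys that start a program or redefine the drive's default action.
    $launchKeys = @('open', 'shellexecute', 'shell', 'action', 'useautoplay')
    $section  = ''
    $findings = @()

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }          # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }                            # only [autorun] is honoured
        if ($line -notmatch '^([^=]+)=(.*)$') { continue }
        $key   = $Matches[1].Trim().ToLower()
        $value = $Matches[2].Trim()

        # shell\<verb>\command=... defines a verb; shell=<verb> makes it the default
        # action, so even "Explore" can be redirected. Match on the first path element.
        $base = ($key -split '\\')[0]
        if ($launchKeys -contains $base) {
            $findings += [pscustomobject]@{ Key = $key; Value = $value; Reason = 'launches or redirects execution' }
        }
        elseif ($key -eq 'icon' -and $value -match '(?i)shell32\.dll,\s*-?\d+') {
            $findings += [pscustomobject]@{ Key = $key; Value = $value; Reason = 'mimics a stock drive/folder icon' }
        }
    }
    return $findings
}

# Constructed sample in the shape used by typical AutoRun worms (not a real infection).
$sampleText = @'
[autorun]
open=RECYCLER\updater.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shellexecute=RECYCLER\updater.exe
shell\Open\Command=RECYCLER\updater.exe
shell\Explore\Command=RECYCLER\updater.exe
shell=Open
'@
$sample = $sampleText -split "`r?`n"

Get-AutorunDirectives -Lines $sample | Format-Table -AutoSize

# To inspect a real drive (assumed drive letter E:):
# if (Test-Path E:\autorun.inf) { Get-AutorunDirectives -Lines (Get-Content E:\autorun.inf) }
```

Note the shell\Explore\Command line in the sample: an Autorun.inf can redefine the Explore verb as well as Open, which is why simply choosing Explore from the context menu is not a complete protection on its own.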
For example:
- Trojan.Win32.AutoIt
- Trojan.Win32.Autorun
- Worm.Win32.AutoIt
Instead of relying entirely on anti-virus software to detect infected USB drives, we can protect them in the following ways:
1. Disable Autorun
2. Avoid Double Clicks
3. Using Autorun.inf
Disable Autorun
My best advice is to disable the AutoRun facility provided by the operating system. This can be done in two ways:
1. Group Policy settings
2. Registry Changes
Group Policy settings
1. Click Start --> Run, or press "Windows Key" + R, type Gpedit.msc and then press ENTER.
2. Under "Computer Configuration", expand "Administrative Templates" and then click "System". (On Windows 7 and later the setting lives under "Administrative Templates" --> "Windows Components" --> "AutoPlay Policies".)
3. In the details pane, double-click "Turn off Autoplay".
4. Click Enabled, and then select "All drives" in the "Turn off Autoplay on" box to disable AutoRun on every drive type.
5. Restart the computer.
Registry Changes
1. Click Start --> Run, or press "Windows Key" + R, type Regedit and then press ENTER.
2. Locate and then click the following key in the registry (create the NoDriveTypeAutoRun value as a DWORD if it does not exist):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
3. Right-click NoDriveTypeAutoRun, and then click Modify.
4. With Hexadecimal selected as the base, type FF in the Value data box to disable AutoRun for all drive types. (The value is a bit mask of drive types; 0x04 alone would cover only removable drives.)
5. Click OK, and then exit Registry Editor. The same value under HKEY_LOCAL_MACHINE applies to every user of the machine and is what the Group Policy setting above writes.
6. Restart the computer.
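The Group Policy and Registry steps above both end up writing NoDriveTypeAutoRun, so here is one script, added as an example and not part of the original post, that sets it for the current user and for the machine and reads it back. It assumes it is run from an elevated PowerShell (the HKLM key needs administrator rights); a restart or log-off is still needed for Explorer to pick up the change.

```powershell
# Added example: set NoDriveTypeAutoRun = 0xFF (AutoRun off for every drive type)
# under both the per-user and the machine-wide Explorer policy keys, then verify.

$paths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # needs elevation
)

# Bit mask of drive types for which AutoRun is disabled:
#   0x04 removable (USB)  0x08 fixed  0x10 network  0x20 CD/DVD  0x40 RAM disk
#   0x01 / 0x02 / 0x80 unknown, no-root-dir and reserved types.
# 0xFF sets every bit, which is what "All drives" in Group Policy does.
$allDrives = 0xFF

foreach ($path in $paths) {
    # The Policies\Explorer key often does not exist until a policy is set.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
                     -Value $allDrives -Force | Out-Null          # -Force overwrites an existing value
}

# Verify: both hives must read back 0xFF (255).
foreach ($path in $paths) {
    $v = (Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
    '{0,-70} NoDriveTypeAutoRun = 0x{1:X2}' -f $path, $v
}
```

On a domain-joined machine the HKLM value is owned by Group Policy: if a GPO sets "Turn off Autoplay" the policy engine will rewrite it at the next refresh, so set it there rather than by hand.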
Avoid Double Clicks
1. Avoid using "Double Click" to open a USB drive, because double-clicking runs the default action defined in Autorun.inf.
2. To open the USB drive, right-click on it and select Explore instead. Note that Autorun.inf can also redefine the Explore verb, so this is not a reliable protection on its own; typing the drive letter (for example E:\) into the address bar avoids both actions.
Using Autorun.inf
As we know, Windows cannot have a file and a folder with the same name in the same directory, so creating a folder (or file) named "autorun.inf" in the root of the USB drive stops malware from dropping its own autorun.inf there, which is what it needs to execute.
Some malware simply deletes the placeholder folder or file and writes its own autorun.inf. To make that harder, set the hidden, system and read-only attributes on the placeholder:
1. Click Start --> Run, or press "Windows Key" + R, type Cmd and then press ENTER.
2. Type attrib +h +s +r [Drive Letter]:\autorun.inf
Keep in mind that this is only a speed bump: anything running with your user rights can clear those attributes again (attrib -h -s -r) and remove the folder, so combine it with disabling AutoRun rather than relying on it alone.
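The same placeholder, created and verified from PowerShell, as an added example that is not part of the original post. It refuses to touch the drive when an autorun.inf file is already present, since that is a sign the drive may already be infected and should be inspected first. The drive letter E: is an assumption.

```powershell
# Added example: create a hidden+system+read-only autorun.inf folder on a USB drive.
function Protect-UsbDrive {
    param([Parameter(Mandatory)][string]$DriveLetter)

    $root   = '{0}:\' -f $DriveLetter.TrimEnd(':', '\')
    $target = Join-Path $root 'autorun.inf'

    # An existing autorun.inf FILE is exactly what malware drops: do not overwrite it blindly.
    if (Test-Path -LiteralPath $target -PathType Leaf) {
        Write-Warning "$target already exists as a file; inspect it before replacing it."
        return $false
    }
    if (-not (Test-Path -LiteralPath $target -PathType Container)) {
        New-Item -Path $target -ItemType Directory | Out-Null
    }

    # Equivalent of: attrib +h +s +r E:\autorun.inf
    $item = Get-Item -LiteralPath $target -Force          # -Force so a hidden folder is still found
    $item.Attributes = [IO.FileAttributes]::Directory -bor
                       [IO.FileAttributes]::Hidden    -bor
                       [IO.FileAttributes]::System    -bor
                       [IO.FileAttributes]::ReadOnly

    # Verify the attributes were actually applied (FAT32 and NTFS both support them).
    $wanted = [IO.FileAttributes]'Hidden, System, ReadOnly'
    $actual = (Get-Item -LiteralPath $target -Force).Attributes
    return (($actual -band $wanted) -eq $wanted)
}

Protect-UsbDrive -DriveLetter 'E'    # returns $true when the placeholder is in place
```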
Malware on a USB drive usually sets the system and hidden attributes on its files, so they are invisible with the default Windows settings. One should always keep an eye out for suspicious files hidden as system files. To see them, the following settings must be changed:
Unhide extensions for known file types
Some malware uses names such as Clip.avi.exe, which Explorer displays as Clip.avi when the "Hide extensions for known file types" option is enabled (the default), so the executable looks like a video. The following shows how to disable "Hide extensions for known file types":
1. Open My Computer or any folder.
2. Click the Tools menu --> Folder Options.
3. Click the View tab.
4. Uncheck "Hide extensions for known file types".
Unhide Hidden Files & System Files
Some malware hides itself with the Hidden or System attribute, so it is not visible in the default settings, where the "Do not show hidden files and folders" option and the "Hide protected operating system files" option are enabled. The following shows how to disable these options:
1. Open My Computer or any folder.
2. Click the Tools menu --> Folder Options.
3. Click the View tab.
4. Select "Show hidden files and folders".
5. Uncheck "Hide protected operating system files".
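Both Folder Options changes above map to registry values under the Explorer "Advanced" key, and the two signs described (a double extension and the hidden+system attribute pair) can be checked for directly. The script below, added as an example and not part of the original post, applies the settings and then scans a drive for such files. The drive letter E: is an assumption; the list of executable extensions is this example's own choice.

```powershell
# Added example: apply the view settings from the registry side, then scan a drive.

$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name 'HideFileExt'     -Value 0 -Type DWord  # uncheck "Hide extensions for known file types"
Set-ItemProperty -Path $adv -Name 'Hidden'          -Value 1 -Type DWord  # "Show hidden files and folders"
Set-ItemProperty -Path $adv -Name 'ShowSuperHidden' -Value 1 -Type DWord  # uncheck "Hide protected operating system files"
# Explorer reads these when it starts: restart explorer.exe or log off to see the change.

function Find-SuspiciousFiles {
    param([Parameter(Mandatory)][string]$Root)

    # Final extensions that run code when double-clicked (example's own list).
    $execExt = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.lnk')
    $hs = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

    # -Force is essential: without it Get-ChildItem skips hidden and system files,
    # which is exactly the blind spot the malware relies on.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $reasons = @()
            # Clip.avi.exe: more than one dot and an executable final extension
            if (($_.Name -split '\.').Count -gt 2 -and $execExt -contains $_.Extension.ToLower()) {
                $reasons += 'double extension'
            }
            if (($_.Attributes -band $hs) -eq $hs) {
                $reasons += 'hidden+system'
            }
            if ($reasons) {
                [pscustomobject]@{ Path = $_.FullName; Size = $_.Length; Reason = ($reasons -join ', ') }
            }
        }
}

Find-SuspiciousFiles -Root 'E:\' | Format-Table -AutoSize
```

One caveat: Explorer never shows the .lnk extension even with "Hide extensions for known file types" unchecked, so a shortcut named Clip.avi.lnk still appears as Clip.avi; the scan above catches it because it looks at the real file name.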



Wow man, thanks, that really helped me. Great blog.
Great work Shiv! I recommend this blog to my friends...
Awesome