Protection own autorun.inf

[x-quisite]

Actually i have ask this question in several forum but no one can give me the answer..kind of frustrated for so long.. Look like this forum have a lot of expert in programming n hacking, so just try my luck here.

Here the case. I'm a student n have usb thumbdrive. so i always insert my usb to different pc in different lab. The virus inside all the PC really make me sick although it's simple. Coz i create my own autorun.inf (customize it for icon and etc), and when i insert it to the pc in the lab, the virus will change my autorun.inf.

The best way i think is to protect the autorun.inf file. i try usb flash disinfector and ggreat usb antibody, which will protect autorun.inf. Usb flash disinfector will protect by creating special folder for autorun.inf i believe they call it 'lp3' method. ggreat usb antibody will add special attribute (x) to the autorun.inf. i try both of them, and it successfully protect the autorun.inf.

But my problem is, i create my own autorun.inf (customize for icon and etc). Both of the program and i think all the program that protect autorun.inf will 'RESET' the autorun.inf to default before they protect it (for security purpose). I want my own autorun.inf (that i created) to be protected. Any idea? either by manual or program..

[Sparda]

If you format the partition using NTFS you can semi protect the files with permissions. However, malware could be written to circumvent this quite easily. If you are using FAT there is basically no way to protect files from been over written short of using a physical hardware 'read only' switch.

An alternative would be to keep a backup copy of the files then use a simple script to restore the backup befor you dismount the drive each time.

[x-quisite]

If you format the partition using NTFS you can semi protect the files with permissions. However, malware could be written to circumvent this quite easily. If you are using FAT there is basically no way to protect files from been over written short of using a physical hardware 'read only' switch.

An alternative would be to keep a backup copy of the files then use a simple script to restore the backup befor you dismount the drive each time.

thanx 4 the reply

yeah, my thumbdrive is ntfs and i know it won't help in any way..keep backup an restore? i think it's manual way..just asking for anybody know how all the software like ggreat,naevius, and so many others protect autorun.inf by creating special folder or special permission which can't be deleted easily..

[Sparda]

thanx 4 the reply

yeah, my thumbdrive is ntfs and i know it won't help in any way..keep backup an restore? i think it's manual way..just asking for anybody know how all the software like ggreat,naevius, and so many others protect autorun.inf by creating special folder or special permission which can't be deleted easily..

The thing about software is it has to be running in order to do any thing. The thing about malware that wants to infect your memory stick is that it is already running before you run any 'protection' software.

It's NTFS permissions or nothing basically. As previously indicated, there are alternatives such as making the drive physically read only and restoring the autorun contents before removal.

[agni]

I am not sure if this can help you,but this tool will definitely protect autorun.inf in FAT32

http://agnipulse.com/2009/06/disable-autor...f-in-usb-drive/

[x-quisite]

The thing about malware that wants to infect your memory stick is that it is already running before you run any 'protection' software.

don't u think u your statement above is not really accurate? coz what i mention, i can run the software before any malware infect the usb. The software only need to run 'once' to give special permission to the autorun. i try to remove the permission but it won't work easily.

As example, ggreat give permission 'x' to the autorun.inf. I believe ntfs just can give permission read only,archive,hidden and system only. it really protect the autorun.inf. u should try it first.

usb stick physically read only? how about if i want to write on the drive?

simple script to restore the backup? can u suggest me with your script?

[x-quisite]

I am not sure if this can help you,but this tool will definitely protect autorun.inf in FAT32

http://agnipulse.com/2009/06/disable-autor...f-in-usb-drive/

thanks..but does it look like any other software? where it will protect the default autorun.inf. Not the one that i modified

[Sparda]

don't u think u your statement above is not really accurate? coz what i mention, i can run the software before any malware infect the usb.

The malware on any given computer is already running and monitoring for memory sticks, so your software can't run before the malware is running, but which will take effect first is up for debate and may change from computer to computer.

The software only need to run 'once' to give special permission to the autorun. i try to remove the permission but it won't work easily.

As example, ggreat give permission 'x' to the autorun.inf. I believe ntfs just can give permission read only,archive,hidden and system only. it really protect the autorun.inf. u should try it first.

No, those (read only,archive,hidden and system) are file attributes that can be used on FAT and NTFS. File attributes are not mandatory for software to obey. NTFS permissions are mandatory and enforced by the operating system. They give you much more control based on various different permission levels and can be user or group based.

usb stick physically read only? how about if i want to write on the drive?

You would have to disconnect it and enable write, which would make it vulnerable to modifications.

simple script to restore the backup? can u suggest me with your script?

Copy your autorun backup to where it should be using some thing like:

xcopy /Y * ..

This does assume hat the malware only creates the autorun file when you first plug the memory stick in, if it continuously check this probably wont work too well.

[x-quisite]

i have tried setting ntfs permission on autorun.inf file. It protect the autorun.inf file but unfortunately it still doesn't achieve my objective. The "modified" autorun.inf still unusable. Means when it protect, it just look like a blank autorun.inf.

So in other word, i can't protect the 'modified' autorun.inf which consist icon and etc for my pendrive

[Charles]

What permissions did you change?

[x-quisite]

What permissions did you change?

cacls autorun.inf /c /d administrators

is it correct?

[Charles]

I do not know if that's correct. I thought you had just modified the permissions to remove the "write" permission.

[th3bigguy]

Why are you using autorun.inf...Of course you are going to get infected. Just don't use it. Why would you even want to use autorun.inf unless you were trying to hack the box yourself. I would suggest creating two partitions and then truecrypt the bigger partition and putting the truecrypt app on the other partition. This way the virus will not be able to access the crypted file system. Do not worry about permissions as most virus can bypass them.

[x-quisite]

Why are you using autorun.inf...Of course you are going to get infected. Just don't use it. Why would you even want to use autorun.inf unless you were trying to hack the box yourself. I would suggest creating two partitions and then truecrypt the bigger partition and putting the truecrypt app on the other partition. This way the virus will not be able to access the crypted file system. Do not worry about permissions as most virus can bypass them.

Actually i already mention above i use autorun.inf for icon, label n customize many things for my thumbdrive.

It's simple virus but can be quite annoying. As far as i concern, those virus can't bypass ninja flashdisk, flash disinfector and any other software that protecting autorun.inf. Regarding 'sparda', all those software just use ntfs permission to done that.

Back to the topic, my main concern here is to protect own modified autorun.inf regardless the method. And of course truecrypt isn't the one.

[Sparda]

For NTFS permissions to work as you describe you need to make sure that the Everyone group has full control of the entire drive then change the permissions on autorun.inf so that everyone only has read only. Similar to the screen shot below except all the usernames are wrong:

[digip]

If you set specific user permissions on a thumb drive or files in it and take it to another machine and the virus on that machine has admin level access, it wont matter who you set the permissions to, as an admin of an NTFS system can take ownership of any files in a NTFS volume.

Forget even a virus accessing it for a moment. All administrators (above home editions) can take ownership of any other users files, including NTFS encrypted files (im not talking about true crypt, just NTFS encryption). Normal Limited users, won't be able to even access the files or take ownership and Home Edition users wont even be able to load the files unless the everyone flag isnt set on them specificly, but if malware has compromised a system, chances are it has system or admin level access.

Removable media doesnt really have any protection in windows environments other than 3rd party encryption of the files or change to an alternate file system, such as EXT3 which windows isnt going to be able to be read without additional software or bootong into *nix like systems, which defeats the use of windows software. You'd be better off putting your files in a truecrypt volume than trying to use NTFS to protect a thumbdrive.

I would leave it fat just for the lack of security, so you know nothing malicious was able to hide something on the drive of an NTFS volume.

* Best practices:

- dont plug it into a system that isnt yours (duh!)

- if it must be used on someone elses machine and you wanted read only protection, burn it to cd/dvd media

[Sparda]

If you set specific user permissions on a thumb drive or files in it and take it to another machine and the virus on that machine has admin level access, it wont matter who you set the permissions to, as an admin of an NTFS system can take ownership of any files in a NTFS volume.

It is the only method that stand a chance that is software based.

[x-quisite]

For NTFS permissions to work as you describe you need to make sure that the Everyone group has full control of the entire drive then change the permissions on autorun.inf so that everyone only has read only. Similar to the screen shot below except all the usernames are wrong:

thanks. it works as mention. i tested it and most of the virus can't change the permission. It's better than i have to change autorun.inf everytime i insert the thumbdrive to laboratory comp

If you set specific user permissions on a thumb drive or files in it and take it to another machine and the virus on that machine has admin level access, it wont matter who you set the permissions to, as an admin of an NTFS system can take ownership of any files in a NTFS volume.

Forget even a virus accessing it for a moment. All administrators (above home editions) can take ownership of any other users files, including NTFS encrypted files (im not talking about true crypt, just NTFS encryption). Normal Limited users, won't be able to even access the files or take ownership and Home Edition users wont even be able to load the files unless the everyone flag isnt set on them specificly, but if malware has compromised a system, chances are it has system or admin level access.

Removable media doesnt really have any protection in windows environments other than 3rd party encryption of the files or change to an alternate file system, such as EXT3 which windows isnt going to be able to be read without additional software or bootong into *nix like systems, which defeats the use of windows software. You'd be better off putting your files in a truecrypt volume than trying to use NTFS to protect a thumbdrive.

I would leave it fat just for the lack of security, so you know nothing malicious was able to hide something on the drive of an NTFS volume.

* Best practices:

- dont plug it into a system that isnt yours (duh!)

- if it must be used on someone elses machine and you wanted read only protection, burn it to cd/dvd media

If u suggest "dont plug it into a system that isnt yours " than better said don't even buy the thumbdrive. i have to plug to PC that isn't me which must perform read and write function.

understand the situation. i need to plug to unknown PC everyday with read and write function. That can't be help. Also i don't like wasting my time to encrypt and decrypt everytime i plug to PC. But if u suggest to encrypt the autorun.inf only ONCE and u sure the modified autorun.inf can run although it's encrypted, then please provide me with more detail instructions

thank you

[digip]

thanks. it works as mention. i tested it and most of the virus can't change the permission. It's better than i have to change autorun.inf everytime i insert the thumbdrive to laboratory comp

If u suggest "dont plug it into a system that isnt yours " than better said don't even buy the thumbdrive. i have to plug to PC that isn't me which must perform read and write function.

understand the situation. i need to plug to unknown PC everyday with read and write function. That can't be help. Also i don't like wasting my time to encrypt and decrypt everytime i plug to PC. But if u suggest to encrypt the autorun.inf only ONCE and u sure the modified autorun.inf can run although it's encrypted, then please provide me with more detail instructions

thank you

My thing is, if its protection you want, use one write media, such as cd/dvd or even an sd card that has locking features on the side of them. Thumbdrives using NTFS permissions as protection can be bypassed.

[x-quisite]

1. I also would like to ask, is it possible to force autoplay on PC which autoplay has been disabled?

Is it ture, some PC disable autoplay using windows setting such as registry edit and there's another way which i don't really know the method. Just like nlite do when u tick to disabled autoplay. Although autoplay enable through windows setting or registry, but the autoplay will not run. do u know what kind of method they(nlite) use?

2. Another question, my friend's thumbdrive infected by virus. the effect of this virus will set permission to all the contain of the thumbdrive which disallowed any kind of modifying or deleting all the files in it.

But the problem is the thumbdrive is using FAT system. So there's no security tab on the properties. i also try using command prompt by using "cacls", "icacls", registry setting method and all kind of take ownership method but they are no use. Of course i can't format the thumbdrive and convert system file. I got formatter from the manufacturer website but when i try to format it said "device info block corrupted". Worst, i even try ubuntu to delete file on the thumbdrive but no use.