Protecting Removable Drives Against Malware

November 26th, 2009   •   6 Comments   

Removable drives are today one of the fastest media that malware uses for infection. Worms use them to replicate faster: once your removable drive comes into contact with an infected system, it is infected automatically by the malicious services running on that system. One of the first tasks these services perform is to create an AUTORUN information file on the removable drive for further propagation.

Once you open an infected removable drive on any PC, the AUTORUN file does its task. But how?

The AUTORUN file contains instructions that immediately execute an infected executable file, which the malicious services copied earlier to somewhere on the removable drive.

The code within AUTORUN information file looks something like this:

[AUTORUN]
OPEN=recycler/setup.exe

In the above script, recycler is a folder on the removable drive that contains the infected executable file (copied earlier by the malicious services), which the AUTORUN file now uses for propagation.

We can protect our removable drives against these worms by restricting changes to the Autorun.inf file.

Step1: Create four folders in the root directory of your removable drive, named Autorun.inf, Recycle, Recycler and Recycled.
Step2: Go to Start>Run and type cmd to open the Command Prompt.
Step3: Now type the commands below one by one:
attrib autorun.inf /s /d -a +s +r
cacls autorun.inf /c /d administrators
Step4: Repeat Step3 for Recycle, Recycler and Recycled.

In the above procedure, the attrib command sets the folder attributes, and cacls sets the folder's access control list to deny access to members of the administrators group.

Once you have completed this task successfully, you won’t be able to delete, rename, modify, copy or open these folders. This also prevents malicious services running on any system from modifying them or copying infected files onto the removable drive.
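A checker for the state this procedure aims for, as an added example that is not part of the original post: it reports whether a drive root has the Autorun.inf folder placeholder from Step1, no autorun file at all, or a real autorun.inf whose launch entries point into the Recycle/Recycler/Recycled folders or at an executable. The state names, the extension list and the handling of the shellexecute and shell\...\command keys (which go beyond the OPEN key shown above) are assumptions of this example.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")            # keys that start a program
DECOY_DIRS = {"recycle", "recycler", "recycled"}  # folder names from the article
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")  # assumed list
SAMPLE = "[AUTORUN]\nOPEN=recycler/setup.exe\n"   # the article's own example


def parse_autorun(text):
    """Return (key, target) pairs in the [autorun] section that launch something."""
    hits, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            key = key.lower()
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if value and (key in LAUNCH_KEYS or is_verb):
                hits.append((key, value))
    return hits


def is_risky(target):
    """True if the target sits in a decoy folder or names an executable file."""
    parts = target.replace("/", "\\").lstrip("\\").lower().split("\\")
    tokens = (t.strip('"') for t in target.lower().split())
    return parts[0] in DECOY_DIRS or any(t.endswith(EXEC_EXT) for t in tokens)


def audit_drive(root):
    """Return (state, flagged_entries) for the root directory of a mounted drive."""
    name = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if name is None:
        return "absent", []
    path = os.path.join(root, name)
    if os.path.isdir(path):
        return "hardened", []   # the folder placeholder from Step1 is in place
    with open(path, "r", errors="replace") as fh:
        flagged = [h for h in parse_autorun(fh.read()) if is_risky(h[1])]
    return ("suspicious" if flagged else "present"), flagged


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:   # constructed stand-in for a drive root
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE)
        print(audit_drive(root))
```

Run `audit_drive` against the drive's root path before opening the drive in a file manager; a "suspicious" result lists the entries to inspect.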


6 Responses

  1. Goben says:

    Hi, it's good,

    Here got something interesting about Ankit, you guys from India should put some comment over this article.

    Check out this Link

    http://economictimes.indiatimes.com/features/the-sunday-et/backpage/Hackings-ethical-side/articleshow/5231471.cms

    I guess this is one of the biggest hoaxes I have ever come across. Ankit coining the word “ethical hacker” :) LOL. I was under the impression that the term “ethical hacker” was coined by IBM many years ago before Ankit Fadia started writing technical stuff. I am not sure why he is so famous? Most of the stuff he writes is freely available in the wild.

  2. bz says:

    Why not write a script and run it from a batch file?
    Something like this (I have not tested, some additional options may be required):
    Save as protect.bat
    Invoke as ‘protect x:’ where x: is the mountpoint of the thumb drive.
    ————
    rem create folders Autorun.inf, Recycle, Recycler and Recycled on your thumb
    rem drive and protect them from changes.
    %1
    cd \
    md autorun.inf
    md Recycle
    md Recycler
    md Recycled
    attrib autorun.inf /s /d -a +s +r
    cacls autorun.inf /c /d administrators
    attrib Recycle /s /d -a +s +r
    cacls Recycle /c /d administrators
    attrib Recycler /s /d -a +s +r
    cacls Recycler /c /d administrators
    attrib Recycled /s /d -a +s +r
    cacls Recycled /c /d administrators

  3. Most of what I read online is trash and copy-paste, but I think you offer something different. Keep it like this.

  4. Adam Lipke says:

    You made a few good points there. I did a search on the issue and found mainly people will agree with your blog.

  5. This is certainly great. I absolutely concur with everything you explained here. This is extremely important, we need more folks to understand this and get going on it.
