As they say, necessity is the mother of invention, and here we are, in a world of viruses, where detection of a virus is of prime importance. Some AVs use API calls to track down an infection (also known as heuristic scanning), some rely on signatures, and some rely on both.
Today I will be writing about the most favored method deployed by malware to propagate and make its presence felt in the digital world. There are many ways of entering a system, including via web-sites in the form of a drive-by download, or by enticing or scaring a user into downloading and executing a malicious file on their system. However, with the ever-changing scenarios, malware prefers to stick to the basics.
Presently many organizations / countries prefer to walk away from the regular internet and either create a private network, deploy stringent firewall rules, WAFs and IPS/IDS, or plan to cut themselves off completely (Iran?).
In such scenarios, web-based threats are taken care of. Why, one may ask? The logic is simple: if there is no internet, then there are no web-based threats and no drive-by downloads. In this case, are we really secure? The only other infection method which can be relied upon is propagation via USB disks/sticks/pen-drives, as many of us prefer to call them.
Pen-drives are small, hence easy to carry anywhere; they come in various shapes and sizes, and in case a pen-drive carries malicious content, that content can be detected only when an AV is present on the computer system.
Presently, all the antiviruses provide a nifty feature of disabling autorun.inf, which works by tweaking a few registry keys. This feature will not allow any autorun.inf file to execute. This works IFF an AV is installed and this feature is enabled. This effectively means that the USB pen-drive is still vulnerable to USB-based infections, especially on those systems which do not have an AV installed.
So, presently, the goal of most AVs is to stop the infected USB dead in its tracks. However, is this really what we want? How about ensuring that the USB never gets infected? Even if you attach the USB stick to an infected system, the malware is unable to infect the stick: is this possible? Well, the answer is YES.
There are two aspects to the problem: USBs getting infected, and the heuristic ability of an antivirus.
The infection on a USB stick will be rendered useless when an antivirus disables autorun.inf. However, the same USB stick is still a lethal weapon for other systems not protected by an AV.
Secondly, when the user has left execution of autorun.inf enabled, the heuristic scanning ability of the AV comes into the picture, especially when signatures are not available.
We at eScan gave these issues a brief thought and came up with these solutions.
Solution 1: Disable autorun.inf
I had better not write about this; it is one of the most commonly discussed topics and a DIY task. Here is the link which will allow you to disable “autorun.inf”:
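As an added illustration of the registry tweak mentioned above (this is not the post's own script nor eScan's implementation), the following PowerShell applies the documented Explorer policy values that stop Windows from honoring autorun.inf on every drive type, and then verifies that they took effect. The function names are my own; the key path and value names (NoDriveTypeAutoRun, NoAutorun) are the standard Windows policy values.

```powershell
# Added example: disable AutoRun handling of autorun.inf for all drive types
# through the machine-wide Explorer policy key, then verify the result.
# Run from an elevated PowerShell prompt (HKLM requires administrator rights).

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutoRun {
    # Create the Policies\Explorer key if it does not exist yet
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables AutoRun on all of them
    New-ItemProperty -Path $PolicyPath -Name 'NoDriveTypeAutoRun' `
        -PropertyType DWord -Value 0xFF -Force | Out-Null
    # NoAutorun = 1 tells Explorer not to execute any autorun.inf command at all
    New-ItemProperty -Path $PolicyPath -Name 'NoAutorun' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-AutoRunDisabled {
    # Returns $true only when both values are present with the hardened settings;
    # a missing value reads as $null and therefore fails the comparison.
    if (-not (Test-Path $PolicyPath)) { return $false }
    $props = Get-ItemProperty -Path $PolicyPath
    return ($props.NoDriveTypeAutoRun -eq 0xFF) -and ($props.NoAutorun -eq 1)
}

Disable-AutoRun
if (Test-AutoRunDisabled) {
    Write-Host 'AutoRun is disabled for all drive types (HKLM policy).'
} else {
    Write-Warning 'Policy values were not applied; check that the prompt is elevated.'
}
```

The same values can also be set under HKCU for a single user, but the HKLM policy wins and is what an administrator should audit. Older Windows XP/2003 systems only honor NoDriveTypeAutoRun correctly after the Microsoft AutoRun update (KB967715) is installed, so the check above is worth running on such machines rather than assuming the value alone is enough.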
Solution 2: USB Vaccination
A few months ago, we were working on USB Vaccination, which modifies the USB stick to ensure that no application (malicious or benign) and no user can create or modify autorun.inf on a USB stick which has been vaccinated. Hence, on an infected system, a vaccinated USB stick will not get infected; it does not matter whether an antivirus is installed on the infected system or not.
This feature will be made available in the upcoming version of eScan.
Personally, I am not a huge fan of autorun.inf.
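The post does not say how eScan's vaccination works, so the script below is an added example of one widely described way to achieve the same goal, not eScan's code: the name autorun.inf on the stick is occupied by a directory (a file and a directory cannot share a name, so a dropper's attempt to create the file fails), that directory is given a sub-directory with a reserved device name that normal Win32 path parsing rejects, and the placeholder is marked hidden/system/read-only. The function and parameter names are my own; the drive letter is a placeholder you supply.

```powershell
# Added example: vaccinate a removable drive against autorun.inf creation.
# Assumes the drive is already mounted, e.g. as E:, and that you have write
# access to its root. Works on FAT32 sticks, where NTFS ACLs are not available.

function Protect-UsbAutorun {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'E:'

    $target = Join-Path $DriveLetter 'autorun.inf'

    # Refuse to touch a drive that already carries an autorun.inf *file*: it may
    # be a live infection that should be examined and cleaned, not overwritten.
    if (Test-Path -LiteralPath $target -PathType Leaf) {
        throw "$target is a file; inspect the drive before vaccinating it."
    }

    # A directory named autorun.inf blocks CreateFile("autorun.inf") for any process
    # using ordinary paths, because a file cannot coexist with a same-named folder.
    if (-not (Test-Path -LiteralPath $target -PathType Container)) {
        New-Item -ItemType Directory -Path $target | Out-Null
    }

    # Add a sub-directory with the reserved name "con" through the \\.\ device
    # namespace; Win32 path parsing rejects that name, so the tree cannot be
    # removed with the usual RemoveDirectory/DeleteFile calls.
    $reserved = "\\.\$DriveLetter\autorun.inf\con"
    cmd.exe /c "mkdir `"$reserved`"" 2>$null | Out-Null

    # Hidden + System + ReadOnly so casual deletion and overwrite attempts fail.
    $attrs = [System.IO.FileAttributes]::Hidden -bor `
             [System.IO.FileAttributes]::System -bor `
             [System.IO.FileAttributes]::ReadOnly
    (Get-Item -LiteralPath $target -Force).Attributes = $attrs
}

function Test-UsbVaccinated {
    param([Parameter(Mandatory)][string]$DriveLetter)
    $target = Join-Path $DriveLetter 'autorun.inf'
    # Vaccinated means: autorun.inf exists, is a directory, and is read-only.
    $item = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
    if ($null -eq $item -or -not $item.PSIsContainer) { return $false }
    return ($item.Attributes -band [System.IO.FileAttributes]::ReadOnly) -ne 0
}

# Usage (replace E: with the stick's actual drive letter):
Protect-UsbAutorun -DriveLetter 'E:'
if (Test-UsbVaccinated -DriveLetter 'E:') {
    Write-Host 'autorun.inf is now a protected directory on E:.'
}
```

Two caveats a practitioner should keep in mind. First, this only raises the bar: code that deliberately uses the \\?\ or \\.\ path namespace can still remove the placeholder, which is why an AV-side heuristic (Solution 3 below) still matters. Second, on Windows versions that have the Microsoft AutoRun update applied, autorun.inf on non-optical removable media is ignored altogether, so the vaccination mainly protects against the unpatched or AV-less systems the post is concerned with.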
Solution 3: Heuristic Scan engine (AVC)
Our Heuristic Scan Engine (also known as AVC), which will be part of the offering, was tested against similar USB infectors and has come out with flying colors. In this blog post I will not be providing screenshots of our AVC in action; however, as no blog post is complete without a screenshot, here is a small visual of the message which Microsoft Windows provides:
These screenshots have been taken from a system which DOES NOT HAVE ANY ANTIVIRUS.
This morning, I came across an interesting article on “Antivirus Evasion: The Making of a Full, Undetectable USB Dropper / Spreader” and was inspired to write about our efforts in tackling this USB autorun.inf menace.