
[email protected] March 10th 19 03:33 AM

Thumb drive scanner?
 
Is there a tool out there that will scan a thumb drive and tell you if
the formatting/partitioning is buggered in a stuxnet sort of way?

James Davis March 10th 19 03:43 AM

Thumb drive scanner?
 
On Saturday, March 9, 2019 at 7:33:58 PM UTC-8, wrote:
> Is there a tool out there that will scan a thumb drive and tell you if
> the formatting/partitioning is buggered in a stuxnet sort of way?

Have you tried ScanDisk?

[email protected] March 10th 19 05:51 AM

Thumb drive scanner?
 
On Sat, 9 Mar 2019 19:43:44 -0800 (PST), James Davis wrote:

> On Saturday, March 9, 2019 at 7:33:58 PM UTC-8, wrote:
>> Is there a tool out there that will scan a thumb drive and tell you if
>> the formatting/partitioning is buggered in a stuxnet sort of way?
>
> Have you tried ScanDisk?

That might tell you if the structure is unusable but not if there is a
boot sector virus and another hidden partition full of nasty stuff.

Paul[_32_] March 10th 19 06:28 AM

Thumb drive scanner?
 
wrote:
> On Sat, 9 Mar 2019 19:43:44 -0800 (PST), James Davis wrote:
>
>> On Saturday, March 9, 2019 at 7:33:58 PM UTC-8, wrote:
>>> Is there a tool out there that will scan a thumb drive and tell you if
>>> the formatting/partitioning is buggered in a stuxnet sort of way?
>>
>> Have you tried ScanDisk?
>
> That might tell you if the structure is unusable but not if there is a
> boot sector virus and another hidden partition full of nasty stuff.


Kaspersky Rescue Disc ?

Linux LiveCD disc (so the Linux OS can't be corrupted) ?

I just bought some new USB flash a week ago, and I
inserted them on a setup running Linux, for a "first look".
They did have EXEs on them, which I removed.

Paul

pyotr filipivich March 10th 19 06:43 PM

Thumb drive scanner?
 
James Davis on Sat, 9 Mar 2019 19:43:44 -0800 (PST) typed in
microsoft.public.windowsxp.general the following:
> On Saturday, March 9, 2019 at 7:33:58 PM UTC-8, wrote:
>> Is there a tool out there that will scan a thumb drive and tell you if
>> the formatting/partitioning is buggered in a stuxnet sort of way?
>
> Have you tried ScanDisk?


Not what he was asking.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?

Paul[_32_] March 10th 19 08:18 PM

Thumb drive scanner?
 
wrote:
> Is there a tool out there that will scan a thumb drive and tell you if
> the formatting/partitioning is buggered in a stuxnet sort of way?


One problem would be, the trouble could result instantly from the
stick being plugged in. So a purely passive analysis would
not be enough.

As I understand it, one exploit mechanism is to make
the stick a "composite device", hiding USB Mass Storage
and a virtual optical drive in the same USB device. There
were some U3 sticks which had this feature anyway. Using
USBTreeView, you might see a declaration of "Composite"
in the device config data, on a U3 style stick.

There is a registry entry with Autorun/Autoplay bits,
and Microsoft may leave that, such that optical discs
still work. Others in the industry wanted them to turn
this subsystem off entirely, so it would be a little harder
for these things to happen. One third-party technique
was to use a software restriction policy, such that
@autorun.inf could not be accessed, which would "break
the chain" for that style of exploitation.

But I don't know if that covers every possibility or not.

It's an attack surface. That's all I can say for sure.

Paul

[email protected] March 10th 19 08:41 PM

Thumb drive scanner?
 
On Sun, 10 Mar 2019 16:18:33 -0400, Paul wrote:

> wrote:
>> Is there a tool out there that will scan a thumb drive and tell you if
>> the formatting/partitioning is buggered in a stuxnet sort of way?
>
> One problem would be, the trouble could result instantly from the
> stick being plugged in. So a purely passive analysis would
> not be enough.
>
> As I understand it, one exploit mechanism is to make
> the stick a "composite device", hiding USB Mass Storage
> and a virtual optical drive in the same USB device. There
> were some U3 sticks which had this feature anyway. Using
> USBTreeView, you might see a declaration of "Composite"
> in the device config data, on a U3 style stick.
>
> There is a registry entry with Autorun/Autoplay bits,
> and Microsoft may leave that, such that optical discs
> still work. Others in the industry wanted them to turn
> this subsystem off entirely, so it would be a little harder
> for these things to happen. One third-party technique
> was to use a software restriction policy, such that
> @autorun.inf could not be accessed, which would "break
> the chain" for that style of exploitation.
>
> But I don't know if that covers every possibility or not.
>
> It's an attack surface. That's all I can say for sure.
>
> Paul


When I was looking around I did see things that would stop the auto
run and somewhat protect that host but I was wondering if anyone had
the software to flag a bad USB drive with extra partitions and
malware. I assume a brand new stick from a reputable firm would be OK
but after it has "been around" who knows what it might have picked up.
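
One way to check a stick's sector 0 for the extra or hidden partitions asked about here, as an added example that is not from any poster in this thread: it parses the MBR partition table and reports anything beyond a single plain partition. The sample bytes, the hidden-type list and the 1 MiB slack threshold are assumptions chosen for illustration; GPT layouts are not covered, and a passive check like this says nothing about what the stick's controller does on plug-in.

```python
import struct

SECTOR = 512
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}  # "hidden" FAT/NTFS type bytes
SLACK = 2048  # sectors (1 MiB) of uncovered space tolerated as alignment slack

def parse_mbr(sector0):
    """Return the used primary-partition entries from a 512-byte sector 0."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature in sector 0")
    if sector0[54:57] == b"FAT" or sector0[82:87] == b"FAT32":
        return []  # heuristic: "superfloppy", a filesystem starts at sector 0
    parts = []
    for slot in range(4):
        entry = sector0[446 + 16 * slot:462 + 16 * slot]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # type 0x00 marks an unused slot
            parts.append({"slot": slot, "type": entry[4], "start": start, "sectors": count})
    return parts

def audit(sector0, total_sectors):
    """Return human-readable findings; an empty list means a plain layout."""
    parts = sorted(parse_mbr(sector0), key=lambda p: p["start"])
    findings = []
    if len(parts) > 1:
        findings.append(f"{len(parts)} partitions present")
    covered_to = 0
    for p in parts:
        if p["type"] in HIDDEN_TYPES:
            findings.append(f"slot {p['slot']}: hidden type 0x{p['type']:02X}")
        if p["start"] < covered_to:
            findings.append(f"slot {p['slot']}: overlaps previous partition")
        covered_to = max(covered_to, p["start"] + p["sectors"])
    if parts and total_sectors - covered_to > SLACK:
        findings.append(f"{total_sectors - covered_to} sectors after last partition")
    return findings

def sample_mbr():
    """Constructed test input: a FAT32 data partition plus a small hidden FAT16."""
    mbr = bytearray(SECTOR)
    layout = [(0x0B, 2048, 1000000), (0x16, 1002048, 20000)]
    for slot, (ptype, start, count) in enumerate(layout):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * slot, 0, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    for line in audit(sample_mbr(), total_sectors=2000000):
        print(line)
```

On a Linux live system the same functions can be fed the first 512 bytes of the raw device and its size in sectors.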

Lu Wei March 11th 19 06:24 AM

Simple way to disable autorun
 
On 2019-3-11 4:18, Paul wrote:
> ....
> There is a registry entry with Autorun/Autoplay bits,
> and Microsoft may leave that, such that optical discs
> still work. Others in the industry wanted them to turn
> this subsystem off entirely, so it would be a little harder
> for these things to happen. One third-party technique
> was to use a software restriction policy, such that
> @autorun.inf could not be accessed, which would "break
> the chain" for that style of exploitation.


Add this registry entry and disable autorun completely:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

--
Regards,
Lu Wei
IM:
PGP: 0xA12FEF7592CCE1EA
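
The autorun.inf chain discussed above, seen from the inspecting side, as an added example that is not from any poster in this thread: run on a system that does not honor autorun.inf (such as the Linux live disc suggested earlier), it lists the commands a stick's autorun.inf asks Windows to launch, plus any executables on the stick. The sample file contents, the extension list and the function names are assumptions; UTF-16 encoded autorun.inf files are not handled.

```python
import os

LAUNCH_KEYS = ("open", "shellexecute")  # keys that name a program to start
EXEC_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".lnk", ".vbs", ".js"}
SAMPLE = """; constructed sample, not taken from a real stick
[AutoRun]
open=setup\\launch.exe /quiet
icon=drive.ico
shell\\explore\\command=tools\\helper.exe
"""

def autorun_commands(text):
    """Return (key, command) pairs an [autorun] section asks Windows to launch."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        k = key.lower()
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            found.append((k, value))
    return found

def first_look(root):
    """Walk a mounted stick; report root autorun.inf commands and executables."""
    report = {"autorun": [], "executables": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if dirpath == root and name.lower() == "autorun.inf":
                with open(path, encoding="latin-1") as fh:
                    report["autorun"] = autorun_commands(fh.read())
            elif os.path.splitext(name)[1].lower() in EXEC_EXTS:
                report["executables"].append(os.path.relpath(path, root))
    report["executables"].sort()
    return report

if __name__ == "__main__":
    print(autorun_commands(SAMPLE))
```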

