How to avoid viruses on USB drives

  • Hello friends,

    The terror of every network administrator today is certainly the USB drives that all users have and want to use on company computers.

    Any network administrator feels a chill down the spine when someone calls support saying they need to use a USB drive to copy to the computer a file they downloaded at the internet café.

    I have already written an article here on the blog showing how to block (via GPO) the use of USB drives on the network, but that is a radical measure, because we really cannot deny the convenience the USB drive brought; it is here to stay, and there is no longer any way to live without one.

    So I was thinking here about a way to avoid viruses on USB drives, and I came up with something I see as a solution, at least until the viruses find a different strategy. :D

    A brief theoretical background

    We all know that the basic way the vast majority of viruses spread is by copying their executable into some folder on the USB drive (usually RECYCLER, to be confused with the recycle bin) and writing an autorun.inf file that launches the executable when the drive is inserted or clicked. That is where the danger lies, and that is where we will act.

    Simple and effective

    Just create a folder in the root of the USB drive named autorun.inf. ATTENTION!!! I said to create A FOLDER and not a file named autorun.inf.

    This works because if a file is created, the virus will overwrite it, but if it is a folder the virus will not be able to overwrite it (a file cannot overwrite a folder), and consequently your USB drive will not be a spreader of viruses.

    In practice it can still be infected, because we have not prevented the virus executable from being copied to it, but the virus will not be launched automatically, which I already see as a big advantage.

    Regards to all, and I await your comments

    Wednesday, March 11, 2009 19:21

All Replies

  • The article below also has an interesting solution. I found it on milw0rm.

    //Author – Robin Bailey
    //Date – 05/04/2009
    //Email - rbailey.security<0x40>googlemail.com

    //Contents
    [1] Introduction
    [2] The problem
    [3] Solution
    [4] Conclusion

    //Introduction [1]

    As the use of memory sticks has become more and more widespread, malware has begun to use them as a way to spread from machine to machine. While this is a problem for end users, the real danger is with IT professionals, who might use the same USB stick in dozens of computers in a single day, will often be logged in with administrative privileges, and will have access to important machines. This paper is aimed at those professionals, and how they can mitigate the risk of passing an infection on to other machines.

    //The Problem [2]

    Malware uses two main techniques to spread through memory sticks. The first, and less serious, is infecting executable files on the memory stick, so that when they are run on another machine, the infection moves with them.

    The more common, and more dangerous, is to spread via the `autorun.inf` file, which Windows automatically executes when the drive is connected, meaning that no user interaction is needed. Conficker has been getting a lot of attention recently, and this was one of the methods it used to spread itself, but many other malicious programs used the same technique.

    It is possible to disable the autorun feature in Windows, but this requires that the client machine has done this, which is not always the case, as most users will not have the technical knowledge to do this.

    //The Solution [3]

    Since we cannot rely on the computer to prevent the execution of the autorun.inf file, we must do this from the memory stick. It is possible to buy memory sticks with read-only switches, so that they can be locked to prevent the computer writing to them, but this can cause problems, is easily forgotten, and doesn't help once the memory stick has been infected.

    However, if the memory stick is FAT32, which most are, with the exception of some of the new 8GB+ drives, we can create a quick fix using a hex editor and a basic knowledge of the FAT32 directory table.

    First, we create a blank `autorun.inf` file on the memory stick, then open up the disk in a hex editor. It doesn't matter if you open the physical disk or the logical partition, but if the disk has more than one partition, it is better to do the latter. Make sure that the disk is opened with read/write permissions, and that you haven't got anything accessing it at the time. HxD for Windows is a small, portable hex editor, if you don't already have one.

    While this can be done to a disk with data on it, it is safer to do it to a blank one, just in case there is a problem. If not, make sure that you have a copy of any data on the stick; if you don't, then you are liable to any loss of data that might occur.

    Next, run a search in the disk for the string `AUTORUN`, as a non-Unicode text string. It should find it near the beginning of the disk. The area we are interested in is as follows.

        41 55 54 4F 52 55 4E 20 49 4E 46 20
        A  U  T  O  R  U  N     I  N  F

    The first 8 bytes are the filename (with a space at the end, because autorun is only 7 characters), followed by a 3-byte file extension (INF), followed by one byte for the file attributes. It is this final byte that is relevant.

    The current value of the byte (0x20) has just the archive bit set. What we want to do is to change this byte to 0x40, which sets the device bit, which is never normally found on a disk. The block will now look like this.

        41 55 54 4F 52 55 4E 20 49 4E 46 40
        A  U  T  O  R  U  N     I  N  F  @

    Once this has been saved to disk, ignoring any warning that this might corrupt the disk, we then unmount and remount the volume. Now, when you browse to the disk, the autorun.inf file can be seen, but it cannot be deleted, opened, edited, overwritten, or have its attributes changed.

    When this memory stick is connected to an infected machine, which will try to create an autorun.inf file on it, it will fail with an error (Cannot create file), meaning that this memory stick cannot be infected, and thus cannot pass an infection on to any other computers.

    //Conclusion [4]

    As stated before, this is not a guide aimed at end users; it is aimed at IT professionals, or other power users, who will use the same USB stick on multiple computers on a day-to-day basis.

    Should this technique become widely used, we will almost certainly see malware that can bypass it, but until that happens, it can provide a simple but effective defense against USB-spreading malware.

    If you have any comments/questions/suggestions send me an email.

    # milw0rm.com [2009-04-06]


    Luiz A. Amelotti
    Wednesday, June 3, 2009 13:45
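    The directory-table edit described in the paper above, and the folder variant from the opening post, as an added Python example that belongs to neither post: it parses FAT32 short (8.3) directory entries, decodes the attribute byte (0x10 for a folder named autorun.inf, 0x40 for the paper's device bit), and applies the 0x20 to 0x40 patch to the AUTORUN.INF entry. The directory-table bytes are constructed inline, not read from a real device.

```python
# FAT32 short (8.3) directory entry: 11-byte name, 1 attribute byte, then 20 bytes
# of timestamps, cluster and size (Microsoft FAT spec). Only offsets 0..11 matter here.
ENTRY_SIZE = 32
ATTRS = {0x01: "READ_ONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x08: "VOLUME_ID",
         0x10: "DIRECTORY", 0x20: "ARCHIVE", 0x40: "DEVICE(reserved)"}
ATTR_DIRECTORY, ATTR_ARCHIVE, ATTR_DEVICE = 0x10, 0x20, 0x40


def make_entry(name: str, ext: str, attr: int) -> bytes:
    """Constructed sample entry: space-padded 8.3 name, attribute byte, rest zeroed."""
    short = (name.upper().ljust(8)[:8] + ext.upper().ljust(3)[:3]).encode("ascii")
    return short + bytes([attr]) + bytes(ENTRY_SIZE - 12)


def parse_entries(table: bytes) -> list:
    """Return (filename, attribute, offset) for each in-use short entry in a raw table."""
    out = []
    for off in range(0, len(table) - ENTRY_SIZE + 1, ENTRY_SIZE):
        ent = table[off:off + ENTRY_SIZE]
        if ent[0] == 0x00:                               # end-of-directory marker
            break
        if ent[0] == 0xE5 or (ent[11] & 0x0F) == 0x0F:   # deleted entry or LFN piece
            continue
        name = ent[0:8].decode("ascii").rstrip()
        ext = ent[8:11].decode("ascii").rstrip()
        out.append((f"{name}.{ext}" if ext else name, ent[11], off))
    return out


def describe(attr: int) -> list:
    """Decode the attribute byte into flag names, e.g. 0x40 -> ['DEVICE(reserved)']."""
    return [n for bit, n in ATTRS.items() if attr & bit]


def vaccinate(table: bytes) -> bytes:
    """Apply the paper's edit: set AUTORUN.INF's attribute byte (offset 11) to 0x40."""
    buf = bytearray(table)
    for fname, _attr, off in parse_entries(table):
        if fname == "AUTORUN.INF":
            buf[off + 11] = ATTR_DEVICE
    return bytes(buf)


# Constructed directory table: one normal file plus the blank AUTORUN.INF the paper creates.
SAMPLE_TABLE = (make_entry("README", "TXT", ATTR_ARCHIVE)
                + make_entry("autorun", "inf", ATTR_ARCHIVE))

if __name__ == "__main__":
    for fname, attr, off in parse_entries(vaccinate(SAMPLE_TABLE)):
        print(f"{off:4d}  {fname:<12} 0x{attr:02X} {describe(attr)}")
```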
  • Read these articles; my USB drive has been clean since following the tips on this blog.
    Use Spybot Search & Destroy (anti-spyware), avast! antivirus and HijackThis.
    My PC was full of viruses and the tips on this blog helped me a lot.
    http://comosaberfazer.blogspot.com/2008/04/como-retirar-virus-malwares-e-spywares.html
    Use HijackThis; it is easy to use.
    Read this article on that blog. I think it will help you.
    HijackThis gives a list of all processes, and its website tells you which are viruses and which are not...
    http://comosaberfazer.blogspot.com/2008/04/como-utilizar-o-hijackthis.html
    I hope this helped!!
    Note: please don't forget to mark the best answer.

    Thursday, January 7, 2010 23:11
  • Panda's USB Vaccine creates the necessary 'protection'.
    Fernando Nishimura de Aragão
    Sunday, March 14, 2010 20:55