Penetration Testing mailing list archives

Re: --++[Preventing the spread of USB malware]++--


From: Shreyas Zare <shreyas () technitium com>
Date: Wed, 15 Apr 2009 20:28:06 +0530

Hi,

That's true if the trusted machine is really infected. The SYSTEM user
not being present in the permissions makes processes running as SYSTEM
unable to write into the drive. This helps to some extent with
malware running as SYSTEM. Also, using an AD user for this purpose is not
a good idea. Only a local machine user should be used, since if you log on
with an AD user to an infected machine and put the drive in, then it would
definitely get infected and the method fails. Generally, malware is
not coded to change file permissions, and so this method thwarts most
common threats (in general).

Regards,

On Wed, Apr 15, 2009 at 8:03 PM, Irrational Pi <pinowudi () gmail com> wrote:
This is an elegant solution for userland malware trying to dump to a USB
without permission checks. It will fail for malware that crosses into
kernel territory for the purpose of infecting all users of a machine. Sadly
these are becoming more common. This would invalidate the solution based on
your "only my trusted machine users" assumption. All users would be
compromised on the machine, even the 'trusted' ones.



-- 
("Computers have a strange habit of doing what you say, not what you
mean." - SANS Top 25 Most Dangerous Programming Errors)

Shreyas Zare
Co-Founder, Technitium
eMail: shreyas () technitium com

..::< The Technitium Team >::..
Visit us at www.technitium.com
Contact us at theteam () technitium com

Join Sci-Tech News group and get the latest science & technology news
in your inbox. Visit http://tech.groups.yahoo.com/group/sci-tech-news
to join.
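The ACL scheme the two posters are discussing, written out as an added example (PowerShell, not code from either poster): an audit function that flags any write-capable ACE on the drive root other than the one local account, and an apply function that rebuilds the ACL with only that local account able to write. The drive letter `E:\` and the account name `usbowner` are placeholders.

```powershell
# Added example, not from the thread. Audits and optionally rebuilds the root ACL of a
# removable NTFS volume so that only ONE LOCAL account (never a domain account) can write.
# Assumptions: drive E:\ and local account 'usbowner' are placeholders; run elevated.
# Caveat from the thread: this only stops code that honours ACLs. Kernel-mode malware, or
# anything holding SeTakeOwnership/Administrators rights, can rewrite the ACL at will.
param(
    [string]$Drive = 'E:\',
    [string]$LocalUser = "$env:COMPUTERNAME\usbowner",
    [switch]$Apply
)

# Any of these bits in an Allow ACE means the principal can create or alter files.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-UsbWriteAcl {
    param([string]$Path, [string]$AllowedWriter)
    $acl = Get-Acl -Path $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }   # read-only ACE is fine
        $id = $ace.IdentityReference.Value
        if ($id -eq $AllowedWriter) { continue }
        # SYSTEM (service-level malware), Everyone/Users (any logged-on account) or a
        # DOMAIN\ account (reusable on an infected box) with write access defeats the scheme.
        $findings += "Write-capable ACE for $id ($($ace.FileSystemRights))"
    }
    return $findings
}

function Set-UsbWriteAcl {
    param([string]$Path, [string]$AllowedWriter)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)           # stop inheriting, keep nothing
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    # Only the local account may write/delete; everyone else (other machines included) reads.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AllowedWriter, 'Modify', $inherit, $prop, 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'ReadAndExecute', $inherit, $prop, 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

$issues = Test-UsbWriteAcl -Path $Drive -AllowedWriter $LocalUser
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Output 'Root ACL OK' }
if ($Apply) { Set-UsbWriteAcl -Path $Drive -AllowedWriter $LocalUser }
```

Run it once without `-Apply` to see which principals can currently write, and again afterwards to confirm only the local account remains; the volume must be NTFS, since FAT-formatted sticks carry no ACLs at all.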
