While reading the F-Secure blogpost titled When is AUTORUN.INF really an AUTORUN.INF?, I was reminded of this masking technique - putting extra data between the relevant lines.
But how tolerant is the autorun.inf parser (which I suppose is in fact the INI file parser) really? The example shown by F-Secure is quite mild, in the sense that each line is preceded by ";" to clearly mark it as a comment. We can up the ante by putting arbitrary garbage between the relevant lines, without the ";" marker:
for (1..255) { print chr(rand(256)); }      # 255 random bytes, no ";" comment marker
print "\n[autorun]\n";                       # the section header on a line of its own
for (1..255) { print chr(rand(256)); }      # more random bytes between the relevant lines
print "\nopen=C:\\WINDOWS\\NOTEPAD.EXE\n";   # the directive autoplay acts on
for (1..255) { print chr(rand(256)); }      # trailing random bytes
This works! I didn't check how large the binary blocks can be, but I imagine that you can go 32k-64k easily. Now to put an extra twist in there:
print "\xFF\xFE";                            # UTF-16 LE byte order mark, nothing else changes
for (1..255) { print chr(rand(256)); }
print "\n[autorun]\n";
for (1..255) { print chr(rand(256)); }
print "\nopen=C:\\WINDOWS\\NOTEPAD.EXE\n";
for (1..255) { print chr(rand(256)); }
That FF FE is the byte order mark (BOM) and tells text editors which recognize it that the file is UTF-16 little-endian encoded, which of course it isn't. The end result? You will see only garbage in Notepad (as it tries to "decode" the file) and also in my favorite file management app. And yet, it still works!
Have fun, stay safe and make sure to disable autorun.
Update: the commenter had a good idea. In response: strings extracts the strings correctly (I tried it under Linux, but I assume that the Windows version would behave the same). However, for example gedit can't open it.
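The post shows that the Windows INI parser skips the binary junk and the BOM while text editors choke on them, and the update notes that strings still recovers the directives. The script below is an added example (not the post's Perl, which only generates the test file) that does the same thing a responder would do by hand: pull printable runs out of the raw bytes the way strings does, then apply INI section/key logic only to those runs, and report the BOM and the share of junk bytes as triage signals. The sample file is constructed here to mirror the post's second generator, with deterministic high bytes instead of random ones so the result is reproducible; the set of "launch" keys is an assumption covering the documented open and shellexecute directives.

```python
"""Triage a suspect autorun.inf whose directives are hidden between binary garbage."""
import re

UTF16_LE_BOM = b"\xff\xfe"
# Directives that make autoplay run something (assumption: open and shellexecute only).
LAUNCH_KEYS = {"open", "shellexecute"}


def printable_runs(data: bytes, min_len: int = 4) -> list:
    """Like the Unix strings tool: runs of printable ASCII of at least min_len bytes.
    Line breaks are not printable, so each directive line becomes its own run."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def ini_sections(lines) -> dict:
    """Minimal INI reader over already-extracted text runs.
    Section names and keys are folded to lower case (the Windows INI API is
    case-insensitive); runs that are neither a header nor key=value are ignored,
    which is exactly how the junk lines get skipped."""
    sections, current = {}, None
    for line in lines:
        line = line.strip()
        if line.startswith(";"):                      # comment line, as in the F-Secure example
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def triage_autorun(data: bytes) -> dict:
    """Return what a responder wants to know about a suspect autorun.inf."""
    has_bom = data.startswith(UTF16_LE_BOM)
    body = data[len(UTF16_LE_BOM):] if has_bom else data
    sections = ini_sections(printable_runs(body))
    autorun = sections.get("autorun", {})
    # Bytes that are neither printable ASCII nor tab/CR/LF. A genuine autorun.inf is
    # almost entirely text, so a high ratio is itself a signal worth surfacing.
    noise = sum(1 for b in body if not (0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)))
    return {
        "utf16_bom": has_bom,
        "autorun_section": "autorun" in sections,
        "directives": autorun,
        "launches": {k: v for k, v in autorun.items() if k in LAUNCH_KEYS},
        "noise_ratio": round(noise / len(body), 2) if body else 0.0,
    }


def build_sample() -> bytes:
    """Constructed input mirroring the post's second Perl generator, using deterministic
    high bytes (0x80-0xFF) instead of random ones so the output is reproducible."""
    junk = bytes(range(0x80, 0x100))
    return (UTF16_LE_BOM + junk + b"\n[autorun]\n" + junk
            + b"\nopen=C:\\WINDOWS\\NOTEPAD.EXE\n" + junk)


if __name__ == "__main__":
    print(triage_autorun(build_sample()))
```

The two-stage design (strings first, INI second) is deliberate: decoding the whole file as text is what trips Notepad and gedit, whereas the byte-level scan never has to interpret the BOM or the junk. With truly random junk as in the post, a printable run containing "=" could occasionally be picked up as a bogus directive after the header, so the reported key names still deserve a glance.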
what about using strings (strings.exe)?
@cdman83 - Great post! Thanks for sharing it with me over in my post comments. I've responded there but am reposting here to keep it in context.
I really like the suggestion about running Strings from Sysinternals. Granted it is CLI (and might turn off the casual users) but the arguments might ferret out the info much faster.
Foundstone's BinText might also be a standalone executable that could help screen it in a GUI interface. I've used it successfully in the past to field-analyze malware bits and pieces.
Finally the brilliant Didier Stevens walks us through both tools in his older post Viewing strings in executables.
Good stuff and thank you very much for the added investigative work.
I think this type of "attack" by misdirection might become more common.
Especially if it takes the form as seen in this latest F-Secure post that is also related to both the autorun.inf file as well as Windows Vista and Windows 7.
Social Engineering Autoplay and Windows 7
--Cheers! Claus V.