echo: nthelp
to: John Beckett
from: Geo
date: 2006-08-06 10:23:54
subject: Re: Gotcha

From: "Geo" 

"John Beckett"  wrote
in message news:9jdbd2tofr3mecninaujfjv03rqv9li1pm{at}4ax.com...

> However I'm not sure that anyone has taken my point:
> - Do whatever you like to disable autorun for your USB.
> - Try my scenario - it WILL autorun.

I took your point; it's only slightly different from a removable hd
though. All removable storage devices that have boot capabilities have
this ability, the only difference here is that the USB device is using a
named file instead of having to use a boot sector.

Have you ever noticed how an NT4 CD doesn't ask if you want to boot from CD
but a W2K CD does? That code is in the boot code on the CD. I don't know if
it's the CD driver or the boot code on the CD but one does a check to see
if the computer is already booted when you mount a CD. That doesn't
necessarily mean that the boot code is not executing when you mount a CD,
I've never actually looked at the bootstrap process for a CD but that may
be what's preventing it. That's how syquest cartridges used to work.

> Apparently there is some magic handshake whereby the USB device tells the
> system what it is capable of. It might be a keyboard, an emulated disk
> drive, or other stuff.

It's likely the boot sector has a check.

> One security posting suggested that it might be possible to have a gadget
> that looks like a USB memory stick, but which identifies itself as a
> keyboard, and it might be able to stuff keystrokes into the computer to do
> any task that the user is capable of (an unstoppable autorun).

It might be possible to identify it as a bootable CD. An easy test would be
to infect a bootable CD with a boot sector virus and see if just mounting
the CD causes the virus to spread. My bet is this is totally possible.

> Apparently you can buy USB memory sticks that emulate a CD drive. They do
> this on the assumption that most users have CD autorun enabled, so
> inserting the tricky USB device will autorun (to present your company's
> fabulous marketing presentation without waiting for anything old fashioned
> like permission to run).

That suggests the above bootstrap scenario: that capability is being loaded
during the mount process.

Geo.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
