Author Topic: McDonalds serves up a McVirus in Japan  (Read 13350 times)


Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: McDonalds serves up a McVirus in Japan
« Reply #15 on: October 16, 2006, 05:27:02 pm »
I tried creating an autorun.inf (typo earlier) file on my usb drive and could not get it to run the exe specified by autorun.inf even on a machine that had never previously been connected to the usb drive.

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
    • View Profile
Re: McDonalds serves up a McVirus in Japan
« Reply #16 on: October 16, 2006, 07:00:01 pm »
...you can't be serious.

One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: McDonalds serves up a McVirus in Japan
« Reply #17 on: October 16, 2006, 07:31:34 pm »
Quote
I tried creating an autorun.inf (typo earlier) file on my usb drive and could not get it to run the exe specified by autorun.inf even on a machine that had never previously been connected to the usb drive.

I was googling about it, and there's a lot of suggestions about how to do it, but nothing sounded like the end-all solution.  I always assumed you could, but never really tested it. 

So if I want to infect people, I guess I'll stick to putting my virus on a CD with auto-run and leaving the CD laying around.  I forget where I read about that (maybe in Mitnick's book, but I'm not sure), but in a large-scale pen-test they left CDs containing a trojan laying around the building they were testing, and a lot of people put them in their computers.

Using your imagination, there are tons of ways you could convince somebody to put an evil CD into their computer.  And that's why I think autorun is evil. 

Quote
...you can't be serious.
Who?  And about what?  You have to quote when you say something like that.

Offline Warrior

Re: McDonalds serves up a McVirus in Japan
« Reply #18 on: October 16, 2006, 07:48:35 pm »
This whole McDonalds mp3 players malware thing..

Offline Chavo

Re: McDonalds serves up a McVirus in Japan
« Reply #19 on: October 16, 2006, 10:04:02 pm »
Quote
Using your imagination, there are tons of ways you could convince somebody to put an evil CD into their computer.  And that's why I think autorun is evil.
I think autorun was designed to give virus writers an easy way to target only people who don't use VMWare

Offline iago

Re: McDonalds serves up a McVirus in Japan
« Reply #20 on: October 17, 2006, 08:26:47 am »
Ok, I did some research, and yes, you can do auto-run on USB.  You have to make the main partition a CDFS partition, so that it's recognized as a CD.

http://linuxbox.org/pipermail/funsec/2006-October/009425.html
http://linuxbox.org/pipermail/funsec/2006-October/009427.html

I have a ton of respect for both those posters, so I'm willing to believe them.

Offline Chavo

Re: McDonalds serves up a McVirus in Japan
« Reply #21 on: October 17, 2006, 09:52:34 am »
It makes sense that autorun.inf is specific to cdfs.  I wonder how far the cdfs on usb can be taken to emulate a cd. 
* unTactical ponders

However, I have a beef with:
Quote
As of at least mid-year last year, I know that WinXP defaulted to autorun on USB sticks: I don't know if that has been reset in any of the recent patches.
Either Windows has been patched, or he is mistaking autorun for the dialog that opens and defaults the selection to the USB's internal app (I haven't looked to figure out where that is specified).  An important distinction.

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: McDonalds serves up a McVirus in Japan
« Reply #22 on: October 17, 2006, 12:03:47 pm »
Guess what guys!  autorun.inf is NOT specific to NTFS.  My tablet came with a recovery partition - guess what - it had an autorun.inf that would run when I double-clicked the volume!
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline iago

Re: McDonalds serves up a McVirus in Japan
« Reply #23 on: October 17, 2006, 12:08:55 pm »
Quote
Guess what guys!  autorun.inf is NOT specific to NTFS.  My tablet came with a recovery partition - guess what - it had an autorun.inf that would run when I double-clicked the volume!
It was never specific to NTFS.  Did you mean CDFS? :P

But we're talking about making it run when you plug in the USB device, not when you double-click on it.  I think that's what formatting it with CDFS does.

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: McDonalds serves up a McVirus in Japan
« Reply #24 on: October 17, 2006, 05:31:28 pm »
Quote
Ok, I did some research, and yes, you can do auto-run on USB.  You have to make the main partition a CDFS partition, so that it's recognized as a CD.

http://linuxbox.org/pipermail/funsec/2006-October/009425.html
http://linuxbox.org/pipermail/funsec/2006-October/009427.html

I have a ton of respect for both those posters, so I'm willing to believe them.

Yep. My flash drive (I forgot the brand name, but its symbol is an M with a circle.. Magnavox?) does this to automagically install its backup software as well as Firefox (odd..), and it's really pissing me off. I think I was going to run gparted on it once but I didn't have drivers or something.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: McDonalds serves up a McVirus in Japan
« Reply #25 on: October 17, 2006, 05:44:28 pm »
unTactical's post made me think of something interesting: a free USB stick that I received from an engineering trade show (companies like to give away free shit so you look at their products :D) had an auto-run program on it when attached to the USB drive. I believe it shows up as a CD on one partition, as well.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline MyndFyre

Re: McDonalds serves up a McVirus in Japan
« Reply #26 on: October 17, 2006, 09:18:24 pm »
Quote
Quote
Guess what guys!  autorun.inf is NOT specific to NTFS.  My tablet came with a recovery partition - guess what - it had an autorun.inf that would run when I double-clicked the volume!
It was never specific to NTFS.  Did you mean CDFS? :P

But we're talking about making it run when you plug in the USB device, not when you double-click on it.  I think that's what formatting it with CDFS does.
Yes I meant CDFS.

No, formatting it with CDFS does not make it auto-run; it has nothing to do with the file system.  Here's what happens.

Autorun is a function of the shell (typically explorer.exe).  When you mount a file system while explorer.exe is running, Explorer looks for autorun.inf and updates the display as needed.  This could involve altering the shell icon for the device, or executing the autorun command specified in the .inf.  Explorer.exe also changes the default action associated with the object - if you right-click on an object in Explorer, you'll see one item is almost always highlighted.  Typically this is the Open command.  However, when a file system is mounted with an autorun.inf file, Explorer sees the autorun.inf file, and adjusts its context menu so that the AutoPlay action is the default, and when you double-click on the object, the default action is performed.

For proof, I've created a network folder called Library (I'm at work, shut up) in the public share.  I created an autorun.inf file in this folder that specifies to open the command prompt (C:\Winnt\System32\cmd.exe), which you can see in my first attachment, autorun-inf-in-network-share.png.  I then mapped the Library folder to the network drive H, and lo and behold, the command prompt ran when I finished the mapping.  The second attachment is me right-clicking on the mapped drive in Explorer - you can see that AutoPlay is the default action, share-with-autorun.png.  Finally, double-clicking on it - just like mounting it - causes the autoplay file to run.  You can see this in the third attachment, autorun-cmd-prompt.png, as the command prompt started in the H:\ path, the network share where the autorun.inf file is located.

Please note that network shares in Windows are presented through the Network File System (NFS), and that the underlying physical file system is not represented to the components in the lower levels.

I hope this lesson in how Windows actually works (as opposed to speculation related to file systems) has been educational.

What would be intelligent for companies like Apple to do would be to not expose their file systems to Windows like a USB hard drive.  (Note: USB hard drives are also, incidentally, autorun-enabled, and they're on FAT file systems - how do you think USB drive manufacturers push their backup/sync software to users when they pop the drive in?  It's not firmware). 

iago, I realize you consider yourself a security expert, but touting about how awful Windows is when you don't actually know how it works makes you lose credibility.  If you like, I'll make you a FAT-formatted USB drive and mail it to you so you can plug it in Windows and watch it auto-play.
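To check what the shell would act on for a given volume, following the explanation in the post above, this added example (not part of the thread and not any poster's code) parses an autorun.inf and classifies its entries. The sample file, the category names and the simplified default-action model in double_click_target are assumptions made for illustration.

```python
EXEC_KEYS = ("open", "shellexecute")        # program the shell starts via AutoRun
DISPLAY_KEYS = ("icon", "label", "action")  # only change how the drive is shown

# Constructed sample; the open= line mirrors the network-share test in the post.
SAMPLE = r"""
[AutoRun]
OPEN=C:\Winnt\System32\cmd.exe
icon=drive.ico
shell=backup
shell\backup=&Install backup software
shell\backup\command=tools\setup.exe
"""

def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit_autorun(text):
    """Classify each entry by what it lets the volume do on the host."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS:
            findings.append(("runs-program", key, value))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(("menu-command", key, value))
        elif key == "shell":
            findings.append(("default-verb", key, value))
        elif key in DISPLAY_KEYS:
            findings.append(("display-only", key, value))
    return findings

def double_click_target(text):
    """Command behind the drive's default action, or None (simplified model)."""
    e = parse_autorun(text)
    verb_cmd = e.get("shell\\%s\\command" % e["shell"].lower()) if "shell" in e else None
    return verb_cmd or e.get("open") or e.get("shellexecute")

if __name__ == "__main__":
    print(audit_autorun(SAMPLE), double_click_target(SAMPLE))
```

An absolute path in a runs-program finding, as in the sample, points at a binary already on the host, while a relative path points at a file carried on the volume itself.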

Offline iago

Re: McDonalds serves up a McVirus in Japan
« Reply #27 on: October 17, 2006, 09:39:12 pm »
That's all fine and dandy.  I don't care about the icon changing, and what happens when you double-click it is, while important, not the issue either. 

The issue is, when you plug in the USB stick, can it run a program? 

According to the guys on that security list (that I referenced), it will iff it's formatted as a CDFS.  At least, that's how I understand it. 

From a cursory check on Google, I couldn't find any other method of auto-running a USB stick.

Is that the same thing that you're talking about?  Or are we talking about different things?


(On a sidenote: I don't pretend to be a Windows expert -- I'm not.  I haven't touched Windows for more than a couple minutes in probably 2 years)

Offline MyndFyre

Re: McDonalds serves up a McVirus in Japan
« Reply #28 on: October 17, 2006, 09:55:40 pm »
Quote
According to the guys on that security list (that I referenced), it will iff it's formatted as a CDFS.  At least, that's how I understand it.
The guys on the security list, or your understanding, are wrong.  As I demo'd, any time a drive letter is mounted, Explorer will check to see if it's auto-runnable.  It is filesystem-agnostic.

A FAT-formatted USB stick will autorun.

Offline Chavo

Re: McDonalds serves up a McVirus in Japan
« Reply #29 on: October 17, 2006, 10:07:58 pm »
If it's file system agnostic then why does the USB drive have to be FAT formatted?

I'm sure I created and placed my autorun.inf file correctly when I was testing my usb drive and it did not autorun, but I don't remember offhand what file system it is formatted in. I'll check tomorrow.