My Malware USB drive setup

Avgsmoe

I have been using this setup for a while, and it works great for me, hopefully some of you will benefit as well.

I use a 4GB flash drive dedicated for malware clean up.
I disabled autorun malware by using this:

Code:
@echo off
cls
echo MKAUTORN.BAT is an autorun.inf folder maker
echo.
echo This batch file will do the following:
echo 1) Remove hidden, system, and read-only attribute of autorun.inf FILE
echo 2) Delete autorun.inf FILE
echo 3) Create autorun.inf FOLDER
echo 4) Create a CON folder inside the autorun.inf folder
echo 5) Hide the autorun.inf folder
echo.
echo This batch file should be executed from your USB drive's root directory to
echo function properly. Make sure you copy this batch file to the root of your USB drive
echo first. If not, press Ctrl+C NOW to terminate this job, then run this batch file
echo again from there.
echo.
echo If any error messages or Yes/No questions appear,
echo simply answer YES by pressing "Y".
echo.
pause
echo.
rem Strip the attributes malware usually sets so that del can remove an existing autorun.inf file.
attrib autorun.inf -r -h -s
del autorun.inf
rem Replace the file with a folder of the same name; malware trying to write a new autorun.inf file now fails.
md autorun.inf
rem CON is a reserved device name, so cmd refuses a plain "md con". Creating it through the
rem \\.\ device path works, and the resulting folder cannot be deleted or renamed by normal
rem tools, which keeps the autorun.inf folder in place. %~d0 is the drive this batch file runs from.
md "\\.\%~d0\autorun.inf\con"
attrib autorun.inf +r +h +s
echo.
dir autorun.* /a
echo.
echo DONE!
pause

I created a hidden folder called TrueCrypt. Inside is portable truecrypt, and a 3GB truecrypt container.

On the root of the flash drive I have 3 batch files.

1) mounts truecrypt container with read only permissions

Code:
rem /q background: close the GUI after mounting but keep TrueCrypt running in the tray
rem /e: open the mounted volume in Explorer, /m ro: mount read-only, /v: container, /p: password
TrueCrypt\TrueCrypt.exe /q background /l /e /m ro /v "cleaner" /p "infected"

2) mounts truecrypt container with read/write - for updating

Code:
rem /m rm: mount as a removable medium; without "ro" the volume is mounted read/write
TrueCrypt\TrueCrypt.exe /q background /l /e /m rm /v "cleaner" /p "infected"

3) unmounts truecrypt volume

Code:
rem /d with no drive letter dismounts all mounted TrueCrypt volumes
TrueCrypt\TrueCrypt.exe /q /d

**cleaner is the name of my truecrypt container** **infected is the password**

I also have rkill on the root, and a backup of the TrueCrypt files, compressed and password-protected.

You can imagine what to put in the TrueCrypt container. I have all my normal anti-spyware/virus/malware/rootkit software. I also have a Windows system control center setup there also, because AVs love to delete those files ;)
 
The problem I have with the write protect flash drives is that in my experience they are slow, really really slow. So instead of buying a new drive that will perform worse, I just used a drive I already had. Also my memory sometimes doesn't work, I can see forgetting to switch on the write protect after an update.
 
Virut can't infect a compressed, passworded file, which is how I store a backup of the files kept in root. Virut can't infect my files in read-only mode. I have had this flash drive in a machine with Virut with no problems.

Plus running from the machine with virut on it isn't the best method to clean it anyways...
 
But once you mount the compressed folder, the protection is now only a password? Plus you are depending on truecrypt to keep your data read only.

I much prefer the hardware solution so as not to have any dependencies on software which at the end of the day is only as good as the creator(s).
 
The compressed file contains a backup of TrueCrypt and the batch files. Nothing more.

I have a lot of experience with TrueCrypt; I remember using it as far back as '05. I know how stable it is, and what it can and can't do. I understand other people don't know. If you don't trust it, don't use it. I know that when I mount a container in read-only there is NO way of writing to it. It would have to be unmounted and re-mounted with write permissions.

I have had TrueCrypt containers that have lasted longer than some flash drives. It isn't perfect, just like the hardware...

The only thing that can happen is a self-attaching virus could attack the TrueCrypt exe, but then that same virus would attach to ANY exe, so it's a moot point.

For myself, I would rather use a drive I can get anywhere, with good performance, to use. This is an option, not the only one, obviously. Use what you are comfortable with. Just because one solution works for you doesn't mean it works for everyone.
 
Oh, I trust TrueCrypt :) I use it on my KeePass USB key as an extra layer of protection and it is my recommended encryption method. I just don't agree with this kind of statement:

I know that when I mount a container in read only there is NO way of writing to it. It would have to be unmounted and re-mounted with write permissions.

What is to stop someone writing some code that would do this? You have it done in a batch file. I know you have the password stored, but what is to stop some smart coder scanning for inputs into TrueCrypt and then using those inputs for themselves? You can never say NO when it comes to security. I guess I'm raising a point of principle more than anything :D
 
If someone were to write an exploit for my USB drive setup it would only affect me... Why would they do that?

If I'm working on a computer I'll know if a volume is mounted and unmounted. If it is mounted with read-only I know it is read-only. You're right, someone may develop an exploit for read-only mode on TrueCrypt, but it doesn't exist today. If it ever happens I'll change my method, but until then I won't worry.
 
Yeah, but your truecrypt.exe and rkill.exe are both open to getting infected by a virus like Virut, and once you decrypt any programs they could get infected too.

Setting a read-only attribute on any exe on your flash drive is trivial for the virus to undo before it injects the code.
 
Again, if a virus will infect any exe then that means ANY.
Trying to clean a system with an infection like that from its own environment is useless. You will make the problem worse trying to clean it like that. So that is a moot point.

A TrueCrypt container has no header or footer for a virus to identify and attack, if that's what you mean by "setting a read-only attribute". If the exes are in the mounted container with read-only, then no, the virus can NOT inject itself.
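The two posts above disagree about whether the executables on the stick can be modified without the owner noticing. Whichever side one takes, the practical check is the same: hash every file on the toolkit while it is known clean, keep the manifest somewhere the suspect machine cannot write to (inside the read-only container, or on a clean workbench machine), and re-verify before the drive is trusted again. A file infector that appends or overwrites code in an EXE changes its hash. The script below is an added example, not code from the thread; it uses a constructed temporary directory with fake `rkill.exe` and `TrueCrypt\TrueCrypt.exe` files in place of a real drive, and `manifest.json` is a name chosen here.

```python
"""Integrity manifest for a malware-cleanup toolkit drive (added example).

build_manifest() records a SHA-256 per file; verify_manifest() reports what
changed since. A file infector that patches executables in place shows up as
"modified"; dropped payloads show up as "added".
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name; keep this file off the suspect drive


def sha256_file(path: Path) -> str:
    """Stream the file so large tool binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, exclude=(MANIFEST_NAME,)) -> dict:
    """Map each file's drive-relative path (POSIX separators) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name not in exclude:
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the drive's current state against a trusted manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: a clean toolkit, then a simulated file infector."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # constructed stand-ins for the real tool binaries on the stick
        (root / "rkill.exe").write_bytes(b"MZ" + b"\x90" * 64)
        (root / "TrueCrypt").mkdir()
        (root / "TrueCrypt" / "TrueCrypt.exe").write_bytes(b"MZ" + b"\x00" * 128)

        # taken while clean; in practice store this inside the read-only container
        save_manifest(build_manifest(root), root / MANIFEST_NAME)

        # simulate an infector appending a code section to one EXE and dropping a payload
        with (root / "rkill.exe").open("ab") as f:
            f.write(b"\xcc" * 16)
        (root / "dropped.exe").write_bytes(b"MZ")

        return verify_manifest(root, load_manifest(root / MANIFEST_NAME))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from a machine you trust, not from the infected host: on a box with an active file infector, the Python interpreter and the manifest reader are just more executables that can be tampered with, which is the same point the thread makes about cleaning a Virut machine from inside itself.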
 
Missing the point?

The virus can still infect the USB drive itself? Adjust partition sizes and put itself in a hidden partition, etc. It's when you come to use the same drive on the NEXT COMPUTER that I would be more concerned. I use a Type 6/10 SD card and an SD-to-USB adapter (clear plastic so I can see the switch); these all have switches.
 
Not true but thanks. I have never had a problem using it this way. I've used it on extremely infected systems without incident.
 
I am duplicating this at this moment. I've been using one 8GB "Toolkit" drive and a 2GB "infected" locking SD. This'll let me use the SD for something else and leave it on the workbench. Edit: I'll probably just leave it as is but just for the workbench

Thanks, Avgsmoe. Rep to you!
 
Rattled this off this evening while the wife and daughter watched a musical and the son worked on Xmas lego:

Code:
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Icon=..\..\..\Media\Icons\TrueCrypt.ico
#AutoIt3Wrapper_Outfile=Y:\tcprep.exe
#AutoIt3Wrapper_Compression=4
#AutoIt3Wrapper_UseX64=n
#AutoIt3Wrapper_Run_Tidy=y
#AutoIt3Wrapper_Run_Obfuscator=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
Dim $drive, $ini, $letter, $name, $pass, $fullcommand
$drive = StringLeft(@ScriptDir, 2) ; drive letter of the stick this exe runs from, e.g. "F:"
$ini = $drive & "\tc.ini"
$letter = IniRead($ini, "Truecrypt", "Letter", "")
; name and password are read in clear text from tc.ini; the quotes are added here so
; each survives as a single argument on the TrueCrypt command line
$name = '"' & IniRead($ini, "Truecrypt", "Name", "") & '"'
$pass = '"' & IniRead($ini, "Truecrypt", "Password", "") & '"'

If FileExists($letter & ":\cd.ico") Then ; looks for this file on the mounted partition and, if found, assumes a dismount
    Run($drive & "\TrueCrypt\TrueCrypt.exe /q /d")
Else
    If Not IsDeclared("iMsgBoxAnswer") Then Local $iMsgBoxAnswer
    ; 790819 = YESNOCANCEL (3) + ICONQUESTION (32) + DEFBUTTON2 (256, so No is the default button)
    ;          + SYSTEMMODAL (4096) + TOPMOST (262144) + RIGHT (524288)
    ; topmost, default to No; the 10 second timeout also falls through to read-only
    $iMsgBoxAnswer = MsgBox(790819, "Mount as Writeable?", "Would you like to mount this partition as writeable?" & @CRLF & @CRLF & "( 10 seconds will default to Read-Only )", 10)
    Select
        Case $iMsgBoxAnswer = 6 ;Yes
            ReadWrite()
        Case $iMsgBoxAnswer = 7 ;No (default)
            ReadOnly()
        Case $iMsgBoxAnswer = 2 ;Cancel
            Exit
        Case $iMsgBoxAnswer = -1 ;Timeout
            ReadOnly()
    EndSelect
EndIf
Exit

Func ReadOnly()
    ; /m ro mounts the container read-only
    $fullcommand = $drive & "\TrueCrypt\TrueCrypt.exe /q background /l " & $letter & " /e /m ro /v " & $name & " /p " & $pass
    Run($fullcommand)
EndFunc   ;==>ReadOnly

Func ReadWrite()
    ; /m rm mounts as a removable medium; without ro the container is read/write
    $fullcommand = $drive & "\TrueCrypt\TrueCrypt.exe /q background /l " & $letter & " /e /m rm /v " & $name & " /p " & $pass
    Run($fullcommand)
EndFunc   ;==>ReadWrite

#cs
    SAVE THE BELOW TEXT AS ITS OWN FILE:  __:\TC.INI
    EDIT ACCORDINGLY

    [Truecrypt]
    Letter=X
    Name=Toolkit
    Password=infected

#ce
I think it's pretty clear what does what. At the beginning and end, I use $name, $pass and $fullcommand to simplify the necessary use of quotes in the variables (the only hump in writing it). I guess that obfuscating + high compression might limit the likelihood of this file getting infected, but I'm open to any suggestions on protecting it better.
 