The threat of malicious software can easily be considered the greatest threat to Internet security today. Earlier, viruses were more or less the only form of malware. Nowadays, however, the threat has grown to include a vast range of highly sophisticated applications, viz. network-aware worms, Trojans, DDoS agents, IRC-controlled bots, spyware, rootkits and many more advanced infection techniques.

USB removable drives are now so popular, and so commonly used to transfer and share data between systems, that they have become a prime target for attackers and malware authors, who use them as a very successful medium for spreading infections from one system to another. Of late there has been a sharp rise in the number of malware families spreading through USB mass storage devices. The moment you plug in a USB removable drive and try to access it, you may well get infected.

USB Protect runs in the background and monitors DBT_DEVICEARRIVAL events. When it detects a DBT_DEVICEARRIVAL event, it identifies whether the device is removable media such as a USB drive. If it is, USB Protect determines the drive entry and checks for the existence of Autorun.inf and of the malware binary that Autorun.inf calls. On a positive detection, it deactivates both the malware binary and the Autorun.inf file, and gives a voice confirmation that an Autorun.inf file was detected in the USB drive. Deactivation is a rename, not a deletion: the malware binary gets a .blocked extension and Autorun.inf a .usb extension, so nothing is deleted or lost. It then creates a blank, harmless autorun file so that the Open With window doesn't appear when the USB drive is clicked.

USB Protect will save log files in C:\USBProtectLog with names like USBProtectLog23012009163525.log



Shortcut keys:

CTRL + NUM 1 --> Shows application window

CTRL + NUM 2 --> Shows About Me window



Sample log file entries will look like:



1/23/2009 4:46:15 PM: WM_DEVICECHANGE 537
1/23/2009 4:46:15 PM: wParam = DBT_DEVICEARRIVAL <---- detects device insertions
1/23/2009 4:46:15 PM: Device Type: DBT_DEVTYP_DEVICEINTERFACE
1/23/2009 4:46:15 PM: Device Name: STORAGE <---- detects if storage is USB Removable drive
1/23/2009 4:46:15 PM: Vendor\Product ID: REMOVABLEMEDIA
1/23/2009 4:46:15 PM: Device Unique ID: 7&14A32F0A&0&RM
1/23/2009 4:46:15 PM: Device CLSID: {53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}
1/23/2009 4:46:15 PM: Drive Letter: I <---- detects drive letter
1/23/2009 4:46:15 PM: Renamed To: I:\USBProtect23012009164615.usb
1/23/2009 4:46:15 PM: Autorun Detected In Drive I
1/23/2009 4:46:15 PM: Autorun Path: I:\USBProtect23012009164615.usb <---- renames autorun.inf
1/23/2009 4:46:15 PM: Autorun Content: <---- displays the autorun.inf text
[AutoRun]
open=Malware.exe <---- shows the malware binary
shell\open=Malware
shell\open\Command=Malware.exe
shell\explore=Malware
shell\explore\Command="Malware.exe"
1/23/2009 4:46:16 PM: Binary Renamed To: I:\Malware.blocked <---- deactivates malware binary
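The following is an added example, not USB Protect's own code: it parses the autorun.inf content shown in the log above to find the binaries it would launch, then applies the same neutralisation steps (binary to .blocked, Autorun.inf to USBProtect<stamp>.usb, blank autorun.inf left behind). The device-arrival monitoring is Windows-specific and is left out; the sample autorun.inf and the dummy Malware.exe are constructed here, with the standard [AutoRun] section header.

```python
import os, re, tempfile

# Constructed sample: the "Autorun Content" shown in the log above.
SAMPLE_AUTORUN = '[AutoRun]\nopen=Malware.exe\nshell\\open=Malware\n' \
    'shell\\open\\Command=Malware.exe\nshell\\explore=Malware\nshell\\explore\\Command="Malware.exe"\n'
# Keys whose value names a program autorun would launch (open=, shellexecute=, shell\<verb>\command=).
LAUNCH_KEY = re.compile(r'^(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+)$', re.I)

def program_name(value):
    """Strip quotes and trailing arguments so only the program name is left."""
    value = value.strip()
    return value[1:].split('"', 1)[0] if value.startswith('"') else value.split()[0]

def referenced_binaries(text):
    """Programs the [AutoRun] section would launch, in file order, without duplicates."""
    found, in_autorun = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('['):                       # section header
            in_autorun = line.lower() == '[autorun]'
            continue
        m = LAUNCH_KEY.match(line) if in_autorun and not line.startswith(';') else None
        if m and program_name(m.group(2)).lower() not in [f.lower() for f in found]:
            found.append(program_name(m.group(2)))
    return found

def neutralise(root, stamp):
    """Rename autorun.inf to USBProtect<stamp>.usb and each launched binary to .blocked, then leave a blank autorun.inf."""
    names = {e.lower(): e for e in os.listdir(root)}  # Windows file names are case-insensitive
    if 'autorun.inf' not in names:
        return {}
    inf = os.path.join(root, names['autorun.inf'])
    with open(inf, encoding='utf-8', errors='replace') as fh:
        text = fh.read()
    renamed = {}
    for prog in referenced_binaries(text):
        if prog.lower() in names:                      # only files sitting in the drive root
            src = names[prog.lower()]
            dst = os.path.splitext(src)[0] + '.blocked'
            os.replace(os.path.join(root, src), os.path.join(root, dst))
            renamed[src] = dst
    os.replace(inf, os.path.join(root, f'USBProtect{stamp}.usb'))
    renamed[names['autorun.inf']] = f'USBProtect{stamp}.usb'
    open(os.path.join(root, 'autorun.inf'), 'w').close()  # blank, harmless placeholder
    return renamed

def demo():
    """Run neutralise() on a throwaway directory holding the sample autorun.inf and an empty dummy Malware.exe."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, 'autorun.inf'), 'w') as fh:
            fh.write(SAMPLE_AUTORUN)
        open(os.path.join(root, 'Malware.exe'), 'w').close()
        return {'renamed': neutralise(root, '23012009164615'), 'files': sorted(os.listdir(root))}
```

Running demo() reproduces the two renames the log records, I:\Malware.blocked and I:\USBProtect23012009164615.usb, against a temporary directory instead of a real drive.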

Last edited Sep 8, 2009 at 2:53 AM by maliciousbrains, version 2