Protecting USB Drives from Malware

July 7, 2010

The emergence of USB drives has been a blessing for the digital world. It has become very easy to carry and transfer data using USB drives. Unfortunately, with the increase in the use of USB drives, the nuisance of malware has also increased. Malware uses USB drives to spread from machine to machine.

The Problem

Malware uses two main techniques to spread through USB drives.

  1. Infecting executable files on memory drives so that when they are run on another machine, the infections move with them.
  2. Using the ‘autorun.inf’ file to spread the malware.

The second technique is more dangerous, because as soon as the USB drive is plugged in, the ‘autorun.inf’ file is automatically executed by the Windows operating system, with no human interaction needed. Most malicious programs use this technique. We can prevent this infection by disabling the ‘autorun’ feature in Windows. But this has to be done on the client machine, which is not always the case, as most users will not have the technical knowledge to do it.

The Solution

We can purchase USB drives with read-only switches. But this has its own disadvantages: in order to write to the memory stick we have to remove the protection, which puts the USB drive at risk of being infected.

We can solve this problem in a very simple and free way, without having to buy memory sticks with read-only switches!
Before we start, take a backup of the data on the USB drive and make sure the drive is blank.

Here are the steps to make your USB drive malware-safe:

  1. We create a blank ‘autorun.inf’ file on the USB drive.
  2. Now use a hex editor to open the USB device in read and write mode. Make sure that nothing is accessing the device at that time.
  3. On the disk, search for the string ‘AUTORUN’ in non-Unicode format. You will find it near the beginning of the disk.

    This is what we are interested in
    41 55 54 4F 52 55 4E 20 49 4E 46 20
    AUTORUN.INF

  4. The last byte shown, 0x20, is the file's attribute byte, and it currently has just the archive bit set. We change this byte to 0x40. This sets the device bit, which is never normally found on disk. In simple words, just replace the ‘2’ of that final 0x20 with ‘4’, which makes it 0x40. Leave the earlier 0x20 (the space between ‘AUTORUN’ and ‘INF’) unchanged.

    The edited block should look like this:

    41 55 54 4F 52 55 4E 20 49 4E 46 40
    A  U  T  O  R  U  N     I  N  F  @

  5. Save this to the disk, ignoring all the warnings that might appear.
  6. Unmount and remount the device. To test whether our autorun.inf file is protected, try deleting it. You will get a popup with an error.

    As you will observe, you cannot open, edit, delete or overwrite it. Also its attributes cannot be changed.
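
Steps 3 and 4 can also be scripted against a raw image of the drive instead of being done by hand in a hex editor. The following Python code is an added example, not part of the original article: the function names and the sample image are constructed for illustration, and it assumes the ‘AUTORUN INF’ name sits at a 32-byte-aligned offset, as FAT directory entries do.

```python
# Added example: applies steps 3-4 to a raw FAT image held in memory.
ENTRY_SIZE = 32               # FAT directory entries are 32 bytes long
NAME_83 = b"AUTORUN INF"      # 8.3 name: "AUTORUN" + one pad space + "INF"
ATTR_OFFSET = 11              # the attribute byte follows the 11-byte name
ATTR_ARCHIVE = 0x20           # value the article expects before the edit
ATTR_DEVICE = 0x40            # value the article writes


def find_autorun_entry(image):
    """Return the offset of the first 32-byte-aligned AUTORUN.INF entry, or -1."""
    pos = image.find(NAME_83)
    while pos != -1:
        if pos % ENTRY_SIZE == 0:
            return pos
        pos = image.find(NAME_83, pos + 1)   # skip unaligned hits in file data
    return -1


def protect_autorun(image):
    """Set the attribute byte to 0x40 in place and return the entry offset."""
    off = find_autorun_entry(image)
    if off == -1:
        raise ValueError("no AUTORUN.INF directory entry found")
    attr = image[off + ATTR_OFFSET]
    if attr == ATTR_DEVICE:
        return off                           # already patched, nothing to do
    if attr != ATTR_ARCHIVE:
        raise ValueError(f"unexpected attribute byte 0x{attr:02X}, not patching")
    image[off + ATTR_OFFSET] = ATTR_DEVICE
    return off


def build_sample_image():
    """Constructed data: a sector with an unaligned decoy, then a directory sector."""
    data = bytearray(512)
    data[5:5 + len(NAME_83)] = NAME_83       # decoy: the name inside file content
    directory = bytearray(512)
    entry = NAME_83 + bytes([ATTR_ARCHIVE]) + bytes(20)
    directory[64:64 + ENTRY_SIZE] = entry    # third slot of the directory
    return data + directory


if __name__ == "__main__":
    img = build_sample_image()
    off = protect_autorun(img)
    print(f"entry at 0x{off:X}:", img[off:off + 12].hex(" ").upper())
```

The script refuses to write when the attribute byte is anything other than 0x20 or 0x40, so a hit that is not the blank file from step 1 is left untouched.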

So now feel free to use this protected USB device on any machine.
