
Thread: USB Memory Sticks with hidden virtual CD partitions (U3 Drives?)

  1. #1

    flyinghaggis

    We've been finding that pupils (and staff) seem to be increasingly bringing in USB memory sticks they've been given as freebies into school. Most of these seem to be formatted (I'm assuming it's done purely using software rather than custom hardware in the sticks) specifically so that they appear in Windows as both a 'virtual CD' partition and a partition that contains the USB drive's data.

    When connecting them to a PC the USB stick autoruns and Windows detects it as a virtual CD drive which launches an app (often a menu or a promo screen) from an .exe file and then mounts the USB data partition.

    What's really worrying is that despite us having autorun turned off for users and Windows GP file path restrictions in place to stop executables running from removable drives, the way these sticks emulate a CD drive seems to bypass this, allowing the initial menu program to run?

    Has anyone found a fix to stop these types of memory sticks from being used and/or autorunning when connected, as they're potentially a pretty major security loophole?

    Also is there any kind of program to reformat these sticks so we can get rid of the hidden virtual CD partition? I've tried the U3 removal tool but it's not detecting the USB drive as being a U3 model?

  2. #2

    ajbritton

    Hmmm. Never heard of that. Not sure how a normal USB drive could be formatted to appear as a CD (except of course by the inclusion of AUTORUN.INF that points to a custom icon for the partition).

    Do you actually have one in your possession to test?

    I am very surprised to find that GP restrictions are not effective. Perhaps students are disconnecting PCs from the LAN at a critical moment during logon, which can affect GP processing. Are you using a blacklist or whitelist approach for restrictions? In my experience, the whitelist approach is far more reliable.

  3. #3

    Griffo

    I have had a few of them brought to me but never really looked at how it was done. There are also a few branded ones like a Liverpool Echo or LFC one that I seem to remember launches IE and goes to their website when inserted.

    Not a problem for us as we simply don't allow any access to USB drives.

  4. #4

    ICT_GUY

    I have a Kingston one, it drives me mad, the U3 removal tool does not work on them either. It's so annoying I hardly ever use the stick now.

  5. #5

    flyinghaggis

    Originally posted by ajbritton:
    Hmmm. Never heard of that. Not sure how a normal USB drive could be formatted to appear as a CD (except of course by the inclusion of AUTORUN.INF that points to a custom icon for the partition).

    Do you actually have one in your possession to test?

    I am very surprised to find that GP restrictions are not effective. Perhaps students are disconnecting PCs from the LAN at a critical moment during logon, which can affect GP processing. Are you using a blacklist or whitelist approach for restrictions? In my experience, the whitelist approach is far more reliable.

    Yeah, I'm amazed MS haven't blocked these sticks in Windows as it's basically using a hack to fool Windows into thinking the USB stick is a CD drive. Given this works as a limited user without admin rights it leaves the whole thing seriously open to being exploited! We're using a blacklist rather than whitelist which may be part of the issue? I've tried it myself using our test pupil account so it's definitely not a problem caused by pupils unplugging network cables/etc.

    Originally posted by Griffo:
    I have had a few of them brought to me but never really looked at how it was done. There are also a few branded ones like a Liverpool Echo or LFC one that I seem to remember launches IE and goes to their website when inserted.

    Not a problem for us as we simply don't allow any access to USB drives.

    Admittedly the ones I've seen so far have been innocent in what they've done but my fear was that one might get infected with a virus and/or pupils might find out how to create their own custom sticks that would allow them to run programs bypassing our security (which it looks like these specifically formatted sticks do)! It's also frustrating because after plugging in these devices they install then prompt for a reboot (because of the virtual CD drive) so it's actually permanently altering the configuration of the PC, which is a concern.

    Has anyone found a way to block them yet other than blocking all removable USB drives?
    Last edited by flyinghaggis; 13-01-2009 at 02:38 PM.

  6. #6

    RabbieBurns

    My 16GB SanDisk has this cr*p on it. It also creates a directory structure on the disk it thinks I might want. Documents, Photos etc.

    If I delete them, they re-appear next time I plug it in. ANNOYING.

    I even formatted the drive and it still happens. GrRR

  7. #7

    flyinghaggis

    They certainly make it difficult to reformat the drive (assuming it can be done) but then I guess they don't want you removing their advertising material! You can't easily do it in Windows because it sees it as though it was a CD drive and only lets you format the 'other' USB partition on the drive natively.
    The only way I could think to carry it out would be to use Linux (or some kind of DOS cmd prompt boot) where you could physically see the partition structure on the drive and remove it?

  8. #8

    RabbieBurns

    Mine appears as a USB+CD in Ubuntu as well. Mine is a legitimate paid-for 16GB memory stick, not a freebie POS. It's annoying as H3ll.

  9. #9

    Virtual CD

    Hi

    Formatting won't do it I'm afraid, neither will partitioning. U3 and some others emulate a CD in their firmware - which means as far as Windows is concerned it's pretty much a separate device.

    Some manufacturers provide tools to manipulate the vCD - can't recall whether U3 do. M-Systems (who designed the U3 system and then partnered with SanDisk to try to popularise it) used to provide such tools as a downloadable SDK. But we are going back quite a while.

    Drives are so cheap now why bother with it?

    HTH

  10. #10

    flyinghaggis

    Originally posted by takeware:
    Drives are so cheap now why bother with it?

    I'm not bothered about using the drives TBH. My primary concern's really what the sticks do as I don't like the idea of pupils bringing in USB drives that install virtual hardware onto a PC and appear to bypass security policies! As you say it looks as though these drives actually contain different hardware controllers (rather than just being regular sticks formatted in a special way) to handle the CD emulation so you'd need a specifically written piece of software for each hardware controller type to alter/format them.

    Would be nice to reformat them if we could but failing that I'd be happy to block them altogether if anyone knows a way!
    Last edited by flyinghaggis; 13-01-2009 at 03:44 PM.

  11. #11

    Geoff

    You do realise your systems are vulnerable to USB switch blade hacking?

    USB Switchblade - Hak5

    We just disable USB here. There's so many loopholes in Windows related to it, it's not worth trying to tie it down.

  12. #12

    vCD

    It's difficult for the OS to tell the difference between a real CD drive and a good emulation in software. This may possibly be an understatement ;-)

    I'm going to tread very carefully here - as I'm new here and don't want to overstep the mark - but we have software that does that (and a lot more). I'm happy to provide more details - but via private mail or only with explicit permission.

    One way you can differentiate between a resident CD and one on a USB device is that the interloper is not there at startup (obvious loophole - if it's already plugged in at startup).

    A utility is possible that detects the (late) arrival of a vCD and kicks it out. I don't know how useful that would be? If enough interest is there I might be able to get something made up and available as a freeware download (once we test it). Let me know?
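
Added example, not part of any post in this thread: the "late arrival" check described in the post above, combined with a bus check that still works when the stick is already plugged in at startup, plus a decoder for the Windows `NoDriveTypeAutoRun` policy bitmask to confirm whether AutoRun is switched off for the CD-ROM drive type as well as for removable drives. The device records are constructed in the shape of `Win32_CDROMDrive.PNPDeviceID`, and all function names are hypothetical.

```python
from dataclasses import dataclass

# Bit per drive type in the Windows NoDriveTypeAutoRun policy value.
AUTORUN_BITS = {"unknown": 0x01, "removable": 0x04, "fixed": 0x08,
                "network": 0x10, "cdrom": 0x20, "ramdisk": 0x40}


def autorun_disabled_for(policy_value: int, drive_type: str) -> bool:
    """True if the policy bitmask turns AutoRun off for this drive type."""
    return bool(policy_value & AUTORUN_BITS[drive_type])


@dataclass(frozen=True)
class OpticalDrive:
    letter: str
    pnp_device_id: str  # shape of Win32_CDROMDrive.PNPDeviceID


def bus_of(drive: OpticalDrive) -> str:
    """Enumerator (bus) name: the part of the PnP ID before the first backslash."""
    return drive.pnp_device_id.split("\\", 1)[0].upper()


def flag_optical_drives(startup_baseline, current):
    """Return {letter: [reasons]} for optical drives worth a closer look."""
    known = {d.pnp_device_id.upper() for d in startup_baseline}
    findings = {}
    for d in current:
        reasons = []
        if bus_of(d) == "USBSTOR":
            # Also matches a genuine external USB CD/DVD drive.
            reasons.append("optical drive on USB mass-storage bus")
        if d.pnp_device_id.upper() not in known:
            reasons.append("arrived after startup baseline")
        if reasons:
            findings[d.letter] = reasons
    return findings


# Constructed sample records (not taken from a real machine).
INTERNAL = OpticalDrive("D:", r"IDE\CDROMEXAMPLE_DVD-ROM_CONSTRUCTED\5&1A2B3C&0&0.0.0")
USB_VCD = OpticalDrive("F:", r"USBSTOR\CDROM&VEN_EXAMPLE&PROD_VCD&REV_1.00\000000000001&1")

if __name__ == "__main__":
    # Stick inserted after logon: flagged on both counts.
    print(flag_optical_drives([INTERNAL], [INTERNAL, USB_VCD]))
    # Stick already present at startup: only the bus check still catches it.
    print(flag_optical_drives([INTERNAL, USB_VCD], [INTERNAL, USB_VCD]))
    # 0x95 leaves the CD-ROM bit clear; 0xFF sets every drive-type bit.
    print(autorun_disabled_for(0x95, "cdrom"), autorun_disabled_for(0xFF, "cdrom"))
```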

  13. #13

    flyinghaggis

    Originally posted by Geoff:
    You do realise your systems are vulnerable to USB switch blade hacking?

    USB Switchblade - Hak5

    We just disable USB here. There's so many loopholes in Windows related to it, it's not worth trying to tie it down.

    We've seen this before and it's pretty concerning TBH. USB is something I'd like to block (and think we'll probably ultimately be forced into in future given data protection issues and the exploits for it) but there's no way SMT will allow it at the moment without months of discussion. Even then it probably won't happen!

    How'd you manage to convince SMT to allow you to block all USB devices? Do you just block it on pupil PCs or for staff as well?

  14. #14

    Sirbendy

    Google for U3 removers... I do it to staff ones on demand, and I've removed it from my own.

    Bloody annoying thing it is.

  15. #15

    flyinghaggis

    I actually tried the U3 removal tool on the last stick I encountered but it didn't appear to register the drive as being a U3 model so I couldn't remove the 'read-only' CD partition. I think it might be a different kind of drive though it looks like it works in a similar way.
