Create fake virus message

Camillia
This is not homework, seriously :)

My manager said there's some client conference and they want to show that we care about security. He said they want to leave a USB on a table and have a note on it ... something like...financial data...and see who takes it. If that person puts the USB/flash drive in his laptop, he wants the user to see a fake message... you have a virus whatever.

He said this can be done with some ini file and ini file needs to be on the USB/flash drive and when it's inserted, that ini is going to run. Something like that.

I pushed it off on the jr developer :) but now I'm thinking about it and I'm wondering how the code can be done for it. Any ideas?
David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
First, if you really desire someone to insert it + use it, don't label the drive. Labeling is a clear indication you've just dropped down bait.

Second, you must be very careful how you go about this + in what country the conference is running.

In some jurisdictions (countries) simply doing this as an example or test case violates serious laws, which can land people in a dark prison.

This includes the US, depending on exactly what's on the thumb drive + exactly what occurs when it's inserted.

This is not a matter for some idiot... er, I mean, highly competent manager to orchestrate. This is a matter for your company's legal department to consider.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
I believe it is using Autorun.inf - autorun HTML, PDF, PPT, DOC etc. But it needs autorun to be enabled, which may be disabled by default by company policy.

https://www.howtogeek.com/236241/how-to-enable-disable-and-customize-autoplay-in-windows-10/

To create the inf file:
http://www.allusb.com/usb-explained/usb-autorun

Type “shellexecute=” without the quotation marks, followed by the PDF file name in question. If the file resides within a subfolder, include its title before the file name while separating the two with a backslash. An example would be “shellexecute=foldername\test.pdf”. Ensure that the actual file names and the written commands do not include spaces.

Click the “File” menu, followed by “Save As.” Name the text file “autorun.inf” and then click “Save.” Note that this changes the default ".txt" extension to ".inf", which is necessary for the Autorun command to work.
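As an added example (not from the thread or from the linked sites), here is a small Python audit a defender can run against an autorun.inf found on removable media: it parses the [autorun] section and reports which directives would launch a file if AutoRun were enabled, flagging executable types. The sample INF is constructed; its shellexecute line is the one quoted above, and the shell\open\command line is a hypothetical context-menu override.

```python
"""Audit an autorun.inf: report what it would launch if AutoRun were enabled (added example)."""
from pathlib import PureWindowsPath

LAUNCH_KEYS = {"open", "shellexecute"}            # directives that run/open a file on insert
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                   ".vbs", ".js", ".wsf", ".msi"}  # native code or script interpreters

# Constructed sample: the shellexecute line is the one quoted in the thread;
# the shell\open\command line is a hypothetical Explorer context-menu override.
SAMPLE_INF = r"""
; constructed autorun.inf for testing the audit
[AutoRun]
icon=drive.ico
label=Financial Data
shellexecute=foldername\test.pdf
shell\open\command=setup.exe
"""

def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lowercased
    (INF section and key names are case-insensitive)."""
    directives, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):            # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives

def audit_autorun(text):
    """List every directive that would launch a file, flagging executable types;
    icon/label/action are cosmetic and are not reported."""
    findings = []
    for key, value in parse_autorun(text).items():
        launches = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not launches or not value:
            continue
        target = value.split()[0].strip('"')              # drop any arguments
        ext = PureWindowsPath(target).suffix.lower()
        findings.append({"directive": key, "target": target,
                         "launches_executable": ext in EXEC_EXTENSIONS})
    return findings
```

Running `audit_autorun(SAMPLE_INF)` reports the PDF launch and the executable launch; the mitigation btan mentions later in the thread (AutoRun disabled by policy) means none of these directives fire on a hardened host.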
@David, I didn't know that. Thanks for the info. I know...just feels like a stupid thing to demo.

@btan , let me look at your info.

Hopefully, my manager will forget about this silliness.
just feels like a stupid thing to demo

IMO you're right, it is. At least as proposed.

If I were thinking about doing something like this (and I'm not) I would display something like "YOUR DATA HAS JUST BEEN ENCRYPTED"
and then go into a small tutorial about security explaining what had just happened and why, "If this had been an actual attempt" etc etc etc... "Never put foreign media or media from untrusted sources on network devices", etc etc etc

End with logo, sales pitch, contact info

But I wouldn't do even that without running it past your legal eagles.

Just my 2 cents

Ken
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Actually, if the intent is to level up awareness, consider sending a phishing email instead; there are more indicators of compromise.
https://www.experts-exchange.com/articles/31731/Am-I-being-hacked-What's-next.html?headerLink=workspace_article

Or simply put an "eicar" file on the USB and AV will alert by default. The AV prompt may already have "phished" the boss.
http://www.eicar.org/85-0-Download.html
Emailed my manager the info from this thread. He said he didn't know Autorun needs to be turned on and didn't know about legal issues.

I don't understand that "eicar" link. AV prompt?
I don't understand that "eicar" link. AV prompt?

An eicar file is a file that will trigger an antivirus alert.

The file/signature is 100% safe; it's used all the time for testing purposes.
Eicar
http://www.eicar.org/86-0-Intended-use.html

Just copy and save this to a text file and save it to a thumb drive, CD, etc.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Make sure your antivirus is suspended first though, otherwise it'll be captured as you create it.
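As an added example (not Ken's code, and not from eicar.org), a Python check that confirms a file really is the harmless EICAR test file as published: the first 68 bytes are the fixed, case-sensitive signature, anything after it must be whitespace only, and the whole file may be at most 128 bytes. The `check_file` helper is an assumption for reading the file back off the thumb drive.

```python
"""Validate an EICAR anti-virus test file against the eicar.org rules (added example):
68-byte fixed signature, optional trailing whitespace, total length at most 128 bytes."""

# Signature split across two literals only to keep the line short.
EICAR_SIGNATURE = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD"
                   b"-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR_MAX_LEN = 128

def eicar_verdict(data):
    """Return "ok", or a short reason why data is not a valid EICAR test file."""
    if len(data) > EICAR_MAX_LEN:
        return "too long: %d bytes, max %d" % (len(data), EICAR_MAX_LEN)
    if not data.startswith(EICAR_SIGNATURE):
        return "signature mismatch (the string is case-sensitive)"
    if data[len(EICAR_SIGNATURE):].strip():     # bytes.strip() drops ASCII whitespace only
        return "trailing bytes after the signature are not whitespace"
    return "ok"

def is_eicar_test_file(data):
    """True only when the bytes form a valid EICAR test file."""
    return eicar_verdict(data) == "ok"

def check_file(path):
    """Hypothetical helper: read a file from disk (e.g. the thumb drive) and return its verdict.
    A missing file is the usual symptom of AV having quarantined it on creation."""
    try:
        with open(path, "rb") as fh:
            return eicar_verdict(fh.read())
    except FileNotFoundError:
        return "file not found (possibly quarantined by AV)"
```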
Thanks, let me take a look.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Thanks kencamp for the eicar sharing.

As for the Autorun, that is a Windows feature. Think of it simply as autoplay. You can try it out. Due to malware spreading through thumb drives, security policy mandates tend to state it is to be disabled by default. If you have security folks, you can check with them too.
Andy Ainscow, Freelance programmer / Consultant
Commented:
Just a small comment from my side.
I agree totally that this is a bad idea and probably would not work anyway due to the autoplay being disabled.

It might be better to prepare a laptop with the autoplay enabled and the USB stick, then as part of your display demonstrate what can happen just by plugging in the USB stick.  You could even show them a folder and its contents.  Then plug in the stick which will delete (or modify) the files.  Then plug the stick in and show them the folder contents no longer exist - no warnings....
Most Valuable Expert 2015
Distinguished Expert 2018
Commented:
I agree totally that this is a bad idea

Indeed. Talk your manager out of this stupid happening. Security is nothing to play with. Seriously.
As for the Autorun

Technically using the Eicar Autorun shouldn't even be needed.

The antivirus should jump on it as soon as the thumb drive is mounted.
Security is nothing to play with

Well yes and no, there's just a right way and a wrong way to go about doing it.

Scaring the bejesus out of a customer, regardless of the intent, is definitely the wrong way and will likely be counterproductive.
Thanks, guys. Yes, very stupid. I've sent him the info... held back and didn't call him stupid :)
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Maybe some scary case study may suffice. Stuxnet and Conficker are easily googled and well known to have used thumb drives to spread. It is not just a hygiene negligence issue; it can be a bigger issue if the root cause is such ignorance. :)
Technical Specialist
Awarded 2017
Distinguished Expert 2018
Commented:
Here is a tool used in such a drop test:
You can download our special, "beaconized" file onto any USB drive. Then label the drive with something enticing and drop the drive at an on-site high traffic area. If an employee picks it up, plugs it in their workstation and opens the file, it will "call home" and report the "fail" to your KnowBe4 console. And for Office documents, if the user also enables macros (!), additional data is tracked and geomapped.
https://www.knowbe4.com/usb-security-test
Thanks, Shaun, let me look.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
The USB drop test is good. KnowBe4 has nice awareness toolkits.

https://www.linkedin.com/pulse/free-security-tools-ransomware-ceo-fraud-more-steve-morgan/
Thanks, guys. This was very helpful.
Anytime, good luck.