由於USB儲存裝置的普遍與便利,加上Windows作業系統支援autorun的功能,導致USB儲存裝置成為新的蠕蟲傳播方式。有別於以往的蠕蟲直接透過網路進行遠端入侵,USB蠕蟲則是利用被廣泛使用的USB儲存裝置從組織內部進行感染,這種感染方式使得網路防火牆與入侵偵測系統形同虛設,也讓全世界的企業與個人遭受到巨大的損失。 在本篇論文中,我們藉由分析USB蠕蟲感染USB儲存裝置的方式,設計出一套可自我散佈的USB蠕蟲偵測機制 ─ USB Worm Killer (UWK),以解決目前USB蠕蟲的問題。UWK透過DLL Injection與API Hooking的技術,將此機制注入USB儲存裝置裡的autorun.inf所指定執行的可疑行程中,並藉由模擬USB儲存裝置,讓可疑行程誤以為系統中有多個USB儲存裝置存在而嘗試對其寫入autorun.inf與可疑執行檔,一旦可疑行程有上述行為,UWK就會將其判定為USB蠕蟲並中止其執行,以達到防止USB蠕蟲的散佈。 Due to the widespread-use of the USB storage devices and the autorun function provided by Windows OS, the USB storage devices have become the new spread method used by the USB worms. Differentiated from the past worms scanned the computers directly and intruded in them remotely via the Internet, USB worms could utilize the storage devices to infect the internal computers of the organizations. This infection makes the Internet Firewall and the Network Intrusion Detection System work ineffectively, and it also causes the whole-world entrepreneur suffer the severely tremendous losses as well as the individuals. In this paper, we present a self-spread USB worm detection system, USB Worm Killer (UWK), to solve the current problems caused by the USB worms. UWK utilizes the DLL Injection and API Hooking techniques to inject itself into the address space of the process which specified by the autorun.inf. UWK also simulates the USB storage devices and catch the request of writing the autorun.inf and worm itself. Once the above request occur, UWK will determine it as an USB worm and terminate it to avoid the spread of the USB worm.
