Spam Prats Jan 06, 2010 No Comments
Way back when, Microsoft opted for convenience over security and Windows users have been sitting ducks ever since. I’m speaking of autorun/autoplay, a feature in Windows that lets programs run automatically when a CD or USB flash drive is inserted into a PC. For years now bad guys have been exploiting this to automatically infect PCs with malicious software.
Everyone knows this. What many Windows users don’t know is that there are two different approaches to disabling autorun/autoplay.
There is a simple way and a complex way. There is a consistent way and one that varies depending on the version of Windows. There is an all-encompassing way and one whose design has holes in it. There is a foolproof way and one that has needed multiple patches. There is a consistent way and one whose design has changed over time. There is an easily understood way and one that no one fully grasps. There is a frequently written about way and one that is often overlooked.
There is, in a nutshell, a good way and a bad way.
The bad way is from Microsoft. The good way is from two people no one knows (myself included) – Nick Brown and Emin Atac.
What brings this up? Three things.
A recent article about autorun security problems in the Washington Post is chock full of statistics on how bad the problem remains. In particular, the Taterf worm, which spreads by exploiting autorun, was detected by Microsoft on 4.91 million Windows computers.
And, despite the plethora of articles on how Microsoft is making this all better, my latest PC, a netbook running Windows XP SP3, was vulnerable to autorun hacking even with all the latest patches installed.
The Many Faces of Autorun and Autoplay
Part of the problem in understanding autorun/autoplay is that there are five aspects to it, yet we have only two words: autorun and autoplay. The language used insures mis-understandings about autorun/autoplay.
There are four ways that malicious software on a USB flash drive (thumb drive, pen drive, memory stick, etc.) can execute and infect a Windows computer:
On top of this, bad guys can also modify the displayed volume label and icon for an external USB device, to try and entice a user into falling for one of the above tricks.
All the maliciousness is centered in a single file called autorun.inf. Nick Brown’s registry update simply tells Windows not to process any autorun.inf files. The concept is elegant in its simplicity.
And, this is separate and distinct from the Autoplay feature of Windows. The autorun.inf file is an optional part of Autoplay.
Kicking the Autorun Tires
If a picture is worth a thousand words, then a live demo is worth many pictures. You can see and test the five aspects of autorun/autoplay using an autorun.inf file that I created back in January. For more, see my blog post about testing your defenses against malicious USB flash drives.
My sample autorun.inf file safely attempts to exploit all five aspects of autorun/autoplay. Simply adding it, and a copy of mspaint.exe, to a USB flash drive, turns the device into an autorun tester. With it, you can see which of the five aspects of autorun/autoplay a Windows computer is vulnerable to. It also gives you a baseline to test any attempts at disabling autorun.
If you are concerned about downloading files from strangers (good for you), autorun.inf files are plain text. You can open them in Notepad to see what programs they are attempting to run.
Source : www.esecurityplanet.com
Leave a Reply