What Windows Autorun Has Wrought

A new report by Microsoft shows that the two most prevalent threats to Windows PCs in the first half of 2009 were malicious programs that have been aided mightily in their spread by a decision by Microsoft to allow the contents of removable media -- such as USB thumb drives -- to load automatically when inserted into Windows machines.

In its latest "Security Intelligence Report," Microsoft counted the number of threats detected by its anti-malware desktop products, and found that the Conficker worm, along with a Trojan horse program called Taterf which steals passwords and license keys for popular computer games, were detected on 5.21 million and 4.91 million Windows computers, respectively.

The original version of Conficker emerged nearly a year ago, and initially it spread by exploiting a networking vulnerability in Windows. But Conficker infections soared by the millions in January with the arrival of Conficker B, which introduced the ability to spread via the Autorun capability in Windows. Taterf spreads exclusively via Autorun.

Together, these two threats accounted for more than 35 percent of the top 10 malicious software infections in the first six months of this year, Microsoft found (click the chart below for a breakdown of those threats). According to the previous Security Intelligence Report, more than 17 percent of infections in the second half of 2008 were by malware that can spread via AutoRun.

[Chart: msir7.PNG]

In April, after the third version of Conficker became front-page news and even fodder for a feature story on 60 Minutes, Microsoft announced that its AutoPlay function would no longer support AutoRun for USB drives. Autorun is disabled for USB drives in Windows 7 (the new OS still automatically plays any inserted CDs and DVDs). In late August, Microsoft released a patch that similarly disables Autorun on Windows XP, Vista, Windows Server 2003 and Server 2008 systems.

However, this patch does not appear to have been pushed out through Microsoft's Automatic Updates or Windows Update, so if you'd like to install it, you'll need to visit this link and download the appropriate version for your operating system. Users who install this update will no longer receive a setup message that prompts them to install programs that are delivered by USB thumb drives. Wilders Security Forum has a nice writeup on this patch, and offers some harmless sample code to test whether your Windows box has this feature enabled.
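A quick way to check where a Windows box stands, as an added example that is not from the article or from the Wilders writeup: this PowerShell script reads the Explorer policy value NoDriveTypeAutoRun (documented in Microsoft KB article 953252, which a commenter links below) from both registry hives and decodes it per drive type, then looks for the HonorAutorunSetting value that the same fix introduced so the bitmask is actually enforced. The bit-to-drive-type mapping (one bit per Windows drive type, removable = 0x04, CD-ROM = 0x20) and the claim that an unset value leaves removable drives enabled are assumptions stated here, not something the article spells out.

```powershell
# Added example (not from the article): report the Autorun policy state on this machine.
# Assumed mapping: NoDriveTypeAutoRun is a bitmask with one bit per drive type; a set bit
# means Autorun is disabled for that type. Value names come from Microsoft KB 953252.
$DriveTypeBits = [ordered]@{
    0x04 = 'Removable (USB thumb drives, memory cards)'
    0x08 = 'Fixed'
    0x10 = 'Network'
    0x20 = 'CD-ROM/DVD (also U3 sticks that present themselves as a CD drive)'
    0x40 = 'RAM disk'
    0x80 = 'Unknown'
}
$PolicyKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutorunPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = "${hive}:\$PolicyKey"
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $mask = $item.NoDriveTypeAutoRun
        if ($null -eq $mask) {
            # Assumption: the OS default does not include the removable-drive bit.
            Write-Output "$hive : NoDriveTypeAutoRun not set (OS default applies; removable drives stay enabled)"
            continue
        }
        $mask = [int]$mask
        Write-Output ("{0} : NoDriveTypeAutoRun = 0x{1:X2}" -f $hive, $mask)
        foreach ($bit in $DriveTypeBits.Keys) {
            $state = if ($mask -band $bit) { 'DISABLED' } else { 'enabled ' }
            Write-Output ("    {0}  {1}" -f $state, $DriveTypeBits[$bit])
        }
    }
    # The bitmask alone is not proof: before the KB 953252 fix Windows could ignore it,
    # so also confirm the fix's HonorAutorunSetting marker is present and set to 1.
    $honor = (Get-ItemProperty -Path "HKLM:\$PolicyKey" -ErrorAction SilentlyContinue).HonorAutorunSetting
    if ($honor -eq 1) {
        Write-Output 'HonorAutorunSetting = 1: the NoDriveTypeAutoRun bitmask is enforced'
    } else {
        Write-Output 'HonorAutorunSetting missing: install the Autorun fix before trusting the bitmask'
    }
}

Get-AutorunPolicy
```

Setting the removable bit (0x04) or the whole mask to 0xFF under HKLM, then re-running the script, is the defender's counterpart to the Wilders test: the script shows the policy, the test confirms nothing launches on insertion.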

As a feature first introduced way back in Windows 95, Autorun had...well, a pretty good run, particularly considering how long malware has used it as a propagation method. Frankly, I'm surprised that Microsoft kept Autorun as the default option for as long as it did, given the company's Trustworthy Computing security initiative, launched in January 2002 with a memo from Chairman Bill Gates that memorably stated, "When we face a choice between adding features and resolving security issues, we need to choose security."

On a more positive note, Microsoft found that the number of infections associated with rogue security software fell to 13.4 million in the first six months of this year, down from 16.8 million in the latter half of 2008. Microsoft also tracked a tenfold decrease in infections from Zlob, a Trojan that masquerades as a video player plug-in. Redmond said Zlob infections fell from 21.1 million at its peak in 2007 to 2.3 million in the first half of 2009.

The key findings from Microsoft's Security Intelligence Report Version 7 are available here (PDF).

By Brian Krebs  |  November 2, 2009; 11:55 AM ET

Comments

"...the contents of removable media -- such as USB thumb drives -- to load automatically when inserted into Windows machines."

That simply isn't true.

As noted in a later paragraph, the risk here is the Autorun capability which requires the user to click on Ok before the malware can run.

I have installed Windows XP (with Service Pack 2 where the Autorun capability was introduced) dozens of times and the default action upon insertion of USB media is to display the Autorun dialog and ask for the user to approve an action. USB U3 drives are an exception as they present as a CD-ROM drive.

Posted by: fastoy | November 2, 2009 11:22 PM

@fastoy: "...the contents of removable media -- such as USB thumb drives -- to load automatically when inserted into Windows machines."

That simply isn't true."

You are correct for normal autorun programs, but there is AutoPlay used by Malware to silently execute with no prompts. I was able to make a harmless demo batch file that I use to verify that a system has been neutered. (Probably similar to the Wilders Security Forum test cited above).

Posted by: moike | November 3, 2009 8:34 AM

"(click the chart below for a breakdown of those threats)"

Nice try, Krebbs, if that's your real name ...

Posted by: gannon_dick | November 3, 2009 8:54 AM

You can always disable USB/removable drive autoplay, as per the Microsoft article http://support.microsoft.com/kb/953252

It's really a good thing to do security wise. There's really no reason that you NEED a CD or USB to automatically start something for you.

I've seen more autorun worms (and even Conficker) infect things like camera memory cards, iPods, smart phones, anything that can load as a removable storage device.

On our site, we even take it a step further and advocate disabling all unused ports, even USB ports. See here for more info:
http://www.sophos.com/security/best-practice/10-tips.html

Beth Jones

Posted by: bethjones | November 3, 2009 9:56 AM

It's not necessarily that simple. Conficker B and C actually disguised themselves in the auto-run 'pop-up' as other legitimate choices. A user could click on 'Take No Action' which could in fact be the malware itself. Selecting that choice would have run the program. The average user is not savvy enough to know better.

I've manually disabled auto-run/auto-loader on all my PCs since the feature was available. You used to have to edit the registry. With the influx of pirated media on the market, even seemingly legitimate CDs and DVDs can contain malware. I also use two different users. One with admin rights and another with standard user rights. This act alone will stop 95% of all malware from infecting your computer.

Posted by: akmzrazor | November 3, 2009 10:08 AM

AAhhh....sure is nice being a Mac guy now...more time to gloat....

Posted by: rbaldwin2 | November 3, 2009 10:31 AM

It doesn't matter if the OS is set to "autorun" when a pre-loader can do the same thing....

The only thing that helps protect other OS providers is simply HOW it is designed.

Windows is too closely intertwined with all the components to actually make secure... Thus the slow but inevitable push to cloud computing and Open Source Software within the government...

I don't think Gates got the memo yet... But he will..

Posted by: ProveMeWrong | November 3, 2009 11:59 AM

Is there any evidence that the "Trustworthy Computing security initiative" was anything more than spin ?

Posted by: washpost34 | November 3, 2009 1:54 PM

I have been in computer software development for a long time and I have a hard time with this article.

I can only assume that Auto Run allows for a software interrupt of the operating system and that hackers are exploiting this by simply sending the signals of the interrupt.

It would be nice if articles actually explained the problem instead of forcing readers to guess.

I hope that readers will correct me if I am wrong and provide an explanation of Auto Run as a threat.

Posted by: bsallamack | November 3, 2009 2:46 PM

fastoy wrote:

That simply isn't true.

As noted in a later paragraph, the risk here is the Autorun capability which requires the user to click on Ok before the malware can run.

----------------

You're mistaken. Windows does open a dialog box asking users what to do when certain media is inserted into the computer, but not always, and if a user clicks "always use this action," then Windows will autoplay whatever USB stick is inserted into the computer with no discrimination. But even if a user hasn't ticked that box, viruses on a USB stick are designed to infect as soon as the USB stick is inserted into the port, regardless of what the user does or does not push.

I've had a computer infected this way before, and the worm's reinstaller, combined with the feeble abilities of various anti-virus and anti-spyware programs to root the virus out, ultimately froze up Windows entirely so that it would not even boot, and I was left with no option except to reinstall. New rule: nobody puts any media into my computer. If they want to transfer a file to me, that's what e-mail or a file-sharing service is for. I don't need to lose a week of productivity on one of these worms loaded via USB sticks again.

Posted by: blert | November 3, 2009 3:55 PM

Another bad thing about the 'autoplay' function is that so-called legitimate vendors load junkware on USB sticks that it's really hard to prevent from running in Windows. I have a SanDisk USB memory stick that always starts some garbage program that I don't want to run. Whatever this junkware is (and I really don't care - I didn't ask for it and I don't want to deal with it), it also prevents my SanDisk USB memory stick from working in some of those photo printing kiosks. Great job SanDisk - you make your product not work for the primary use I intended it for!

I tried reformatting the drive in LINUX, but there is a hidden partition or something and the autoplay gets invoked anyways in Windows. Basically now I only use LINUX and don't worry about these things anymore.

Posted by: boboran | November 3, 2009 4:28 PM


With tons of viruses and assorted malware I'm surprised at how many people still buy and use Windows. http://www.techdictionary.com/resources/virusnews.html

Sure Linux and Mac aren't as popular, but since I have all my financial information on the computer I'd rather not take the chance and use Windows.

A pretty good Linux can be had at http://www.ubuntu.com -- Mac OSX is BSD UNIX with a nice GUI. But if everyone stopped using Windows then the criminals would go after Linux and Mac... keep buying Windows!

Posted by: kkrimmer | November 3, 2009 5:52 PM

Wow. It must be something in the water supply. Nobody can hold shift down anymore? Anyway.

> Nice try, Krebbs, if that's your real name
Oh goodness.

> You can always disable USB/removable drive autoplay
Yep! And then Windows is just as secure as any real operating system!

> I've seen more autorun worms (and even Conficker) infect things like camera memory cards, iPods, smart phones, anything that can load as a removable storage device.
You go, girl! ;)

> On our site, we even take it a step further and advocate disabling all unused ports, even USB ports.
But you will absolutely not advocate abandoning Windows, will you? Because that's your cash cow, isn't it?

> AAhhh....sure is nice being a Mac guy now...more time to gloat....
You'll get tired of it. You will never be able to help these people and you'll be so glad you don't have to deal with that nonsense anymore.

> Windows is too closely intertwined with all the components to actually make secure... Thus the slow but inevitable push to cloud computing and Open Source Software within the government...
Armchair theorists are amusing. Especially the uneducated ones.

> 'Is there any evidence that the 'Trustworthy Computing security initiative' was anything more than spin ?'
No. Were you expecting any?

> I have been in computer software development for a long time and I have a hard time with this article.
I've been in system engineering probably a lot longer and I love this article.

> I can only assume that Auto Run allows for a software interrupt of the operating system and that hackers are exploiting this by simply sending the signals of the interrupt.
You can't have been around for more than a few months if you don't know the answer to that.

> Another bad thing about the 'autoplay' function is that so-called legitimate vendors load junkware on USB sticks that it's really hard to prevent from running in Windows.
Oh goodness. Pandora's looking for wardrobe again.

> Basically now I only use LINUX and don't worry about these things anymore.
Congratulations!

> With tons of viruses and assorted malware I'm surprised at how many people still buy and use Windows.
You and about 50,000,000 others with IQs at orang-utan level or better.

> But if everyone stopped using Windows then the criminals would go after Linux and Mac... keep buying Windows!
Good point. Totally uneducated but still and all. It needs to be addressed. The answer: let them come. They won't get in. The pickings will be too slim to support the multibillion dollar industry they have today. They'll go back to protection, gambling, prostitution, etc. But it doesn't matter: just make sure you're not where they are. And make sure you're using a 'real' OS. Such as Unix. And you'll be fine. *Always*. Cheers.

Posted by: Rixstep | November 3, 2009 9:00 PM

Rixstep, please learn some humility and respect for your fellow human beings.

Posted by: bentleychan | November 3, 2009 10:34 PM

For Microsoft to be shipping an OS in 2009 that runs any code from a device upon insertion is crazy. Obviously you need to run the code *already within the OS* in order to perform the "mount" operation. But code, untrusted code, from the device is just insane.

If Microsoft won't fix this on their own then it really *is* time for regulatory intervention. After all, Microsoft's stupid actions, as leveraged by malevolent criminals, are costing us billions of dollars (our own direct losses through identity theft etc, U.S. government losses, and those of others worldwide). As things stand, Microsoft is the world's largest enabler of criminal enterprises. Think about it.

Posted by: vdev | November 3, 2009 11:34 PM

@vdev Thanks, you nailed it.

Not a week goes by without the user being reminded that habits - clicking insecure links, can be dangerous. Whence my previous comment. No OS, or the web itself is impervious to clever human deception, but enabling crime is something different, and the solution has nothing to do with Market Share.

Posted by: gannon_dick | November 4, 2009 12:50 AM

vdev... I'm with you, it's crazy.

I think though there's some serious confusion here with the comments. One, there's a group thinking that code isn't capable of being executed based on the fact that they're prompted to run or access the drive. That seems logical but isn't true because it appears Microsoft has never implemented this feature properly. Second, there are some that think that by going in and changing the system settings you're safe. I believe this has also been untrue because Microsoft didn't implement the disable feature properly. I don't even think the first patch they released worked entirely properly either. Here's a link about this info from the Security Now Podcast on the TWIT Network, with Steve Gibson. I don't always agree with Steve's analysis but when it comes to programming and the ins and outs of some of this software I think he knows his stuff.

Transcript:
http://www.grc.com/sn/sn-187.txt
Audio-Podcast:
http://media.grc.com/sn/sn-187.mp3

Brian the only thing I'm wondering about is the link you mentioned to a patch, to shutdown this feature, is it a sure fix? That is having resolved some of the issues before that were as I recall partial fixes that Microsoft issued.

Nice article BK.

Posted by: dward__ | November 5, 2009 11:34 AM

@dward -- yes, I know what you're getting at, because previous fixes were found to be half-baked, or in some cases the fix wouldn't take.

I would say this is about as close to a total fix as we're going to get from Microsoft. I should note, however, that Microsoft says in the notes for this latest update to disable autorun that this patch will do nothing to change the behavior of thumb drives that have their own firmware:

Some USB flash drives have firmware that present these USB flash drives as CD drives when you insert them into computers. These USB flash drives are not affected by this update.

This would almost certainly include U3 USB drives.

Posted by: BTKrebs | November 5, 2009 11:45 AM

© 2010 The Washington Post Company