How Windows Autorun Can Autoinfect
Roger Grimes, InfoWorld
Nothing beats a USB port for convenience, whether you want to quickly transport a couple gigabytes of files for work, refresh the lineup on your MP3 player, or view the pictures from your recent trip to Boise. Unfortunately, USB ports also provide an overly convenient bridge for malware to creep from a portable media device onto an unsuspecting user's system. In fact, it seems nearly every client I visit these days has numerous computers carrying USB-infecting malware -- even trusted clients with otherwise stellar security histories. It's getting so bad that I'm scared to share USB keys with my clients.
The primary culprits here: Microsoft Windows' autorun and autoplay features for portable media devices (USB keys, USB hard drives, camera memory flash cards, and so on). To make users' lives easier, Microsoft coded Windows to seek and deploy autorun and autoplay files on removal media. A user connects his or her device, and the program it contains launches automatically, if so designed by the software developer. It's what allows a CD or DVD to start playing the moment it's inserted or a new software program's install routine to automatically commence.
[ Already infected by malware? Starting from scratch is the best course of action. | Are you up to snuff in your security regimen? Get your defenses in tip-top shape with InfoWorld's Security Boot Camp, a 20-lesson course via e-mail that begins Sept. 21. ]
Unfortunately, malware writers have co-opted autorun and autoplay to spread rogue code. An unsuspecting user inserts a portable media device containing the code, which is often invisible to the casual user. The malware then uses autorun and autoplay -- and maybe the desktop.ini file -- along with the hidden core malware program to pull off the overall exploit. The malware can then go on to infect the computer and network using other vectors, such as network shares, password guessing, and normal infection vectors, or it can stick to infecting removal media devices. Either way, it's not a good thing.
My recommendation: Protect your systems and your network by disabling the autorun and autoplay functionalities and by educating users on how to manually launch any needed program. Disabling this functionality has become easier and easier with each new version of Windows. It can be done using Group Policy or registry edits. In many cases, you might have to install an additional software hotfix to get all the needed disabling functionality.
Specifically, to disable the autorun functionality in Vista or in Windows Server 2008, you must have security update 950582 installed (security bulletin MS08-038). To disable the autorun functionality in Windows XP, Windows Server 2003, or Windows 2000, you must have security update 950582, 967715, or 953252 installed. (See Microsoft's Web site for more details. It covers what software fixes to install, if needed, and the related registry keys and group policies that can be configured.)
My friend Jesper Johannson has an excellent description -- and solution discussion -- of the problem, which I highly recommend.
Even if you fix your computers, you have to be careful as to where you stick your USB device. It's truly similar to sex advice: You are sharing your USB device with every USB device that has shared the same port.
Of course, it doesn't hurt to run antimalware software, even if it isn't 100 percent accurate, configured to autoscan all autolaunching code or inserted media devices.
Also, if I share my USB key, I always look for any added autorun.inf, desktop.ini, or newly appearing executable files. I configure Windows Explorer to show all files (hidden, system, and registered extensions) so that any hidden files are shown. You can disable USB ports (or any devices or ports) physically or by using Group Policy, registry edits, or third-party software. Last, check all your removal media to make sure they haven't been silently infected and you aren't spreading the disease.
Practice safe computing and disable autorun and autoplay -- so we can go back to fighting Internet-based malware.
Are your network defenses feeling a little flabby? InfoWorld's Security Boot Camp will whip your IT operation into shape in next to no time. Get Roger Grimes’ advice delivered to your in-box in a special, four-week e-mail-only course. Sign up now.