Two Approaches to Securing Autorun and AutoPlay in Windows
Protecting your Windows computer from Autorun/Autoplay security problems can be done the 'official' way -- or the safe way.
Way back when, Microsoft opted for convenience over security and Windows users have been sitting ducks ever since. I'm speaking of autorun/autoplay, a feature in Windows that lets programs run automatically when a CD or USB flash drive is inserted into a PC. For years now bad guys have been exploiting this to automatically infect PCs with malicious software.
Everyone knows this. What many Windows users don't know is that there are two different approaches to disabling autorun/autoplay.
There is a simple way and a complex way. There is a consistent way and one that varies depending on the version of Windows. There is an all-encompassing way and one whose design has holes in it. There is a foolproof way and one that has needed multiple patches. There is a consistent way and one whose design has changed over time. There is an easily understood way and one that no one fully grasps. There is a frequently written about way and one that is often overlooked.
There is, in a nutshell, a good way and a bad way.
The bad way is from Microsoft. The good way is from two people no one knows (myself included) - Nick Brown and Emin Atac.
What brings this up? Three things.
A recent article about autorun security problems in the Washington Post is chock full of statistics on how bad the problem remains. In particular, the Taterf worm, which spreads by exploiting autorun, was detected by Microsoft on 4.91 million Windows computers.
And, despite the plethora of articles on how Microsoft is making this all better, my latest PC, a netbook running Windows XP SP3, was vulnerable to autorun hacking even with all the latest patches installed.
Finally, Windows 7 introduces sufficient changes that everything written on the subject prior to October 2009 needs to be revised.
The Many Faces of Autorun and Autoplay
Part of the problem in understanding autorun/autoplay is that there are five aspects to it, yet we have only two words: autorun and autoplay. The language used insures mis-understandings about autorun/autoplay.
There are four ways that malicious software on a USB flash drive (thumb drive, pen drive, memory stick, etc.) can execute and infect a Windows computer:
- Run immediately and automatically. This is typically allowed only on CDs and DVDs, however, other external USB devices can appear to Windows as CDs and thus cause software to, literally, run automatically.
- Run via the Autoplay pop-up window by adding an entry to the list of options and making this malicious entry appear to be something that it is not.
- Run when the user double-clicks on the drive letter in My Computer (or Computer).
- Run via a modification to the context menu (the pop-up menu displayed when you right click on a drive letter). Malware can either add a new entry to the context menu or redefine the meaning of one the normal entries.
On top of this, bad guys can also modify the displayed volume label and icon for an external USB device, to try and entice a user into falling for one of the above tricks.
All the maliciousness is centered in a single file called autorun.inf. Nick Brown's registry update simply tells Windows not to process any autorun.inf files. The concept is elegant in its simplicity.
And, this is separate and distinct from the Autoplay feature of Windows. The autorun.inf file is an optional part of Autoplay.
Kicking the Autorun Tires
If a picture is worth a thousand words, then a live demo is worth many pictures. You can see and test the five aspects of autorun/autoplay using an autorun.inf file that I created back in January. For more, see my blog post about testing your defenses against malicious USB flash drives.
My sample autorun.inf file safely attempts to exploit all five aspects of autorun/autoplay. Simply adding it, and a copy of mspaint.exe, to a USB flash drive, turns the device into an autorun tester. With it, you can see which of the five aspects of autorun/autoplay a Windows computer is vulnerable to. It also gives you a baseline to test any attempts at disabling autorun.
If you are concerned about downloading files from strangers (good for you), autorun.inf files are plain text. You can open them in Notepad to see what programs they are attempting to run.