Thanks for the clarification, very informative.
Going off updating registry...

-----Original Message-----
From: Ben Scott [mailto:[email protected]] 
Sent: Wednesday, January 28, 2009 5:44 PM
To: NT System Admin Issues
Subject: Re: Malware and USB flash drives (was: Bookmark management programs)

On Wed, Jan 28, 2009 at 11:33 AM, René de Haas <[email protected]> wrote:
> Shouldn't turning off autoplay prevent this spreading (not it becoming 
> infected of course)?

  You'd think so, but there are a number of issues with that.  One is
that turning off autoplay doesn't always turn off autoplay everywhere,
due to some truly craptacular design by Microsoft.  (Supposedly they
got it all fixed after a few tries, but I'm not trusting them with it
at this point.)  Another is that turning off autoplay just prevents
Windows from spontaneously starting software on disk-insert; it
doesn't prevent AUTORUN.INF from modifying the context menu or default
action for the drive object (icon).  Finally, it won't help you if
your FIREFOX.EXE (or whatever) has been modified by malware, or if you
mistakenly double-click an interesting looking icon that's actually
malware.

  I do recommend blocking AUTORUN.INF from being interpreted by
Windows.  That blocks several of the above vectors.  You can do this
with a single registry entry.  My detailed notes follow...


=== Concepts ===

AutoRun = media specified actions, menus, and/or appearances
AutoPlay = Windows searching media for actions to take

AutoRun is the dangerous one, because it does whatever the media says
to do.  If a disk says to execute a virus also on the disk, that is
what the computer will do.

As of this writing, AutoPlay is considered relatively safe.  AutoPlay
uses a list of file types and actions configured on the computer,
rather than on the media.  The AutoPlay actions included with a
"stock" install of Windows are believed to be safe ones, such as
viewing pictures or playing music.  Executing software on the media is
not one of the actions.  If a computer was previously compromised by
malware, it may be possible that a malicious AutoPlay action was added,
but if a computer was previously compromised it should not be
considered trustworthy anyway.

=== Recommended action ===

Completely block Windows from using the AUTORUN.INF file.

====== Implementation ======

Modify the registry as follows:

Create a new key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
Set the default value to: @SYS:DoesNotExist

====== How it works ======

Windows has a built-in facility to redirect any .INF file to a registry
location.  This was introduced by Microsoft as part of a strategy of
migrating from storing settings in .INF files to storing settings in
the registry.  In the above, we redirect any and all AUTORUN.INF files
to an invalid location.  Thus, any AUTORUN.INF file will no longer be
"seen" by the Windows AutoRun facility.

====== Limitations ======

Any malicious software present on a removable drive can still be
executed manually, if the user finds the .EXE itself and then
double-clicks it.  However, at least it will not *automatically*
execute.

=== Other methods ===

Various methods of altering AutoRun behavior in Windows are suggested
by Microsoft and third-parties.  In the opinion of this author,
completely blocking AUTORUN.INF (as described above) is the best
method.  Other methods of altering AUTORUN.INF may prevent Windows
from spontaneously taking an action when media is inserted, but they
may permit AUTORUN.INF to influence other areas of Windows.  In
particular, the AutoRun action may still be used if a user
double-clicks on the drive icon in Explorer.  Since most users will do
that to view the contents of any inserted media, that is almost as bad
as leaving AutoRun completely enabled.

=== References ===

This author first learned of the IniFileMapping method at the following:
Nick Brown's blog
23 October 2007
http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html

A good write-up on this topic has been published by the Canadian Cyber
Incident Response Centre:
Document ID: TR08-004
Document title: Disabling Autorun
Published: 22 Dec 2008
http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx

Microsoft Knowledge Base
Article ID: 155217
Title: How to Enable or Disable Automatically Running CD-ROMs
Summary: disables some (but not all) AutoRun behaviors for optical drives only

Microsoft Knowledge Base
Article: 953252
Title: How to correct "disable Autorun registry key" enforcement in Windows
Summary: Weaknesses in some AutoRun policy mechanisms; offers a hotfix
(software patch)

Wikipedia article: Autorun
http://en.wikipedia.org/wiki/Autorun

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
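The IniFileMapping change from the quoted message, as an added PowerShell example (not part of the original thread): it applies the registry entry and then audits that it actually took effect, so a fleet can be checked for drift. It assumes an elevated prompt and uses only the key path and value given above.

```powershell
# Added example: apply and verify the AUTORUN.INF IniFileMapping redirect.
# Run from an elevated PowerShell prompt; HKLM writes need admin rights.
$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$Expected = '@SYS:DoesNotExist'   # redirect target from the message above

function Test-AutorunInfBlocked {
    # Returns $true only when the key exists AND its (Default) value is the
    # redirect. A key that exists with a different value is still unprotected.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $false }
    $default = (Get-ItemProperty -LiteralPath $KeyPath).'(default)'
    return ($default -eq $Expected)
}

function Enable-AutorunInfBlock {
    # Create the key if missing, then set its unnamed (Default) value.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $KeyPath -Name '(default)' -Value $Expected
}

if (Test-AutorunInfBlocked) {
    Write-Output "AUTORUN.INF already redirected to $Expected; nothing to do."
} else {
    Enable-AutorunInfBlock
    if (Test-AutorunInfBlocked) {
        Write-Output 'Mitigation applied: AUTORUN.INF is now ignored by Windows.'
    } else {
        Write-Warning 'Registry write did not take effect; confirm the prompt is elevated.'
    }
}
```

Test-AutorunInfBlocked on its own is the useful audit piece: run it (or its equivalent) as a scheduled check and alert when it returns $false, since anything with admin rights can silently remove the key again.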

