More on Autorun-Based Malware
Friday November 21, 2008 at 11:54 am CST
Posted by Lokesh Kumar
Earlier, my colleague Vinoo Thomas blogged about “The Rise in Autorun-Based Malware” and about a method of preventing such malware from executing that uses the gpedit.msc tool.
I briefly want to add a couple of points to this:
The Group Policy Editor (gpedit.msc) is a tool provided by Microsoft, and is used to modify various system settings. One such setting is the ability to turn off the autoplay feature.
Changes made using this tool eventually get applied in the Windows registry. For example, when a user modifies settings related to autoplay using the group policy editor, it will be reflected in the following location in the registry:
Now, here’s the interesting part. The Group Policy Editor is not available to users of Windows XP Home Edition. Those users would need to manually edit the registry, install TweakUI (a tool available in the PowerToys suite), or download a third-party tool to disable this feature.
Isn’t it odd that Microsoft makes a home user manually edit the registry to turn off this feature, yet it provides a tool for administrators using XP Professional?
I can understand the growing concern many are having with the use of removable devices. There is a known bug affecting the NoDriveTypeAutoRun registry value: changes made to this value can revert to its default.
Of course, the default value lets the autoplay feature function in all its glory.
All hope is not lost, though, as I managed to find a fix. Save the following text as a .reg file and import it into the registry. And, as always, remember to back up your registry before doing this.
Apparently, this registry value prevents Windows from taking actions based on the Autorun.inf file.
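Because the NoDriveTypeAutoRun value can silently revert, it is worth auditing it rather than setting it once and forgetting it. The following PowerShell script is an added example (not from the original post or McAfee): it reads the value from the machine and user policy keys, decodes the bitmask to show which drive types would still auto-run, and provides a function to set it to 0xFF (AutoRun disabled for every drive type). The function and variable names are this example's own.

```powershell
# Added example: audit and enforce NoDriveTypeAutoRun.
# The value is a bitmask of drive types for which AutoRun is DISABLED; 0xFF covers all of them.
$DesiredValue = 0xFF
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
# Meaning of each bit in the mask (the DRIVE_* type bits).
$DriveBits = [ordered]@{
    0x04 = 'Removable (USB, floppy)'
    0x08 = 'Fixed'
    0x10 = 'Network'
    0x20 = 'CD-ROM / DVD'
    0x40 = 'RAM disk'
    0x01 = 'Unknown type'
    0x80 = 'Unknown type'
}

function Get-AutoRunStillEnabled {
    # Returns the drive types whose bit is NOT set, i.e. where AutoRun is still allowed.
    param([int]$Mask)
    $DriveBits.Keys | Where-Object { -not ($Mask -band $_) } |
        ForEach-Object { $DriveBits[$_] } | Select-Object -Unique
}

function Test-AutoRunPolicy {
    # One result per policy key. An absent value means the OS default applies;
    # Windows XP's default is 0x91 (removable, fixed and CD-ROM drives still auto-run).
    foreach ($key in $PolicyKeys) {
        $current = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
                    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        $effective = if ($null -eq $current) { 0x91 } else { $current }
        $shown = if ($null -eq $current) { 'absent' } else { '0x{0:X2}' -f $current }
        [pscustomobject]@{
            Key          = $key
            Value        = $shown
            Compliant    = ($current -eq $DesiredValue)
            StillAutoRun = (Get-AutoRunStillEnabled -Mask $effective) -join ', '
        }
    }
}

function Set-AutoRunDisabled {
    # Writes 0xFF to both keys; the HKLM key needs an elevated session.
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord `
            -Value $DesiredValue -Force | Out-Null
    }
}

Test-AutoRunPolicy | Format-Table -AutoSize
```

Running Test-AutoRunPolicy on a schedule (or from a logon script) gives you a simple detection for the revert behaviour described above: any row with Compliant = False means the value has been reset and Set-AutoRunDisabled should be run again.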
If you are a McAfee VirusScan customer, you could create a custom Access Protection Rule to block the execution of files named autorun.inf. Many autorun worm variants are detected by McAfee as W32/Autorun.worm.dw.
Finally, Microsoft should implement this autorun feature (which is now exploited by malware) in a more efficient manner. My Ubuntu machine, which has Wine installed, can run Windows executables and has the same autoplay feature as Microsoft does, but with one BIG difference:
When a removable device with an autorun.inf file is inserted on my Ubuntu machine, it recognizes that the autorun.inf file is trying to run an executable and then asks for confirmation. Now, that’s what I call prioritizing the user’s security needs!!