Thursday, August 27, 2009

Hooray!!! Autorun Problem Fixed...

Microsoft has at last released patches for Windows XP and Vista that restrict the AutoRun entries in the AutoPlay dialog to CD and DVD drives only …

 

·          Update for Windows XP (KB971029)

·          Update for Windows Vista (KB971029)

 

I had blogged previously about the upcoming AutoRun Patch that was supposed to be released by Microsoft to restrict the AutoRun feature for USB Removable drives:

 

http://maliciousbrains.blogspot.com/2009/04/update-to-disable-autorun-feature-for.html

 

A nice post about the AutoRun Menace and why Microsoft is willing to change the AutoRun feature was published in the MMPC Blog.

 

Windows Addresses the Changing AutoRun Threat Environment

 

Windows AutoRun Feature –

 

AutoRun is a Windows feature that reacts in a predefined way when certain media, such as CD/DVD-ROMs, are inserted into a drive. In Windows, AutoRun is handled by the Explorer.exe process. It was introduced with the growing number of multimedia presentations used by corporate users, students, media industry people and others in mind. Business cards, product presentations, business and project presentations, seminar presentations, and media and graphics demos for designers represent just a fraction of the areas where CDs/DVDs were extensively used. Recognizing these requirements, Microsoft made Windows smart enough to recognize and automatically execute the content of a CD/DVD whenever one was inserted. The whole point of the feature was to make it as easy as possible for users to enjoy the content of the CD/DVD even if they are oblivious of the actual file or program that launches it. AutoRun is enabled by default, but it can also be enabled or disabled manually.

 

How USB Removable Drives Became a “Threat”

 

Unfortunately, precisely because USB removable drives are so popular and so commonly used to transfer and share data between systems that are not connected to each other, have limited connectivity or are physically located at different places, they have become a prime target for attackers and malware authors, who use them very successfully as a medium for spreading infections from one system to another. Of late there has been a sharp rise in the amount of malware spreading through these USB mass storage devices. The moment you plug in a USB removable drive and try to access it, you might get infected. The reason for writing this article is to show how these infections traverse from one system to another and what we can do to stop the propagation of this USB malware.

 

Increasing trend of USB Infectors –

 

Symantec and many other antivirus vendors have observed a rapid growth in USB-infecting malware. Newer variants are detected in the wild almost every day, and given the frequency with which they arrive, it is becoming more and more troublesome for the antivirus companies to keep their signatures updated. Volume XIII of Symantec’s Internet Security Threat Report (page 56, Malicious Code Trends) describes the propagation mechanisms of this malware.

 

Method of propagation

 

These worms spread by copying themselves into the root of the system drive and also into the root of the removable drive. They also create an autorun.inf file with instructions that invoke the malware when the drive is accessed from My Computer/Windows Explorer.
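To check a drive for the pattern described above, the following added example (not code from the original post) parses an autorun.inf and reports every entry that starts a program, and whether the target file sits in the same root. The key names `open`, `shellexecute` and `shell\<verb>\command` are standard autorun.inf launch keys that the post itself does not list; the sample file content and the name `sample.exe` are constructed.

```python
import ntpath
import re
import tempfile
from pathlib import Path

# [autorun] keys that make Explorer start a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed sample, not taken from any real malware.
SAMPLE_INF = """\
;padding line
[AutoRun]
label=Constructed sample
open=sample.exe
shell\\explore\\command="sample.exe" -e
"""

def launch_entries(inf_text):
    """Return (key, command) pairs from the [autorun] section, skipping junk lines."""
    entries, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
        elif in_autorun and not line.startswith(";") and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()):
                entries.append((key.strip().lower(), value.strip()))
    return entries

def program_of(command):
    """File name of the program a command line starts (quoted or bare)."""
    first = command[1:].split('"', 1)[0] if command.startswith('"') else (command.split() or [""])[0]
    return ntpath.basename(first).lower()

def audit_root(root):
    """List launch entries in root/autorun.inf and whether each target sits in that root."""
    names = {p.name.lower(): p for p in Path(root).iterdir()}
    inf = names.get("autorun.inf")
    if inf is None or not inf.is_file():
        return []
    return [{"key": k, "command": c, "target_in_root": program_of(c) in names}
            for k, c in launch_entries(inf.read_text(errors="replace"))]

def demo():
    """Build a throwaway directory shaped like an affected drive root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "AUTORUN.INF").write_text(SAMPLE_INF)
        Path(root, "sample.exe").write_bytes(b"")
        return audit_root(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

An entry with `target_in_root` set to true on a USB drive matches the copy-plus-autorun.inf layout the paragraph describes and is worth inspecting before the drive is opened in Explorer.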

 

In general, these USB infectors may carry out activities such as:

·          Bypassing Windows Firewall

·          Downloading and dropping additional malware

·          Disabling Task Manager/Regedit/CMD

·          Disabling Folder Options

·          Spreading via unprotected network shares

 

Some other USB-infecting malware families are:

 

·          Worm:VBS/SillyFDC.F

·          Worm:Win32/SillyShareCopy.AC

·          Worm:Win32/Autorun.A

·          PWS:Win32/Wowsteal.ZE!inf

·          Worm:Win32/Nuj.A

·          Worm:Win32/Autorun.PH

·          Worm:Win32/Nhatq

·          Worm:Win32/Autorun.BO

·          Worm:Win32/Autorun.RA

·          Worm:AutoIt/Renocide.gen!A

·          Worm:Win32/SillyShareCopy.E

·          Worm:Win32/VB.CD

·          Worm:Win32/Emold.B

·          Worm:Win32/Slenfbot.ACP

·          Worm:Win32/Slenfbot.ACU

 

You can look up these and many more USB-infecting malware families on the Microsoft Malware Protection Center website. Complete descriptions of these USB infectors are available at: http://www.microsoft.com/security/portal

 

“Thanks MMPC”

 

Regards...

 

Rajdeep Chakraborty
Microsoft® MVP - Consumer Security
---------------------------------------------------------------------
http://www.malwareinfo.org
http://www.linkedin.com/in/rajdeepchakraborty
https://mvp.support.microsoft.com/profile=62F27767-F7D0-448F-84C7-F28501B6ECCB
---------------------------------------------------------------------