 mysec Premium join:2005-11-29
reply to NickBrown Re: Blocking autorun
said by NickBrown: Yes, if you can find a way to tell Windows never to run an executable from (given types of) external media, that's great.
Several ways come to mind:
1) Software Restriction Policies
2) Run as Limited User
3) 3rd-party execution prevention (whitelist) program
said by NickBrown: On our network, though, our mission is generally to restrict as little as possible.
I understand your dilemma, having worked in an educational setting (not quite as many computers as your network, though).
Some faculty computers had Anti-Executable installed (whitelist protection), where it could be quickly disabled when the user wanted to install something. When enabled, no executable not on the whitelist could download or install from the web (remote code execution) or from any external media.
All lab computers have Deep Freeze.
---- rich
 NickBrown
join:2007-12-03
reply to mysec
said by mysec: At that point, Autorun.inf can run an executable, and AFAIK, that can not be blocked by any "official" means, at least in XP. It seems to me that this is a no-threat on a computer that has execution protection.
Yes, if you can find a way to tell Windows never to run an executable from (given types of) external media, that's great. On our network, though, our mission is generally to restrict as little as possible. We agonised over the deployment of the "IniFileMapping" hack because people who want to install s/w from CD now need to explore the CD to find the setup program. Some sites have officially disabled USB storage altogether (but I'll bet money that the IT people and the VIPs in the executive suite have a workaround).
 mysec Premium join:2005-11-29
3 edits | reply to NickBrown
Hello Nick,
From your blog:
quote: These worms pretty much all reproduce the same way, at least in terms of how they jump to and from PCs. They have an AUTORUN.INF file and an executable of some kind. When you put the stick in the PC, Windows finds AUTORUN.INF "automagically"... basically, the worm version will either run the executable immediately, or modify the Windows Explorer default behaviour so that the worm will run as soon as you open the stick by double-clicking on it. The executable will make a copy of itself...
And from your post above:
quote: At that point, Autorun.inf can run an executable, and AFAIK, that can not be blocked by any "official" means, at least in XP.
It seems to me that this is a no-threat on a computer that has execution protection.
---- rich
 NickBrown
join:2007-12-03
reply to shearer
said by shearer: If I apply the tweak in OP's post, does it mean other tricks like tweaking Autorun=0 and NoDriveTypeAutoRun keys are not necessary?
Probably. In any case, most of the other keys are per-user rather than per-PC, which is a pain, especially in a corporate environment with roaming profiles.
 NickBrown
join:2007-12-03
1 edit | reply to EGeezer
said by EGeezer: could the user protect against folder deletion by making it and a file within it password protected with a 3rd party utility?
I'm not sure what this would mean. You're dealing with the file system (presumably FAT of some kind on a USB stick) directly here. When you place your stick into an arbitrary computer, you can't guarantee that the computer is running any given utility.
Most viruses are probably not smart enough to delete a directory called Autorun.inf as opposed to deleting or overwriting a file with the same name, because they are separate OS calls. And a directory with a file in it potentially requires a recursive tree delete, which is even more code. Of course, if my workaround becomes popular, that's what viruses will start to do.
However, the other day we came across a virus (not memory stick related) called PE_CORELINK.C which created three files, one in %SystemRoot% and two in %SystemRoot%\System32\Drivers. (It used what I call a pseudo-rootkit to hide from the Windows API, and this pseudo-rootkit was implemented via a boot-time driver.) Anyway, we were able to block it by creating directories of the same name as the files which it creates, but we also had to put NTFS permissions on them so that the user context (in which the virus runs) didn't even have read access. So this virus was able to delete directories. (I don't know if we checked what happened if we put a file in the directory instead of setting the permissions.)
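The directory trick discussed in the post above, written out as an added PowerShell example. This is not Nick Brown's own script and is not taken from his blog; it assumes the stick is mounted at the drive letter passed in, that the caller accepts that an existing Autorun.inf file on it (which is what a stick worm leaves behind) gets deleted, and it uses an arbitrary marker file name inside the directory. As the post notes, a FAT stick offers file attributes but no NTFS permissions, so this raises the cost for malware rather than making the directory undeletable.

```powershell
# Added example (not from the thread): make Autorun.inf on a removable drive a
# non-empty directory, so a worm's "create or overwrite the file" call fails.
function Protect-RemovableDrive {
    param(
        [Parameter(Mandatory)] [string] $DriveLetter   # e.g. 'E'
    )
    $root = "${DriveLetter}:\"
    if (-not (Test-Path -LiteralPath $root)) { throw "Drive $root is not present" }
    $target = Join-Path $root 'Autorun.inf'

    if (Test-Path -LiteralPath $target -PathType Leaf) {
        # A real Autorun.inf *file* is the worm's dropper hook; clear any
        # ReadOnly/Hidden/System attributes so the delete is not refused.
        (Get-Item -LiteralPath $target -Force).Attributes = 'Normal'
        Remove-Item -LiteralPath $target -Force
    }

    if (-not (Test-Path -LiteralPath $target -PathType Container)) {
        New-Item -Path $target -ItemType Directory | Out-Null
    }

    # A directory with a file in it needs a recursive delete, not the single
    # DeleteFile call most droppers use. The marker name is an assumption.
    $marker = Join-Path $target 'placeholder.txt'
    if (-not (Test-Path -LiteralPath $marker)) {
        Set-Content -LiteralPath $marker -Value 'Autorun.inf is a directory on purpose.'
    }

    # Attributes only (FAT has no ACLs): a small extra hurdle, not access control.
    $attrs = [IO.FileAttributes]::ReadOnly -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    (Get-Item -LiteralPath $marker -Force).Attributes = $attrs
    (Get-Item -LiteralPath $target -Force).Attributes = $attrs
}

# $true only when Autorun.inf is a directory that is not empty.
# A stick carrying a real Autorun.inf file returns $false, which is the
# case worth noticing before you double-click anything on it.
function Test-RemovableDriveProtected {
    param([Parameter(Mandatory)] [string] $DriveLetter)
    $target = "${DriveLetter}:\Autorun.inf"
    if (Test-Path -LiteralPath $target -PathType Container) {
        return (@(Get-ChildItem -LiteralPath $target -Force).Count -gt 0)
    }
    return $false
}

# Usage:
#   Protect-RemovableDrive -DriveLetter E
#   Test-RemovableDriveProtected -DriveLetter E
```

Run the protect function on your own sticks once; run the test function on a stick of unknown origin before opening it, since a file where the directory should be means something has already written an Autorun.inf there.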
shearer Premium join:2002-06-18 Toronto, ON
reply to EGeezer
If I apply the tweak in OP's post, does it mean other tricks like tweaking Autorun=0 and NoDriveTypeAutoRun keys are not necessary?
EGeezer Premium join:2002-08-04
reply to NickBrown
Hi Nick,
Welcome to BBR, and thanks for the information and link! You have an interesting blog there.
In your follow-up tip where you create an autorun.inf folder and/or file, could the user protect against folder deletion by making it and a file within it password protected with a 3rd party utility? Seems that would prevent the hacker workaround, or at least make them have to add cracker code for the automated hack.
 NickBrown
join:2007-12-03
reply to EGeezer
Hi,
As the co-discoverer of the "blocking Autorun.inf" hack, I'm interested to see how far it has spread. See my original blog article at »nick.brown.free.fr/blog/2007/10/···rms.html.
The key point is that Autorun.inf allows much more than just "this program runs when you insert the media". Specifically, it allows the right-click menu in Explorer to be changed, and by extension, the default behaviour when you double-click a folder. At that point, Autorun.inf can run an executable, and AFAIK, that can not be blocked by any "official" means, at least in XP.
Since we applied this registry hack to all of our 1800 PCs, our rate of memory stick worm infection has dropped from 2 or 3 per week, to zero.
(If you can't apply this hack for some reason, consider protecting the stick itself, using the trick described in the next blog article from the one mentioned above.)
Nick
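An added PowerShell example of applying and checking the IniFileMapping hack that this post and the replies refer to. It is not code from Nick Brown's blog; it assumes that the mapping it writes (an Autorun.inf subkey under IniFileMapping whose default value is @SYS:DoesNotExist) is the one his article describes. The effect of that mapping is that every read of a file named Autorun.inf through the INI-file API is redirected to a registry key that does not exist, so Explorer never sees an [autorun] section, whatever the media type. It lives under HKLM, so roaming profiles do not matter, and writing it needs an elevated shell.

```powershell
# Added example (not from the thread): machine-wide IniFileMapping block for Autorun.inf.
# Assumption: key and value as published for this workaround; verify against the blog article.
$AutorunMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$DeadMapping   = '@SYS:DoesNotExist'   # "@SYS:" = look in HKLM\SOFTWARE\...; the key does not exist

function Enable-AutorunInfBlock {
    if (-not (Test-Path -LiteralPath $AutorunMapKey)) {
        New-Item -Path $AutorunMapKey -Force | Out-Null
    }
    # '(default)' addresses the key's unnamed default value.
    Set-ItemProperty -LiteralPath $AutorunMapKey -Name '(default)' -Value $DeadMapping
}

function Disable-AutorunInfBlock {
    # Removing the subkey restores normal Autorun.inf parsing (for when a
    # user really needs a CD's setup program to start automatically).
    if (Test-Path -LiteralPath $AutorunMapKey) {
        Remove-Item -LiteralPath $AutorunMapKey -Recurse
    }
}

function Test-AutorunInfBlock {
    if (-not (Test-Path -LiteralPath $AutorunMapKey)) { return $false }
    $value = (Get-ItemProperty -LiteralPath $AutorunMapKey).'(default)'
    return ($value -eq $DeadMapping)
}

Enable-AutorunInfBlock
if (Test-AutorunInfBlock) {
    'Autorun.inf is mapped to a nonexistent registry key; Explorer will ignore it on all drives.'
}
```

No reboot is needed for the mapping itself, but Explorer consults it per read, so media already inserted should be removed and re-inserted. The trade-offs reported in this thread still apply: users must browse a CD to find its setup program, and OZO notes an extra Explorer window opening on insert.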
  planet
join:2001-11-05 Olmsted Falls, OH
reply to norwegian
said by WCB: (launching an application without your interaction) can only work if the file resides on a CD/DVD or a media that emulates a CD media.
So, holding down the left shift key when inserting any removable media should prevent unwanted execution, correct?
And, thanks for a great read. I shift from being paranoid with this to not so paranoid. So far so good but ya never know.
  norwegian Premium join:2005-02-15 Outback
1 edit | reply to EGeezer
Not quite sure how to put this, but I was thinking, maybe this is an interesting thread on a topic that does need research.
With minimal time to research at the moment, I am curious why, in the past 3 months, Autoplay seems to run randomly at times, in not quite a standard fashion, meaning it will open a window when nothing is happening to my disk drives, floppy etc.
Is this a trait of something new, or just mishandling of my protection? Broken drivers?
Otherwise, I have enjoyed some real info for a change. Almost what it used to be here once.
Thank you.
Edit: Minor correction
  DRM Killler
@rr.com
reply to EGeezer
Another nice thing about Vista is that even if Autorun and Autoplay are enabled and you insert an infected device, Vista will ask you to approve any executable before running it. XP does not offer this protection. Since the OP was about Vista, the whole "auto anything" point is quite moot. If something executes upon insertion or clicking, just click "No", unless you were wanting or expecting an executable to infect your system with malware. That is why the "No" option in the prompt is available.
  Sindows 7
join:2006-09-13 Hope, BC
reply to EGeezer
That should do it.
  Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
reply to OZO
said by OZO: If you need to block autorun.inf from running on a temporary basis you do not need to run two reg files and make two relogins/restarts of WE in the process. Just press SHIFT key while you're inserting CD/DVD
True, but for some reason, I trust the reg file more than my finger on the shift key.
By the way, no restart is needed. I just click on the file and insert the CD/DVD.
 OZO Premium join:2003-01-17
reply to Wildcatboy
The value 0xB1 for the registry value NoDriveTypeAutoRun placed into the HKEY_LOCAL_MACHINE hive is working well (actually, as it should have been from the beginning, IMHO). It will block autorun.inf from automatic execution, but still change/modify the drive label, show the proper filesystem type (e.g. CDFS) in the Properties dialog box and provide the AutoPlay item in the right-click menu in WE (you will be able to execute it, if you need).
Wildcatboy - thanks for sharing
said by Wildcatboy: ... which is why I mentioned I kept the file on the desktop, only for when I need to insert an unknown and untrusted CD into the drive. In normal circumstances, I leave it enabled because I like the feature and I use it.
If you need to block autorun.inf from running on a temporary basis you do not need to run two reg files and make two relogins/restarts of WE in the process. Just press the SHIFT key while you're inserting a CD/DVD with autorun.inf and the file will be temporarily blocked from execution, yielding the same result as using the registry value above.
  Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON
reply to EGeezer
said by jmorlan: This setting also disables auto-insert notification so CDs will not refresh when a new CD is inserted, nor will they refresh when F5 is pressed.
Yes it does, which is why I mentioned I kept the file on the desktop, only for when I need to insert an unknown and untrusted CD into the drive. In normal circumstances, I leave it enabled because I like the feature and I use it.
OK, to answer the other questions as promised and to give you guys more ideas, here's another way around it.
Explorer uses the registry key to determine which drive should or should not recognize AutoRun.
And this is how the value of NoDriveTypeAutoRun is set. A little complicated, but bear with me. There are several drive types, and each has a bitmask and a Decimal / Hex value as follows:
Now, the base value is 128 and by default, in Windows 9x, bits 0, 2, 4 and 7 are already set. (Bit 7 is reserved for future drive types, hence the base value of 128.) So you have
128+1+4+16 = 149 = Hex 95
This disables the AutoRun function for DRIVE_UNKNOWN, DRIVE_REMOVABLE, and DRIVE_REMOTE (network drives) by default.
In Windows XP AutoRun is enabled for DRIVE_REMOVABLE (floppy, etc.), so you take the value of bit 2 (4) off of 149, which gives you 145 or Hex 91. I believe that's the default value in XP.
If you want to disable AutoRun for DRIVE_CDROM, just add 32.
145+32 = 177 = Hex B1
I could have just told you to set the value to 177, but that would have been too easy and you wouldn't know why. :) Now you can also experiment by adding or removing numbers to enable or disable AutoRun for other kinds of drives that you might have.
It will not affect MCN and your CD/DVD is still recognized each time you insert a new one; however, AutoPlay won't work and your CDs and DVDs won't start automatically.
Disclaimer: I don't have a CD with autorun.inf handy at the moment to test it, but the method should work. Give it a try if you like and let us all know how it goes.
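The bit arithmetic in the post above, as an added PowerShell example that is not Wildcatboy's own code. It encodes and decodes the NoDriveTypeAutoRun bitmask by drive type, reproduces the 0x95, 0x91 and 0xB1 values from the post, and reads the machine-wide value Explorer actually honours. The bit positions follow the DRIVE_* constants returned by GetDriveType(); the three types the post does not name (DRIVE_NO_ROOT_DIR, DRIVE_FIXED, DRIVE_RAMDISK) are filled in from the Windows SDK definition of those constants and are the only values here not on the page.

```powershell
# Added example (not from the thread): NoDriveTypeAutoRun bitmask helper.
# One bit per GetDriveType() drive type; a set bit means "AutoRun off" for that type.
$DriveTypeBit = [ordered]@{
    DRIVE_UNKNOWN     = 0x01   # bit 0
    DRIVE_NO_ROOT_DIR = 0x02   # bit 1: drive letter with no volume mounted
    DRIVE_REMOVABLE   = 0x04   # bit 2: floppy, USB stick
    DRIVE_FIXED       = 0x08   # bit 3: hard disk
    DRIVE_REMOTE      = 0x10   # bit 4: network share
    DRIVE_CDROM       = 0x20   # bit 5
    DRIVE_RAMDISK     = 0x40   # bit 6
    RESERVED          = 0x80   # bit 7: always set, which is the "base value 128" in the post
}

# Build a value that disables AutoRun for the named drive types.
function New-NoDriveTypeAutoRun {
    param([string[]] $DisableFor)
    $value = $DriveTypeBit.RESERVED
    foreach ($name in $DisableFor) {
        if (-not $DriveTypeBit.Contains($name)) { throw "Unknown drive type '$name'" }
        $value = $value -bor $DriveTypeBit[$name]
    }
    return $value
}

# Name the drive types whose AutoRun bit is set in an existing value.
function ConvertFrom-NoDriveTypeAutoRun {
    param([int] $Value)
    @($DriveTypeBit.Keys | Where-Object {
        $_ -ne 'RESERVED' -and (($Value -band $DriveTypeBit[$_]) -ne 0)
    })
}

# The arithmetic from the post
$win9xDefault = New-NoDriveTypeAutoRun DRIVE_UNKNOWN, DRIVE_REMOVABLE, DRIVE_REMOTE   # 149 = 0x95
$xpDefault    = New-NoDriveTypeAutoRun DRIVE_UNKNOWN, DRIVE_REMOTE                    # 145 = 0x91
$noCdrom      = New-NoDriveTypeAutoRun DRIVE_UNKNOWN, DRIVE_REMOTE, DRIVE_CDROM       # 177 = 0xB1
$allTypes     = 0xFF                                                                  # AutoRun off everywhere

foreach ($v in $win9xDefault, $xpDefault, $noCdrom, $allTypes) {
    $names = (ConvertFrom-NoDriveTypeAutoRun $v) -join ', '
    '{0,3} = 0x{0:X2}  AutoRun off for: {1}' -f $v, $names
}

# Where Explorer reads it. The HKLM policy value overrides the per-user one,
# which is why the thread prefers it on a network with roaming profiles.
# Writing needs an elevated shell; reading does not.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$current = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $current) {
    'No machine-wide NoDriveTypeAutoRun set; the per-user value or the Explorer default applies.'
} else {
    'Machine-wide value: 0x{0:X2} (AutoRun off for: {1})' -f $current, ((ConvertFrom-NoDriveTypeAutoRun $current) -join ', ')
}

# To apply the value the post arrives at (CD-ROM AutoRun off, MCN untouched):
# Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Type DWord -Value $noCdrom
```

Unlike the Services\Cdrom AutoRun=0 switch quoted elsewhere in this thread, this value leaves media change notification alone, so the drive label and file system still refresh on insert; what it stops is Explorer acting on the inserted media. As Nick Brown points out further up, it does not stop the other thing Autorun.inf can do, which is rewrite the drive's context menu and double-click action.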
hpguru Premium join:2002-04-12
reply to Wildcatboy
said by Wildcatboy: You don't need software to stop Autorun. I have a .reg file on my desktop like this:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000
Copy it to notepad, rename it to whatever.reg. In my case Autorun.reg. If I need to insert a CD or DVD, I just double click it. Autorun is disabled, insert the CD, examine it and if it's OK, I just change the dword to dword:00000001, save the file and double-click it again. Autorun is enabled again. As for disabling AutoRun for USB media, I really see no reason for it. I use the Autorun.inf extensively on my USB stick to create right click menus, have TrueCrypt automatically start and ask for password, etc... The only USB media that gets connected to my laptop is mine, so what's the point?
This is one solution, albeit a very good one. Another is Software Restriction Policy in whitelist mode. In your case you could create hash rules for TrueCrypt and any other programs you wish to run from your USB stick or other removable media, and this would save you from having to re-enable autorun every time you use those programs. Leave it enabled. Only the programs you have authorized will run.
 OZO Premium join:2003-01-17
1 edit | reply to jmorlan
That's exactly right. Setting AutoRun=0 blocks the Media Change Notification (MCN) message. Unfortunately, with the bad design of this feature in Windows, it leads to:
• WE doesn't change the icon and title (label) on the drive. It doesn't matter how many times I press F5 to refresh the drive...
• The Properties box shows "File system: Unknown" instead of e.g. CDFS
• The context menu on the drive (right-click menu) does not show the AutoPlay item (which is not important)
I do not see any reason why Windows can't read and show the disk label and its file system without executing the Autorun.inf file... It doesn't put the computer at any risk (compared with executing a program from that unknown CD/DVD).
As jmorlan has mentioned, it took a lot of time for me as well to find out why my drive stopped showing its label when I inserted a CD/DVD into it. AutoRun = 0 was the culprit.
Thus, with the current design, I need to keep MCN going in order to enable refreshing of the icon and title on the drive, while I need to disable just one particular feature: executing autorun.inf (which may start automatic execution of a program from the media). BTW, AutoPlay is not a problem here - it runs my local program, which doesn't contain any viruses/spyware etc.
And it looks like the solution to put a fake path for "Autorun.inf" in the "IniFileMapping" key is working so far. The only side effect is that when I insert a CD/DVD it opens an extra WE window for that drive (which I did not ask for), but it's a minor problem...
TE
join:2006-05-07 Brea, CA
reply to jmorlan
said by jmorlan: This setting also disables auto-insert notification so CDs will not refresh when a new CD is inserted, nor will they refresh when F5 is pressed. It took quite a while for me to figure out why explorer was showing the contents of the previous CD after a new one had been inserted.
OT - Reminds me of what we used to do to new techs in the department. We would cut pin 34 (DSKCHG) on the floppy cable/drive and see how long it would take them to troubleshoot and repair.
jmorlan Premium join:2001-02-05 Pacifica, CA
reply to Wildcatboy
said by Wildcatboy:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000
Copy it to notepad, rename it to whatever.reg. In my case Autorun.reg
This setting also disables auto-insert notification so CDs will not refresh when a new CD is inserted, nor will they refresh when F5 is pressed. It took quite a while for me to figure out why explorer was showing the contents of the previous CD after a new one had been inserted.
For this reason I leave that registry key set to "1" and disable autorun for individual drives using TweakUI. This leaves auto-insert notification functional while disabling autorun for those drives.
EGeezer Premium join:2002-08-04
reply to Wildcatboy
Interesting topic here: »Trojan Found In New HDs Sold In Taiwan