Disabling 'Autorun' on USB and beyond. Need help. in Security

Re: NoDriveTypeAutoRun and NoDriveAutoRun

Tue, 27 May 2008 23:47:38 EDT

mysec : Yes - as noted here on WinXP SP1.

Re: NoDriveTypeAutoRun and NoDriveAutoRun

Tue, 27 May 2008 23:25:12 EDT

R2 : Sorry, can I back up a step? Tweak UI's NoDriveAutoRun seems to be as helpful as the "DoesNotExist" .reg file -- yet is does not require a reboot. Is that correct? Thanks.

Re: NoDriveTypeAutoRun and NoDriveAutoRun

Sat, 05 Apr 2008 14:45:15 EDT

OZO : You're right - White List protection surely may help. As well as advice do not click on drive in My Computer, open to the drive in Windows Explorer instead. But not everyone runs a special program that supports a White List and not everyone remembers the rule - do not open a drive from My Computer, which may be a common practice (though personally I never do it, I respect others opinions who do it and why not). I'd call all of these - additional layers of protection.

My point here is if the basic layer is broken - it should be fixed first. And solution should be simple like marking one check box in Folder Options dialog box (see my picture below):

[att=1]
--
Keep it simple, it'll become complex by itself...

Folder Options - Autorun

Re: NoDriveTypeAutoRun and NoDriveAutoRun

Sat, 05 Apr 2008 09:06:02 EDT

mysec :

said by OZO :

There is no disagreement!...

But, as you can see, I did emphasize the words "replaced" and did it for a purpose.

OK, I see your point.

By clicking on those items user expects that drive will be opened/explored by WE. But, instead of that, what he may get is an unexpected execution of a program from removable media. Just simple like that. And that's dangerous.

This is why White List protection will always prevent the unexpected execution of a program from any media or source. Simplest way is running as a Limited User. Other solutions involve security programs with Execution protection.

Other precautions when using unknown removable media:

1) Use TweakUI toggle the NoDriveAutorun setting for that drive. No Shell commands in the Autorun file will be executed.

2) Instead of clicking on the drive letter in My Computer, open to the drive in Windows Explorer, which is just a Tree View of My Computer. The contents of the drive highlighted in the left pane are displayed in the right pane. No right-context menu items are invoked.

You can create shortcuts to open to any directory/drive in Explorer View. Here, opening to D:\

%windir%\explorer.exe /e, D:\

The /e switch opens the drive in "expanded" or Tree View.

----
rich

Re: NoDriveTypeAutoRun and NoDriveAutoRun

Sat, 05 Apr 2008 03:19:38 EDT

OZO : There is no disagreement!

The behavior I've described is by design, so that the context menu can be customized by including Shell commands in the Autorun.inf file. I would not want that useful feature to be "discarded" as well. But, as you can see, I did emphasize the words "replaced" and did it for a purpose.

If a malware is able to replace two well known menu items that I've mentioned - user is in potential trouble. By clicking on those items user expects that drive will be opened/explored by WE. But, instead of that, what he may get is an unexpected execution of a program from removable media. Just simple like that. And that's dangerous.

That's why I said that the functionality must be fixed. There should be a protection from 'replacement' those well known menu items by autorun.inf file.
--
Keep it simple, it'll become complex by itself...

Re: NoDriveTypeAutoRun and NoDriveAutoRun

Sat, 05 Apr 2008 02:36:28 EDT

mysec :

said by OZO :

--- With "NoDriveTypeAutoRun"=dword:ff
1) notepad.exe is not launched automatically when I insert CD/DVD with autorun.inf (see its content below)
2) notepad.exe is launched when I made click on My Computer | E: which is completely unexpected
3) notepad.exe may be started by clicking on replaced "Open" menu item (user doesn't want that)
4) notepad.exe may be started by clicking on replaced "Explore" menu item (user doesn't want that)

Cases #2 - 4 must be fixed by the developer of the OS !

I disagree: The behavior you describe is by design so that the context menu can be customized by including Shell commands in the Autorun.inf file. I would not want that useful feature to be "fixed!"

----
rich

Re: NoDriveTypeAutoRun and NoDriveAutoRun

Sat, 05 Apr 2008 02:25:45 EDT

OZO : Thanks

Re: NoDriveTypeAutoRun and NoDriveAutoRun

Sat, 05 Apr 2008 02:24:28 EDT

mysec :

said by OZO :

Unfortunately you did not mention what was the data set for the value "NoDriveTypeAutoRun" in your last test. And this is important to interpret the test results.

Last test (4) - same as Test 2,3:

CD/DVD drive enabled, Removable Drives disabled in TweakUI, dword value = 95

I just now included this with the tests.

Other settings in TweakUI:

Both CD/DVD and Removable drives enabled, dword value = 91.

With CD/DVD disabled and Removable Drives enabled, dword value = b1

With both disabled, dword value = b5

Re: NoDriveTypeAutoRun and NoDriveAutoRun

Sat, 05 Apr 2008 01:49:20 EDT

OZO : Unfortunately you did not mention what was the data set for the value "NoDriveTypeAutoRun" in your last test. And this is important to interpret the test results.

I've repeated the test similar to yours (actually the same I've done before my post here) and here are my results:

--- With "NoDriveTypeAutoRun"=dword:ff
1) notepad.exe is not launched automatically when I insert CD/DVD with autorun.inf (see its content below)
2) notepad.exe is launched when I made click on My Computer | E: which is completely unexpected
3) notepad.exe may be started by clicking on replaced "Open" menu item (user doesn't want that)
4) notepad.exe may be started by clicking on replaced "Explore" menu item (user doesn't want that)

Cases #2 - 4 must be fixed by the developer of the OS !

--- With "NoDriveTypeAutoRun"=dword:91 (default for WXP2)
1) notepad.exe is launched automatically when I insert CD/DVD with autorun.inf (see its content below) - as expected.
The rest of results are the same as above.

Here is content of autorun.inf file:

Here is the picture:
[att=1]

In this test I was using only "NoDriveTypeAutoRun" value placed in this key:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]

I do not modify / use "NoDriveAutoRun" value.

And finally, because I do not block interpretation of autorun.inf file I'm able to see new drive label (see picture above), as well as its new icon (from notepad.exe in this case) and have all new menu items in context menu. Which is the way it should be.

--
Keep it simple, it'll become complex by itself...

AutoRun

Re: NoDriveTypeAutoRun and NoDriveAutoRun

Sat, 05 Apr 2008 01:18:17 EDT

Blackbird :

said by mysec :

...
Conclusions
1) Scott Dunn's statement that both keys can be overridden is not correct.
2) While Nick Brown is correct with regard to the NoDriveTypeAutoRun key being overridden, it would seem that a device plugged in for the first time would not be vulnerable to this.

Also, he omitted mentioning the NoDriveAutoRun tweak which effectively blocks the AutoRun.inf file from running in any case.
...

Thank you for your tests - excellent documentation and careful reasoning! While there are probably unknowns and untested issues, it is encouraging to see Mountpoints2's Autorun Status value changing when you do the NoDriveAutoRun setting in TweakUI... at least something is communicating between TweakUI and that key, and your test results indicate the "something" has to do with blocking autorun.

I agree that the NoDriveAutoRun key isn't mentioned in Brown's blog... possibly the similarity between the two key names (NoDriveAutoRun and NoDriveTypeAutoRun) has created confusion for people.

Regarding your #2 Conclusion... sneaker-net situations (like my friend's, in the 3rd World country) do exist all too often. And in those situations, frequently a given flashdrive will move back and forth as a simple transport device for collaboration/review of documents. So if computer A is 'clean' and places a document on a freshly-"installed" flashdrive, if that flashdrive moves into an infected computer B for editing the document, the flashdrive will become infected. Then when that flashdrive moves back into computer A, an autorun.inf infection would do an end-run around the NoDriveTypeAutoRun reg setting via the MountPoints2 over-ride behavior. While initial protection would be afforded by the NoDriveTypeAutoRun key setting, subsequent exposures to the later-infected flashdrive's autorun would occur. This is the exact usage situation my friend is having to deal with: a flashdrive is moving back and forth between them and government ministry computers.

The IniFileMapping key fix will evidently block all autoruns from occurring. Now I'm increasingly confident that your TweakUI approach will work effectively as well on specific drives, based on your tests and your pointing out the 2-key error Dunn made about Brown's work in his (Dunn's) writeup. Particularly, your TweakUI NoDriveAutoRun approach offers the clear advantage of ease-of-use and re-setability. And certainly, white-listing (as I'm coming to understand it) will totally block this and a lot of other problems.

This has been a very enlightening thread thus far, and it's begun to dispel a lot of confusion I'd retained from earlier threads. My appreciation goes out to Shriyash as well for his original post!
--
If God wanted us to work with electrons, He'd make them big enough to see...

Re: NoDriveTypeAutoRun and NoDriveAutoRun

Fri, 04 Apr 2008 23:58:56 EDT

mysec :

said by OZO :

It's interesting to know how a new and/or old USB drive is treated by OS. Is an info from a drive is collected and kept (and for how long) in "MountPoints2" subkey? Will autorun.inf file be interpreted by WE? There is no doubt that all of this is interesting to know.

Thanks for your comments and insights.

I don't know the answer to that - it may depend on a lot of things. Because of the uncertainty, I would not depend on consistent action here for security of any kind.

said by OZO :

The way I see it - there should be guaranteed way that blocks any automatic execution of a program from removable media. And - is it an old media or a new one, is it USB or CD/DVD, is it drive F:, drive G: or drive Z: - all it doesn't matter. If you agree with setting that simple goal, let's find the way.

I've said before that Autorun.inf, iFrame, .ani (animated cursor), etc... have this in common: to run a program by remote code execution.

Each has a "fix":

Autorun.inf by disabling Autorun by some tweak or other

iFrame by patch from MS, or browser tweak

etc...

I would never depend on these as a last line of defense. Too many things can go wrong. Settings become changed, etc. Especially if more than one user on the computer.

Besides, what about the next new remote code execution exploit that is zero-day for a period of time? Remember the .wmf explolit?

The only sure-fire protection is White Listing,where no executable not White Listed can run. Period.

Using a TrendMicro analysis of a pendrive Autorun.inf exploit, I happened to get the trojan downloader file from another person to test.

Here is the Autorun.inf file:

I put it along with the trojan file on a CD and let it Auto Run:

_________________________________________________________

This is the only way that, to use your phrase. I would guarantee blocking any automatic execution of a program from removable media. Or from any other source.

----
rich

Re: NoDriveTypeAutoRun and NoDriveAutoRun

Fri, 04 Apr 2008 22:38:44 EDT

OZO : mysec - you're doing great job testing autorun functionality and thank you for sharing your results with us. It's interesting to know how a new and/or old USB drive is treated by OS. Is an info from a drive is collected and kept (and for how long) in "MountPoints2" subkey? Will autorun.inf file be interpreted by WE? There is no doubt that all of this is interesting to know. But I think the most important thing (at least for this forum) is to focus on just one thing particularly - will WE/OS allow an unexpected automatic action (like giving control to an application from USB or CD/DVD) without prior user consent or there is a sure way to protect user from this action?

The way I see it - there should be guaranteed way that blocks any automatic execution of a program from removable media. And - is it an old media or a new one, is it USB or CD/DVD, is it drive F:, drive G: or drive Z: - all it doesn't matter. If you agree with setting that simple goal, let's find the way.

What is not important in pursuing the goal (and therefore should be discarded from investigation):
1) user makes a double click on unknown program in removable media effectively starting it;
2) WE interprets autorun.inf file and changes menu by adding new item(s) allowing user to execute program from removable media by clicking on the item.

In all cases above user can make a deliberate decision to run an application and it's his responsibility to run anything he wants. We should not be concerned about it.

From this perspective interpretation of autorun.inf file by WE is not an evil that we should be fighting against. The only thing from that interpretation that should be certainly blocked is automatic way of starting a program (particularly the lines with 'open=' or 'shellexecute=' or similar statements). Again, changing drive label, changing its icon, adding new menu items that may be done via autorun.inf file - it's not a problem at all (at least to me). The only exception is one dangerous case of substituting old "Open" and/or "Explore" menu item(s) that may be potentially dangerous (due to unexpected action in this case). See my post for more details on how to do this. But interpretation of autorun.inf file itself is not a problem.

If we narrow our focus - it'd be easier to achieve the goal - to make our computers more secure. Do you agree with that?
--
Keep it simple, it'll become complex by itself...

Re: NoDriveTypeAutoRun and NoDriveAutoRun

Fri, 04 Apr 2008 21:40:12 EDT

HA Nut : mysec: Thanks for the test! This is why this site is such a great resource! :)

NoDriveTypeAutoRun and NoDriveAutoRun

Fri, 04 Apr 2008 20:43:41 EDT

mysec :

said by Shriyash :

Thanks for posting this link EGeezer.
»windowssecrets.com/comp/071108

Scott Dunn writes in the Windowssecrets newsletter,

You might think that you could protect yourself from AutoRun by using two keys in the Registry known as NoDriveAutoRun and NoDriveTypeAutoRun.

However, self-described "low-budget hacker" Nick Brown points out that these keys can be overridden.

A careful reading of Nick Brown's blog reveals he mentions only NoDriveTypeAutoRun.

Here is the pertinent stuff from the blog:

Now, in theory you can prevent certain drive types from executing the contents of their AUTORUN.INF files using a registry value (NoDriveTypeAutoRun). But... a little-known registry key called MountPoints2 contains cached information about every memory stick or other removable device which your PC has ever seen, and that overrides the NoDriveTypeAutoRun value if you insert a volume which the PC already knows about.

I decided to investigate this further.

Test 1

I plug in one of my USB backup drives with AutoRun enabled for all media.
(NoDriveTypeAutoRun dword value = 91)

I have an AutoRun.inf file on the drive which customizes the context menu. Here is the entry in the Mountpoints2 Key in the Registry which Nick Brown refers to. Note the _AutorunStatus value:

______________________________________________________________

The Shell commands configure the context menu:

______________________________________________________________

Test 2

I unplug the drive, reboot, and configure NoDriveTypeAutoRun
using TweakUI: My Computer|Autoplay|Types
to disable Removeable Media. (dword value = 95)

I plug in the drive and I get the same result as in Test 1: Nick Brown is correct: the PC has cached information about this drive which overrides the NoDriveTypeAutoRun setting.

Test 3

Same as Test 2 but I configure NoDriveAutoRun using TweakUI: My Computer|AutoPlay|Drives
to uncheck my USB drive.

I plug in the drive, the AutoRun.inf file does not execute, and, the _AutorunStatus value has changed:

____________________________________________________________________

My context menu has not been customized:

____________________________________________________________________

Repeated tests show the same results. With NoDriveAutoRun configured to uncheck that drive, the Autorun.inf file cannot be read by the PC.

Back to Nick Brown's statement:

...if you insert a volume which the PC already knows about.

What about a drive that the PC has not seen.

Suppose you purchase a digital picture frame, or a pendrive which is infected. What happens when you plug it in for the first time?

Test 4

With NoDriveTypeAutoRun configured to disable removeable media (dword value = 95), I plugged in a new Pen Drive, the drive folder did not open automatically, and nothing was written to it's key in Mountpoints2. To me, this makes sense, since there is no prior cached information on this drive.

More testing with different devices needs to be done to confirm this.

(I did not investigate the known bugs associated with NoDriveTypeAutoRun)

Nonetheless, configuring NoDriveAutoRun to uncheck that drive letter blocks in all cases.

Conclusions

1) Scott Dunn's statement that both keys can be overridden is not correct.

2) While Nick Brown is correct with regard to the NoDriveTypeAutoRun key being overridden, it would seem that a device plugged in for the first time would not be vulnerable to this.

Also, he omitted mentioning the NoDriveAutoRun tweak which effectively blocks the AutoRun.inf file from running in any case.

(These assertions are welcome to challenge if someone can create a situation in which they fail).

3) In the corporate world, I agree that Nick Brown's Registry Tweak

@="@SYS:DoesNotExist"

is preferable, for the reasons he lists.

For the home user who normally enables Autorun, TweakUI provides a quick way to toggle the NoDriveAutoRun settings if desired when using unknown CDRom or removeable media.

----
rich

Re: Disabling 'Autorun' on USB and beyond. Need help.

Thu, 03 Apr 2008 13:18:26 EDT

Name Game : as a review...

Discovered: January 19, 2004
Updated: February 13, 2007 12:16:26 PM
Type: Trojan Horse, Worm, Virus
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Symantec antivirus products exclusively use the virus name Bloodhound.Packed when a potentially unknown virus is found using Symantec Bloodhound technology. Bloodhound technology consists of heuristic algorithms used to detect unknown viruses. The actual file detected under Bloodhound.Packed is likely to be infected with a new, packed, 32-bit Windows virus.

Bloodhound.Packed is detected only in Portable Executable (PE) files. Bloodhound.Packed can detect any threat within a packed file.

What are Portable Executable (PE) files?
Portable Executable (PE) files are files that are portable across all the Microsoft 32-bit operating systems. The same PE-format executable can be executed on any version of Windows 95, 98, Me, NT, 2000, and XP. All the PE files are executable, but not all the executable files are portable.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/

Re: Disabling 'Autorun' on USB and beyond. Need help.

Thu, 03 Apr 2008 12:36:21 EDT

Name Game :

said by EGeezer :

I note in the bloodhound.packed.jmp issue, the infected user was running a security suite. You and I remember the days when viruses were spread by sneakernetting diskettes. Unfortunately, despite all the progress in fancy GUIs, slick effects in operating systems, snazzy web pages and massive security "suites", Sneakernet still works.

Exactly..and this bloodhound.packed.jmp with the auto crap is coming on strong...This is only our hijackthis help forum look..
»gladiator-antivirus.com/forum/in···orum=170

and so many of the new posts for help are about this one.

I have not seen a badboy come on this strong for a while and I think as you and others have pointed out..it is only the tip of the iceberg and it will soon come to a theatre near you. :(

It is of course that packer those suite have to start understanding if the want their users to stop being infected. But once the stuff is on a public system..or on those USB drive storage devices..then even the innocent users are whacked and spreading joy through out the land.

--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/

Re: Disabling 'Autorun' on USB and beyond. Need help.

Thu, 03 Apr 2008 11:53:17 EDT

EGeezer : I note in the bloodhound.packed.jmp issue, the infected user was running a security suite. You and I remember the days when viruses were spread by sneakernetting diskettes. Unfortunately, despite all the progress in fancy GUIs, slick effects in operating systems, snazzy web pages and massive security "suites", Sneakernet still works.
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )

Re: Disabling 'Autorun' on USB and beyond. Need help.

Thu, 03 Apr 2008 11:41:15 EDT

Shriyash : Im just thankful that as always,
the knowledgeable folks here at DSLR came to help me out,lol :D

Re: Disabling 'Autorun' on USB and beyond. Need help.

Thu, 03 Apr 2008 11:22:27 EDT

Name Game : Yup...

I hope the College Library PC's also feel the same. :(

Thanks for your thread Shriyash

Re: Disabling 'Autorun' on USB and beyond. Need help.

Thu, 03 Apr 2008 11:12:28 EDT

Shriyash :

said by Name Game :

Now he is finally asking the right questions after his PC was cleaned..

Yes, and i hope he will soon breathe easy,
as discovering the NoAutoRun.reg solution is just a click away for him!
--
Alex Jones Bullhorning Bilderberg.
»www.jonesreport.com/articles/211···erg.html

Re: Disabling 'Autorun' on USB and beyond. Need help.

Thu, 03 Apr 2008 10:54:11 EDT

Name Game : Case history in progress>>>

Another bloodhound.packed.jmp issue, Cannot access hidden files and hard drive
»gladiator-antivirus.com/forum/in···ic=70868

Now he is finally asking the right questions after his PC was cleaned..

Questions:

After a computer scare, I have been hesitant to use my USB on my computer, since the computer obtained a virus around the time I used the USB on the computer. Whether it was the USB or not, I don't know. Now, here's the problem: I have University assignments INSIDE the USB. My question is: Do USBs infect computers by putting them in the hard-drive slot, or does the outbreak occur when opening a file within the USB? (Powerpoint presentations and Word documents)

I need to know this, so I can confirm whether I'll have to schedule time at the library to work solely on the computers there. If it's the latter case (preferably), then I can insert it and then scan it and fix the USB (somehow) before really opening up and continuing to work on my projects.

I'm not asking for a solution, since I don't have a problem (per se). I just need to know when EXACTLY do infected USB drivers affect computers (upon insertion or upon opening a file inside the USB)?

Greatly appreciate any help!

»gladiator-antivirus.com/forum/in···=201462&
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/

Re: Related articles

Thu, 03 Apr 2008 10:43:55 EDT

planet : mysec, thanks for further discussion regarding TweakUI. I am using it now to disable autoplay on specific drive letters and drives themselves. I also typically run in a limited user account which is a further safeguard. I don't intend to use the reg tweak at this time myself.
:)

Re: Related articles

Thu, 03 Apr 2008 10:19:24 EDT

mysec :

said by OZO :

If you apply it [The IniFileMapping\AutoRun.inf key] - you'll lose the ability to: ...

Also, it's a "sticky" fix - that is, you can't just merge a .reg file to remove the key - you have to also reboot - not convenient for those who want to block AutoRun only for unknown devices and leave it to work for normal operations.

The TweakUI settings can be toggled w/o a reboot.

said by Blackbird :

There seems to be a number of things that affect the vulnerability of a computer to autorun-related malware. Obviously, Brown and Dunn seem to think there's a way for the MountPoints2 key to over-ride other settings. Your experience seems to show otherwise. It's never easy, is it? :huh:

It's wise to do your own testing, when possible.

Dunn just quotes Brown - he didn't do any testing to confirm.

Brown didn't give details or screenshots to explain what he means.

said by Blackbird :

I guess I need to dig more deeply into the whitelisting approach... though I'm not sure how easy that will be for them to acquire and install where they are.

A simple way would be to run as Limited User, where no executable not already on the computer can install.

Also, programs using White Listing can be downloaded/installed from the internet. See the other anti-malware software thread at Wilders Forums for discussions of products.

----
rich

Re: Disabling 'Autorun' on USB and beyond. Need help.

Thu, 03 Apr 2008 03:33:27 EDT

Blackbird :

said by mysec :

I read both the article and blog when they appeared. I've tested many times with my XP laptop and have never found the mountpoints2 entries to stick once the CD is removed from the drive, or USB drive unplugged.

Nick doesn't elaborate on the cache setting, so I don't know what he is referring to.

Regarding your friend: is he concerned about his own computer, or government computers?

If his own, just install a White List execution prevention program and he's safe.

----
rich

It's their own computer they're trying to protect. They've been attacked 3 times in recent days, and there's a concern that sooner or later their AV may not hold against the flood... the most recent attack was related to an autorun-triggered Win32/PSW virus varient that only made it onto their AV's signature list three days or so before the attack occurred.

There seems to be a number of things that affect the vulnerability of a computer to autorun-related malware. Obviously, Brown and Dunn seem to think there's a way for the MountPoints2 key to over-ride other settings. Your experience seems to show otherwise. It's never easy, is it? :huh:

I guess I need to dig more deeply into the whitelisting approach... though I'm not sure how easy that will be for them to acquire and install where they are.
--
If God wanted us to work with electrons, He'd make them big enough to see...

Re: Related articles

Thu, 03 Apr 2008 03:30:25 EDT

OZO :

said by Shriyash :

said by mysec :

1) The IniFileMapping\AutoRun.inf key which tells Windows that AutoRun.inf file does not exist

Got it. :)
...

It may be the only reliable solution (and you may just forget about the rest of the others if you use this one), but there is one drawback that stops me from using it.

If you apply it - you'll lose the ability to:
1) see a new drive label (potentially defined within AutoRun.inf)
2) see a new icon (potentially defined within AutoRun.inf)
3) see new context menu items (potentially defined within AutoRun.inf)
4) (and most importantly!) - run that startup program when you need it and you're confident that it's a legitimate one (eg. Windows OS or Office setup disk).

Applying the registry change ("NoDriveTypeAutoRun" value) would be the right solution in case if m$ wanted to fix the known potential problems with it. :) I just hope it will happen some day...
--
Keep it simple, it'll become complex by itself...

Re: Disabling 'Autorun' on USB and beyond. Need help.

Thu, 03 Apr 2008 03:21:03 EDT

anon : asd

Re: Disabling 'Autorun' on USB and beyond. Need help.

Thu, 03 Apr 2008 03:20:53 EDT

mysec : I read both the article and blog when they appeared.

Nick refers to the NoDriveTypeAutoRun key but not the NoDriveAutoRun key.

I've tested with the latter and have not found it to be overridden.

Regarding your friend: is he concerned about his own computer, or government computers?

If his own, just install a White List execution prevention program and he's safe.

----
rich

Re: Disabling 'Autorun' on USB and beyond. Need help.

Thu, 03 Apr 2008 03:15:04 EDT

Blackbird :

said by mysec :

My conclusions:
...
2) TweakUI to disable the drive if you want to prevent the drive from executing the AutoRun.inf file.
...

Question: do you or anyone else know for sure if the TweakUI settings persist in spite of the MountPoints2 key possibly over-riding various Windows settings, as Nick Brown noted in EGeezer 's »Blocking autorun link and Scott Dunn referred to in Shriyash 's »windowssecrets.com/comp/071108 link? I've got a friend in a 3rd-World country who's wrestling right now to protect against USB-drive malware that keeps appearing on flashdrives being exchanged with government ministries... govt malware protection is virtually non-existent there. Some of these drives pass back and forth multiple times, so if MountPoints2 stored data over-rides other settings and allows autorun.inf to run on a USB drive that's been plugged into their computer before, that presents a real threat to using TweakUI or similar in that locale. Using the IniFileMapping\AutoRun.inf reg-fix EGeezer noted above would probably be their only simple answer... but I'd really like to know for sure.
--
If God wanted us to work with electrons, He'd make them big enough to see...

Re: Related articles

Thu, 03 Apr 2008 03:05:03 EDT

Shriyash :

said by mysec :

For those wanting to block the AutoRun.inf file from executing, there are two sure ways, to recap:

1) The IniFileMapping\AutoRun.inf key which tells Windows that AutoRun.inf file does not exist

2) Using TweakUI to disable the drive from Auto-running anything.

Got it. :)

Re: Disabling 'Autorun' on USB and beyond. Need help.

Thu, 03 Apr 2008 02:42:48 EDT

mysec :

said by planet :

said by mysec :
With the drive disabled in TweakUI for WinXP the AutoRun.inf file will not do anything.

I'm not sure I understand this. Doesn't TweakUI only disable autoplay on the drive? TweakUI isn't disabling the drive? So, wouldn't autorun still be an issue? If you are correct then using Tweak UI is the simplest solution to preventing autorun for me.

The labeling in TweakUI is misleading.

The section AutoPlay|Drives controls the NoDriveAutoRun Registry Key at

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Open to this Key and watch the binary value change as you check|uncheck a drive letter in TweakUI.

When you uncheck the CDROM or USB drive letter to disable it, nothing will AutoRun from that drive.

To prove this, you can insert an installation CD which Auto runs a setup.exe file, and watch the
Shell\Autorun\Command entries written to the Drive in the Mountpoints2 Registry Key at

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\

Here is an installation CD with this AutoRun.inf file:

I insert the CD with the CD drive enabled in TweakUI.

Windows reads the AutoRun.inf file, writes the Shell\AutoRun\Command to the Registry:

___________________________________________________________

and setup.exe launches -- well, it attempts to launch, but because it is not on my White List,
it can't run without my permission:

___________________________________________________________

Now, with the drive disabled in TweakUI I insert the CD: the Autorun.inf file cannot be read and nothing is written to that drive Key, so nothing can tell setup.exe to run:

________________________________________________________

The other setting in TweakUI is Autoplay|Types which controls the values in NoDriveTypeAutoRun at

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

You can watch the changes (0b1 and 0b5) as you uncheck the boxes in TweakUI)

Ozo has covered this Registry Key in above post, and has some reservations about it. With the drive types unchecked, I have found it to prevent AutoRun.inf from executing in the tests I've run -- even using Shell commands in the AutoRun.inf file -- but will defer to his reservations.

Disabling the Drive does prevent in all cases.

These are the tests I ran with several digital picture frame exploits analyzed by TrendMicro using the exploit AutoRun.inf file and a real trojan:

»www.urs2.net/rsj/computing/tests/auto-inf/

My conclusions:

1) White List security measures for absolute protection against installation of malware executables by remote code execution.

2) TweakUI to disable the drive in Autoplay|Drive if you want to prevent the drive from executing the AutoRun.inf file.

----
rich

Re: Related articles

Thu, 03 Apr 2008 02:38:15 EDT

mysec :

said by EGeezer :

Although this was done in 2006, I'd surmise this would still work in many instances.

See article here.

I mentioned in another thread a comment I made two years ago regarding this parking lot baiting, that it showed that

1) people are gullible

2) the computers involved had no protection against installation of unauthorized executables by remote code execution

said by EGeezer :

How many, when given a new digital picture frame would fail to plug it into the USB port of their PC as instructed in the accompanying documentation?

I would plug it in -- why not?

These digital media exploits are no different than any other exploit using remote code execution -- it's just that the re-emergence of the AutoRun.inf file as the trigger (remember floppy disk exploits?) has created all sorts of media sensation.

Even in this forum, Picture Frame Trojan unstoppable!!!

How is AutoRun.inf as a trigger any different than iFrame, or animated cursor (.ani) etc, etc? They are all nullified by preventing non-White Listed executables from installing. That is the final stop gap.

For those wanting to block the AutoRun.inf file from executing, there are two sure ways, to recap:

1) The IniFileMapping\AutoRun.inf key which tells Windows that AutoRun.inf file does not exist

2) Using TweakUI to disable the drive from Auto-running anything. More in next post.

----
rich

Re: Disabling 'Autorun' on USB and beyond. Need help.

Thu, 03 Apr 2008 02:12:57 EDT

OZO : No, TweakUI is not disabling the drive and TweakUI may be the best solution for you (personally I prefer to collect all such settings in a reg file that I'll execute at a new OS re/installation time).

When you apply TewakUI (clean "Enable Autoplay for removable drives" checkbox, see the last picture) all it does it changes registry value that I've mentioned in this post. The only difference is - it changes setting in HKCU (Current User) and not HKLM (Local Machine) as I mentioned, and, keep in mind, that Local Machine key has priority for that particular setting. It will protect your computer from Autorun executing some program from the new media when you insert it. But, again, it some cases you will be able to start that malware without your actual intent to do so (see my reference earlier).
--
Keep it simple, it'll become complex by itself...

Re: Disabling 'Autorun' on USB and beyond. Need help.

Wed, 02 Apr 2008 23:09:36 EDT

planet :

said by mysec :
With the drive disabled in TweakUI for WinXP the AutoRun.inf file will not do anything.

Wed, 02 Apr 2008 14:45:43 EDT

EGeezer : How many folks, when finding - or given - a free USB drive with a well-known vendor logo on it would fail to stick it in a PC at some point?

How many, when given a new digital picture frame would fail to plug it into the USB port of their PC as instructed in the accompanying documentation?

We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

Although this was done in 2006, I'd surmise this would still work in many instances.

See article here.
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )

Re: Disabling 'Autorun' on USB and beyond. Need help.

Wed, 02 Apr 2008 12:26:17 EDT

EGeezer :

said by Shriyash :

OH!
i didnt realize that Autorun is NOT the same as Autoplay :o
Thanks for posting this link EGeezer.

Well, I can't take full credit for the distinction between the two - Wildcatboy and NickBrown 's posts in particular provided me with a better understanding of the two functions (although we might vary on our opinions of how much of an exposure autorun may be).
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )

Re: Disabling 'Autorun' on USB and beyond. Need help.

Wed, 02 Apr 2008 12:18:51 EDT

mysec :

said by Shriyash :

Thanks mysec, but i realised after reading that article, that even if the Autoplay is disabled, still if you manyally double-click on the DVD/CD, it may be possible for the Autorun.inf thing to be launched!
So, permanently blocking Autorun is a better idea in situations like mine.

That article is talking about changing the defaults for AutoPlay on a given drive by right-clicking the drive in Windows Explorer and choosing Properties.

Forget about AutoPlay vs AutoRun.

You are concerned about preventing the AutoRun.inf file from executing any command.

With the drive disabled in TweakUI for WinXP the AutoRun.inf file will not do anything.

To test, insert an installation CD that runs a setup.exe or install.exe file, first with the CD drive enabled in TweakUI and watch your setup.exe file run.

Repeat the test with the CD drive disabled in TweakUI and the setup.exe file will not run.

Double-click the drive icon in My Computer and it will not run.

This applies also to U3 type USB drives

----
rich

Re: Disabling 'Autorun' on USB and beyond. Need help.

Wed, 02 Apr 2008 08:58:36 EDT

Name Game : Here are some hijackthis logs and fix to illustrate the problem some users are having out there this packer..

Bloodhound.Packed.Jmp Infection
»www.symantec.com/business/securi···-5627-99

That is being used to carry this badboy... :(

W32/Autorun.worm.bx
Overview -
This detection is for a worm that attempts to copy itself to the root of any accessible disk volumes. Additionally it attempts to place an Autorun.inf file on the root of the volume so that it is executed the next time the volume is mounted.

»vil.nai.com/vil/content/v_144151.htm

In a blended threat...

»gladiator-antivirus.com/forum/in···ry201354

»www.bleepingcomputer.com/forums/···798.html

where this is added to their system

C:\Autorun.inf
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo1.dll
D:\Autorun.inf
F:\Autorun.inf

with a lot of other crap. :(
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/

Re: Disabling 'Autorun' on USB and beyond. Need help.

Wed, 02 Apr 2008 02:59:05 EDT

OZO : Yes, it's important to distinguish Autoplay from Autorun.

Autoplay is the way of starting (default) application from your computer based on the type of content in attached drive. You may keep Auptoplay always 'on' without ill effects.

Autorun - on the other side - is very dangerous and actually is an automatic way to be infected by potential malware. It's because by allowing Autorun you allow automatic execution of an application resided on the new attached media (e.g. USB drive).

To block Autorun from unexpected execution of potential malware you may want to change this registry value:


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:B1

Unfortunately even with this setting (and due to current implementation of this feature by m$) there still be risks of running a malware. Read this my post explaining my point with some details.

--
Keep it simple, it'll become complex by itself...

Re: Disabling 'Autorun' on USB and beyond. Need help.

Wed, 02 Apr 2008 02:51:14 EDT

Shriyash : Err, im a little confused as i go thru this thread here, especially in the end :huh:
»Blocking autorun

In my situation,
where i forsee myself inserting new USB's in the future,
will the solution quoted above my me (about creating the NoAutoRun.reg file)suffice to block Autorun and thus not allowing the Trojan/virus to automatically execute itself? :hmm:
--
Alex Jones Bullhorning Bilderberg.
»www.jonesreport.com/articles/211···erg.html

Re: Disabling 'Autorun' on USB and beyond. Need help.

Wed, 02 Apr 2008 02:40:54 EDT

Shriyash : Thanks mysec, but i realised after reading that article, that even if the Autoplay is disabled, still if you manyally double-click on the DVD/CD, it may be possible for the Autorun.inf thing to be launched!
So, permanently blocking Autorun is a better idea in situations like mine.
--
Alex Jones Bullhorning Bilderberg.
»www.jonesreport.com/articles/211···erg.html

Re: Disabling 'Autorun' on USB and beyond. Need help.

Wed, 02 Apr 2008 02:30:29 EDT

Shriyash : OH!
i didnt realize that Autorun is NOT the same as Autoplay :o
Thanks for posting this link EGeezer.
»windowssecrets.com/comp/071108
Quote from the above website:

...Unfortunately, simply turning off AutoPlay, a separate feature, isn't enough to prevent AutoRun from introducing a rogue program into your system.
...In XP, you can change the defaults for AutoPlay on a given drive by right-clicking the drive in Windows Explorer and choosing Properties. Click the AutoPlay tab and use the controls there to change the settings for different types of media.
Making changes in this dialog box, however, has no effect in preventing autorun.inf from being executed.

And heres the solution too.
(quoted from the article).

Block AutoRun for all devices all the time

You might think that you could proect yourself from AutoRun by using two keys in the Registry known as NoDriveAutoRun and NoDriveTypeAutoRun.

However, self-described "low-budget hacker" Nick Brown points out that these keys can be overridden. A Registry key named MountPoints2 stores information about all USB flash drives and other removable media that have ever been connected to your computer. Brown says this cache overrides the Registry settings that turn off AutoRun.

The solution is to globally block autorun.inf files from executing, without trying to use the dialog boxes in XP and Vista to do this. Here's the procedure:

Step 1. Start Notepad or another text editor.

Step 2. Copy the following text from this page and paste it into your text editor (everything between the square brackets should be all on one line):

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Step 3. Save the file with a name like NoAutoRun.reg, taking care to include the .reg extension.

Step 4. Right-click your .reg file and choose Merge. Confirm any warning prompts to add the information to the Registry.

The next time you insert a flash drive, CD, DVD, or other removable disc into your system, Windows will not execute the information in any autorun.inf file that may be present. :) :)

Naturally, taking these steps means that the next time you put a game or installer disc into your CD or DVD drive, its software won't launch automatically. You'll have to open a Windows Explorer window or use a command line to launch the desired executable.

The benefit is a big one: a rogue program that you never intended to launch won't silently take over your system if you happen to insert a Trojan-carrying disc into a drive.

Re: Disabling 'Autorun' on USB and beyond. Need help.

Wed, 02 Apr 2008 02:05:14 EDT

mysec :

said by Shriyash :

So you are saying that even if i uncheck Autoplay in C: D: E: and F: drives(shown in the firstpic) it should be ok?...

because that autorun.inf file even though present in the USB stick, it is hereby prevented from running. (?)

For any drive disabled, an AutoRun.inf file will not run from the root of that drive.

I've tested with both types of AutoRun.inf files:

Another test is to insert a CD installation disk that has an AutoRun.inf file. The setup.exe file will not automatically start if your CD drive is disabled in TweakUI.

----
rich

Re: Disabling 'Autorun' on USB and beyond. Need help.

Tue, 01 Apr 2008 23:30:39 EDT

EGeezer : AutoRUN is not the same as autoPLAY. I suggest a full read of the topic »Blocking autorun
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )

Re: Disabling 'Autorun' on USB and beyond. Need help.

Tue, 01 Apr 2008 23:27:20 EDT

Shriyash : For those interested in Tweak UI and other 'Microsoft PowerToys for XP', you can get them here:
»www.microsoft.com/windowsxp/down···oys.mspx
--
Alex Jones Bullhorning Bilderberg.
»www.jonesreport.com/articles/211···erg.html

Re: Disabling 'Autorun' on USB and beyond. Need help.

Tue, 01 Apr 2008 23:21:17 EDT

Shriyash : Ok, snapshots will be better.
In the first pic, the options are checked by default.
In the 2nd pic, i have disabled Autoplay in the G: and H: drives, which are my DVD and USB drives respectively.
In addition, in pic 3, i have unchecked the 2 options seen.

So you are saying that even if i uncheck Autoplay in C: D: E: and F: drives(shown in the firstpic) it should be ok?

Also, yes, the scanner might still detect it,
but the Trojan wont automatically run right,
because that autorun.inf file even though present in the USB stick, it is hereby prevented from running. (?)
--
Alex Jones Bullhorning Bilderberg.
»www.jonesreport.com/articles/211···erg.html

Re: Disabling 'Autorun' on USB and beyond. Need help.

Tue, 01 Apr 2008 22:58:01 EDT

jansson_mark :

said by Shriyash :
My question is, without autorun, will the virus automatically run, once i manually open the folder in the USB drive?

No, it wont run. However, antivirus might still spot it on the stick, since its resident scanner might still scan it, even you dont run it.

quote:
Is it a good idea to disable autorun on ALL drives, operating system drive including? Will windows (XP Pro+SP2) be affected adversely by this?

Its very good idea and it has no bad effects. Im not sure what you mean by disabling autorun on operating system driver...you can only disable it generally on CD/DVD/USB:s...

Its also advisable to disable firewire ports, since firewire can be used to manymany nasty things.

Re: Disabling 'Autorun' on USB and beyond. Need help.

Tue, 01 Apr 2008 22:54:31 EDT

anon : To me you need one safe very lockdown computer for bank secure transactions etc. Then a fun but less secure computer with backups(backups on the secure one also) or that vm computer for fun stuff.
Will the condom break, is it made in China, is the girl so crazy it comes off.
You need a virgin clean computer then a nasty computer as secure as you can but if all blows up image it back.

Disabling 'Autorun' on USB and beyond. Need help.

Tue, 01 Apr 2008 22:37:55 EDT

Shriyash : Ok, i recently inserted a friends USB stick into my laptop to copy some pdf files to my desktop.
Before i could open the folders contained in the USB, a warning came up by my resident virus-scanner that it had detected some 'Troj???.exe' file, and it had deleted it!
(Later i did a full scan, nothing is infected now, the laptop's clean)
So, i came across a tip on the net about TweakUI, and have disabled autorun/autoplay for my DVD and USB drives.
My question is, without autorun, will the virus automatically run, once i manually open the folder in the USB drive?
AND
Is it a good idea to disable autorun on ALL drives, operating system drive including? Will windows (XP Pro+SP2) be affected adversely by this?
Please help!
--
Alex Jones Bullhorning Bilderberg.
»www.jonesreport.com/articles/211···erg.html