mysec
Premium
join:2005-11-29
1 edit | reply to planet
Re: Disabling 'Autorun' on USB and beyond. Need help.
said by planet  : said by mysec :
With the drive disabled in TweakUI for WinXP the AutoRun.inf file will not do anything.
I'm not sure I understand this. Doesn't TweakUI only disable autoplay on the drive? TweakUI isn't disabling the drive? So, wouldn't autorun still be an issue? If you are correct then using Tweak UI is the simplest solution to preventing autorun for me.
The labeling in TweakUI is misleading.
The section AutoPlay|Drives controls the NoDriveAutoRun Registry Key at
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Open to this Key and watch the binary value change as you check|uncheck a drive letter in TweakUI.
When you uncheck the CDROM or USB drive letter to disable it, nothing will AutoRun from that drive.
To prove this, you can insert an installation CD which Auto runs a setup.exe file, and watch the
Shell\Autorun\Command entries written to the Drive in the Mountpoints2 Registry Key at
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
Here is an installation CD with this AutoRun.inf file:
I insert the CD with the CD drive enabled in TweakUI.
Windows reads the AutoRun.inf file, writes the Shell\AutoRun\Command to the Registry:
___________________________________________________________
and setup.exe launches -- well, it attempts to launch, but because it is not on my White List,
it can't run without my permission:
___________________________________________________________
Now, with the drive disabled in TweakUI I insert the CD: the Autorun.inf file cannot be read and nothing is written to that drive Key, so nothing can tell setup.exe to run:
________________________________________________________
The other setting in TweakUI is Autoplay|Types which controls the values in NoDriveTypeAutoRun at
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
You can watch the changes (0b1 and 0b5) as you uncheck the boxes in TweakUI)
Ozo has covered this Registry Key in above post, and has some reservations about it. With the drive types unchecked, I have found it to prevent AutoRun.inf from executing in the tests I've run -- even using Shell commands in the AutoRun.inf file -- but will defer to his reservations.
Disabling the Drive does prevent in all cases.
These are the tests I ran with several digital picture frame exploits analyzed by TrendMicro using the exploit AutoRun.inf file and a real trojan:
»www.urs2.net/rsj/computing/tests/auto-inf/
My conclusions:
1) White List security measures for absolute protection against installation of malware executables by remote code execution.
2) TweakUI to disable the drive in Autoplay|Drive if you want to prevent the drive from executing the AutoRun.inf file.
----
rich |
|
Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
 ·Verizon Online DSL
1 edit | said by mysec :My conclusions: ... 2) TweakUI to disable the drive if you want to prevent the drive from executing the AutoRun.inf file. ... Question: do you or anyone else know for sure if the TweakUI settings persist in spite of the MountPoints2 key possibly over-riding various Windows settings, as Nick Brown noted in EGeezer 's »Blocking autorun link and Scott Dunn referred to in Shriyash 's »windowssecrets.com/comp/071108 link? I've got a friend in a 3rd-World country who's wrestling right now to protect against USB-drive malware that keeps appearing on flashdrives being exchanged with government ministries... govt malware protection is virtually non-existent there. Some of these drives pass back and forth multiple times, so if MountPoints2 stored data over-rides other settings and allows autorun.inf to run on a USB drive that's been plugged into their computer before, that presents a real threat to using TweakUI or similar in that locale. Using the IniFileMapping\AutoRun.inf reg-fix EGeezer noted above would probably be their only simple answer... but I'd really like to know for sure.
--
If God wanted us to work with electrons, He'd make them big enough to see... |
|
mysec
Premium
join:2005-11-29
2 edits | I read both the article and blog when they appeared.
Nick refers to the NoDriveTypeAutoRun key but not the NoDriveAutoRun key.
I've tested with the latter and have not found it to be overridden.
Regarding your friend: is he concerned about his own computer, or government computers?
If his own, just install a White List execution prevention program and he's safe.
----
rich |
|
Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
·Verizon Online DSL
| said by mysec :I read both the article and blog when they appeared. I've tested many times with my XP laptop and have never found the mountpoints2 entries to stick once the CD is removed from the drive, or USB drive unplugged. Nick doesn't elaborate on the cache setting, so I don't know what he is referring to. Regarding your friend: is he concerned about his own computer, or government computers? If his own, just install a White List execution prevention program and he's safe. ---- rich It's their own computer they're trying to protect. They've been attacked 3 times in recent days, and there's a concern that sooner or later their AV may not hold against the flood... the most recent attack was related to an autorun-triggered Win32/PSW virus varient that only made it onto their AV's signature list three days or so before the attack occurred.
There seems to be a number of things that affect the vulnerability of a computer to autorun-related malware. Obviously, Brown and Dunn seem to think there's a way for the MountPoints2 key to over-ride other settings. Your experience seems to show otherwise. It's never easy, is it? 
I guess I need to dig more deeply into the whitelisting approach... though I'm not sure how easy that will be for them to acquire and install where they are.
--
If God wanted us to work with electrons, He'd make them big enough to see... |
|
