mysec
Premium
join:2005-11-29
| reply to OZO
Re: NoDriveTypeAutoRun and NoDriveAutoRun
said by OZO  :It's interesting to know how a new and/or old USB drive is treated by OS. Is an info from a drive is collected and kept (and for how long) in "MountPoints2" subkey? Will autorun.inf file be interpreted by WE? There is no doubt that all of this is interesting to know.
Thanks for your comments and insights.
I don't know the answer to that - it may depend on a lot of things. Because of the uncertainty, I would not depend on consistent action here for security of any kind.
said by OZO :The way I see it - there should be guaranteed way that blocks any automatic execution of a program from removable media. And - is it an old media or a new one, is it USB or CD/DVD, is it drive F:, drive G: or drive Z: - all it doesn't matter. If you agree with setting that simple goal, let's find the way.
I've said before that Autorun.inf, iFrame, .ani (animated cursor), etc... have this in common: to run a program by remote code execution.
Each has a "fix":
Autorun.inf by disabling Autorun by some tweak or other
iFrame by patch from MS, or browser tweak
etc...
I would never depend on these as a last line of defense. Too many things can go wrong. Settings become changed, etc. Especially if more than one user on the computer.
Besides, what about the next new remote code execution exploit that is zero-day for a period of time? Remember the .wmf explolit?
The only sure-fire protection is White Listing,where no executable not White Listed can run. Period.
Using a TrendMicro analysis of a pendrive Autorun.inf exploit, I happened to get the trojan downloader file from another person to test.
Here is the Autorun.inf file:
I put it along with the trojan file on a CD and let it Auto Run:
_________________________________________________________
This is the only way that, to use your phrase. I would guarantee blocking any automatic execution of a program from removable media. Or from any other source.
----
rich |
|
OZO
Premium
join:2003-01-17
| Unfortunately you did not mention what was the data set for the value "NoDriveTypeAutoRun" in your last test. And this is important to interpret the test results.
I've repeated the test similar to yours (actually the same I've done before my post here) and here are my results:
--- With "NoDriveTypeAutoRun"=dword:ff
1) notepad.exe is not launched automatically when I insert CD/DVD with autorun.inf (see its content below)
2) notepad.exe is launched when I made click on My Computer | E: which is completely unexpected
3) notepad.exe may be started by clicking on replaced "Open" menu item (user doesn't want that)
4) notepad.exe may be started by clicking on replaced "Explore" menu item (user doesn't want that)
Cases #2 - 4 must be fixed by the developer of the OS !
--- With "NoDriveTypeAutoRun"=dword:91 (default for WXP2)
1) notepad.exe is launched automatically when I insert CD/DVD with autorun.inf (see its content below) - as expected.
The rest of results are the same as above.
Here is content of autorun.inf file:
Here is the picture:
AutoRun
In this test I was using only "NoDriveTypeAutoRun" value placed in this key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
I do not modify / use "NoDriveAutoRun" value.
And finally, because I do not block interpretation of autorun.inf file I'm able to see new drive label (see picture above), as well as its new icon (from notepad.exe in this case) and have all new menu items in context menu. Which is the way it should be.
--
Keep it simple, it'll become complex by itself... |
|
mysec
Premium
join:2005-11-29
| said by OZO :Unfortunately you did not mention what was the data set for the value " NoDriveTypeAutoRun" in your last test. And this is important to interpret the test results.
Last test (4) - same as Test 2,3:
CD/DVD drive enabled, Removable Drives disabled in TweakUI, dword value = 95
I just now included this with the tests.
Other settings in TweakUI:
Both CD/DVD and Removable drives enabled, dword value = 91.
With CD/DVD disabled and Removable Drives enabled, dword value = b1
With both disabled, dword value = b5
|
|
OZO
Premium
join:2003-01-17 | Thanks |
|
mysec
Premium
join:2005-11-29
| reply to OZO
said by OZO :--- With "NoDriveTypeAutoRun"=dword:ff1) notepad.exe is not launched automatically when I insert CD/DVD with autorun.inf (see its content below) 2) notepad.exe is launched when I made click on My Computer | E: which is completely unexpected 3) notepad.exe may be started by clicking on replaced "Open" menu item (user doesn't want that) 4) notepad.exe may be started by clicking on replaced "Explore" menu item (user doesn't want that) Cases #2 - 4 must be fixed by the developer of the OS !
I disagree: The behavior you describe is by design so that the context menu can be customized by including Shell commands in the Autorun.inf file. I would not want that useful feature to be "fixed!"
----
rich |
|
OZO
Premium
join:2003-01-17
| There is no disagreement!
The behavior I've described is by design, so that the context menu can be customized by including Shell commands in the Autorun.inf file. I would not want that useful feature to be "discarded" as well. But, as you can see, I did emphasize the words "replaced" and did it for a purpose.
If a malware is able to replace two well known menu items that I've mentioned - user is in potential trouble. By clicking on those items user expects that drive will be opened/explored by WE. But, instead of that, what he may get is an unexpected execution of a program from removable media. Just simple like that. And that's dangerous.
That's why I said that the functionality must be fixed. There should be a protection from 'replacement' those well known menu items by autorun.inf file.
--
Keep it simple, it'll become complex by itself... |
|
mysec
Premium
join:2005-11-29
| said by OZO :There is no disagreement!... But, as you can see, I did emphasize the words " replaced" and did it for a purpose.
OK, I see your point.
By clicking on those items user expects that drive will be opened/explored by WE. But, instead of that, what he may get is an unexpected execution of a program from removable media. Just simple like that. And that's dangerous.
This is why White List protection will always prevent the unexpected execution of a program from any media or source. Simplest way is running as a Limited User. Other solutions involve security programs with Execution protection.
Other precautions when using unknown removable media:
1) Use TweakUI toggle the NoDriveAutorun setting for that drive. No Shell commands in the Autorun file will be executed.
2) Instead of clicking on the drive letter in My Computer, open to the drive in Windows Explorer, which is just a Tree View of My Computer. The contents of the drive highlighted in the left pane are displayed in the right pane. No right-context menu items are invoked.
You can create shortcuts to open to any directory/drive in Explorer View. Here, opening to D:\
%windir%\explorer.exe /e, D:\
The /e switch opens the drive in "expanded" or Tree View.
----
rich |
|
OZO
Premium
join:2003-01-17
| You're right - White List protection surely may help. As well as advice do not click on drive in My Computer, open to the drive in Windows Explorer instead. But not everyone runs a special program that supports a White List and not everyone remembers the rule - do not open a drive from My Computer, which may be a common practice (though personally I never do it, I respect others opinions who do it and why not). I'd call all of these - additional layers of protection.
My point here is if the basic layer is broken - it should be fixed first. And solution should be simple like marking one check box in Folder Options dialog box (see my picture below):
Folder Options - Autorun
--
Keep it simple, it'll become complex by itself... |
|
R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
clubs: | reply to mysec
Sorry, can I back up a step? Tweak UI's NoDriveAutoRun seems to be as helpful as the "DoesNotExist" .reg file -- yet is does not require a reboot. Is that correct? Thanks. |
|
mysec
Premium
join:2005-11-29
1 edit | Yes - as noted here on WinXP SP1. |
|
