OZO
Premium
join:2003-01-17
kudos:2

Removable media could easily distribute a virus

It's a common scenario and everyone does it.

You take a flash drive (or a CD) and put it into a USB port (or CD drive, respectively). Then you open Windows Explorer (WE) and click on "My Computer" on the left panel. Then, if you want to open and explore the new drive on the right panel, you double-click on it, as you usually do to open a drive.



Now it's done. The virus is started. See the picture on the right side.



Don't believe me? Make a simple autorun.inf file from the window below, put it in the root of your flash drive and repeat the steps described above:
[autorun]
shell\Surprise\Command=cmd /T:2E /K title -= Could be a Virus =-&&echo Have you just started me?
icon=%SystemRoot%\system32\SHELL32.dll,176
label=Test
 
or download it here:[att=4]

It happens because for removable media WE may silently replace the default action (Explore) with whatever program is specified in the autorun.inf file, and you won't notice that until it's too late (or maybe even later)...



The question is - why in the hell does WE replace that default Explore action in "My Computer" for removable media?

And more importantly - how to protect the computer from replacing the Explore action with anything that may come from/with an autorun.inf file?

P.S. Please, don't offer solutions that break other functionality associated with the autorun.inf file (labeling the drive, providing an icon for it, adding items to the context menu, etc). I'm interested in a solution that will block just one thing, and in particular - the replacing of the default Explore action in My Computer. I want to keep it at all times. Thanks.

--
Keep it simple, it'll become complex by itself...
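As an added example (not code from this thread), here is a small Python audit that parses the [autorun] section of an autorun.inf and reports every entry that names a program to run (open, shellexecute, shell=<verb>, and each shell\<verb>\command), while letting the display-only keys label, icon and action through, which is exactly the split OZO asks for. The key names assumed are the standard autorun.inf ones; the sample input is OZO's own test file from the post above.

```python
# Added example, not code from the thread: parse [autorun] and flag entries that run a program.
import re

DISPLAY_ONLY_KEYS = {"label", "icon", "action"}  # only change how the drive is shown
RUN_KEYS = {"open", "shellexecute"}              # program that AutoPlay launches
VERB_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)

# OZO's test file from the first post, used here as sample input.
SAMPLE_INF = r"""[autorun]
shell\Surprise\Command=cmd /T:2E /K title -= Could be a Virus =-&&echo Have you just started me?
icon=%SystemRoot%\system32\SHELL32.dll,176
label=Test
"""

def parse_autorun(text):
    """Return {key: value} for the [autorun] section; keys keep their case."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)  # split on the first '=' only; values may contain '='
            entries[key.strip()] = value.strip()
    return entries

def audit_autorun(text):
    """List (key, value, reason) for every entry that can launch a program."""
    findings = []
    for key, value in parse_autorun(text).items():
        k = key.lower()
        if k in DISPLAY_ONLY_KEYS:
            continue  # label/icon/action are the bits OZO wants to keep working
        if k in RUN_KEYS:
            findings.append((key, value, "AutoPlay runs this program"))
        elif k == "shell":  # shell=<verb> makes that verb the default double-click action
            findings.append((key, value, "verb '%s' becomes the default action" % value))
        elif VERB_RE.match(key):
            verb = VERB_RE.match(key).group(1)
            findings.append((key, value, "context-menu verb '%s' runs this program" % verb))
        else:
            findings.append((key, value, "unrecognised key, review by hand"))
    return findings

if __name__ == "__main__":
    for key, value, reason in audit_autorun(SAMPLE_INF):
        print("%s=%s  <- %s" % (key, value, reason))
```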


Phil
Rojo Sol
Premium
join:2001-06-11
Camarillo, CA
kudos:2

This has been known for quite some time.


OZO
Premium
join:2003-01-17
kudos:2

Yes, indeed. I'm looking for a permanent fix.



ahulett
Life Without Walls
Premium,VIP
join:2003-02-02
Bellevue, WA
kudos:2

1 edit

reply to OZO

AutoRun test on Windows Vista
I just tried this, and it seems the behavior is changed in Windows Vista (or maybe SP1, which I'm running). Explore remained the default, while Surprise was a selectable option.

Off the top of my head I don't know how to change this behavior in Windows XP. Wild stab in the dark, and assuming Windows XP Professional: you could try opening the Group Policy editor (Start | Run | gpedit.msc), then navigate to User Configuration | Administrative Templates | System and enable the "Turn Off Autoplay" setting. Run gpupdate /force afterwards, or reboot, and see how it goes. Never mind, I just tried this on a Windows XP Professional SP2 machine and it didn't change the behavior in this way.

Aaron
--
Aaron Hulett | Senior Spyware Researcher | Microsoft Malware Protection Center
This posting is provided "AS IS" without warranty, and confers no rights.

OZO
Premium
join:2003-01-17
kudos:2

ahulett See Profile - thanks a lot for posting the screen shot from your Vista SP1 computer. That's exactly how WE should react. The default action should remain Explore, while Surprise should be offered just as an option in the context menu.

It's a serious problem with Windows XP, which does no less than facilitate the spreading of viruses. It must be fixed by some configuration change (I'm looking for it now) or by fixing the WE code ASAP. Otherwise, it's quite dangerous to put removable media into Windows computers. You must be very careful not to open it with a common double-click on the right panel of WE (or via Start | My Computer | Drive). And believe me, it's very common to watch how folks open removable drives this way...
--
Keep it simple, it'll become complex by itself...



NetFixer
Freedom is NOT free
Premium
join:2004-06-24
The 'Boro
Reviews:
·Vonage
·Cingular Wireless
·Comcast
·AT&T Southeast

3 edits

reply to OZO
With the help of the following registry setting and the old original Windows 9x/NT TweakUI utility, I do not see the problem. I have installed your autorun.inf file on a flash drive, a floppy drive, a Zip drive, a mapped network drive, and a CDRW, and autorun simply does not happen on any Windows 2000 SP4, Windows XP SP2 or SP3 PC on my network (with your autorun.inf or with any other autorun.inf that I have tested).

Source for NoAutoRun.reg:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
 
 


TweakUI Paranoia Settings


The screen shots below are from a CDRW on a Windows XP SP3 PC, but the results were the same with any removable media/drive I tested.


CDROM before opening



CDROM after opening

*****sniff***** No Surprise for me.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.

OZO
Premium
join:2003-01-17
kudos:2

NetFixer See Profile - thank you for testing my autorun.inf file. By applying your registry fix (with the Autorun.inf subkey) you effectively kill Autorun functionality altogether; namely, you can't see a new label for the drive attached, you can't see its new icon, you can't see new menu items that may be offered by the new drive, etc.

There are several known ways to completely kill Autorun. That's not what I want. As I said in my initial post - while keeping all Autorun functionality, I'd like to fix one and only one, but quite dangerous, problem - the silent replacement of the default Explore action with whatever program may come with removable media.

For comparison with the better approach, take a look at this post and check the name of the drive and its icon for the removable media. It's there. Moreover, if you do not kill Autorun you will be able to execute Autoplay or run Surprise if you want to. That's the right way.

An OS (or a program for that matter) is NOT more secure when it asks each and every time "Are you sure you want to do this" (like e.g. UAC in Vista), but rather it IS more secure when it doesn't perform unexpected actions with common routines, like executing a program from removable media instead of opening and exploring that media when you're going to explore it. I think it's a simple concept, that is clearly violated here and, thus, should be fixed ASAP.
--
Keep it simple, it'll become complex by itself...



NetFixer
Freedom is NOT free
Premium
join:2004-06-24
The 'Boro
Reviews:
·Vonage
·Cingular Wireless
·Comcast
·AT&T Southeast

said by OZO:

NetFixer See Profile - thank you for testing my autorun.inf file. By applying your registry fix (with the Autorun.inf subkey) you effectively kill Autorun functionality altogether; namely, you can't see a new label for the drive attached, you can't see its new icon, you can't see new menu items that may be offered by the new drive, etc...
My intention was/is to kill autorun, so the "limitations" are not a problem for me. However, you are incorrect in one thing: killing autorun does not prevent drive change notification, and you can see the drive label change when the media changes.


Empty CD drive



SuSE boot CD



Audio CD

--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall.

OZO
Premium
join:2003-01-17
kudos:2

said by NetFixer:

you are incorrect in one thing, killing autorun does not prevent drive change notification, and you can see the drive label change when the media changes.
As you have discovered, there are several ways to set the label for a drive. One comes with the media (you may get/edit it with the CMD>label command). And there is another one that comes with the Autorun.inf file (see my file for the label=Test line). The latter overwrites the former (if Autorun is supported). Perhaps it's easier to assign an appropriate label via the Autorun.inf file than to change it directly on the media itself. But, YMMV. That's why you still see a label on the CD, which in your case comes directly from the media.

I've never said that you kill drive change notification, I've said that with the fix provided you kill Autorun functionality altogether. No more and no less.
--
Keep it simple, it'll become complex by itself...

mysec
Premium
join:2005-11-29
kudos:4

reply to OZO

said by OZO:

It's a common scenario and everyone does it.

You take a flash drive (or a CD) and put it into USB port (or CD drive, respectively). Then you open Windows Explorer (WE) and click on "My Computer" on the left panel. Then, if you want to open and explore new drive on the right panel, you double click on it, as you usually do to open a drive.

Not everyone does it that way. My way is to single-click on the drive in the left pane, which then displays the contents of the drive in the right pane (Explorer view, if you will). This way, no Shell commands in the .inf file are remotely executed.

A quick way to display a drive (or any folder, for that matter) in Explorer view is to modify the target line in the Properties of the shortcut icon of the drive. For example, my F-drive:


The /e switch forces the drive to display in Explorer view (two-pane), rather than Folder view (single pane). If you want, you can assign a Windows Shortcut Key and avoid using the mouse to display your drive.

Now it's done. Virus is started. See picture on the right side.

Using the above method, nothing starts. In your example: You view the contents of the drive; you notice the autorun.inf file, open in notepad to view the file. End of exploit.

The question is - why in the hell WE replaces that default Explore action in the "My Computer" for removable media?

I can understand your frustration here. I always assumed that the first command in the AutoRun.inf file became the default so as to autorun a setup.exe file, for example, when the user d-clicked on the drive icon in My Computer, if for some reason the Autorun.inf file did not AutoPlay on connecting the drive. I often see the message, "If the setup file doesn't automatically start, d-click on the drive in My Computer."

I guess Vista has changed this?

Back to the virus thing, which is important:

Make simple autorun.inf file from the window below, put it in the root of your flash drive and repeat steps described above...WE may silently replace default action (Explore) with whatever program specified in autorun.inf file and you won't notice that until it's too late (or may be even later)...

You make a good point.

Let's make your example more interesting by substituting a real exploit:

[autorun]
shell\Surprise\Command=kwjkpww.exe
 

This trojan file is from a real USB picture frame exploit. If you think of an AutoRun.inf file as just another means to remotely trigger the download of malware, then any security product or policies which prevent the downloading of unauthorized executables will block:



The actual exploit in fact was more dangerous, in that it used AutoPlay to run the file as soon as the drive was connected, without any action on the part of the user. However, it is just as easily blocked by XP's Software Restriction Policies, or any number of products which catch the attempt to sneak in an unauthorized executable.

So, to your thread title, I would add, "only if not properly protected."

P.S. Please, don't offer solutions that break other functionality associated with autorun.inf file

I'm with you here. I'm not in favor of crippling functions that I like and use.

I'm interested in a solution that will block just one thing and in particular - replacing of the default Explore action in My Computer. I want to keep it at all times.

This might be done when creating your own AutoRun.inf files, by using the Action= command. I haven't tried it because it requires XP SP2 and my laptop is SP1 and I use Win2K on my desktop.



brydry
...it's meat-cake

join:2004-12-05
Safety Harbor, FL

reply to OZO
Reminds me of the "good ol' days" when viruses were passed around on floppy disks. The more things, the more they stay the same. Remember, you can't be too careful. Thanks for the info.
--
Go Pats!


jp10558
Premium
join:2005-06-24
Willseyville, NY

reply to OZO

Re: Removable media could easily distribute a virus

I was going to ask, what is this, 1990? lol. This has to be *duh* news.


iam x
Sungazer
Premium
join:2005-02-23

reply to OZO
BTW, this is what I do, for the time being, when I need to insert a foreign USB drive into my PC.

Toggle between the noautorun.reg and enableautorun.reg entries; it happens with just a single click, no need for a reboot.

Thanks to Nick Brown for both the .reg entries.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

Copy them to Notepad, rename to noautorun.reg and enableautorun.reg respectively.

--
The Very Latest SOHO Images
»sohowww.nascom.nasa.gov/data/rea···ges.html

OZO
Premium
join:2003-01-17
kudos:2

reply to mysec

said by mysec:

Not everyone does it that way. My way is to single-click on the drive in the left pane which then displays the contents of the drive in the right pane (Explorer view, if you will). This way, no Shell commands in the .inf file are remotely executed.
Frankly, I'm using this way too. But what advice should I give to other people around?

When you put new removable media into your computer - do not try to explore the drive by double-clicking on it in the WE right panel? Never try to explore it by going to the Start | My Computer menu and clicking on the new drive? Be extremely careful and use only one way - a single click on the drive in the left pane of WE, which then displays the contents of the drive in the right pane?

It's a common human factor in action here - if someone is used to opening/exploring a drive by double-clicking on it in the right panel, it's hard for him/her to be careful all the time and never do it when removable media is present. I'm sure we all agree on that.

mysec See Profile - thank you for providing your example of a real exploit.

To block the exploit from automatic execution at the time I insert removable media into my computer I use the "NoDriveTypeAutoRun"=dword:FF registry value, which is configured via WE | Tools | Folder Options... | View | My personal settings menu options. See it here.
--
Keep it simple, it'll become complex by itself...


Vistaluvr2

@rr.com

said by OZO:

But what advice should I give to other people around?
Sorry but couldn't help it.

Recommend others get Vista?

LOL.

mysec
Premium
join:2005-11-29
kudos:4

1 edit

reply to OZO

said by OZO:

mysec See Profile - thank you for providing your example of real exploit.

You are welcome.

said by OZO:

To block the exploit from automatic execution at the time I insert a removable media into my computer I use "NoDriveTypeAutoRun"=dword:FF registry value

Does this setting prevent the AutoRun.inf file from executing if you d-click on the drive letter in the right pane of Windows Explorer?


OZO
Premium
join:2003-01-17
kudos:2

said by mysec:

said by OZO:

To block the exploit from automatic execution at the time I insert a removable media into my computer I use "NoDriveTypeAutoRun"=dword:FF registry value

Does this setting prevent the AutoRun.inf file from executing if you d-click on the drive letter in the right pane of Windows Explorer?

No, it doesn't, and that's the point. If it did, I'd not ask the question here. It protects only from automatic execution at the time I insert removable media, which is very important, but as we well know it's not enough...
--
Keep it simple, it'll become complex by itself...

OZO
Premium
join:2003-01-17
kudos:2

reply to OZO
It looks like there is no solution to block WE from replacing its default Explore action when you are going to explore new removable media without breaking useful AutoRun functionality.

Is it a deliberate "feature" or a security bug in WXP?

Just because it clearly facilitates spreading malware via removable media (and it's fixed in Vista), my strong opinion is -- it's a security bug that should be fixed in WXP ASAP. Let's see the OS manufacturer's response...
--
Keep it simple, it'll become complex by itself...



EGeezer
Summertime
Premium
join:2002-08-04
Midwest
kudos:7
Reviews:
·Callcentric

said by OZO:

-- it's a security bug that should be fixed in WXP ASAP. Let's see the OS manufacturer's response...
Maybe matunga See Profile has an answer. He's hot on security bugs.. Oh, wait, this is Windows, probably no response from him.
--
If dogs travel in space at the speed of light, do they reach their destination in dog-light years?

© 1999-2012 dslreports.com.