slajoh01 (Member, join:2005-04-23)

Disabling Autorun in XP?

I have been reading about this Pentagon attack that happened, and the most likely cause was that all the computer stations had autorun enabled and therefore any USB key armed with a virus or a worm can sneak into the networks.

I had found this in the NSA's Guide to Securing XP below, but I can't locate the REG_DWORD value.
I don't see this registry key called (NoDriveTypeAutoRun).
Do I have to add this?

I'm on a standalone PC and not connected to any domain or Active Directory.

Thanks.

bcastner (MVM, Chevy Chase, MD, join:2002-09-25), 2 recommendations

1. Download and Install Microsoft's AutoRun Hotfix: »www.microsoft.com/downlo ··· D7B8DAA5
2. Download and Install Microsoft's TweakUI©: »www.microsoft.com/window ··· oys.mspx
3. Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.
4. Download and run "Flash Drive Disinfector©" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe 
 
There is no GUI interface or log file produced. This writes a fairly effective beachhead against future attacks.

There are other approaches, but the above seem reasonable except in extreme cases.

hayc59 (Your a Daisy, Premium Member, join:2001-02-26) to slajoh01
bcastner, sounds like a plan! Is all that reversible
in case something goes south? Thanks.
slajoh01 (Member, join:2005-04-23), 3 edits

Ok, thanks a lot for your support.
But I will have to test this out on my laptop.

However, on my other PC I'm running Solaris. Does this form of malware caused by this Autorun thing affect UNIX OSes too, or only Windows?

When I log on to Solaris, I don't have other Windows machines connected on the same network. So do I need to do this on UNIX as well?

If I really wanted to be secure from this, why not just disable the USB ports in the BIOS as well?
Will this work with the BIOS password enabled?

Especially in work-related environments, this may be a good and better idea: just have the whole CD-ROM drive taken out of all workstations and then disable the USB ports in the BIOS...
SUMware2 (Premium Member, join:2002-05-21), 2 edits

said by slajoh01:

Does this form of malware caused by this Autorun thing affect UNIX OSs too or only Windows??
Even if autorun is enabled, the 'exe' file set to run on removable media won't be able to run or execute on *nix (unless you've explicitly set it up to do so, and even then probably causing no system damage).

Your DE (such as KDE or GNOME) offers user options for loading and previewing removable media.

You should spend some time learning about the features of your *nix OSes, and how to use them properly.
slajoh01 (Member, join:2005-04-23)

So just to confirm, I am safe from this type of attack in my UNIX OS?

Also, the NSA guide does not mention using TweakUI.
So do I need to add that reg key into the registry then?

Please advise.
SUMware2 (Premium Member, join:2002-05-21)

said by slajoh01:

So just to confirm, I am safe from this type of attack in my UNIX OS?
You are not running UNIX. Learn.

You are safe.

bcastner (MVM, Chevy Chase, MD, join:2002-09-25), 4 edits, 3 recommendations, to slajoh01
You can run TweakUI again and revert any changes made.

As for Flash Drive Disinfector, it writes a read-only, system folder. Because the OS will not permit creation of a new file with the same name as an existing folder, the protection works.

You can use ATTRIB to revert the folder attributes and Explorer to delete the folders created. Or more directly:

e.g. -- from the CMD box:

attrib -r -s -h G:\autorun.inf
rd /s/q G:\autorun.inf

* I strongly recommend you leave this simple beachhead form of protection in place, however.

Done. Remember to do this for all writable storage device letters.

There are other ways to bell this cat, but my original post is the one I have been recommending. Note for Vista users: you can do this even without the TweakUI or download discussion for XP; natively you can tune Autorun settings in the Vista GUI.

See an illustration of the Vista case in my Article: The Care and Feeding of USB Storage Devices Under Windows:
»aumha.net/viewtopic.php? ··· &t=28888

nwrickert (Mod, Geneva, IL, join:2004-09-04) to slajoh01

said by slajoh01:

Does this form of malware caused by this Autorun thing affect UNIX OSs too or only Windows??
You seem to have discovered my secret.

Anything at all suspicious, I examine first on *nix before I let it near my Windows systems.
slajoh01 (Member, join:2005-04-23)

First of all, my question is:

The NSA Guide for XP does not mention TweakUI. Can I just add the following registry entry? I checked the registry but it is not in there. Do I need to add this?

(NoDriveTypeAutoRun) Disable Autorun for all drives

The registry value entry NoDriveTypeAutoRun was added to the template file in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ registry key. The entry appears as MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) in the SCE.
slajoh01 (Member)

Hey guys...I think I got it here:

»www.computerperformance. ··· eAutoRun
OZO (Premium Member, join:2003-01-17), 1 recommendation, to slajoh01
"NoDriveTypeAutoRun" may work in some cases and may not in others.

Check this thread: Removable media could easily distribute a virus

And here is another one showing lot of tests: Disabling 'Autorun' on USB and beyond. Need help.
SUMware2 (Premium Member, join:2002-05-21), 1 edit, to slajoh01
Totally disable Autorun / AutoPlay in Windows XP with no Registry editing!
quote:
It's always a good idea to disable the Windows AutoPlay/autorun feature, which allows a program contained on a CD to be run when it is placed into the drive and read by Windows, because this gives you control over what applications are run and when.

The easiest way to disable Autorun is to use the PowerToy called Tweak UI.

If you don't have this installed, take a trip over to the Microsoft PowerToys site and download the latest copy.

Once you have downloaded and installed Tweak UI and fired it up double-click on My Computer in the tree menu on the left hand side followed by AutoPlay then on Drives. This will allow you to change the system settings for AutoPlay/autorun.

Uncheck the drives you want to disable AutoPlay on and click on Apply.

While you're in TweakUI, click on Types in the left-hand side tree menu of the program. This allows you to control whether AutoPlay is enabled for CD and DVD drives and removable drives. Uncheck the box to disable AutoPlay for a particular type of drive.

Click Apply when you're done.

Job done!
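The TweakUI pages in the quote above are front ends for two REG_DWORD bitmasks under the Policies\Explorer key that the NSA guide and slajoh01 refer to, which is why the value has to be created if it is not already there. What follows is an added example for this thread, not code from any poster, from Microsoft or from the NSA guide: it encodes and decodes the two masks and prints the reg.exe commands (or the .reg file text) that set them under HKLM. Assumptions, repeated in the code: TweakUI's Types page maps to NoDriveTypeAutoRun and its Drives page to the per-letter NoDriveAutoRun value in the same key; the bit values are the Win32 drive-type constants Microsoft documents for this setting, and 0x91 is the XP default. Two practitioner caveats: OZO's warning is well founded, because Windows XP without Microsoft's Autorun update did not honor NoDriveTypeAutoRun consistently, which is what a Microsoft AutoRun hotfix like the one bcastner lists in step 1 addresses; and a per-letter NoDriveAutoRun mask covers only the letters you list, so a new stick that lands on an unlisted letter still autoruns, which is why 0xFF in NoDriveTypeAutoRun is the setting to rely on.

```python
"""Encode and decode the Autorun policy bitmasks behind TweakUI's Types and
Drives pages, and emit reg.exe commands or .reg text that set them.
Added example for this thread; the TweakUI-to-value mapping and the bit values
below are assumptions drawn from Microsoft's documentation, not from the thread."""
from __future__ import annotations

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# NoDriveTypeAutoRun: one bit per Win32 drive type. A SET bit disables Autorun.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,   # USB sticks, floppies
    "fixed": 0x08,       # internal disks
    "remote": 0x10,      # network shares
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "reserved": 0x80,
}
XP_DEFAULT = 0x91        # XP out of the box: unknown | remote | reserved
ALL_DRIVE_TYPES = 0xFF   # the NSA guide's "disable Autorun for all drives"


def type_mask(*disabled: str) -> int:
    """NoDriveTypeAutoRun value that disables Autorun on the named types only."""
    return sum(DRIVE_TYPE_BITS[name] for name in disabled)


def still_enabled(value: int) -> list[str]:
    """Drive types on which Autorun is STILL active under a given value."""
    return [name for name, bit in DRIVE_TYPE_BITS.items() if not value & bit]


def letter_mask(*letters: str) -> int:
    """NoDriveAutoRun (TweakUI's Drives page): bit 0 is A:, bit 1 is B:, bit 25 is Z:."""
    mask = 0
    for letter in letters:
        name = letter.rstrip(":").upper()
        if len(name) != 1 or not "A" <= name <= "Z":
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << (ord(name) - ord("A"))
    return mask


def reg_add_commands(type_value: int, letter_value: int | None = None,
                     hive: str = "HKLM") -> list[str]:
    """reg.exe lines for a CMD box. Use HKLM: it takes precedence over HKCU."""
    key = f"{hive}\\{POLICY_KEY}"
    cmds = [f'reg add "{key}" /v NoDriveTypeAutoRun /t REG_DWORD /d {type_value} /f']
    if letter_value is not None:
        cmds.append(f'reg add "{key}" /v NoDriveAutoRun /t REG_DWORD /d {letter_value} /f')
    return cmds


def reg_file(type_value: int, letter_value: int | None = None) -> str:
    """Same settings as a .reg file for regedit (double-click or 'regedit /s')."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[HKEY_LOCAL_MACHINE\\{POLICY_KEY}]",
        f'"NoDriveTypeAutoRun"=dword:{type_value:08x}',
    ]
    if letter_value is not None:
        lines.append(f'"NoDriveAutoRun"=dword:{letter_value:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(f"XP default 0x{XP_DEFAULT:02X} still autoruns on: {still_enabled(XP_DEFAULT)}")
    print(*reg_add_commands(ALL_DRIVE_TYPES), sep="\n")
    # Mirror of unticking Removable and CD/DVD on Types and E:, F:, G: on Drives
    print(reg_file(type_mask("removable", "cdrom"), letter_mask("E", "F", "G")))
```

Run it on the machine, paste the printed reg add lines into a CMD box (or save the .reg text and import it), then log off and on; decoding the existing value with still_enabled() is the quick way to see what an XP box with the default 0x91 still autoruns on, namely removable, fixed and CD-ROM drives.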
mysec (Premium Member, join:2005-11-29) to slajoh01
said by bcastner:

.. the above seem reasonable except in extreme cases.

Thanks for that nice summary of solutions. I've sent it to a few people.
said by slajoh01:

I have been reading about this Pentagon attack that happened and the most likely cause was that all the computer stations had autorun enabled and therefore, any USB key armed with a virus or a worm can sneak in to the networks.

In addition to the suggestions for AutoRun, one should also have in place protection against virus or worm executables that attempt to sneak in, no matter what attack method is used -- just in case some system/registry configuration gets changed, or happens to fail.

I set up an AutoRun.inf test, and let the file run and attempt to install an executable from my USB drive:

[screenshot not reproduced]
_________________________________________

AutoRun.inf is just one type of remote code execution attack. Looking recently at the "Other Anti-malware" forum at Wilders, I found 13 products other than the one I tested which will also do the job.


----

tempnexus (Premium Member, Boston, MA, join:1999-08-11)
what program provides that beware of dog thingy?
mysec (Premium Member, join:2005-11-29)

Anti-Executable by Faronics (the dog logo is one I substituted for the default logo)

»www.faronics.com/html/An ··· Exec.asp

It's been awhile since I've visited their web site, and I notice this:
Distractive and malicious software can be accidentally or intentionally installed on computers from portable drives, email accounts, and web browsing.

Anti-Executable's white list protection eliminates all these problems and threats by ensuring computer workstations are only able to run applications that have been authorized for use.

----
Curiosity (Member, Dawson Creek, BC, join:2001-10-01) to bcastner
I would recommend disabling autorun on CDs and DVDs as well. If you have any such disks with autorun-installed spyware or rootkits, you stop that from installing. Besides, that popup window can be very annoying if all you want to do is backups or file transfers to another computer. All you need to do that is TweakUI.

hayc59 (Your a Daisy, Premium Member, join:2001-02-26), 1 edit, to slajoh01
OK, so maybe I am stupid here... but if I disable auto-run for my DVDs and CDs, or my wife's Hallmark card maker she uses always, how will I get them to play? Or when I burn a CD?
slajoh01 (Member, join:2005-04-23), 3 edits

Ok, wait... just wait...

If all the users in the network ran under an Admin account, then EXE code coming FROM the device to the PCs would have the rights to function.

Now, it would be a different story if all the users ran as Restricted.

I always run my Windows as Restricted, and most of the time, if programs want to install themselves from CD or USB media automatically, Windows will ask you for the Admin password...

nwrickert (Mod, Geneva, IL, join:2004-09-04) to hayc59
said by hayc59:

If I disable auto-run for my DVDs and CDs, or my wife's Hallmark card maker she uses always, how will I get them to play? Or when I burn a CD?
You should still be able to open "My Computer" and then click on the icon for the CD or DVD.

anonin (Anon, @10/24.bsnl.in) to slajoh01
I use "Security and Privacy complete" from sourceforge to disable autorun on removable drives.

»sourceforge.net/projects/cmia/

Small executable file. No installation.

Just check the option to "disable autorun of all drives" under "System".

Choose other options with care so as to not cripple normal use.

The option to choose what to do with files on the removable media will no longer popup once autorun is disabled. The removable drive can be accessed only through "My computer".

Mannus (Premium Member, Fort Wayne, IN, join:2005-10-25) to slajoh01
I like my autorun.

tempnexus (Premium Member, Boston, MA, join:1999-08-11) to bcastner
Flash Drive Disinfector got picked up by AntiVir and by ThreatFire as an Adware/Unwanted program?

bcastner (MVM, Chevy Chase, MD, join:2002-09-25)

Flash Drive Disinfector is written by MS-MVP "sUBs", is freeware, and is adware- and malware-free.

Like his ComboFix utility, many AV and anti-malware programs also tend to identify it as malware.

It does have a small set of plain-text definitions for common Autorun infectors, and will remove them if found. This is likely what is triggering any notice.

The most important feature is the Disinfection process, where any writeable storage devices are given at their root a new folder, Autorun.inf, that is System and Read-Only in attributes. This prevents Autorun infections from writing an Autorun.inf file -- cutting off at the knees the ability of Autorun infections to create their own malicious filenames in order to autostart.

On another note: Microsoft's TweakUI is nothing more than a glorified, GUI-based registry editor. It lists some registry keys that are not in Group Policy, but are of common interest to many users of XP.

The use of TweakUI to disable Autorun on a drive is just an easy way to disable Autorun on a drive-letter basis. It can be done through Regedit by hand if you prefer.
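The folder trick described twice in this thread (bcastner's attrib/rd commands earlier and the explanation in the post above) rests on one filesystem rule: a directory and a file cannot share a name in the same folder. The block below is an added example for this thread, not Flash Disinfector itself or any poster's code: it plants the autorun.inf folder in a scratch directory standing in for a USB stick, shows that an infector's attempt to create autorun.inf as a file is then refused, and removes the folder again the way the attrib/rd commands do. The attribute setting uses the Win32 SetFileAttributesW call and only runs on Windows; elsewhere the folder is created without attributes and the blocking behaviour still holds. One caveat the thread leaves implicit: the attributes are a speed bump for careless infectors, not a permission, so malware already running with write access to the drive can clear them and delete the folder; the folder complements disabling Autorun, it does not replace it.

```python
"""Plant the autorun.inf FOLDER 'beachhead' described in the thread and prove
it blocks creation of an autorun.inf FILE. Added example for this thread, not
sUBs' Flash Disinfector; attribute bits are the documented Win32 constants."""
import errno
import os
import sys
import tempfile

FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_NORMAL = 0x80


def _set_attributes(path: str, attrs: int) -> None:
    """attrib equivalent via SetFileAttributesW; only meaningful on Windows."""
    if sys.platform == "win32":
        import ctypes
        if not ctypes.windll.kernel32.SetFileAttributesW(path, attrs):
            raise ctypes.WinError()


def plant_beachhead(root: str) -> str:
    """Create autorun.inf at the drive root as a read-only, hidden, system folder.
    Refuses to touch an existing autorun.inf FILE: that one is evidence and
    should be inspected and cleaned first."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        raise FileExistsError(f"{path} is a file; inspect it before planting")
    os.makedirs(path, exist_ok=True)
    _set_attributes(path, FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return path


def remove_beachhead(root: str) -> None:
    """Reverse of bcastner's 'attrib -r -s -h' followed by 'rd'."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        _set_attributes(path, FILE_ATTRIBUTE_NORMAL)
        os.rmdir(path)


def autorun_file_blocked(root: str) -> bool:
    """Do what an infector does: try to create autorun.inf as a file at the root.
    True if the OS refuses because a folder of that name is in the way."""
    path = os.path.join(root, "autorun.inf")
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC)
    except OSError as exc:
        # POSIX reports EISDIR; Windows reports EACCES or EEXIST depending on the path taken
        return exc.errno in (errno.EISDIR, errno.EACCES, errno.EEXIST)
    os.close(fd)  # creation succeeded, so the drive was unprotected
    return False


def demo() -> dict:
    """Whole cycle in a temporary directory standing in for a USB stick."""
    with tempfile.TemporaryDirectory() as stick:
        before = autorun_file_blocked(stick)            # unprotected: the file gets created
        os.remove(os.path.join(stick, "autorun.inf"))   # clear that test file again
        plant_beachhead(stick)
        after = autorun_file_blocked(stick)             # folder in the way: refused
        is_dir = os.path.isdir(os.path.join(stick, "autorun.inf"))
        remove_beachhead(stick)                         # the reversal hayc59 asked about
        gone = not os.path.exists(os.path.join(stick, "autorun.inf"))
    return {"before": before, "after": after, "is_dir": is_dir, "gone": gone}


if __name__ == "__main__":
    print(demo())
```

To use it on a real stick, call plant_beachhead("G:\\") for each writable drive letter, as bcastner's post says, and remove_beachhead() on the same letter to undo it.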

HA Nut (Premium Member, USA, join:2004-05-13) to slajoh01
I ran across one of these USB flash drive pains in the @$$e$ tonight. It was transferred to the drive at one of the local high schools.

The good... the home laptop the student plugged the drive into had up-to-date Avast on it. It nabbed the EXE file and he did the right thing by deleting the file to the virus chest.

The semi-bad... he didn't say anything to anyone and he plugged the drive into another PC. This PC had NOD32 on it. NOD saw the left over autorun.inf file that referred to the EXE and NOD then went berserk.

So in the end, both AVs came through and nailed the nasty. I put Mr. Castner's autorun.inf folder fix onto the drive and sent the student back on his way. I also told him to alert the IT person at the school about the nasty but he said they really don't seem to care much about security.

Which means others will spread the thing around...
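When a stick turns up like the one HA Nut describes, the autorun.inf left behind tells you what the deleted EXE was and how it was meant to launch, and mysec's test earlier in the thread is the same file seen from the other side. The block below is an added example for this thread, not code from any poster or product: a parser that reads autorun.inf the way Windows does (keys case-insensitive, lines it cannot parse skipped, which is why infectors pad the file with junk) and a triage of the launch directives. Both sample files are constructed for this example and modeled on patterns common in USB infectors; the SID-like folder name is all zeros on purpose. One point this makes visible: a shell\open\command entry hijacks the drive's double-click verb, so on an XP without Microsoft's Autorun fix, opening the drive from My Computer can run the payload even with AutoPlay turned off; navigate with the folder tree or type the path instead.

```python
"""Parse an autorun.inf the way Windows reads it (case-insensitive, junk lines
tolerated) and report what it would launch. Added example for this thread;
both sample files are constructed, not taken from a real infection."""
from __future__ import annotations

import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KEYVAL_RE = re.compile(r"^(?P<key>[^=;\s][^=]*?)\s*=\s*(?P<val>.*)$")
# Folders Explorer hides by default; infectors like to park their EXE there.
HIDDEN_DIR_RE = re.compile(
    r"(^|\\)(recycler|recycled|\$recycle\.bin|system volume information)(\\|$)", re.I)

# Constructed sample of an infector's file: payload in RECYCLER, Explorer-like
# action text, borrowed shell32 icon, and hijacked Open/Explore verbs.
INFECTED_SAMPLE = r"""
[autorun]
;junk lines like the next one are skipped by Windows, so we skip them too
@#$%^&* binary padding
open=RECYCLER\S-1-5-21-0000000000-0000000000-000000000-1013\setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\Command=RECYCLER\S-1-5-21-0000000000-0000000000-000000000-1013\setup.exe
shell\explore\Command=RECYCLER\S-1-5-21-0000000000-0000000000-000000000-1013\setup.exe
"""

# Constructed sample of a harmless file: label and icon only, nothing launched.
BENIGN_SAMPLE = r"""
[autorun]
label=Driver CD
icon=drivers.ico
"""


def parse_autorun_inf(text: str) -> dict[str, dict[str, str]]:
    """Sections and key=value pairs, lower-cased keys, unparseable lines dropped."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        kv = KEYVAL_RE.match(line)
        if kv and current is not None:
            sections[current][kv.group("key").strip().lower()] = kv.group("val").strip()
    return sections


def launch_commands(sections: dict[str, dict[str, str]]) -> dict[str, str]:
    """Every directive that runs code: open=, shellexecute=, shell\\<verb>\\command=."""
    cmds: dict[str, str] = {}
    for name, kv in sections.items():
        if name != "autorun" and not name.startswith("autorun."):
            continue  # [autorun.<arch>] sections count, anything else does not
        for key, val in kv.items():
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                cmds[key] = val
    return cmds


def triage(text: str) -> dict:
    """Verdict plus the reasons, for the analyst looking at a leftover autorun.inf."""
    sections = parse_autorun_inf(text)
    cmds = launch_commands(sections)
    auto = sections.get("autorun", {})
    findings = []
    if any(HIDDEN_DIR_RE.search(v) for v in cmds.values()):
        findings.append("payload sits in a folder Explorer hides by default")
    if cmds and "open folder" in auto.get("action", "").lower():
        findings.append("action= text imitates Explorer's default menu entry")
    if cmds and "shell32.dll" in auto.get("icon", "").lower():
        findings.append("icon= borrowed from shell32.dll so the drive looks plain")
    if any(k.startswith("shell\\") for k in cmds):
        findings.append("shell\\<verb>\\command hijacks Open/Explore, so double-click runs it too")
    verdict = "clean" if not cmds else ("suspicious" if findings else "launches code")
    return {"launches": cmds, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("infected", INFECTED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample))
```

Point triage() at the text of a real autorun.inf (read it with the stick mounted on a system that has Autorun disabled, or from a *nix box as nwrickert does) and the "launches" entry names the EXE the AV already removed, which is the filename to search for on every other machine the stick has visited.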

antdude (Matrix Ant, Premium Member, US, join:2001-03-25)

said by HA Nut:

I ran across one of these USB flash drive pains in the @$$e$ tonight. It was transferred to the drive at one of the local high schools.

The good... the home laptop the student plugged the drive into had up-to-date Avast on it. It nabbed the EXE file and he did the right thing by deleting the file to the virus chest.

The semi-bad... he didn't say anything to anyone and he plugged the drive into another PC. This PC had NOD32 on it. NOD saw the left over autorun.inf file that referred to the EXE and NOD then went berserk.

So in the end, both AVs came through and nailed the nasty. I put Mr. Castner's autorun.inf folder fix onto the drive and sent the student back on his way. I also told him to alert the IT person at the school about the nasty but he said they really don't seem to care much about security.

Which means others will spread the thing around...
Reminds me of a stealth virus during my college computer lab days. Had to use McAfee's DOS virus scanner to clean up that crap! The infection spread like crazy! It spread through 3.5" disks even if you only typed A:.
mysec (Premium Member, join:2005-11-29)

It's much easier to clean up computer lab machines these days! - the schools I've been involved with use Deep Freeze, where all changes to the system are removed upon reboot.

----

ironwalker (World Renowned, MVM, Keansburg, NJ, join:2001-08-31) to Mannus
said by Mannus:

I like my autorun.
So does Sony.
ironwalker (MVM) to slajoh01
I would also disable autorun on CD and DVD drives. There are still DVDs out there with crap like what Sony put out.

Better safe than sorry, and this holds true for the future.

As mentioned above, just open the disc through My Computer or explore the disc through My Computer.

If it's a music disc, get to it through your player's File tab.
Same for a DVD movie.
mysec (Premium Member, join:2005-11-29)

With the Sony CD -- did the software install automatically via AutoRun.inf, or was the user prompted to OK the installation? I was never clear on that point...

----