US-CERT alert on autorun

nwrickert (Mod, join:2004-09-04, Geneva, IL)

said by alert:
    Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability.
and
    To effectively disable AutoRun in Microsoft Windows, import the following registry value:

        REGEDIT4
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
        @="@SYS:DoesNotExist"

The alert is dated "Tuesday 20 January 2009 22:43:34", and will probably show up on various security mailing lists. I read it in comp.security.announce (usenet).

Its a Secret (Premium Member, join:2008-02-23, Da wet coast)

Thanks for that.

Nimbus (Premium Member, join:2008-11-27, Moreno Valley, CA) to nwrickert

Thanks. Full-color illustrated alert is here:

»www.us-cert.gov/cas/tech ··· 20A.html

An interesting article is referenced that dates back to last April before Downadup created this sense of urgency:

»www.cert.org/blogs/vuls/ ··· run.html
OZO (Premium Member, join:2003-01-17) to nwrickert

If this registry tweak is applied:
1) you'll not see the icon associated with a particular CD/DVD product;
2) you'll not see any menu items that may help you to work with the CD/DVD. For example, the Office Pro 2003 disk offers two right-click menu items, "Configure..." and "Install...", and you won't see them anymore;
3) you have to reboot the computer in order to make it effective (and vice versa).

I prefer another simple solution: setting the NoDriveTypeAutoRun value from the Windows Explorer | Tools | Folder Options... | View | Advanced settings menu. See my last post at the end of this thread.

You may turn autorun functionality on and off by modifying the value:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun"=dword:FF

If you block autorun with the NoDriveTypeAutoRun registry value:
1) you'll see the icon associated with a particular CD/DVD product;
2) you'll see new menu items that may help you to work with the CD/DVD;
3) you will see the effect immediately, no computer restart is required.

The drawback is that it's still possible to execute the autorun action if:
1) you double-click the CD/DVD drive in the right panel of WE;
2) you click the CD/DVD drive in Start | My Computer.

See more details in this thread also.

m$ could be very stubborn in fixing some obvious problems with its software...

norwegian (Premium Member, join:2005-02-15, Outback)

In reference to the screenshot in this link, OZO, you mention the disable function in the choices for folder options.

One question I have. How do you get the "My Personal Settings" to show? Is that a Vista option? I do not have it in XP pro and never have.
Mele20 (Premium Member, join:2001-06-05, Hilo, HI)

said by norwegian:
    In reference to the screenshot in this link, OZO, you mention the disable function in the choices for folder options.

    One question I have. How do you get the "My Personal Settings" to show? Is that a Vista option? I do not have it in XP pro and never have.
I've never seen that either in XP or Vista. I thought you do in TweakUI for XP. What do you need these registry items for? Why wouldn't you open from MyComputer? It won't autoplay. You wanna totally break CDRom and DVD players. Do that STUPID fix. Guaranteed to break functionality and so will ANY OTHER fix that works 100% of the time. You should just use common sense and never insert a CD that you don't know for sure is clean. How is connecting your external USB drive or your USB printer going to cause arbitrary code to be run using AutoRun???

nwrickert (Mod, join:2004-09-04, Geneva, IL) to OZO

said by OZO:
    If this registry tweak is applied:
    1) you'll not see the icon associated with a particular CD/DVD product;
    2) you'll not see any menu items that may help you to work with the CD/DVD. For example, the Office Pro 2003 disk offers two right-click menu items, "Configure..." and "Install...", and you won't see them anymore;
    3) you have to reboot the computer in order to make it effective (and vice versa).
Let's be clear here. You still see an icon for the CD/DVD drive, just not for the specific product.
You can still open that to see a list of files.
You can still click on the "setup" icon (among those files) to install the software.

This is how it should be, and how it should always have been.
said by OZO:
    You may turn autorun functionality on and off by modifying the value:

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
        "NoDriveTypeAutoRun"=dword:FF
According to the alert, there are problems with that:
said by alert:
    Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.
said by OZO:
    m$ could be very stubborn in fixing some obvious problems with its software...
I don't agree with "problems with its software" here. Rather, this is a malware injection point that was quite deliberately designed into the system by Microsoft.

I did not like Autorun in Win95. At that time I considered it quite dangerous. I still don't like it. The wonder is that this malware injection point is only now being heavily targeted.
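The three registry controls discussed in this thread (the US-CERT IniFileMapping entry, NoDriveTypeAutoRun, and the Cdrom driver's AutoRun switch that comes up further down) cover different things, and it is easy to believe a box is protected when only a partial one is set. The audit script below is an added example, not code from the thread or from US-CERT; it assumes a Windows host with PowerShell, reads the keys without changing anything, and decodes the NoDriveTypeAutoRun bitmask using the documented bit-per-drive-type layout.

```powershell
# Added example: report the state of each AutoRun control the thread mentions.
# Read-only; HKLM reads do not need elevation.
$report = [ordered]@{}

# 1. The US-CERT mapping. Windows parses Autorun.inf through IniFileMapping, so
#    pointing the mapping at a key that does not exist makes every autorun.inf
#    a no-op for every drive type, including the drive double-click path.
$mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$mapVal = $null
if (Test-Path $mapKey) {
    $mapVal = (Get-ItemProperty -Path $mapKey -ErrorAction SilentlyContinue).'(default)'
}
$report['IniFileMapping\Autorun.inf'] = if ($mapVal -eq '@SYS:DoesNotExist') { 'set (autorun.inf ignored everywhere)' } else { 'NOT set' }

# 2. NoDriveTypeAutoRun: a bitmask of drive types excluded from AutoRun/AutoPlay
#    (bit = 1 shl DRIVE_* constant). 0xFF excludes them all, but per the alert
#    autorun.inf is still honoured when the user opens the drive in Explorer.
$driveTypes = @{ 1 = 'unknown'; 2 = 'no root dir'; 4 = 'removable'; 8 = 'fixed'
                 16 = 'network'; 32 = 'CD-ROM'; 64 = 'RAM disk'; 128 = 'unrecognised' }
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mask = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $mask) {
    $report['NoDriveTypeAutoRun'] = 'not set (Windows default applies)'
} else {
    $excluded = $driveTypes.Keys | Sort-Object | Where-Object { ($mask -band $_) -ne 0 } |
                ForEach-Object { $driveTypes[$_] }
    $report['NoDriveTypeAutoRun'] = '0x{0:X2}: excludes {1}' -f $mask, ($excluded -join ', ')
}

# 3. The CD-ROM driver switch: AutoRun=0 turns off media change notification,
#    so it affects optical drives only, never USB sticks or other removable media.
$cdKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'
$cdAuto = (Get-ItemProperty -Path $cdKey -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
$report['Cdrom\AutoRun'] = if ($cdAuto -eq 0) { '0 (optical media-change notification off)' } else { 'on (default)' }

$report.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }
```

Only the first line of the output reflects the fix the alert actually recommends; the other two lines tell you which partial control, if any, is in place.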

norwegian (Premium Member, join:2005-02-15, Outback) to Mele20

said by Mele20:
    I've never seen that either in XP or Vista. I thought you do in TweakUI for XP.
That is how I usually do it.
said by Mele20:
    What do you need these registry items for? Why wouldn't you open from MyComputer? It won't autoplay. You wanna totally break CDRom and DVD players. Do that STUPID fix. Guaranteed to break functionality and so will ANY OTHER fix that works 100% of the time. You should just use common sense and never insert a CD that you don't know for sure is clean. How is connecting your external USB drive or your USB printer going to cause arbitrary code to be run using AutoRun???
The problem faced here, Mele, is not always just CD/DVD or USB. What of some scripting on a site that invokes the command?

I understand all the issues with my hardware in retrospect, but it is a vector not unlike Internet Explorer and its ties to the system. It is a simple command that can be run at any time on any media, be it your browser or be it a CD. There are settings that need modifying from default.

Someone please comment and elaborate if I am wrong and missed all the topics here on the subject.

rcdailey (Premium Member, join:2005-03-29, Rialto, CA)

For the life of me, I don't know how you would know that a CD is clean without putting it into a drive and viewing the contents. That is a nonsensical statement. The only thing you might know is that you got the CD from a "trusted source." That would not guarantee that it would be safe, however. There is no absolute guarantee of that.

Florida Dan (Premium Member, join:2001-07-06, Boynton Beach, FL) to nwrickert

Okay, I am totally confused. Between home and work, I am running four XP boxes and none of them autoplay or autorun my USB stick. They all first ask me what I want to do with it, and I have not altered any settings or done any registry tweaks. What am I missing?

Thug21 (Premium Member, join:2005-08-21)

I'm a little confused here. Does this mean that disabling autorun via Tweak UI isn't enough?

Florida Dan (Premium Member, join:2001-07-06, Boynton Beach, FL)

said by Thug21:
    I'm a little confused here. Does this mean that disabling autorun via Tweak UI isn't enough?
Sorry to add to the confusion Thug21. My guess is that disabling autorun via Tweak UI is enough but I was wondering why it is necessary when I am always prompted first about what to do with my USB stick.

Drunkula (Premium Member, join:2000-06-12, Denton, TX)

said by Florida Dan:
    said by Thug21:
        I'm a little confused here. Does this mean that disabling autorun via Tweak UI isn't enough?
    Sorry to add to the confusion Thug21. My guess is that disabling autorun via Tweak UI is enough but I was wondering why it is necessary when I am always prompted first about what to do with my USB stick.
Actually that pop-up is a form of auto-run. The malware poses as a legitimate option (replaces it) with "Open to view files...". Disabling autorun should stop the pop-up from occurring.

EDIT for clarification:
You may think you are opening the device for browsing but you could be invoking the malware instead. It is a convincing looking screen.

nwrickert (Mod, join:2004-09-04, Geneva, IL) to Florida Dan

said by Florida Dan:
    Between home and work, I am running four XP boxes and none of them autoplay or autorun my USB stick.
They won't autorun unless there is an "autorun.inf" file there.

The problem is that by the time you discover that the USB stick has been set up to invoke "autorun", it is too late.

JTM1051 (MVM, join:2000-07-08, Terrell, TX) to Drunkula

said by Drunkula:
    ... You may think you are opening the device for browsing but you could be invoking the malware instead. It is a convincing looking screen. ...
Screenshot below from the "Downandup/Conficker worm infects 9 million PCs" article at Yahoo! Tech.

[screenshot not reproduced]

"...Look closely at the screenshot above and you'll see two entries for "Open folder to view files." The one at the top is a phony entry that actually installs the virus on your machine... but of course it's the default selection that pops up when you plug in a drive. ..."

The US-CERT article screenshot (Win XP)

[screenshot not reproduced]

(link in Nimbus' post above) is a little different from the Yahoo! Tech (Vista?) screenshot.

Florida Dan (Premium Member, join:2001-07-06, Boynton Beach, FL) to Drunkula

said by Drunkula:
    Actually that pop-up is a form of auto-run.
Are you saying that malware, I assume in the form of an .exe file, could be triggered by this pop-up?

Edit: Never mind, I get it now. The malware places a second entry in the pop-up window, clicking upon which launches it.

Autorunhater (Anon, @velia.net) to nwrickert

For those who would like an example, do this:

On a USB stick put an autorun.inf file with this content:

    [autorun]
    shellexecute=calc.exe
    useautoplay=1

Then remove and insert. Surprise...

Think if calc.exe was verybad.exe.

The US-CERT fix will fix this one and many other variants.

Don't get confused by the word autoplay here; this is one of MANY ugly examples of misuse of Autorun.

Happy Autorunning
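Reading the autorun.inf off a suspect stick before Windows does is the defender's version of the test above. The triage function below is an added example, not part of Autorunhater's post: it parses the [autorun] section and reports which directives would launch something or dress up the AutoPlay prompt. The sample file is constructed: the calc.exe example above plus an action= line, which is the key that produces a misleading "Open folder to view files" entry like the one Drunkula and JTM1051 describe.

```powershell
# Added example: list what an autorun.inf would make Windows do. Parsing is
# case-insensitive, skips ';' comments, and only honours the [autorun] section.
function Get-AutorunInfFindings {
    param([string[]]$Lines)
    $section = ''
    $entries = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }          # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun' -or $line -notmatch '=') { continue }   # other sections are inert
        $key, $value = $line -split '=', 2
        $entries[$key.Trim().ToLower()] = $value.Trim()
    }
    $findings = @()
    foreach ($k in 'open', 'shellexecute') {
        if ($entries[$k]) { $findings += "$k= launches '$($entries[$k])' on AutoRun or drive double-click" }
    }
    foreach ($k in @($entries.Keys) | Where-Object { $_ -like 'shell\*\command' }) {
        $findings += "$k= runs '$($entries[$k])' as a context-menu verb"
    }
    if ($entries['shell'])  { $findings += "shell= makes '$($entries['shell'])' the default double-click verb" }
    if ($entries['action']) { $findings += "action= shows custom AutoPlay text '$($entries['action'])'" }
    if ($entries['useautoplay'] -eq '1') { $findings += 'useautoplay=1 forces the AutoPlay prompt path' }
    return $findings
}

# Constructed sample: the thread's calc.exe file plus a spoofed AutoPlay label.
$sample = @'
[autorun]
shellexecute=calc.exe
useautoplay=1
action=Open folder to view files
'@ -split "`r?`n"

Get-AutorunInfFindings -Lines $sample
```

To check a real stick, replace the sample with `Get-Content E:\autorun.inf` (drive letter as appropriate) without opening the drive in Explorer first.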

Question Mark (Anon, @anonymouse.org)

"Sys:DoesNotExist" is the only Recommended Solution, is what Public Safety Canada says:

Those who want to read more, here is the link:

»www.publicsafety.gc.ca/p ··· eng.aspx.

Much good stuff.

(if you don't like anonymous posters, don't tell anybody that you read it, )

Thug21 (Premium Member, join:2005-08-21)

What about unchecking all the autoplay drive letters in TweakUI?

I heard that uses NoDriveAutoRun, which isn't mentioned on that site.

Autorunhater (Anon, @anonymouse.org)

Thug21:

No, not if you want to stay safe.
Do it and try my example.
NullMaster (Member, join:2000-08-24, Minneapolis, MN) to nwrickert

I disabled this via a group policy network wide about a month ago after a user was infected with autorun. It is set in the Group Policy editor under the computer configuration > Administrative Templates > System (Turn Off Autoplay) Set it Enabled for All drives. The group policy is applied to workstations not users.

I tried the test with creating an autorun.inf and calc didn't run. I have also noticed that since we applied the policy, install CDs no longer autorun and we no longer get the dialogue box that asks what we want to do when we insert CDs or USB sticks.

It appears that the group policy does work. Anyone care to offer an opinion if this is sufficient protection?

[EDIT]

I just answered my own question - NO! If I double click on the USB stick in My computer it launches calc. #$@@@!

regards,
rotbay

Autorunexpert (Anon, @velia.net)


Reread the Canadian article linked to some posts ago. Then you don't need to ask any questions.
OZO (Premium Member, join:2003-01-17) to norwegian

said by norwegian:
    In reference to the screenshot in this link, OZO, you mention the disable function in the choices for folder options.

    One question I have. How do you get the "My Personal Settings" to show? Is that a Vista option? I do not have it in XP pro and never have.
Oh, it's simple. I've downloaded "WE_TMenu_DisableAutoRun" registry file from this site and run it on my WXP computers.

Thug21 (Premium Member, join:2005-08-21) to Autorunhater

said by Autorunhater:
    Thug21:

    No, not if you want to stay safe.
    Do it and try my example.
I tried this and my cursor just blinked a bit when I put the USB drive back in. I don't see anything else and there is no popup.

Ad Infinitum (Anon, @anonymouse.org)


Thug:

Then you are protected against this VERY special variant.

'Default' users get the program running without a question or pop-up at all when inserting the USB stick.

But there is only one safe method against this, referred to by the OP. Take it or leave it.

Good luck.

I have used the final solution for a long time with NO adverse effects.

If you are afraid, rest assured it can be reversed.

Florida Dan (Premium Member, join:2001-07-06, Boynton Beach, FL) to Nimbus

Colleagues--my apologies for taking up your time with comments and questions that could have been avoided if I had only followed the link in Nimbus' initial post in this topic. I have done so at last and the situation is now clear to me. I encourage others to do so as well.

chrisretusn (Premium Member, join:2007-08-13, Philippines) to Mele20

said by Mele20:
    What do you need these registry items for? Why wouldn't you open from MyComputer? It won't autoplay. You wanna totally break CDRom and DVD players. Do that STUPID fix. Guaranteed to break functionality and so will ANY OTHER fix that works 100% of the time. You should just use common sense and never insert a CD that you don't know for sure is clean. How is connecting your external USB drive or your USB printer going to cause arbitrary code to be run using AutoRun???
The CD and DVD will still play; it does not break their functionality, it just requires you, the user, to initiate it.

Say you take your camera memory stick down to the photo shop to get some pictures developed. You plug it back into your camera and take some new pictures. Then you plug your camera into your computer to download those new pictures to your favorite photo program. Meanwhile, in the background, a new virus just installed itself on your computer via autorun.inf and also added an autorun.inf to every hard drive it found on your system, including any connected external hard drives or USB sticks.

mrknowitall (Anon, @anonymouse.org) to nwrickert

I've always used this key:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
    "AutoRun"=dword:00000000

Am I safe?
Mele20 (Premium Member, join:2001-06-05, Hilo, HI) to Autorunhater

I can't try that because I don't have a USB stick and don't intend to get one.

No one has convinced me that I need to do anything more than disable autoplay through TweakUI for XP. Vista...looks to me like it would be much harder to have this autorun problem there. It handles autoplay a lot better than XP.

norwegian (Premium Member, join:2005-02-15, Outback) to mrknowitall

That is for a CD drive and yes I believe it is a good setting but the referenced link suggests turning it off for everything HDD/CD/DVD/USB