|
US-CERT alert on autorun
said by alert: Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability.
and quote: To effectively disable AutoRun in Microsoft Windows, import the following registry value:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
The alert is dated "Tuesday 20 January 2009 22:43:34", and will probably show up on various security mailing lists. I read it in comp.security.announce (usenet). |
|
Its a SecretPlease speak into the microphone Premium Member join:2008-02-23 Da wet coast |
Thanks for that. |
|
Nimbus Premium Member join:2008-11-27 Moreno Valley, CA |
to nwrickert
Thanks. Full-color illustrated alert is here: » www.us-cert.gov/cas/tech ··· 20A.html
An interesting article is referenced that dates back to last April before Downadup created this sense of urgency: » www.cert.org/blogs/vuls/ ··· run.html |
|
OZO Premium Member join:2003-01-17 |
to nwrickert
If this registry tweak is applied:
1) you'll not see icon associated with particular CD/DVD product;
2) you'll not see any menu items that may help you to work with CD/DVD. For example Office Pro 2003 disk offers two right click menu items - "Configure..." and "Install..." and you won't see them anymore.
3) you have to reboot computer in order to make it effective (and vice versa).
I prefer another simple solution - setting NoDriveTypeAutoRun value from Windows Explorer | Tools | Folder Options... | View | Advanced settings menu. See my last post at the end of this thread. You may turn on and off autorun functionality with modifying the value:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:FF
If you block autorun with NoDriveTypeAutoRun registry value:
1) you'll see icon associated with particular CD/DVD product;
2) you'll see new menu items that may help you to work with CD/DVD;
3) you will see effect immediately, no computer restart is required.
Drawback is - it is still possible to execute autorun action if:
1) you make double click on CD/DVD drive on the right panel of WE;
2) you make click in Start | My Computer on CD/DVD drive.
See more details in this thread also. m$ could be very stubborn in fixing some obvious problems with its software... |
|
norwegian Premium Member join:2005-02-15 Outback |
In reference to the screenshot in this link OZO you mention the disable function in the choices for folder options. One question I have. How do you get the "My Personal Settings" to show? Is that a Vista option? I do not have it in XP pro and never have. |
|
Mele20 Premium Member join:2001-06-05 Hilo, HI 2 edits |
Mele20
Premium Member
2009-Jan-21 8:42 am
said by norwegian: In reference to the screenshot in this link OZO you mention the disable function in the choices for folder options. One question I have. How do you get the "My Personal Settings" to show? Is that a Vista option? I do not have it in XP pro and never have.
I've never seen that either in XP or Vista. I thought you do in TweakUI for XP. What do you need these registry items for? Why wouldn't you open from MyComputer? It won't autoplay. You wanna totally break CDRom and DVD players. Do that STUPID fix. Guaranteed to break functionality and so will ANY OTHER fix that works 100% of the time. You should just use common sense and never insert a CD that you don't know for sure is clean. How is connecting your external USB drive or your USB printer going to cause arbitrary code to be run using AutoRun??? |
|
1 recommendation |
to OZO
said by OZO: If this registry tweak is applied: 1) you'll not see icon associated with particular CD/DVD product; 2) you'll not see any menu items that may help you to work with CD/DVD. For example Office Pro 2003 disk offers two right click menu items - "Configure..." and "Install..." and you won't see them anymore. 3) you have to reboot computer in order to make it effective (and vice versa).
Let's be clear here. You still see an icon for the CD/DVD drive, just not for the specific product. You can still open that to see a list of files. You can still click on the "setup" icon (among those files) to install the software. This is how it should be, and how it should always have been.
said by OZO: You may turn on and off autorun functionality with modifying the value:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:FF
According to the alert, there are problems with that:
said by alert: Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.
said by OZO: m$ could be very stubborn in fixing some obvious problems with its software...
I don't agree with "problems with its software" here. Rather, this is a malware injection point that was quite deliberately designed into the system by Microsoft. I did not like Autorun in Win95. At that time I considered it quite dangerous. I still don't like it. The wonder is that this malware injection point is only now being heavily targeted. |
|
norwegian Premium Member join:2005-02-15 Outback |
to Mele20
said by Mele20: I've never seen that either in XP or Vista. I thought you do in TweakUI for XP.
That is how I usually do it.
said by Mele20: What do you need these registry items for? Why wouldn't you open from MyComputer? It won't autoplay. You wanna totally break CDRom and DVD players. Do that STUPID fix. Guaranteed to break functionality and so will ANY OTHER fix that works 100% of the time. You should just use common sense and never insert a CD that you don't know for sure is clean. How is connecting your external USB drive or your USB printer going to cause arbitrary code to be run using AutoRun???
The problem faced here Mele is not always just CD/DVD or USB. What of some scripting on a site that invokes the command? I understand all the issues with my hardware in retrospect but it is a vector not unlike Internet Explorer and its ties to the system. It is a simple command that can be run at any time on any media be it your browser, or be it a CD. There are settings that need modifying from default. Someone please comment and elaborate if I am wrong and missed all the topics here on the subject. |
|
rcdaileyDragoonfly Premium Member join:2005-03-29 Rialto, CA |
rcdailey
Premium Member
2009-Jan-21 10:40 am
For the life of me, I don't know how you would know that a CD is clean without putting it into a drive and viewing the contents. That is a nonsensical statement. The only thing you might know is that you got the CD from a "trusted source." That would not guarantee that it would be safe, however. There is no absolute guarantee of that. |
|
Florida Dan Premium Member join:2001-07-06 Boynton Beach, FL |
to nwrickert
Okay, I am totally confused. Between home and work, I am running four XP boxes and none of them autoplay or autorun my USB stick. They all first ask me what I want to do with it, and I have not altered any settings or done any registry tweaks. What am I missing? |
|
Thug21Just Chillin' Premium Member join:2005-08-21 |
Thug21
Premium Member
2009-Jan-21 11:26 am
I'm a little confused here. Does this mean that disabling autorun via Tweak UI isn't enough? |
|
Florida Dan Premium Member join:2001-07-06 Boynton Beach, FL |
said by Thug21: I'm a little confused here. Does this mean that disabling autorun via Tweak UI isn't enough?
Sorry to add to the confusion Thug21. My guess is that disabling autorun via Tweak UI is enough but I was wondering why it is necessary when I am always prompted first about what to do with my USB stick. |
|
Drunkula Premium Member join:2000-06-12 Denton, TX 1 edit |
Drunkula
Premium Member
2009-Jan-21 12:53 pm
said by Florida Dan: said by Thug21: I'm a little confused here. Does this mean that disabling autorun via Tweak UI isn't enough?
Sorry to add to the confusion Thug21. My guess is that disabling autorun via Tweak UI is enough but I was wondering why it is necessary when I am always prompted first about what to do with my USB stick.
Actually that pop-up is a form of auto-run. The malware poses as a legitimate option (Replaces it) with "Open to view files...". Disabling autorun should stop the pop-up from occurring.
EDIT for clarification: You may think you are opening the device for browsing but you could be invoking the malware instead. It is a convincing looking screen. |
|
|
to Florida Dan
said by Florida Dan: Between home and work, I am running four XP boxes and none of them autoplay or autorun my USB stick.
They won't autorun unless there is an "autorun.inf" file there. The problem is that by the time you discover that the USB stick has been set up to invoke "autorun", it is too late. |
|
JTM1051 MVM join:2000-07-08 Terrell, TX
1 recommendation |
to Drunkula
said by Drunkula: ... You may think you are opening the device for browsing but you could be invoking the malware instead. It is a convincing looking screen. ...
Screenshot below from the Downandup/Conficker worm infects 9 million PCs article at Yahoo! Tech.
"...Look closely at the screenshot above and you'll see two entries for "Open folder to view files." The one at the top is a phony entry that actually installs the virus on your machine... but of course it's the default selection that pops up when you plug in a drive. ..."
The US-Cert article screenshot (Win XP) (link in Nimbus's post above) little different than the Yahoo! Tech (Vista?) screenshot. |
|
Florida Dan Premium Member join:2001-07-06 Boynton Beach, FL 1 edit |
to Drunkula
said by Drunkula: Actually that pop-up is a form of auto-run.
Are you saying that malware, I assume in the form of an .exe file, could be triggered by this pop-up?
Edit: Never mind, I get it now. The malware places a second entry in the pop-up window, clicking upon which launches it. |
|
|
Autorunhater to nwrickert
Anon
2009-Jan-21 1:46 pm
to nwrickert
For those who would like an example; do this: On a USB stick put an autorun.inf file with this content:
[autorun]
shellexecute=calc.exe
useautoplay=1
Then remove and insert. Surprise... Think if calc.exe was verybad.exe. The us-cert fix will fix this one and many other variants. Don't get confused by the word autoplay here, this is one of MANY ugly examples of misuse of Autorun. Happy Autorunning |
|
|
Question Mark
Anon
2009-Jan-21 3:03 pm
"Sys:DoesNotExist" is the only Recommended Solution, is what Public Safety of Canada say: Those who want to read more, here is the link: » www.publicsafety.gc.ca/p ··· eng.aspx. Much good stuff. (if you don't like anonymous posters, don't tell anybody that you read it, ) |
|
Thug21Just Chillin' Premium Member join:2005-08-21 |
Thug21
Premium Member
2009-Jan-21 3:19 pm
What about unchecking all the autoplay drive letters in TweakUI?
I heard that uses NoDriveAutoRun, which isn't mentioned on that site. |
|
|
Autorunhater
Anon
2009-Jan-21 3:33 pm
Thug21:
No, not if you want to stay safe. Do it and try my example. |
|
1 edit |
to nwrickert
I disabled this via a group policy network wide about a month ago after a user was infected with autorun. It is set in the Group Policy editor under the computer configuration > Administrative Templates > System (Turn Off Autoplay) Set it Enabled for All drives. The group policy is applied to workstations not users.
I tried the test with creating an autorun.inf and calc didn't run. I have also noticed that since we applied the policy, install CDs no longer autorun and we no longer get the dialogue box that asks what we want to do when we insert CDs or USB sticks.
It appears that the group policy does work. Anyone care to offer an opinion if this is sufficient protection?
[EDIT]
I just answered my own question - NO! If I double click on the USB stick in My computer it launches calc. #$@@@!
regards, rotbay |
|
|
Autorunexpert
Anon
2009-Jan-21 3:47 pm
Reread the Canadian article linked to some posts ago. Then you don't need to ask any questions. |
|
|
OZO Premium Member join:2003-01-17 |
to norwegian
said by norwegian: In reference to the screenshot in this link OZO you mention the disable function in the choices for folder options. One question I have. How do you get the "My Personal Settings" to show? Is that a Vista option? I do not have it in XP pro and never have.
Oh, it's simple. I've downloaded "WE_TMenu_DisableAutoRun" registry file from this site and run it on my WXP computers. |
|
Thug21Just Chillin' Premium Member join:2005-08-21 2 edits |
to Autorunhater
said by Autorunhater: Thug21: No, not if you want to stay safe. Do it and try my example.
I tried this and my cursor just blinked a bit when I put the USB drive back in. I don't see anything else and there is no popup. |
|
|
Ad Infinitum
Anon
2009-Jan-21 5:39 pm
Thug: Then you are protected against this VERY special variant. 'Default' users get the program running without a question or pop-up at all when inserting the USB-stick. But there is only one safe method against this, referred to by the OP. Take it or leave it. Good luck. I have used final solution for a long time with NO adverse effects. If you are afraid, rest assured it can be reversed. |
|
Florida Dan Premium Member join:2001-07-06 Boynton Beach, FL |
to Nimbus
Colleagues--my apologies for taking up your time with comments and questions that could have been avoided if I had only followed the link in Nimbus' initial post in this topic. I have done so at last and the situation is now clear to me. I encourage others to do so as well. |
|
chrisretusnRetired Premium Member join:2007-08-13 Philippines |
to Mele20
said by Mele20: What do you need these registry items for? Why wouldn't you open from MyComputer? It won't autoplay. You wanna totally break CDRom and DVD players. Do that STUPID fix. Guaranteed to break functionality and so will ANY OTHER fix that works 100% of the time. You should just use common sense and never insert a CD that you don't know for sure is clean. How is connecting your external USB drive or your USB printer going to cause arbitrary code to be run using AutoRun???
The CD and DVD will still play, it does not break the functionality of them it just requires you the user to initiate it. Say you take your camera memory stick down to the photo shop to get some pictures developed. You plug it back in to your camera, take some new pictures. Then plug your camera in to your computer to download those new pictures to your favorite photo program. Meanwhile, in the background a new virus just installed itself on your computer via autorun.inf and also added an autorun.inf to every hard drive it found on your system, including any connected external hard drives or USB sticks. |
|
|
mrknowitall to nwrickert
Anon
2009-Jan-21 6:59 pm
to nwrickert
i've always used this key
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000
am i safe? |
|
Mele20 Premium Member join:2001-06-05 Hilo, HI |
to Autorunhater
I can't try that because I don't have a USB stick and don't intend to get one. No one has convinced me that I need to do anything more than disable autoplay through TweakUI for XP. Vista...looks to me like it would be much harder to have this autorun problem there. It handles autoplay a lot better than XP. |
|
norwegian Premium Member join:2005-02-15 Outback |
to mrknowitall
That is for a CD drive and yes I believe it is a good setting but the referenced link suggests turning it off for everything HDD/CD/DVD/USB
|
|
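The three registry settings posted in this thread can be compared on a given machine with a read-only check. The script below is an added example, not part of any post or of the US-CERT alert; the expected values are the ones quoted in the thread, and the helper name Get-AutoRunSetting is an assumption.

```powershell
# Read-only audit of the AutoRun-related registry values quoted in this thread.
# Nothing is written. Get-AutoRunSetting is a hypothetical helper name.
$checks = @(
    @{ Name  = 'IniFileMapping\Autorun.inf default value (US-CERT alert)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
       Value = ''                      # empty name selects the key's default (@) value
       Want  = '@SYS:DoesNotExist' },
    @{ Name  = 'NoDriveTypeAutoRun policy'
       Path  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'
       Want  = 0xFF },
    @{ Name  = 'Cdrom service AutoRun'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'
       Value = 'AutoRun'
       Want  = 0 }
)

function Get-AutoRunSetting {
    param([hashtable]$Check)

    # A missing key and a missing value are both reported as "not set".
    $key    = Get-Item -LiteralPath $Check.Path -ErrorAction SilentlyContinue
    $actual = $null
    if ($key) { $actual = $key.GetValue($Check.Value, $null) }

    if ($null -eq $actual) { $shown = '<not set>' }
    elseif ($actual -is [int]) { $shown = '0x{0:X}' -f $actual }
    else { $shown = [string]$actual }

    New-Object psobject -Property @{
        Setting = $Check.Name
        Actual  = $shown
        Matches = [bool](($null -ne $actual) -and ($actual -eq $Check.Want))
    }
}

# Per the alert quoted in the thread, a matching NoDriveTypeAutoRun alone does not
# stop autorun.inf from being honoured when the drive icon is clicked in Explorer;
# the IniFileMapping row is the one the alert describes as effective.
$checks | ForEach-Object { Get-AutoRunSetting -Check $_ } |
    Select-Object Setting, Actual, Matches | Format-Table -AutoSize
```

A row showing `<not set>` for the IniFileMapping entry means autorun.inf files are still being parsed, whatever the other two rows report.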