

EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

 Blocking autorun

Scott Dunn and Fred Langa's newsletter had a handy article on preventing autoruns from executing on media inserted or attached to a PC. It seems that disabling autoplay through Explorer doesn't prevent autoplay from working in all cases. Scott has a registry entry that supposedly closes the vulnerability.

said by newsletter :

I was able in just a few minutes to make an AutoRun file that would run, even with AutoPlay disabled in XP and "take no action" selected in Vista.

... The exploit involves creating an autorun.inf file that adds a new default command to a USB flash drive's context menu. If you have "take no action" selected in Vista, the flash drive doesn't automatically launch any programs when first inserted. But double-clicking the flash drive icon in My Computer, for example, is all it takes to launch whatever commands are in autorun.inf (which the attacker has made the default command, in place of Open). ...

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Link to full article and instructions here.
--
My Flickr Gallery


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
  Useful to know. Thank you

Cudni


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

It's worth a post to note a nice little tutorial on autorun that was referenced and linked in the article. It tells how to tweak the autorun.inf file on a USB drive;
see here.
--
My Flickr Gallery

mysec
Premium
join:2005-11-29


1 edit
reply to EGeezer
For those interested, a less complicated solution for preventing autoruns from installing programs:
any program with execution protection will do the job.

I find this useful on family computers, where the parents control the installation of programs.

Some tests:

»www.urs2.net/rsj/computing/tests/autorun/

edit: spelling

----
rich


Anon Name

@telus.net

from:
antdude See Profile

reply to EGeezer
Why not just do this?



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
read the bit about the exploit in the 1st post

Cudni


Anon Name

@telus.net

reply to EGeezer
Is that for SONY rootkits or what?
I'd be the weakest link with CD security.
I burn back-ups of my OS and insert blank media for burning.
I wouldn't dare put an AOL FREE disk or some trash like that, but I guess.....
As long as it doesn't screw-up the Vista built-in burning and CD sessions, Vista works good that way.


HA Nut
Premium
join:2004-05-13
USA

reply to EGeezer
As the article notes (and I noticed some time ago), even with autoplay defeated, if you double-clicked a CD drive's icon, it often fired up something via autoplay. What I do now is to right click and choose Explore instead of Open.

That said, it's nice to know how to permanently block autoplay...


Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30
clubs:

reply to Anon Name
said by Anon Name :

As long as it doesn't screw-up the Vista built-in burning and CD sessions, Vista works good that way.
Please read the article as you have been politely asked already. Auto Runs has absolutely NOTHING to do with CD Burning.
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?

brianiscool

join:2000-08-16
Miami, FL
reply to EGeezer
Easy create your own snap-in security scope.


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

said by brianiscool See Profile :

Easy create your own snap-in security scope.
Now that little gem gets the "most helpful" trophy..

Did you ever remember what that admin password was?
--
My Flickr Gallery


Wildcatboy
Premium,Mod
join:2000-10-30
Toronto, ON

Host:
Security Product V..
Security

1 edit
reply to EGeezer

It seems that a lot of people, including a few in this thread, not to mention the author of the article, mix up AutoPlay and AutoRun. They are not the same.

said by EGeezer See Profile :

It seems that disabling autoplay through Explorer doesn't prevent autoplay from working in all cases.
Not entirely true, disabling it should disable AutoPlay but it won't disable AutoRun, which should be obvious.

said by newsletter :

I was able in just a few minutes to make an AutoRun file that would run, even with AutoPlay disabled in XP and "take no action" selected in Vista.
Of course he was. Disabling AutoPlay has nothing to do with AutoRun. It's not an exploit. It's a feature.

Microsoft introduced the AutoRun specification in Windows 95. AutoPlay is as new as XP. AutoRun worked long before AutoPlay even existed. What makes you think disabling AutoPlay would or should disable AutoRun?
--
You can catch the Devil, but you can't hold him long.


Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30
clubs:

said by Wildcatboy See Profile :

Microsoft introduced the AutoRun specification in Windows 95. AutoPlay is as new as XP. AutoRun worked long before AutoPlay even existed. What makes you think disabling AutoPlay would or should disable AutoRun?
I've got "something" like AutoPlay in Windows 95. It is only changeable when Tweak UI is installed or by editing the Registry.


Tweak UI on Windows 95



Where does AIN (Auto Insert Notification) come in? I kill that and it stops Windows from even seeing a CD/DVD insert event. I know to F5 or Refresh to see the change.


AIN checkbox under Hardware Manager


AutoRun, Auto insert, and AutoPlay
»www.base40.com/cdtTipAutoRun.htm

Regards,

Doctor Olds
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?


Wildcatboy
Premium,Mod
join:2000-10-30
Toronto, ON

Host:
Security Product V..
Security
reply to EGeezer

You don't need software to stop Autorun. I have a .reg file on my desktop like this:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000
Copy it to notepad, rename it to whatever.reg. In my case Autorun.reg

If I need to insert a CD or DVD, I just double click it. Autorun is disabled, insert the CD, examine it and if it's OK, I just change the dword to dword:00000001 , save the file and double-click it again. Autorun is enabled again.

As for disabling AutoRun for USB media, I really see no reason for it. I use the Autorun.inf extensively on my USB stick to create right click menus, have TrueCrypt automatically start and ask for password, etc...

The only USB media that gets connected to my laptop is mine, so what's the point?
--
You can catch the Devil, but you can't hold him long.


Anon Name

@telus.net

reply to EGeezer


So what if I add my CD rom model to this list?

like so...



Wildcatboy
Premium,Mod
join:2000-10-30
Toronto, ON

Not recommended. Messing with that list may cause your CD-ROM drives to stop working properly.
--
You can catch the Devil, but you can't hold him long.


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage


2 edits
reply to Wildcatboy
WCB, thanks for the registry tweak! Unfortunately, unlike yourself, others may use a PC and want to do things like store documents, run portable apps etc. The possibility of an infected drive being unintentionally connected is a real issue with many people.

Some questions, hope somebody can provide solutions;

1) Will this tweak be permitted by the OS when a limited user is logged onto the machine?

2) Would this work for USB attached drives? If so, what reg entry would disable autorun for flash drives while not messing up other attached drives or devices?

3) Would such a registry tweak cause problems if the flash (or external CD) drive were inserted in a different port on the PC, or other drives are also attached?

4) The reg tweak looks good for the CD drive, I wonder if there could be a little program with a radio button to make the registry changes. Assuming a limited or power user could use it, an "enable/disable" button might be handy.

Lots of good feedback to the article - thanks all!
--
My Flickr Gallery


Wildcatboy
Premium,Mod
join:2000-10-30
Toronto, ON

Host:
Security Product V..
Security
OK, here's the situation. We have an article written by someone who doesn't have a clear understanding of how things work, creating unnecessary panic among those who are unclear about how things work. Let's see if I can help.

said by EGeezer See Profile :

WCB, thanks for the registry tweak! Unfortunately, unlike yourself, others may use a PC and want to do things like store documents, run portable apps etc.
I do all of that. In fact I do nothing but.

I think instead of answering your questions one by one, I should first explain how things work when it comes to autorun.inf. Once you know a bit more about that, you may not care about some of those questions.

autorun.inf was designed to be included on CDs. Sure, it does work on just about any kind of drive, including your hard drive and even mapped Network drives, if you know how to get it to work, but what you're afraid of (launching an application without your interaction) can only work if the file resides on a CD/DVD or media that emulates CD media. In other words almost every command in autorun.inf works on a USB drive except

Open=whatever.exe

unless it is accompanied by:

Action=Whatever

in which case you'll get the AutoPlay pop up, asking you whether you want to run it using "whatever". It's not going to be automatic.

Now, I'm sure someone is going to show up and say they have a USB drive with autorun.inf that actually does run an application automatically. The answer is yes, however all those USB drives have two partitions, a large one formatted as FAT and a tiny one formatted as CDFS. Windows reads the CDFS partition, assumes it's a CD and then runs the autorun.inf which resides on that partition.

Now if your USB drive doesn't have one of those partitions, you have nothing to worry about. I highly doubt anyone would go through the expense of handing out USB sticks just so they can get you to run their virus, when emailing you the virus would be much easier and far cheaper. Besides, once the partition emulates a CD, Windows thinks of it as a CD and the tweak I mentioned would apply, which means no luck for Autorun.

Now, I guess the answer is clear as to why the tweak I provided would only work for CD/DVD drives and ignores the rest. And to answer one of your questions, no, limited user accounts can't modify the registry but then again, neither can the virus they're going to try to run. There's probably a way around it by modifying the permissions on your registry keys to get it to work for your limited users but the dangers of doing that wrong far outweigh not doing it at all.

Remember, even the infamous Sony DRM Rootkit wouldn't affect the limited user accounts. Power users are a different beast altogether. Don't use them.

Your last question, I can't really answer. I can tell you about security but when it comes to security apps, I can't be of much help as I hardly use or look for them. I doubt there's one that would do what you're asking but what do I know.

Now, there's more I should tell you to help answer your other questions but that requires another long post. I promise to do that a bit later.
--
You can catch the Devil, but you can't hold him long.
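
An added example, not part of any post in this thread: a small Python auditor for an autorun.inf file that reports which entries can start a program. It covers the default-verb trick quoted from the newsletter in the first post and the Open=/Action= pair described in the post above. The sample file contents, file names and severity labels are constructed for illustration.

```python
import re

# Constructed sample (not from a real drive): a custom context-menu verb is
# made the default, so double-clicking the drive icon would run its command.
SAMPLE = r"""
[autorun]
; constructed example
action=Open folder to view files
open=setup.exe
shell\browse=&Open
shell\browse\command=tools\helper.exe /quiet
shell=browse
icon=drive.ico
"""

def parse_autorun(text):
    """Return key/value pairs of the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit_autorun(text):
    """List (severity, message) findings for entries that can start a program."""
    e = parse_autorun(text)
    findings = [("high", f"{k}= launches: {e[k]}")
                for k in ("open", "shellexecute") if k in e]
    # shell\<verb>\command=... attaches a command to a context-menu verb
    verbs = {}
    for key, value in e.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            verbs[m.group(1)] = value
    for verb, cmd in verbs.items():
        findings.append(("medium", f"context-menu verb '{verb}' runs: {cmd}"))
    # shell=<verb> replaces Open as the double-click default
    default = e.get("shell", "").lower()
    if default in verbs:
        findings.append(("high", f"double-click default is '{default}': {verbs[default]}"))
    if "action" in e and "open" in e:
        findings.append(("info", f"AutoPlay prompt text: {e['action']}"))
    return findings
```

Calling `audit_autorun()` on the text of an autorun.inf copied from a drive (opened in a text editor or via Explore, not by double-clicking the drive) gives a list of findings to review before the media is trusted.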


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
Interesting topic here: »Trojan Found In New HDs Sold In Taiwan
--
My Flickr Gallery


jmorlan
Hmm... That's funny.
Premium
join:2001-02-05
Pacifica, CA
·Pacific Bell - SBC

reply to Wildcatboy
said by Wildcatboy See Profile :

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000
Copy it to notepad, rename it to whatever.reg. In my case Autorun.reg
This setting also disables auto-insert notification so CDs will not refresh when a new CD is inserted, nor will they refresh when F5 is pressed. It took quite a while for me to figure out why explorer was showing the contents of the previous CD after a new one had been inserted.

For this reason I leave that registry key set to "1" and disable autorun for individual drives using TweakUI. This leaves auto-insert notification functional while disabling autorun for those drives.