Wilders Security Forums  

#1  September 13th, 2009, 10:56 AM
ronjor (Global Moderator; Join Date: Jul 2003; Location: Texas; Posts: 46,201)
AutoPlay Windows 7 behavior backported

Quote:
Back in April we talked about the Windows 7 improvements in AutoPlay that disable certain functionality which has been abused by malware (like Conficker). We also mentioned that these changes would be backported to down-level platforms. On August 25th this functionality was made available for Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. Please visit the following KB article for more information and how to download the updates: http://support.microsoft.com/kb/971029
Microsoft
#2  September 14th, 2009, 02:51 AM
Rmus (Exploit Analyst; Join Date: Mar 2005; Posts: 3,624)
Re: AutoPlay Windows 7 behavior backported

Those who followed the Conficker saga know that much of the success of the variant that exploited USB was due to trickery with AutoPlay/AutoRun. A number of analyses picked up on this. An early one from January:

Conficker's autorun and social engineering
http://isc.sans.org/diary.html?storyid=5695

Note that the authors of Conficker have not invented anything -- this "feature" is well-documented, and like many features in software, it can be exploited for bad purposes.

By April, Microsoft had decided "enough is enough" and implemented a change in Windows 7:

AutoRun changes in Windows 7
http://blogs.technet.com/srd/archive...windows-7.aspx
Quote:
In order to help prevent malware from spreading (such as Conficker) using the AutoRun mechanism, the Windows 7 engineering team made two important changes to the product:

AutoPlay will no longer support the AutoRun functionality for non-optical removable media. In other words, AutoPlay will still work for CD/DVDs but it will no longer work for USB drives. For example, if an infected USB drive is inserted on a machine then the AutoRun task will not be displayed. This will block the increasing social engineer threat...
So, we now have this welcome fix available for WinXP. I just installed it and can confirm that it works.

To test: Prior to installing the fix, I set up a USB drive with an autorun.inf file to run a batch file and launch notepad:

Code:
[autorun]
icon=lilguy.ico
open=hello.bat
action=Click "OK"
shell\open\command=hello.bat
Code:
hello.bat
---------
rem=howdy
start notepad.exe
pause

My USB flash drive is not the U3-Smart drive type, so the autorun.inf file will not execute automatically. Rather, the AutoPlay Prompt box will display, encouraging me to run the program from the drive:

[Attached image: usbXP-autoplayprompt.gif]

If I respond accordingly, the executable file will run:

[Attached image: usbXP-autorun.gif]

From the sans.org Diary, you see that Conficker was sneakier with the type of icon it displayed, helping to trick the user.

There was another danger: if the user closes out the AutoPlay Prompt and accesses the drive using My Computer, the autorun.inf file will still run its code as above. This is because Windows writes the autorun.inf commands to the Registry where information for mounted drives is stored. The "Open" command makes Windows execute the autorun.inf instructions when clicking to open the drive icon in My Computer:

[Attached image: usbXP-mpts.gif]

After installing the fix, I connected the same USB flash drive, and now, there is no option to run the file from the AutoPlay prompt box:

[Attached image: usbXP-autoplayprompt2.gif]

What about the danger from clicking on the drive icon in My Computer? Windows no longer writes the autorun.inf instructions to the Registry:

[Attached image: usbXP-mpts2.gif]

This is a welcome change. Opening in My Computer just displays the contents of the drive, and any funny stuff would display. Note the hidden files in light gray. If Joe User goes to a friend's house to swap music or pictures, and the friend's computer is infected with a USB virus, this virus gets transferred to Joe's flash drive. The virus will have set hidden files to not display, so Joe wouldn't notice anything at that time. At home, he would see the hidden files, assuming they are configured to display:


So, this fix takes care of "normal" USB flash drives, but there is one small caveat, which you might have picked up in the April Microsoft SRD blog cited above if you were following these things:

Quote:
It is worth noting that some smart USB flash drives can pose as a CD/DVD drive instead of standard ones (see http://en.wikipedia.org/wiki/U3 for an example). In this specific scenario, the operating system will treat the USB drive as if it is a CD/DVD because the type of the device is determined at the hardware level.
This is confirmed on the download site for the fix:

Update to the AutoPlay functionality in Windows
http://support.microsoft.com/kb/971029

Quote:
This update disables AutoRun entries in AutoPlay, and displays only entries that are populated from CD and DVD drives. Effectively, this prevents AutoPlay from working with USB media.

Users who install this update will no longer receive a setup message that prompts them to install programs that are delivered by USB flash drives.

Some USB flash drives have firmware that present these USB flash drives as CD drives when you insert them into computers.

These USB flash drives are not affected by this update.
I don't have this U3-smart drive type of flash drive, but the same effect can be seen using a CD with a setup.exe or autoplay.exe file. Here, I use a Photoshop setup CD. The autorun.inf file is:

Code:
[autorun]
open=autoplay.exe -c
The Registry entry shows the autorun.inf commands, meaning that the same danger from accessing the drive by clicking on the icon in My Computer is still present, unless other preventative measures are taken:


Here, this executable is not on my computer's white list, so it is blocked from running:


This is a welcome fix, especially for the average users, and most people should be encouraged to avoid the U3 type of flash drive unless they understand the potential hazards and have other preventative measures in place.


----
rich

Last edited by Rmus : September 14th, 2009 at 03:14 AM.
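The two autorun.inf files in the post above are small, but a defender reviewing a drive wants the same reading done mechanically: which directives would launch a program, which one is the "Open" verb that Windows caches for the My Computer double-click, and which entries (action=, icon=) only dress up the prompt. The script below is an added example, not code from the post or from Microsoft: it parses an autorun.inf the way the post reads it and models the one rule the KB article states, namely that after the update only media presenting as CD/DVD (including U3-style sticks) still get their AutoRun entries honoured. The two sample files are constructed copies of the ones in the post; the media labels "removable" and "cdrom" are my own naming.

```python
"""Parse autorun.inf and model AutoRun exposure before/after KB971029.
Added example for illustration; constructed samples mirror the forum post."""
from __future__ import annotations

from dataclasses import dataclass, field

# [autorun] directives that launch a program on AutoRun/AutoPlay.
# A "shell\<verb>\command" entry is different: it runs when that verb
# (e.g. Open) is chosen on the drive icon, the registry-cached path the post shows.
LAUNCH_KEYS = ("open", "shellexecute")


@dataclass
class AutorunReport:
    launches: list[str] = field(default_factory=list)        # commands run on AutoRun
    shell_verbs: dict[str, str] = field(default_factory=dict)  # verb -> command
    action_label: str | None = None   # text shown in the AutoPlay prompt (social engineering)
    icon: str | None = None           # icon shown for the drive (disguise)


def parse_autorun_inf(text: str) -> AutorunReport:
    """Minimal INI reader: only the [autorun] section matters, keys are
    case-insensitive, ';' starts a comment line."""
    report = AutorunReport()
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS:
            report.launches.append(value)
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            report.shell_verbs[verb] = value
        elif key == "action":
            report.action_label = value
        elif key == "icon":
            report.icon = value
    return report


def autorun_honoured(media: str, patched: bool) -> bool:
    """Does Windows offer/execute the autorun.inf entries for this drive?
    media: 'removable' (plain USB stick) or 'cdrom' (optical disc, or a U3-style
    stick whose firmware presents a CD-ROM). With KB971029 installed, only
    cdrom media keep AutoRun, which is the caveat quoted in the post."""
    if media not in ("removable", "cdrom"):
        raise ValueError(f"unknown media type: {media}")
    return media == "cdrom" or not patched


def assess(text: str, media: str, patched: bool) -> dict:
    """Summarise what the drive could launch and whether this host would let it."""
    r = parse_autorun_inf(text)
    return {
        "launch_commands": r.launches + list(r.shell_verbs.values()),
        "prompt_label": r.action_label,
        "disguise_icon": r.icon,
        "exposed": autorun_honoured(media, patched) and bool(r.launches or r.shell_verbs),
    }


# Constructed samples mirroring the two autorun.inf files in the post.
USB_INF = """[autorun]
icon=lilguy.ico
open=hello.bat
action=Click "OK"
shell\\open\\command=hello.bat
"""
CD_INF = """[autorun]
open=autoplay.exe -c
"""

if __name__ == "__main__":
    for name, inf, media in (("USB stick", USB_INF, "removable"), ("Setup CD", CD_INF, "cdrom")):
        for patched in (False, True):
            state = "patched" if patched else "unpatched"
            print(f"{name} on {state} host: {assess(inf, media, patched)}")
```

Running it shows the same picture as the screenshots: the USB stick is exposed only on the unpatched host, while the setup CD (and by extension a U3-style stick) is exposed on both, so for optical-type media the My Computer "Open" path still needs a separate control such as the application whitelist mentioned at the end of the post.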