AutoPlay Windows 7 behavior backported

Discussion in 'other security issues & news' started by ronjor, Sep 13, 2009.

Thread Status:
Not open for further replies.
  1. ronjor (Global Moderator)

    Microsoft
  2. Rmus (Exploit Analyst)

    Those who followed the Conficker saga know that much of the success of the variant that exploited USB was due to trickery with AutoPlay/AutoRun. A number of analyses picked up on this. An early one from January:

    Conficker's autorun and social engineering
    http://isc.sans.org/diary.html?storyid=5695

    Note that the authors of Conficker have not invented anything -- this "feature" is well-documented, and like many features in software, it can be exploited for bad purposes.

    By April, Microsoft had decided "enough is enough" and implemented a change in Windows 7:

    AutoRun changes in Windows 7
    http://blogs.technet.com/srd/archive/2009/04/28/autorun-changes-in-windows-7.aspx
    So, we now have this welcome fix available for WinXP. I just installed it and can confirm that it works.

    To test: Prior to installing the fix, I set up a USB drive with an autorun.inf file to run a batch file and launch notepad:

    Code:
    [autorun]
    ; icon shown for the drive in My Computer
    icon=lilguy.ico
    ; program launched by the "Run program" choice in the AutoPlay prompt
    open=hello.bat
    ; label shown for that choice in the prompt
    action=Click "OK"
    ; also launched when the drive icon is opened from My Computer
    shell\open\command=hello.bat
    
    Code:
    hello.bat
    ---------
    rem howdy
    start notepad.exe
    pause
    My USB flash drive is not the U3-Smart drive type, so the autorun.inf file will not execute automatically. Rather, the AutoPlay Prompt box will display, encouraging me to run the program from the drive:

    usbXP-autoplayprompt.gif

    If I respond accordingly, the executable file will run:

    usbXP-autorun.gif

    From the sans.org Diary, you can see that Conficker was sneakier with the icon it displayed, which helped trick the user.

    There was another danger: if the user closes out the AutoPlay Prompt and accesses the drive using My Computer, the autorun.inf file will still run its code as above. This is because Windows writes the autorun.inf commands to the Registry where information for mounted drives is stored. The "Open" command makes Windows execute the autorun.inf instructions when clicking-to-open the drive icon in My Computer:

    usbXP-mpts.gif

    After installing the fix, I connected the same USB flash drive, and now, there is no option to run the file from the AutoPlay prompt box:

    usbXP-autoplayprompt2.gif

    What about the danger from clicking on the drive icon in My Computer? Windows no longer writes the autorun.inf instructions to the Registry:

    usbXP-mpts2.gif

    This is a welcome change. Opening in My Computer just displays the contents of the drive, and any funny stuff would show up. Note the hidden files in light gray. If Joe User goes to a friend's house to swap music or pictures, and the friend's computer is infected with a USB virus, this virus gets transferred to Joe's flash drive. The virus will have set hidden files to not display, so Joe wouldn't notice anything at that time. At home, he would see the hidden files, assuming they are configured to display:

    [image]

    So, this fix takes care of "normal" USB flash drives, but there is one small caveat, which you might have picked up in the April Microsoft SRD blog cited above if you were following these things:

    This is confirmed on the download site for the fix:

    Update to the AutoPlay functionality in Windows
    http://support.microsoft.com/kb/971029

    I don't have this U3-smart drive type of flash drive, but the same effect can be seen using a CD with a setup.exe or autoplay.exe file. Here, I use a Photoshop setup CD. The autorun.inf file is:

    Code:
    [autorun]
    open=autoplay.exe -c
    
    The Registry entry shows the autorun.inf commands, meaning that the same danger from accessing the drive by clicking on the icon in My Computer is still present, unless other preventative measures are taken:

    [image]

    Here, this executable is not on my computer's white list, so it is blocked from running:

    [image]

    This is a welcome fix, especially for average users, and most people should be encouraged to avoid the U3 type of flash drive unless they understand the potential hazards and have other preventative measures in place.


    ----
    rich
    Last edited: Sep 14, 2009
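Added example (not part of the original post, and not Microsoft's or Rmus's code): a small Python model of how the [autorun] section is read and whether Windows would act on a drive's entries before and after the KB971029 update, run over the two autorun.inf files from the post plus a constructed Conficker-style file. The drive-type policy (post-fix, only media that reports itself as CD/DVD is processed, which is why a U3 drive's emulated CD partition still gets through) and the two social-engineering indicators are assumptions drawn from the SRD blog and SANS diary linked above; the payload path in the constructed sample is a placeholder, not a real Conficker artifact.

```python
"""Added example: model of how an autorun.inf is read and whether Windows
would act on it, before and after the KB971029 AutoPlay update.
Written for this thread; it is not Microsoft's code or the poster's test files."""
import re
from enum import Enum


class DriveType(Enum):
    REMOVABLE = "removable"   # ordinary USB flash drive (non-U3)
    FIXED = "fixed"
    CDROM = "cdrom"           # optical media, or the CD partition a U3 drive emulates
    NETWORK = "network"


def parse_autorun_inf(text):
    """Return the key=value entries of the [autorun] section.

    Keys are case-insensitive, a line starting with ';' is a comment, and a
    repeated key keeps the last value. Other sections are ignored.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Entries that name something to run: open, shellexecute and any
    shell\\<verb>\\command. These are what gets cached under the MountPoints2
    key seen in the screenshots and run when the drive icon is opened."""
    targets = []
    for key in ("open", "shellexecute"):
        if key in entries:
            targets.append((key, entries[key]))
    for key, value in entries.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            targets.append((key, value))
    return targets


def autorun_processed(drive_type, kb971029_applied):
    """Assumed policy: before the update, autorun.inf on removable, fixed and
    optical media is processed (the XP default); after it, only media that
    reports itself as CD/DVD. A U3 drive's emulated CD partition therefore
    still gets through."""
    if kb971029_applied:
        return drive_type is DriveType.CDROM
    return drive_type is not DriveType.NETWORK


def social_engineering_indicators(entries):
    """Flags the tricks the SANS diary describes for Conficker: an action
    label that copies the built-in 'Open folder to view files' choice and an
    icon borrowed from shell32.dll so the fake entry looks like the real one."""
    flags = []
    if "open folder" in entries.get("action", "").lower():
        flags.append("action text mimics 'Open folder to view files'")
    if "shell32.dll" in entries.get("icon", "").lower():
        flags.append("icon taken from shell32.dll (system folder icon)")
    return flags


def assess(text, drive_type, kb971029_applied=True):
    """Summarise what this autorun.inf would do on the given drive."""
    entries = parse_autorun_inf(text)
    targets = launch_targets(entries)
    processed = autorun_processed(drive_type, kb971029_applied)
    return {
        "targets": targets,
        "processed": processed,
        "would_run": processed and bool(targets),
        "indicators": social_engineering_indicators(entries),
    }


# Constructed samples: the two files from the post, plus a Conficker-style one.
USB_TEST = """[autorun]
icon=lilguy.ico
open=hello.bat
action=Click "OK"
shell\\open\\command=hello.bat
"""

PHOTOSHOP_CD = """[autorun]
open=autoplay.exe -c
"""

# Modelled on the SANS diary description; the payload path is a placeholder.
CONFICKER_STYLE = """[autorun]
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=RECYCLER\\payload.dll,install
"""

if __name__ == "__main__":
    cases = [
        ("USB test, pre-fix", USB_TEST, DriveType.REMOVABLE, False),
        ("USB test, post-fix", USB_TEST, DriveType.REMOVABLE, True),
        ("Photoshop CD, post-fix", PHOTOSHOP_CD, DriveType.CDROM, True),
        ("Conficker-style on U3, post-fix", CONFICKER_STYLE, DriveType.CDROM, True),
    ]
    for name, text, drive, applied in cases:
        print(name, assess(text, drive, applied))
```

The interesting rows are the second and fourth: the same USB autorun.inf stops being processed on a removable drive once the update is in, while the Conficker-style file on anything that looks like a CD is still processed and still carries both social-engineering tells.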