Is disabling Autorun enough to protect from malware via USB drive?

Discussion in 'malware problems & news' started by ExtremeGamerBR, Jan 4, 2012.

Thread Status:
Not open for further replies.
  1. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    I do not know if I'm in the correct area, if not excuse me.

    I wonder: if I just disable Autorun on my computer, would I be free of infection via autorun from a USB drive?

    Thank you! :thumb:
  2. wat0114

    wat0114 Guest

    If running Win 7, then use the MS Fixit or manual method at the bottom of this page and you should be okay.
  3. HAN

    HAN Registered Member

    Beyond what you can do today to disable autorun on USB drives, be aware that the landscape can change quickly.

    In July 2010, the Stuxnet variety of malware came out and could autorun USB based executables by exploiting a security hole in Windows. So be sure to always do your Windows updates as they come out.
  4. x942

    x942 Registered Member

    Yes. Autorun malware would fail to run. However, there are other USB attacks available, such as the HID attack, and the USB Rubber Ducky is only one example. These attacks are also cross-platform (Win/Mac/*Nix/etc.) and will work on anything (even a PS3) that can use a USB HID (Human Interface Device), i.e. a mouse/keyboard.

    Only way to stop them is by disabling unknown devices in the registry.
  5. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Thank you guys, all the information is helpful. :thumb:
  6. AlexC

    AlexC Registered Member

  7. siljaline

    siljaline Registered Member

    Disable auto-run on various incarnations of Windows. Removable media are one of the easiest exploit vectors to a system. Your AV solution should protect from this.
  8. safeguy

    safeguy Registered Member

    First of all, let's make clear the difference between AUTORUN and AUTOPLAY, since we all have heard of the term "disable Autorun" and that's what we need to do exactly, not disable Autoplay. It's a widespread terminology mistake...even among many techies.

    Difference between Autorun and Autoplay:
    Autorun and Autoplay: screwed by terminology

    Next, let's touch upon what I would consider the 'best' method to 'disable autorun.inf'...

    While that method is fine and is the 'recommended' procedure by MS, it requires certain updates/prerequisites (which correct the problem of NoDriveTypeAutoRun registry value enforcement) to be installed before one uses the MS Fixit or manual method to disable Autorun capabilities. Otherwise, Windows will not obey the NoDriveTypeAutoRun registry value and Autorun will not be effectively disabled.

    See here: http://www.us-cert.gov/cas/techalerts/TA09-020A.html

    Hence, I personally prefer and would recommend others to implement Nick Brown's solution (which "tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application") as listed here:

    http://nickbrown-france.blogspot.com/2007/10/memory-stick-worms.html

    It works regardless of whether or not you have the updates installed (especially useful for those who choose not to install or delay Windows updates for whatever reason)...therefore providing a better safety net in my opinion.

    More reading here:
    http://blogs.computerworld.com/the_...o_be_protected_from_infected_usb_flash_drives
    Even better, read this:
    Why Disabling Autorun Only Helps The Viruses, and What You Should Actually Do to Protect Yourself
    http://autorun.synthasite.com/

    In addition or alternatively, you may want to consider the use of Ariad (AutoRun.Inf Access Denied) by Didier Stevens:

    http://blog.didierstevens.com/programs/ariad/

    This tool is more advanced...if you intend to use it, do read up (inc. the comments) and use with caution!!
  9. wat0114

    wat0114 Guest

    In Windows 7, at least through Group Policy editor, it is Autoplay you want to disable and it does work to disable Autorun in USB drives, as follows:

    Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\

    -Turn off Autoplay = enabled

    -Turn off Autoplay = All drives

    -Default behavior for AutoRun = Do not execute any autorun commands

    optionally:

    -Turn off Autoplay for non-volume devices = enabled
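
The Group Policy settings in post 9 and the Autorun.inf workaround referenced in post 8 can be checked from the registry. The PowerShell below is an added example, not part of any post in this thread; it assumes machine-wide (HKLM) policy, and the registry locations it reads are the ones these settings are known to write to, not values given in the thread.

```powershell
# Added example: read-only audit of AutoRun/AutoPlay hardening (changes nothing).
# Registry paths are not from the thread; machine policy (HKLM) only is assumed.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$checks = @(
    @{ Name  = 'Turn off Autoplay = All drives'
       Path  = $pol; Value = 'NoDriveTypeAutoRun'
       Test  = { param($v) ($v -band 0xFF) -eq 0xFF } },
    @{ Name  = 'Default behavior for AutoRun = do not execute'
       Path  = $pol; Value = 'NoAutorun'
       Test  = { param($v) $v -eq 1 } },
    @{ Name  = 'Turn off Autoplay for non-volume devices'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
       Value = 'NoAutoplayfornonVolume'
       Test  = { param($v) $v -eq 1 } },
    @{ Name  = 'Autorun.inf IniFileMapping (Nick Brown method)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
       Value = '(default)'
       Test  = { param($v) $v -eq '@SYS:DoesNotExist' } }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($c in $checks) {
    $v = Get-RegValue $c.Path $c.Value
    $state = if ($null -eq $v) { 'NOT SET' } elseif (& $c.Test $v) { 'OK' } else { 'WEAK' }
    [pscustomobject]@{ Setting = $c.Name; Current = $v; State = $state }
}
$report | Format-Table -AutoSize

# Decode which drive types the NoDriveTypeAutoRun bitmask covers.
$mask = Get-RegValue $pol 'NoDriveTypeAutoRun'
if ($null -ne $mask) {
    $types = @(@('Removable', 0x04), @('Fixed', 0x08), @('Network', 0x10), @('CD-ROM', 0x20))
    foreach ($t in $types) {
        '{0,-10} AutoRun disabled: {1}' -f $t[0], [bool]($mask -band $t[1])
    }
}
```

A row reported as NOT SET means the corresponding policy or mapping has not been applied on that machine; a per-user (HKCU) policy is not inspected here.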
  10. m00nbl00d

    m00nbl00d Registered Member

    I wouldn't follow this advice, though:

    I may be getting too old... but that doesn't suffice. Any decent worm can simply override it and replace it with its own autorun.inf. You need to protect it; there are tools that do it for you, such as BitDefender USB Immunizer.
  11. wat0114

    wat0114 Guest

    With AppLocker there's also the possibility of further restricting removable storage drives with a Path rule:

    %HOT%\*
  12. 22ndcitysaint

    22ndcitysaint Registered Member

    I just did this. Can I remove Panda USB Vaccine now?
  13. wat0114

    wat0114 Guest

    Hard for me to say yes or no :) If it were me I wouldn't bother with Panda.