Disable Autoplay in Windows

Discussion in 'other security issues & news' started by PiCo, Jun 26, 2008.

Thread Status:
Not open for further replies.
  1. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    I use USB sticks and external hard disks a lot, as I tend to share stuff with friends and so I wanted to know the right way of disabling Autoplay.

    Currently I went to Local Group Policy Editor->Computer Configuration->Administrative Templates->Windows Components->AutoPlay Policies and enabled "Turn Off Autoplay" for All Drives!

    Will this be enough to keep malware from jumping into my internal drives, or do they jump either way?

    Thank you!
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You can test your CD drive by inserting an installation disk to see if it AutoPlays and starts the Setup.exe file.

    If it does not start, then open My Computer and d-click on the CD drive letter.
    If the Setup.exe file does not start, then this test has passed.

    For your USB drive, you can test by creating an AutoRun.inf file:

    ----------------------------------
    [AutoRun]
    Open=notepad.exe
    ----------------------------------

    Place this in the root of your USB drive, then reconnect and see what happens.

    If it does not start, do the My Computer thing again.

    If both cases pass, then you know that an executable file cannot slip through by remote code execution via the Autorun.inf file.

    If not, you can install TweakUI for XP and disable the drives. This works for sure:



    ----
    rich
     
  3. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    When I was doing IT I had my flash drive as NTFS so I could make autorun.inf, set it as read only and then deny all for all users in permissions.

    Malware could jump on but would not autorun.
     
  4. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Thanx a lot! I just got confused in this part:
    Why shouldn't it start since I double click the icon?

    I tested a CD with Office 2007 in it and yes it does not start with Autoplay, but when I double click the CD icon it starts :)

    edit://Ok that was fun, I created the autorun.inf for the USB stick and nothing happens when I plug it. When I double click though or right-click it and select run as in the picture below, it opens a notepad :p
    So guess this is a PASS!

    edit2://Ok, I see your point!!
     

    Last edited: Jun 26, 2008
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    When you d-click the icon in My Computer, it should open to the drive contents.

    If the Setup.exe file starts, then your Policy for AutoPlay has prevented the Autorun.inf file from executing the commands, but has not prevented Windows from "reading" the file and writing the commands to the Registry.

    These commands are then invoked when you

    1) d-click the icon in My Computer

    2) r-click the icon and select Open, or whatever commands have been altered.

    As you can see, this is not very secure, since malware on someone else's USB could inadvertently be executed.

    See here for an explanation I wrote earlier this year:

    http://www.urs2.net/rsj/computing/tests/digiframe/InfFile.html


    ----
    rich
     
  6. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Easiest way: Use TweakUI
     
  7. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Could you give a link to a Vista compatible one?

    edit://Thanx nosirrah!
     
    Last edited: Jun 26, 2008
  8. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    You can turn off autorun on your computer but that won't prevent your flash drive from being able to infect other computers.

    What I posted will prevent that and when combined with what is suggested here you will be double protected.
     
  9. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Sorry, I don't know if there's a vista version available.

    A bit Off-Topic:
    I have SBIE configured so that everything that runs from a USB stick is sandboxed.
    This way I prevent infections, but there's another advantage:
    Every time I connect a USB drive to my laptop, I open SBIE Control and can actually see if anything is running. This way you can detect malware or any autorun activity and delete it manually.
     
  10. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    I'm a bit lucky cause it is being discussed here!

    :ninja: :ninja:
     
  11. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes, it's actually very easy to achieve.
    Just insert a USB drive, so the drive letter (in my case F:) is recognized.
    Then go to sandboxie configuration and add force folder= f:

    Just to be safe I added F: and G:, in case I ever must plug 2 USB sticks.
     
  12. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    disabling autorun on your computer is probably more useful than trying to make your flash drive safe for other computers... autorun doesn't actually work for normal flash drives (http://www.microsoft.com/whdc/device/storage/usbfaq.mspx), autoplay does and that doesn't actually execute the program specified in the autorun.inf file it just presents it as an option in a menu...

    those other computers would either need special software to make it work as autorun instead of autoplay or your flash drive's hardware would need to lie to windows about what kind of flash device it is... both options are doable but the net result is that in order for this threat scenario to work those other computers would need to have been explicitly made vulnerable (which is probably outside your control) or you'd have to have specially prepared a dangerous flash drive (in my experience those flash drives that lie to windows store their autorun.inf file on a special partition that requires special software to write to)...
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is true, but in PiCo's case in sharing, he can't be sure that the device he plugs in is a *normal* flash drive, for the so-called U3 USB devices do indeed invoke AutoRun, and are very common today.

    For those not aware of this, see:

    http://en.wikipedia.org/wiki/U3

    You may remember the spate of infected digital picture frames. These are essentially U3 USB devices with picture software installed. Plugging in the device automatically infected the user who wasn't set up to protect against such exploits. These devices had a specially crafted AutoRun.inf file which changed the default commands on the computer's right-context menu for that drive. See the example in my post above.

    Regarding disabling AutoRun: as I indicated, you have to use a method which ensures that Windows does not read/write the AutoRun commands to the Registry; otherwise, the user could inadvertently launch an executable on the drive from within My Computer.


    ----
    rich
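Rmus's posts above describe AutoRun.inf commands being read and tied to the drive's My Computer actions even when AutoPlay itself is off; the following added example (not written by any poster in this thread) lists the commands a given AutoRun.inf defines, so the file can be reviewed as plain text before anything on the drive is clicked. The `shell=` and `shell\verb\command` keys are standard AutoRun.inf entries for context-menu commands that the thread does not show, and both sample files are constructed.

```python
import re

# Keys whose value is a command line Explorer may run for the drive.
COMMAND_KEYS = ("open", "shellexecute")
VERB_CMD = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}; junk lines are skipped."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text):
    """List (trigger, command) pairs the file asks Explorer to associate with the drive."""
    entries = parse_autorun(text)
    findings = [(k, entries[k]) for k in COMMAND_KEYS if entries.get(k)]
    default_verb = entries.get("shell", "").lower()
    for key, value in entries.items():
        match = VERB_CMD.match(key)
        if match and value:
            trigger = "menu verb '%s'" % match.group(1)
            if match.group(1) == default_verb:
                trigger += " (default verb)"
            findings.append((trigger, value))
    return findings


# Constructed samples: the test file from the thread, and a file that
# redefines the drive's context-menu commands.
THREAD_SAMPLE = "[AutoRun]\nOpen=notepad.exe\n"
MENU_SAMPLE = """junk line
[AutoRun]
shell=open
shell\\open\\command=notepad.exe
shell\\explore\\command=notepad.exe
icon=folder.ico
"""

if __name__ == "__main__":
    for trigger, command in audit_autorun(THREAD_SAMPLE) + audit_autorun(MENU_SAMPLE):
        print("%-32s -> %s" % (trigger, command))
```

An empty result means the file defines no command entries; any non-empty result is a reason to inspect the drive before opening it from My Computer.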
     
  14. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    hmmm... perhaps i've misread something... i figured the sharing in this situation to mean sharing data on his own flash drives that he's loaned out - in which case he would know the properties of the drives he's giving to people and only really need to worry about disabling autorun on his own computer...

    if instead he's sharing unknown flash devices whose properties he doesn't know then i suppose one might be worried about the effect those devices might have on other computers... but that gets to be a little like sharing needles and is probably something you should just avoid doing entirely rather than trying to make secure by taking away access to autorun.inf... also, i'm not sure how you'd actually prepare the u3 partition as ntfs...

    were they really? i should try and get one of those... i wonder what kinds of other devices are using u3...
     
  15. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    According to this thread, ForcedFolder only works on .exe's.

    http://sandboxie.com/phpbb/viewtopic.php?t=3520
     
  16. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes.
    But it seems that tzuk has some interesting improvement for next versions of SBIE.
    In the meanwhile "disable autoplay" (tweakUI) and Returnil can do the rest. :D
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Creating an empty folder named autorun.inf in the root of the flash drive will not do the same?
     