TweakUI AutoRun?

Discussion in 'other security issues & news' started by Someone, Jun 25, 2009.

Thread Status:
Not open for further replies.
  1. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Is disabling autorun with TweakUI safe? Does it use the registry tweak described here?
     
  2. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Nope. TweakUI works to a point but apparently does not block all known methods. The Panda tool does appear to work for both the PC and flash drives. (The PC vaccination for Panda IS the method described at your link...
    https://www.wilderssecurity.com/showthread.php?t=245571
     
  3. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Thanks. Do you know what method Tweak UI uses?
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
  5. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    If you are running XP then the option is also available through gpedit.msc
    Gpedit can also be added to XP Home. A Google search will provide the instructions.

    Always preferred\trusted this method to 3rd party software. Closely followed by reg. tweaking. :)
     
  6. progress

    progress Guest

    This means that even if the autorun.inf file is suppressed from executing, clicking on the drive icon in My Computer, or any of the commands on the right-click menu will trigger the exploit.

    This doesn't sound good, I will remove TweakUI :(

    Edit: I tested the gpedit.msc method - if you click on the drive letter E: autorun.inf is also executed :(
     
    Last edited by a moderator: Jun 30, 2009
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Actually, the best approach, unless I misunderstood something, is to combine both Panda USB vaccine and TweakUI.

    I'm setting a system with Windows XP SP3, and Panda USB vaccine won't prevent CDs/DVDs from auto running. TweakUI allows to prevent the autorunning.

    I don't know why it (Panda's utility) won't prevent CDs/DVDs from auto running, but, perhaps, some problem handling with such in Windows XP?
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    A safe way is to access the removable media drive letter in the left pane of Windows Explorer (2-pane view of My Computer). Nothing on the drive will execute.

    On Win2K and WinXP, the 'WIN Key + E' opens Windows Explorer.

    Note that I made several folders and files Hidden but they display because I've configured Windows Folder Options to show Hidden stuff.

    Some other thoughts:

    • Unless you have a specific need, avoid a U3-powered USB smart drive. Non-U3 types will not execute an Autorun.inf file.

    • If you copy files to your computer from someone else's USB drive, access the drive in Windows Explorer as above to view the contents. If you see an autorun.inf file, ask the person if she/he knows it's there!


    ----
    rich
     
  9. progress

    progress Guest

    Yes, but the autorun will start before. I don't know a possibility to simply turn off autorun! If you remember, even the 'DoesNotExist' registry key (in Panda USB Vaccine) doesn't work for all drives (-> MountPoints2!).

    I would like to test this idea, how can I avoid these drives? :doubt:
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Sorry, I thought you had a solution for disabling Autorun.

    Can you post a screen shot showing how the "DoesNotExist" registry key tweak is bypassed?

    Regarding non-U3 smart drives:

    Just look on the package. It will say if it is a smart drive.

    ----
    rich
     
  11. progress

    progress Guest

    1) I added the registry tweak :)

    2) I opened Windows Explorer :)

    3) I inserted the USB stick with the modified autorun.inf :(
     

    Attached files: 1.JPG, 2.JPG, 3.JPG
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm sorry but I don't understand what your screen shot is showing. What do you mean by a modified Autorun.inf file?

    Does an Autorun.inf file execute with that Registry tweak enabled?

    ----
    rich
     
  13. progress

    progress Guest

    An autorun.inf file which labels E: as 'This could be malware!' :( So it has been executed ...

    Yes :'(
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Did you delete your MountPoints2 keys and then reboot before enabling the Registry Tweak?

    To my knowledge, only if the autorun.inf information is in that Registry key will the autorun.inf file execute.

    Nick Brown makes that point in his article on that Tweak.

    Also, some systems restore the MountPoints2 Keys on reboot, so careful testing/checking is necessary.

    ----
    rich
     
  15. progress

    progress Guest

    Yes :)

    You are right, they have been restored :rolleyes: What can I do?
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Use another Autorun.inf file to start calculator or something, and see what happens.

    ----
    rich
     
  17. progress

    progress Guest

    I used this autorun.inf:

    [autorun]
    open=PAVARK.exe - didn't work!
    icon=PAVARK.exe - worked!
    label=Fake Malware! - worked!


    I get this notice, what's wrong? o_O
     

    Attached file: 4.JPG
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Look in your MountPoints 2 Key: if the 'open=PAVARK.exe' command is not there, it was prevented from being written to the Registry, so that open action failed.

    Were the icon and label commands present from your previous Autorun.inf? If so they are still in the Registry, hence, they executed.

    I suggested that you test with a completely different autorun.inf file that has nothing already in the Registry to show that the Reg Tweak does in fact block new autorun.inf commands from being written to the Registry, hence, the commands to execute fail.

    ----
    rich
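A read-only PowerShell audit for the two things Rmus describes in posts #14 and #18: whether the IniFileMapping redirect ("@SYS:DoesNotExist") is in place, and whether MountPoints2 still holds cached autorun commands that the tweak cannot remove. This is an added example, not code from any poster or from Nick Brown's article; the key paths are the standard locations of that tweak and of Explorer's MountPoints2 cache, and the per-volume Shell\AutoRun\command sub-key layout it searches for is an assumption.

```powershell
# Added example: audit the autorun.inf IniFileMapping tweak and the MountPoints2 cache.
# Read-only; run as the user whose MountPoints2 cache you want to inspect.

$mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$mpKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# 1. Is the tweak present? The default value must redirect every autorun.inf
#    lookup to a non-existent key so Windows never reads NEW commands from the file.
$expected = '@SYS:DoesNotExist'
$actual = $null
if (Test-Path $mapKey) {
    $actual = (Get-ItemProperty -Path $mapKey -ErrorAction SilentlyContinue).'(default)'
}
if ($actual -eq $expected) {
    Write-Host "IniFileMapping tweak present: $actual"
} else {
    Write-Warning "IniFileMapping tweak missing or wrong (found '$actual', expected '$expected')"
}

# 2. Cached commands. Explorer keeps what it already parsed from each volume under
#    MountPoints2\{volume}\Shell\AutoRun\command (assumed layout). The tweak only
#    stops new writes, so stale entries keep working until the volume keys are deleted.
$cached = @()
if (Test-Path $mpKey) {
    $cached = @(Get-ChildItem -Path $mpKey -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -ieq 'command' -and $_.PSPath -imatch '\\Shell\\AutoRun\\' } |
        ForEach-Object {
            $cmd = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($cmd) { [pscustomobject]@{ Key = $_.Name; Command = $cmd } }
        })
}
if ($cached.Count -eq 0) {
    Write-Host 'No cached AutoRun commands found in MountPoints2'
} else {
    Write-Warning "$($cached.Count) cached AutoRun command(s) still present; delete the volume keys, reboot, then re-run this check (some systems restore them):"
    $cached | Format-Table -AutoSize
}
```

Run the check again after the reboot that post #14 recommends; the cache listing should then stay empty when a test autorun.inf with only an open command is inserted.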
     
  19. progress

    progress Guest

    How can I do this? :(

    I repeated the test with a brand new USB stick and a new autorun.inf - the commands icon and label still work. The open command didn't work, I also got no notice like in post #17 :) I don't know, maybe this is ok ..
     
    Last edited by a moderator: Jul 7, 2009
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hello ance,


    EDIT:

    OK, you posted while I was writing!

    Your test shows that the icon and label commands are still written to the registry but the Registry Tweak is preventing any new commands from being read/written.

    Does this seem logical?


    ----
    rich
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If you are comfortable in the Registry, I can show you how to check the MountPoints2 key in WinXP.

    ----
    rich
     
  22. progress

    progress Guest

    Is it ok? :rolleyes:

    Do you mean that the registry tweak 'only' blocks open but doesn't block icon and label? :blink:
     

    Attached file: mp.JPG
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I think Icon and Label are controlled by autoplay.

    Try a new autorun.inf file with nothing but an Open command.

    rich
     
  24. progress

    progress Guest

    I inserted a DVD, the autorun.inf only contains the open command - it doesn't work. Ahm, the same goes for the gpedit.msc method :)

    So the registry tweak 'only' blocks open and nothing else - I didn't know this. Maybe I'll test this with TweakUI again.

    Does the gpedit.msc method work like TweakUI or like Panda USB Vaccine? o_O
     
    Last edited by a moderator: Jul 7, 2009
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm not really sure - I don't use the tweaks, I've just read about them. All I know is that the @donotexist prevents the autorun.inf file from writing to the Registry, where Windows "reads" the commands and then executes them.

    Bojan at ISC did a good analysis of conficker, showing how the AutoPlay Prompt tricked users into running the execute command. You can see the Prompt and how the Action and Icon commands worked:

    http://isc.sans.org/diary.html?storyid=5695

    ----
    rich
     