Posted by Vulnerability Analysis
Hi, this is Will Dormann of the CERT/CC Vulnerability Analysis team. A few months ago, reports of infected digital picture frames hit the media. I was curious about how the malicious code was being executed, so I began investigating the Microsoft AutoRun and AutoPlay features.
AutoRun, which was introduced with Windows 95, has two primary behaviors:
In the process of investigating AutoRun behavior, I noticed two interesting things:
The information about malicious use of U3 drives is not particularly new. But how many systems actually have AutoRun disabled? One aspect that makes the problem confusing is that it is not obvious how to disable AutoRun precisely and effectively. VU#889747 originally listed several steps that appeared to be effective in my testing, but they also had the adverse side effect of disabling Media Change Notification (MCN) messages, which can prevent Windows from detecting when a CD-ROM or DVD has been changed.
One of our readers has provided us with a workaround that disables AutoRun as close to the source as possible: the Autorun.inf file itself. Once the following registry key is imported, Windows no longer consults the Autorun.inf file when determining AutoRun and AutoPlay actions:
This setting appears to disable AutoRun behaviors without causing other negative side-effects. More details about this workaround are available in Nick Brown's blog entry Memory stick worms.
Update (November 21, 2008):
Microsoft Windows may cache AutoRun information from connected devices. The impact of this feature is that even after disabling AutoRun as described above, you may still experience AutoRun behaviors for devices (USB drives, network shares, etc.) that have been connected to the computer in the past. For this reason, we also recommend removing this cache by deleting the MountPoints2 registry key for each user:
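The following PowerShell script is an added example, not code from the original post or from CERT/CC. It applies both workarounds described above in one pass: it sets the Autorun.inf IniFileMapping redirection (Nick Brown's workaround, where the default value `@SYS:DoesNotExist` points the INI-file mapping layer at a registry location that does not exist) and then deletes the MountPoints2 cache for every user hive currently loaded under HKEY_USERS. The SID pattern, the variable names and the verification step are my own choices; the two registry paths are the ones the workarounds use.

```powershell
# Added example: apply the Autorun.inf IniFileMapping workaround and clear the
# per-user MountPoints2 AutoRun cache. Run from an elevated PowerShell prompt,
# because IniFileMapping lives under HKLM and other users' hives are under HKU.

$iniMap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$target = '@SYS:DoesNotExist'

# 1. Redirect Autorun.inf parsing to a registry location that does not exist.
#    "@SYS:" means "look under HKLM\SOFTWARE\<name>" instead of the INI file,
#    so every Autorun.inf lookup returns nothing and no AutoRun action is taken.
if (-not (Test-Path $iniMap)) {
    New-Item -Path $iniMap -Force | Out-Null
}
Set-ItemProperty -Path $iniMap -Name '(Default)' -Value $target

# 2. Remove cached AutoRun information for each loaded user hive.
#    Only hives of users currently logged on (or loaded with reg.exe load)
#    appear under HKEY_USERS; the regex skips the *_Classes hives and
#    well-known SIDs such as S-1-5-18 (SYSTEM) that have no Explorer profile.
$cleared = @()
Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object {
        $mp = "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
        if (Test-Path $mp) {
            Remove-Item -Path $mp -Recurse -Force
            $cleared += $_.PSChildName
        }
    }

# 3. Verify the IniFileMapping value actually took effect before trusting it.
$value = (Get-ItemProperty -Path $iniMap -Name '(Default)').'(Default)'
if ($value -ne $target) {
    throw "Autorun.inf mapping was not applied (current value: '$value')"
}
Write-Host "Autorun.inf mapping redirected to $value"
Write-Host "MountPoints2 cleared for $($cleared.Count) user hive(s): $($cleared -join ', ')"
```

Two caveats when using this. Profiles of users who are not logged on are not loaded under HKEY_USERS, so their MountPoints2 keys are untouched; either load those hives with `reg.exe load` first or run the deletion step at each user's next logon (for example via a logon script). And because step 2 deletes the whole cache, Explorer will rebuild MountPoints2 entries as drives are reconnected, which is expected and harmless once step 1 is in place.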