Why Disabling Autorun Only Helps The Viruses, and
What You Should Actually Do to Protect Yourself.

The Internet is full of well-intentioned advice to disable AutoRun (or AutoPlay), so that you will be protected from getting infected from a worm on a USB stick.  I took this advice seriously, and still ended up getting infected.  This happened because I hadn’t understood some basic concepts, nor had I disabled the real culprit.

Basically, when an “Autorun worm” on a USB stick infects a PC, it is never by AutoRun and it is seldom by AutoPlay.  Instead, they all employ a method that I’ll call Execution of the Drive’s Default Command (EDDC).

All three of these— AutoRun , AutoPlay , and EDDC —are separate functionalities that can run a program that has been specified in the Autorun.inf file .  This is a file that is located (possibly invisibly) in the drive’s root (i.e. “top-level”) folder. 

A quick explanation on the differences between AutoRun, AutoPlay, and EDDC may be helpful, and then we’ll look at a solution that actually works, one that every Windows user ought to employ.

AutoRun, AutoPlay, EDDC — What’s the difference?

AutoRun is the functionality that enables a CD-ROM drive or a fixed drive to specify a program or document to be started immediately upon the connection of the drive. AutoRun has been designed not to work on removable drives such as USB flash drives, as these drives are much more readily infected and passed around to other computers.  (Note that while U3 flash drives do indeed employ AutoRun to automatically launch their own software, this is accomplished by hardware tricks built into the devices.)  There is no virus that employs AutoRun from an ordinary USB stick.

AutoPlay is a more recent enhancement of AutoRun, and reflects an improvement in the security model. Instead of the external media deciding for itself what program to execute, the user makes the decision in response to the AutoPlay Menu. Which items appear on this menu is determined by the types of file found on the drive (such as pictures, music, and video), and by settings in the Autorun.inf file.  A small minority of Autorun worms employ the AutoPlay menu, but only as a secondary strategy.  (It is probably an ill-advised strategy, as stealth is lost and suspicions raised for even minimally alert users.)  Because AutoPlay is user-controlled and thus “secure”, Windows enables AutoPlay for removable drives by default.
Note: Vista will actually allow the user to configure his AutoPlay settings to automatically run whatever program is specified in the Autorun.inf file, which means that an infected USB stick will indeed effectively be permitted to "AutoRun".  No one should never chose such a dangerous setting, with the possible exception of someone who lives alone in their own universe.  There are much safer ways to accomplish whatever it is you'd be aiming for with that setting.  More alarming, it's not hard to inadvertently end up with such settings for AutoPlay.  When you insert a CD with a legitimate autorun program, and Vista's AutoPlay menu asks what you want to do, suppose you tell it to run the program, and you also check the box for "always do this."   By default, that choice will also apply to removable drives.  The next time you insert an infected USB stick, it will launch the virus without further interaction from you.  Following the advice below for disabling AUTORUN.INF files will protect you from this problem, too.

Execution of the Drive's Default Command (EDDC) is a third distinct means of automatically starting a program specified in the drive's Autorun.inf file. The key difference from AutoRun functionality is that EDDC does not happen automatically upon drive connection.  It is triggered when the user double-clicks on the drive icon under 'My Computer' (i.e. in an Explorer window), or selects the highlighted option from the drive's shortcut menu (accessed with a right-click). Autorun worms often hijack both the 'Open' and 'Explore' commands on the drive's shortcut menu, so that either of these will launch the viral executable.  

Disabling AutoRun/AutoPlay

Both AutoRun and AutoPlay are disabled together via the same keys in the Windows Registry.   (These keys are named NoDriveAutoRun and NoDriveTypeAutoRun .)  These same keys can also be more conveniently (albeit less finely) configured via Group Policy or the TweakUI PowerToy for Windows XP

Remember, however, that it is by EDDC—never by AutoRun and seldom by AutoPlay—that an Autorun worm on a flash drive infects a PC.

For current Autorun worms attempting to infect a PC from a thumb drive, the only effect of Disabling AutoPlay is probably in their favor:  It means that the AutoPlay menu will never appear, and thus the clumsy minority of worms that would have advertised their presence in that menu will instead have to rely on the same stealth technique that the rest of them use:  They wait for the the user to trigger the drive’s default command.

Disabling AUTORUN.INF

What every Windows user ought to do is disable the Autorun.inf file.  In some rare cases, some legitimate functionality will be lost, but this can be restored more securely in other ways we’ll look at shortly.

The way to accomplish this was first suggested in a blog entry by Nick Brown .  His explanation there is well worth reading, but to quote just his how-to instructions:

All you do is to copy these three lines into a file called NOAUTRUN.REG (or anything.REG) and double-click it…

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Alternatively, for your convenience, you can double-click the DisableAutorunINF.reg file found in DisableAutorunINF.zip

Note: On many computers, the change won’t go into effect until you’ve restarted all instances of Explorer including the Windows Desktop.  If you don’t know how to do that, just log off Windows or restart the computer.

Inoculating Your USB Flash Drive

Before we move on, I should mention a trick to keep your USB flash drive from being a carrier for Autorun worms:  ( This has been suggested by Nick Brown and by others also.)

Create a folder on the drive named “Autorun.inf”.  Maybe even put a small file in there so that the folder is non-empty.  That’s all.

I’ve had several kinds of Autorun worms try to infect my USB stick, and all of them were foiled by this.  They can write their executable to the drive, but not the Autorun.inf file necessary to launch that program, because they didn't anticipate that a folder by that name might already be present.  Thus, using my USB stick in another computer after it's been in an infected computer won’t spread the worm.  Sooner or later, malware authors will catch onto this trick, but at least your drive won’t be a carrier for any of the hundreds of Autorun worms that are currently wreaking havoc.

(Note: Typically a worm marks the Autorun.inf file it’s created with “Hidden” and “System” attributes, so that you won’t notice the file unless you’ve configured Windows to show you both hidden and system files.)

Replacing and Improving upon Autorun.inf Functionality

If you’ve disabled Autorun.inf as described above, there is no need to have AutoPlay disabled.  AutoPlay offers a good deal of convenient functionality that it would be a pity to lose.  e.g. When you insert your SD card from your camera, it may be handy to automatically launch Picasa’s import process.

However, there are other cases in which you really do want some kind of behavior to occur when a certain drive is connected:
  • Maybe you have a U3 drive , and you want to start the U3 LaunchPad when the U3 drive is inserted.
  • Maybe you always want an option for running a virus scan to pop up when any flash drive is inserted, or perhaps you'd like to be alerted if the drive just connected contains an autorun.inf file, or files/folders marked as hidden or system. (These are signs of a worm.)
  • Maybe you want an option for launching your backup program to pop up whenever you connect that specific drive.
  • Maybe you want to automatically mount a TrueCrypt volume any time a drive containing a .tc file is connected, or perhaps whenever a specific drive is connected.
  • Maybe you have a portable application on your USB drive that you want to launch when the drive is inserted, but you also know that you should never trust any program on any drive that has been in a possibly-infected machine.  (A virus on that machine may have injected itself into the program on your USB drive.)  So you want to launch your portable app, but only after verifying that it hasn't been changed .
All of these are things that are best controlled by your computer.  There are utilities that will enable you to control such behavior.  Two options are Didier Stevens' USBVirusScan (freeware) and Uwe Sieber's USBDLM (free for private and educational use) .  If you know of better options, please let me know.  Despite the name, what USBVirusScan does is simply call a program of your choice any time a drive is connected.  I have written a command script for USBVirusScan to call, and it is named...

AutoRunGuard™

I have written a small program called AutoRunGuard to be used with USBVirusScan. It can be used in tandem with AutoPlay or as an AutoPlay replacement. 

Think of AutoRunGuard as a way of setting out rules --- as simple or complex as you like --- to govern what will happen as soon as a removable drive is connected or CD inserted. This may include launching a particular program immediately, or adding relevant options to a menu for you to choose from.  And there's more...

For details, please see the AutoRunGuard page.

Stay safe!


Copyright (c) 2008 by Daniel McCloy
 
Make a Free Website with Yola.