About Me

Lokesh Kumar

Lokesh Kumar

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

McAfee Labs :

More on Autorun-Based Malware

Friday, November 21, 2008 at 11:54am by Lokesh Kumar
Lokesh Kumar

Earlier, my colleague Vinoo Thomas blogged about “The Rise in Autorun-Based Malware” and about a method employed to disable such malware from executing that uses the gpedit.msc tool.

I briefly want to add a couple of points to this:

The Group Policy Editor (gpedit.msc) is a tool provided by Microsoft, and is used to modify various system settings. One such setting is the ability to turn off the autoplay feature.

Changes made using this tool eventually get applied in the Windows registry. For example, when a user modifies settings related to autoplay using the group policy editor, it will be reflected in the following location in the registry:

HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key: NoDriveTypeAutoRun

Now, here’s the interesting part. The Group Policy Editor is not available to users of Windows XP Home Edition. Those users would need to manually edit the registry or install TweakUI, a tool available in the PowerToys Suite, or download a third-party tool to do disable this feature.

Isn’t it odd that Microsoft makes a home user manually edit the registry to turn off this feature, yet it provides a tool for administrators using XP Professional?

I can understand the growing concern many are having with the use of removable devices. There has been a known bug in the NoDriveTypeAutoRun subkey value, which allows any changes made to this subkey to revert to its default value.

Of course, the default value enables the autoplay feature to function in all its glory.

All hope is not lost, though, as I managed to find a fix. Save the following text as a .reg file and import it into the registry. And, as always, remember to back up your registry before doing this.

REGEDIT4
[HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@=”@SYS:DoesNotExist”

Apparently, this registry value prevents Windows from taking actions based on the Autorun.inf file.

If you are a McAfee Virus Scan customer, you could create a custom Access Protection Rule to disable the execution of files named autorun.inf. Many autorun worm variants are detected by McAfee asW32/Autorun.worm.dw.

Finally, Microsoft should implement this autorun feature (which is now exploited by malware) in a more efficient manner. My Ubuntu machine, which has Wine installed, can run Windows executables and has the same autoplay feature as Microsoft does, but with one BIG difference:

Ubuntu Autorun

When a removable device with an autorun.inf file is inserted on my Ubuntu machine, it recognizes that the autorun.inf file is trying to run an executable and then asks for confirmation. Now, that’s what I call prioritizing the user’s security needs!!

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (2)

  • Andy Chow May 19, 2009 6:29PM

    Is there any known potential risks to disabling of the Autorun feature?

    What I’m concern is the impact on existing applications for our environment.

    We have Citrix, SAP, Lotus applications. While I doubt the disabling Autorun will have any setbacks (other than the minor inconvenience to very non-IT inclined users who may not know how to launch a program), I need to convince the management that this is a safe and non-risky implementation.

    Anyone can give any good advises?

    Reply
  • Nick November 23, 2008 10:00AM

    Hi,

    As the co-discoverer and original publisher of this little bit of registry cuteness, I’m pleased that it’s finding a wider audience. More background is available in the original post at http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html

    Thanks
    Nick

    Reply