No AutoRun Is Working

   USB flash drives have long been a vector by which attackers spread their malware {Chapter 1 Security+ 3ed}. Panda Software has reported that 1 out of every 4 worms were designed to replicate through USB flash drives, and this is in line with other data regarding how attacks are spread through USB flash drives (see Dec 7 2010 blog).  One of the means that made this so easy was Microsoft Window's AuoRun feature.  When you inserted a USB flash drive into an older version of Microsoft Windows XP or Vista the "AutoPlay" dialog box appeared with a list of standard choices ("Open folder to view files", "Speed up my system", etc.) that you could launch with a click of the mouse.  And if you had an application on that device you would see the AutoRun option "Install or run program". Attackers crafted malware that displayed an option on the AutoPlay menu that looked similar to the normal "Open folder to view files", with the same yellow icon of a folder and even the same wording.  Yet this malicious choice was an AutoRun under the heading of "Install or run program" and not "General options", meaning that the attackers disguised the AutoRun feature to look like you're viewing files and not installing them.  Clicking on the fake icon would install the malware (see Apr 30 2009 blog).

   To minimize this Microsoft disabled the AutoRun feature in Windows 7 (the only time AutoRun is displayed is when removable optical media (CD/DVDs) is inserted and the AutoRun task was created during the media creation process).  This automatic disabling feature was also migrated to Windows XP and Vista through a patch, yet had to search for the patch and manually download it.  In February 2011 that patch was made available through the normal Windows Update feature for Windows XP and Vista users (see February 14 2011 blog).

   This week Microsoft released some statistics about the effectiveness of disabling AutoRun. They tracked data based on Microsoft's Malicious Software Removal Tool (MSRT), which is a free download that detects and deletes malware and then reports back to Microsoft.  The data from February through May of 2011 showed that infection rates of XP Service Pack 3 (SP3) have decreased by 62%, while Vista SP1's infection rate has fallen by 68% and Vista SP2's has gone down by a whopping 82%.  It's estimated that disabling AutoRun has resulted in 1.3 million fewer infections in this time period.

   By the way, back in February when Microsoft disabled AutoRun it noted that it could impact the functionality of some USB drives by forcing users to manually install software that's on the USB flash drive.  So Microsoft made available a tool known as "Enable AutoRun" to disable the disabled AutoRun and make it run like it used to.  To stay secure, don't install it.

   You can read about AutoRun at

   Stay secure!