Author Topic: Treating an obscure issue - disabling autoruns  (Read 4176 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Treating an obscure issue - disabling autoruns
« on: March 07, 2010, 07:28:50 PM »
Hi malware fighters,

Could someone confirm that an automatic Microsoft patch is nonexistent for disabling
AutoRun on USB-drives for XP (not aware how it is for the Vista OS),
in which one should discriminate between on the one hand FAT and NTFS formatted drives,
and on the other side those with a CDFS partition
(for instance the USB sticks at http://www.u3.com/ both have a CDFS and a FAT partition).

You can disable (parts) of Autorun under XP as follows:
Quote
(1) Most effectfully (for all devices, also CDFS):
by putting in the registry "IniFileMapping" of Autorun.inf at "@SYS:DoesNotExist"
(Re: http://en.wikipedia.org/wiki/Autorun#Initialisation_file_mapping or on the blog of the developer,
Nick Brown: http://nickbrown-france.blogspot.com/2007/10/memory-stick-worms.html).
Setback: some setup.exe programs on CD/DVD
could have stored installation instructions inside autorun.inf,
and cannot read that file after such a hack has been performed
(Re: http://blogs.technet.com/fdcc/archive/2009/09/28/the-case-of-the-unexplained-installation-failure-and-an-ill-advised-registry-hack.aspx )

(2) Adaptation of the NoDriveTypeAutoRun value in the register (could be done via Group Policies).
Re e.g.: http://en.wikipedia.org/wiki/Autorun#NoDriveTypeAutoRun and
http://support.microsoft.com/kb/967715.
it only functions when it has been installed under XP KB967715,
which has been spread automattically
(Re: http://www.heise.de/security/Microsoft-bestaetigt-Excel-Luecke-und-fixt-Autorun--/news/meldung/133475]Heise Security ).

(3) Blocking of Autorun.inf for all devices except for CD/DVD (and USB with CDFS):
manually install according to://support.microsoft.com/kb/971029.
This will add IsAutorunForCDROMOnly (REG_DWORD, default value = 1) under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers.
Moreover shell32.dll is being updated (for older versions of this will ignore the "IsAutorunForCDROMOnly" setting).
Re: http://isc.sans.org/diary.html?storyid=7789 ).

It should be a good thing when MS came up with a survey of all these possibilities,
benefits and drawbacks. For instance mentioned 3 possibilities are almost ever given,
and if you would want autorun to function from a normal USB stick,
you have to search and search for a solution whenever IsAutorunForCDROMOnly has been set
(Google for IsAutorunForCDROMOnly shows you how little is available about this value,
also outside of Microsoft circles).
In Windows7 by default the value is set at 1. Correct me if that is not the case.
Re: http://blogs.msdn.com/e7/archive/2009/04/27/improvements-to-autoplay.aspx
Be aware of the issues treated here and don't form part of the biggest botnets anymore like MS autorun
and or that of ESET's: http://www.eset.com/threat-center/blog/2010/03/04/the-biggest-botnet-in-the-world
Translated Quote Source: Bitwiper and published at Security.nl
Original link of info: http://www.security.nl/artikel/32655/1/%22Microsoft_heeft_grootste_botnet_ter_wereld%22.html


polonus
« Last Edit: March 09, 2010, 10:30:00 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!