Author Topic: SillyFD-AA worm  (Read 2923 times)

Keith Warner

  • Guest
SillyFD-AA worm
« on: May 07, 2007, 06:03:51 PM »
Forgive me if I sound somewhat of a noob, and I certainly am when it comes to flash.  I recently bought a 1Gb USB flash drive/stick/thumb (or whatever you call it), and installed a PortableApps suite with Firefox browser, Thunderbird email and some other stuff.  I also stored a lot of personal data.

Just now I read in another forum about the SillyFD-AA worm.  The poster gave little other info (and no links) other than it's a nasty little bugger that attacks removable media.

I'm having no problems that I'm aware of.  Just wondered if it's in the avast! database.  Whenever I use the flash I scan with avast! before putting it away.


Thank You,  Keith  ???
« Last Edit: May 07, 2007, 06:12:06 PM by Keith Warner »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: SillyFD-AA worm
« Reply #1 on: May 07, 2007, 08:20:01 PM »
Win32:Silly-G [Wrm] is there.
Most probably a variant of the virus. I want to know if avast could detect it. I'm not sure.
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33938
  • malware fighter
Re: SillyFD-AA worm
« Reply #2 on: May 07, 2007, 10:24:41 PM »
Hi Keith Warner,

Sophos experts advise that users disable the autorun facility of Windows so removable devices such as USB keys and CD ROMs do not automatically launch when they are attached to a PC. Any storage device which is attached to a computer should be checked for virus and other malware before use. Floppy disks, CD ROMs, USB keys, external hard drives and other devices are all capable of carrying malicious code which could infect the computers of innocent users.

Plug an iPod or USB stick into a PC running Windows and the device can literally take over the machine and search for confidential documents, copy them back to the iPod or USB's internal storage, and hide them as "deleted" files. Alternatively, the device can simply plant spyware, or even compromise the operating system. Two features that make this possible are the Windows AutoRun facility and the ability of peripherals to use something called direct memory access (DMA). The first attack vector you can and should plug; the second vector is the result of a design flaw that's likely to be with us for many years to come.

It's a Bug, Not a Feature

AutoRun is the feature built into Windows that automatically runs a program specified by the file "autorun.inf" whenever a CD-ROM, DVD or USB drive is plugged into a Windows-based computer. The feature exists so that software makers can have pretty splash screens appear on the computer when the installation CD-ROM is placed into the drive. Unfortunately, there are few, if any, restrictions placed on what AutoRun programs can do—as far as Windows is concerned, it's just another program that the user is running. So if a bad guy puts a nasty program onto a USB stick and can then convince one of your hapless users to plug that stick into their Windows-based computer, that bad guy has found a great attack vector for compromising your machines.

AutoRun is just a bad idea. People putting CD-ROMs or USB drives into their computers usually want to see what's on the media, not have programs automatically run. Fortunately you can turn AutoRun off. A simple manual approach is to hold down the "Shift" key when a disk or USB storage device is inserted into the computer. A better way is to disable the feature entirely by editing the Windows Registry. There are many instructions for doing this online (just search for "disable autorun") or you can download and use Microsoft's TweakUI program, which is part of the Windows XP PowerToys download. With Windows XP you can also disable AutoRun for CDs by right-clicking on the CD drive icon in the Windows explorer, choosing the AutoPlay tab, and then selecting "Take no action" for each kind of disk that's listed. Unfortunately, disabling AutoPlay for CDs won't always disable AutoPlay for USB devices, so the registry hack is the safest course of action.

AutoRun isn't just a problem for Windows. Back in the 1990s the Macintosh had a similar feature called Autostart that automatically ran QuickTime 2.0 files; Apple removed the feature from the operating system after the so-called Hong Kong virus (formally known as Autostart-9805) spread to thousands of computers in 1998. Likewise, the Palm operating system has a similar feature that automatically gives every program on an SD card the chance to run when that card is plugged into the expansion slot of a computer running PalmOS.

The AutoRun threat is very real and has been exploited on a massive scale. The Rootkit/spyware combination that Sony Music distributed last year on millions of compact discs was installed as part of an AutoRun script. Spyware was installed on Windows-based PCs all over the world. It turns out that the music CDs also included spyware for Macs, but on MacOS the spyware needed to be manually installed, and few Apple users bothered.

But as bad as AutoRun is, there's a vulnerability built into practically every desktop computer and server that's currently in use—and this is a vulnerability that affects PCs running Windows, Macs and quite possibly machines running Linux or even Solaris. The vulnerability is based on the direct memory access facilities built into the FireWire and USB standards. Read further here: http://www.csoonline.com/read/050106/ipods.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
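
Added example, not part of the original post or of any avast!/Sophos tooling: a small Python check that reads the autorun.inf described in the reply above from a drive root and lists which programs Windows AutoRun would start, so a stick can be inspected before it is trusted. The function names and the sample file contents are constructed for illustration.

```python
import os, sys

# Constructed sample; the file names are placeholders, not taken from any real worm.
SAMPLE = """\
; constructed example
[AutoRun]
open=setup_placeholder.exe /quiet
icon=drive.ico
shell\\explore\\command=setup_placeholder.exe
label=My Stick
"""

def parse_autorun(text):
    """Collect key=value pairs from the [autorun] section, ignoring case and junk lines."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_entries(entries):
    """Keep only the keys that make Windows start a program."""
    hits = []
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb:
            hits.append((key, value))
    return sorted(hits)

def audit_drive(root):
    """Find autorun.inf in the drive root (any letter case) and list what it would launch."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "rb") as fh:
                data = fh.read()
            # Files saved as Unicode carry a UTF-16 BOM; otherwise read as UTF-8/ASCII.
            bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
            text = data.decode("utf-16" if bom else "utf-8-sig", errors="replace")
            return launch_entries(parse_autorun(text))
    return []

if __name__ == "__main__":
    print(audit_drive(sys.argv[1] if len(sys.argv) > 1 else "."))
```

An empty result means no autorun.inf launch entry was found in the drive root; it says nothing about other files on the stick, which still need an antivirus scan.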

Keith Warner

  • Guest
Re: SillyFD-AA worm
« Reply #3 on: May 08, 2007, 02:44:38 AM »
Thanks, Polonus!  I went with Tweak UI and disabled autorun.  Tweak is a nice little toy.  Did I really and truly get rid of a Start menu with an MRU list as long as my arm, and a balloon saying there wasn't room for all of them?  LOL

Thanks again,  Keith