CD and DVD malware

I expect that they kept autorun at the request of macrovision and friends so that they can continue to protect "high value" music and video from being ripped by morons.

Even idiots know to turn off autorun or hold the shift key down.

Grrrr!

I hate U3 autoboot software but I love the hardware it sits on.

We're Talking AutoRun Again?

Service Name: ShellHWDetection

Display Name: Shell Hardware Detection

Startup Type: Disabled

Don't be fooled by the service's name, all removable media is still detected upon insertion, it just doesn't Auto-Run or open a pop-up annoyance window . Works on XP, Vista SP 1,2 & 7 with no adverse effects... unless opening My Computer to access the media is adverse?

Why is a simple solution ignored in lieu of reg tweaks and updates and patches in every!single!disable!autorun! article that comes out on a monthly basis?

It's a start now what about...

...enabling file extensions all the time as well? Why are they hidden by default? Another blindingly stupid "default" decision.

@tuna 1: Thanks for the tip! I'll be sure to add that to the enormous long list of "crap to be disabled".

Yeah...

The U3 thing is annoying indeed. You can get software to remove the thing from your USB drive, search on line (e.g. Sandisk's website has a link to it in their FAQs or somewhere like that). Even for me, using Linux, the thing was slightly annoying, because it sometimes popped up a CD icon on the desktop besides the USB drive's icon. The really annoying part was when I used the drive in computers running Windows and forgot the damn U3 software was there... I had to then wait for the stupid thing to run its course.

Now, end of the AutoRun altogether is not a bad thing at all, really. Although the pop up window asking what to do (run this, do that, ignore) seems fine to me. Besides the occasional annoyance, is there any other problem with that, from a security stand point?

U3

Two years ago I helped run a conference, with three parallel tracks. All the presentations for each session were pre-loaded onto memory sticks, updated during the break between each session. The U3 junk meant an extra delay each time a stick was inserted in one of the (Windows) laptops the presenters were using; fortunately, the Macs being used to load the data were unaffected. For the second conference, I made sure to buy the memory sticks myself - double-checking there was no U3 infestation anywhere in sight. Of course, there was no time to find or apply registry tweaks or anything else to hack around this irritation (although ISTR holding down shift avoided it, if I got the timing right).

The fail, of course, is that it took MS this long to apply a fix: far, FAR too many virus-laden Windows machines out there pumping spam, 419 scams etc thanks to design faults like this.

tsk tsk

Well wtf is everyone doing plugging-in or inserting 'unknown' content into their USB/CD/DVD drives?

Other than the few retail apps that I have bought/buy, I never plug in unknown content.

This is like surfing to unknown sites.

THANK GOD!

Better late than never eh?

Of course this happens *after* we spend the entire 6 weeks holiday rebuilding our network, only to have viruses discovered 1 day into the new term when about 300 of the little 'darlings' plug in their memory sticks, all seemingly infested with autorun-style viruses (luckily the AV caught most of them).

I hope I meet a virus writer one day, so I can smash his head into something hard =)

U3's problem

If U3 misreports the device type any security issues are U3's problem, not Microsoft's.

Microsoft has done the right thing by removing autoplay from writable media, while leaving the convenience of autoplay for read-only media.

About time... my Linux desktop doesn't have any autoplay vulnerabilities. I for one welcome our new penguin overlords.

About bloody time, and too little too late.

The entire autostart/autorun thing struck me as a huge security risk when it was first offered (officially) with Windows95. As everybody knows these days, my fears were vindicated within weeks when the first strains of malware used that "feature" (no, MS said, it's NOT a bug...) to procreate.

So 14 years after the fact, MS finally admit that there just might be a bit of a security risk in there... one that the insufferable security "warnings" of the MS "Security Center" built into some versions of XP, all of Vista and W7 never even squawked about. *sheesh!*

OK, they never told the user to get rid of ActiveX either, which is at least as dangerous. (Got mail? Click here to auto-install the latest version of our botnet client...).

All in all, I am reminded of a few of the reasons I had for choosing to stick with so-called "alternative" operating systems. I first experienced XP about five years after it came out, and even after all of my preconceptions I was shocked. The OS assumed that the user had to be reminded of the fact that he/she just put a disc in the optical drive? How pathetic is that? (and I do realize that both Ubuntu and SuSE have, unfortunately, followed suit. When will they realize that most of their customer base does not suffer from Alzheimer's and is perfectly capable of double-clicking the drive icon on their desktop to access the data? And no, I am not being unfeeling here; my own grandmother was an Alzheimer's victim but even she was mentally fit enough not to need the OS to tell her what she just did five seconds ago.

Gimme the coat with the list of pubs in its pocket. Hopefully, by the end of the evening, I won't remember I put a DVD in the drive.

@Tom 35 22:19

"CDs and DVDs" - that's what a CD/DVD Player connecteds to your TV is for.

"...pre-infested from the factory" - if that's the case, the installer or application itself may have a trojan, so installing it whether it autoplay's-or-not is irrelevant, you're infected anyway.

Haphazardly plugging anything into your PC is no different than haphazardly surfing any web site.

People are learning [usually the hard way] to take precautions when surfing. The same should be done with any other "new" content regardless of where it comes from or how you get it onto your PC.

Blaming MS for the issue [in that autoplay should be removed] when it is ultimately the responsibility of the end-user, is typical "protect me from myself" idiocy.

Remember the Maine, er, Mac...

Didn't we first see this "attack" back in the early days of Macintosh, where malware was loaded into the resource fork of the Mac file header (or what ever it was back then)? And didn't Apple fix the problem very, very early on...so early on that this has become know ONLY as a Windows problem thereafter?

Sometimes it just takes a Global Village of idiots...

OMFGWTFU3??

Ok I actually like the U3 software for the password lock you can have but I cant get the damn thing working on the schools computers here not because of any security on the systems it just wont bloody run. Grrrrr......

Follow Up

@Dave29: No problem, I wish all MS end-users learned from the get go to navigate to the device instead of the nag pop-ups/auto-plays.

@Chris C: My interest is piqued, I'd like to know what the problem was and how re-enabling SHD resolved the issue. I have been disabling this service(amongst others) on all my & my clients' MS OS's for 2 or 3 years w/ no adverse effects(personal and enterprise). I have found nothing of note Googling, except the vulnerabilities associated w/ keeping it enabled and DVD drives may be labeled as a CD drive in My Computer.

http://www.blackviper.com/WinXP/Services/Shell_Hardware_Detection.htm

Well done!

Now when is Steve gonna do the same for OSX? Absolutely stupid to have anything on any O/S autorun on media insertion!

U3.. I hate them with a passion

Why is it that when you simply plug one of these things in it creates folders and registry entries all over the place.

If its on a USB Stick it should be a true portable app.

</Rant>

A little bit late...

Didn't this horse bolt in, like, 1996? Next up from Microsoft, servicing your Austin Allegro...

So...

All you have to do to get around this is hack the memory stick to present itself as a CD drive to the OS? Or is that not possible on a regular (non U3) device?

Only A Matter Of Time Then,

... till malware starts to exploit XP's built-in disc burning engine so a virus writes itself to CD/DVD thus enabling it to continue Autorun(ning).

Now when I ran this patch on an XP box, why the heck did it need to spin up the half dozen sleeping hard drives instead of just writing the bloody files to the windows partition on the already awake drive? They really don't know how to do anything conservatively I suppose.

On a related note, I suppose we can forecast that they'll finally iron out all the major Win7 issues within the same period we waited for this fix *from them*, around 2016?

How Simple Can It Be???

For XP Pro, create a .reg file with this line:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

@="@SYS:DoesNotExist"

You can then create an "undo" .reg file that simply removes this entry from the registry.

For XP Home use TweakUI

ZZZZzzzzzzzzzz

@Steve Brooks

That's your fault for not scanning your USB stick after plugging it in. Has it occurred to you that the infection could be spread to executables on the USB stick instead of using Autorun? If you're negligent enough to grab media from an infected PC and assume it's safe to plug it into someone else's PC it's your own fault when it goes tits up, nothing to do with Autorun. If you're really that adverse to it, hold down shift.

@JC 2

So how many people do you think have writable CDs/DVDs sitting in their drive at time of infection?

@tuna 1

The bad guys cry........

Noooooooooo

Don't disable autorun! My "install linux as soon as dropped in drive" disk will stop working

IniFileSettings

I've disabled autorun using the IniFileSettings registry patch, as the other ones seem to have too many gotchas, like device types not covered or the possibility of your setting being overriden by some other registry value that somehow takes precedence.

This one tells the OS, if you ever feel like loading AUTORUN.INF, look at this bit of the registry instead, where you'll find nothing. Nothing is what I want you to see when looking for AUTORUN.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

@="@SYS:DoesNotExist"

You lose the benign icons and names, but I can live with that. I'd much rather that Windows treated all executables on removable devices (including CDs) like they were downloaded files, so you get the "are you sure" message and signature check.

@Hazel Rees

The vociferous group is actually the one that understands the security risks. You do not appear to. We are usually the ones who are also aware that the obvious vulnerabilities in AutoRun are spreading viruses and malware, which affect EVERYONE who uses the net.

Let's say you are out with some friends, and you take some nice pics on your DSLR. Your friends say they would like to have a copy of the photos - and just for the sake of convenience, you pop your CompactFlash card in the card reader on their PC, so you can copy the pics over directly, rather than faffing around later and sending them a DVD in the post. Within a second or so, and without your knowledge, you now have a virus on your CompactFlash card, which, after you finish copying the pics from, you duly take home and pop in your PC to transfer the files from. Bang! You get infected, and your PC is now yet another hub in the spam network dedicated to marketing penis extensions to my mother.

I'm all for AutoRun opening up the media root folder *and* *that's* *it* - but this funny shit where any executable could be run without user approval - on any form of removable media, needs, I'm afraid, to be dragged out and shot in the head. Now. This patch is A Good Thing.

@How Simple Can It Be???

And some people like to say that Linux is hard...

Oh, yeah, and the hiding of the extensions by default is pure evil too.

Users unwilling to learn

It's switch off on my Wife's computer. She is an unwilling novice, and a bit of a luddite as well. She does not remember what I tell her about computers from one day to the next, mainly because she just doesn't care.

All I hear from her is "I've put my CD in the drive, and it's not working" when she puts one of her craft CD's in the system.

God knows how many times I've told her, but the instructions on the CD cover tell her that it will autorun, and she trusts that more than she trusts me. It's driving me crazy.

This type of software is written for people who will never care about how computers work, and uses every trick in the book (and some daft ones as well) to try to make sure that the computer is just an applience. I can't even install the software on the hard disk, because the STUPID and SIMPLISTIC copy protection system KNOWS that it will ALWAYS run from drive D, and has hard coded-paths scattered throughout the software. Of course, nobody partitions their hard disks, do they!

Aaaaaaaaargh!!!!!