Autorun attacks from CD
"..Microsoft has yet to see in-the-wild attacks that exploit Autorun on “shiny media.”..."
Err, Sony DRM?
After a decade of abuse, Autorun is finally being retired in older versions of Windows. On Tuesday, Microsoft began pushing an update that changes the way Windows Server 2008 and earlier versions of the OS respond when USB thumb drives and other portable media are plugged in. Until now, those versions dutifully executed code …
Even after setting NoDriveTypeAutoRun to 0xFF I've had it mysteriously come back on.
This page: http://windowssecrets.com/comp/071108#story1
documents a useful additional piece of protection, which if autorun does manage to launch, redirects it to perform a useless action instead of executing the commands in autorun.inf. I tested this idea with autorun ON and some simulated malware on removable media, and it does seem to protect the computer.
I've seen quite a few CDs that launch via autorun Adobe Reader or Macromedia products (now Adobe) that are included on the disc to pull up an index or menu of documents contained on the CD... it's done for those people not smart enough (or perhaps too lazy) to open the CD manually and then the appropriate application or document file themselves...of course it seemed like a good idea at the time it was developed to have this functionality but we all know the problems that it has led to years later...
"it's done for those people not smart enough (or perhaps too lazy) to open the CD manually and then the appropriate application or document file themselves"
Sounds like the entire of Windows 7
"of course it seemed like a good idea at the time it was developed to have this functionality but we all know the problems that it has led to years later.."
We'll see (or rather in W7 we won't see as it keeps everything as hidden as possible)
It was for software and driver developers so that they could pop up a useless resource hogging animated thing with sound and crap as soon as you plugged in a CD. Doesn't matter that all anybody ever did was click on the "Install the damn software" button, which could've been much easier if they'd just included on the box:
1) Insert CD
2) Browse to CD in Explorer
3) Double-click on setup.exe
Instead, a lot of them seemed to put more effort and energy into their flashy autorun screens than they did in their software.
> Instead, a lot of them seemed to put more effort and energy into
> their flashy autorun screens than they did in their software.
There's a reason they (proprietary software makers) do that, making sure the user does not gain empowerment.
If the user had to follow the same simple steps to do something then they might gain understanding of the computer. If the users have to deal with different things to achieve the same ends, or face interfaces that look different with similar products, then the users are much less likely to gain an understanding of the system. And when someone does not have understanding but has to use a system, they become dependent on third parties to progress on that system. And that is where industry steps in, to "monetize" the people's needs.
The software industry is also mature enough that it recognises this, and so very few (if any) proprietary products dare try to empower the user. They dazzle with shiny-shiny, and let the user think they have witnessed some magic.
Actually providing what the user might really need, empowerment, is not going to be forthcoming from proprietary software vendors (and to a lesser degree some Free software, the stuff that copies proprietary paradigms, like dumbing shit down to chase the mass-market (eg Firefox)).
A parallel to this is the times tables. I'm sure you can imagine how a person could learn their times tables by rote, yet still not understand the principles behind multiplication. That person would be fine with multiplication right up until the point where they need to work out more than 12x12. To do more, they need third party help, a calculator.
But a person who understands multiplication does not need the services of a calculator company, they can work it out in their head, or on paper. Proprietary software gets in the way of people's understanding of computers, and that lack of understanding is used to sell software. And software that varies little between versions, and is basically the same stuff re-heated with a few extras slung in.
That is why so much effort is spent on the autorun BS.
to kick off a software installer. Even people like PCW used to use it for their cover-mounted CD and DVD's.
I've installed a recent HP printer, and it used autorun (the installation instructions did document how to run it without auto run, but it was phrased like "If the installer program doesn't automatically start, open the CD, and .....").
My significant other (worded to attempt not to upset the Moderatorix) has some craft software that needs the CD inserted explicitly in the D: drive (and heaven forbid if your CD is not the D: drive), and the instructions for this expect autorun to work, and do not contain an alternative. I keep explaining this, and she keeps telling me that her computer is broken because the software does not start. Grrrrrrrr.
I think too many of the people commenting here are in the Windows support business, where they are in control of any software installation, and do not talk to home and SOHO businesses where simplicity and hand-holding is essential for people who just use computers as tools.
I can't be so old that this has passed out of memory, can I?
"Microsoft didn't retire Autorun sooner was the resistance from some partners who rely on the feature to install programs that accompany their hardware"
So, basically, some dumb bozos who can't be bothered to do things in a safe manner got us years of malware crud? And the rest of M$'s customers got ignored?
What this reminds me of is how long it took M$ to turn off auto-running code in Outlook. IIRC they said something like "our users benefit from this integration". Finally turned it off after years of aggravation and after it was obvious to world and dog that this approach was an oft-repeated accident that had happened again and again. Prior to that, users also had to tinker with the settings to turn it off.
Come on guys. I know you won't get everyone to love you. But the least you can do is pay some attention when obvious security risks come to light and lock things down rather than pretend all is well.
BTW, U3 blows too, regardless of it being a security risk or not.
is autorun renamed to something different in windows 7 cos it is still happily working for me (64 bit home premium).
Steen Hive - it opens up the explorer window when the device is ready, saves me having to go start, my computer. i also use autorun for having custom icons for my partitions (i have 5). it was nice to do this for usb sticks too. always seemed to impress people at internet cafes etc (yeah i know being cute for no reason haha).
security essentials has picked up any bad versions of autorun so far for me (e.g. copying files to friend's usb sticks or wiping mine having used it outside)
don't autorun anything, they do still pop up a dialog asking you what you want to do though, with autorun.inf entries at the top. It's how it should have worked from the start, a kind of halfway house catering for the people who are too lazy/stupid to browse to the files on their own, but without the security issues of autorunning anything.
That's AutoPlay. The difference between AutoRun and AutoPlay is that AutoRun just blindly went off and ran whatever EXE the autorun.inf file told it to run.
Whereas AutoPlay looks at the content of the CD/DVD and then pops up a menu presenting you with some options (eg. view the pictures on this CD) and asking you what you want to do next.
AutoPlay solves the problem of people who don't know how to go browse the contents of a CD and find the setup.exe file vs those who don't want some virus riddled exe to startup as soon as they pop the disk in the drive.
The obvious solution is to have Windows show a dialog box: "You have inserted a CD / DVD / USB stick. Do you want to run the setup program? (This may make changes to your computer)"
For bona fide application or game install discs, the user would pick yes; otherwise no.
As it stands, when I plug in my digital camera I get the default Windows prompt asking me if I want to run a particular application with it. Seems simple enough.
You made a logical assessment of what should happen. That was your first mistake.
In reality.. Popup window comes up and user clicks OK. Clicking OK is how one closes a popup. The most dire warnings get put through a mental filter and come out as "Click OK to close this nasty scary popup".
Reading popups is dangerous. It must be avoided at all costs. Because if you have read the popup, you might be responsible for what happens next. Then you can't tell your computer repair serf that you don't know what happened. And picking that MP3 player or USB stick up off the street couldn't possibly have wrecked the work network... could it?
There are two camps of non techie users that I know of.
Ignorant: I don't know, and I don't care
These people just click yes to everything and cause a friend / relation many hours of grief trying to clean up their system
Ignorant, but scared: OMG! What has popped up on the screen, the world is going to end
These people generally have clean computers, if only because they never get turned on. These people cause friends / relations hours of grief as everything they need to do online is done over the phone, with said person giving information and the friend / relation filling in the form
(Yes I am bitter at wasting my time)
But I think that it means anything that a techie thinks is a good solution is likely to fail at the first hurdle for a real user. I am including my own solutions to regular problems here (how hard can it be to teach someone to press two buttons? Very apparently.)
So if you use your pop up window I think it would just be people not clicking on it ever, or clicking on it regardless. The biggest security threat to a computer is the person sitting behind it...
IIRC there was a USB based file transfer gadget (2 USB cables with some sort of box-of-hostmode-tricks in the middle, or a fancy pants null modem cable if you prefer) that had its drivers embedded in the device so that plugging it in to a computer would fire up the transfer software with no need to install anything. This thing was marketed through infomercials to the computer illiterate as an easy means of shifting data from their desktop to their laptop etc.
I know this all sounds pretty idiotic to us reg readers, but to the computer illiterate (and their tech savvy children / grandchildren) the "plug it in and it works" functionality was a pretty useful feature. That said, having the OS execute any old code it happens to find on a USB device just because you plugged it in is and always will be a fucking stupid idea.
> Adam Shostack, a program manager for Microsoft's
> Trustworthy Computing group, said here that Microsoft
> has yet to see in-the-wild attacks that exploit Autorun
> on “shiny media.”
Apart from the obvious Sony rootkit, I remember seeing a download years ago that used autorun to bypass the screensaver on windows 95. If the screensaver was password protected, you could pop in a CD, it would autorun, switching off the screensaver's password and allowing the attacker to get to a desktop that was meant to be inaccessible
Yes, I know, 9x, no real security. But it is still an attack that used autorun on shiny media. Your sweeping PR statements are no match for my memory, Shostack!
Viewpoint Media Player is a very viral dvd player that comes packed onto loads of DVD movies, and it installs itself without asking.
I have seen XP come to a crawl just because of this stupid thing, not on my XP build tho, i disabled those Security flaws for my customers over 2 years ago. I get the occasional person I have to explain to double click on my computer. Apart from that and ofc the stupid 3g sticks and their stupid modeswitch.
I wouldn't mind, it's just another of the 500 to 1000+ registry entries that are wrong by default. How else are the MCP's going to make any money? ::)
A depressingly large number, I'm afraid.
However, while I still use XP and 2000, it is a VM on Linux now, and I generally disable networking and USB access wherever I can, in addition to having turned off autorun on ALL drives by the registry tricks.
Really, as already said in these posts, autorun was a dumb idea in the first place and only sustained by those who cared not two hoots about security and freedom from crud ware.
Closing the stable door after the horse has bolted, got out into the sheep field and scared them all, been captured, returned to the stables, had a long and productive working life in a variety of capacities, spent a short retirement giving children rides before being carted off to the glue factory, shot in the head with a bolt, boiled down, made into glue and sold in newsagents up and down the land.
Windows 7 bug number 412: I am always being asked to login twice in a row. Think I am lying? Google 'windows 7 login twice' and marvel at yet another school boy error from the world's largest software company. Yet again, no fix, no solution, that's Microsoft quality.
And it's typical of them to release a patch to disable Autorun then decide that "meh it only needs to apply to certain types of media". Yeah leave some more loopholes wide open then it's not like that's ever gotten you into trouble before.
My favourite is in Windows Backup. You tell it to automatically manage the disk space and yet as soon as it fills up the contents of the external drive, it stops working up and screams at you to delete older backups.
What on earth does "automatically manage the disk space" mean then? I can't be the only one expecting it to delete older backups to ensure that it could continue working?
Apparently it is because the default is to prompt for a password when coming out of sleep mode. You can change this in control panel (somewhere) - but it is a bug.
I lost the will to live reading the MS page on how to disable this abhorrence, and being a MS solution, I'm guessing it probably doesn't do the whole job anyway. I have used this single command line for years and it works every time; kills autorun stone dead on all devices. It should work for (at least) Windows XP, Vista and Server 2008. As this is Windows, you'll need to reboot afterwards.
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer /V NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
Another alternative is to bin Windows and use something else :-)
Why this dreadful nonsense ever existed in the first place is beyond me.
Key thing here is the registry branch - HKCU. Change user (or have a problem with your userprofile, so it defaults itself) and autorun sneakily turns back on. You can also set the same value in HKLM (and should do) but this can still be over-ridden by a user setting.
See my earlier post (or http://windowssecrets.com/comp/071108#story1 ) for a more reliable method of nobbling it for all users.
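Added example, not part of any comment above and not Microsoft's own tooling: a small audit that reads NoDriveTypeAutoRun from HKLM and every loaded user hive and reports which drive types each value still leaves enabled, without assuming which hive takes precedence. The bit-to-drive-type table follows the documented GetDriveType numbering; the SIDs in the sample snapshot are constructed placeholders.

```python
"""Audit NoDriveTypeAutoRun across registry hives (added example)."""
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# One bit per drive type; a set bit disables Autorun for that type.
DRIVE_BITS = {
    0x01: "unknown", 0x02: "no root directory", 0x04: "removable",
    0x08: "fixed", 0x10: "network", 0x20: "CD-ROM",
    0x40: "RAM disk", 0x80: "reserved/future",
}

def still_enabled(raw):
    """Drive types the value does not cover; None if the value is absent."""
    if raw is None:
        return None
    if isinstance(raw, (bytes, bytearray)):      # value stored as 4-byte REG_BINARY
        raw = int.from_bytes(raw, "little")
    mask = int(raw) & 0xFF
    return [name for bit, name in sorted(DRIVE_BITS.items()) if not mask & bit]

def audit(snapshot):
    """snapshot: {hive label: raw value or None} -> [(hive, status, types)]."""
    findings = []
    for hive, raw in snapshot.items():
        types = still_enabled(raw)
        if types is None:
            status = "missing"        # nothing set here: another hive or the OS default decides
        elif types:
            status = "partial"        # some drive types are still allowed to autorun
        else:
            status = "all-disabled"   # 0xFF (decimal 255), as in the reg add command
        findings.append((hive, status, types))
    return findings

def read_live():
    """Windows only: read the value from HKLM and every loaded user hive."""
    import winreg

    def query(root, path):
        try:
            with winreg.OpenKey(root, path) as key:
                return winreg.QueryValueEx(key, VALUE_NAME)[0]
        except OSError:               # key or value absent, or not readable
            return None

    snap = {"HKLM": query(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY)}
    index = 0
    while True:
        try:
            sid = winreg.EnumKey(winreg.HKEY_USERS, index)
        except OSError:               # no more subkeys
            break
        index += 1
        if not sid.endswith("_Classes"):
            snap["HKU\\" + sid] = query(winreg.HKEY_USERS, sid + "\\" + POLICY_KEY)
    return snap

# Constructed snapshot so the audit also runs off Windows; the SIDs are placeholders.
SAMPLE = {
    "HKLM": 0xFF,
    "HKU\\S-1-5-21-EXAMPLE-1001": 255,
    "HKU\\S-1-5-21-EXAMPLE-1002": None,   # profile that never got the value
    "HKU\\S-1-5-21-EXAMPLE-1003": 0x91,   # leaves removable and CD-ROM enabled
}

if __name__ == "__main__":
    snapshot = read_live() if sys.platform == "win32" else SAMPLE
    for hive, status, types in audit(snapshot):
        detail = "" if not types else " still enabled: " + ", ".join(types)
        print(f"{hive}: {status}{detail}")
```

Only hives that are currently loaded appear under HKEY_USERS, so profiles of users who are not logged on are not covered by the live read.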
> Bryant said the main reason Microsoft didn't retire Autorun sooner was the resistance from some partners who rely on the feature to install programs that accompany their hardware
This doesn't make technological sense ..
> Over the past few years technologies such as in the U3 functionality found on many thumb drives has provided alternatives .. As we've pointed out before, the changes to Autorun still don't go far enough. CDs and DVDs by default still automatically execute code when inserted ..
I have noticed that U3 USB devices execute a menu regardless of the settings. It's to do with a hidden partition on the U3 device identifying itself as a CD.
Not going to miss auto-execution, hopefully this might cause some users to work out how to navigate their filesystems. I kid you not, I have been on the other end of a support call where the 'user' was unaware of right-click, that windows could be other than full-screen and that they could have more than one window open at a time. This was why autorun was adopted - to help reduce support calls... of course, it was a bloody stupid system that was just ripe for misuse.
However I'd be a bit saddened if this loses the augmentation of icon and volume label that autorun provided.
Paris, because I feel sure she's wide open for improper insertion of dodgy hardware.
I found that autorun was useful for when manufacturers were too stupid to have a simple setup.exe file on the root of the disc.
Some software packages come with a depressingly deep folder structure and no obvious installation executable. So it was nice for autorun to just launch d:\bin\files\acid\HiBob.exe as I was never going to know that that was actually what I needed to install my software.
If everyone could go back to something as complicated as d:\setup.exe then definitely, autorun can go (:
...for whom trying to FIND the CD drive is an adventure (remember, this is Windows, not MacOS or most Linuxes--the CD drive does not magically appear on the desktop when you insert it). Plus I have to wonder why AutoRun is so truly, despicably evil in the disc world (now, I can see it for USB devices and so on--those are too easy to tamper). If a miscreant has access to the files that end up on the "gold" copy that eventually gets pressed, that's indicative of a bigger problem. Plus, such a miscreant can booby-trap more than just the AutoRun. What about the Setup.exe itself? And other program files within the disc? Since you need the Setup to install the program anyway, you'd be damned either way.
1 CDs are not always professionally produced thanks to CD/DVD/Blu Ray writeables so this leaves a whole non virus related attack vector.
2 Not every CD is a software installer. If I put a CD or DVD in the drive to listen to music or watch a movie I probably don't want the thing installing whatever cute viewer/anti piracy software mucking about my system.
You've never seen the leave a CD containing autorun malware labeled PORN in the parking lot and wait for someone to take it into work with them and stick it in their computer. It's a fairly successful ploy. The malware is installed long before the person realizes there is no porn on the disk.
Anonymous Coward because this is probably a luser question...
Once autorun is disabled, what is the recognised method of achieving the same result for those CDs where the target is deeply buried? I had one the other day with some drivers on and I still haven't worked out how to make it go...
Click around until you find it...
I'm not quite sure why driver disks come with executables anyway. You can usually extract the executable with a program e.g. 7zip to reveal the standard driver files that Windows will find and accept. Why do they need to be locked away in an "installer"? All the installer does is copy the files to the Windows folder and then let Windows discover them and do the actual driver installation itself.
The answer? So they can install a whole bunch of crap that is in no way necessary for the correct functioning of your device but is 100% necessary to get adware and other shite onto your PC for marketing purposes.
“We feel like now is the right time across the industry to be able to push this change out and have a pretty substantial impact on how malware spreads,” Jerry Bryant, group manager in Microsoft's Response Communications, told The Reg. “This is really something that will help to further protect the ecosystem.”
S'funny. I thought the "right time" was about ten years ago.
Stable doors, horses bolting, etc.
... DISABLING ANY AND ALL PROGRAMS REQUIRING FOCUS WHEN YOU ARE EXECUTING ANYTHING ELSE IN FULL SCREEN.
Ok now, I'm serious. Some *ahem* softwares are not too fond of being 'alt-tabbed' away by anything else that requires focus on the system, like, say, Antivirus, or even Messenger itself. Well, messenger learned to stay put when something is running fullscreen. Some DirectX modes crap themselves out when you alt-tab out of them and won't take alt-enter either to return to them. Some *3D softwares* simply won't run again when you try to go back to them, after being alt-tabbed out of them.
Autorun was, and has always been, an UTTER AND MAJOR FAIL. Not just that, it is a liability. It is a gas-leaking pipe in front of a arc-welding repair shop FAIL of a liability and a misinformed kludge that MS thought practical when someone inserted an Audio CD back in Windows (95?) just to look cute, edgy and advanced.
Pretty much like autoexec.bat. Yes, this one was also silently killed because it was even worse and older than autorun.inf. I bet you can still stuff a W7 today if you insert one of those on the root of the boot drive.
I've always disabled autorun on every installation I've ever done. It never fails to amuse me when people call to say I broke their computer or Windows is broken or some such nonsense. Once I explain why autorun is a security risk I always get positive comments back. When I tell them what to do (for the second time) to run a program or installer on the CD/DVD I get, "I have to do all that just to make it work? How do I make it work the way it used to?", almost every time. I guide them through finding and running the .reg file that will undo the fix (always provide an undo) and they're happy. That is until, once again, their brother-in-law gave them the coolest game that just messed up their computer. I then refer them to several shops that will gladly take their money to fix it for them. "You won't fix it for me?" I just tell them no, I can't help. They never learn and they never fail to ask for help again. I just got too many dumb friends.
Yes, it's true that Autorun has done a lot of damage. Yes, it's true that hand-holding features such as the default "Hide file extensions" are a nuisance. But ultimately the most damaging weakness of Windows, the one that causes the most problem for most users, is the lack of a standard and reliable way of creating an image of your installation of Windows, which you can take to another computer to restore your Windows system onto a different hard disk. Because of this weakness in Windows, many of my friends get into a catastrophe in any of the following scenarios:
(i) the hard disk dies and there is no restore/driver CD
(ii) Windows slows down after one year, and the user can't fix it
(iii) the factory restore CD doesn't work (e.g. my old Gateway and new Acer)
(iv) you create an image using third-party software but the image restoration is not bootable (it happened to me before with Ghost 2002 and True Image Home 9)
Compounding the problem is that your personal data is deeply interwoven with the Windows system, so restoring an image will wipe out your personal data unless you know how to back up your buried data (no problem if you are a techie).
I use a really good product called Paragon Backup and Recovery. We have used this to clone machines for deployment as well as straight file backup and image backups.
If you look hard enough, you will find a free version.
No, I don't work for them.
U3 seems to be dead. The websites are missing or closed, the downloads are gone, the licencing unavailable. And StartKey -- which was to be the U3 replacement -- is also dead and cremated.
So what are suppliers using? Is it all in-house solutions now? Or have they given up on USB installation media?
A further article would be welcome.
If someone buys a computer without knowing how to use/run Explorer and about the file system then they should buy a book to learn from or go on a computing for beginners course. If they can't be bothered to learn then "tough shit".
After years of receiving support calls from friends and family I've finally got to the point where if I say "Open Explorer and navigate to your CD drive or D:\ or whatever" and they ask how then I've just started telling them to buy "book x" from Amazon, read it and get back to me.
Perhaps disabling autorun will force people to expend some effort to learn how to use their machines properly.
Microsoft is NOT pushing this update via Windows Update. To XP users at least, it is an *optional* update so it still needs to be manually requested.
This article has more