The San Francisco Chronicle came up with a story a couple of days ago that was even more alarming, and not only in the volume of related incidents they dug up.
You may have noticed that we’re pretty keen here on disabling the Autorun facility in Windows except when you really need it. It appears that Microsoft’s Malware Protection Center may disagree. According to the Chronicle, senior program manager Ziv Mador thinks it’s a bad idea because it’s not simple to do.
(He has a point: it should be easier than it actually is, but surely that’s an issue with the operating system, not a reason to avoid taking a step to improve security?)
His concern, apparently, is that users may get confused. ""They’re used to entering a CD (or plugging in a frame) and it loads automatically, and that will not work anymore…The important thing is to have up-to-date antivirus software and keep it turned on. That will mitigate much of the risk."
He’s right, up to a point. Even SANS – not always the antivirus company’s best friend – admits that AV companies are pretty good at keeping on top of threats that use this particular approach to infection. But that doesn’t mean that Autorun is a good idea.
Actually, it is a good idea in principle: it’s the way that it’s been exploited by the bad guys that has ruined it. However, the users of other mainstream operating systems manage quite nicely without it, and Windows users could do, if it wasn’t turned on by default, or even made a little easier to turn off for people who aren’t security gurus or MCSEs.
In fact, as Randy pointed out in a much earlier blog, not everyone at Microsoft is so protective of Autorun. (Whatever you may hear to the contrary, there are some very sharp people working in security at MS!) Steve Riley points to some ways of mitigating the autorun effect. There’s more Technet info here. Incidentally, the INF/Autorun approach to auto-installation doesn’t work with all removable media, but there have been ingenious attempts to achieve the same thing (legitimately or maliciously) on a variety of types of flash media, sometimes by forcing the media to "lie" to the operating system about what kind of device it is, or using third-party software.
There is also an interesting example of a family of SymbOS Trojans that attempts to install Windows worms if a phone memory card is read on a PC, though I’m not aware of an incident where that infiltration actually worked in real life.
(Here are a couple of other links relating to older stories: http://www.theregister.co.uk/2008/01/25/best_buy_digital_frames_virus/
http://isc.incidents.org/diary.html?storyid=3892) And this story at Darkreading, though a couple of years old, still makes the point very succinctly.)
David Harley BA CISSP FBCS CITP
Author David Harley, ESET