OK, so I lied about not doing a top ten. Twice.
For a paper that's going through the publication process at the moment, I revisited some of the ideas that our research team at ESET LLC came up with this time last year for a top ten things that people can do to protect themselves against malicious activity. This series of blogs is based on a series I ran at the beginning of 2009, but it's a Good Thing to recycle. Besides, it’s been drastically updated with material from more recent material from other members of ESET’s research teams across the globe, and if the advice is as good as I hope it is, it's worth updating and putting out there again for people who didn't catch it the first time.
1. Don’t Let AutoRun be AutoInfect
In other words, disable Autorun in Windows. This is the item that we pretty much all agreed should be top of the list last year, because this facility is consistently exploited by the class of malware ESET detects as INF/Autorun. Among other threats, of course: many threats that are detected by more specific names (some versions of Win32/Conficker, for example) make use of the same vulnerability. We’ve been considering this issue in detail for quite a while, now: for instance, in Randy Abrams’ blog at http://www.eset.com/threat-center/blog/?p=94.
Has anything changed? Well, not as much as I'd like. That class of malware has been consistently at or near the top of our monthly worldwide top ten reported threats as long as I’ve been tracking them. Don’t assume, though, that that single precaution will save you from every example of that type of threat. Most malware uses more than one technique to infect targeted systems. However, Windows 7’s move away from the misconceived, much misused Autorun facility will contribute to a gradual decline in INF/Autorun and related threats.
Here’s the description of INF/Autorun based on the one we use currently in our monthly threat reports.
This detection label is used to describe a variety of malware using the file autorun.inf as a way of compromising a PC. This file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. ESET security software heuristically identifies malware that installs or modifies autorun.inf files as INF/Autorun unless it is identified as a member of a specific malware family.
What does this mean for the End User?
Removable devices are useful and very popular: of course, malware authors are well aware of this, as INF/Autorun’s frequent return to the number one spot clearly indicates. Here’s why it’s a problem.
The default Autorun setting in Windows (though not Windows 7) will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra “value” by including an additional infection technique.
While using this mechanism can make it easy to spot for a scanner that uses this heuristic, it’s better, as Randy Abrams has suggested in our blog (http://www.eset.com/threat-center/blog/?p=94; http://www.eset.com/threat-center/blog/?p=828) to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case.
As Randy Abrams pointed out in a blog at http://www.eset.com/threat-center/blog/2009/08/25/now-you-can-fix-autorun, Microsoft has released the patches required to make autorun work with only CD and DVD drives. There is one little catch, a USB drive can be configured to look like a CD, but this patch definitely helps reduce risk.
Randy recommends that you install the patch so that you can connect most thumb drives, GPS systems, digital picture frames, and other USB devices with storage to your computer safely.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/