Am I protected from USB autorun malware on Windows 7?
When you plug a USB key in, a considerable amount of things happen. The OS first talks to the USB device to know what kind of device it is and what it can do. Then, if the device says that it is a kind of disk, the OS will look for a filesystem on it, then mount it, and explore some of the files. Depending on what files were found and their names, the OS will suggest a choice of actions to the user (that's the popup you see). Any phase of that process could have exploitable bugs, and indeed numerous examples of these have historically occurred (for instance, the PS3 Jailbreak from last year is a USB device which, internally, announces itself as a hub of four devices, one of which rambles incoherently on the USB bus in such a way that it triggers a buffer overflow in the OS USB driver).
Hence, while the current state of affairs on Windows is that the OS will not by design run malicious code automatically, it may still do it by mistake. To my knowledge, there is no currently published exploit which does so, but it would be implausible that all that code is bug-free.
As a side note, what looks like a plain USB stick may, internally, behave quite differently, and (for instance) show itself as a keyboard to the OS -- and begin "typing" immediately. The possibilities are almost endless. And a bit scary.
According to Wikipedia:
Windows 7
For all drive types, except DRIVE_CDROM, the only keys available in the [autorun] section are label and icon. Any other keys in this section will be ignored. Thus only CD and DVD media types can specify an AutoRun task or affect double-click and right-click behaviour.
There is a patch available, KB971029 for Windows XP and later, that will change AutoRun functionality to this behaviour.
https://secure.wikimedia.org/wikipedia/en/wiki/Autorun.inf
So, this would indicate that some parts of autorun.inf are still indeed processed by Windows 7 upon insertion of any removable media. How much of it gets processed is dependent upon whether the media in question is in the optical drive.
I'm not aware of any current vulnerabilities specifically connected to the label or icon keys, but that doesn't mean there won't ever be any. There's also the possibility that you may encounter an infected CD/DVD/BD or other optical media where more of autorun.inf would get processed. So, to protect yourself properly, I would still recommend disabling processing of autorun.inf in its entirety.
Michael Horowitz wrote a great blog article about how Autorun and Autoplay work some time ago. Echoing work done by Nick Brown and Emin Atac, the article included a registry hack to disable all processing of autorun.inf. I'll paste the registry hack details below. Check out the article link for more information.
The suggested solution involves updating the Windows Registry. So, as always, it's best to make a backup. The solution was written for Windows XP/Vista, but it should work in 7 as well.
Zapping the registry is simple, all you need is the three lines shown below in a .reg file. Then double click on the file.
You can either copy the three lines below from this web page or download the file using the link at the bottom of this posting. The file name is not important, other than it should end with ".reg". Computerworld does not allow attaching files ending with ".reg" to a blog posting, so the file type is ".txt" and you'll have to rename it to end with ".reg".
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
Note that there are three lines in the file, the middle line may wrap when displayed by a web browser, but it needs to be a single line in the .reg file.
Nick Brown explains what this does:
This hack tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application ... it says "whenever you have to handle a file called AUTORUN.INF, don't use the values from the file. You'll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key, er, does not exist, it's as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action. Result: worms cannot get in - unless you start double-clicking executables to see what they do ...
The text "DoesNotExist" in the third line is meant to be a place in the registry that does not exist. If this zap gets very popular, malware may look for it, so it can't hurt to change it just a bit. For example, I might use something like @="@SYS:DoesNotExistMichael" on my computers. To be clear, this is not at all required. The zap as shown above works fine.
http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives
Of course, this doesn't really do much against USB sticks that present themselves to the system as something other than what they actually are. The best solution is to just not plug in any device that you don't trust. And, don't plug any devices that you do trust into systems that you don't.
For additional info about Autorun/Autoplay and how they work, see the websites already referenced. Also, check out these Wikipedia links:
https://secure.wikimedia.org/wikipedia/en/wiki/AutoRun
https://secure.wikimedia.org/wikipedia/en/wiki/AutoPlay
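The same registry hack applied from PowerShell, as an added example that is not part of the answer above or of the Computerworld article. It does what the three-line .reg file does (create the IniFileMapping\Autorun.inf key and point its default value at a non-existent registry path), exports the existing key first as the backup the answer recommends, and then verifies the effect the way Nick Brown describes it: it asks Windows to read a constructed autorun.inf through the INI-file API that Explorer uses, before and after the change. The sample autorun.inf, its file names (setup.exe, Photos) and the backup file name are constructed for the demonstration; the script assumes an elevated (Administrator) session because the key lives under HKLM.

```powershell
# Added example: applies the IniFileMapping hack from the answer above with
# PowerShell instead of a .reg file, keeps a backup, and then shows the effect
# by asking Windows to read a constructed autorun.inf the way Explorer does.
# Run from an elevated (Administrator) session: the key lives under HKLM.

$MapKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
# The redirect target only needs to be a registry path that does not exist;
# the blog suggests varying the suffix so malware cannot look for the string.
$Redirect = '@SYS:DoesNotExist'

function Backup-AutorunMapping([string]$BackupFile) {
    # Export the current key (if there is one) so the change can be reverted
    # with "reg.exe import".
    if (Test-Path $MapKey) {
        $regPath = $MapKey -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
        & reg.exe export $regPath $BackupFile /y | Out-Null
    }
}

function Set-AutorunMapping {
    # Equivalent of the three-line .reg file: create the key and set its
    # (Default) value to "@SYS:DoesNotExist".
    if (-not (Test-Path $MapKey)) { New-Item -Path $MapKey -Force | Out-Null }
    Set-ItemProperty -Path $MapKey -Name '(Default)' -Value $Redirect
}

function Test-AutorunMapping {
    # $true when autorun.inf is being redirected into the registry.
    if (-not (Test-Path $MapKey)) { return $false }
    $v = (Get-ItemProperty -Path $MapKey).'(default)'
    return ($null -ne $v) -and ($v -like '@SYS:*')
}

function Read-AutorunOpen([string]$Path) {
    # Explorer reads autorun.inf through the INI-file API (GetPrivateProfileString),
    # which is what IniFileMapping hooks. A process loads the mapping table when
    # it starts, so the read is done in a fresh powershell.exe to see the
    # current registry state rather than the one cached by this session.
    $script = @"
Add-Type -Namespace Win32 -Name Ini -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
public static extern uint GetPrivateProfileString(string s, string k, string d,
    System.Text.StringBuilder r, uint n, string f);
'@
`$sb = New-Object System.Text.StringBuilder 1024
[void][Win32.Ini]::GetPrivateProfileString('autorun', 'open', '', `$sb, 1024, '$Path')
`$sb.ToString()
"@
    $enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
    return (& powershell.exe -NoProfile -EncodedCommand $enc | Out-String).Trim()
}

# Constructed sample (hypothetical file names): the kind of autorun.inf a worm
# drops at the root of a USB stick. It is written to a temp directory and no
# setup.exe exists there, so nothing can run.
$dir = Join-Path $env:TEMP ('autorun-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
$inf = Join-Path $dir 'autorun.inf'
@"
[autorun]
open=setup.exe
icon=setup.exe,0
label=Photos
"@ | Set-Content -Path $inf -Encoding ASCII

"Before: open = '$(Read-AutorunOpen $inf)'"
Backup-AutorunMapping (Join-Path $env:TEMP 'autorun-mapping-backup.reg')
Set-AutorunMapping
"Mapping in place: $(Test-AutorunMapping)"
"After:  open = '$(Read-AutorunOpen $inf)'"
Remove-Item -Recurse -Force $dir
```

The "Before" read returns the open= value from the file; once the mapping is in place, the same API call returns an empty string, which is exactly why Explorer then sees an autorun.inf with nothing in it. The read is deliberately done in a child process: the mapping table is picked up when a process starts, so an Explorer that was already running when you applied the hack keeps its old view until it is restarted (or you log off and on). To undo the change, run reg.exe import on the backup file, or delete the Autorun.inf key if it did not exist before.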
The default behavior is to show the popup. The popup scans the media for file types and makes an educated guess on what you might want to do. With the default behavior, the only way to exploit it is through a vulnerability in the popup code that reads the content of the media, which doesn't exist at the moment [in the wild].