Disabling Autorun
Number: TR08-004
Date: 22 December 2008
Table of Contents
Overview
Autorun vs. autoplay
Autorun.inf
Types of removable media
Risks with autorun
Known Threats using Autorun
Solutions for disabling autorun
Testing
Overview
Autorun was created by Microsoft as a convenience feature that lets removable media automatically start a program when the media is inserted. Autorun applies to removable media such as CDs, DVDs and USB memory sticks.
This feature poses a serious security risk because it allows worms and Trojans to spread with very little interaction from the end user, and there has been an increase in malware using the autorun feature.
This technical report defines what autorun is, identifies the risks associated with it and proposes mitigation strategies.
Autorun vs. autoplay
Even though autorun and autoplay are terms that are often used interchangeably, they have different functions.
Autorun
Autorun was introduced by Microsoft in Windows 95. It is used to start programs automatically when removable media is inserted into a computer. The autorun.inf file is stored in the root directory of the removable device and is processed when the device is connected to the computer.
Autoplay
Autoplay was introduced by Microsoft in Windows XP. This feature lets you choose which program to use for different types of media. For example, if there is more than one media player installed on a computer, autoplay asks the user which media player to use.
Autoplay is different from autorun: when you insert media that uses autorun, autoplay is the component that asks you to choose the action to perform.
Autorun.inf
Autorun.inf is the instruction file for the autorun feature. This simple text-based configuration file contains instructions for the operating system. It could include instructions such as what executable to start, icons to use and any additional contextual menu commands to make available. When a computer detects a removable device, it searches for the autorun.inf file located at the root of the device for further instructions.
Types of removable media
USB memory sticks
USB (universal serial bus) memory sticks, or flash drives, are storage devices that plug into a USB port. They are commonly used for storing data to be easily transferred between computer workstations. USB sticks are one of the most widely used removable media.
U3 Drives
U3 drives, or "smart drives," are USB sticks with a pre-installed launch pad that is set to autoplay upon insertion. This launch pad resembles the Windows Start menu and can run programs entirely from the USB drive without leaving any trace of programs or data on the host computer. U3 drives do not need administrator rights to run on a computer and most come with their own virus protection software.
U3 drives are unusual in that they present two drives: one is a read-only CD-ROM partition that holds the autorun file and the other is a standard flash drive. Both are displayed when the device is plugged into the computer.
CDs and DVDs
CDs and DVDs are storage discs for different types of data including music, movies or computer software.
External hard drives
External hard drives are a type of disk drive that connects to the computer externally via a USB port. They are used as an inexpensive way to hold or back up large amounts of data. External hard drives come pre-installed with the autorun.inf file.
MP3 players
MP3 players are portable media devices used to store and play audio files. Users can download music from the Internet to store on an MP3 player via a USB port. MP3 players are pre-installed with the autorun.inf file.
Risks with autorun
Autorun is a very attractive feature to malicious code writers because it requires very little interaction from the end user to spread the malware. The autorun.inf file is what malicious code writers use to spread worms and Trojans. The file often contains instructions telling the operating system to execute an infected file, which is also located on the removable device. Depending on the malicious code, the autorun.inf file could also include instructions to delete itself upon execution, change the icon for the file to avoid detection, or even change the contextual menu of the device to trick the user again.
For example, an infected USB stick, when plugged into a corporate computer, would infect it with the worm it is carrying. This infected computer would then scan for all removable drives to also infect them. The corporate network could be infected in less than one second, usually without the end user's knowledge. As well, a new USB stick plugged into this infected computer would also become infected.
Once a system is infected, there are several actions the malware can take, depending on what it was written for. Often, it opens a connection over the Internet to a pre-determined IP address to download further instructions, possibly a rootkit. This rootkit could then install a key logger to steal account numbers, usernames, passwords and other sensitive information.
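As an added example (not part of the CCIRC report), the following Python script parses an autorun.inf file and lists the actions, described in the Autorun.inf and Risks sections above, that the file would ask Windows to take: launching an executable, changing the drive icon and adding contextual-menu commands. The sample autorun.inf is constructed for the example and mirrors the test file described under Testing; the directive names it recognises (open, shellexecute, icon, shell, UseAutoPlay) are the documented autorun.inf keys, not all of which the report names.

```python
"""Triage an autorun.inf file: list the actions it would ask Windows to take.

Added example for this report, not a CCIRC tool. It parses the [autorun]
section with a small case-insensitive INI reader and classifies the
directives the report discusses: launching a program (open / shellexecute),
changing the drive icon (icon) and adding context-menu commands
(shell\\<verb>\\command). The autorun.inf below is constructed for the
example and mirrors the test file described under "Testing".
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_AUTORUN_INF = """\
; constructed sample for the example, not taken from a real device
[autorun]
open=setup\\launcher.exe /quiet
icon=setup\\drive.ico
label=Company Files
action=Open folder to view files
shell\\explore=&Explore
shell\\explore\\command=setup\\launcher.exe /explore
shell=explore
UseAutoPlay=1
"""


@dataclass
class AutorunReport:
    launches: List[str] = field(default_factory=list)           # programs the file asks Windows to run
    icon: Optional[str] = None                                   # replacement drive icon
    menu_commands: Dict[str, str] = field(default_factory=dict)  # context-menu verb -> command line
    default_verb: Optional[str] = None                           # verb run on double-click
    other: Dict[str, str] = field(default_factory=dict)          # label, action, UseAutoPlay, ...


def parse_autorun_inf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {section: [(key, value), ...]} with section and key names lower-cased.

    Lines starting with ';' are comments. Duplicate keys are kept in order so
    the triage shows everything the file asks for, not just the last entry.
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def triage(text: str) -> AutorunReport:
    """Classify every directive in the [autorun] section."""
    report = AutorunReport()
    for key, value in parse_autorun_inf(text).get("autorun", []):
        if key in ("open", "shellexecute"):
            report.launches.append(value)
        elif key == "icon":
            report.icon = value
        elif key == "shell":
            report.default_verb = value.lower()
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            report.menu_commands[verb] = value
        elif key.startswith("shell\\"):
            continue  # shell\<verb>=<label> is only the menu text; nothing runs from it
        else:
            report.other[key] = value
    return report


def risk_summary(report: AutorunReport) -> List[str]:
    """Findings in the order the report discusses them: launch, icon, menu."""
    findings = []
    if report.launches:
        findings.append("launches a program on insertion: " + ", ".join(report.launches))
    if report.icon:
        findings.append("changes the drive icon: " + report.icon)
    if report.menu_commands:
        verbs = ", ".join(f"{v} -> {c}" for v, c in report.menu_commands.items())
        findings.append("adds context-menu commands: " + verbs)
    if report.default_verb in report.menu_commands:
        findings.append(f"double-clicking the drive runs the '{report.default_verb}' command instead of opening it")
    if report.other.get("useautoplay") == "1":
        findings.append("UseAutoPlay=1: asks Windows to go through AutoPlay rather than run 'open' directly")
    return findings


if __name__ == "__main__":
    for line in risk_summary(triage(SAMPLE_AUTORUN_INF)):
        print("-", line)
```

Run against the autorun.inf found in the root of a suspect device, the output lists each executable the file references, which is what an analyst needs before deciding whether the referenced file warrants anti-virus submission. Duplicate keys are deliberately preserved rather than collapsed, so an autorun.inf that repeats "open" is reported in full.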
Known Threats using Autorun
Malware using the autorun.inf feature has been around for a few years now. It was just a matter of time before this type of attack became more common.
Sony BMG rootkit
In 2005, it was discovered that Sony had installed a rootkit on their music CDs that collected personal information about their users without their knowledge or consent. It also opened up security holes. The rootkit was virtually undetected by end users because it took advantage of the autorun feature. When users discovered the rootkit and tried to uninstall it, they found that it left the operating system unusable.
Digital picture frames
In early 2008, reports were surfacing on the Internet of infected digital picture frames. These factory-sealed frames shipped with a virus that was silently installed on the user's computer through an autorun.inf file. Many happy customers received these picture frames for Christmas and unknowingly installed malware on their computers. Once the story broke, all of the major retail stores recalled them.
Solutions for disabling autorun
There are several ways to prevent the autorun.inf file from being executed; however, some are more effective than others. This section will explain several mitigation strategies along with their advantages and disadvantages. CCIRC has tested these strategies and recommends only the first one.
While the solutions listed in this document work, their effectiveness relies mostly on the end user's awareness. Corporate networks can have the autorun feature disabled, but that does not stop the end user from clicking on executable files. CCIRC recommends ensuring that preventive security measures are in place, including but not limited to up-to-date anti-virus and restrictive firewall rules.
Also, please note that some solutions involve modifying some registry keys. CCIRC recommends backing up all registry keys before making any changes.
Table 1: Solutions and Recommendations

| Solution | Advantages | Disadvantages | Recommended |
|---|---|---|---|
| SYS:DoesNotExist | Effective; easy to change the registry key and apply it as a group policy; does not allow any part of the autorun.inf to execute, even if the computer has seen the removable device before | Not suggested by Microsoft | Yes |
| KB953252 | Effective; easy to change the registry key and apply it as a group policy | Need to apply the update before the registry key can be changed; even after the change, it still allows parts of the autorun.inf to execute | No |
| MountPoint2 | Effective; easy to change the registry key and apply it as a group policy | Unsure of what other effects it has on the operating system | No |
| NoDriveTypeAutoRun | Easy to change the registry key and apply it as a group policy | If the computer has seen the removable media before the change has been made, MountPoint2 overrides it and executes the autorun.inf file | No |
| Shift Key | | Need to rely on the end user to remember the procedure every time removable media is used | No |
SYS:DoesNotExist
To block all autorun.inf files from executing (a change that can also be applied across a network as a group policy), perform the following steps:
- Start Notepad.
- Copy the following text and paste it into Notepad. Everything between the square brackets should be on one line.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
- Save the file with the name NoAutoRun.reg. Make sure to include the .reg extension.
- Right-click your .reg file and choose "Merge". Confirm any warning prompts to add the information to the registry. Alternatively, you can use the command "REG IMPORT NoAutoRun.reg".
- Restart the computer.
Changing this registry key prevents any part of the autorun.inf file from executing, even if the computer has seen the device before the registry change and has it cached in the MountPoint2 key. It also disables the autorun feature without causing other negative side effects. CCIRC recommends this procedure as an effective solution, especially in a corporate network.
It should be noted that CERT/CC updated their recommendations for disabling autorun to include deleting the MountPoint2 registry key along with adding SYS:DoesNotExist. This is because they found that even with the SYS:DoesNotExist key added, a cached entry in the MountPoint2 key would still override it and cause autorun to launch. Through our extensive testing, we were unable to replicate this and, as a result, CCIRC still recommends adding only the SYS:DoesNotExist registry key. CCIRC does not currently recommend deleting the MountPoint2 registry key because of the lack of information available on it.
KB953252
In September 2008, Microsoft released Knowledge Base article 953252, "How to correct 'disable Autorun registry key' enforcement in Windows". It was released because the registry setting described in TechNet article 91525 did not correctly disable autorun.
Microsoft recommends that, for autorun to be disabled, an update must first be applied to the operating system. Once the update is installed, perform the following steps:
- Click "Start", then "Run", and type "Gpedit.msc".
- Navigate to "Computer Configuration/Administrative Templates/System".
- Set the "Turn off Autoplay" policy to Enabled.
- Select "All drives".
- Restart the computer.
Please refer to the link provided for details and a full explanation of the procedures.
Even though the solution is effective, CCIRC does not recommend this as a secure solution because through testing, we found that some parts of the autorun.inf still execute such as changing the folder icon.
MountPoint2
When a computer detects a removable device, it scans the device for an autorun.inf file and then writes values describing the device into the MountPoint2 registry key. This key holds cached information on every device ever connected to the computer.
Changing the permissions on the MountPoint2 registry key prevents the autorun.inf from being executed, even if the computer has seen the removable device before. To change the permissions on the MountPoint2 registry key, perform the following steps:
- Click Start › Run and type "regedit" to open the Registry Editor.
- Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2.
- Right-click "MountPoints2" and select "Permissions".
- Click "Advanced" and uncheck "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here".
- Click "Remove", "Yes" and "OK".
Even though this solution is effective, CCIRC does not recommend it because there is limited information available regarding what the MountPoint2 registry key does and what other effects it may have on the operating system.
NoDriveTypeAutoRun
Microsoft recommends that, in order to disable the autorun feature on all removable drives, you modify the following registry value and set it to 0xFF:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Changing this registry value prevents the autorun.inf file located on any removable device from being executed.
However, if the computer saw the removable device before this registry key was changed, then all of the information from the removable device was cached in the MountPoint2 registry key. When the removable device is used after the registry change, the MountPoint2 key will override the NoDriveTypeAutoRun value, which will result in the autorun.inf being executed.
CCIRC does not recommend this solution. We tested it on an operating system that had not seen the removable device before and found that parts of the autorun.inf file were still executed. Even though the NoDriveTypeAutoRun registry change prevented the malware from spreading, the autorun.inf on the removable drive still changed the contextual menu and the drive icon.
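As an added example (not CCIRC's tool), the following Python script audits a registry export for the two registry-based mitigations discussed above, SYS:DoesNotExist and NoDriveTypeAutoRun. It checks that the IniFileMapping\Autorun.inf default value is "@SYS:DoesNotExist" and decodes the NoDriveTypeAutoRun bitmask into the drive types it covers, so an administrator can confirm that a value of 0xFF actually reached a machine rather than the lower value the policy may have been left at. The export text is constructed for the example (the 0x91 value is a constructed pre-hardening example, not a measured default); the bit meanings follow Microsoft's documented convention that bit n of NoDriveTypeAutoRun corresponds to GetDriveType() result n.

```python
"""Audit a registry export for the autorun mitigations discussed in this report.

Added example, not a CCIRC tool. It parses the subset of the .reg export
format needed here (key headers, default values, string and dword values),
checks whether the IniFileMapping\\Autorun.inf mapping is "@SYS:DoesNotExist",
and decodes NoDriveTypeAutoRun into the drive types it covers. The export
text below is constructed for the example; on a real system the same text
comes from "reg export HKLM\\SOFTWARE out.reg" run from an elevated prompt.
"""
from __future__ import annotations
import re
from typing import Dict, List, Optional, Union

RegValue = Union[str, int]

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

INIFILEMAPPING_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
POLICIES_EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Bit n of NoDriveTypeAutoRun disables autorun for GetDriveType() result n;
# 0xFF, the value the report cites, sets every bit.
DRIVE_TYPE_BITS = [
    (0x01, "unknown"), (0x02, "no_root_dir"), (0x04, "removable"), (0x08, "fixed"),
    (0x10, "remote"), (0x20, "cdrom"), (0x40, "ramdisk"), (0x80, "reserved"),
]


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Return {key_path_lower: {value_name_lower: value}}; '@' is the default value.

    Registry paths and value names are case-insensitive, so both are lower-cased.
    Only REG_SZ ("...") and REG_DWORD (dword:hex) values are decoded.
    """
    keys: Dict[str, Dict[str, RegValue]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1].lower()
        data = m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg escapes backslash and double quote with a backslash
            keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def decode_nodrivetypeautorun(value: int) -> List[str]:
    """Names of the drive types for which this bitmask disables autorun."""
    return [name for bit, name in DRIVE_TYPE_BITS if value & bit]


def audit_autorun_mitigations(keys: Dict[str, Dict[str, RegValue]]) -> dict:
    """Report whether the report's two registry mitigations are present."""
    mapping = keys.get(INIFILEMAPPING_KEY.lower(), {}).get("@")
    sys_dne = isinstance(mapping, str) and mapping.lower() == "@sys:doesnotexist"
    ndta = keys.get(POLICIES_EXPLORER_KEY.lower(), {}).get("nodrivetypeautorun")
    blocked = decode_nodrivetypeautorun(ndta) if isinstance(ndta, int) else []
    allowed = [name for _, name in DRIVE_TYPE_BITS if name not in blocked]
    findings = []
    if not sys_dne:
        findings.append("IniFileMapping\\Autorun.inf is not mapped to @SYS:DoesNotExist (CCIRC-recommended mitigation absent)")
    if ndta is None:
        findings.append("NoDriveTypeAutoRun policy value is not set")
    elif "removable" in allowed or "cdrom" in allowed:
        findings.append("NoDriveTypeAutoRun leaves autorun enabled on removable or CD-ROM drives")
    return {
        "sys_does_not_exist": sys_dne,
        "nodrivetypeautorun": ndta,
        "autorun_blocked_on": blocked,
        "autorun_still_allowed_on": allowed,
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit_autorun_mitigations(parse_reg_export(SAMPLE_REG_EXPORT))
    for finding in result["findings"] or ["no findings"]:
        print("-", finding)
```

The two checks are reported separately on purpose: as the report's own testing shows, a NoDriveTypeAutoRun value of 0xFF on its own still lets the contextual-menu and icon directives run, so only the IniFileMapping check corresponds to the recommended solution.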
Shift Key
The simplest way to prevent the autorun.inf file from being executed is to have users hold down the Shift key while inserting removable media. The disadvantage of this approach is that users might forget to follow the procedure each and every time.
CCIRC does not recommend this solution because it relies solely on the end user to remember. It is not a reliable security measure, especially in a corporate environment.
Testing
Extensive testing was conducted using a U3 Smart drive on Windows XP. The E drive was the CD-ROM partition and the F drive was the standard flash drive. We configured the autorun.inf file so that, if it executed, it would add entries to the contextual menu and change the drive icon. Tables 2 and 3 below summarize our findings.
Table 2: Results for a U3 drive that has not been previously seen by the computer

| Recommendation | Executable specified in autorun.inf was launched | Autoplay window was launched | Contextual menu was changed | Drive icon was changed |
|---|---|---|---|---|
| SYS:DoesNotExist | No | No | No | No |
| KB953252 | No | No | No | Both were changed |
| MountPoint2 | No | Yes | No | Both were changed |
| NoDriveTypeAutoRun | No | No | Both were changed | Both were changed |
| Shift Key | No | No | Both were changed | Both were changed |

"Both" refers to the E (CD-ROM) and F (flash) drives of the U3 device.
Table 3: Results for a U3 drive that was previously seen by the computer

| Recommendation | Executable specified in autorun.inf was launched | Autoplay window was launched | Contextual menu was changed | Drive icon was changed |
|---|---|---|---|---|
| SYS:DoesNotExist | No | No | No | No |
| KB953252 | No | No | No | Both were changed |
| MountPoint2 | No | Yes | No | Both were changed |
| NoDriveTypeAutoRun | No | No | Only for the F drive | Both were changed |
| Shift Key | Yes | Yes | Both were changed | Both were changed |

"Both" refers to the E (CD-ROM) and F (flash) drives of the U3 device.
References
- Windows Help: http://windowshelp.microsoft.com/Windows/en-us/help/a19ac945-1007-4638-9615-e2c3bfd92b751033.mspx
- Examples of autorun.inf commands can be found at the following link: http://autorun.moonvalley.com/autoruninf.htm
- Wikipedia, 2005 Sony BMG CD copy prevention scandal: http://en.wikipedia.org/wiki/2005_Sony_BMG_CD_copy_prevention_scandal
- SANS Internet Storm Center diary: http://isc.sans.org/diary.html?storyid=3787
- Windows Secrets, "One quick trick prevents Autorun attacks": http://www.windowssecrets.com/2007/11/08/02-One-quick-trick-prevents-Autorun-attacks
- CERT/CC blog, "The dangers of Windows AutoRun": http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html
- Microsoft Knowledge Base article 953252: http://support.microsoft.com/kb/953252
- Microsoft TechNet registry entry 91525: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx?mfr=true
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For urgent matters or to report any incidents, please contact the GOC at:
Phone: 613-991-7000
Fax: 613-996-0995
Secure Fax: 613-991-7094
Email: goc-cog@ps-sp.gc.ca
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca