• Home
  • Report an Incident
  • Read Bulletins
  • Discuss Viruses
• Articles & Guides
  • For Everyone
  • For Sysadmins
  • For IT Managers
  • Recent Articles
• Resources
  • External Advisories
  • Vendor Information
  • Further Reading
• Tools
  • Network Scanner
  • Web Scanner
  • Certificate Authority
• Training
  • LSP Services
  • Unix Systems Support Group
  • Windows: End-User Security
  • Awareness and Education
  • SANS Partnership Series
• About
  • Contact Information
  • ITSO Staff
  • Mission Statement
  • Recent Changes
  • Site Index
  • Colophon
• Search

Disable Autorun

Before the Internet was popular and commonplace, the primary method of transferring information from one computer to another was via floppy disk. Disks, which were passed from person to person and computer to computer all time time, had a little switch you could open or close to mark the disk write-protected or write-enabled. Viruses were frequently copied onto these disks and programmed to run automatically when they were inserted into a new computer. Over time, popularity of this type of virus waned as CD-ROMs replaced floppy disks and the Internet proved to be much faster anyway.

Fast forward to the present day: the Internet is big and fast but is recognized as an obvious entry point for viruses. Microsoft puts increasing restrictions (or protective measures, depending on your point of view) on Internet Explorer. Meanwhile, inexpensive writable USB thumb drives have become ubiquitous -- often given away by vendors. In addition, iPods and other mp3 players offer vast amounts of storage at a reasonable price. As it turns out, virus writers have noticed this trend and are taking advantage.

At the University, a recent incident has brought this issue to the forefront. A server administrator was using Identify Finder to scan a server for sensitive data. The administrator mapped a drive to a file server and shortly after the local firewall and antispyware programs began alerting to outbound Internet connections and registry changes.

Now alerted that something was wrong, the system administrator began searching and discovered a autorun.inf file on the root of the share that was previously mapped for scanning. The autorun.inf started an autorun.exe that turned out to be a trojan that was not recognized by Symantec Antivirus. The system administrator contacted the University Information Security Office at it-incident@iu.edu. Working with the system administrator, we searched for other compromised computers and submitted a virus sample to Symantec, who quickly released a virus definition update that recognizes the Trojan W32.SillyFDC.

Since that time, more worms include the ability to spread in the same manner. The highly publicized Conficker worm, for example, can spread from a USB drive to a computer automatically using Autorun.

There are three things a system administrator can do to prevent this situation. They are all listed in the Microsoft KB document 967715.

1. Disable the autorun feature on your computer. This means that CDs and USB devices will not autoplay when inserted and you will not be prompted for action every time any device is connected to the computer.
2. Prevent autorun.inf creation on file shares. Do not allow users to write to the root of file shares. Instead create a folder structure inside the share for users.
3. Prevent use of USB devices on computers. With group policy you can easily prevent USB devices from mounting on Windows computers. With a little more work, you can also allow pre-approved devices. This will help stop the spread of any virus through USB devices since the devices themselves will no longer work on these computer.