A mid-February AutoRun update has had a dramatic effect on malware infection rates on the XP and Vista platforms, reducing infections that spread via the AutoRun feature by as much as 68% across Windows platforms, according to Microsoft.
Infections via the AutoRun feature in systems running Windows XP Service Pack 1 fell by 62%. Systems running Vista Service Pack 1 saw a 68% decrease, and Vista Service Pack 2 saw an 82% decrease, Microsoft said. XP Service Pack 2 and Windows 7 saw little change, as the former is no longer supported and the latter had received a similar update at an earlier date.
AutoRun is a Windows feature that automates certain actions when external media, such as CDs, DVDs or removable drives, are inserted into Windows systems. Specific families of malware have taken advantage of the feature and used it to spread between Windows systems, typically on removable USB drives. In June 2010, mobile phone maker Samsung acknowledged that a batch of its S8500 Wave mobile phones, sold in Germany, was infected with an AutoRun virus, Win32/Heur, which was pre-loaded on a 1GB microSD memory card that shipped with the phones. That virus would spread to Windows PCs when the SD card or the phone was attached to them. The Conficker virus and the Stuxnet worm also leveraged AutoRun to spread between Windows systems.
Microsoft has been slowly rolling out changes to the feature for years. Windows 7’s AutoPlay feature eliminated features of AutoRun abused by malicious programs. The company later backported the AutoRun changes to earlier Windows platforms. In February, Microsoft issued a fix for Windows AutoRun that would disable it on Windows systems.
The latest data from Microsoft measures decreases in AutoRun infections and is based on data from Microsoft’s Malicious Software Removal Tool. Such infections refer to a ‘family’ of viruses related in that Microsoft detects AutoRun propagation behaviors in them.
The Seattle software giant claims that the infection rates on affected systems started dropping immediately after the upgrade was deployed, as the company had expected. Microsoft also saw a decrease in rates of infections on adjacent systems running the company’s Forefront Client Security, Forefront Endpoint Security, and Microsoft Security Essentials.
Of course, AutoRun is often just one of many propagation options used by malware. Microsoft’s Holly Stewart noted that, even with AutoRun disabled, Trojans can use any number of infection vectors, including downloaders, droppers, and social engineering techniques.