More than a month after the US-CERT alerted users to the problems with the instructions for disabling the AutoRun capability in Windows, Microsoft has released a fix for the AutoRun problem.
The guidance that Microsoft had given users previously didn’t completely disable the feature, which is used to enable the automatic execution of some programs. The situation became a serious problem late last year and earlier this year with the emergence of the Conficker worm. Conficker, which has spread rapidly during the last few months, takes advantage of the AutoRun feature to execute automatically on infected machines.
A number of other pieces of malware have taken advantage of this feature as well, including those that have been found on digital picture frames.
The SANS Internet Storm Center has been following the Conficker-AutoRun thread and the headaches it’s caused administrators.
This is a typical autorun.inf file created by Conficker. The social engineering trick comes from the first two keywords (Action and Icon). When you put this in a Vista machine with default settings, an Autoplay window will pop up asking you what to do, as shown below:
So, as you can see, the first part, “Install or run program” is there because Vista detected an autorun.inf file containing the shellexecute keyword. However, the text comes from the Action keyword and the icon is extracted from shell32.dll (the 4th icon in the file) – and it’s the standard folder icon!
This can easily fool a user into clicking this one and thinking it will open the USB stick in Windows Explorer instead of the second (the real one). The first option will run Conficker, of course.
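As an added example (not code from the SANS diary or this article), the following Python checker parses an autorun.inf and flags the Action/Icon/shellexecute combination described above, the way a removable-media scanner or triage script might; the sample file is constructed from those keywords and its command is a placeholder, not Conficker's.

```python
import re

# Constructed sample built from the keywords the SANS ISC diary describes
# (Action, Icon, shellexecute); the command is a placeholder, not Conficker's.
SAMPLE_AUTORUN_INF = """[autorun]
Action=Open folder to view files
Icon=%systemroot%\\system32\\shell32.dll,4
shellexecute=PLACEHOLDER_MALWARE_COMMAND
"""

EXEC_KEYS = ("open", "shellexecute")  # keys that make AutoPlay offer a "run" option
FOLDER_ICON_RE = re.compile(r"shell32\.dll\s*,\s*4\s*$", re.IGNORECASE)


def parse_autorun(text):
    """Hand-rolled parser: return the [autorun] section as {lower_key: value}.

    Tolerates junk lines (no '='), which a stock INI parser would reject."""
    keys, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def assess_autorun(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    keys = parse_autorun(text)
    findings = []
    exec_keys = [k for k in EXEC_KEYS if k in keys]
    if exec_keys:
        findings.append("run-on-insert key present: " + ", ".join(exec_keys))
        if "action" in keys:
            findings.append("run option relabelled via Action: %r" % keys["action"])
        if FOLDER_ICON_RE.search(keys.get("icon", "")):
            findings.append("run option borrows the folder icon (shell32.dll,4)")
    return findings


if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN_INF):
        print("-", finding)
```

A file with only `label=` and `icon=` keys yields no findings, so the check singles out files that both execute something and dress the run option up as a folder.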
Conficker has proven to be a serious problem, and the AutoRun feature is just one of its infection vectors. But it’s an effective one and it’s important that enterprises and home users get the Microsoft patch installed as soon as possible.