WARNING: USB-based malware ignoring Windows AutoRun config

DaniWeb, 2010-07-20T16:50:34+00:00
https://www.daniweb.com/hardware-and-software/information-security/news/297989/warning-usb-based-malware-ignoring-windows-autorun-config

happygeek

The good news is that security-savvy Windows users will, more than likely, have already disabled the AutoRun and AutoPlay features. The bad news is that a new zero-day vulnerability could not care less, and executes automatically anyway.

The zero-day vulnerability in question was first spotted by Sergey Ulasen, a researcher with security vendor VirusBlokAda. Talking about some new malware samples he had been analysing, he noted: "You should take into consideration that virus infects Operation System in unusual way through vulnerability in processing lnk-files (without usage of autorun.inf file). So you just have to open infected USB storage device using Microsoft Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware".

Microsoft has eventually picked up on this, yet another Windows vulnerability, and has now issued a Security Advisory (2286198) which confirms it is "investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell". The advisory goes on to state that the vulnerability exists "because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed".

According to security experts at Sophos, a new rootkit has been discovered which goes by the name of Stuxnet. It exploits this vulnerability to install itself onto even a fully patched Windows PC by running from a USB memory stick, even if the user has disabled Windows AutoRun and AutoPlay. It does, however, require the user to browse the device using Windows Explorer in order to be able to do this, rather than just executing automatically upon insertion.

"Threats such as the infamous Conficker worm have spread very successfully via USB devices in the past, but were in part reduced by disabling AutoPlay. The risk is that more malware will take advantage of the zero-day exploit used by the Stuxnet rootkit, taking things to a whole new level," says Graham Cluley, senior technology consultant at Sophos, adding "the exploit is still being analysed by the security community, but there are disturbing suggestions that the malware could be trying to access data specific to Siemens SCADA systems - software that controls national critical infrastructure".
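Because the trigger described above is a file manager rendering a shortcut's icon, one defensive check is to inventory the .lnk files on a removable volume from a script that only reads their bytes. The following is an added example, not code from the article, Microsoft or Sophos; the header constants come from Microsoft's published Shell Link binary format, the function names are hypothetical, and it lists shortcuts for analyst review rather than detecting the exploit.

```python
import struct
from pathlib import Path

# Shell Link header constants from the published Shell Link (.LNK) binary format.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x40: "HasIconLocation"}


def parse_lnk(data: bytes) -> dict:
    """Parse the fixed header and count target ID-list items; never resolves the target."""
    if len(data) < HEADER_SIZE:
        return {"valid": False, "reason": "truncated header"}
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        return {"valid": False, "reason": "not a shell link header"}
    info = {"valid": True, "flags": [n for b, n in FLAGS.items() if flags & b], "id_items": 0}
    if flags & 0x01:
        if len(data) < HEADER_SIZE + 2:
            return {"valid": False, "reason": "missing ID list"}
        (list_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
        pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + list_size
        if end > len(data):
            return {"valid": False, "reason": "ID list overruns file"}
        while pos + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:  # TerminalID marks the end of the list
                break
            if item_size < 2 or pos + item_size > end:
                return {"valid": False, "reason": "malformed ID item"}
            info["id_items"] += 1
            pos += item_size
    return info


def inventory(root: str) -> dict:
    """Map every *.lnk under root to its parsed header, reading bytes only."""
    return {str(p.relative_to(root)): parse_lnk(p.read_bytes())
            for p in sorted(Path(root).rglob("*")) if p.is_file() and p.suffix.lower() == ".lnk"}


def sample_lnk(items=(b"A" * 18, b"B" * 10)) -> bytes:
    """Constructed sample: a minimal header plus a filler ID list, not a real shortcut."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, 0x01).ljust(HEADER_SIZE, b"\0")
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\0\0"
    return header + struct.pack("<H", len(idlist)) + idlist
```

Run `inventory()` against the mounted volume or a forensic image of it; shortcuts sitting in the root of a USB stick, or any entry reported as malformed, are the ones to review before anyone opens the device in a file manager.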

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best-selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...