Dark Reading

It took a high-profile malware attack that can spread via USB drives to prompt Microsoft to disable the automatic AutoRun function for USB-type removable devices in Windows 7, XP, and Vista.

Microsoft yesterday announced that its AutoPlay function will no longer support AutoRun for USB drives, citing the infamous Conficker worm's spread via infected USB drives. So the program no longer runs from the dialog box for USB sticks, SIM cards, and external drives; only CDs and DVDs will continue to have this function, according to Microsoft.

Conficker used AutoRun to present a seemingly legitimate task with USB drives, such as "open folder to view files," then infecting users who fell for it and inadvertently installed the malware off the USB. Microsoft says 17.7 percent of infections in the second half of 2008 were from malware that can spread via AutoRun.

Meanwhile, Conficker is still alive and well, albeit fairly quietly. The latest count by ESET has around 2 million machines infected with some variant of Conficker. Researchers at Vietnamese firm Bkis says there are 750,000 machines worldwide infected with the Conficker.C variant, and that it expects these machines to continue "phoning home" for instructions beyond May 3, the date when the update that began in April is supposed to be disabled.

So will disabling AutoRun actually slow Conficker's spread? "By disabling the AutoRun feature, the malware will not infect computers when an infected drive is plugged in. On the other hand, the AutoRun feature is only one of the infection vectors used by Conficker," says Pierre-Marc Bureau, a senior researcher with ESET. "Disabling this feature will not solve the Conficker problem. Users have to patch their systems and use up-to-date antivirus to protect themselves."

Randy Abrams, director of technical education for ESET and a former Microsoft security technician, says the changes to AutoRun are long overdue, and Conficker gave the software giant a good PR opportunity to fix it. "This 'AutoInfect' was Microsoft's longest-standing unpatched vulnerability," Abrams says. "It's been a serious problem even before Conficker."

AutoRun was initially developed as a convenience and ease-of-use function for users who don't know how to install software, for instance, and later was extended to USBs and other external media, Abrams says.

The new Release Candidate Windows 7 version, which was available to developers today and will be released to the general public next week, will come with this more secure AutoRun functionality. Microsoft also plans to fix AutoRun in future release updates for XP and Vista.

Conficker, meanwhile, has been spotted during the past few weeks updating a limited number of infected machines with a spam module, which researchers say is a variant of the Waledac malware. (Waledac is the reinvented Storm botnet) "It is possible that part of the Conficker botnet was rented to the Waledac gang or that they are collaborating in another way," Bureau says. And the first variant of Conficker attempted to install rogue antivirus software on the bots, but never finished the task, he says.

No one knows for sure what the Conficker gang will do next, but most researchers agree the botnet has been testing its capabilities. Paul Ferguson, advanced threats researcher for Trend Micro, says they could be testing which operations are more lucrative financially, for instance.

Johannes Ullrich, director of SANS Internet Storm Center, said last week during a SANS panel at the RSA Conference that Conficker may be a testbed infrastructure of sorts: "In my opinion, Conficker was a little bit of a research project," Ullrich said.

All of the publicity and hype over Conficker earlier this month did help, however, because it raised awareness to get many infected machines cleaned up, experts say. But there are still plenty that haven't been disinfected and patched.

"As long as there will be vulnerable hosts, the Conficker botnet will be able to grow," ESET's Bureau says. "We think that the operators of Conficker are waiting for media attention to decrease before they do their next move. They are working hard to remain in control of infected hosts by disabling network connectivity to security vendor servers and protecting their code in memory. Their operation is well-planned, and they will not let the botnet they have built fade away with time."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.