Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:15 PM
Connect Directly

Microsoft Alters Windows AutoRun Amid Conficker Concerns

As Conficker shows no signs of going away, software giant makes worm tougher to spread via USB

It took a high-profile malware attack that can spread via USB drives to prompt Microsoft to disable the automatic AutoRun function for USB-type removable devices in Windows 7, XP, and Vista.

Microsoft yesterday announced that its AutoPlay function will no longer support AutoRun for USB drives, citing the infamous Conficker worm's spread via infected USB drives. So the program no longer runs from the dialog box for USB sticks, SIM cards, and external drives; only CDs and DVDs will continue to have this function, according to Microsoft.

Conficker used AutoRun to present a seemingly legitimate task with USB drives, such as "open folder to view files," then infecting users who fell for it and inadvertently installed the malware off the USB. Microsoft says 17.7 percent of infections in the second half of 2008 were from malware that can spread via AutoRun.

Meanwhile, Conficker is still alive and well, albeit fairly quietly. The latest count by ESET has around 2 million machines infected with some variant of Conficker. Researchers at Vietnamese firm Bkis says there are 750,000 machines worldwide infected with the Conficker.C variant, and that it expects these machines to continue "phoning home" for instructions beyond May 3, the date when the update that began in April is supposed to be disabled.

So will disabling AutoRun actually slow Conficker's spread? "By disabling the AutoRun feature, the malware will not infect computers when an infected drive is plugged in. On the other hand, the AutoRun feature is only one of the infection vectors used by Conficker," says Pierre-Marc Bureau, a senior researcher with ESET. "Disabling this feature will not solve the Conficker problem. Users have to patch their systems and use up-to-date antivirus to protect themselves."

Randy Abrams, director of technical education for ESET and a former Microsoft security technician, says the changes to AutoRun are long overdue, and Conficker gave the software giant a good PR opportunity to fix it. "This 'AutoInfect' was Microsoft's longest-standing unpatched vulnerability," Abrams says. "It's been a serious problem even before Conficker."

AutoRun was initially developed as a convenience and ease-of-use function for users who don't know how to install software, for instance, and later was extended to USBs and other external media, Abrams says.

The new Release Candidate Windows 7 version, which was available to developers today and will be released to the general public next week, will come with this more secure AutoRun functionality. Microsoft also plans to fix AutoRun in future release updates for XP and Vista.

Conficker, meanwhile, has been spotted during the past few weeks updating a limited number of infected machines with a spam module, which researchers say is a variant of the Waledac malware. (Waledac is the reinvented Storm botnet) "It is possible that part of the Conficker botnet was rented to the Waledac gang or that they are collaborating in another way," Bureau says. And the first variant of Conficker attempted to install rogue antivirus software on the bots, but never finished the task, he says.

No one knows for sure what the Conficker gang will do next, but most researchers agree the botnet has been testing its capabilities. Paul Ferguson, advanced threats researcher for Trend Micro, says they could be testing which operations are more lucrative financially, for instance.

Johannes Ullrich, director of SANS Internet Storm Center, said last week during a SANS panel at the RSA Conference that Conficker may be a testbed infrastructure of sorts: "In my opinion, Conficker was a little bit of a research project," Ullrich said.

All of the publicity and hype over Conficker earlier this month did help, however, because it raised awareness to get many infected machines cleaned up, experts say. But there are still plenty that haven't been disinfected and patched.

"As long as there will be vulnerable hosts, the Conficker botnet will be able to grow," ESET's Bureau says. "We think that the operators of Conficker are waiting for media attention to decrease before they do their next move. They are working hard to remain in control of infected hosts by disabling network connectivity to security vendor servers and protecting their code in memory. Their operation is well-planned, and they will not let the botnet they have built fade away with time."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-22
The F-Secure AV parsing engine before 2020-02-05 allows virus-detection bypass via crafted Compression Method data in a GZIP archive. This affects versions before 17.0.605.474 (on Linux) of Cloud Protection For Salesforce, Email and Server Security, and Internet GateKeeper.
PUBLISHED: 2020-02-22
SOPlanning 1.45 allows XSS via the "Your SoPlanning url" field.
PUBLISHED: 2020-02-22
SOPlanning 1.45 allows XSS via the Name or Comment to status.php.
PUBLISHED: 2020-02-22
fauzantrif eLection 2.0 has SQL Injection via the admin/ajax/op_kandidat.php id parameter.
PUBLISHED: 2020-02-22
CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI.