Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:15 PM
Connect Directly

Microsoft Alters Windows AutoRun Amid Conficker Concerns

As Conficker shows no signs of going away, software giant makes worm tougher to spread via USB

It took a high-profile malware attack that can spread via USB drives to prompt Microsoft to disable the automatic AutoRun function for USB-type removable devices in Windows 7, XP, and Vista.

Microsoft yesterday announced that its AutoPlay function will no longer support AutoRun for USB drives, citing the infamous Conficker worm's spread via infected USB drives. So the program no longer runs from the dialog box for USB sticks, SIM cards, and external drives; only CDs and DVDs will continue to have this function, according to Microsoft.

Conficker used AutoRun to present a seemingly legitimate task with USB drives, such as "open folder to view files," then infecting users who fell for it and inadvertently installed the malware off the USB. Microsoft says 17.7 percent of infections in the second half of 2008 were from malware that can spread via AutoRun.

Meanwhile, Conficker is still alive and well, albeit fairly quietly. The latest count by ESET has around 2 million machines infected with some variant of Conficker. Researchers at Vietnamese firm Bkis says there are 750,000 machines worldwide infected with the Conficker.C variant, and that it expects these machines to continue "phoning home" for instructions beyond May 3, the date when the update that began in April is supposed to be disabled.

So will disabling AutoRun actually slow Conficker's spread? "By disabling the AutoRun feature, the malware will not infect computers when an infected drive is plugged in. On the other hand, the AutoRun feature is only one of the infection vectors used by Conficker," says Pierre-Marc Bureau, a senior researcher with ESET. "Disabling this feature will not solve the Conficker problem. Users have to patch their systems and use up-to-date antivirus to protect themselves."

Randy Abrams, director of technical education for ESET and a former Microsoft security technician, says the changes to AutoRun are long overdue, and Conficker gave the software giant a good PR opportunity to fix it. "This 'AutoInfect' was Microsoft's longest-standing unpatched vulnerability," Abrams says. "It's been a serious problem even before Conficker."

AutoRun was initially developed as a convenience and ease-of-use function for users who don't know how to install software, for instance, and later was extended to USBs and other external media, Abrams says.

The new Release Candidate Windows 7 version, which was available to developers today and will be released to the general public next week, will come with this more secure AutoRun functionality. Microsoft also plans to fix AutoRun in future release updates for XP and Vista.

Conficker, meanwhile, has been spotted during the past few weeks updating a limited number of infected machines with a spam module, which researchers say is a variant of the Waledac malware. (Waledac is the reinvented Storm botnet) "It is possible that part of the Conficker botnet was rented to the Waledac gang or that they are collaborating in another way," Bureau says. And the first variant of Conficker attempted to install rogue antivirus software on the bots, but never finished the task, he says.

No one knows for sure what the Conficker gang will do next, but most researchers agree the botnet has been testing its capabilities. Paul Ferguson, advanced threats researcher for Trend Micro, says they could be testing which operations are more lucrative financially, for instance.

Johannes Ullrich, director of SANS Internet Storm Center, said last week during a SANS panel at the RSA Conference that Conficker may be a testbed infrastructure of sorts: "In my opinion, Conficker was a little bit of a research project," Ullrich said.

All of the publicity and hype over Conficker earlier this month did help, however, because it raised awareness to get many infected machines cleaned up, experts say. But there are still plenty that haven't been disinfected and patched.

"As long as there will be vulnerable hosts, the Conficker botnet will be able to grow," ESET's Bureau says. "We think that the operators of Conficker are waiting for media attention to decrease before they do their next move. They are working hard to remain in control of infected hosts by disabling network connectivity to security vendor servers and protecting their code in memory. Their operation is well-planned, and they will not let the botnet they have built fade away with time."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jim, stop pretending you're drowning in tickets."
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-16
Information disclosure in PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier may allow for an authenticated user with read-only privileges to extract the API key of the device and/or the username/password from the XML API (in PAN-OS) and p...
PUBLISHED: 2019-07-16
Command injection in PAN-0S 9.0.2 and earlier may allow an authenticated attacker to gain access to a remote shell in PAN-OS, and potentially run with the escalated user?s permissions.
PUBLISHED: 2019-07-16
A Denial of Service vulnerability in the ImageNow Server service in Hyland Perceptive Content Server before 7.1.5 allows an attacker to crash the service via a TCP connection.
PUBLISHED: 2019-07-16
Quake3e < 5ed740d is affected by: Buffer Overflow. The impact is: Possible code execution and denial of service. The component is: Argument string creation.
PUBLISHED: 2019-07-16
UPX 3.95 is affected by: Integer Overflow. The impact is: attacker can cause a denial of service. The component is: src/p_lx_elf.cpp PackLinuxElf32::PackLinuxElf32help1() Line 262. The attack vector is: the victim must open a specially crafted ELF file.