Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:15 PM
Connect Directly

Microsoft Alters Windows AutoRun Amid Conficker Concerns

As Conficker shows no signs of going away, software giant makes worm tougher to spread via USB

It took a high-profile malware attack that can spread via USB drives to prompt Microsoft to disable the automatic AutoRun function for USB-type removable devices in Windows 7, XP, and Vista.

Microsoft yesterday announced that its AutoPlay function will no longer support AutoRun for USB drives, citing the infamous Conficker worm's spread via infected USB drives. So the program no longer runs from the dialog box for USB sticks, SIM cards, and external drives; only CDs and DVDs will continue to have this function, according to Microsoft.

Conficker used AutoRun to present a seemingly legitimate task with USB drives, such as "open folder to view files," then infecting users who fell for it and inadvertently installed the malware off the USB. Microsoft says 17.7 percent of infections in the second half of 2008 were from malware that can spread via AutoRun.

Meanwhile, Conficker is still alive and well, albeit fairly quietly. The latest count by ESET has around 2 million machines infected with some variant of Conficker. Researchers at Vietnamese firm Bkis says there are 750,000 machines worldwide infected with the Conficker.C variant, and that it expects these machines to continue "phoning home" for instructions beyond May 3, the date when the update that began in April is supposed to be disabled.

So will disabling AutoRun actually slow Conficker's spread? "By disabling the AutoRun feature, the malware will not infect computers when an infected drive is plugged in. On the other hand, the AutoRun feature is only one of the infection vectors used by Conficker," says Pierre-Marc Bureau, a senior researcher with ESET. "Disabling this feature will not solve the Conficker problem. Users have to patch their systems and use up-to-date antivirus to protect themselves."

Randy Abrams, director of technical education for ESET and a former Microsoft security technician, says the changes to AutoRun are long overdue, and Conficker gave the software giant a good PR opportunity to fix it. "This 'AutoInfect' was Microsoft's longest-standing unpatched vulnerability," Abrams says. "It's been a serious problem even before Conficker."

AutoRun was initially developed as a convenience and ease-of-use function for users who don't know how to install software, for instance, and later was extended to USBs and other external media, Abrams says.

The new Release Candidate Windows 7 version, which was available to developers today and will be released to the general public next week, will come with this more secure AutoRun functionality. Microsoft also plans to fix AutoRun in future release updates for XP and Vista.

Conficker, meanwhile, has been spotted during the past few weeks updating a limited number of infected machines with a spam module, which researchers say is a variant of the Waledac malware. (Waledac is the reinvented Storm botnet) "It is possible that part of the Conficker botnet was rented to the Waledac gang or that they are collaborating in another way," Bureau says. And the first variant of Conficker attempted to install rogue antivirus software on the bots, but never finished the task, he says.

No one knows for sure what the Conficker gang will do next, but most researchers agree the botnet has been testing its capabilities. Paul Ferguson, advanced threats researcher for Trend Micro, says they could be testing which operations are more lucrative financially, for instance.

Johannes Ullrich, director of SANS Internet Storm Center, said last week during a SANS panel at the RSA Conference that Conficker may be a testbed infrastructure of sorts: "In my opinion, Conficker was a little bit of a research project," Ullrich said.

All of the publicity and hype over Conficker earlier this month did help, however, because it raised awareness to get many infected machines cleaned up, experts say. But there are still plenty that haven't been disinfected and patched.

"As long as there will be vulnerable hosts, the Conficker botnet will be able to grow," ESET's Bureau says. "We think that the operators of Conficker are waiting for media attention to decrease before they do their next move. They are working hard to remain in control of infected hosts by disabling network connectivity to security vendor servers and protecting their code in memory. Their operation is well-planned, and they will not let the botnet they have built fade away with time."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-17
Adobe Download Manager versions have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation.
PUBLISHED: 2019-10-17
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
PUBLISHED: 2019-10-17
An issue was discovered in Bitdefender BOX firmware versions before that affects the general reliability of the product. Specially crafted packets sent to the miniupnpd implementation in result in the device allocating memory without freeing it later. This behavior can cause the miniupn...
PUBLISHED: 2019-10-17
CA Performance Management 3.5.x, 3.6.x before 3.6.9, and 3.7.x before 3.7.4 have a default credential vulnerability that can allow a remote attacker to execute arbitrary commands and compromise system security.
PUBLISHED: 2019-10-17
The Deep Security Manager application (Versions 10.0, 11.0 and 12.0), when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability.