Windows AutoRun/AutoPlay and the autorun.inf file
Back in the days of Windows 95, Microsoft introduced the feature called “AutoRun”. It was intended for CDs and made it possible for a CD to play or start a program automatically. The actions to be taken when a CD was inserted were determined by parsing a file in the root of the CD that was called “autorun.inf”. (INF files are a type of text file used in a variety of Windows installation processes.) As USB flash drives became popular, AutoRun was extended to include other types of removable media as well as CD/DVDs. Windows XP and beyond also introduced AutoPlay.
AutoRun (and AutoPlay) was intended as a convenience but like some other Windows “conveniences” it also created a security problem as mentioned in a previous post. Furthermore, as discussed before, the procedures originally given by Microsoft to disable AutoRun did not work properly. Here is what Wikipedia has to say:
There has been a long standing issue with Windows failing to handle AutoRun-relevant Registry entries properly.
When AutoRun is disabled Windows should not proceed further through the activation sequence than the Registry check. However, it parses any autorun.inf found and does everything except the final action to invoke AutoPlay or execute an application.
This leaves the user open to attack from malware which uses the autorun.inf to alter the double-click and contextual menu behaviours. Double clicking the drive icon will infect the machine. Right Clicking and selecting the “Explore” or “Open” options from the context menu is not a workaround as these menu items can be coopted by the appropriate autorun.inf entries.
This bug has been fixed in security updates issued in July 2008. For Windows Vista and Windows Server 2008 the relevant Knowledge Base Article is 950582 with further details in the security bulletin itself.
For Windows XP, Windows Server 2003 and Windows 2000 the relevant Knowledge Base Article is 953252 with details and links to the OS specific patches available from that page. Windows 95 and Windows 98 are not affected.
Note that an unwary user can still trigger malware on a USB stick by clicking on an entry in the AutoPlay window that may pop up when a USB stick is inserted. I have discussed disabling AutoPlay in an earlier post. The figure below is an example of an AutoPlay dialog.

Since the autorun.inf file is where malware writers can plant instructions to run their programs, it is worth seeing what one looks like. It is a text file and can be read in Notepad. It can contain various entries but a simple version is shown below. This file would automatically run a file “setup.exe” located on the removable media when it was inserted.
[autorun]
open="setup.exe"
shell\open\command="setup.exe"
useautoplay=1
The file may also contain commands to add entries to the right-click menu or other commands. For more details you can consult this link or Wikipedia.
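To check a removable drive's autorun.inf before trusting it, the sketch below (an added example, not from the original post) parses the [autorun] section and lists every entry that can start a program, including the remapped right-click verbs described in the Wikipedia excerpt. The function names and the sample text are constructed for illustration; `shellexecute` and `shell` are autorun.inf keys not shown in the post's sample.

```python
import re

# Keys in the [autorun] section that name a program or command to launch.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command entries attach a command to a context-menu verb.
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")

def parse_autorun(text):
    """Return the [autorun] section as (key, value) pairs, keys lower-cased."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip().strip('"')))
    return entries

def audit_autorun(text):
    """List the entries that can start a program, with the trigger for each."""
    findings = []
    for key, value in parse_autorun(text):
        verb = VERB_COMMAND.match(key)
        if key in EXEC_KEYS:
            findings.append((key, value, "launched when AutoRun fires"))
        elif verb:
            findings.append((key, value, f"runs from context-menu verb '{verb.group(1)}'"))
        elif key == "shell":
            findings.append((key, value, "sets the default double-click verb"))
    return findings

# Constructed sample: the file shown above plus a remapped "explore" verb.
SAMPLE = """\
[AutoRun]
open="setup.exe"
shell\\open\\command="setup.exe"
shell\\explore\\command=setup.exe
useautoplay=1
"""

if __name__ == "__main__":
    for key, value, why in audit_autorun(SAMPLE):
        print(f"{key:28} -> {value:12} ({why})")
```

Any finding on a drive that is not meant to carry an installer is a reason to inspect the referenced file before opening the drive in Explorer.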