As some of our readers are well aware, Conficker and other malware are taking advantage of the AutoRun functionality as a spreading mechanism. Furthermore, over the last couple of months, there has been a significant increase in this threat, as more malware is abusing this functionality. Further information about this specific threat has been highlighted in the recent Security Intelligence Report (look for Win32/AutoRun) and the Microsoft Malware Protection Center (MMPC) blog.

Background

Before going into the specific changes, it is important to understand the difference between AutoRun and AutoPlay:

  • AutoRun is a technology used to start some programs automatically when a CD or another media is inserted into a computer. The main purpose of AutoRun is to provide a software response to hardware actions that a user starts on a computer.
  • AutoPlay is a Windows feature that lets a user select which program starts when a specific type of media, such as music CDs, or DVDs containing photos, is inserted. During AutoPlay, the Autorun.inf file from the media is also parsed. This file (if available) specifies additional commands that will be displayed in the AutoPlay menu. Many companies use this functionality to help initiate their installers.

Changes

In order to help prevent malware (such as Conficker) from spreading through the AutoRun mechanism, the Windows 7 engineering team made two important changes to the product:

  1. AutoPlay will no longer support the AutoRun functionality for non-optical removable media. In other words, AutoPlay will still work for CD/DVDs but it will no longer work for USB drives. For example, if an infected USB drive is inserted into a machine, the AutoRun task will not be displayed. This will block the increasing social engineering threat highlighted in the SIR. The dialogs below highlight the difference that users will see after this change. Before the change, the malware leverages AutoRun (boxed in red) to confuse the user. After the change, AutoRun will no longer work, so the AutoPlay options are safe.
    [Images: the AutoPlay dialog before the change and after the change]
  2. The dialog was changed to clarify that the program being executed is running from external media.
    [Images: the dialog before the change and after the change]

It is worth noting that some smart USB flash drives can pose as a CD/DVD drive instead of a standard removable drive (see http://en.wikipedia.org/wiki/U3 for an example). In this specific scenario, the operating system will treat the USB drive as if it is a CD/DVD because the type of the device is determined at the hardware level.
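
The rule in change 1 and the caveat above can be written down as a small audit check. The following is an added example, not Microsoft code: a simplified model that parses an Autorun.inf and reports whether its AutoRun task would be offered in AutoPlay. The function names, the `optical`/`removable` labels and the sample file are assumptions made for illustration.

```python
# Added example (not Microsoft code): simplified model of the AutoPlay rule above.

def parse_autorun(text):
    """Return the [autorun] section of an Autorun.inf as {lowercased key: value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_commands(entries):
    """Entries that name a program to start: open, shellexecute, shell\\<verb>\\command."""
    return {k: v for k, v in entries.items()
            if v and (k in ("open", "shellexecute")
                      or (k.startswith("shell\\") and k.endswith("\\command")))}

def autorun_task_shown(media, entries, win7_change=True):
    """media is what the hardware reports: 'optical' or 'removable' (assumed labels)."""
    if media not in ("optical", "removable"):
        raise ValueError("unknown media type: %r" % media)
    if not launch_commands(entries):
        return False                                   # nothing to offer
    return media == "optical" or not win7_change

# Constructed sample, not taken from real media.
SAMPLE = """\
; constructed sample
[AutoRun]
Open = setup.exe
Action = Install Example Suite
Icon = setup.exe,0
"""

if __name__ == "__main__":
    entries = parse_autorun(SAMPLE)
    print("launch entries:", launch_commands(entries))
    for media in ("removable", "optical"):
        for changed in (False, True):
            print(media, "with change" if changed else "before change",
                  "->", autorun_task_shown(media, entries, changed))
```

A USB drive that presents itself as a CD/DVD counts as `optical` in this model, which is why the check must use the device type the hardware reports rather than the physical form of the drive.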

For further information please visit the Windows 7 blog.

This change is available in the RC build of Windows 7. We are planning on making this change available on Windows Vista and Windows XP, so that the rest of our customers can benefit from these changes as well.

Thanks,

Damian Hasse – MSRC Engineering Blogger

Updated on 4/28: Change text to "non-optical removable media" instead of "non removable optical media"

*Postings are provided "AS IS" with no warranties, and confers no rights.*