Windows Addresses the Changing AutoRun Threat Environment

AutoRun is the ability for a device, through the use of autorun.inf, to expose a set of tasks for the user to choose from when new media is inserted into the computer. The media could be a USB drive, a CD or DVD, a network drive, or anything else newly attached. The user is shown the AutoRun tasks along with other functions via the AutoPlay dialog.
About a decade ago, diskette use started to wane. Machines began to ship without diskette drives, and diskette viruses were effectively removed from the malware landscape. Today, USB media have appeared and are taking on the same role. In today's malware landscape, AutoRun malware has dramatically increased in popularity. The following chart highlights the increase in the number of different malware samples we have come across in our lab that are detected as Worm:Win32/Autorun:
Each quarter, we deal with close to a quarter million such samples.  Additionally, the WildList Organization (WLO) produces a monthly list of viruses confirmed to be spreading among worldwide users.  Their count of Worm:Win32/Autorun confirmed samples also shows a significant increase.

The numbers are smaller because the WLO has to collect, coordinate, and validate disparate contributions from many different vendors and only lists those confirmed by more than one industry contributor. But the dramatic rise is the same.
The recent Conficker worm is one of the many pieces of AutoRun malware that use this infection vector. It also uses the AutoPlay dialog itself to confuse users and trick them into picking the incorrect option. Without closely studying the difference between the two choices, users may select the first choice, which executes a copy of the worm.

Because of this rise in malware use of the AutoRun system, the Windows 7 team has taken a dramatic step to block this specific threat.
With the new changes, AutoRun entries are no longer exposed in the dialog unless the media is removable optical media (CDs/DVDs). So, if a USB drive is inserted into a machine, the AutoRun choice will no longer be shown. In addition, changes have been implemented to help clarify the actions about to be taken from the AutoPlay dialog.
We encourage you to update your systems to take advantage of this new functionality. We also hope AutoRun malware succumbs to this change in basic computer architecture, much as diskette viruses were defeated by the change in user habits.
To read more about the details of this new implementation, please see Engineering Windows 7: Improvements to AutoPlay.

-- Jimmy Kuo & Huzefa Mogri
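
The following is an added example, not code from the original post or from Windows: a small triage script that parses an autorun.inf file, lists the entries a reviewer should inspect, and models the rule described above that the AutoRun entry is only exposed for removable optical media. The sample file, the media labels `usb` and `optical`, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample; paths and label text are illustrative, not taken from a real device.
SAMPLE = r"""; constructed autorun.inf
[AutoRun]
Action = Browse files
Open = tools\setup.exe /quiet
shell\explore\command = tools\setup.exe

[Content]
MusicFiles = false
"""

def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lowercased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def findings(entries):
    """Classify entries a reviewer should inspect as (kind, key, value)."""
    out = []
    for key, value in entries.items():
        if key in ("open", "shellexecute"):
            out.append(("runs-program", key, value))
        elif re.fullmatch(r"shell\\[^\\]+\\command", key):
            out.append(("context-menu", key, value))
        elif key in ("action", "icon", "label"):
            out.append(("dialog-appearance", key, value))  # chosen by the media, not Windows
    return out

def autorun_task_shown(entries, media, windows7_change=True):
    """Model the post's rule; media labels 'usb' and 'optical' are assumed names."""
    has_task = any(kind == "runs-program" for kind, _, _ in findings(entries))
    if not has_task:
        return False
    # With the change, only removable optical media still expose the AutoRun entry.
    return media == "optical" if windows7_change else True

if __name__ == "__main__":
    parsed = parse_autorun(SAMPLE)
    for item in findings(parsed):
        print(item)
    print("usb, new behaviour:", autorun_task_shown(parsed, "usb"))
```

The `dialog-appearance` findings are the ones to read closely, because the task text and icon shown to the user come from the inserted media.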
