Disabling AutoRun could block a Conficker attack


Removing AutoRun could help block a Conficker attack vector and prevent other threats from automatically infecting computers.

Randy Abrams, director of technical education at ESET, described AutoRun as the ‘longest standing unpatched Microsoft vulnerability’ that Microsoft calls a ‘feature’.


Abrams explained that AutoRun allows a computer to be run by a person with no knowledge of IT: when removable media is inserted, Windows automatically looks for a file called ‘autorun.inf’ and, if it is there, does what the file says to do.

This means that a user who doesn't have the know-how to double-click on setup.exe can just put in a CD or USB key and the program will run itself.
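To check removable media for this behaviour before it is plugged into a Windows machine, the following added example (not from the article or from ESET) reads a volume's autorun.inf and reports the entries that would launch a program. The directive names follow Microsoft's documented autorun.inf format; the function names and sample file contents are constructed for illustration.

```python
import os
import re

# [autorun] directives that name a program for Windows to launch.
# They come from the documented autorun.inf format, not from the article.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed samples: one volume with cosmetic entries only, one with launchers.
SAMPLE_LABEL_ONLY = "[autorun]\nicon=logo.ico\nlabel=Photos\n"
SAMPLE_LAUNCHER = ("; constructed sample\ngarbage line without meaning\n"
                   "[AutoRun]\nOpen = setup.exe /quiet\n"
                   "shell\\install\\command=setup.exe\nicon=setup.exe,0\n")

def decode(data):
    """autorun.inf is usually ANSI but may be UTF-16 with a byte-order mark."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")

def audit_autorun(text):
    """Return (key, command) pairs from [autorun] that would launch a program."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # tolerate junk lines and other sections
        key, value = line.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if value and (key in EXEC_KEYS or SHELL_CMD.match(key)):
            findings.append((key, value))
    return findings

def audit_drive(root):
    """Audit the autorun.inf (any letter case) in a volume's root directory."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "rb") as fh:
                return audit_autorun(decode(fh.read()))
    return []

if __name__ == "__main__":
    import sys
    for key, cmd in audit_drive(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"auto-launch directive: {key} -> {cmd}")
```

An empty result means the file only sets cosmetic values such as an icon or label; any reported entry names a command worth inspecting before the media is trusted.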

Abrams said: "The problem is that the bad guys know that and often use AutoRun to install malicious software as soon as a USB drive is plugged in. Conficker exploits this as well.

"In 2008 more than one out of every 15 threats we detected were using autorun.inf to help infect users. In January, nearly one out of every 10 threats we detected at ESET used AutoRun.

"Microsoft does not provide a truly effective solution for disabling AutoRun and the partial solution they suggest is cumbersome."

Abrams explained that fixing this requires creating a registry key, which involves saving the file as plain text, not as a document, and it must have the .reg extension. Alternatively, you can create the registry key by hand.

Abrams said: "The Microsoft solution is ineffective and breaks Windows Media Player. When you use Microsoft's solution, each time you change a CD for Media Player you have to close and re-open Windows Media Player for it to recognise the new disk. With the solution I am suggesting Windows Media Player still recognises when you change a disk."
