Fatma Bazargan’s blog


Autorun-Based Malware: Detection, Prevention and Cure
November 24, 2008, 10:15 am
Filed under: Security


I’m sure most InfoSec folks are aware of the autorun.inf malware that was so popular in late 2007, when it was noticed that most of the removable data storage devices purchased, such as pendrives, CDs, USB sticks, iPods, etc., were shipped with the autorun.inf malware already on them.

In a recent news article the US Strategic Commander banned the use of removable data storage devices within the military, ranging from USB drives to floppy disks, in order to stop the propagation of the autorun.inf malware within the network. That said, I think we would all agree that taking the right steps to prevent this kind of infection is better than banning the use of a technology altogether!

I simply see the autorun.inf malware as an interestingly smart piece of malware, since it has some very interesting characteristics:

  • First of all, whoever crafted it is fully aware that removable drives are heavily used, so the malware infects as much of the user community as possible.
  • One of its many characteristics is that the autorun.inf malware spreads by copying itself into the root directory of every hard drive on your local computer and onto removable data storage devices such as thumb drives, or the cables that connect your mobile phone, iPod, etc.
  • It then creates an autorun.inf file in the root directory of every hard drive and removable data storage device.
  • Interestingly enough, if the computer infected with the autorun.inf malware has a shared network drive, “guess what!”, the autorun.inf malware infects the shared network drive and propagates from there to the rest of the computers on the network. “I actually love this part! Try it in the lab, you’ll see wonders of propagation!” :)
  • More to come: it not only spreads itself, it also helps propagate malicious payloads such as a backdoor or a password stealer. “Nasty!”

So, how can you detect and prevent the autorun.inf malware?

  • On a technical note, you can prevent this by disabling the AutoRun feature in Windows on your personal workstation through the Registry Editor: simply copy and paste the below into Notepad, save it as NoAutoRun.reg on the desktop, then right-click it and select Merge.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

  • Or disable it through the Domain Policy Editor in the Active Directory for your organization.
  • Alternatively, you can simply create an Autorun.inf placeholder in each of the root directories. How?
    • WinKey + R -> CMD -> CD\ -> MD C:\autorun.inf -> do the same for all your drives, and don’t forget all the connected media drives such as USB sticks, etc. (MD creates a folder named autorun.inf; with a folder already occupying that name, the malware cannot drop its own autorun.inf file there.) Now, the interesting part: if you fail to create autorun.inf on any of the drives, then most probably you are infected already. :(
  • On a more educational and awareness note of prevention: be an InfoSec Awareness Agent and spread the word to your family, friends, colleagues and workmates about the best way to use removable drives and the safe steps to secure your personal workstation from being infected with the autorun.inf malware.

So, how can you clean the autorun.inf malware infection? (This will not fully work with all the different autorun.inf malware variants; the below is more of a generic procedure.)

  • Restart your computer into Safe Mode with Command Prompt (F8), then type:
  • CD\ -> DIR /AH -> TYPE autorun.inf (here you will see the .exe carrier referenced by the autorun.inf file; note it down)
  • Type ATTRIB -H -R -S autorun.inf -> DEL autorun.inf (this unhides the file and then lets you delete it)
  • Repeat this for all the other connected drives.
  • Now, to make sure the carrier of the autorun.inf file will not run when you start up again, you need to disable it:
  • At the command prompt type MSCONFIG -> you will see the System Configuration Utility
  • Once you spot the suspected .exe carrier, UNCHECK it -> this disables it so it will not run again at startup
  • Finally, when recovering from such “devastative-propagative-nasty-malware” I usually reinstall the antivirus program from scratch and update it; you never know what effect the nasty malware had on the poor anti-virus!
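The drive-root checks from both lists above (the MD autorun.inf placeholder, and reading autorun.inf to find the .exe carrier before deleting it), as an added example that is not part of the original post: it extracts the open=, shellexecute= and shell\<verb>\command= entries that AutoRun would launch, tolerating the junk lines infected files carry, and classifies a drive root as clean, protected or suspicious. The autorun.inf contents and the drive layout it builds under a temp directory are constructed for illustration.

```python
# Added example (not from the original post); sample contents below are constructed.
import os
import tempfile
LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that make AutoRun launch a program

def parse_autorun(text):
    """Tolerant [autorun] parse: junk lines (common in infected files) are skipped, not fatal."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def carrier_executables(entries):
    """Programs AutoRun would launch: the '.exe carrier' the post says to note down."""
    found = []
    for key, value in entries.items():
        is_shell_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if (key in LAUNCH_KEYS or is_shell_cmd) and value not in found:
            found.append(value)
    return found

def classify_root(root):
    """clean (absent) / protected (MD placeholder folder) / suspicious (names a carrier) / inert."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "clean", []
    if os.path.isdir(path):
        return "protected", []
    with open(path, "r", errors="replace") as f:
        carriers = carrier_executables(parse_autorun(f.read()))
    return ("suspicious" if carriers else "inert"), carriers

# Constructed sample; the random lines mimic the padding seen in infected autorun.inf files.
SAMPLE_INFECTED = ("[AutoRun]\nxq9jz\nopen=RECYCLER\\carrier.exe\n"
                   "shell\\open\\Command=RECYCLER\\carrier.exe\nzk\nicon=shell32.dll,4\n")

def demo():
    """Lay out three constructed drive roots under a temp dir and classify each one."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "protected", "autorun.inf"))  # the MD trick
        os.mkdir(os.path.join(base, "infected"))
        with open(os.path.join(base, "infected", "autorun.inf"), "w") as f:
            f.write(SAMPLE_INFECTED)
        for name in ("clean", "protected", "infected"):  # "clean" is never created
            results[name] = classify_root(os.path.join(base, name))
    return results
```

On a real machine, call classify_root on each drive root (C:\, D:\, the USB drive letter) from the Safe Mode command prompt described above; the carriers it returns are the entries to look for in MSCONFIG.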

Safe USB’ng;

Fatma Bazargan

1 Comment so far

[…] sure you all remember my previous post about the Autorun-Based Malware, where I have mentioned how it works and what some of the workarounds can be. We all know that […]

Pingback by Ninja(ing)! « Fatma Bazargan’s blog
