US-CERT Says Microsoft's Advice On Downadup Worm Bogus

CWmike writes "Microsoft's advice on disabling Windows' 'Autorun' feature is flawed, the US Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack. US-CERT said in an alert that Microsoft's instructions on turning off Autorun are 'not fully effective' and 'could be considered a vulnerability.' The flaw in Microsoft's guidelines are important at the moment, because the 'Downadup' worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features."

Non-Windows User Here

[John+Hasler]

Is it really true that you have to edit the registry to turn off autorun? There isn't any clicky? Amazing.

Re:Non-Windows User Here

[KindMind]

The Register says that the US-CERT article is based on an old MS article, and has since updated.
There's a right and wrong way to disable Windows Autorun
How to correct "disable Autorun registry key" enforcement in Windows

Re:Non-Windows User Here

[lysergic.acid]

that doesn't really provide true protection against all AutoRun attacks.

USB/flash drive-based attacks typically work by creating an autorun.inf file that replaces the default action for that device. by default, XP would simply prompt the user with a list of AutoPlay actions to take (with the AutoRun-specified action selected) when the drive is plugged in. if you "disable" AutoRun, then that menu won't pop-up, but that is arguably more dangerous; the reason being that when the AutoPlay menu pops up the user has a chance to see that an unfamiliar action has been added/selected.

if a computer-savvy user plugs in their iPod/PSP/thumbdrive and the AutoPlay menu shows some strange new action and program icon, they are going to be suspicious. they will likely select the "Open folder to view files using Windows Explorer" action to browse the volume and probably detect the malware and autorun.inf file.

now, a typical scenario when AutoPlay is disabled is that a user will plug in an infected flash drive, open up My Computer, and proceed to double-click on the removable volume to open it for browsing. however, whether or not AutoPlay/AutoRun is enabled, an autorun.inf file can replace the default action for that volume. and this time the user has absolutely no warning (unless the malware author is dumb enough to replace the volume's icon and advertise the presence of the virus). i mean, how often do you actually right-click on a volume to select "Open" from the context menu or to check its default action? most people are in the habit of simply double-clicking on a drive icon to browse its contents.

then there's the matter of dual-filesystem flash drives. because Microsoft places the interests of the RIAA ahead of the interests of their customers, they've used AutoRun to implement a rather dangerous DRM mechanism. if CDFS is detected on any removable volume, Windows automatically assumes that it is a protected CD and will launch any program specified by autorun.inf. this functionality will work whether or not you have configured Windows to allow AutoRun or not, and you cannot bypass it by holding down the "shift" key. but that can only be expected when you have DRM that's designed to "protect" the system from its user/owner.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Even if it doesn't work...

[afidel]

The problem is the Microsoft solution doesn't really disable autorun fully because they didn't think of all codepaths by which the behavior can be launched. The solution CERT gives is beautiful in its simplicity:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Basically it just associates autorun.inf with a NULL system function as the default handler.

Re:Windows itself is a vulnerability.

[hairyfeet]

Or you could, oh I don't know, not let morons near your computer? I'm typing this on a Win2K pro machine that has been hooked to the net and running non stop for almost 9 years. In that time I have gotten zero, zip, nada, squat on the virus front. Why? Because I don't let morons on this machine, that's why.

As a PC repairman I have noticed the PEBKAC problems with Windows can nearly always be traced to one of three types. One, the "anything my friend (insert name of girlfriend) sends me has to be okay." Those can usually be dealt with by installing a decent AV and having them use webmail instead of OE. Two, the "I will click on anything that'll get me teh hot lesbos!" guy. You can usually cut down on his rate of pwnage by giving a copy of Firefox loaded with bookmarks for places like Youporn and Redtube. And three, the "I click on everything I loads off the Kazaa!" types. These are usually dumbass teenagers looking for the latest horrible pop drivel and instead clicking on "lousy_tune.mp3.exe" thinking it is their pop drivel. Putting them in a limited user account and putting a good AV to scan whatever folder they are downloading crap to usually does the trick.

The point is blaming Windows for morons is like blaming the SUV manufacturers when some woman plows through a family of five because she ran a redlight while playing with her cell phone. Stupid people will find a way to break stuff, hence why we call them stupid. If you put these types on OSX or Linux they would break just as much as they do on Windows. They would just be loading "Hot_Pron_codec.dmg" or "killer_tune.sh" instead of an .exe. It all comes back to the dancing bunny problem. The best we tech guys can do is educate where we can, and take steps like the ones listed above to minimize the damage they can do. Because I don't care which OS you give them PEBKAC problems will NEVER go away. After all this problem wouldn't exist in the first place if folks had actually bothered applying the patch the MSFT released in OCTOBER. Just further proof that they ain't exactly brain trusts we are talking about here.

Re: what's a worm?

[http]

Did nothing?? What planet were you on?
The machine took out more than a lot of mail servers, bringing them to a grinding halt for the duration.

Re:Would like to see a worm disable Vista's DRM

The 1 step guide to getting cheap mod points on Slashdot

1) Mention DRM

Re:I'm a linux what's a worm?

[KozmoKramer]

Thanks for pulling up that Gem from 20 + years ago. You and my wife must be related!

Re:Windows itself is a vulnerability.

[betterunixthanunix]

"Or you could, oh I don't know, not let morons near your computer?"

Which is just not feasible sometimes. Every few weeks, someone I am working with -- yes, some of us must work with others on our computers -- brings me some files on a thumb drive. I have no choice but to plug that drive into my computer and deal with it, other than not getting my work done at all.

"Putting them in a limited user account and putting a good AV to scan whatever folder they are downloading crap to usually does the trick."

When I used to repair computers, I found that doing this invariably led to questions like, "Why can't I install [insert well known program name here]?" Windows systems really are not oriented toward this sort of security for single users who cannot just call up their helpdesk whenever they need some software installed.

"If you put these types on OSX or Linux they would break just as much as they do on Windows. They would just be loading "Hot_Pron_codec.dmg" or "killer_tune.sh" instead of an .exe."

Except that in OSX and Linux (and BSD and Solaris and all *nix systems) files have to be explicitly declared executable. A user receiving LatestPopSong.mp3.sh would just sit there confused and asking, "Why does it keep opening this song in a text editor? Why does my music player keep getting confused?" In distros that enable SELinux, you can have even more security -- for example, a policy that prevents programs which are not part of Firefox from writing to the Firefox configuration, which would prevent typical virus-installing-keylogger-in-web browser attacks that seem to be so common today; such a policy could be maintained by the distro packagers themselves; in fact, Fedora already gives the .mozilla/ folder a different context. Sure, you can create such a security policy in Windows, but it is not done by default.

Yes, if administered by experts, Windows can remain secure even when connected to the Internet, I will not deny that. Most single user Windows installations are not administered by experts, and unlike big name Linux distros, Microsoft does not have thousands of people tuning the Windows security policies, nor do they have tens of thousands (perhaps hundreds of thousands) of people fixing bugs.

Re:RANT / was(Re:I'm a linux what's a worm?)

[OolimPhon]

Do you really think that people use passwords like this

  makepasswd --char=32 --count=10
CLWwBsm1c15IFadg4KTjrHhCBjFP8RNI -- for slashdot
RLQaXqSEfRHgLnwjjbgoJU5y4Uya2hM6 -- for gmail
NebgFMATH990vB8US8CE4zMgeR7uum02 -- for Administrator
SFa0qT5nIQuLYtTsq44I8336ghEBApiD -- for user account
smcruMr8rzE6PFHzus8AmPcIoKNFy0Rh -- for facebook
L6wynpgAHoINdQm2CWwXdfSiJrBzQ8YG -- for myspace
Q3D1JBVXtgPNNo4bm16WAcKPMhox8s6C -- for banking
L1hEhuisoFcnoyGEYxPYqW8Hq4Qs2EmY -- for retirement account
2RqaobNEKyQIIoUVoFPty6EruLQhVE0F -- for work login
s0zJFsLiWCSN0e5fCEvpi48GV4D0PjyH -- for paypal

Hey! How come you know all the combinations to my luggage?