Slashdot Mirror


Spikes Detected In Autorun Malware

msm1267 writes "Researchers recently have seen a major increase in the volume of autorun malware in some countries, thanks to a couple of new worms infecting those older machines. The two new worms, Worm.JS.AutoRun and Worm.Java.AutoRun, both take advantage of the autorun functionality to spread, and the JavaScript worm has other methods of propagation, as well. Researchers at Kaspersky Lab say that the volume of autorun worms has remained relatively constant over the last few months, but there was a major spike in those numbers in April and May, thanks to the distribution of the two new pieces of malware."

17 of 140 comments

  1. Re:Windows Right? by JDG1980 · · Score: 5, Insightful

    >Yes. Whenever Windows sees new data from any source, it immediately executes it... for security reasons ya know.

    Not really. That security hole was patched over four years ago. What does happen is that when removable media is installed, the user is prompted for what to do; this can include opening the folder to view the files, or running a setup file if one is present. Yes, if someone *chooses* to run the setup.exe file and it's infected, then they can get a virus or trojan. But that's part of the cost of having an open platform without executable signing. The only way to eliminate this risk would be to force the user into a walled garden. That may be feasible on smartphones and tablets, but it's not acceptable on workstations.

  2. Re:Windows users are chumps. by JDG1980 · · Score: 5, Insightful

    >autorun.inf
    The most dangerous thing to ever come out of a computer company. That this feature made it past review demonstrates the utter disregard for the most basic security at all, especially since boot sector worms had been around for years in DOS and Win3.1 before Win95 ever graced us with its presence. Since Windows 95, it's been trivial to write auto executing code because Microsoft deliberately yanks down the pants and underwear of the end user and says "Go to it!"

    You're indulging in some 20/20 hindsight here. At the time Windows 95 was released, the only media that supported autorun.inf on insertion was CD-ROMs. (Floppy disks didn't do this, if only because the OS could not reliably detect when a disk was inserted in the drive.) Remember, at that time, CD-R drives were not mainstream computing devices; they were still very expensive and rare. (According to Wikipedia, the first CD-R drive under $1000 was not released until September 1995.) When Windows 95 was released, the idea was that only pressed CDs would autorun, and presumably MS thought that the vendors could be trusted not to ship malware. (The Sony rootkit scandal proved that was a mistake, but no one anticipated something like it at the time.) And let's be honest, in 1995, IT security wasn't really on the radar for home users.

    The real problem came with Windows XP. By this time, recordable CDs (and, later, DVDs) were commonplace. But Microsoft's biggest mistake was reusing their autorun code for other forms of removable media – such as thumb drives. Again, when thumb drives were first released, they were pretty expensive (I remember paying $100 for a 1GB thumb drive about a decade ago), so the best explanation is that Microsoft didn't think it likely someone would put malicious software onto a thumb drive and just leave it lying around or give it away – at the time, that would have been a rather costly strategy.

    Over time, as thumb drives became dirt-cheap, it was clear that allowing INF-based autorun on rewritable removable media was a bad idea. It probably shouldn't have taken Microsoft until 2009 to get rid of this. But the decisions made earlier in the process were not as clear-cut as you're making them out to be.

  3. Re: Windows users are chumps. by Anonymous Coward · · Score: 2, Insightful

    Nix isn't immune against malicious wares either. The only folks who believe it is are either misinformed or blatantly incompetent.

    Ease of use for end-users was how MS moved to become the dominant player. Any platform is subject to malicious intent and the propagation of said software. I appreciate nix but end-users still find it a struggle. Microsoft, at least, provides native management tools for hardening security, which is another reason its platforms remain the leader in the markets. You can't knock something for being susceptible to becoming vulnerable when its exposure is due to its wide adoption, that was spurred by bringing to the table the stuff competitive platforms continually lack. Nix has come a long way but it is still too fragmented to bring together the same level of native management tools that Microsoft's platform has to offer.

  4. Re:Windows Right? by noh8rz10 · · Score: 4, Informative

    >The only way to eliminate this risk would be to force the user into a walled garden. That may be feasible on smartphones and tablets, but it's not acceptable on workstations.

    apple has successfully closed holes for this sort of stuff through gatekeeper and mac app store. gatekeeper has three settings, and at its most restrictive setting you can only run programs that have been registered with apple. medium setting throws a stern warning, and low setting is off.

    the mac app store takes it one step further by porting the security of ios app store to mac.

  5. Re:Windows users are chumps. by anagama · · Score: 4, Insightful

    >You're indulging in some 20/20 hindsight here. At the time Windows 95 was released, the only media that supported autorun.inf on insertion was CD-ROMs

    I don't think it would have taken any hindsight at all -- floppy based viruses predated CD-ROMs by a long time. If a virus could spread by floppy, why not a CDR?

    --
    What changed under Obama? Nothing Good

  6. Re:Windows users are chumps. by bmo · · Score: 4, Insightful

    >The real problem came with Windows XP. By this time, recordable CDs (and, later, DVDs) were commonplace

    No, CD-Rs were commonplace by the time Windows 98 came out. I think there were more burned copies of Windows 98 than there were official pressed ones at that time. The first "under $1000" CD-R drive was in 1995, and 3 years to "affordability by ordinary people" in electronics had become the norm even then.

    Autorun from 1998 onward revived the spread of malware by removable media. Nobody was doing bootsector viruses on floppies anymore in 1998 because the number of people booting their machines with an OS floppy was minuscule. Autorun malware took the place of bootsector malware. It was so commonplace that it was recommended by everyone who knew anything about preventing the propagation of malware by pirated software that autorun be turned off.

    In 1998.

    Speaking of convenience, if a software install CDROM (you know, an official one) had an autorun.inf that didn't check to see if the software was already installed, the installer would start. If you merely wanted to pick a file off the CD, you had to cancel the install and open Explorer, rather than simply pop the disk in and browse the drive. This was even before the popularity of burned disks.

    While you can say this was the publisher's fault, it illustrates the dubious value of autorun even as an installation "feature".

    It took a full 10 years of autorun being a problem for it to be turned off in Vista instead of in a service pack or in 98SE and NT4. That shouldn't have happened, and autorun should now not even exist.

    --
    BMO

  7. Re:Windows users are chumps. by peppepz · · Score: 3, Informative

    I challenge what Wikipedia says; I was there in 1995, and for new computers that shipped with Windows '95 having a CD-ROM drive was the norm and not the exception. Installing Windows '95 from floppy disks required a very tall pile of them, and I know few people who can recount the experience of installing the OS out of them. CD burners were much rarer, but using burnt CDs coming from a third party was commonplace.

  8. Re:Windows users are chumps. by Zontar+The+Mindless · · Score: 2

    1. Floppy disk viruses were already commonplace, even without autorun.

    2. I burned my first CD in 1997, using my Win95C desktop's built-in burner.

    It took Microsoft better than a decade to put 1 and 2 together (to get 4, mind you--and they managed to be that close only because everybody was shouting the correct answer at them).

    You seem to think this is acceptable. I do not.

    --
    Il n'y a pas de Planet B.

  9. Re:Windows users are chumps. by dbIII · · Score: 2

    No we are not. Some of us knew it was a fucking stupid idea when it was introduced in 1995. Anybody that listened to the antivirus companies grumbling about it for instance. Then the fools went and repeated the stupidity with the first version of Active-X years later - and it was so widely seen as a stupid idea that a librarian warned me about the consequences and was 100% correct.

  10. Time to move along by symbolset · · Score: 5, Interesting

    No doubt we'll see more of this type of article for the next year as the drive to bury XP intensifies. It's not going to yield the results they expect, but hey.

    --
    Help stamp out iliturcy.

  11. Re:Windows Right? by FrangoAssado · · Score: 5, Informative

    The terms "closed platform" and "walled garden" have a very specific meaning, and it doesn't apply to Windows. From Wikipedia (my emphasis):

    >A closed platform, walled garden or closed ecosystem is a software system where the carrier or service provider has control over applications, content, and media and restricts convenient access to non-approved applications or content. This is in contrast to an open platform, where consumers have unrestricted access to applications and content.

    It's obvious that Microsoft has absolutely no control over what software can be run on Windows. Compare that to Apple's iPad, where you can't install anything that's not approved by Apple (unless you jailbreak it first). That makes iOS a "walled garden".

    Now, maybe we agree that it was foolish for Microsoft to enable any kind of "autorun" feature. The point is that in an "open platform" (that is, one where the user has complete control over what can be run on it), the user must also have enough power to do dumb things like running an unknown program from a pendrive that was just plugged in. How easy it should be for the user to do that is another discussion.

  12. Re:Windows Right? by AmiMoJo · · Score: 2

    Gatekeeper sounds a lot like UAC on Windows. It differentiates between signed and unsigned apps. Much like the Mac App Store we now have the Windows App Store or whatever they call it.

    Unfortunately most users are not happy with those restrictions. They want to be able to buy software and install it, e.g. games. I keep saying it: if you are dumb enough to click through all the dire warnings and install some unknown application you were not expecting to install then there really is no help for you, other than a crippled PC. Buy a tablet or etch-a-sketch instead, or perhaps a Chromebook.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  13. Re:Windows users are chumps. by Runaway1956 · · Score: 2

    And, we are right back to the point made in an earlier post. People who don't even know what an installer is, should not be installing stuff. In the long run, the clueless computer owner who wanted to install something, and didn't know how, would have saved money by going to his local computer guy, and HAVE THE SOFTWARE INSTALLED.

    BMO was modded a troll above - but he makes a very valid point. Microsoft's strategy of permitting any type of autorun was flawed. Computing should have remained something of a mystery, and local witch doctors should have presided over the installation of software. Given time, more witch doctors should have been trained. Given enough time, home users should have become qualified witch doctors in their own right. Becoming a witch doctor should have required a few semesters of genuine "Computer Science" classes (as opposed to Microsoft-centric "keyboarding" classes and other such nonsense). The mistake was to hand over all the magic talismans to every untrained fool who imagined himself to be smarter than the witch doctors.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

  14. Re:Windows users are chumps. by Runaway1956 · · Score: 2

    In my own experience, I'm pretty sure it was 98 before I found a CD writer that I could afford. It may have been 99, I'm not quite certain. I remember the day I walked into a store outside of Los Angeles on Interstate 10. I just can't precisely place the date.

    As for CD readers, I had one on a 386 SX, a couple of years before Win95 was released. That was just a bit of luck - I found it at an estate sale, and the ladies didn't know the value of the thing. They gave me the whole computer, and a couple boxes of floppies and a small box of CD's for fifty bucks. Helluva bargain . . . .

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

  15. Re:Windows users are chumps. by Runaway1956 · · Score: 4, Insightful

    Hey now - you stress the "librarian" thing as if you expect librarians to be clueless. Not fair, I say. In my experience, about half of today's librarians are pretty savvy. Someone has to be administrator on library systems, after all, and in small towns, that will almost invariably be the librarian. Those little old frumpy ladies are generally pretty intelligent, and they don't make the same stupid mistakes repeatedly. Sure, some of them never really get the hang of it, but even those ladies can generally follow directions when given a rigid guideline to follow.

    Maybe I read your post incorrectly, maybe not. I just want to give librarians their due!

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

  16. Re: Signed apps by King_TJ · · Score: 3, Insightful

    One thing we've recently seen in my workplace is a Trojan horse virus embedded in a fake Flash player update which carries a valid Adobe signature.

    So even allowing only signed apps to install is no guarantee of security.

    The main difference with something like UAC versus Apple's Gatekeeper is that Apple made the effort to sell as many programs as possible in their own online store for the Mac, and Microsoft didn't really have an equivalent. So Apple was in a position to put something in place allowing only those store purchased items to be installed by end users (while admins of a box could still have less restrictive settings and load whatever they wished). This allows configuring a system with everything a user needs up front, but still giving the user freedom to buy and load a wide selection of programs after the fact, while ensuring they all come from a known, safe source.

  17. Re:Windows Right? by VGPowerlord · · Score: 2

    >I've never actually looked - can autorun just be uninstalled on a Windows system?

    Uninstalled, probably not. But it can be disabled... and that feature has been in Windows for at least 10 years.

    For that matter, Windows Vista and newer don't autorun directly*... they instead bring up a number of options when removable media is inserted, with the top one being the autorun program if one exists.

    *Although I seem to remember some atrocity of a flash drive protocol named U3 that did some trickery to autorun its launchpad software, but that may have been back on WinXP.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
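
An added example, not part of the thread or of any poster's code: a small Python audit of an autorun.inf file, the mechanism discussed throughout the comments above, that reports which `[autorun]` entries name a program to launch (the entry the Vista-and-later prompt would offer). The sample file contents and every file name in it are constructed for illustration.

```python
import re

# Entries in the [autorun] section that name something to execute.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command


def audit_autorun_inf(text):
    """Return (key, value) pairs from [autorun] that launch a program."""
    findings = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            # Section names are case-insensitive.
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # junk padding, or a key belonging to another section
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            findings.append((key, value))
    return findings


# Constructed sample: mixed case, padding line, and a non-autorun section.
SAMPLE = """\
; constructed sample for the audit above
qwertyjunk
[AutoRun]
Open = setup.exe /quiet
icon=setup.exe,0
label=Backup
ShellExecute=readme.html
shell\\explore\\command=tools\\launch.exe
[Content]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, value in audit_autorun_inf(SAMPLE):
        print(f"executes on autorun: {key} -> {value}")
```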