Protecting Windows Computers against Attacks from infected USB-Sticks
Overview
In the year 2008, malware that travels on USB drives is the main attack vector against Windows computers at PIK. In most cases, the antivirus software has intercepted the malware on its way from the USB stick into the operating system, but we have also seen some individual infections.
The culprit, of course, is Microsoft's design flaw, which makes WinXP run foreign code automatically, even if the user explicitly wishes to just display the list of files. Some of the malware uses ingenious camouflage - it will travel in hidden files and/or manipulate the names and icons on the USB stick.
The bottom line is: we no longer want to rely on the antivirus software alone. Instead, we want to prevent the OS from automatically launching programs that are hosted on USB sticks and, more generally, on any removable drive.
The Solution: An Immunization against Autorun
During our lab work on this security issue, we found that there is a way to make Windows ignore autorun.inf files entirely. This configuration, however, is not properly documented by Microsoft. To make things worse, Microsoft suggests steps which merely give the appearance of a higher level of security - as soon as the user tries to display the directory listing of the USB drive, malware can still be launched.
Thus, we have developed and tested a custom solution for the PIK network. Our solution is based on a suggestion that we have found on the Internet: "Memory stick worms" http://nick.brown.free.fr/blog/2007/10/memory-stick-worms [23 October 2007].
Comparing our results with the work of others, we find that the US-CERT (United States Computer Emergency Readiness Team) suggests a fix which is very similar to the solution that we are deploying at PIK - see below. Also, it is worth noting that the US-CERT recommends avoiding some of the policy settings suggested by Microsoft - see "Vulnerability Note VU#889747" http://www.kb.cert.org/vuls/id/889747
In February 2009, Microsoft released an out-of-band update which fixes the known issues of the autorun policies. Though Microsoft calls this a "non-security update", the automatic update service of WinXP handles it like a critical patch. In particular, a WinXP computer that is configured to install critical and important updates automatically will download this update in the background, install it and reboot according to the automatic update schedule. For more information, please refer to "Microsoft Security Advisory (967940) - Update for Windows Autorun" [Published: February 24, 2009], http://www.microsoft.com/technet/security/advisory/967940.mspx and "How to correct "disable Autorun registry key" enforcement in Windows", http://support.microsoft.com/kb/967715
Impact of the autorun Vaccination
In particular, the following changes apply:
- when inserting an installation CD, no setup program will start. If you want to run a setup routine, you have to launch it yourself;
- when inserting any other type of a CD, no program for using the CD (search tool, help etc) will start;
- when connecting a USB drive, no autorun-based virus will be executed (!);
- in addition, no pre-installed software on USB drives will be launched - thus, U3-based functionality is impeded;
- consequently, information theft by Podslurping is impeded, too;
- when connecting any USB device which uses an autorun.inf file for changing the drive icon in Explorer, this override is ignored;
- a known side effect concerns U3 memory sticks, which are equipped with a custom functionality (such as encryption) that is based on autorun.
In general, practically everything will continue working - but programs on USB devices will start only if the user explicitly launches them. This is far superior to the all-or-nothing approach suggested by Microsoft, see "How to disable the use of USB storage devices" in the MS knowledge base.
In addition, our approach is much more secure than the policy modifications suggested by Microsoft - see Microsoft's KB articles regarding autorun.inf issues.
Deploying the Solution across the PIK Domain
In October 2008, we started deploying our solution step by step. At the same time, we started monitoring the results and side effects of the vaccination.
Now (end of Oct 2008) we are running a continuous "immunization therapy" across the PIK Windows Domain. It works like this: Every hour, the PIK network is checked for active Windows hosts. All machines that have been discovered are tested, and - if required - fixed. The result of every run is logged, so we know how many machines have been inoculated. New machines - which are installed from system images - are inoculated right from the start, because we have integrated our fix into the master images.
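The "test, and if required, fix" step of this hourly run, as an added example that is not PIK's own script: a PowerShell script which checks each host on a supplied list for the immunization, applies it where it is missing (only when -Fix is given), and appends one line per host to a log. The page does not spell out the registry change itself; the script assumes it is the one from the linked "Memory stick worms" post, namely mapping Autorun.inf in the IniFileMapping key to a non-existent location so that Windows ignores every autorun.inf on every drive. Host names and the log path are constructed; remote hosts need the Remote Registry service and administrative rights.

```powershell
# Added example (not PIK's script): check hosts for the autorun.inf
# immunization and apply it if missing, logging the outcome per host.
# Assumption: the immunization is the IniFileMapping technique from the
# "Memory stick worms" post - the page does not list the key itself.
param(
    [string[]]$ComputerName = @('localhost'),   # constructed host list
    [string]$LogPath = 'C:\autorun-immunization.log',  # constructed path
    [switch]$Fix
)

# Key under HKEY_LOCAL_MACHINE; pointing its default value at a location
# that does not exist makes Windows treat every autorun.inf as empty.
$subKey   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$expected = '@SYS:DoesNotExist'

function Open-LocalMachineHive {
    # Local targets use the local hive directly; others go through the
    # Remote Registry API.
    param([string]$Target)
    if ($Target -eq '.' -or $Target -eq 'localhost' -or $Target -eq $env:COMPUTERNAME) {
        return [Microsoft.Win32.Registry]::LocalMachine
    }
    return [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $Target)
}

function Get-ImmunizationState {
    # Returns 'immunized', 'missing' (key absent) or 'wrong-value'.
    param([string]$Target)
    $base = Open-LocalMachineHive -Target $Target
    try {
        $key = $base.OpenSubKey($subKey)
        if ($key -eq $null) { return 'missing' }
        try {
            $value = $key.GetValue('')
        } finally { $key.Close() }
        if ($value -eq $expected) { return 'immunized' }
        return 'wrong-value'
    } finally { $base.Close() }
}

function Set-Immunization {
    # Creates the key if needed and sets its default value.
    param([string]$Target)
    $base = Open-LocalMachineHive -Target $Target
    try {
        $key = $base.CreateSubKey($subKey)
        try {
            $key.SetValue('', $expected, [Microsoft.Win32.RegistryValueKind]::String)
        } finally { $key.Close() }
    } finally { $base.Close() }
}

foreach ($target in $ComputerName) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    try {
        $state = Get-ImmunizationState -Target $target
        if ($state -ne 'immunized' -and $Fix) {
            Set-Immunization -Target $target
            $state = "fixed (was $state)"
        }
    } catch {
        # Unreachable host, access denied, Remote Registry stopped, etc.
        $state = "error: $($_.Exception.Message)"
    }
    $line = "$stamp`t$target`t$state"
    Write-Output $line
    Add-Content -Path $LogPath -Value $line
}
```

Feed the script the host list produced by the hourly network scan, for example `.\Check-Autorun.ps1 -ComputerName (Get-Content hosts.txt) -Fix`; run without -Fix to take an inventory only. Counting the 'immunized' and 'fixed' lines in the log gives the number of inoculated machines per run. This registry change is independent of the NoDriveTypeAutoRun policy that the February 2009 update (KB967715) repairs, so both can be applied side by side.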
