Unexpected guests

The perils of autorun

Friday, September 8, 2017

Removable media (not only thumb drives) remain one of the most common ways to spread malware.

Here is an example of such a program:

Win32.HLLW.Autoruner

(Worm:AutoIt/Renocide.gen!C, Gen:Trojan.Heur.AutoIT.4, W32/Autorun.worm.zf.gen, Trojan.Win32.Generic!SB.0, Worm.Win32.AutoIt.xl, Trojan.Autoit.F, Worm/Renocide.491520, DR/Autoit.aft.393, TR/Dldr.Delphi.Gen, New Malware.bj, Trojan.Win32.AutoIt.gen.1 (v), Trojan.Generic.4184137, TrojanDropper:Win32/Dowque.A, Downloader.Agent.KNF, Trojan.Autorun.LT, Packed.Win32.Klone.bj, Worm.Win32.AutoRun.yq, Win32/Daiboo.A, Worm:Win32/Autorun.BR, Virus.Win32.AutoRun.k, TROJ_Generic.DIS, Worm/Small.I.7, Trojan.Win32.Meredrop)

Malware type: worm

Technical description

  • This worm family spreads via thumb drives and may be carried by other malicious programs, such as droppers.
  • It creates an autorun.inf file on every disk it can reach. If such a disk is opened in Windows Explorer, the worm is launched automatically.
  • Win32.HLLW.Autoruner stays resident in memory and repeatedly checks whether a removable disk has been mounted. As soon as one is available, the worm copies itself onto the media.

https://vms.drweb.ru/virus/?i=115441

How do malicious programs get onto computers?

In the past, attackers usually relied on the AutoRun feature for this. If a file named autorun.inf sat in the root directory of removable media and its [autorun] section named an executable (an open= or shellexecute= line), plugging the drive in was enough for that executable to start automatically.

The same executable is also launched when the user double-clicks the drive's icon in Explorer or on the desktop, because autorun.inf can also define the drive's default double-click action (a shell\...\command verb).

AutoRun was meant as a convenience: it launched installers and the menu shells used to browse a disc's contents, and so on. Unfortunately, attackers began to abuse it.
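To see what a given autorun.inf would actually do before anyone double-clicks the drive, here is an added example in PowerShell (written for this edit, not code from the Dr.Web article). It interprets only the documented [autorun] keys; the sample file is constructed, and the path RECYCLER\update.exe in it is invented for illustration.

```powershell
# Added example, not code from the Dr.Web article: list everything an autorun.inf
# would make Explorer do, so a suspicious stick can be inspected without opening it.
# Only the documented [autorun] keys are interpreted (open, shellexecute, shell,
# shell\<verb>\command, icon, label); anything else is reported as "other".
function Get-AutorunActions {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$IniText)

    $section = ''
    foreach ($raw in ($IniText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }          # blank line or comment
        if ($line -match '^\[(.+)\]$') { $section = $matches[1].ToLowerInvariant(); continue }
        if ($section -ne 'autorun' -or $line -notmatch '=') { continue }  # Explorer only reads [autorun]
        $key, $value = $line -split '=', 2
        $key = $key.Trim().ToLowerInvariant()
        $kind = switch -Regex ($key) {
            '^open$'                 { 'executed on insert / double-click' }
            '^shellexecute$'         { 'ShellExecute on insert / double-click' }
            '^shell\\(.+)\\command$' { "context-menu verb '$($matches[1])'" }
            '^shell$'                { 'default verb for double-click' }
            '^(icon|label)$'         { 'cosmetic (what the user sees)' }
            default                  { 'other' }
        }
        [pscustomobject]@{ Key = $key; Value = $value.Trim(); Effect = $kind }
    }
}

# Constructed sample (not taken from a real infection) in the style of the worms above:
# a harmless-looking label and icon, while open= and the double-click verb both
# point at an executable hidden in a folder on the stick.
$sample = @'
[autorun]
label=Holiday photos
icon=photos.ico
open=RECYCLER\update.exe
shell\open\command=RECYCLER\update.exe
shell\explore\command=RECYCLER\update.exe
shell=open
'@
Get-AutorunActions $sample | Format-Table -AutoSize

# Inspect every mounted removable (DriveType 2) or optical (DriveType 5) drive.
# A *folder* named autorun.inf is the "vaccine" trick discussed later in the article.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=5' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf -PathType Container) {
        "$inf is a directory (vaccine-style placeholder)"
    } elseif (Test-Path -LiteralPath $inf -PathType Leaf) {
        "== $inf"
        Get-AutorunActions ([string](Get-Content -LiteralPath $inf -Raw)) | Format-Table -AutoSize
    }
}
```

Run it from a normal (non-elevated) shell; it only reads the drives. The point of the Effect column is that the label and icon are what the user sees, while open=, shellexecute= and the shell verbs are what actually runs, and a worm typically sets all of them to the same file so that both inserting and double-clicking lead to it.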

They brought me a disk and claimed that once the disk was connected to their computer, all the data disappeared from the D drive. It turned out that autorun.inf contained the string open=format D: /x /q. And, most important, they had tried to open the disk on two of our computers before they actually asked me what to do. And backups were stored on the D drive. So now I disable autorun wherever I can.

https://habrahabr.ru/post/53642

Because so many malicious programs abused AutoRun, in February 2011 Microsoft pushed an update (KB971029) to Windows XP and Vista through Windows Update that stops autorun.inf from launching programs on anything but CD and DVD drives, the behaviour Windows 7 had shipped with. So the feature is now disabled for USB sticks; optical media still get AutoRun unless policy turns it off.

Before that, users had to help themselves. For instance, there were plenty of utilities that simply deleted autorun.inf from every disk. That didn't solve all the problems, though: nothing can remove the file from a CD or DVD, and those were still very popular back then.

Another option was to occupy the name autorun.inf yourself, using a somewhat unusual technique: create a folder with that name rather than a file, or create the file and give it attributes that make it awkward to overwrite, so that a worm cannot plant its own. All sorts of variants circulated; here are a couple of them:

This is what I do. Malware tries to create autorun.inf on the flash drive, and because a folder with the same name already exists, the file is moved into the folder, and thus the Trojan won't be launched automatically. More devious species first try to delete an already existing autorun.inf but bump into the undeletable directory ".." and fail.

I can protect a flash drive forever this way, well, not quite forever—just until it is formatted.

https://habrahabr.ru/sandbox/52317

Create a folder with any name on the flash drive. Move desktop.ini containing the link to the autorun.inf icon into the folder. A change in the folder's appearance at some future point will indicate that some lousy rat has infested the thumb drive.

https://habrahabr.ru/post/53642/

So-called vaccine applications, which planted such a special autorun.inf on USB sticks for you, also existed.

But do these techniques work?

Whatever one program can create, another program can delete or rename by the same means, however unusual the name or attributes. The autorun.inf tricks only worked until virus writers learned about them.

On the script page of my LiveJournal blog, users reported that Trojans (such as Win32.HLLW.Autoruner.1018) capable of renaming the AUTORUN.INF folder had already appeared.

https://habrahabr.ru/post/53642

#Windows #autorun #anti-virus #security #malware #removable_media #Trojan

The Anti-virus Times recommends

Although Windows no longer runs autorun.inf commands from USB sticks, that doesn't mean we should relax. The AutoPlay prompt can be switched back on by anyone with access to the machine (in Windows 10: Start -> Settings -> Devices, then AutoPlay in the left-hand pane), and the restriction only covers drives that Windows recognises as removable disks. CDs and DVDs still get full AutoRun unless policy turns it off, and a USB device that presents itself as an optical drive is treated like one.
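The switch in Settings is only the per-user AutoPlay preference; the system-wide behaviour, including what happens with CDs and DVDs, is governed by registry policy values, which is also what the pre-2011 "disable it yourself" advice earlier in this article came down to. The following is an added example (not code from the Dr.Web article) that audits those values and can enforce the locked-down state. The value names and locations are the documented Windows policy values; the function names Get-AutoRunPolicy and Set-AutoRunDisabled are chosen here.

```powershell
# Added example, not code from the Dr.Web article: audit the registry values that
# govern AutoRun/AutoPlay and, on request, set them to the locked-down state.
# The values used are the documented policy ones:
#   HKLM\...\Policies\Explorer\NoDriveTypeAutoRun       bitmask of drive types for which AutoRun is off (0xFF = all)
#   HKLM\...\Policies\Explorer\NoAutorun                1 = never run autorun.inf commands at all (Windows 7+, or XP/Vista with KB971029)
#   HKCU\...\Explorer\AutoplayHandlers\DisableAutoplay  1 = the per-user "Use AutoPlay for all media and devices" switch is off
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UserKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

# NoDriveTypeAutoRun bits are 1 shl DRIVE_* type. 0x01/0x02 (unknown, no root dir) and 0x80 (reserved) carry no real drive.
$DriveBits = [ordered]@{ 0x04 = 'removable'; 0x08 = 'fixed'; 0x10 = 'network'; 0x20 = 'CD/DVD'; 0x40 = 'RAM disk' }

function Get-RegDword([string]$Path, [string]$Name) {
    (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-AutoRunPolicy {
    $mask      = Get-RegDword $PolicyKey 'NoDriveTypeAutoRun'
    $noAutorun = Get-RegDword $PolicyKey 'NoAutorun'
    $noPlay    = Get-RegDword $UserKey   'DisableAutoplay'
    $offFor = if ($null -ne $mask) {
        ($DriveBits.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $DriveBits[$_] }) -join ', '
    } else { '(value absent: built-in default applies)' }
    [pscustomobject]@{
        NoDriveTypeAutoRun = if ($null -ne $mask) { '0x{0:X2}' -f $mask } else { $null }
        AutoRunOffFor      = $offFor
        AutorunInfIgnored  = ($noAutorun -eq 1)
        AutoPlayPromptOff  = ($noPlay -eq 1)
        Hardened           = ($mask -eq 0xFF -and $noAutorun -eq 1)
    }
}

function Set-AutoRunDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($k in $PolicyKey, $UserKey) {
        if (-not (Test-Path -LiteralPath $k)) { $null = New-Item -Path $k -Force }
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'set NoDriveTypeAutoRun=0xFF, NoAutorun=1')) {
        Set-ItemProperty -LiteralPath $PolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        Set-ItemProperty -LiteralPath $PolicyKey -Name NoAutorun          -Value 1    -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($UserKey, 'set DisableAutoplay=1')) {
        Set-ItemProperty -LiteralPath $UserKey -Name DisableAutoplay -Value 1 -Type DWord
    }
}

Get-AutoRunPolicy                 # audit the current machine
# Set-AutoRunDisabled -WhatIf     # preview; run without -WhatIf from an elevated shell to enforce
```

Group Policy sets the same two HKLM values through Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies ("Turn off AutoPlay" for all drives, and "Set the default behavior for AutoRun" to "Do not execute any autorun commands"). Explorer reads them at logon, so sign out or restart after changing them, and re-run the audit afterwards: a machine where NoDriveTypeAutoRun is not 0xFF still has AutoRun for optical media, which is exactly the gap a USB device masquerading as a CD-ROM exploits.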

Therefore:

  1. Rely on an anti-virus for protection from malware. Custom workarounds only work until virus writers learn about them.
  2. If you plugged your removable drive into someone else's computer or lent it to a friend, check it with the Dr.Web scanner.
  3. If you want to prevent anything from being written onto your flash drive, buy media with a hardware write-protect switch and set it to read-only before the drive is used on someone else's computer.
