
Securing Windows Against Stupid Simple Attacks: Pt 2 AutoRun is enabled

Malware distribution via USB is growing at an alarming rate. The recent Gauss virus, a cousin of Stuxnet and Flame, carries an encrypted payload that is installed onto USB media if a target machine meets certain criteria. Similarly, the Stuxnet virus propagated faster on illegal copies of Windows. Zemra was also revealed to carry USB infection code, which is particularly alarming because Zemra was written on the .NET Framework, putting the capability firmly within reach of entry-level programmers.

Below is what GFI reports when it alerts on the AutoRun misconfiguration, which is the default state of a Windows machine.

AutoRun is enabled
Microsoft Windows supports automatic execution in CD/DVD drives and other removable media. This poses a security risk in the case where a CD or removable disk containing malware that automatically installs itself once the disc is inserted. It is recommended to disable AutoRun both for CD/DVD drives and also for other removable drives.

Setting NoDriveTypeAutoRun to 0xFF disables AutoRun for all drive types, but that may be too aggressive: according to KB 2328787, “Disabling Autoplay through Group Policy or the registry will cause HotStart buttons to not function on Microsoft Windows 7 and Microsoft Windows Vista”. Instead we will disable AutoRun only on removable media.

Running the following from an elevated shell should do the trick!

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xb5 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0xb5 /f
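For checking many machines before and after the change, here is an added PowerShell audit script (my own example, not part of the original post or of GFI). It reads NoDriveTypeAutoRun from both hives, decodes which drive types the bitmask disables AutoRun for, and with -Remediate writes the same 0xB5 value the reg commands above use; the bit meanings are Microsoft's documented ones, and the 0x91 fallback when no policy value exists is an assumption noted in a comment.

```powershell
# Added example (not from the original post): audit NoDriveTypeAutoRun in both
# hives, decode which drive types the mask covers (bit meanings per Microsoft's
# documentation of this value), and optionally apply the post's 0xB5 setting.
param([switch]$Remediate)

$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'unknown type' },
    @{ Bit = 0x04; Name = 'removable (USB, floppy)' },
    @{ Bit = 0x08; Name = 'fixed' },
    @{ Bit = 0x10; Name = 'network' },
    @{ Bit = 0x20; Name = 'CD/DVD' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'unspecified type' }
)
$TargetMask = 0xB5   # the post's value: 0x80 + 0x20 + 0x10 + 0x04 + 0x01
$PolicyPath = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-NoDriveTypeAutoRun {
    param([ValidateSet('HKLM','HKCU')][string]$Hive)
    $item = Get-ItemProperty -Path "${Hive}:\$PolicyPath" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function ConvertFrom-AutoRunMask {
    # Lists the drive types for which the mask disables AutoRun.
    param([int]$Mask)
    foreach ($entry in $DriveTypeBits) {
        if (($Mask -band $entry.Bit) -ne 0) { $entry.Name }
    }
}

foreach ($hive in 'HKLM','HKCU') {
    $mask = Get-NoDriveTypeAutoRun -Hive $hive
    if ($null -eq $mask) {
        # Assumption: with no policy value present, the Windows default 0x91 applies.
        Write-Output "${hive}: NoDriveTypeAutoRun not set (default 0x91: removable media not covered)"
    } else {
        $types = (ConvertFrom-AutoRunMask -Mask $mask) -join ', '
        Write-Output ("{0}: NoDriveTypeAutoRun = 0x{1:X2}; AutoRun disabled for: {2}" -f $hive, $mask, $types)
    }
    $covered = ($null -ne $mask) -and (($mask -band 0x04) -ne 0)
    Write-Output ("{0}: removable media covered: {1}" -f $hive, $covered)
    if ($Remediate -and -not $covered) {
        $key = "${hive}:\$PolicyPath"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord -Value $TargetMask -Force | Out-Null
        Write-Output ("{0}: NoDriveTypeAutoRun set to 0x{1:X2} (HKLM needs an elevated shell)" -f $hive, $TargetMask)
    }
}
```

Run it without -Remediate first to see what each hive currently disables; the decoded list also makes it obvious that 0xB5 covers CD/DVD and network drives in addition to removable media.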

This simple vulnerability fits the theme of this series because you would normally disable AutoRun through a Domain or Local GPO, or on a single machine via gpedit.msc. That is perfectly fine for an experienced Domain Administrator, but out of the question for most Windows users and decidedly inconvenient for other administrators who would have to perform the task manually on a large number of machines.

How am I doing? First tip down, next tip topic already decided. Let me know if you don’t like the style, or have something I should cover!


About Pythorian

Exploration and Production oriented security consultant for securing IT infrastructures relating to natural resources.

