Friday, December 05, 2008

Honor Thy Settings

Some of us have been working with the Sality virus lately, which reportedly propagates by writing an autorun.inf file and an executable file to the root of all volumes or drives found on the infected system. If the user workstation maps to a file share, for example, the virus process writes the files to the volume, and anyone else that then connects to that share also gets infected. The same has been shown to be true for removable storage, such as USB thumb or flash drives.

So when working with analysts and customers, most of us tend to recommend disabling autorun capability all together, or perhaps for specific drives. Usually this is good advice, but only if it works. MS recently published this KB article which basically states that previous advice didn't work, and you need to install an update AND set another Registry value (ie, HonorAutorunSetting) for the functionality that you set to actually work.

Is this really such an important issue? Well, given stuff like this, and this...perhaps. Update your systems, and recommend that your friends and customers do the same. Even Symantec has picked this up.


hogfly said...

I've been dealing with incidents involving USB malware for over two months straight now. 10% of everything, if not more now is capable of this method of spreading. Autorun needs to be disabled in every system. I discussed this in a few posts for the responder, but it applies to the end user/sysadmin as well.

H. Carvey said...

Like a lot of other things, this appears to be something where MS has had the information posted, and then during some kind of investigation, someone found out that the settings were not working. At that point, most likely due to the visibility of the 'victim', MS was engaged, and now there's a fix to the fix, one where you need to (a) install an update, and then (b) create and set a Registry value.

Anonymous said...


From a sysadmin perspective I'm 100% on board.

However, from a "consumer/dad" perspective I'm I bit more frustrated.

Daughter unit needed a USB stick to take to school to save work from a computer-lab if her assignment work wasn't completed. Asked a few days in advance and promptly forgot. Got in the car a few days later and remembered and asked her about it. She said she had the forethought to grab one of our old/small USB sticks (32MB?) and had it with her.

I had to confiscate it with regret.

1) I didn't know what of our data was still on it and needed to "audit" it and remove anything of importance in case of loss/theft at the school.

2) I needed to make sure it was "clean" of any thing that might get her into trouble at school for "posessing" (forbidden utilities perhaps such as pentesting tools and other PUPS, etc.).

3) I have NO idea the condition of the lab-pc's she will be using at school. Don't know how their IT department maintains them, what AV/AM software is used, how often they are scanned/checked for rootkits and other baddies, etc. So cross-infection of our systems could be a real possiblity.

4) Need to figure out a "reasonable" way for daughter-unit to use a USB drive between school/friends houses/systems and our own but that will minimize chance of infecting our own. Going to have to spend time looking at my new AV/AM software to check out automatic detection and scanning/access settings for removable (USB) devices.


It's hard being an IT dude AND a dad these days. Oh to be blissfully unaware....

Would it be appropriate and reasonable to visit the school one day to request information on their IT policy and audit/security procedures? Or would that just freak them out as some kind of pen-test attack?

I'm curious how many families even think about these things as a threat risk. I know I certainly do....

H. Carvey said...


4) Need to figure out a "reasonable" way for daughter-unit to use a USB drive between school/friends houses/systems and our own but that will minimize chance of infecting our own.

Read the blog post. No automagical execution of autorun.inf files once can even set the specific drive types to which it applies. Set in the HKLM hive. AV is secondary solution.

What I'd love to do is be able to set admin-defined actions to occur based on an event on the system, much like WFP, rather than as a scheduled task...

hogfly said...

There are ways to mitigate risk on a usb stick.

1) Buy one with a write block switch. Kanguru sells these.

2) Create a directory(yes a directory) named Autorun.inf. This is known to help mitigate the ability of the malware to write to the drive.

3) Disable Autorun using group policy on your computers and force the following registry change:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

These steps work.

And it is completely reasonable for you to question the schools.

Anonymous said...

Harlan - Yep. Already had planned on doing that (MS fix) on all our systems over the weekend. Thank you!

Hogfy - Wonderful tips! I use a Kanguru device and use the switch often. I will have to look specifically for that feature when I pick up a USB drive for her and show her how/when to use it.

Also like the suggestion on making the renamed folder. Clever!

Thanks gentlemen! And great/timely post!