How AutoRun Malware Became a Problem on Windows, and How it Was Fixed

Mar 4, 2015, 08:23

Rossy Guide

AutoRun was once a huge security problem on Windows. AutoRun helpfully allowed malicious software to launch as soon as you inserted discs and USB drives into your computer. This flaw wasn’t only exploited by malware authors. It was famously used by Sony BMG to hide a rootkit on music CDs.

The Origin of AutoRun:

AutoRun was introduced in Windows 95. When you inserted a software disc into your computer, Windows would automatically read the disc, and if an autorun.inf file was found in the root directory of the disc, it would automatically launch the program specified in the autorun.inf file.
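Because autorun.inf is a plain-text INI-style file, you can read what a disc or drive would ask Windows to launch before anything runs. The following is an added example, not part of the original article: the key names `open`, `shellexecute` and `shell\<verb>\command` come from the documented autorun.inf format rather than this page, and the sample file is constructed.

```python
"""Audit an autorun.inf file: list the commands it asks Windows to launch."""

# [autorun] keys whose value is a program or command line.
LAUNCH_KEYS = {"open", "shellexecute"}


def launch_entries(text):
    """Return (key, command) pairs from the [autorun] section of `text`.

    Section and key names are matched case-insensitively. Comment lines
    (starting with ';') and lines without '=' are skipped instead of raising
    an error, because files on untrusted media are often padded with junk.
    """
    entries = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        # shell\<verb>\command adds a context-menu entry that runs a command.
        is_shell_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if value and (key in LAUNCH_KEYS or is_shell_cmd):
            entries.append((key, value))
    return entries


# Constructed sample, not taken from any real disc.
SAMPLE = """\
; constructed example
[AutoRun]
OPEN=setup.exe /silent
icon=setup.exe,0
label=My Software
junk line without equals
shell\\install\\command = setup.exe
[Other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, command in launch_entries(SAMPLE):
        print(f"{key}: {command}")
```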

When you inserted a software CD or PC game disc into your computer, it automatically launched an installer or splash screen with options. The feature was designed to make such discs easy to use, reducing user confusion.

If AutoRun didn’t exist, users would have to open the file browser window, navigate to the disc, and launch a setup.exe file from there instead. This worked quite well for a time, and there were no big issues.

AutoRun wasn’t enabled for floppy disks. After all, anyone could place whatever files they wanted on a floppy disk. AutoRun for floppy disks would allow malware to spread from floppy to computer to floppy to computer.

AutoPlay in Windows XP:

Windows XP refined this feature with an “AutoPlay” function. When you inserted a disc, USB flash drive, or another type of removable media device, Windows would examine its contents and suggest actions to you.

In Windows XP, CDs and DVDs would still automatically run programs on them if they had an autorun.inf file, or would automatically begin playing their music if they were audio CDs. And, due to the security architecture of Windows XP, those programs would probably launch with Administrator access.

With USB drives containing autorun.inf files, the program would not automatically run, but would present you with the option in an AutoPlay window.

You could still disable this behavior. There were options buried in the operating system itself, in the registry, and the group policy editor. You could also hold down the Shift key as you inserted a disc and Windows wouldn’t perform the AutoRun behavior.

Some USB Drives Can Emulate CDs, and Even CDs Aren’t Safe:

This protection began to break down immediately. SanDisk and M-Systems saw the CD AutoRun behavior and wanted it for their own USB flash drives, so they created U3 flash drives. These flash drives emulated a CD drive when you connected them to a computer, so a Windows XP system would automatically launch programs on them when they were connected.

Even CDs aren’t safe. Attackers could easily burn a CD or DVD, or use a rewritable drive. The idea that CDs are somehow safer than USB drives is wrong-headed.

Windows Vista Disabled AutoRun By Default, But…

Windows Vista and later versions of Windows won’t automatically run programs without asking you - you’d have to click the “Run [program].exe” option in the AutoPlay dialog to run the program and get infected.

But it would still be possible for malware to spread via AutoPlay. If you connect a malicious USB drive to your computer, you’re still just one click away from running the malware via the AutoPlay dialog - at least with the default settings. Other security features like UAC and your antivirus program can help protect you, but you should still be alert.

And, unfortunately, we now have an even scarier security threat from USB devices to be aware of.