Am I protected from USB autorun malware on Windows 7?

Question

As far as I know, the autorun.inf problem (the possibility of automatically executing code when a USB stick is plugged in) was solved through Windows Updates for XP, and on 7 it is no longer possible at all.

But there is still some auto play dialog popping up, when a USB stick is plugged in.

Can this be exploited, would it be possible to execute code somehow?

(assumed)

Assets: Single home desktop machine containing personal information, financial records, passwords to web sites, contact information for friends and relatives.

Exposure: Located in personal residence with little unknown individual traffic.

Threats: Personal acquaintance with non-financial motivation or service worker with financial motivation.

Answer 1

When you plug a USB key in, a considerable amount of things happen. The OS first talks to the USB device to know what kind of device it is and what it can do. Then, if the device says that it is a kind of disk, the OS will look for a filesystem on it, then mount it, and explore some of the files. Depending on what files were found and their name, the OS will suggest a choice of actions to the user (that's the popup you see). Any phase of that process could have exploitable bugs, and indeed numerous examples of these have historically occurred (for instance, the PS3 Jailbreak from last year is a USB device which, internally, announces itself as a hub of four devices, one of which rambling incoherently on the USB bus in such a way that it triggers a buffer overflow in the OS USB driver).

Hence, while the current state of affairs on Windows is that the OS will not by design run malicious code automatically, it may still do it by mistake. To my knowledge, there is no currently published exploit which does so, but it would be implausible that all that code is bug-free.

As a side note, what looks like a plain USB stick may, internally, behave quite differently, and (for instance) show itself as a keyboard to the OS -- and begin "typing" immediately. The possibilities are almost endless. And a bit scary.

Answer 2

According to Wikipedia:

• Windows 7

  For all drive types, except DRIVE_CDROM, the only keys available in the [autorun] section are label and icon. Any other keys in this section will be ignored. Thus only CD and DVD media types can specify an AutoRun task or affect double-click and right-click behaviour.

  There is a patch available, KB971029 for Windows XP and later, that will change AutoRun functionality to this behaviour.

https://secure.wikimedia.org/wikipedia/en/wiki/Autorun.inf

So, this would indicate that some parts of autorun.inf are still indeed processed by Windows 7 upon insertion of any removable media. How much of it gets processed is dependent upon whether the media in question is in the optical drive.

I'm not aware of any current vulnerabilities specifically connected to the label or icon keys, but that doesn't mean there won't ever be any. There's also the possibility that you may encounter an infected CD/DVD/BD or other optical media where more of autorun.inf would get processed. So, to protect yourself properly, I would still recommend disabling processing of autorun.inf in its entirety.

Michael Horowitz wrote a great blog article about how Autorun and Autoplay work some time ago. Echoing work done by Nick Brown and Emin Atac, the article included a registry hack to disable all processing of autorun.inf. I'll paste the registry hack details below. Check out the article link for more information.

The suggested solution involves updating the Windows Registry. So, as always, it's best to make a backup. The solution was written for Windows XP/Vista, but it should work in 7 as well.

Zapping the registry is simple, all you need is the three lines shown below in a .reg file. Then double click on the file.

You can either copy the three lines below from this web page or download the file using the link at the bottom of this posting. The file name is not important, other than it should end with ".reg". Computerworld does not allow attaching files ending with ".reg" to a blog posting, so the file type is ".txt" and you'll have to rename it to end with ".reg".

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Note that there are three lines in the file, the middle line may wrap when displayed by a web browser, but it needs to be a single line in the .reg file.

Nick Brown explains what this does:

This hack tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application ... it says "whenever you have to handle a file called AUTORUN.INF, don't use the values from the file. You'll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key, er, does not exist, it's as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action. Result: worms cannot get in - unless you start double-clicking executables to see what they do ...

The text "DoesNotExist" in the third line is meant to be a place in the registry that does not exist. If this zap gets very popular, malware may look for it, so it can't hurt to change it just a bit. For example, I might use something like @="@SYS:DoesNotExistMichael" on my computers. To be clear, this is not at all required. The zap as shown above works fine.

http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives

Of course, this doesn't really do much against USB sticks that present themselves to the system as something other than what they actually are. The best solution is to just not plug in any device that you don't trust. And, don't plug any devices that you do trust into systems that you don't.

For additional info about Autorun/Autoplay and how they work, see the websites already referenced. Also, check out these Wikipedia links:

https://secure.wikimedia.org/wikipedia/en/wiki/AutoRun
https://secure.wikimedia.org/wikipedia/en/wiki/AutoPlay

Answer 3

The default behavior is to show the popup. The popup scans the media for file types and makes an educated guess on what you might want to do. With the default behavior, the only way to exploit it is through a vulnerability in the popup code that reads the content of the media, which doesn't exist at the moment [in the wild].

Answer 4

You are not protect and very much at risk

Autorun.inf is an old attack that should no longer work but this is not the only attack vector using USB.

BadUSB is where firmware has been altered on a USB device to emulate other devices and be extend its capabilities. Remember USB is only a specification for devices connecting and different devices run at different levels or privilege, storage does not run at the same level as a keyboard. With the extended capability a storage device will look like a keyboard when plugged into a machine.

A possible scenario could be this:

You plugin a USB stick, the next thing you know code is executing. This is possible due to the device emulating a keyboard USB device and supplying input to your system such as short cut keys to open up PowerShell and then run code.

BadUSB can be found in commercial products that can be purchased that use this exploit such as the Bashbunny and Rubber ducky.

Addtionally there are guides on creating your own from scratch As found here

Answer 5

Absolutely not

The issue with autorun may be fixed but any USB device can easily present itself as a keyboard or mouse to the operating system and use this to download malware. This is a risk that applies regardless of the platform, unless the operating system requires a confirmation dialog before allowing the user to install new USB devices, which I'm not aware of any that do.

Look into Teensy if you want to try creating a proof of concept of how such an attack could be executed. It's really important to only plug USB devices into your computer that you trust.