Security Worms

Spikes Detected In Autorun Malware 140

msm1267 writes "Researchers recently have seen a major increase in the volume of autorun malware in some countries, thanks to a couple of new worms infecting those older machines. The two new worms, Worm.JS.AutoRun and Worm.Java.AutoRun, both take advantage of the autorun functionality to spread, and the JavaScript worm has other methods of propagation, as well. Researchers at Kaspersky Lab say that the volume of autorun worms has remained relatively constant over the last few months, but there was a major spike in those numbers in April and May, thanks to the distribution of the two new pieces of malware."

  • by bmo ( 77928 ) on Saturday June 15, 2013 @11:58PM (#44019505)

    Because they keep being screwed by things like this all the time and there is no rioting band of geeks with pitchforks and shovels and rakes (and implements of destruction /Guthrie) demanding that this be removed from Windows.

    >autorun.inf

    The most dangerous thing to ever come out of a computer company. That this feature made it past review demonstrates the utter disregard for the most basic security at all, especially since boot sector worms had been around for years in DOS and Win3.1 before Win95 ever graced us with its presence. Since Windows 95, it's been trivial to write auto executing code because Microsoft deliberately yanks down the pants and underwear of the end user and says "Go to it!"

    The fact that autorun still exists in modern versions of Windows is even more telling. "Backwards compatibility" is more important than keeping users safe. Yes, I know that it's turned off by default since Vista, but the option to turn it on should never be there in the first place. Autorun in The Year of Our Lord and Savior Jesus Christ Twenty-Thousand-And-Thirteen is beyond the pale.

    --
    BMO

  • Re:Windows Right? (Score:5, Insightful)

    by JDG1980 ( 2438906 ) on Sunday June 16, 2013 @12:25AM (#44019635)

    Yes. Whenever windows sees new data from any source, it immediately executes it... for security reasons ya know.

    Not really. That security hole was patched over four years ago [microsoft.com]. What does happen is that when removable media is installed, the user is prompted for what to do; this can include opening the folder to view the files, or running a setup file if one is present. Yes, if someone *chooses* to run the setup.exe file and it's infected, then they can get a virus or trojan. But that's part of the cost of having an open platform without executable signing. The only way to eliminate this risk would be to force the user into a walled garden. That may be feasible on smartphones and tablets, but it's not acceptable on workstations.

  • by JDG1980 ( 2438906 ) on Sunday June 16, 2013 @12:37AM (#44019689)

    >autorun.inf
    The most dangerous thing to ever come out of a computer company. That this feature made it past review demonstrates the utter disregard for the most basic security at all, especially since boot sector worms had been around for years in DOS and Win3.1 before Win95 ever graced us with its presence. Since Windows 95, it's been trivial to write auto executing code because Microsoft deliberately yanks down the pants and underwear of the end user and says "Go to it!"

    You're indulging in some 20/20 hindsight here. At the time Windows 95 was released, the only media that supported autorun.inf on insertion was CD-ROMs. (Floppy disks didn't do this, if only because the OS could not reliably detect when a disk was inserted in the drive.) Remember, at that time, CD-R drives were not mainstream computing devices; they were still very expensive and rare. (According to Wikipedia, the first CD-R drive under $1000 was not released until September 1995.) When Windows 95 was released, the idea was that only pressed CDs would autorun, and presumably MS thought that the vendors could be trusted not to ship malware. (The Sony rootkit scandal proved that was a mistake, but no one anticipated something like it at the time.) And let's be honest, in 1995, IT security wasn't really on the radar for home users.

    The real problem came with Windows XP. By this time, recordable CDs (and, later, DVDs) were commonplace. But Microsoft's biggest mistake was reusing their autorun code for other forms of removable media – such as thumb drives. Again, when thumb drives were first released, they were pretty expensive (I remember paying $100 for a 1GB thumb drive about a decade ago), so the best explanation is that Microsoft didn't think it likely someone would put malicious software onto a thumb drive and just leave it lying around or give it away – at the time, that would have been a rather costly strategy.

    Over time, as thumb drives became dirt-cheap, it was clear that allowing INF-based autorun on rewritable removable media was a bad idea. It probably shouldn't have taken Microsoft until 2009 to get rid of this. But the decisions made earlier in the process were not as clear-cut as you're making them out to be.

  • by Anonymous Coward on Sunday June 16, 2013 @12:49AM (#44019777)

    Nix isn't immune against malicious wares either. The only folks who believe it is are, either, misinformed or blatantly incompetent.

    Ease of use for end-users was how MS moved to become the dominant player. Any platform is subject to malicious intent and the propagation of said software. I appreciate nix but end-users still find it a struggle. Microsoft, at least, provides native management tools for hardening security, which is another reason its platforms remain the leader in the markets. You can't knock something for being susceptible to becoming vulnerable when its exposure is due to its wide adoption, that was spurred by bringing to the table the stuff competitive platforms continually lack. Nix has come a long way but it is still too fragmented to bring together the same level of native management tools that Microsoft's platform has to offer.

  • by anagama ( 611277 ) <obamaisaneocon@nothingchanged.org> on Sunday June 16, 2013 @01:33AM (#44019937) Homepage

    You're indulging in some 20/20 hindsight here. At the time Windows 95 was released, the only media that supported autorun.inf on insertion was CD-ROMs

    I don't think it would have taken any hindsight at all -- floppy based viruses predated CD-ROMs by a long time. If a virus could spread by floppy, why not a CDR?

  • by bmo ( 77928 ) on Sunday June 16, 2013 @01:35AM (#44019955)

    >The real problem came with Windows XP. By this time, recordable CDs (and, later, DVDs) were commonplace

    No, CD-Rs were commonplace by the time Windows 98 came out. I think there were more burned copies of Windows 98 than there were official pressed ones at that time. The first "under $1000" CD-R drive was in 1995, and 3 years to "affordability by ordinary people" in electronics had become the norm even then.

    Autorun from 1998 onward revived the spread of malware by removable media. Nobody was doing bootsector viruses on floppies anymore in 1998 because the number of people booting their machines with an OS floppy was minuscule. Autorun malware took the place of bootsector malware. It was so commonplace that it was recommended by everyone who knew anything about preventing the propagation of malware by pirated software that autorun be turned off.

    In 1998.

    Speaking of convenience, if a software install CDROM (you know, an official one) had an autorun.inf that didn't check to see if the software was already installed, the installer would start. If you merely wanted to pick a file off the CD, you had to cancel the install and open Explorer, rather than simply pop the disk in and browse the drive. This was even before the popularity of burned disks.

    While you can say this was the publisher's fault, it illustrates the dubious value of autorun even as an installation "feature"

    It took a full 10 years of autorun being a problem for it to be turned off in Vista instead of in a service pack or in 98SE and NT4. That shouldn't have happened, and autorun should now not even exist.

    --
    BMO

  • Re:Windows Right? (Score:2, Insightful)

    by Runaway1956 ( 1322357 ) on Sunday June 16, 2013 @05:47AM (#44020769) Homepage Journal

    "The only way to eliminate this risk would be to force the user into a walled garden."

    Yes, of course you are correct. It would be totally unfeasible just to disable autorun. I mean, I can't do that on Debian, or BSD, or Red Hat, or much of anything. And, it certainly can't be done on Windows. I wonder what would happen though, if autorun were just disabled? You know - a guy puts a removable media into his machine, and NOTHING HAPPENS!! How would the average person react to that? Would NO ONE open a file browser, and navigate to that media, and select that file he was interested in? NO ONE AT ALL?

    Then, having selected the file, would NO ONE ever bother to scan the file with a virus detecting tool? Would NO ONE open the file in a text editor, to see what it really is, as opposed to what it claims to be?

    "The only way to eliminate this risk would be to force the user into a walled garden."

    Sorry, Pal, but millions of Windows users with a clue can prove you wrong. And, millions more Linux and BSD users can prove you wrong again. The fact that most people have poorly configured systems does NOT make a case for a walled garden. Your walled garden is but one possible approach to solving the problem of poorly configured systems. That approach seems to work for some people. Another approach is to treat all removable media with suspicion, and just don't permit it to run anything on your system.

    One doesn't even require a modern machine, or a modern operating system to configure the system properly.

    I've never actually looked - can autorun just be uninstalled on a Windows system? I know that a lot of stuff can be. I excised huge pieces of Windows XP using Nlite.

  • by Runaway1956 ( 1322357 ) on Sunday June 16, 2013 @06:18AM (#44020847) Homepage Journal

    Hey now - you stress the "librarian" thing as if you expect librarians to be clueless. Not fair, I say. In my experience, about half of today's librarians are pretty savvy. Someone has to be administrator on library systems, after all, and in small towns, that will almost invariably be the librarian. Those little old frumpy ladies are generally pretty intelligent, and they don't make the same stupid mistakes repeatedly. Sure, some of them never really get the hang of it, but even those ladies can generally follow directions when given a rigid guideline to follow.

    Maybe I read your post incorrectly, maybe not. I just want to give librarians their due!

  • Re: Signed apps (Score:4, Insightful)

    by King_TJ ( 85913 ) on Sunday June 16, 2013 @08:10AM (#44021099) Journal

    One thing we've recently seen in my workplace is a Trojan horse virus embedded in a fake Flash player update which carries a valid Adobe signature.

    So even allowing only signed apps to install is no guarantee of security.

    The main difference with something like UAC versus Apple's Gatekeeper is that Apple made the effort to sell as many programs as possible in their own online store for the Mac, and Microsoft didn't really have an equivalent. So Apple was in a position to put something in place allowing only those store purchased items to be installed by end users (while admins of a box could still have less restrictive settings and load whatever they wished). This allows configuring a system with everything a user needs up front, but still giving the user freedom to buy and load a wide selection of programs after the fact, while ensuring they all come from a known, safe source.
