Flash drive infections - part 1

Flash drive infections - this term can apply to infections spreading through any removable media or device, such as USB flash drives or memory cards. Infections of this type take advantage of the AutoRun/AutoPlay feature in Windows.

AutoRun, a feature of Windows Explorer introduced in Windows 95, enables media and devices to launch programs by means of commands listed in a file called autorun.inf, stored in the root directory of the medium.
AutoPlay is a feature introduced in Windows XP which examines removable media and devices and, based on content such as pictures, music or video files, launches an appropriate application to play or display that content. If an autorun.inf file is present, its settings can add entries to the options presented to the user.

How can you get infected? Pretty easily, which is why we have seen so many infections lately using this method to spread to more and more computers, or to reinfect a machine whose system drive has just been reformatted (Sality and the Conficker worm, for example). Your computer or removable device can be infected without you noticing, unless you know what to look for. So, let's take a closer look.

This is what you may see when you plug your flash drive into a USB port on your computer:

(image autorun1: the normal AutoPlay dialog for a clean flash drive)

(or, in English: link (Wikipedia))
However, when your flash drive is infected, you may notice something different
(source of the second image: link - isc.sans.org):

(image autorun24: the AutoPlay dialog for an infected flash drive, with an extra "Open folder to view files" entry under "Install or run program")

It tricks the user into installing or running a program - in most cases a malicious one. The extra entry is designed to look like Explorer's own "Open folder to view files", but it is the autorun.inf that supplies it. Clicking the real Open folder to view files entry under General options won't execute the code.
However, you're not safe yet unless you have disabled Autorun. A malicious program can still be run when you open the drive from Windows Explorer (either a removable drive or an infected partition): the commands listed in the autorun.inf file will be executed with minimal contribution from you - a double-click on the drive icon is enough, because autorun.inf can also redefine the drive's default action and its context menu. This is shown well in the images on US-CERT's page.

Note: autorun.inf files are not necessarily bad - they can be used for both legitimate and malicious purposes. Such files are also used on CDs with programs or games - they tell the system to proceed with the installation of an application. Another example is the autorun.inf file used by the U3 platform.
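The distinction above (an autorun.inf that merely sets an icon or label versus one that launches code, and one that additionally copies Explorer's own menu text) is easy to check by hand before trusting a drive. The script below is an added example, not code from this article or from any of the tools it names. It parses the [autorun] section the way the Windows INI reader does (key=value lines only; junk lines are skipped) and reports the directives that can execute something: open=, shellexecute=, shell\verb\command= and shell= (which makes a verb the default action for a double-click). The two sample files are constructed for the example; the DLL and folder names in them are hypothetical.

```powershell
# Added example (not from the original article): triage the directives in an
# autorun.inf. Sample inputs are constructed; payload.dll and RECYCLER are hypothetical.

function Get-AutorunDirectives {
    param([Parameter(Mandatory)][string]$Content)
    $section = ''
    foreach ($rawLine in ($Content -split "`r?`n")) {
        $line = $rawLine.Trim()
        # Blank lines, comments and lines without '=' are ignored, as the INI parser ignores them
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $matches[1].ToLower(); continue }
        if ($line -match '^([^=]+)=(.*)$') {
            [pscustomobject]@{
                Section = $section
                Key     = $matches[1].Trim().ToLower()
                Value   = $matches[2].Trim()
            }
        }
    }
}

function Test-AutorunInf {
    param([Parameter(Mandatory)][string]$Content)
    $launch = @()
    $mimics = $false
    foreach ($d in Get-AutorunDirectives -Content $Content) {
        if ($d.Section -ne 'autorun') { continue }
        switch -Regex ($d.Key) {
            # open= and shellexecute= are what AutoRun/AutoPlay executes directly
            '^(open|shellexecute)$'    { $launch += "$($d.Key)= runs '$($d.Value)'" }
            # shell\<verb>\command= adds a verb to the drive's right-click menu
            '^shell\\[^\\]+\\command$' { $launch += "context-menu verb $($d.Key) runs '$($d.Value)'" }
            # shell= makes that verb the default, i.e. what a double-click in Explorer does
            '^shell$'                  { $launch += "default verb set to '$($d.Value)' (double-click runs it)" }
            # action= text copying Explorer's own entry is the social-engineering part
            '^action$'                 { if ($d.Value -match 'open folder') { $mimics = $true } }
        }
    }
    [pscustomobject]@{
        LaunchesCode   = ($launch.Count -gt 0)
        MimicsExplorer = $mimics
        Findings       = $launch
    }
}

function Test-DriveAutorun {
    param([Parameter(Mandatory)][string]$Root)   # e.g. 'E:\'
    $path = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    # -Force: infected drives usually mark the file Hidden and System
    Test-AutorunInf -Content (Get-Content -LiteralPath $path -Raw -Force)
}

# Constructed sample modelled on the trick described above: the entry is labelled
# like Explorer's "Open folder to view files" but runs a DLL from a hidden folder.
$infected = @'
[autorun]
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
shellexecute=rundll32.exe .\RECYCLER\payload.dll,Start
shell\open\command=rundll32.exe .\RECYCLER\payload.dll,Start
shell=open
'@

# Constructed sample of a legitimate product CD: it launches code too, which is
# why the check reports what the file can do rather than whether it is malicious.
$productCd = @'
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product CD
'@

Test-AutorunInf -Content $infected     # LaunchesCode: True, MimicsExplorer: True, 3 findings
Test-AutorunInf -Content $productCd    # LaunchesCode: True, MimicsExplorer: False, 1 finding
```

Run it against a mounted drive with `Test-DriveAutorun -Root 'E:\'` on a machine where Autorun is already disabled (see below), or better, from a non-Windows system, since plugging an unknown drive into an unpatched Windows box is exactly the exposure this article is about. A result with LaunchesCode true and MimicsExplorer true is a strong sign of the infection shown in the second image; LaunchesCode alone is what every installer CD does.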

So, what is the solution? You just need to disable Autorun in Windows, so that your system ignores the commands listed in autorun.inf files. You then won't get infected unless you execute a malicious program manually.

Disable Autorun/Autoplay

Note: the information presented below may be a little outdated and is for reference only. Since February 8, 2011, Microsoft has been offering, through Microsoft Automatic Updates, this hotfix: Update to the AutoPlay functionality in Windows:

This update disables AutoRun entries in AutoPlay, and displays only entries that are populated from CD and DVD drives. Effectively, this prevents AutoPlay from working with USB media.

It restricts AutoPlay functionality to only CD and DVD media on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. In other words, it will work the same as in Windows 7: Improvements to AutoPlay.

There are several methods to disable Autorun/Autoplay in Windows. One of the simplest (and effective) methods is the one presented on Nick Brown's blog:

All you do is to copy these three lines into a file called NOAUTRUN.REG (or anything.REG) and double-click it.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

This hack tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application: every request for its contents is redirected to a registry key that does not exist, so the file is never actually read, whatever drive type it sits on.

Another method, provided you have Microsoft Windows update KB967715 or KB953252 installed (or KB950582), is to disable Autorun directly through Group Policy settings or the registry. The update matters: without it, Windows did not honour the NoDriveTypeAutoRun setting properly for autorun.inf on removable drives (see the US-CERT note in Additional reading), which is why the IniFileMapping hack above is still worth applying alongside it.
For most versions of Windows Vista (through Group Policy settings):

1. Click Start, type Gpedit.msc in the Start Search box, and then press ENTER.

If you are prompted for an administrator password or for confirmation, type the password, or click Allow.

2. Under Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Autoplay Policies.
3. In the Details pane, double-click Turn off Autoplay.
4. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
5. Restart the computer.
For Windows XP Professional and Windows 2000 (through Group Policy settings):
1. Click Start, click Run, type Gpedit.msc in the Open box, and then click OK.
2. Under Computer Configuration, expand Administrative Templates, and then click System.
3. In the Settings pane, right-click Turn off Autoplay (or Disable Autoplay in Windows 2000), and then click Properties.
4. Click Enabled, and then select All drives in the Turn off Autoplay box to disable Autorun on all drives.
5. Click OK to close the Turn off Autoplay Properties dialog box.
6. Restart the computer.
The Home editions of Windows Vista and Windows XP Home Edition do not include Gpedit.msc, so there we need to modify the registry to disable Autorun (consider backing up the registry first: link):
1. In Windows XP: click Start, click Run, type regedit in the Open box, and then click OK. /
or in Windows Vista: click Start, type regedit in the Start Search box, and then press ENTER.
2. Locate and then click the following key in the registry (the Policies\Explorer key under HKEY_LOCAL_MACHINE applies to all users; the same value under HKEY_CURRENT_USER applies to the current user only):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

3. Right-click NoDriveTypeAutoRun, and then click Modify. If the value does not exist, create it first (Edit > New > DWORD Value, named NoDriveTypeAutoRun).
4. In the Value data box, type 0xFF to disable Autorun on all types of drives (recommended). Registry Editor expects a DWORD: with Hexadecimal selected, this is entered as ff (255 in decimal). The value is a bit mask with one bit per drive type, so to selectively disable specific drives use a different value as described in the "How to selectively disable specific Autorun features" section of Microsoft's article.
5. Click OK, and then exit Registry Editor.
6. Restart the computer.
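The Group Policy and regedit steps above and Nick Brown's .reg file all come down to two registry changes. The script below is an added example, not Microsoft's or Nick Brown's own code: it applies both from an elevated PowerShell prompt (PowerShell 3 or later) and reads them back so you can confirm what is actually set, which is useful on a machine where you are not sure which of the methods was used before. Log off or reboot afterwards, as the steps say. The bit values in the comment are those documented for NoDriveTypeAutoRun.

```powershell
# Added example (not from the original article): apply and verify the two
# registry settings that disable Autorun. Run from an elevated prompt.

$PoliciesKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IniMapKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Disable-Autorun {
    # NoDriveTypeAutoRun is a bit mask of drive types for which AutoRun is off:
    # 0x01 unknown, 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM,
    # 0x40 RAM disk, 0x80 unknown. 0xFF sets every bit, i.e. all drive types.
    if (-not (Test-Path -LiteralPath $PoliciesKey)) { New-Item -Path $PoliciesKey -Force | Out-Null }
    New-ItemProperty -LiteralPath $PoliciesKey -Name 'NoDriveTypeAutoRun' `
        -PropertyType DWord -Value 0xFF -Force | Out-Null

    # Nick Brown's IniFileMapping entry: lookups of autorun.inf's contents are
    # redirected to a registry key that does not exist, so the file is never read.
    if (-not (Test-Path -LiteralPath $IniMapKey)) { New-Item -Path $IniMapKey -Force | Out-Null }
    Set-ItemProperty -LiteralPath $IniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-AutorunDisabled {
    $mask = (Get-ItemProperty -LiteralPath $PoliciesKey -Name 'NoDriveTypeAutoRun' `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $map  = (Get-ItemProperty -LiteralPath $IniMapKey -Name '(default)' `
                -ErrorAction SilentlyContinue).'(default)'
    $maskText = '(not set)'
    if ($null -ne $mask) { $maskText = '0x{0:X2}' -f $mask }
    [pscustomobject]@{
        NoDriveTypeAutoRun = $maskText
        RemovableBlocked   = [bool]($mask -band 0x04)   # the bit that matters for flash drives
        AllDrivesBlocked   = ($mask -eq 0xFF)
        AutorunInfMapped   = ($map -eq '@SYS:DoesNotExist')
    }
}

Disable-Autorun
Test-AutorunDisabled
```

If the machine is domain-joined, a Group Policy setting "Turn off Autoplay" will overwrite the NoDriveTypeAutoRun value at the next policy refresh, so check the result of Test-AutorunDisabled again after a gpupdate rather than trusting the write alone. The IniFileMapping entry is not managed by that policy and stays in place either way.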

Another method is to use an automated tool that disables Autorun for you.
Panda USB Vaccine is one such tool. It's very easy to use. It offers:
- Computer Vaccination - it will disable Autorun on the computer
- USB Vaccination - when applied to a USB drive (FAT and FAT32), the vaccine creates an innocuous AUTORUN.INF file and permanently blocks it, so that it cannot be read, created, deleted or modified. Malware trying to get onto your flash drive (or any other removable device) won't be able to replace that blocked autorun.inf file. So, even with malware files on the drive, the infection won't spread - you can safely plug your flash drive into other computers.

Autorun Protector is pretty similar to Panda's tool. With PC Protection enabled, Autorun is disabled - it uses the method presented by Nick Brown. Device Protection is similar to USB Vaccination; however, the method this program uses works better on drives with the NTFS file system.

Consequences of having Autorun disabled

According to Microsoft: You may notice a change in user experience for the drives for which Autorun is disabled. The double-click and right-click shortcut menu functionality might be different because the Autorun.inf file is no longer read.

Am I safe now?

Theoretically, yes - with Autorun disabled you're pretty safe. However, there are at least a few things to watch out for. Firstly, you can still get infected if you manually open an infected file (that's what antivirus programs are supposed to protect you against). Secondly, the 2011 update mentioned above leaves AutoPlay enabled for CD and DVD drives, and a U3-style flash drive presents part of itself as a virtual CD-ROM, so it is treated as one. Thirdly, the system may have cached Autorun information about devices which were connected in the past - it will 'remember' what to do when that device is connected once again.
That's why it is recommended to remove this cache by deleting the MountPoints2 key in the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 (repeat for each user)

Note: Autorun Protector has that option as well.
Note2: That key will get recreated (cache will be cleared, though) after reboot.
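Because MountPoints2 lives in each user's hive, deleting it under HKEY_CURRENT_USER only covers the account you are logged on as. The script below is an added example, not code from this article or from Autorun Protector: run elevated, it walks HKEY_USERS for every loaded user hive, lists what is cached (the subkey names are volume GUIDs and ##server#share entries, which on their own tell you which devices have been plugged in under that account) and then removes the key. Profiles that are not loaded are skipped; log those users on, or load their NTUSER.DAT with reg.exe load, and run it again.

```powershell
# Added example (not from the original article): list and clear the MountPoints2
# cache for every user whose hive is currently loaded. Run from an elevated prompt.

$MountPoints2 = 'Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-UserHives {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -Scope Global | Out-Null
    }
    # Only real user SIDs: skip .DEFAULT, the *_Classes hives and built-in accounts
    Get-ChildItem -Path HKU:\ -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
}

function Get-MountPoints2 {
    # One object per user, with the names of the cached volumes and shares
    foreach ($hive in Get-UserHives) {
        $key = "HKU:\$($hive.PSChildName)\$MountPoints2"
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{
                Sid     = $hive.PSChildName
                Entries = @(Get-ChildItem -LiteralPath $key | ForEach-Object PSChildName)
            }
        }
    }
}

function Clear-MountPoints2 {
    $cleared = @()
    foreach ($hive in Get-UserHives) {
        $key = "HKU:\$($hive.PSChildName)\$MountPoints2"
        if (Test-Path -LiteralPath $key) {
            Remove-Item -LiteralPath $key -Recurse -Force
            $cleared += $hive.PSChildName
        }
    }
    $cleared   # SIDs whose cache was removed; Explorer recreates the key empty
}

Get-MountPoints2
Clear-MountPoints2
```

Save the output of Get-MountPoints2 before clearing if you are investigating rather than just cleaning: once the key is gone, so is the record of which volumes that user had mounted.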

Additional reading:
- Memory stick worms (Nick Brown's blog)
- Microsoft Windows Does Not Disable AutoRun Properly (US-CERT)
- The Dangers of Windows AutoRun (Vulnerability Analysis Blog)
- How to disable the Autorun functionality in Windows (Microsoft)
- Panda USB and AutoRun Vaccine (PandaResearch Blog)
- Conficker's autorun and social engineering (isc.sans.org - Diary)
- in Polish: Infekcje z pendrive / mediów przenosnych ("Infections from flash drives / removable media", by picasso)
- Flash drive infections - part 2

Published: 30 May 2009
Updated: 28 April 2011