Security firms warn of spreading Windows AutoRun malware

Antivirus vendors are warning customers of a spreading malware that can infect computers through a well-known bug in the Windows AutoRun software used to automatically launch programs on a DVD or USB device.

The significant increase in infection is curious because Windows 7 and Windows 8 PCs will not launch autorun.inf files, and Microsoft has released two patches for older systems. Therefore, security experts believe infections are happening through a combination of unpatched computers, shared folders and files and social media.

Someone inserting a USB drive or memory stick carrying the malware can infect unpatched PCs. On other systems, an infection can occur once the malware travels to a network share and someone clicks on an infected file or folder. Trend Micro reported that malware was also spreading on Facebook.

Other vendors tracking the malware include McAfee, Symantec and Sophos. While it is interesting that cybercriminals are still exploiting a four-year-old AutoRun bug, Sophos says most corporate PCs are being infected through network sharing.

Clicking the malware on Facebook would certainly open a quick path to a shared folder on a corporate network, said Chester Wisniewski, a senior security adviser for Sophos.

[How to: 10 commandments of Windows security]

"I would say the AutoRun part of it is probably not the source of the majority of infections," Wisniewski said on Friday. "It's just an interesting note that [criminals] are still using it. I think spreading through the file shares is probably the primary vector to get people in trouble."

Microsoft released an AutoRun patch in 2009, a month after the U.S. Computer Emergency Readiness Team (US-CERT) issued a warning that Windows 2000, XP and Server 2003 did not properly disable the feature. Microsoft had patched AutoRun a year earlier in Vista and Windows Server 2008.

The infamous Stuxnet malware created an autorun.inf file to infect computers via USB drives. Stuxnet, created jointly in 2009 by U.S. and Israel, reportsÃ'Â The New York Times, damaged Iranian nuclear facilities.

The latest malware disguises itself as files and folders in writeable network shares and removable devices, while hiding the originals. The application will also create .exe files named "porn" and "sexy" and a folder called "passwords," to entice people to click on them, Sophos said.

The malware adds a registry key, so it can start when a PC is booted up. Variants of the application will disable Windows Update to prevent the victim from downloading patches to disable the malware.

Once a PC is infected, the application follows the typical procedure for such malicious software. It contacts a command-and-control server for instructions and to receive other applications. Malware downloaded include Trojans in the Zeus/Zbot family, which steals online banking credentials, Sophos said

To combat the malware, security experts recommend disabling AutoRun on all Windows operating systems and restricting write permissions to file shares. Depending on the AV vendor, the malware has several names, including W32/VBNA-X, W32/Autorun.worm.aaeb, W32.ChangeUp and WORM_VOBFUS.

The latest outbreak arrives about a year and a half after Microsoft reported big declines in AutoRun infection rates. In the first five months of 2011, the number of AutoRun-related malware detected by Microsoft fell 59% on XP computers and 74% on Vista PCs, compared with 2010.

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsWindowsWindows 7operating systemsFacebooksophosMicrosoft WindowsmcafeesymantecData Protection | MalwareMicrosofttrend microWindows AutoRunlegalsoftwaredata protectioncybercrime

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place