Video Screencast Help
Security Response

AutoPlay Worms

Created: 03 Dec 2008 17:02:51 GMT • Updated: 23 Jan 2014 18:38:45 GMT
Ben Nahorney's picture
+1 1 Vote
Login to vote

Banning the use of removable drives may sound like a strict IT policy. But when faced with a worm introduced to your network by such devices, it is the sensible thing to do. Recently, the US Department of Defense has done just that in order to protect their networks from such threats.

As the use of removable drives has increased, they have become a successful vehicle to enter a network and compromise computers. The ease of infection is facilitated by a feature within Windows called AutoPlay. Meant as a feature of convenience, AutoPlay allows programs to automatically launch when CDs, DVDs, removable drives, or any other form of storage is inserted into a computer. However, this convenience comes at a serious security cost, as described in the following video:

So how do you protect yourself from such rapidly spreading threats? Banning the use of removable media does reduce the risk. On many computers you can also disable the USB ports from within the computer’s BIOS, rendering the ports inert. At the very least, Symantec recommends disabling AutoPlay.

 

• If you are running Windows XP, you can download and install a Microsoft “Powertoy” called TweakUI. There are a number of options within TweakUI for customizing AutoPlay under My Computer > AutoPlay.

 

• If you are running Windows Vista, there is now a Control Panel applet dedicated to AutoPlay customization. To reach it, open the Control Panel and then go to Hardware and Sound > AutoPlay.

 

• If you are managing a network of computers, you can use the Group Policy editor to create Group Policy Objects to assign to your clients. In Windows 2000/XP/2003’s Group Policy editor, AutoPlay options are under Computer Configuration > Administrative Templates > System > Turn off AutoPlay. For Windows Vista/2008, go to Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies.

 

• Administrators using Symantec Endpoint Protection Manager have the option to disable programs from running from removable drives entirely. In the management console, go to Policies > Application and Device Control > Add an Application and Device Control Policy > Application Control, select Block Programs from running from removable devices and then push the changes out to your clients. Alternatively, you can prevent autorun.inf files from running entirely by following the instructions in this support document.

 

• Norton users- no need to do anything. By default, all Norton products that contain antivirus will scan removable drives when they are plugged into the computer.

 

• Sometimes AutoPlay doesn’t behave as expected after making changes. Microsoft has a knowledge base article that covers these situations and how to get AutoPlay working as you’d like it to.

 

• Finally, disable AutoPlay on network drives as well. While these worms are often introduced to the network via a removable device, many copy themselves to all drive letters on a compromised computer, regardless of the device type. When a compromised network drive is accessed, AutoPlay will launch the malicious code.

 

Completing any of these tasks should significantly reduce the risk posed by removable drives and help prevent you or your users from being an unwitting agent for spreading malicious code.