It must have seemed like a good idea at the time. Automatically launch a program that’s been discovered by the computer. You don’t have to waste a bunch of mouse clicks to get your music CD or movie DVD to play. Well, the bad guys think AutoPlay is a good idea, too. Actually they think it’s a great idea and they take advantage of it a lot more than you and I do. Sality, Silly, and even Downadup are all examples of threats that leverage the AutoPlay feature. Ben Nahorney has written about this in the past.
Of course, it’s not the CDs or DVDs that are carrying the threats. It’s USB drives. Banning USB drives seems like a solution, but it’s not practical. I’m not going to stop using mine and I suspect you won’t give up yours, either. So it’s kind of hypocritical to expect your users to do it. There is software available to prevent clients from being able to use USB drives. That would work if you can get away with that kind of policy at your company. The same software can also just prevent files on a USB drive from being executed. That sounds pretty good to me—if it works in your organization, do it. But, there is another pretty simple solution as well.
I say simple. Until a few days ago, it actually wasn’t. A bug prevented the NoDriveTypeAutoRun registry key from actually doing the job: you could flip the bit to turn off AutoPlay, but it wouldn’t actually shut it down. The good news is that it’s been fixed—Microsoft released a solution. Wait, you think turning off AutoPlay isn’t a security issue? On Tuesday, Microsoft announced the bug fix as a Security Advisory. Details here: http://www.microsoft.com/technet/security/advisory/967940.mspx. For complete instructions on how to apply the patch and make Group Policy settings changes, look here: http://support.microsoft.com/kb/967715. These instructions will help you get AutoPlay turned off throughout your organization.
And, don’t forget your network servers. If a file server gets infected with Downadup and a bunch of other malicious code installs itself on shared drives, it’s just waiting for clients to connect. Then, with the help of AutoPlay, the malware launches itself onto every client machine that maps to the drive. That’s a lot faster than waiting for a USB drive to get passed around.
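As an added example (not part of the original post), here is a PowerShell audit that reads NoDriveTypeAutoRun from the machine and user policy keys, decodes which drive types still have AutoRun enabled (removable and network drives are the two this post cares about), and a helper that sets the value to 0xFF for every drive type. It assumes an elevated Windows PowerShell 3 or later session; because of the bug described above, a value of 0xFF only means something on a host that already has the Microsoft fix applied.

```powershell
# Added example, not from the original post. Audits and sets NoDriveTypeAutoRun.
# Assumes an elevated PowerShell 3+ session on a host with the Microsoft fix installed.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
# One bit per drive type, numbered the way GetDriveType numbers them (1 shl type).
$DriveTypeBits = @{
    'Unknown'   = 0x01
    'NoRootDir' = 0x02
    'Removable' = 0x04   # USB drives, the carriers this post is about
    'Fixed'     = 0x08
    'Network'   = 0x10   # mapped shares, see the infected file server point above
    'CDROM'     = 0x20
    'RAMDisk'   = 0x40
    'Reserved'  = 0x80
}
$DisableAll = 0xFF      # every bit set: AutoRun off for all drive types

function Get-AutoRunPolicy {
    # Returns one object per hive showing the raw value and what is still enabled.
    foreach ($path in $PolicyPaths) {
        $item  = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $value = if ($item) { [int]$item.NoDriveTypeAutoRun } else { $null }
        $stillEnabled = @()
        foreach ($entry in ($DriveTypeBits.GetEnumerator() | Sort-Object Value)) {
            # A clear bit (or no value at all) means AutoRun still fires for that type.
            if ($null -eq $value -or (($value -band $entry.Value) -eq 0)) { $stillEnabled += $entry.Key }
        }
        $display = if ($null -eq $value) { 'not set' } else { '0x{0:X2}' -f $value }
        [pscustomobject]@{
            Hive                   = $path.Split(':')[0]
            NoDriveTypeAutoRun     = $display
            AutoRunStillEnabledFor = ($stillEnabled -join ', ')
            Compliant              = ($null -ne $value -and (($value -band $DisableAll) -eq $DisableAll))
        }
    }
}

function Set-AutoRunDisabled {
    # Local equivalent of the Group Policy change from the KB: write 0xFF to the machine key.
    $path = $PolicyPaths[0]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name NoDriveTypeAutoRun -PropertyType DWord -Value $DisableAll -Force | Out-Null
}

Get-AutoRunPolicy | Format-Table -AutoSize
```

Run Get-AutoRunPolicy before and after Set-AutoRunDisabled (or after the Group Policy rollout) and check that the Network and Removable entries drop out of the AutoRunStillEnabledFor column on every host.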
AutoPlay. Turn the darn thing off. I have, and I can live without it.