"J. P. Gilliver (John)" <> wrote:
> <> writes:
>>"Robin Chapple" <> wrote:
>>> My DVD drive no longer recognises a program disk when inserted. I have
>>> to find the EXE file myself. Then it will load the program.
>>> How do I fix that?
>>Are you complaining that the system is not opening the folder for the root
>>of the disk, or that it's not automatically executing a program from the
>>disk?
>>If the latter, I'll recommend being thankful that it's working the way it
>>does. I'll note that my work involves enterprise-level IT but from any
>>viewpoint the autorun "feature" is a security problem that's quite popular
>>among malware distributors[*]. It's certainly a convenience *if* you are
>>absolutely certain that *any* disk (including USB key) you insert is
>>uninfected...but are you willing to make that assumption for every disk in
>>your future?
> Yes, but CD distribution of malware is _probably_ quite rare these days
> (though I guess it does still happen). And isn't it possible to enable
> autorun only on some drives (such as the optical drive but not pen
> drives)?
I'll agree that the risk of infection from optical disks ** commercially
manufactured by a well-known company ** is low - nonzero, but low. If
you're using pirated software (knowingly or otherwise) the risk goes up,
sometimes significantly.
If you're inserting a field-burned disk, unless you personally burned it -
and maybe not even then - you're in a crapshoot. (Consider downloading an
ISO file and burning it to a disk - do you routinely look at the contents of
the ISO file beforehand?)
And yes, you can specify the drive letters that are permitted to invoke
autorun (see the KB article I cited for details).
Incidentally, I'll concede before anyone points it out that a good
signature-based antivirus program will scan the file read from the optical
disk before allowing it to be given control for execution. Unfortunately,
while I'll agree that signature-scanning antivirus programs should be
installed, malware writers have for some time been using code sequences that
produce the same result with several different instruction sequences
("polymorphic code"). For example, the three trivial pseudocode examples
below generate the same functional result (ignoring boundary cases):
Load register X from abc
Add 3 to X

Load register X from abc
Subtract -3 from X

Load register X from abc
nop
nop
nop
nop
Add 3 to X
so if malware is detected based on the signature of the first example, the
second and third will not be detected.
I've recently noted elsewhere in a.f.c that some of the malware writers are
clearly capable of producing incredibly sophisticated attacks; I've seen
some incidents where investigators who are among the best in the field
haven't figured out everything the malware does even after a couple of years
of reverse engineering.
A bit of paranoia on the part of computer users isn't a bad idea.
>>OK...that being said, you might want to look at KB967715
>>http://support.microsoft.com/kb/967715 where about a third of the way
>>through the article you'll find instructions on configuring autorun for
>>Windows 7. You've probably guessed that my strong recommendation is that
>>you ensure that it's disabled for all media.
>>[*] A common, and (sadly) usually successful, attack used by pen testers is
>>to create what might be called "proof of concept" malware that makes its
>>presence known but doesn't do anything bad, then put that malware on several
>>USB drives and scatter them in the parking lot of the organization that
>>hired them to test its security. Even if company policy requires that
>>autorun be turned off one can usually find a few rogue machines where it's
>>enabled, and where the user gives no thought to inserting a drive he has
>>picked up from the pavement.
>
> Isn't that also used by real malware (such as spying) agents?
Absolutely. That's why the pen testers need to rub the noses of their
customer's managers in the dirt to get them to recognize the vulnerability.
Joe
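The point Joe makes about signature scanning and polymorphic code can be shown concretely. The following is an added example, not code from anyone in this thread: a toy "instruction set" modelled on the three pseudocode variants above, a naive text-signature matcher that only recognises the first variant, and a matcher that normalises the instruction stream first (drops nops, folds "Subtract -n" into "Add n") and so recognises all three. The instruction syntax, the function names and the choice of the first variant as the "signature" are assumptions made for illustration.

```python
"""Added example (not from the original posting): why a verbatim signature
misses trivially rewritten code, and how a small normalisation pass closes
that particular gap.  The instruction set is a constructed toy modelled on
the three pseudocode variants in the thread; the function names and the
'malicious' signature are assumptions for illustration only."""

import re
from typing import List, Tuple

# Constructed input: the three functionally equivalent variants from the thread.
VARIANT_1 = ["Load register X from abc", "Add 3 to X"]
VARIANT_2 = ["Load register X from abc", "Subtract -3 from X"]
VARIANT_3 = ["Load register X from abc", "nop", "nop", "nop", "nop", "Add 3 to X"]
# Constructed input: unrelated code that must not match either way.
BENIGN = ["Load register X from xyz", "Add 3 to X"]

# Assumed signature: the first variant, taken literally (what a naive
# signature-based scanner would have on file).
SIGNATURE = tuple(VARIANT_1)

Instr = Tuple[str, ...]


def parse(line: str) -> Instr:
    """Turn one pseudocode line into a canonical tuple.

    'Subtract -3 from X' and 'Add 3 to X' both become ('add', 3, 'x'),
    because they have the same effect on the register.
    """
    line = line.strip().lower()
    if line == "nop":
        return ("nop",)
    m = re.fullmatch(r"load register (\w+) from (\w+)", line)
    if m:
        return ("load", m.group(1), m.group(2))
    m = re.fullmatch(r"(add|subtract) (-?\d+) (?:to|from) (\w+)", line)
    if m:
        n = int(m.group(2))
        if m.group(1) == "subtract":
            n = -n  # subtracting a negative is adding the positive
        return ("add", n, m.group(3))
    raise ValueError(f"unrecognised instruction: {line!r}")


def naive_match(code: List[str], sig=SIGNATURE) -> bool:
    """Verbatim signature: does the exact line sequence appear in code?"""
    n = len(sig)
    return any(tuple(code[i:i + n]) == tuple(sig)
               for i in range(len(code) - n + 1))


def normalise(code: List[str]) -> List[Instr]:
    """Canonical instruction stream: nops removed, arithmetic folded."""
    return [ins for ins in map(parse, code) if ins != ("nop",)]


def semantic_match(code: List[str], sig=SIGNATURE) -> bool:
    """Signature match performed on the normalised stream instead of text."""
    s = normalise(list(sig))
    c = normalise(code)
    n = len(s)
    return any(c[i:i + n] == s for i in range(len(c) - n + 1))


def scan_all() -> dict:
    """Run both matchers over every sample; useful for a quick comparison."""
    samples = {"variant_1": VARIANT_1, "variant_2": VARIANT_2,
               "variant_3": VARIANT_3, "benign": BENIGN}
    return {name: (naive_match(code), semantic_match(code))
            for name, code in samples.items()}


if __name__ == "__main__":
    for name, (naive, semantic) in scan_all().items():
        print(f"{name:10s} naive={naive!s:5s} normalised={semantic}")
```

The normalisation here only undoes the two rewrites the post names (nop padding and sign-flipped arithmetic); real polymorphic engines go much further, which is why a scanner that relies solely on byte signatures will always lag behind, and why Joe's advice to keep autorun off, so that nothing on the disk runs until you have chosen to run it, removes a whole class of exposure rather than depending on the scanner winning that race.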