Feeds

Malware abusing Windows Autorun plummets

You'll never guess why

Securing Web Applications Made Simple and Scalable

Microsoft saw a sharp drop in malware infections that exploit a widely abused Windows Autorun feature almost immediately after it was automatically disabled in earlier versions of the operating system.

As measured by Microsoft's various antimalware programs, Windows XP and Vista suffered 1.3 million fewer infections in the three months following February's retirement of Autorun compared with the three month preceding the change. By last month, attacks hitting Vista machines plummeted 74 percent and fell by 59 percent for those running XP.

Entire families of malware – including Conficker, Taterf, and Rimecud – owe much of their prominence to Autorun, which was designed to make life easier for users by executing code embedded on thumb drives when they were attached to a computer without first prompting the user. Worms and trojans have been abusing the feature for more than a decade to propagate malicious payloads each time an infected drive was inserted.

Microsoft finally killed much of Autorun in Windows 7, but users who wanted to disable the feature in earlier Windows OSes had to make manual changes to their system registry or install a hot fix on Microsoft's website. All of that changed in February, when the company's security team finally began pushing out an automatic update that made the change the default behavior in all supported versions of Windows.

As of last month, Microsoft saw a little more than 400,000 infections by malware that abused the feature, down from a peak of about 1.8 million in June 2010, as shown in the chart below, which Microsoft provided on Tuesday. Almost immediately after the update was released, Microsoft saw a similarly drop in infection attempts, although it wasn't quite as precipitous.

Chart showing infections targeting autorun

Source: Microsoft

What took so long?

The data raises the obvious question: If automatically retiring Autorun reaped such clear benefits, why didn't Microsoft do it years ago?

“There was a lot of work in the industry to get people moved over to new technology built into Windows, and we felt that we had finally got to that point where the industry was in agreement with us that it was time to push it out to everybody,” Jerry Bryant, group manager in Microsoft's Response Communications, told The Reg.

The delay demonstrates one of the challenges that comes when a company commands a market share as massive as Microsoft's Windows. Changes that clearly benefit users have to be weighed against the inconvenience of hardware and software partners, whose embrace is part of the reason Windows is as widely used as it is.

Even now, Autorun hasn't been completely disabled. Windows will dutifully execute code embedded into CDs and DVDs that are inserted into computers. To date, malware criminals have shown little interest in exploiting the weakness, but its survival is a reminder of the tradeoffs that come from keeping users secure. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.