Feeds

Malware abusing Windows Autorun plummets

You'll never guess why

SANS - Survey on application security programs

Microsoft saw a sharp drop in malware infections that exploit a widely abused Windows Autorun feature almost immediately after it was automatically disabled in earlier versions of the operating system.

As measured by Microsoft's various antimalware programs, Windows XP and Vista suffered 1.3 million fewer infections in the three months following February's retirement of Autorun compared with the three month preceding the change. By last month, attacks hitting Vista machines plummeted 74 percent and fell by 59 percent for those running XP.

Entire families of malware – including Conficker, Taterf, and Rimecud – owe much of their prominence to Autorun, which was designed to make life easier for users by executing code embedded on thumb drives when they were attached to a computer without first prompting the user. Worms and trojans have been abusing the feature for more than a decade to propagate malicious payloads each time an infected drive was inserted.

Microsoft finally killed much of Autorun in Windows 7, but users who wanted to disable the feature in earlier Windows OSes had to make manual changes to their system registry or install a hot fix on Microsoft's website. All of that changed in February, when the company's security team finally began pushing out an automatic update that made the change the default behavior in all supported versions of Windows.

As of last month, Microsoft saw a little more than 400,000 infections by malware that abused the feature, down from a peak of about 1.8 million in June 2010, as shown in the chart below, which Microsoft provided on Tuesday. Almost immediately after the update was released, Microsoft saw a similarly drop in infection attempts, although it wasn't quite as precipitous.

Chart showing infections targeting autorun

Source: Microsoft

What took so long?

The data raises the obvious question: If automatically retiring Autorun reaped such clear benefits, why didn't Microsoft do it years ago?

“There was a lot of work in the industry to get people moved over to new technology built into Windows, and we felt that we had finally got to that point where the industry was in agreement with us that it was time to push it out to everybody,” Jerry Bryant, group manager in Microsoft's Response Communications, told The Reg.

The delay demonstrates one of the challenges that comes when a company commands a market share as massive as Microsoft's Windows. Changes that clearly benefit users have to be weighed against the inconvenience of hardware and software partners, whose embrace is part of the reason Windows is as widely used as it is.

Even now, Autorun hasn't been completely disabled. Windows will dutifully execute code embedded into CDs and DVDs that are inserted into computers. To date, malware criminals have shown little interest in exploiting the weakness, but its survival is a reminder of the tradeoffs that come from keeping users secure. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.