AutoRun Function – Security Risk

This piece may, quite frankly, be of absolutely no interest to many of you, as most do not even know what this is.  I believe that the AutoRun feature in Windows is a huge security risk, especially since the Conficker hullabaloo.  But now, don’t let me get ahead of myself.  First things first….

What is AutoRun?

AutoRun is a feature in Windows that lets you dictate what action your computer will take when a drive is mounted.  Meaning, when you insert or plug in a CD/DVD, thumb drive, or any other external data source, you can tell the computer what you want it to automatically do with it.  You can specify anything from automatically running or copying data off of the source to doing absolutely nothing.  The latter is my preference: when I plug a thumb drive into a USB port, I do not want the computer to do anything.  Unfortunately, Microsoft thought otherwise when it released XP and Vista.  Now in Microsoft’s defense, when XP was released it really was not such a big deal to have iTunes or Media Player open and start playing a CD as soon as it was loaded into the computer.  However, it has now become a real big security risk.  Conficker was originally spread using infected thumb drives.  Once an infected thumb drive is inserted into an AutoRun-enabled computer, the worm is copied and run automatically, without the user doing anything.  I want to see what is on the disk before anything is started.

This has been a venue for spreading malware for a long time.  In the early days, all malware was spread through infected floppy disks, as the internet was not a viable venue.  Now, however, let’s say that you visit the library or any other public location where a computer is available.  You do a search for some information and decide to download the info and put it on your thumb drive.  Well, if the computer that you are using is infected, now your thumb drive is also infected, so as soon as you plug it into your own AutoRun-enabled computer, your own computer is now infected.  From there you can spread the malware via email, IMs, etc., without even knowing it.  You get the gist.

So how do you disable this function?  Well, it is not for the faint of heart, as it requires making a registry change.  Now before we get started, let me tell you that editing the registry can be dangerous: changing the wrong registry entry could cause your computer to crash or, worse yet, not even boot.  So, if you are not adventurous, DO NOT ATTEMPT THIS!!!!  Also, you have to make sure your version of Windows is completely updated, because on an unpatched system this registry value is not fully honored.  If you are not sure whether you have all the updates, using Internet Explorer, go HERE to check.  (THIS IS IMPORTANT)

But for the courageous, like me, let’s start at the beginning.  Just in case, make sure all of your personal data (i.e. music, photos, documents, etc.) is backed up on an external drive.  If you are not sure, check out my post on backing up HERE.  The next thing that you need to do is back up your registry.  This is pretty simple.

In XP, click on the Start menu and select Run.  In the dialog box, type “regedit.exe” without the quotes, of course.  In Vista, click the Start menu and in the search box type “regedit.exe”, again without the quotes.  In both cases press Enter (Return).  From here the two operating systems have the same procedure.  In the left-hand pane of the window that opens, make sure that the My Computer (Computer, in Vista) entry is selected.  It will be all the way at the top.  DO NOT CLICK ON ANYTHING ELSE!!  Then in the menu bar, select File>Export, then select the location where you want to save this backup and the name of the backup.  I recommend just saving it to your desktop; you can move it later if you so choose.  Select Save, and the backup will be created.  Close the Registry Editor and restart your computer.  Once it restarts, make sure that the registry backup that you just made is on your desktop.  You may need it should something go horribly wrong with the next step: double-clicking the .reg file re-imports the saved entries.

Now it is time to get your hands dirty.  Do not attempt the following if you have not backed up your data and your registry.

I was going to explain how to navigate through the tree in the Registry Editor, and I do not mean this in a demeaning manner, but I decided against it: if you do not know how this is done, then you probably should not be attempting this.

OK, here we go.  In XP, click on Start>Run, and in the dialog box type “regedit.exe” (you already know not to use the quotes).  In Vista, click on Start, then in the search box type “regedit.exe”.  Now comes the fun.  From here you need to navigate to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Once there, double-click on the “NoDriveTypeAutoRun” value, which will be in the right-hand pane.

Now in the “Base” field, make sure that “Hexadecimal” is selected; it should be by default.  Then in the “Value data” box, change the value to “FF” (no quotes).  Then select OK and you are done.  Restart your computer.  Now when you plug in any external data device, like a CD/DVD, thumb drive, etc., your computer will do nothing.  You will need to navigate to it using My Computer (XP) or Computer (Vista) and open the files manually.  This gives you time to inspect the volume’s contents and scan it for malware before anything on it is run.  Security-wise, this is much safer than letting the drive do its thing as soon as it mounts, which may be to install malware.  You just never know.
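The same change, scripted, as an added example that is not part of the original post.  It backs up the Explorer policy key to a .reg file on the desktop (the same safety net as the File>Export step above), reports what the current NoDriveTypeAutoRun mask means drive type by drive type, and then writes the FF value the post recommends.  The bit meanings come from Microsoft’s documentation of this value: each set bit disables AutoRun for one drive type, so FF (all bits set) disables it everywhere, and the Windows default of 91 only disables it for unknown, network and reserved types, which is why removable drives are affected by default.  The script assumes a Windows machine with PowerShell and reg.exe available and is run by the user whose HKCU hive should change; the file name and function names are my own choices.

```powershell
# Added example (not from the original post): back up the Explorer policy key,
# decode the current NoDriveTypeAutoRun mask, and set it to 0xFF.
# Assumes Windows with PowerShell and reg.exe; run it as the user whose HKCU
# hive you want to change.

$PolicyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'

# Meaning of each bit in NoDriveTypeAutoRun (a set bit disables AutoRun for that type).
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown drive type' },
    @{ Bit = 0x02; Name = 'No root directory' },
    @{ Bit = 0x04; Name = 'Removable (USB sticks, floppies)' },
    @{ Bit = 0x08; Name = 'Fixed (hard disks)' },
    @{ Bit = 0x10; Name = 'Network' },
    @{ Bit = 0x20; Name = 'CD/DVD' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'Reserved' }
)

function Backup-ExplorerPolicyKey {
    # Hypothetical file name; reg.exe writes a .reg file that can be re-imported to undo the change.
    param([string]$OutFile = (Join-Path $env:USERPROFILE 'Desktop\ExplorerPolicy-backup.reg'))
    & reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' $OutFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed (reg.exe exit code $LASTEXITCODE)" }
    return $OutFile
}

function Get-AutoRunPolicy {
    # Returns the current mask, or $null when the value is absent (Windows default applies).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Show-AutoRunPolicy {
    param([int]$Mask)
    'NoDriveTypeAutoRun = 0x{0:X2}' -f $Mask
    foreach ($entry in $DriveTypeBits) {
        $state = if ($Mask -band $entry.Bit) { 'disabled' } else { 'ENABLED' }
        '  {0,-34} AutoRun {1}' -f $entry.Name, $state
    }
}

function Set-AutoRunDisabled {
    # 0xFF sets every bit: AutoRun off for all drive types, the value the post recommends.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value 0xFF -Type DWord
}

$backup = Backup-ExplorerPolicyKey
Write-Host "Registry backup written to $backup"

$current = Get-AutoRunPolicy
if ($null -eq $current) {
    Write-Host 'No explicit value set; the Windows default (0x91) applies, so removable drives AutoRun.'
} else {
    Show-AutoRunPolicy -Mask $current
}

Set-AutoRunDisabled
Write-Host 'After the change:'
Show-AutoRunPolicy -Mask (Get-AutoRunPolicy)
```

A reboot (or at least a log-off) is still needed for Explorer to pick the new value up, exactly as the post says.  If the same value exists under HKEY_LOCAL_MACHINE at the matching Policies\Explorer path, that machine-wide setting wins over the per-user one, so on a shared PC it is worth checking there too (that needs an elevated prompt).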

Wow, that got pretty geeky.

WHAT FUN!!!!
