Microsoft doctors AutoRun in Windows 7 to stymie Conficker

More

Conficker Worm

• Researchers turn Conficker's own P2P protocol against itself
• Conficker botnet could flood Web with spam
• IT was ready for April 1 Conficker attack
• Conficker, the Internet's No. 1 threat, gets an update
• IT Blogwatch: Conficker botnet wakes up and smells the coffee
• Conficker's makers lose big, expert says
• Conficker activation passes quietly, but threat isn't over
• FAQ: Just the facts on Conficker

More: Malware Knowledge Center

Computerworld - Prompted by the spread of the Conficker worm through infected USB drives, Microsoft Corp. will unveil changes in next week's public Windows 7 Release Candidate that are designed to stymie such hacker strategies.

But Microsoft, which has promised to update the operating systems currently being used by customers -- Windows XP and Vista -- with a similar change at some point, has not set a timeline for that task.

In four different company blogs -- including a trio of security blogs, as well as one devoted to Windows 7 -- Microsoft spelled out how it has modified AutoRun and AutoPlay, a pair of technologies originally designed for CD-ROM content, to keep malware from silently installing on a victim's PC.

"Windows will no longer display the AutoRun task in the AutoPlay dialog for devices that are not removable optical media (CD/DVD) because there is no way to identify the origin of these entries," Arik Cohen, a program manager on the Windows 7 team, said in the entry on the Engineering Windows 7 blog.

AutoRun is the technology that starts some programs automatically when a CD, DVD or other media is inserted. One of its most common uses is to start an installation program when a user puts a CD into the optical drive.

AutoPlay, on the other hand, is the Windows feature that lets a user pick which program starts when a specific type of media, like a DVD containing photos, is inserted.

Conficker leveraged both. The worm, which first appeared in November 2008 and exploded in January 2009 -- in part because a new variant added the ability to spread using USB flash drives -- copied a malicious "autorun.inf" file to any USB storage device that was connected to an infected machine. It then spread to any other PC if the user connected the device to another computer, then picked the "Open folder to view files" option under "Install or run program" in the AutoPlay dialog. (Conficker also spread to a PC if the user had earlier told AutoRun to make that choice by default.)

To stop Conficker, as well as other malware that spreads by exploiting AutoRun and AutoPlay, Microsoft changed Windows 7 so that the AutoPlay dialog no longer lets users run programs -- except when the device is a nonremovable optical drive, in other words, a CD or DVD drive. A flash drive connected to a Windows 7 PC, for instance, will only let the user open a folder to browser a list of files.

"The new changes will no longer expose the AutoRun entries in the dialog unless it is removable optical media (CD/DVDs)," said Jimmy Kuo and Huzefa Mogri, two security researchers at Microsoft's malware protection center. "So, if a USB drive is inserted into a machine, the AutoRun choice will no longer be shown."