Notes on autorun.inf files in Windows.
AutoRun and the companion feature AutoPlay run software automatically upon insertion of a properly configured removable device. AutoRun and AutoPlay have been so widely abused by malware authors that Microsoft has over time chipped away at these features. Since February 2011, a properly patched copy of Windows XP, Vista, or Seven will ignore an autorun.inf file unless it is on a CD or DVD. Additionally, many consultants, myself included, recommend disabling the feature entirely. For these reasons AutoRun and AutoPlay are not to be relied upon.
When enabled, autorun.inf can instruct a computer to do any or all of the following:
- Automatically and silently run a specified program upon insertion of a removable device. The user is given no notice.
- Set a specified program or action to be the first option in the AutoPlay window. Autorun.inf can also specify the text and icon that accompanies the selection, including misleading information.
- Create new right-click associations, including redefining default associations. For example, the default “Open” association could be redefined to run any specified program instead of opening Windows Explorer as expected.
- Run a specified program if the device icon is double-clicked in Windows Explorer. The user is given no notice.
Some malware scanners attempt to flag malicious autorun.inf files; G-Data is one. An author of a legitimate autorun.inf should set it to read-only to keep over-zealous malware scanners from deleting it. Of course, now that most computers won’t execute autorun.inf except on CD or DVD, that point becomes largely moot.
Comments are indicated with a semicolon.
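An added example, not part of the original notes: a small Python auditor that reads an autorun.inf, skips semicolon comments, and reports the [autorun] entries behind the behaviours listed above, noting any value that points at the computer rather than the device. The sample file and its file names are constructed; the key names are the documented autorun.inf keys.

```python
import re

# [autorun] keys mapped to the behaviours they drive (documented key names).
NOTABLE = {
    "open": "runs a program on insertion or drive double-click",
    "shellexecute": "runs a program on insertion or drive double-click",
    "action": "sets the text of the first AutoPlay option",
    "icon": "sets the icon shown for the device",
    "shell": "redefines the default right-click verb",
}
# A drive letter or %VARIABLE% prefix points at the computer, not the device.
OFF_DEVICE = re.compile(r'^"?(?:[A-Za-z]:[\\/]|%[^%]+%)')
# Constructed sample for illustration; file names are placeholders.
SAMPLE = r"""
; constructed sample
[autorun]
open=setup.exe
action=Run installer
icon=%SystemRoot%\example.ico
shell\scan\command=tool.exe
shell=scan
"""

def audit_autorun(text):
    """Return (key, value, reason) for each notable [autorun] entry."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or whole-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        reason = NOTABLE.get(key)
        if key.startswith("shell\\") and key.endswith("\\command"):
            reason = "adds a right-click command"
        if reason is None:
            continue
        if OFF_DEVICE.match(value):
            reason += "; references a path on the computer"
        findings.append((key, value, reason))
    return findings

if __name__ == "__main__":
    print(*audit_autorun(SAMPLE), sep="\n")
```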
You are not limited to files on the removable device; you can reference files on the computer. For example, Conficker calls a default Windows icon:
General security references
Microsoft’s announcement that AutoRun and AutoPlay are disabled for all media save CDs and DVDs
For users who want it, Microsoft also has a Fix-It to restore AutoRun and AutoPlay for all removable media
Test your defenses against autorun.inf
Learning from the examples of malware
The Dangers of Windows AutoRun (US-CERT vulnerability analysis blog)
Additional details behind the CERT Registry patch
Autoplay and Windows 7 shows that version is vulnerable to autorun attacks, too
Microsoft Kills Windows Autorun On Win 2K, Vista & XP
How flash drives and social engineering can compromise networks (Microsoft TechNet) is old but still useful
This episode of Hak5 shows how easy an exploit of autorun can be
How Conficker uses autorun.inf and how it obfuscates its autorun.inf