    Webroot - Malicious autorun scripts on USBs

    • Deleted74295D
      Deleted74295 Banned
      last edited by scottalanmiller

      This happened on my own laptop.

      Plugged in a customer pen drive to find all files/folders had been replaced by shortcuts which opened the original file or folder but also launched a script. This behaviour repeated itself on other USB sticks plugged in, so something corrupted the autorun process.

      I also found this in the registry: HKEY_CURRENT_USER / Software / Microsoft / Windows / CurrentVersion / Run

      wscript.exe //D "C:\Users\BreffniPotter-DaraIT\AppData\Roaming\Microsoft Office\Microsoft Word.WsF"

      I'm using a policy which has all the features enabled and set to high.

      Opened a ticket with Webroot so will post back the reply.

      1 Reply Last reply Reply Quote 3
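As an added example (not part of the original post and not Webroot's or Avast's tooling), the Python below triages `Run`-key values like the one quoted in the post above, scoring each on script-host launch, script extension and user-writable location. The value names, the `example` user profile and the two-reason threshold are assumptions made for illustration.

```python
import ntpath
import shlex

SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
SCRIPT_EXTS = {".wsf", ".wsh", ".vbs", ".vbe", ".js", ".jse"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed sample values; the first is modelled on the entry quoted in the post.
SAMPLE_RUN_KEY = {
    "Microsoft Word": r'wscript.exe //D "C:\Users\example\AppData\Roaming\Microsoft Office\Microsoft Word.WsF"',
    "OneDrive": r'"C:\Users\example\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "VendorAgent": r'"C:\Program Files\Vendor\agent.exe" /tray',
}


def triage_run_value(command):
    """Return the reasons a Run-key command line deserves review."""
    try:
        # posix=False keeps backslashes literal; surrounding quotes are stripped by hand.
        tokens = [t.strip('"') for t in shlex.split(command, posix=False)]
    except ValueError:  # unbalanced quote, e.g. an apostrophe in a path
        tokens = command.split()
    if not tokens:
        return []
    reasons = []
    host = ntpath.basename(tokens[0]).lower()
    if host in SCRIPT_HOSTS:
        reasons.append("runs via Windows Script Host")
        # Host switches start with "//"; the first other argument is the script.
        args = [t for t in tokens[1:] if not t.startswith("//")]
        target = args[0] if args else ""
    else:
        target = tokens[0]
    if ntpath.splitext(target)[1].lower() in SCRIPT_EXTS:
        reasons.append("target is a script file")
    if any(part in target.lower() for part in USER_WRITABLE):
        reasons.append("target is in a user-writable directory")
    return reasons


def flag_entries(entries, threshold=2):
    """Names of entries with at least `threshold` reasons, to limit noise."""
    return sorted(n for n, cmd in entries.items() if len(triage_run_value(cmd)) >= threshold)


if __name__ == "__main__":
    for name in flag_entries(SAMPLE_RUN_KEY):
        print(name, "->", "; ".join(triage_run_value(SAMPLE_RUN_KEY[name])))
```

Requiring two reasons keeps legitimate per-user programs that start from `AppData` out of the results while still catching a script host pointed at a script in the user profile.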
      • Deleted74295D
        Deleted74295 Banned
        last edited by

        Now reinstalling Windows....fun

        • Deleted74295D
          Deleted74295 Banned
          last edited by

          Avast blocks the thing, just tested it.

          • Reid CooperR
            Reid Cooper
            last edited by

            Sounds like a good candidate for our non-profit security test center!

            • Mike DavisM
              Mike Davis
              last edited by

              So the malware was called by an autorun.inf, or you clicked on something on the pen drive?

              • Deleted74295D
                Deleted74295 Banned
                last edited by

                Triggered before I touched any files.

                FYI Webroot replied to my ticket within 15 minutes requesting a time when one of their engineers could contact me. Fast reply.

                @Reid-Cooper said in Webroot - Malicious autorun scripts on USBs:

                Sounds like a good candidate for our non-profit security test center!

                No one would donate or fund it. It's not sexy enough to get donations.

                • dafyreD
                  dafyre @Deleted74295
                  last edited by

                  @Breffni-Potter said in Webroot - Malicious autorun scripts on USBs:

                  Triggered before I touched any files.

                  FYI Webroot replied to my ticket within 15 minutes requesting a time when one of their engineers could contact me. Fast reply.

                  @Reid-Cooper said in Webroot - Malicious autorun scripts on USBs:

                  Sounds like a good candidate for our non-profit security test center!

                  No one would donate or fund it. It's not sexy enough to get donations.

                  If I had the time to do it, I would definitely do it. Time is in short supply these days.

                  • C
                    Carnival Boy @Deleted74295
                    last edited by

                    @Breffni-Potter said in Webroot - Malicious autorun scripts on USBs:

                    Triggered before I touched any files.

                    Perhaps showing my ignorance here, but is autorun still a thing? I somehow thought it was disabled in Windows since about XP?

                    • scottalanmillerS
                      scottalanmiller @Carnival Boy
                      last edited by

                      @Carnival-Boy said in Webroot - Malicious autorun scripts on USBs:

                      @Breffni-Potter said in Webroot - Malicious autorun scripts on USBs:

                      Triggered before I touched any files.

                      Perhaps showing my ignorance here, but is autorun still a thing? I somehow thought it was disabled in Windows since about XP?

                      LOL, sadly, still a thing.

                      • Deleted74295D
                        Deleted74295 Banned
                        last edited by

                        @Carnival-Boy Nope. Still present in every version of Windows since XP. In 7 it asked what action you would like to take for removable media, and a default was often to open file explorer.

                        In Windows 10, it is still alive and kicking but I thought I had it disabled.

                        • C
                          Carnival Boy
                          last edited by

                          Opening file explorer is ok though, isn't it? It's executing autorun.inf that's the problem.

                          • C
                            Carnival Boy
                            last edited by

                            From Wikipedia:
                            "Autorun.inf has been used to execute a malicious program automatically, without the user knowing. This functionality was removed in Windows 7 and a patch for Windows XP and Vista was released on August 25, 2009 and included in Microsoft Automatic Updates on February 8, 2011"

                            What am I missing here?

                            • JaredBuschJ
                              JaredBusch @Carnival Boy
                              last edited by

                              @Carnival-Boy said in Webroot - Malicious autorun scripts on USBs:

                              From Wikipedia:
                              "Autorun.inf has been used to execute a malicious program automatically, without the user knowing. This functionality was removed in Windows 7 and a patch for Windows XP and Vista was released on August 25, 2009 and included in Microsoft Automatic Updates on February 8, 2011"

                              What am I missing here?

                              It is still there, but not by default anymore. Even Windows 10 lets you choose to allow autorun, but on a per-media basis.

                              • coliverC
                                coliver @Carnival Boy
                                last edited by

                                @Carnival-Boy said in Webroot - Malicious autorun scripts on USBs:

                                From Wikipedia:
                                "Autorun.inf has been used to execute a malicious program automatically, without the user knowing. This functionality was removed in Windows 7 and a patch for Windows XP and Vista was released on August 25, 2009 and included in Microsoft Automatic Updates on February 8, 2011"

                                What am I missing here?

                                This was the default functionality. Whenever you inserted a USB or CD it would search for the autorun.inf file and do whatever it said. Now it asks if you want to run it or do something else.

                                • C
                                  Carnival Boy @coliver
                                  last edited by

                                  @coliver said in Webroot - Malicious autorun scripts on USBs:

                                  Now it asks if you want to run it or do something else.

                                  Exactly. That's my point. It doesn't autorun, it asks you what you want to do.

                                  • JaredBuschJ
                                    JaredBusch @Carnival Boy
                                    last edited by

                                    @Carnival-Boy said in Webroot - Malicious autorun scripts on USBs:

                                    @coliver said in Webroot - Malicious autorun scripts on USBs:

                                    Now it asks if you want to run it or do something else.

                                    Exactly. That's my point. It doesn't autorun, it asks you what you want to do.

                                    It does not automatically launch the autorun.inf, true. But to say the functionality is removed is incorrect. autorun.inf is still perfectly valid and lots of stupid people still click through.

                                    • Reid CooperR
                                      Reid Cooper
                                      last edited by

                                      And a lot of people set it to "always do" something bad, then it doesn't ask again.
