Saturday, November 3, 2007

Preventing USB Autorun Infection

Protect your PC from USB autorun infection with this step-by-step guide with screenshots. I've been doing this for quite some time on all of my computers and on my friends' and relatives' computers. You will never have to worry again about getting your PC infected automatically from USB sticks.

Autorun is used by malware such as Brontok to infect other PCs through removable drives (i.e. flash drives, external HDDs). Earlier autorun infections could be prevented by turning off Autoplay on all drives in Group Policy (run gpedit.msc > Computer Configuration > Administrative Templates > System).

But this Brontok variant uses another autorun.inf command to execute the malware: one that fires when a user double-clicks the USB drive in My Computer.

Try this on your USB drive: create an autorun.inf file that contains the following code:
Reinsert your USB drive and open it, either by double-clicking its icon or via the context menu. This is safe, since it only runs Windows Calculator, the same as launching it from the command line. You won't be able to open the drive without launching Calculator, unless you open Windows Explorer and navigate to the drive via the Folders pane.
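As an added example, not part of the original post, here is a PowerShell audit that lists every removable drive carrying an autorun.inf and the executable each launch directive points at, so you can see what a double-click would run before it runs. It assumes Windows PowerShell 5.1 or later; the directive names it checks (open, shellexecute and shell\<verb>\command) are the documented autorun.inf launch keys, the last being the context-menu form the post describes.

```powershell
# Added example (not from the original post): report which executable an
# autorun.inf on each removable drive would launch on open/double-click.
# Assumes Windows PowerShell 5.1+; DriveType 2 = removable disk in Win32_LogicalDisk.
function Get-AutorunLaunchers {
    param([string[]]$Roots)   # optional list of drive roots, e.g. 'E:\'; defaults to all removable drives
    if (-not $Roots) {
        $Roots = Get-CimInstance Win32_LogicalDisk -Filter "DriveType=2" |
                 Select-Object -ExpandProperty DeviceID |
                 ForEach-Object { "$_\" }
    }
    foreach ($root in $Roots) {
        $inf = Join-Path $root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        # Hidden/system attributes are typical for malware-dropped autorun.inf files,
        # so they are reported alongside the directive.
        $attrs = (Get-Item -LiteralPath $inf -Force).Attributes
        foreach ($line in Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) {
            # Documented launch directives: open=, shellexecute=, shell\<verb>\command=
            if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$') {
                [pscustomobject]@{
                    Drive      = $root
                    Directive  = $Matches[1]
                    Launches   = $Matches[2]
                    Attributes = $attrs
                }
            }
        }
    }
}

Get-AutorunLaunchers | Format-Table -AutoSize
```

Run it right after inserting a drive and before opening it in My Computer; a drive with no autorun.inf produces no rows. For the Calculator test above, the output should show a single row whose Launches column points at calc.exe.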

I was looking for a way to stop the context menu entries Auto, Browser and Explore from being associated with EXE files on the flash drive. I already knew that inserting a USB drive updates the Windows Registry's MountPoints2 key; the only problem was preventing that from happening. Luckily for me, I found the solution in Pierre's comment about setting Registry permissions.

Here is a clean MountPoints2 key:

Here is MountPoints2 after the autorun.inf has been processed:

Find your account's MountPoints2 key in the registry:

Then right-click the "MountPoints2" key and modify its permissions to Deny, like this:

Now you can double-click the drive any time without running Window$ Calculator.
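The same permission change applied from PowerShell, as an added example rather than the post's own steps. It assumes the key lives at its usual per-user location, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, and, instead of the blanket Deny in the screenshot, denies the current account only the rights Explorer needs to write new entries (CreateSubKey, SetValue, Delete), so the key stays readable and the rule can be verified and removed later.

```powershell
# Added example (not from the original post): deny the current account the rights
# Explorer needs to add per-drive autorun verbs under MountPoints2.
# Assumes Windows PowerShell 5.1+ and the standard key location below.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # e.g. MACHINE\user

# Only write rights are denied (this example's choice, narrower than the screenshot's
# Full Control deny) so the key stays readable and the rule stays reversible.
$rights = [System.Security.AccessControl.RegistryRights]'CreateSubKey, SetValue, Delete'
$deny   = New-Object System.Security.AccessControl.RegistryAccessRule(
    $me, $rights, 'ContainerInherit', 'None', 'Deny')   # inherited by per-drive subkeys

$acl = Get-Acl -Path $key
$acl.AddAccessRule($deny)
Set-Acl -Path $key -AclObject $acl

# Verify the rule is in place; Deny entries are listed before Allow entries.
(Get-Acl -Path $key).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags -AutoSize

# To undo later:  $acl.RemoveAccessRule($deny); Set-Acl -Path $key -AclObject $acl
```

Entries already under MountPoints2 are left in place; the rule only stops new ones from being written. Note also that Windows 7 and later (and XP/Vista with the later AutoPlay update) no longer honour autorun.inf on non-optical removable media, so this hardening matters mainly on the older systems the post was written for.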

If this prevents calc.exe from running, it will just as surely prevent malicious executables such as Brontok from infecting your computer via the autorun vector.