Microsoft's advice on how to beat the Downadup worm is flawed, the US Computer Emergency Readiness Team (US-CERT) said yesterday (21 January).
The Microsoft recommendation to disabling Windows' "Autorun" feature and leaves users who rely on its guidelines to protect their PCs open to attack.
The worm is one of the fastest spreading attacks on web. Luis Corrons, the technical director of the research labs at anti-virus vendor Panda, said it was“a phenomenon we haven't seen since the times of the great epidemics of Kournikova or Blaster," referring to major worm attacks of 2001 and 2003, respectively.
In an alert issued Monday , US-CERT said Microsoft's instructions on turning off Autorun are "not fully effective" and "could be considered a vulnerability."
The flaw in Microsoft's guidelines are important at the moment, because the "Downadup" worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' "Autorun" and "Autoplay" features.
Autorun, the focus of the US-CERT warning, lets Windows automatically run any program specified in the "autorun.inf" on, for example, a CD or a flash drive, as soon as the disc or device is inserted or connected. By default, Windows has Autorun enabled.
The problem is that Downadup, which as of last week had infected nearly 9 million PCs worldwide, tries to spread using USB-based devices, typically flash drives.
The worm creates an autorun.inf file at the root directory of any USB-based device it finds connected to the infected machine, then when that device is later connected to an uninfected computer, the autorun.inf file copies the worm to the machine without any action on the part of the user, or the user even knowing.
The result: another PC hacked by Downadup.
Although Microsoft has not formally recommended that users disable Autorun as an anti-Downadup measure, most security companies and researchers have in light of the autorun.inf infection vector. According to US-CERT, Microsoft's advice is useless.
"The 'Autorun' and 'NoDriveTypeAutorun' registry values [specified by Microsoft] are both ineffective for fully disabling Autorun capabilities on Microsoft Windows systems," the organization said.
"Setting the Autorun registry value to '0' will not prevent newly-connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed."
Likewise, the recommended '0xFF' setting for the NoDriveTypeAutorun registry entry, which Microsoft says "disables Autoplay on all drives," won't protect users from infection if they happen to double-click on the drive's icon in Windows Explorer, said US-CERT.
Instead, users should make a different modification to the Windows registry, US-CERT said. In the alert, it gave the new value as well as instructions on how to copy it to Windows Notepad and import it into the registry.
"Once these changes have been made, all of the Autorun code execution scenarios described above will be mitigated because Windows will no longer parse autorun.inf files to determine which actions to take," read the US-CERT warning.
One security researcher was surprised that Microsoft didn't catch its recommendation errors, particularly in light of the ongoing Downadup attacks. "Seems unbecoming of Microsoft not to have been the one posting this information on a blog of theirs," said Andrew Storms , director of security operations at nCircle Network Security Inc.
He also bemoaned the need to edit the registry to disable Autorun. "Not only [is] editing the registry outside the [reach] of most people, but now we have learned that the information from the source is not complete," Storms added in an exchange via instant messaging.
Microsoft did not immediately reply to a request for comment on US-CERT's alert.